====== Domain 1: Security and Risk Management ======

  * **Business impact analysis (BIA)** - A list of the organization's assets, annotated to reflect the criticality of each asset to the organization.
  * **Governance** - The process of **how an organization is managed**; usually includes all aspects of how decisions are made for that organization, such as the policies, roles, and procedures the organization uses to make those decisions.
  * **Confidentiality** - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  * **Recovery point objective (RPO)** - A measure of **how much data** the organization can lose before it is no longer viable. **RPO** establishes the maximum **data loss** that is tolerable. __**Recovery point** - **how much data**__
  * **Recovery time objective (RTO)** - The target time set for recovering from any interruption. **RTO** establishes the maximum amount of time the organization will be down (or how long it takes to recover).
  * **Maximum allowable downtime (MAD)** - The measure of **how long** an organization can survive an interruption of critical functions.
  * **Due diligence** - **Actions** taken by a vendor to demonstrate/provide due care.
  * **Due care** - A **legal concept** pertaining to **the duty** owed by a provider to a customer.
  * **Integrity** - Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.
  * **Standards** (the object) - Specific **mandates** explicitly stating expectations of performance or conformance.
  * **Compliance** (the action) - **Adherence to a mandate**: both the actions demonstrating adherence and the tools, processes, and documentation used in adherence.
  * **Security control framework** - A notional **construct** outlining the organization's approach to security, including a list of the specific security processes, procedures, and solutions used by the organization.
  * **Guidelines** - **Suggested practices** and expectations of activity to best accomplish tasks and attain goals.
  * **Security governance** - The **entirety** of the policies, roles, and processes the organization uses to make security decisions.
  * **Risk mitigation** - Putting security controls in place to **attenuate the possible impact** and/or likelihood of a specific risk.
  * **Residual risk** - The risk **remaining after** security controls have been put in place as a means of risk mitigation.
  * **Business continuity (BC)** - Actions, processes, and tools for ensuring an **organization can continue** critical operations during a contingency.
  * **Governance committee** - A **formal body of personnel** who determine how decisions will be made within the organization; the entity that can approve changes and exceptions to current relevant governance.

===== Which type of control framework: =====

  * **Deterrent frameworks** are technology-related and used to **discourage malicious activities**.
  * **Preventative frameworks** help establish security policies and security awareness training.
  * **Detective frameworks** focus on finding unauthorized activity in your environment after a security incident.
  * **Corrective frameworks** focus on activities to get your environment back to normal after a security incident.

===== Which type of approach should you use for the risk analysis? =====

  * **Qualitative** - uses a risk analysis matrix.
  * **Quantitative** - uses money or metrics to compute risk.
  * **Hybrid** - a combination of qualitative and quantitative.
  * **Market approach** - used for asset valuation.
  * **Reduction analysis** attempts to eliminate duplicate analysis and is tied to threat modeling.
  * **STRIDE** is used for threat modeling.