Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.7. Reflection Checkpoint

Key Takeaways

Before proceeding to Exam Readiness, ensure you can:

  • Differentiate between policies, standards, procedures, and guidelines
  • Calculate SLE, ALE, and ARO from given values
  • Select the appropriate risk management strategy for a given scenario
  • Identify the correct agreement type (SLA, NDA, MOU, MSA) for a given relationship
  • Explain the difference between data owner and data custodian roles
  • Compare internal and external audit purposes and when each is required
  • Distinguish between known-environment, unknown-environment, and partially known-environment penetration testing
  • Describe elements of an effective security awareness program

Connecting Forward

You've now covered all five exam domains. Phase 7 synthesizes everything into exam readiness: strategies for managing time and question types, quick reference tables for the most commonly tested facts, and practice questions that cross domain boundaries. The knowledge is there — now it's about applying it under exam conditions.

Self-Check Questions

  1. A database server is worth $400,000. A flood has a 10% chance of occurring each year and would destroy 50% of the server. What is the SLE? What is the ALE? If flood insurance costs $25,000/year, is it cost-effective compared to the risk?

  2. Your company's payroll provider suffers a data breach exposing all employee SSNs. What type of risk was realized? What vendor management controls should have been in place? Which agreement type would have defined the vendor's security obligations?

  3. A red team exercise reveals that an attacker could social engineer the receptionist into granting physical access, then use an unattended workstation to access the HR database. Which three security domains (from this guide) failed, and what specific control from each domain would have prevented or detected this attack?

Written by Alvin Varughese
Founder, 15 professional certifications