Section 10: Governance, Risk, and Compliance Flashcards

1
Q

What is a vulnerability in relation to risk management?

A

A weakness that an attacker could exploit.

2
Q

What is the purpose of BPA?

A

Business Partnership Agreement (BPA) is used by companies in a joint venture and lays out each party’s contribution, their rights and responsibilities, how decisions are made and who makes them.

3
Q

What is a multiparty risk?

A

Where someone wins a contract and sub-contracts to a third party who could sabotage your systems.

4
Q

What is IP theft?

A

Occurs when intellectual property has been stolen, like trade secrets, copyright and patents.

5
Q

What is the difference between an MOU and an MOA?

A

Memorandum of Understanding (MOU): formal agreement between two parties but is not legally binding

Memorandum of Agreement (MOA): same as MOU but is legally binding.

6
Q

What is tokenization and why is it stronger than encryption?

A

Process by which data is replaced by a stateless token and the actual data is held in a vault by a payment provider. Because data is held in a remote location, it is stronger than encryption for which keys are held locally.

7
Q

One of the junior members of the IT team installs more copies of a piece of software than are allowed by the licenses that the company has purchased. What have they just carried out?

A

Software licensing compliance violation.

8
Q

What is the purpose of an ISA?

A

Interconnection Security Agreement (ISA) states how connections should be made between two business partners. They decide on the type of connection and how to secure it; for example, they may use a VPN to communicate.

9
Q

How does the shadow IT threat actor operate and what type of attack could benefit from their actions?

A

Shadow IT connects their own computers to your network without your consent. Could lead to pivoting.

Could also steal a company laptop to gain access to the network.

10
Q

What is an inherent risk?

A

A raw risk before it has been mitigated.

11
Q

What are the four stages of the information life cycle?

A
  1. Created
  2. Use
  3. Retention
  4. Disposal

12
Q

Why would you use STIX/TAXII?

A

They work together so that Cyber Threat Intelligence (CTI) can be distributed over HTTP.

13
Q

What is the benefit of introducing a separation of duties in the finance department?

A

Ensures that nobody in the department carries out both parts of a transaction. For example, we would have one person collecting revenue and another person authorizing payments.

14
Q

What is the purpose of a risk register?

A

Lays out all the risks a company faces; each risk will have a risk owner who specializes in that area and decides on the risk treatment.

15
Q

What is an impact assessment?

A

Where you evaluate the risk of collecting big data and what tools can be used to mitigate the risk of holding so much data.

16
Q

A company has a leak in the roof, and before it can be repaired, there’s heavy rain, resulting in 6 laptops being water-damaged. What type of disaster is this?

A

Environmental threat.

17
Q

What is the purpose of job rotation?

A

Ensures that employees work in all departments so that if someone leaves at short notice or is ill, cover can be provided. Also ensures that any fraud or theft can be detected.

18
Q

What is the purpose of a privacy notice?

A

Gives consent for data only to be collected and used for one specific purpose.

19
Q

What is data masking?

A

When data is stored and only shows portions of the data. For example, might see only the last four digits of a credit card.

20
Q

If a company suffered a data breach, what would be the impact if one of their customers suffered identity fraud?

A

Most likely would be sued by the customer.

21
Q

What is a SOC type 2 report and what is its distribution?

A

Deals with the effectiveness of controls and has limited access as it provides a detailed report about a company.

22
Q

What is the purpose of mandatory vacations?

A

Ensures that an employee takes at least 5 days of holiday and someone provides cover for them; also ensures that fraud or theft can be detected. Common practice for jobs in finance.

23
Q

Why would an auditor look for single items that could cause the failure of whole computer systems?

A

Measuring Business Impact Analysis (BIA). This makes the company less vulnerable.

24
Q

What is the first stage in risk assessment?

A

Identifying and classifying an asset. How the asset is treated, accessed, or scored is based on the classification.

25
Q

What type of threat intelligence does the Malware Information Sharing Project provide?

A

Provides Open-Source Intelligence (OSINT).

26
Q

Your company has carried out a tabletop exercise followed by a walk-through. What type of plan has just been carried out?

A

Functional recovery plan.

27
Q

Why would a company introduce a clean-disk policy?

A

To ensure that no documents containing company data are left out on desks overnight.

28
Q

Why would someone use the website www.virustotal.com?

A

Virustotal is a code repository that holds information about malware signatures and code.

29
Q

If someone brought their own laptop to be used at work, apart from an onboarding policy, what other policy should be introduced?

A

BYOD is governed by two policies:
1. Onboarding policy
2. Acceptable Use Policy (AUP), which lays out how the laptop can be used, for example, accessing social media sites is forbidden while using the device at work

30
Q

What is the purpose of an exit interview?

A

To find out the reason why the employee has decided to leave. May help the employer improve their working conditions and therefore have a higher retention rate.

31
Q

What is the MITRE ATT&CK framework used for?

A

A spreadsheet that shows groups of adversaries, which can be drilled down to see the adversarial tactics, techniques, methods and tools used.

32
Q

What is the purpose of GDPR?

A

General Data Protection Regulation (GDPR) was developed by the EU to protect an individual’s right to data privacy. It is an international regulation with 27 member countries.

33
Q

What type of information might a participant in a bug bounty program receive?

A

May be able to access information received by customers, but not company information.

34
Q

What tools do hackers that visit the dark web use to remain anonymous?

A

Tor software (The Onion Router), which has thousands of relays to prevent detection.

35
Q

What is the purpose of Capture the Flag exercises?

A

Training for both red and blue team wherein they capture a flag as they achieve each progressive level of training. When they have completed all levels, they are fit to become full-blown red or blue team members. It is used to improve skill sets.

36
Q

What is the purpose of risk avoidance?

A

When a risk is deemed too dangerous or high risk and could end in loss of life or financial loss, we would avoid the activity.

37
Q

What is the purpose of risk transference?

A

Where the risk is medium to high and you wish to offload the risk to a third party, for example, insuring your car. You might also outsource your IT.

38
Q

Who uses AIS and what is its distribution?

A

Automated Indicator Sharing (AIS) was invented by the US federal government to exchange data about cyberattacks from the state down to the local level.

39
Q

What is the purpose of the ISO standard 27701?

A

Was developed as a standard as an extension of 27001/27002 to be used for privacy information management.

40
Q

What are the rules of behavior?

A

How people should conduct themselves at work to prevent discrimination or bullying.

41
Q

What is the purpose of IOCs?

A

Indicators of Compromise (IOCs) are used to inform members of their IT security community of IP addresses, hashes or URLs they have discovered when they were attacked.

42
Q

What is the motivation of a script kiddie?

A

Fame.

43
Q

Why would a company run an annual security awareness training program?

A

Advises employees of the risk of using email, the internet, and posting information on social media. Also informs employees of any new risks posed since the last training.

44
Q

What would happen if you tried to sell your car and sent an email about it to everyone who worked in your company using your Gmail account?

A

Violation of the AUP and could lead to disciplinary action.

45
Q

Why would you perform a risk assessment for one of the main suppliers for your raw materials?

A

A manufacturing company needs a reputable supplier of raw materials so they can manufacture goods.

46
Q

What is the driving force behind BIA?

A

Business Impact Analysis is just money; it looks at the financial impact following an event. The loss of earnings, the cost of purchasing new equipment, and regulatory fines are calculated.

47
Q

What is the relationship between the RPO and the RTO?

A

Recovery Point Object (RPO): the acceptable downtime that a company can suffer without causing damage to the company.

Recovery Time Object (RTO): the time it takes for the company to return to an operations state; this should be within the RPO.

48
Q

What information can be established from an MTTR?

A

Mean Time to Repair (MTTR) is the average time it takes to repair a system. For the exam, could be the time to repair a system and not the average time.

49
Q

What type of threat actor could damage a company’s production system?

A

A competitor, also to steal trade secrets.

50
Q

What type of threat actor would demand payment from you or threaten to publish customer information that you hold on social media?

A

Criminal syndicates; they are financially driven.

51
Q

What is the purpose of MTBF?

A

Mean Time Between Failure (MTBF) is the measurement of the reliability of a system. For instance, if you bought a car Monday and it broke down Tuesday and Wednesday, you would deem it unreliable.

52
Q

What is the purpose of SSAE?

A

The Statement on Standards for Attestation Engagements (SSAE) assists CPAs in carrying out the auditing of SOC reports.

53
Q

What is the purpose of SLE and how is it calculated?

A

Single Loss Expectancy (SLE) is the cost of losing one item.

54
Q

How can we calculate the ALE?

A

Annualized Loss Expectancy (ALE) is calculated by multiplying the SLE by the Annual Rate of Occurrence (ARO), or number of losses per year.

SLE x ARO