Misc Governance, Risk, and Compliance

Question 1

SLA

Answer 1

Service level agreement - defines the level of service the customer expects from the service provider. The level of service definitions should be specific and measurable in each area

Question 2

MOU

Answer 2

memorandum of understanding - a legal document that describes a mutual agreement between parties

Question 3

ISA

Answer 3

interconnection security agreement - an agreement that specifies the technical and security requirements of the interconnection security requirements of the interconnection between organizations.

Question 4

BPA

Answer 4

business partnership agreement - a legal agreement between partners. It establishes the terms, conditions, and expectations of the relationship between the partners

Question 5

Risk severity = X*Impact

Answer 5

likelihood of occurrence

Question 6

RPO

Answer 6

Recovery point objective - specifies the allowable data loss. It is the amount of time that can pass during an interruption before the quantity of data lost during that period surpasses business continuity planning’s maximum acceptable threshold

Question 7

MTTR

Answer 7

Mean time to repair - the average time it takes for a failed device or component to be repaired or replaced

Question 8

MTBF

Answer 8

mean time between failures - the rating on a device or component that predicts the expected time between failures.

Question 9

ARO

Answer 9

annual rate of occurrence - is the ratio of an estimated possibility that a threat will take place within a one-year time frame.

Question 10

AUP

Answer 10

acceptable use policy - describes the limits and guidelines for users to make use of an organization’s physical and intellectual resources. This includes allowing or limiting the use of personal email during work hours.

Question 11

BIA

Answer 11

Business Impact Analysis - helps to identify critical systems by determining which systems will create the largest impact if they are not available.

Question 12

ISO 27002

Answer 12

a global standard that outlines guidelines for creating and sustaining information security systems

Question 13

ISO 27017

Answer 13

a standard for cloud security

Question 14

NIST 800-12

Answer 14

a general security standard that is specific to the United States, not recognized internationally

Question 15

NIST 800-14

Answer 15

a U.S. standard that focuses on policy development rather than information security management systems

Question 16

PCI-DSS

Answer 16

Payment Card Industry Data Security Standard - a security standard that is mandated by credit card vendors. The Payment Card Industry Security Standards Council is responsible for updates and changes to the standard

Question 17

GDPR

Answer 17

General Data Protection Regulation - a standard for data privacy and security in the European Union (EU)

Question 18

SSAE

Answer 18

Standard for Attestation Engagements

Question 19

SSAE-18 SOC 2

Answer 19

SOC 2 engagement assesses the security and privacy controls that are in place

Question 20

SSAE-18 Type 2 report

Answer 20

Type 2 report provides information on the auditor’s assessment of the effectiveness of the controls that are in place

Question 21

SSAE-18 SOC 1

Answer 21

SOC 1 report assesses the controls that impact the accuracy of financial reporting

Question 22

SSAE-18 Type 1 report

Answer 22

Type 1 reports a review auditor’s opinion of the description provided by management about the suitability of the controls as designed. They do not look at the actual operating effectiveness of the controls.

Question 23

data controller

Answer 23

sometimes called a data owner. He determines the reasons for processing personal information and how it is processed

Question 24

Data steward

Answer 24

carries out the intents of the data controller

Question 25

data custodian

Answer 25

charged with safeguarding information

Question 26

Control risk

Answer 26

a term used in public accounting. It is the risk that arises from a potential lack of internal controls within an organization that may cause a material misstatement in the organization’s financial reports. In this case, the lack of controls that would validate the financial system’s data and function is a control risk