Security Program Management and Oversight (D5) Flashcards
DOMAIN 5
Governance - Crucial Aspects (Governance and Compliance)
Risk Management
Strategic Alignment
Resource Management
Performance Management
Compliance - Importance of it (Governance and Compliance)
Legal Obligations
Trust and Reputation
Data Protection
Business Continuity
Policies (Governance and Compliance)
Acceptable Use Policies (AUP)
Information Security Policies
Business Continuity
Disaster Recovery
Incident Response
Change Management
Software Development Lifecycle (SDLC)
Purpose of Governance
Establishes a strategic framework aligned with business objectives and regulations
Defines rules, responsibilities, and practices for achieving goals and managing IT resources
Standards (Governance and Compliance)
Standards
Password Standards
Access Control Standards
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
Geographical Consideration (Governance and Compliance)
Regional considerations, such as the CCPA in California, impose state-level regulations
National considerations, e.g. the ADA in the US, affect businesses across the entire country
Global considerations, such as the GDPR, apply extraterritorially to organizations handling EU citizens' data
Due Diligence and Due Care (Governance and Compliance)
Due Diligence - Identifying compliance risks through thorough review
Due Care - Mitigating the identified risks
Attestation and Acknowledgement (Governance and Compliance)
Attestation - Formal declaration by a responsible party that the organization’s processes and controls are compliant
Acknowledgement - Recognition and acceptance of compliance requirements by all relevant parties
Risk Management Lifecycle
Risk Identification
Risk Analysis
Risk Treatment
Risk Monitoring
Risk Reporting
Risk Identification Concepts
Key Metrics in Business Impact Analysis (BIA)
Recovery Time Objective
Recovery Point Objective
Mean Time to Repair
Mean Time Before Failure
Risk Analysis
Qualitative Risk Analysis - Assess and prioritize risks based on likelihood and impact
Quantitative Risk Analysis - Numerically estimate probability and potential impact
Risk Management Strategies - Types
Risk Transfer
Risk Acceptance
Risk Avoidance
Risk Mitigation
Recovery Time Objective (RTO)
- Maximum acceptable time before severe impact
- Target time for restoring a business process
Recovery Point Objective (RPO)
- Maximum acceptable data loss measured in time
- Point in time to which data must be restored
Mean Time to Repair (MTTR)
- Average time to repair a failed component or system
- Indicator of repair speed and downtime minimization