Security Program Management and Oversight (D5) Flashcards

DOMAIN 5

1
Q

Governance - Crucial Aspects (Governance and Compliance)

A

Risk Management
Strategic Alignment
Resource Management
Performance Management

2
Q

Compliance - Importance of it (Governance and Compliance)

A

Legal Obligations
Trust and Reputation
Data Protection
Business Continuity

3
Q

Policies (Governance and Compliance)

A

Acceptable Use Policies (AUP)
Information Security Policies
Business Continuity
Disaster Recovery
Incident Response
Change Management
Software Development Lifecycle (SDLC)

4
Q

Purpose of Governance

A

Establishes a strategic framework aligned with business objectives and regulations
Defines the rules, responsibilities, and practices for achieving goals and managing IT resources

5
Q

Standards (Governance and Compliance)

A

Standards
Password Standards
Access Control Standards
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)

6
Q

Geographical Consideration (Governance and Compliance)

A

Regional considerations, like the CCPA in California, impose state-level regulations
National considerations, e.g., the ADA in the US, affect businesses across the entire country
Global considerations, like the GDPR, apply extraterritorially to organizations dealing with EU citizens’ data

7
Q

Due Diligence and Due Care (Governance and Compliance)

A

Due Diligence - Identifying compliance risks through thorough review
Due Care - Mitigating the identified risks

8
Q

Attestation and Acknowledgement (Governance and Compliance)

A

Attestation - Formal declaration by a responsible party that the organization’s processes and controls are compliant
Acknowledgement - Recognition and acceptance of compliance requirements by all relevant parties

9
Q

Risk Management Lifecycle

A

Risk Identification
Risk Analysis
Risk Treatment
Risk Monitoring
Risk Reporting

10
Q

Risk Identification Concepts
(Key Metrics in Business Impact Analysis (BIA))

A

Recovery Time Objective
Recovery Point Objective
Mean Time to Repair
Mean Time Before Failure

11
Q

Risk Analysis

A

Qualitative Risk Analysis - Assess and prioritize risks based on likelihood and impact
Quantitative Risk Analysis - Numerically estimate probability and potential impact

12
Q

Risk Management Strategies - Types

A

Risk Transfer
Risk Acceptance
Risk Avoidance
Risk Mitigation

13
Q

Recovery Time Objective (RTO)

A
  • Maximum acceptable time before severe impact
  • Target time for restoring a business process
14
Q

Recovery Point Objective (RPO)

A
  • Maximum acceptable data loss measured in time
  • Point in time data must be restored to
15
Q

Mean Time to Repair (MTTR)

A
  • Average time to repair a failed component or system
  • Indicator of repair speed and downtime minimization
16
Q

Mean Time Between Failures (MTBF)

A
  • Average time between system or component failures
  • Measure of reliability
17
Q

Components of Risk Register

A

Risk Description
Risk Impact
Risk Likelihood
Risk Outcome
Risk Level or Threshold

18
Q

Risk Description (Components of Risk Register)

A
  • Identifies and describes the risk
  • Clear and concise description
19
Q

Risk Impact (Components of Risk Register)

A
  • Potential consequences of risk occurrence
  • Rated on a scale (e.g., low, medium, high)
20
Q

Risk Likelihood (Components of Risk Register)

A
  • Probability of risk occurrence
  • Rated on a scale (e.g., numerical or descriptive)
21
Q

Risk Outcome (Components of Risk Register)

A
  • Result of the risk if it occurs
22
Q

Risk Level or Threshold (Components of Risk Register)

A
  • Determined by combining the impact and likelihood
  • Prioritizes risks (e.g., high, medium, low)
23
Q

Risk Tolerance (Risk Acceptance)

A
  • An organization or individual’s willingness to deal with uncertainty in pursuit of their goals
  • Maximum amount of risk they are willing to accept
  • Acceptance without countermeasures
24
Q

Risk Appetite

A
  • Willingness to pursue or retain risk
  • Types (Expansionary, Conservative, Neutral)
25
Q

Risk Owner

A
  • Responsible for managing the risk
  • Monitors, implements mitigation actions, and updates Risk Register
  • Accountable for risk management
26
Q

Single Loss Expectancy (SLE) - Quantitative Risk Analysis

A
  • Monetary value expected to be lost in a single event
  • Calculated as Asset Value x Exposure Factor (EF)
27
Q

Exposure Factor (EF) - Quantitative Risk Analysis

A
  • Proportion of asset lost in an event (0% to 100%)
  • Indicates asset loss severity
28
Q

Annualized Rate of Occurrence (ARO) - Quantitative Risk Analysis

A
  • Estimated frequency of threat occurrence within a year
  • Provides a yearly probability
29
Q

Annualized Loss Expectancy (ALE) - Quantitative Risk Analysis

A
  • Expected annual loss from a risk
  • Calculated as SLE x ARO
30
Q

Piggybacking and Tailgating

A
  • Social engineers may try to enter secured premises by closely following authorized personnel
31
Q

Dumpster Diving

A

Attackers sift through garbage for discarded information

32
Q

Operational Security (OPSEC)

A
  • Protects critical information from being used by adversaries
  • Safeguard sensitive data, daily routines, and internal procedures