5.0 Security Program Management and Oversight

Question 1

Q: What is NIST SP 800-61 Rev. 2?

Answer 1

A: A guide for incident response lifecycle: prepare → detect → contain → recover → post-incident.

Question 2

Q: What is ISO?

Answer 2

A: International Organization for Standardization — sets global standards.

Question 3

Q: What is NIST?

Answer 3

A: U.S. National Institute of Standards and Technology — provides cybersecurity frameworks.

Question 4

Q: What is change management?

Answer 4

A: The process for controlling changes in IT, including approval, testing, and backups.

Question 5

Q: What is ad hoc assessment?

Answer 5

A: A targeted assessment done for a specific issue or threat (“for this”).

Question 6

Q: What are the four risk management strategies?

Answer 6

Transfer (e.g., insurance)

Accept

Avoid

Mitigate (e.g., firewall)

Question 7

Q: What is RTO (Recovery Time Objective)?

Answer 7

A: Maximum time allowed to restore a system after disruption.

Question 8

Q: What is RPO (Recovery Point Objective)?

Answer 8

A: Maximum acceptable amount of data loss (in time).

Question 9

Q: What is MTTR (Mean Time to Repair)?

Answer 9

A: Average time needed to fix a system after failure.

Question 10

Q: What is MTBF (Mean Time Between Failures)?

Answer 10

A: Average time between system/device failures.

Question 11

Q: What is an MOU (Memorandum of Understanding)?

Answer 11

A: Informal agreement to collaborate, not legally binding.

Question 12

Q: What is an MOA (Memorandum of Agreement)?

Answer 12

A: More formal than MOU; both parties conditionally agree on terms.

Question 13

Q: What is an MSA (Master Service Agreement)?

Answer 13

A: Legal contract outlining general terms between parties.

Question 14

Q: What is an SOW (Statement of Work)?

Answer 14

A: A detailed list of deliverables and responsibilities.

Question 15

Q: What is an NDA (Non-Disclosure Agreement)?

Answer 15

A: Legal contract to protect confidential information.

Question 16

Q: What is a BPA (Business Partner Agreement)?

Answer 16

A: Agreement that defines roles and responsibilities between partners.

Question 17

Q: What does SOX regulate?

Answer 17

A: Sarbanes-Oxley Act — regulates financial data reporting.

Question 18

Q: What does GLBA regulate?

Answer 18

A: Gramm-Leach-Bliley Act — for financial institutions’ data handling.

Question 19

Q: What is the role of a CCO?

Answer 19

A: Chief Compliance Officer — oversees adherence to laws/regulations.

Question 20

Q: What is due care vs due diligence?

Answer 20

Due care: Internal responsibility

Due diligence: Evaluating external parties

Question 21

Q: What is GDPR?

Answer 21

A: General Data Protection Regulation — EU law for personal data protection.

Question 22

Q: What are the roles in data privacy?

Answer 22

Data Owner: Owns the data

Data Controller: Determines how data is used

Data Processor: Processes the data

Question 23

Q: What is attestation?

Answer 23

A: An auditor’s opinion on an organization’s security posture.

Question 24

Q: What is the role of an audit committee?

Answer 24

A: Internal group that initiates, oversees, or stops an audit.

Question 25

Q: What is active reconnaissance?

Answer 25

A: Direct interaction with the target system; likely detectable.

Question 26

Q: What is passive reconnaissance?

Answer 26

A: Collecting information without interacting directly; harder to detect. Dumpster diving

Question 27

Q: What are the types of testing environments?

Answer 27

Known (white-box) Partially known (gray-box) Unknown (black-box)