Governance, Risk and Compliance Flashcards

(100 cards)

1
Q

Types of controls categories (3)

A

Managerial, technical, operational

2
Q

Difference between managerial and operational controls

A

Managerial is high-level risk management, assessment and mitigation planning, usually at the policy, plan and procedure level.

Operational is targeted to employee’s day-to-day operations, including physical security.

3
Q

AUP

A

Acceptable Use Policy

4
Q

Risk formula

A

Probability times impact

5
Q

SLE

A

Single Loss Expectancy

6
Q

EF

A

Exposure Factor

7
Q

Define Exposure Factor

A

The fraction (percentage) of an asset's value that is lost in a single threat event; equivalently the cost of one event (SLE) divided by the asset value (AV).

8
Q

Define SLE

A

The expected cost of a single threat event: SLE = AV × EF (asset value times exposure factor).

9
Q

ARO

A

Annualized Rate of Occurrence: the number of times per year the threat event is expected to happen.

10
Q

ALE

A

Annualized Loss Expectancy

11
Q

Define ALE

A

The Annualized Loss Expectancy is the expected loss per year from a threat: ALE = SLE × ARO.
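The formulas on cards 7 to 11 are easiest to remember once you have run them against a few numbers. The following is an added worked example, not part of the original flashcards: it computes SLE and ALE for two assets and then uses the ALE reduction minus the control's yearly cost to decide whether a control is worth buying (the ALE that remains with the control in place is the residual risk). The asset names, values, EF/ARO figures and the two controls (a WAF and full-disk encryption) are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """One asset/threat pair described with the quantitative-risk terms on these cards."""
    name: str
    value: float            # AV: asset value in currency units
    exposure_factor: float  # EF: fraction of AV lost in one event (0.0 to 1.0)
    aro: float              # ARO: expected number of events per year


def sle(asset: Asset) -> float:
    """Single Loss Expectancy: the cost of one threat event, SLE = AV * EF."""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError("EF is a fraction of asset value; it must be between 0 and 1")
    if asset.value < 0 or asset.aro < 0:
        raise ValueError("asset value and ARO cannot be negative")
    return asset.value * asset.exposure_factor


def ale(asset: Asset) -> float:
    """Annualized Loss Expectancy: expected loss per year, ALE = SLE * ARO."""
    return sle(asset) * asset.aro


def control_value(asset: Asset, ef_after: float, aro_after: float,
                  annual_cost: float) -> dict:
    """Cost/benefit of a proposed control.

    A control can lower EF (less damage per event), ARO (fewer events), or both.
    The ALE that remains with the control in place is the residual risk; the
    control pays for itself when the ALE reduction exceeds its annual cost.
    """
    mitigated = replace(asset, exposure_factor=ef_after, aro=aro_after)
    before, after = ale(asset), ale(mitigated)
    return {
        "ale_before": before,
        "ale_after": after,            # residual risk, in currency per year
        "annual_cost": annual_cost,
        "net_benefit": before - after - annual_cost,
    }


# Constructed sample figures (not from the original cards).
WEB_SERVER = Asset("public web server", value=100_000, exposure_factor=0.25, aro=2.0)
LAPTOPS = Asset("laptop fleet", value=40_000, exposure_factor=0.5, aro=4.0)

if __name__ == "__main__":
    for asset in (WEB_SERVER, LAPTOPS):
        print(f"{asset.name}: SLE={sle(asset):,.0f} ALE={ale(asset):,.0f}")
    # Hypothetical WAF: same damage per event, a quarter as many successful events.
    waf = control_value(WEB_SERVER, ef_after=0.25, aro_after=0.5, annual_cost=12_000)
    # Hypothetical full-disk encryption: a lost laptop now costs only the hardware.
    fde = control_value(LAPTOPS, ef_after=0.125, aro_after=4.0, annual_cost=5_000)
    for name, result in (("WAF", waf), ("FDE", fde)):
        print(f"{name}: {result}")
```

With these constructed numbers the web server has an SLE of 25,000 and an ALE of 50,000; the WAF brings the ALE down to 12,500 (the residual risk) for 12,000 a year, a net benefit of 25,500. A control whose annual cost exceeds the ALE reduction would show a negative net benefit, which is the signal to accept, transfer or avoid the risk instead.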

12
Q

MTTF

A

Mean Time To Failure: the expected operating time before a non-repairable component fails (it is replaced rather than repaired, hence a one-time figure)

13
Q

RTO

A

Recovery Time Objective

14
Q

RPO

A

Recovery Point Objective

15
Q

Ways to handle risk (3 + 2)

A

Mitigation, Acceptance and Transference + Avoidance and Deterrence

16
Q

Change Management

A

Evaluating the impact of a proposed change on the system as a whole before the change is made

17
Q

DLP

A

Data Loss Prevention

18
Q

Two locking doors with a space between them

A

Mantrap

19
Q

Cold vs Warm vs Hot Site

A

Cold: only backup space with no IT infrastructure; equipment must be brought in. Warm: office space and critical IT equipment already in place, but data still has to be restored. Hot: fully equipped with all infrastructure, systems and current data, ready to take over immediately.

20
Q

Disaster Recovery Sites can be either ____ or _____

A

shared or exclusive

21
Q

Incremental vs Differential Backup

A

Differential backs up everything changed since the last full backup, so a restore needs only the full plus the latest differential (one delta, but it grows each day). Incremental backs up only what changed since the previous backup of any type, so each one is small but a restore needs the full plus every incremental since it, applied in order.
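The trade-off is clearer when you simulate a week of backups. The following is an added example, not part of the original flashcards: a constructed schedule with a full backup on Sunday and one partial backup each weekday, a constructed set of daily file changes, and two functions that show what each backup has to store and which backups a restore must read. It also shows the failure mode the cards imply: losing one incremental from the middle of the chain silently loses that day's changes, while a lost differential only matters if it is the latest one.

```python
# Constructed weekly schedule (not from the original cards): a full backup on
# Sunday, then one partial backup (incremental or differential) each weekday.
FULL_SET = {"os.img", "payroll.db", "web.conf", "users.csv"}   # files in the Sunday full
CHANGES = {                                                      # files modified each day
    "Mon": {"payroll.db"},
    "Tue": {"web.conf", "payroll.db"},
    "Wed": {"users.csv"},
    "Thu": {"payroll.db"},
    "Fri": {"web.conf"},
}
DAYS = list(CHANGES)


def backup_payload(strategy: str, day: str) -> dict[str, str]:
    """What the backup taken on `day` contains: file -> day of the version captured.

    incremental:  only files changed since the previous backup (that day's changes).
    differential: every file changed since the Sunday full, at its latest version.
    """
    if strategy == "incremental":
        return {f: day for f in CHANGES[day]}
    if strategy == "differential":
        payload: dict[str, str] = {}
        for d in DAYS[: DAYS.index(day) + 1]:   # later days overwrite earlier versions
            for f in CHANGES[d]:
                payload[f] = d
        return payload
    raise ValueError(f"unknown strategy {strategy!r}")


def restore(strategy: str, day: str,
            missing: frozenset = frozenset()) -> tuple[dict[str, str], list[str]]:
    """Rebuild the state at the end of `day` and report which backups were read.

    Both strategies must produce the same files; they differ in how many backups
    the restore chain touches and in how much each daily backup had to store.
    `missing` names backups that are lost or corrupt and therefore skipped.
    """
    chain = ["Sun (full)"]
    state = {f: "Sun" for f in FULL_SET}         # start from the Sunday full backup
    if strategy == "incremental":
        needed = DAYS[: DAYS.index(day) + 1]     # full + every incremental, in order
    else:
        needed = [day]                           # full + the latest differential only
    for d in needed:
        if d in missing:
            continue                             # broken chain: that day's changes are gone
        state.update(backup_payload(strategy, d))
        chain.append(f"{d} ({strategy})")
    return state, chain


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        sizes = [len(backup_payload(strategy, d)) for d in DAYS]
        state, chain = restore(strategy, "Fri")
        print(f"{strategy:12} files stored per backup Mon..Fri: {sizes}")
        print(f"{'':12} restore to Fri reads {len(chain)} backups: {chain}")
        lost_wed, _ = restore(strategy, "Fri", missing=frozenset({"Wed"}))
        print(f"{'':12} users.csv after losing Wed's backup: {lost_wed['users.csv']}")
```

On this schedule the incremental backups store 1, 2, 1, 1 and 1 files but a Friday restore reads six backups; the differentials store 1, 2, 3, 3 and 3 files and a Friday restore reads two. Losing Wednesday's incremental restores users.csv at its Sunday version, whereas losing Wednesday's differential has no effect on a Friday restore, which is the reason differential chains are the safer choice when media reliability is a concern and incremental chains when backup window and storage are.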

22
Q

BCP

A

Business Continuity Plan

23
Q

DRP

A

Disaster Recovery Plan

24
Q

BIA

A

Business Impact Analysis

25
BCP uses ____ to determine impact of down or lost systems
BIA
26
RAID 0
Striping
27
RAID 1
Mirroring
28
RAID 5
Striping + Parity
29
RAID 6
Striping + Double Parity
30
RAID 10
Striping + Mirroring
31
RAID 5 requires at least _ disks
3 disks
32
RAID 10 requires at least _ disks
4 disks
33
CIA
Confidentiality, Integrity and Availability
34
Security posture
baseline
35
Threat assessment
Only identifies threats, part of risk assessment
36
Vulnerability assessment
Identifies vulnerabilities, and therefore threats and risks, part of risk assessment
37
Banner grabbing
Reading the banner a service returns on connection to identify the software and its version; used for service recognition during port or vulnerability scans
38
Scan from an administrative account
Credentialed scan
39
Scan as an unauthorized user
Non-credentialed scan
40
XSRF/CSRF
Cross-site request forgery
41
AAA
Authentication, Authorization, and Accounting
42
Diversity
Having different vendors for resiliency
44
Windows specific security update
Hotfix
45
Security control types (6)
Compensating, Corrective, Detective, Deterrent, Physical and Preventative
46
There are _ control categories.
3
47
There are _ control types.
6
48
PCI DSS
Payment Card Industry Data Security Standard
49
PCI DSS, unlike GDPR, is an example of industry __-_____.
self-governance
50
CCPA
California Consumer Privacy Act
51
CIS CSC
Center for Internet Security (CIS) Critical Security Controls (CSC)
52
The CIS Controls (the former "Top 20"; 18 controls since version 8) are published by the
Center for Internet Security (CIS)
53
NIST RMF has _ steps.
7 steps
54
NIST RMF
NIST Risk Management Framework
55
RMF vs NIST CSF
RMF is the mandatory, step-by-step process for authorizing US federal information systems (FISMA); CSF is a voluntary, outcome-based framework written for critical infrastructure sectors but widely adopted elsewhere.
56
NIST CSF core Functions (5 in CSF 1.1)
Identify, Protect, Detect, Respond, Recover (CSF 2.0, released in 2024, adds Govern as a sixth)
57
NIST CSF 1.1 has _ core Functions.
5 Functions (Identify, Protect, Detect, Respond, Recover); CSF 2.0 added Govern for a total of 6
58
ISO/IEC 27701:2019
Requirements and guidance for establishing, implementing, maintaining and improving a Privacy Information Management System (PIMS), as an extension to ISO/IEC 27001 and 27002
59
PIMS
Privacy Information Management System
60
PIMS guidelines are found on ISO
27701
61
ISO 31000:2018
Risk Management Guidelines
62
ISO 27000:2018
Overview of Information Security Management Systems and vocabulary
63
ISMSs
Information Security Management Systems
64
SOC 2 assessment
System and Organization Controls (SOC) 2: an attestation report by a CPA firm on a service organization's controls for security, availability, processing integrity, confidentiality and privacy (the Trust Services Criteria), performed under the AICPA's Statement on Standards for Attestation Engagements 18 (SSAE 18).
65
Cybersecurity assessment related to SSAE 18 from the AICPA
SOC 2
66
Two key artifacts of the Cloud Security Alliance (CSA) frameworks
Cloud Controls Matrix (CCM) and the Enterprise Architecture (EA)
67
Enterprise Architecture
CSA Cloud methodology for cloud service capabilities
68
Example of benchmarks and secure configuration guides
DoD Security Technical Implementation Guides (STIGs)
69
DoD STIGs
Security Technical Implementation Guides
70
RMF phases (7)
Prepare, Categorize the system, Select controls, Implement controls, Assess controls, Authorize the system (by an authorizing official), Monitor continuously
71
RMF phases are meant to be implemented in an _____ manner
iterative manner
72
Due Care vs Due Diligence vs Due Process
Due care is acting as a reasonable person would in day-to-day operations (following the security procedures); due diligence is maintaining those procedures and evaluating that they work; due process concerns employee rights and fairness when someone is investigated.
73
EOSL
End of Service Life: the vendor no longer supports or patches the equipment, so it must be retired or protected with compensating controls
74
In the context of third-party risk management, MSA means
Master Service Agreement: the umbrella contract that sets the general terms between the parties, under which individual statements of work are issued
75
In the context of a BPA, a general partnership implies
equal sharing of profits and liabilities
76
A joint venture is a general partnership that has a
shorter time-frame
77
Risk Assessment Phases (4)
Asset ID, Risk Analysis, Determine Risk Likelihood and Impact, Identify Cost of Solutions
78
Inherent Risk vs Control Risk vs Residual Risk
Inherent risk is the risk with no controls in place; control risk is the risk that a control fails or is inadequate; residual risk is what remains after controls are implemented.
79
COOP
Continuity of Operations Plan
80
BCP is composed of
BIA, DRP, COOP
81
BCP is composed of (3 + 2)
Risks, Sites + BIA, DRP, COOP
82
MEFs
Mission Essential Functions
83
PIA
Privacy Impact Assessment (PIA)
84
A PIA starts with a…
PTA (Privacy Threshold Analysis)
85
In the context of testing a DRP, AAR is
After-action reporting
86
MTTR
Mean Time To Repair
87
In the context of PIA, PHI is
Protected Health Information
88
In the context of GDPR, SPI is
Sensitive Personal Information (GDPR's own term is "special categories of personal data"): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, and sex life or sexual orientation. It gets stricter protection than ordinary PII.
89
At least in the US, the term “data owner” has been succeeded by
data steward, or data custodian
90
The __________ determines what data will be collected and how it will be used within an organization
Data controller
91
The overall program for the entire organization is called _____ management, while changes at the actual host or network level of baseline configurations is called ______ management.
change, configuration
92
In DLP, tokenization refers to
Replacing sensitive data with tokens that refer to the actual data, which is stored elsewhere (for example in a token vault); the token itself has no exploitable value if leaked.
93
In the context of cloud storage, a CASB is
Cloud Access Security Broker, acting as an intermediary between users and cloud providers, enforcing enterprise security policy
94
DevOps is characterized by
Bringing together PMs, Developers and Operations to enable rapid software development
95
A mantrap is also called a...
Access Control Vestibule
96
In the context of electronic locks, fail safe vs fail secure
Fail safe disengages a lock in an emergency, fail secure engages it.
97
Perimeter lighting must be
on from dusk to dawn
98
access control model that will allow you to assign specific access policies depending on which network a user is on and not necessarily on the actual identity of the specific user.
Rule based AC
99
In MAC, access is controlled by
The operating system, which enforces access from security labels (classifications and clearances) set by an administrator; users cannot change them
100
In DAC, ___ ___ define what users can access data.
data owners