Governance, Risk, and Compliance Flashcards
(40 cards)
What is the primary goal of governance in the context of information security?
A) implementing technical controls
B) establishing policies and procedures
C) performing vulnerability assessments
D) enforcing user training
Establishing policies and procedures
Governance in information security is primarily concerned with setting up a framework of policies, procedures, and controls to guide an organization’s security posture. These policies are designed to align with the organization’s objectives and ensure compliance.
What is the purpose of a risk assessment in an organization’s security strategy?
A) identifying vulnerabilities
B) determining compliance requirements
C) assigning blame in case of a security incident
D) evaluating the cost of security measures
Identifying vulnerabilities
The primary purpose of a risk assessment is to identify threats and vulnerabilities, estimate the likelihood that they are exploited and the impact on the organization’s assets, and prioritize them. It is the foundation for selecting appropriate security controls; compliance requirements and cost figures are inputs to that decision, not the goal of the assessment.
Which of the following is an example of a compliance standard relevant to the handling of payment card data?
A) HIPAA
B) PCI DSS
C) FERPA
D) ISO/IEC 27001
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is an industry standard, enforced contractually by the card brands rather than by law, that governs the secure handling of cardholder data. It applies to every organization that stores, processes, or transmits payment card data, and to service providers that can affect the security of that data. HIPAA covers protected health information, FERPA student education records, and ISO/IEC 27001 is a general information security management standard.
What role does the CISO (Chief Information Security Officer) typically play in an organization’s security governance?
A) developing software applications
B) implementing firewalls and intrusion detection systems
C) enforcing security policies and procedures
D) managing HR operations
Enforcing security policies and procedures
The CISO is primarily responsible for establishing and enforcing security policies and procedures, aligning them with the organization’s objectives.
How does governance differ from compliance in the context of security management?
A) governance deals with regulations, while compliance focuses on internal policies
B) governance refers to policies, while compliance refers to risk assessment
C) governance defines the rules, while compliance ensures adherence to those rules
D) governance establishes procedures, while compliance dictates technology use
Governance defines the rules, while compliance ensures adherence to those rules
Governance sets the framework, rules, and guidelines for security and assigns accountability for them; compliance is about demonstrating and verifying conformance to those rules and to the external laws, regulations, and standards the organization is subject to.
What is the main purpose of a compliance audit?
A) identifying vulnerabilities
B) ensuring conformity to established standards and regulations
C) conducting risk assessment
D) creating security policies
Ensuring conformity to established standards and regulations
A compliance audit verifies whether an organization is adhering to relevant laws, regulations, and internal policies regarding security measures.
How does risk acceptance differ from risk avoidance in risk management?
A) risk acceptance involves mitigating identified risks, while risk avoidance ignores potential risks
B) risk acceptance is acknowledging the existence of a risk without taking action, while risk avoidance is actively working to eliminate risks
C) risk acceptance transfers identified risks to a third party, while risk avoidance mitigates risks within the organization
D) risk acceptance is embracing identified risks, while risk avoidance is eliminating the risk by investing in insurance
B) Risk acceptance is acknowledging the existence of a risk without taking action, while risk avoidance is actively working to eliminate risks
Risk acceptance means formally acknowledging a risk and choosing not to treat it, typically because the cost of treatment exceeds the expected loss; the decision should be documented and approved by the risk owner. Risk avoidance means eliminating the risk entirely by not undertaking the activity that creates it (for example, deciding not to collect the data at all). Reducing a risk with controls is a separate strategy, risk mitigation, and shifting it to a third party such as an insurer is risk transference.
Which regulation is specifically designed to protect the privacy of individuals’ personally identifiable information (PII)?
A) GDPR
B) SOX
C) GLBA
D) FERPA
GDPR
GDPR (General Data Protection Regulation) regulates the processing of personal data (the EU term for PII) of individuals in the European Union and European Economic Area, and also applies to organizations outside the EU that offer goods or services to, or monitor the behaviour of, those individuals. SOX concerns the integrity of financial reporting, GLBA the protection of financial institutions’ customer data, and FERPA student education records.
What is the primary objective of a security policy in an organization?
A) enforcing legal regulation
B) providing technical guidance for IT professionals
C) communicating management’s directives for security
D) establishing penalties for security breaches
Communicating management’s directives for security
Security policies in an organization communicate management’s directives and expectations for security measures to ensure alignment and compliance throughout the organization.
What is the primary objective of a data classification policy in an organization’s security framework?
A) to define security measures for physical data storage
B) to categorize data based on sensitivity and define handling procedures
C) to outline procedures for disaster recovery
D) to encrypt all sensitive data
To categorize data based on sensitivity and define handling procedures
A data classification policy establishes how data should be categorized based on sensitivity levels and outlines appropriate handling procedures for each category.
What is the primary focus of a change management process in an organization’s security governance?
A) implementing security incident response plans
B) reviewing security policies quarterly
C) controlling modifications to systems and environments
D) evaluating security awareness training effectiveness
C) Controlling modifications to systems and environments
Change management in security governance primarily focuses on controlling and documenting modifications to systems, configurations, and environments to maintain security and reduce risks associated with changes.
Which term refers to the maximum acceptable amount of time a system can be unavailable before it starts causing severe damage to the organization?
A) MTBF (mean time between failures)
B) RTO (recovery time objective)
C) MTTR (mean time to repair)
D) MTD (maximum tolerable downtime)
MTD (maximum tolerable downtime)
MTD is the maximum duration a system or business process can be unavailable before the organization suffers unacceptable harm. The RTO is the target time to restore service and must be set below the MTD; MTBF and MTTR are reliability metrics for components, not business-impact thresholds.
What is the primary purpose of a security awareness training program within an organization?
A) implementing security controls
B) identifying security incidents
C) educating employees about security best practices
D) responding to security breaches
C) Educating employees about security best practices
Security awareness training aims to educate employees about security best practices and potential threats.
Which of the following is an essential component of a security policy framework in an organization?
A) conducting regular vulnerability assessments
B) providing physical access controls
C) establishing a business continuity plan
D) configuring network firewalls
Establishing a business continuity plan
A business continuity plan defines how critical operations continue during and after a disruption such as a disaster or security breach, and it is a required element of a complete security policy framework. The other options are individual technical or physical controls rather than components of the policy framework itself.
What is the primary objective of an IT audit of an organization’s security governance?
A) ensuring all software is up-to-date
B) verifying compliance with policies and regulations
C) implementing new security protocols
D) assessing user access controls
B) Verifying compliance with policies and regulations
An IT audit primarily aims to assess and ensure that the organization complies with established policies, regulations, and industry standards.
Which term describes the process of quantifying the possible losses from a particular risk?
A) risk analysis
B) risk mitigation
C) risk assessment
D) risk management
Risk analysis
Risk analysis evaluates a specific risk by estimating the likelihood of the threat event and the magnitude of its impact. Quantitative analysis expresses the result as an expected monetary loss (for example an annualized loss expectancy), while qualitative analysis uses ordinal ratings such as high, medium, and low. Risk assessment is the broader process that includes identifying the risks in the first place, and risk management encompasses the treatment decisions that follow.
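As an added worked example (not part of the original flashcard set), the following Python code carries the quantitative version of this card through: it uses the standard single loss expectancy (SLE = asset value × exposure factor) and annualized loss expectancy (ALE = SLE × annualized rate of occurrence) formulas, which the card does not name, ranks risks by ALE, and computes whether a safeguard is cost-justified from the reduction in ALE it buys. All asset values, factors, and costs are constructed illustrative figures, and the class and function names are the example’s own.

```python
"""Quantitative risk analysis: SLE, ALE, risk ranking and safeguard cost-benefit.

Formulas (standard quantitative model, assumed here; the flashcard does not state them):
  SLE = AV x EF          single loss expectancy
  ALE = SLE x ARO        annualized loss expectancy
  safeguard value = ALE_before - ALE_after - annual cost of the safeguard
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One risk scenario against one asset."""
    name: str
    asset_value: float      # AV: value of the asset at risk, in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence, 0.0..1.0
    aro: float              # ARO: expected occurrences per year (may be below 1)

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce nonsense expected-loss figures.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Loss from a single occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control that lowers EF (limits damage) and/or ARO (limits frequency)."""
    name: str
    annual_cost: float                      # amortized purchase plus operating cost per year
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def residual_risk(risk: Risk, safeguard: Safeguard) -> Risk:
    """The same scenario with the safeguard's reduced EF and/or ARO applied."""
    ef = risk.exposure_factor if safeguard.new_exposure_factor is None else safeguard.new_exposure_factor
    aro = risk.aro if safeguard.new_aro is None else safeguard.new_aro
    return replace(risk, exposure_factor=ef, aro=aro)


def safeguard_value(risk: Risk, safeguard: Safeguard) -> float:
    """Net annual benefit of the control; positive means it pays for itself."""
    return risk.ale() - residual_risk(risk, safeguard).ale() - safeguard.annual_cost


def rank_by_ale(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Highest expected annual loss first: the order in which to treat risks."""
    return sorted(((r.name, r.ale()) for r in risks), key=lambda t: t[1], reverse=True)


# Constructed sample figures for illustration only (hypothetical organization).
SAMPLE_RISKS = [
    Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.2),
    Risk("customer DB breach via web app", asset_value=2_000_000, exposure_factor=0.25, aro=0.1),
    Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
]
OFFLINE_BACKUPS = Safeguard("offline backups", annual_cost=15_000, new_exposure_factor=0.1)
DISK_ENCRYPTION = Safeguard("full-disk encryption", annual_cost=20_000, new_exposure_factor=0.3)


if __name__ == "__main__":
    for name, ale in rank_by_ale(SAMPLE_RISKS):
        print(f"{name:32s} ALE = {ale:>10,.0f}")
    for risk, sg in ((SAMPLE_RISKS[0], OFFLINE_BACKUPS), (SAMPLE_RISKS[2], DISK_ENCRYPTION)):
        print(f"{sg.name:20s} on {risk.name!r}: net annual value {safeguard_value(risk, sg):,.0f}")
```

With the sample figures, offline backups cut the ransomware ALE from 60,000 to 10,000 for a cost of 15,000, a net gain of 35,000, whereas full-disk encryption on the laptop fleet costs more per year than the loss it prevents and would need a non-monetary justification (for example a regulatory or contractual requirement) rather than this calculation alone.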
What is the purpose of a Security Risk Assessment?
A) identifying security controls
B) evaluating the impact of a security breach
C) measuring and managing potential risks
D) testing the effectiveness of disaster recovery plans
Measuring and managing potential risks
A Security Risk Assessment involves identifying, analyzing, and managing potential risks within an organization’s security landscape.
What is the primary function of a Privacy Impact Assessment (PIA)?
A) assessing the financial impact of security breaches
B) identifying potential risks to individual privacy
C) evaluating the effectiveness of security controls
D) analyzing the impact of data encryption methods
Identifying potential risks to individual privacy
A Privacy Impact Assessment primarily aims to identify and evaluate potential risks to individual privacy within a specific system or process.
Which term refers to a legal statement ensuring that two parties will keep specific information confidential?
A) non-disclosure agreement (NDA)
B) memorandum of understanding (MOU)
C) service level agreement (SLA)
D) business partnership agreement (BPA)
Non-disclosure agreement (NDA)
An NDA is a legally binding contract between two or more parties, ensuring that specific information remains confidential and is not shared with others.
What does the term “Chain of Custody” primarily refer to?
A) documentation of evidence handling procedures
B) tracking unauthorized access attempts
C) cataloging software and hardware inventory
D) maintaining system backups
Documentation of evidence handling procedures
The “Chain of Custody” is the documented, unbroken record of who collected a piece of evidence and who has handled, transferred, or stored it, when, where, and for what purpose, from collection through presentation in court. Any gap in that record lets the integrity of the evidence be challenged and may render it inadmissible.
In terms of risk management, what does the term “Risk Appetite” refer to?
A) the maximum risk level an organization is willing to accept
B) the likelihood of a security incident occurring
C) the overall risk exposure of the organization
D) the effectiveness of risk mitigation strategies
A) The maximum risk level an organization is willing to accept
Risk Appetite is the amount and type of risk an organization is willing to accept in pursuit of its objectives, set by senior management and the board. It is distinct from risk tolerance, the acceptable deviation around that level for a particular objective or activity.
How do Deterrent Controls contribute to an organization’s security strategy?
A) providing immediate response to security incidents
B) discouraging potential attackers from targeting the organization
C) identifying and mitigating security vulnerabilities
D) establishing secure data backups and recovery plan
Discouraging potential attackers from targeting the organization
Deterrent Controls aim to discourage a would-be attacker from acting at all by raising the perceived likelihood of detection or of consequences; examples include login warning banners, visible cameras, security guards, and published sanction policies. They do not by themselves stop or detect an attack, which is what preventive and detective controls do.
What is the primary purpose of Corrective Controls in the realm of cybersecurity governance?
A) preventing potential security incidents
B) quickly responding to security incidents as they occur
C) correcting and mitigating the impact of security incidents
D) establishing robust access control measures
Correcting and mitigating the impact of security incidents
Corrective Controls act after an incident has occurred to limit its damage and restore affected systems to a known good state; examples include restoring from backup, patching the vulnerability that was exploited, and terminating a compromised session or account.
What role do Preventive Controls play in an organization’s security framework?
A) correcting and mitigating the impact of security incidents
B) identifying and alerting the presence of security incidents
C) blocking potential security incidents from occurring
D) establishing secure data backups and recovery plans
Blocking potential security incidents from occurring
Preventive Controls are measures put in place to stop security incidents from happening or to reduce their likelihood; examples include access control lists, firewalls, input validation, and encryption. Detective controls (option B) identify incidents in progress or after the fact, and corrective controls (option A) remediate them.