Security Program Management and Oversight (D5)

Question 1

Governance - Crucial Aspects (Governance and Compliance)

Answer 1

Risk Management
Strategic Alignment
Resource Management
Performance Management

Question 2

Compliance - Importance of it (Governance and Compliance)

Answer 2

Legal Obligations
Trust and Reputation
Data Protection
Business Continuity

Question 3

Policies (Governance and Compliance)

Answer 3

Acceptable Use Policies (AUP)
Information Security Policies
Business Continuity
Disaster Recovery
Incident Response
Change Management
Software Development Lifecycle (SDLC)

Question 4

Purpose of Governance

Answer 4

Establishes a strategic framework aligning with objectives and regulations
Define rules, responsibilities, and practices for achieving goals and managing IT resources

Question 5

Standards (Governance and Compliance)

Answer 5

Standards
Password Standards
Access Control Standards
– Discretionary Access Control (DAC)
– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)

Question 6

Geographical Consideration (Governance and Compliance)

Answer 6

Regional considerations like CCPA in California, impose state-level regulations
National considerations, eg ADA in the US, affect business across the entire country
Global considerations like GDPR, apply extraterritorially to organizations dealing with EU citizens’ data

Question 7

Due Diligence and Due Care (Governance and Compliance)

Answer 7

Due Diligence - identifying compliance risks through thorough review
Due Care - Mitigating identified risks

Question 8

Attestation and Acknowledgement (Governance and Compliance)

Answer 8

Attestation - Formal declaration by a responsible party that the organization’s processes and controls are compliant
Acknowledgement - Recognition and acceptance of compliance requirements by all relevant parties

Question 9

Risk Management Lifecycle

Answer 9

Risk Identification
Risk Analysis
Risk Treatment
Risk Monitoring
Risk Reporting

Question 10

Risk Identification Concepts
(Key Metrics in Business Impact Analysis (BIA))

Answer 10

Recovery Time Objective
Recovery Point Objective
Mean Time to Repair
Mean Time Before Failure

Question 11

Risk Analysis

Answer 11

Qualitative Risk Analysis - Assess and prioritize risks based on likelihood and impact
Quantitative Risk Analysis - Numerically estimate probability and potential impact

Question 12

Risk Management Strategies - Types

Answer 12

Risk Transfer
Risk Acceptance
Risk Avoidance
Risk Mitigation

Question 13

Recovery Time Objective (RTO)

Answer 13

• Maximum acceptable time before severe impact
• Target time for restoring a business process

Question 14

Recovery Point Objective (RPO)

Answer 14

• Maximum acceptable data loss measured in time
• Point in time data must be restored to

Question 15

Mean Time to Repair (MTTR)

Answer 15

• Average time to repair a failed component or system
• Indicator of repair speed and downtime minimization

Question 16

Mean Time Between Failures (MTBF)

Answer 16

• Average time between system or component failures
• Measure of reliability

Question 17

Components of Risk Register

Answer 17

Risk Description
Risk Impact
Risk Likelihood
Risk Outcome
Risk Level or Threshold

Question 18

Risk Description (Components of Risk Register)

Answer 18

• Identifies and describes the risk
• Clear and concise description

Question 19

Risk Impact (Components of Risk Register)

Answer 19

• Potential consequences of risk occurrence
• Rated on a scale (e.g., low, medium, high)

Question 20

Risk Likelihood (Components of Risk Register)

Answer 20

• Probability of risk occurrence
• Rated on a scale (e.g., numerical or descriptive)

Question 21

Risk Outcome (Components of Risk Register)

Answer 21

• Result of the risk if it occurs
• Result of the risk if it occurs

Question 22

Risk Level or Threshold (Components of Risk Register)

Answer 22

• Determined by combining the impact and likelihood
• Prioritizes risks (e.g., high, medium, low)

Question 23

Risk Tolerance (Risk Acceptance)

Answer 23

• An organization or individual’s willingness to deal with uncertainty in pursuit of their goals
• Maximum amount of risk they are willing to accept
• Acceptance without countermeasures

Question 24

Risk Appetite

Answer 24

• Willingness to pursue or retain risk
• Types (Expansionary, Conservative, Neutral)

Question 25

Risk Owner

Answer 25

• Responsible for managing the risk
• Monitors, implements mitigation actions, and updates Risk Register
• Accountable for risk management

Question 26

Single Loss Expectancy (SLE) - Quantitative Risk Analysis

Answer 26

• Monetary value expected to be lost in a single event
• Calculated as Asset Value x Exposure Factor (EF)

Question 27

Exposure Factor (EF) - Quantitative Risk Analysis

Answer 27

• Proportion of asset lost in an event (0% to 100%)
• Indicates asset loss severity

Question 28

Annualized Rate of Occurrence (ARO) - Quantitative Risk Analysis

Answer 28

• Estimated frequency of threat occurrence within a year
• Provides a yearly probability

Question 29

Annualized Loss Expectancy (ALE) - Quantitative Risk Analysis

Answer 29

• Expected annual loss from a risk
• Calculated as SLE x ARO

Question 30

Piggybacking and Tailgating

Answer 30

• Social engineers may try to enter secured premises by closely following authorized personnel

Question 31

Dumpster Diving

Answer 31

Attackers sift through garbage for discarded information

Question 32

Operational Security (OPSEC)

Answer 32

• Protects critical information from being used by adversaries
• Safeguard sensitive data, daily routines, and internal procedures