Security Program Management and Oversight

Question 1

Security Governance

Answer 1

Framework that ensures an org’s security strategies align with business obj’s and compliance requirments

Question 2

Business Continuity Plan (BCP)

Answer 2

Strategy that outlines procedures for maintain business operations during and after a disruptive event

Question 3

Disaster Recovery Plan (DRP)

Answer 3

Documented process for restoring IT systems and data after a disaster to resume normal business op’s

Question 4

Compliance

Answer 4

Adhere to laws, regulations, standards, and policies relevant to an org’s operations

Question 5

Acceptable Use Policy (AUP)

Answer 5

Guidelines that define acceptable and unacceptable behaviors when using organizational resources

Question 6

Security Audit

Answer 6

Evaluation of an org’s security policies, procedures, and controls to ensure effectiveness and compliance

Question 7

Change Management

Answer 7

Systematic appraoch to managing alterations in IT systems to minimize negative impact on services

Question 8

Asset Management

Answer 8

Process of tracking and managing an org’s assets, including hardware, software, and data

Question 9

Data Classification

Answer 9

Process of organizing data into categories based on sensitivity and criticality to ensure proper protection

Question 10

Chief Information Security Officer (CISO)

Answer 10

Senior executive responsible for developing and implementing and information security program

Question 11

Security Metrics

Answer 11

Quantitative measures used to assess the effectiveness of an org’s security controls

Question 12

Policy Exception Management

Answer 12

Process of handling deviations from established security policies in a controlled and documented manner

Question 13

Continuous Monitoring

Answer 13

Ongoing observation of an org’s security posture to detect and respond to threats in real time

Question 14

Segregation of Duties (SoD)

Answer 14

The practice of dividing responsibilities among different individuals to reduce the risk of a fraud or error

Question 15

Security Baseline

Answer 15

Minimum security standards and config’s that must be applied to systems within an org

Question 16

Risk Appetite

Answer 16

Amount of risk an org is willing to accept in pursuit of it’s obj’s

Question 17

Business Impact Analysis (BIA)

Answer 17

Process of determining the potential effects of an interruption of critical business ops’

Question 18

Threat Modeling

Answer 18

Structured approach to identifying and prioritizing potential threats to a system

Question 19

Security Control Assessment

Answer 19

Evaluation of security controls to determine their effectiveness in protecting information assets

Question 20

Security Posture

Answer 20

Overall security status of an org’s software, hardware, network, and information

Question 21

Risk Assessment

Answer 21

Identifying and evaluating risks to an org’s information assets

Question 22

Security Governance Framework

Answer 22

Structured approach that defines the policies, procedures, and controls to manage and monitor an org’s security

Question 23

Policy Development Lifecycle

Answer 23

Structured process an org follows to create, implement, and maintain policies

Question 24

Quantitative Risk Assessment

Answer 24

Risk assessment method that assigns numerical values to risks based on potential impact and likelihood

Question 25

Qualitative Risk Assessment

Answer 25

Risk assessment method that evaluates risks based on subjective criteria like likelihood and impact using categories Examples: low, med, high

Question 26

Due Diligence

Answer 26

Process of investigating and ensuring proper security controls and measures are in place

Question 27

Due Care

Answer 27

Taking reasonable actions to protect org assets and prevent security incidents

Question 28

Key Risk Indicators (KRI's)

Answer 28

Metrics used to measure the likelihood and impact of risks within an org

Question 29

Data Steward

Answer 29

Responsible for managing data quality and enforcing data governance policies

Question 30

Data Custodian

Answer 30

Responsible for maintaining and protecting data as per org policies

Question 31

Control Risk Self-Assessment (CRSA)

Answer 31

Process where teams assess the effectiveness of security controls to identify gaps or weaknesses

Question 32

Program Management Officer (PMO)

Answer 32

Org unit responsible for standardizing and managing security related programs and projects

Question 33

Incident Coordinator

Answer 33

Responsible for managing and coordinating the response to security incidents

Question 34

Policy Dissemination

Answer 34

Process of disturbing and communicating policies to ensure understanding and compliance

Question 35

Tabletop Exercise

Answer 35

Simulated discussions of security incident scenarios to practice response and improve plans

Question 36

Service Continuity Management (SCM)

Answer 36

Ensuring that critical services remain operational during and after a disruption

Question 37

System of Record (SoR)

Answer 37

Serves as the authoritative reference for certain types of data

Question 38

Recovery Time Objective (RTO)

Answer 38

Max time allowed to restore a service or system after an outage

Question 39

Recovery Point Objective (RPO)

Answer 39

Max tolerable amount of data loss measured in time during a disruption

Question 40

Retention Policy

Answer 40

Rules governing how long data must be kept and when it should be disposed

Question 41

Benchmarking

Answer 41

Comparing an org's security practices and performance to industry standards or peers

Question 42

Residual Risk

Answer 42

Level of risk that remains after security controls have been applied to mitigate a threat

Question 43

Zero Trust Architecture (ZTA)

Answer 43

A security model that requires verification of every user and device attempting to access resources, regardless of location or network

Question 44

Risk Register

Answer 44

A document that identifies, assesses, and prioritizes risks, along with their mitigation strategies and status

Question 45

Third-Party Assessment

Answer 45

Evaluation conducted to ensure that vendors or partners comply with an organization’s security policies and standards

Question 46

Data Retention Policy

Answer 46

To define how long data should be kept, the methods for securely storing it, and when it should be securely disposed of

Question 47

Privacy Impact Assessment (PIA)

Answer 47

An analysis conducted to identify and mitigate privacy risks associated with the collection, storage, and use of personal data