Security Program Management and Oversight Flashcards

Question

A startup technology company is willing to take on high-risk ventures to expand its market share quickly. The company understands the potential consequences but is willing to proceed with aggressive business strategies. Which risk appetite best describes the company’s approach? A. Conservative B. Neutral C. Expansionary D. Risk-averse

Answer 1

✅ Correct Answer: C. Expansionary 🔹 Explanation: An expansionary risk appetite means the organization is willing to accept higher risks for the potential of greater rewards, such as rapid market expansion or aggressive investments. 🔸 Why other choices are incorrect: A. Conservative → A conservative approach would prioritize protecting assets and avoiding risks. B. Neutral → A neutral risk appetite balances risk-taking with protection, not aggressively pursuing high-risk strategies. D. Risk-averse → This describes a company that avoids risk, which is the opposite of an expansionary approach.

Answer 2

✅ Correct Answer: A. The ability of an organization to continue operating despite risks exceeding its defined risk appetite. 🔹 Explanation: Risk tolerance is an organization’s ability to endure risks beyond its predefined appetite while maintaining operations. 🔸 Why other choices are incorrect: B. Identifying and analyzing risks → Describes Risk Analysis, not tolerance. C. Document tracking risks → Describes a Risk Register, not tolerance. D. Threshold where risk is too high → Describes Risk Threshold, not tolerance

Answer 3

✅ Correct Answer: C. Conservative 🔹 Explanation: A conservative risk appetite means the organization avoids unnecessary risks and prioritizes protecting existing assets and stability. 🔸 Why other choices are incorrect: A. Expansionary → Expansionary risk appetite seeks high risk for high rewards, which this company does not do. B. Neutral → Neutral risk appetite balances risk-taking and stability, while this company strictly avoids risk. D. High-risk → Not a formal risk appetite classification, but closest to expansionary.

Answer 4

✅ Correct Answer: A. Steps for responding to security incidents and lessons learned 🔹 Explanation: An IR Plan outlines detection, response, and recovery steps when a security incident occurs. It also includes post-incident analysis (lessons learned). 🔸 Why other choices are incorrect: B. Software testing procedures → Covered under SDLC Policy. C. AUP → Defines acceptable IT resource usage, not incident response. D. Business Continuity (BC) Plan → Focuses on keeping the business running, not incident handling.

Answer 5

✅ Correct Answer: C. They provide recommended best practices but are not mandatory. 🔹 Explanation: Global security frameworks, such as ISO 27001, provide widely accepted cybersecurity best practices, but they are not legally required since no international governing body enforces them. 🔸 Why other choices are incorrect: A. Legally binding regulations → Global frameworks are recommendations, not mandatory laws. B. Apply to multinational businesses only → They can be followed by any organization, not just international ones. D. Override national laws → National and regional laws take precedence over global frameworks.

Answer 6

✅ Correct Answer: C. Minimum password requirements and account lifecycle policies 🔹 Explanation: An access control standard outlines minimum security requirements for accounts and authentication, including password policies, onboarding/offboarding procedures, and shared account restrictions. 🔸 Why other choices are incorrect: A. Acceptable use of IT resources → Describes Acceptable Use Policies (AUPs), not access control standards. B. Revoking access after employee departure → Part of offboarding procedures, but access control standards cover broader account lifecycle policies. D. Encryption algorithms → Falls under encryption standards, not access control standards.

Answer 7

✅ Correct Answer: A. Centralized governance 🔹 Explanation: A centralized governance model ensures that security policies, standards, and procedures are enforced consistently across all departments. Lower-level teams must comply with policies rather than deciding how to implement them independently. 🔸 Why other choices are incorrect: B. Decentralized governance → Gives lower levels control over implementation, which is not required in this case. C. Committee-based governance → Committees oversee specific functions, but do not enforce security across an organization. D. Industry-specific governance → Industry standards (e.g., HIPAA) define security controls but do not dictate internal governance structure.

Answer 8

✅ Correct Answer: C. Transfer 🔹 Explanation: Risk transfer (transference) shifts the financial or operational burden of a risk to a third party, such as an insurance provider. This is commonly done through cyber insurance, outsourcing, or third-party agreements. 🔸 Why other choices are incorrect: A. Mitigation → Reduces the risk impact but does not shift responsibility to another party. B. Acceptance → Means choosing to do nothing about the risk, rather than transferring it. D. Avoidance → Involves eliminating the risk entirely, not transferring liability

Answer 9

✅ Correct Answer: A. Reducing the potential for and impact of a risk 🔹 Explanation: Risk mitigation is the strategy that reduces a risk’s likelihood or impact through security measures, such as firewalls, monitoring, encryption, or multi-factor authentication (MFA). 🔸 Why other choices are incorrect: B. Completely eliminating the risk → Describes risk avoidance, not mitigation. C. Documenting risk and presenting it → Describes risk reporting, not mitigation. D. Transferring responsibility to another party → Describes risk transfer, not mitigation

Answer 10

✅ Correct Answer: A. Data owner 🔹 Explanation: A data owner is the highest-level entity responsible for ensuring proper security measures and compliance for a specific data set. Since HR handles employee records, the head of HR is the data owner in this case. 🔸 Why other choices are incorrect: B. Data processor → A processor handles data on behalf of an owner/controller but does not control the data itself. C. Data controller → A controller defines processing rules, but the head of HR has broader ownership responsibilities. D. Data custodian → A custodian focuses on data security controls but does not own the data.

Answer 11

✅ Correct Answer: B. The estimated financial or operational effect of a risk occurring. 🔹 Explanation: Impact refers to the effect a risk would have on an organization if it were to occur, including financial, operational, and reputational impacts. 🔸 Why other choices are incorrect: A. Probability of risk occurrence → Describes Likelihood, not impact. C. Number of occurrences per year → This is Annualized Rate of Occurrence (ARO). D. Risk score assigned to a threat → This is Risk Severity, not impact.

Answer 12

✅ Correct Answer: C. Encryption Standard 🔹 Explanation: An encryption standard defines the minimum encryption algorithms, key lengths, and protocols required to secure data at rest and in transit. 🔸 Why other choices are incorrect: A. Access control standard → Governs account security and authentication, not encryption methods. B. Physical security standard → Covers physical asset protection, not data encryption. D. Password standard → Focuses on password complexity and reuse policies, not encryption mechanisms.

Answer 13

✅ Correct Answer: D. Change Management Policy 🔹 Explanation: A Change Management Policy ensures that changes to systems and processes are properly submitted, reviewed, approved, and implemented while considering both security risks and operational impact. 🔸 Why other choices are incorrect: A. SDLC Policy → Covers software development security, not organizational change management. B. Incident Response (IR) Plan → Focuses on handling security incidents, not managing routine changes. C. ISP → Provides broad security guidelines, not a structured change approval process.

Answer 14

✅ Correct Answer: 1 → D (Data Owner = The highest authority responsible for data security and compliance) 2 → A (Data Controller = Decides what data is collected and how it is processed) 3 → C (Data Processor = Handles data processing based on controller/owner requirements) 4 → B (Data Custodian = Focuses on securing and storing data) 5 → E (Data Steward = Ensures data accuracy, integrity, and compliance with regulations)

Answer 15

✅ Correct Answer: A. Accept 🔹 Explanation: Risk acceptance means the organization acknowledges the risk but decides to take no action because the cost of mitigation outweighs the impact. 🔸 Why other choices are incorrect: B. Mitigate → Would involve applying security patches or implementing compensating controls. C. Avoid → Would mean removing the system entirely, which is not happening here. D. Transfer → Would mean outsourcing responsibility, such as purchasing insurance.

Answer 16

✅ Correct Answer: B. Exemption 🔹 Explanation: A risk exemption is a formal acceptance of risk that exceeds an organization’s normal risk appetite or tolerance. It requires executive approval and documentation, often with an expiration date or review period. 🔸 Why other choices are incorrect: A. Exception → Allows temporary non-compliance with security policies but is usually granted on a case-by-case basis without formal expiration. C. Mitigation → Would involve reducing the risk, not approving its acceptance. D. Transfer → Would involve outsourcing risk responsibility, which is not happening here.

Answer 17

✅ Correct Answer: A. $10,000 🔹 Explanation: ALE is calculated using the formula: 𝐴𝐿𝐸=𝐴𝑅𝑂×𝑆𝐿𝐸 where: ARO = 0.2 (since 20% = 0.2 occurrences per year) SLE = $50,000 𝐴𝐿𝐸=0.2×50,000=10,000

Answer 18

✅ Correct Answer: C. Data processor 🔹 Explanation: A data processor is responsible for handling data on behalf of the data owner or controller based on predefined instructions. In this case, the third-party service processes transactions but does not decide what data is collected or why. 🔸 Why other choices are incorrect: A. Data owner → The company that collects and owns the credit card data is the data owner, not the processor. B. Data controller → The controller decides what data is collected and how it's processed, but this role belongs to the company, not the third-party processor. D. Data custodian → A custodian focuses on securing and storing data, not actively processing transactions.

Answer 19

✅ Correct Answer: D. Software Development Lifecycle (SDLC) Policy 🔹 Explanation: An SDLC Policy ensures that software is developed, tested, deployed, and maintained securely throughout its entire lifecycle to minimize vulnerabilities. 🔸 Why other choices are incorrect: A. Change Management Policy → Governs system modifications, but does not focus on software security. B. Incident Response (IR) Plan → Handles security incidents, but does not govern software development security. C. AUP → Defines acceptable IT usage, not software lifecycle security.

Answer 20

✅ Correct Answer: B. Physical Security Standard 🔹 Explanation: A physical security standard defines minimum security requirements for protecting an organization's premises, assets, and personnel. This can include access control measures, security monitoring, and visitor entry protocols. 🔸 Why other choices are incorrect: A. Encryption standard → Focuses on data encryption, not securing physical premises. C. Playbook → Provides step-by-step response actions for incidents, not general security standards. D. Change management procedure → Governs how system and process changes are implemented, not physical security measures.

Answer 21

✅ Correct Answer: C. A mandatory, step-by-step guide for performing specific tasks 🔹 Explanation: A procedure provides a detailed, step-by-step process that must be followed to ensure consistency and compliance in security tasks. 🔸 Why other choices are incorrect: A. Security goals and intent → Describes policies, which define broad security objectives. B. Flexible recommendations → Describes guidelines, which are not mandatory like procedures. D. Guidelines for handling security incidents → Describes playbooks, which focus on incident response scenarios.

Answer 22

✅ Correct Answer: 1 → B (Ad hoc = In response to a specific event, expedited assessment) 2 → A (Recurring = Performed at regular intervals to monitor risk over time) 3 → C (One-time = A broad, high-level risk assessment at a specific point in time) 4 → D (Continuous = Ongoing, automated risk monitoring and alerting)

Answer 23

✅ Correct Answer: 1 → A (Exposure Factor = Percentage of damage an asset incurs per risk occurrence) 2 → B (SLE = Monetary loss per incident) 3 → C (ARO = Expected risk occurrences per year) 4 → D (ALE = Total yearly monetary loss expectation) 5 → E (Likelihood = Probability of risk occurrence, expressed as a percentage)

Answer 24

✅ Correct Answer: A. The process of documenting and communicating risk information to stakeholders 🔹 Explanation: Risk reporting ensures that risk-related data is collected, maintained, and presented to decision-makers to inform security strategies. 🔸 Why other choices are incorrect: B. Reducing risk through security controls → Describes risk mitigation, not reporting. C. Maximum risk level an organization is willing to accept → Describes risk threshold, not reporting. D. Ability to withstand risks beyond limits → Describes risk tolerance, not reporting.

Answer 25

✅ Correct Answer: A. Recovery Time Objective (RTO) 🔹 Explanation: Recovery Time Objective (RTO) defines the maximum allowable downtime before operations must be restored. In this scenario, the company must recover within four hours, which is the RTO. 🔸 Why other choices are incorrect: B. RPO → Defines acceptable data loss, not downtime. C. MTTR → Measures average repair time, not maximum downtime tolerance. D. MTBF → Measures average time between failures, not system recovery time.

Answer 26

✅ Correct Answer: C. Vendor Assessment 🔹 Explanation: A vendor assessment ensures that a third-party provider meets security and compliance requirements. This can involve penetration testing, audits, independent assessments, and supply chain reviews. 🔸 Why other choices are incorrect: A. Supply Chain Analysis → Focuses on supply chain security, not vendor compliance verification. B. Right-to-Audit Clause Enforcement → A contractual right to audit, but the company hasn’t signed a contract yet. D. Independent Assessment → Conducted by a third party, but the company is performing its own assessment.

Answer 27

✅ Correct Answer: A. Memorandum of Agreement (MOA) 🔹 Explanation: A Memorandum of Agreement (MOA) is a legally binding document that defines the relationship and responsibilities of two or more parties, such as government agencies or organizations. 🔸 Why other choices are incorrect: B. MOU → An informal, non-binding agreement, which would not be legally enforceable. C. MSA → Used for long-term vendor-client relationships, not interagency cooperation. D. SLA → Defines service performance guarantees, not organizational relationships.

Answer 28

✅ Correct Answer: B. Due Diligence 🔹 Explanation: Due diligence is the process of thoroughly evaluating a vendor before selection, including assessing financial stability, security measures, and regulatory compliance. 🔸 Why other choices are incorrect: A. Vendor Assessment → Typically verifies security compliance after the vendor is selected. C. Conflict of Interest Review → Focuses on vendor-client conflicts, not general vendor evaluation. D. Supply Chain Analysis → Examines security risks in the supply chain, not vendor selection.

Answer 29

✅ Correct Answer: C. Fines 🔹 Explanation: Fines are monetary penalties imposed for non-compliance with regulations, such as HIPAA, GDPR, or PCI DSS. 🔸 Why other choices are incorrect: A. Contractual Impacts → Would apply if a business contract was terminated due to the violation. B. Sanctions → Includes business restrictions or criminal charges, but fines alone do not count as sanctions. D. Reputational Damage → The company's public image may suffer, but the primary consequence is a financial penalty.

Answer 30

✅ Correct Answer: B. HIPAA Explanation: HIPAA (Health Insurance Portability and Accountability Act) is a U.S. national law that protects patient health information. Why not the others? A. GDPR: This is a European Union regulation, not specific to the U.S. C. CCPA: This is a California state law focused on consumer privacy, not healthcare data. D. ISO 27001: This is an international standard for information security management, not a law.

Answer 31

✅ Correct Answer: A. External Compliance Monitoring Explanation: The use of a third-party auditing firm to assess compliance with regulatory standards is an example of external compliance monitoring.

Answer 32

✅ Correct Answer: A. Vendor Monitoring 🔹 Explanation: Vendor monitoring is the continuous evaluation of a vendor’s compliance, performance, and security posture throughout the entire vendor-client relationship. 🔸 Why other choices are incorrect: B. Vendor Selection → Occurs before choosing a vendor, not for ongoing monitoring. C. Supply Chain Analysis → Focuses on supply chain security, not vendor contract compliance. D. Right-to-Audit Clause Enforcement → Allows audits, but vendor monitoring is broader, including performance and compliance tracking.

Answer 33

✅ Correct Answer: B. Recovery Point Objective (RPO) 🔹 Explanation: Recovery Point Objective (RPO) defines how much data loss is acceptable in a system failure. Since the last backup was at 12:00 AM, the organization risks losing up to 23 hours of data, which is the RPO value. 🔸 Why other choices are incorrect: A. RTO → Defines maximum downtime, not data loss. C. MTTR → Measures repair time, not data recovery limits. D. MTBF → Tracks system reliability, not backup frequency

Answer 34

✅ Correct Answer: D. Evidence of Internal Audits 🔹 Explanation: Evidence of internal audits allows an organization to review a vendor’s internal security documentation and controls to verify risk management practices. 🔸 Why other choices are incorrect: A. Vendor Penetration Testing → Penetration testing involves simulated attacks, not reviewing audit documentation. B. Supply Chain Analysis → Focuses on supply chain security, not vendor risk management practices. C. Right-to-Audit Clause → Allows clients to perform audits, but this scenario is about reviewing vendor audit reports, not conducting an audit.

Answer 35

✅ Correct Answer: C. Conflict of Interest 🔹 Explanation: A conflict of interest occurs when a vendor serves multiple clients with competing interests, which may lead to security risks or biased decision-making. 🔸 Why other choices are incorrect: A. Due Diligence Failure → The company did identify the issue during vendor evaluation, so due diligence was conducted correctly. B. Vendor Mismanagement → No evidence suggests the vendor is mismanaging resources or security. D. Supply Chain Risk → This involves product and distribution security, not competing client interests.

Answer 36

✅ Correct Answer: C. Questionnaires 🔹 Explanation: Questionnaires are used to gather vendor insights regarding security practices, data handling, and compliance. They are a common tool in vendor assessments and monitoring. 🔸 Why other choices are incorrect: A. Compliance Monitoring → Ensures vendor follows security policies, but this question refers to collecting vendor-provided information. B. Rules of Engagement → Defines system access and vendor interactions, not security surveys. D. Financial Monitoring → Reviews financial stability, not security posture.

Answer 37

Explanation: The correct answer is B. Sanctions, as the organization is being prohibited from processing patient data (a form of restriction or penalty) until compliance is restored. Why not the others? A. Contractual Impacts: This would involve breaches of agreements with third parties, not regulatory penalties. C. Loss of License: This would involve the revocation of a business license, which is not mentioned here. D. Fines: This would involve monetary penalties, which are not described in the scenario.

Answer 38

✅ Correct Answer: A. Internal Compliance Reporting 🔹 Explanation: Internal compliance reporting is used to inform high-level internal stakeholders, such as executives or board members, about compliance gaps, security posture, and areas for improvement. 🔸 Why other choices are incorrect: B. External Compliance Reporting → Intended for government agencies or business partners, not internal executives. C. Regulatory Compliance Audit → Involves formal assessments by auditors, not internal reporting. D. Risk Management Review → Evaluates risk exposure, not compliance status

Answer 39

✅ Correct Answer: A. The average time required to repair and restore a failed system 🔹 Explanation: MTTR (Mean Time to Repair) is the average time it takes to restore a failed system to normal operations, including troubleshooting, fixing, and verifying repairs. 🔸 Why other choices are incorrect: B. RTO → Defines maximum tolerable downtime, not actual repair time. C. RPO → Refers to acceptable data loss, not repair time. D. MTBF → Measures time between failures, not repair duration.

Answer 40

✅ Correct Answer: A. A security evaluation conducted by a third party unaffiliated with both the vendor and the client 🔹 Explanation: An independent assessment is performed by an external entity that is not associated with the client or the vendor, ensuring an unbiased security evaluation. 🔸 Why other choices are incorrect: B. Internal security review by vendor → This describes internal audits, not independent assessments. C. Penetration test by client → Penetration testing is different from independent third-party security reviews. D. Supply chain tracking → Describes supply chain analysis, not independent assessments.

Answer 41

✅ Correct Answer: B. A set of predefined conditions detailing how vendor testing, access, and monitoring may occur 🔹 Explanation: Rules of Engagement establish what systems a vendor can access, what actions they can perform, and when testing or monitoring is permitted. 🔸 Why other choices are incorrect: A. Security questionnaires → Used for vendor assessments but do not set access or testing boundaries. C. SLA (Service-Level Agreement) → Defines service expectations, not testing permissions. D. BPA (Business Partners Agreement) → Governs partnerships, not vendor security access rules.

Answer 42

✅ Correct Answer: D. Performance Monitoring 🔹 Explanation: Performance Monitoring tracks a vendor’s ability to meet service obligations, such as uptime, response times, and issue resolution, ensuring adherence to the agreement. 🔸 Why other choices are incorrect: A. Compliance Monitoring → Focuses on regulatory and security compliance, not service-level agreements. B. Financial Monitoring → Evaluates vendor financial health, not operational uptime. C. Rules of Engagement → Establishes testing conditions and vendor access, but does not track performance metrics.

Answer 43

✅ Correct Answer: D. External Compliance Reporting 🔹 Explanation: External compliance reporting provides formal documentation to government regulators, auditors, or external business partners to prove compliance with security laws and standards. 🔸 Why other choices are incorrect: A. Internal Compliance Reporting → Intended for executives and board members, not external auditors. B. Security Control Validation → Focuses on testing security controls, not compliance reporting. C. Risk Assessment Review → Assesses risk exposure, not regulatory compliance documentation.

Answer 44

Explanation: The correct answer is C. Loss of License, as the provider's authorization to operate (a form of license) is revoked by the government. Why not the others? A. Contractual Impacts: This would involve breaches of agreements with clients or partners, not regulatory penalties. B. Sanctions: This would involve restrictions or penalties imposed by a regulatory body, but not necessarily the revocation of a license. D. Fines: This would involve monetary penalties, which are not described in the scenario.

Answer 45

Explanation: The correct answer is D. Attestation and Acknowledgment, as employees are required to review and sign off on policies, which is a key aspect of this method. Why not the others? A. External Compliance Monitoring: This involves third-party audits or assessments, which are not mentioned in the scenario. B. Internal Compliance Monitoring: While the company is monitoring compliance internally, the focus here is on employee attestation and acknowledgment, which is a specific method. C. Automation: Although automated tools are used, the primary method being described is employee attestation.

Answer 46

✅ Correct Answer: B. GDPR Explanation: The General Data Protection Regulation (GDPR) includes the "Right to Be Forgotten," allowing individuals to request data deletion under specific conditions. Why not the others? A. HIPAA: This focuses on healthcare data privacy and does not include a right to be forgotten. C. CCPA: This provides rights to access and delete data but is not as comprehensive as GDPR. D. Privacy Act of 1974: This U.S. law governs federal agency use of personal data but does not include a right to be forgotten.

Answer 47

✅ Correct Answer: C. Data Controller Explanation: The data controller decides the purpose and methods of data processing. Why not the others? A. Data Subject: This is the individual (e.g., customer) whose data is being processed. B. Data Processor: This is the third-party vendor that processes the data on behalf of the controller. D. Data Owner: This refers to the entity responsible for protecting the data, often a high-level employee, not the organization as a whole.

Answer 48

✅ Correct Answer: A. Employee salary data Explanation: Personally Identifiable Information (PII) refers to data that can identify an individual, such as salary data linked to an employee. Why not the others? B. Company financial reports: This is corporate data, not tied to an individual. C. Publicly available marketing materials: This is not sensitive or personal data. D. Encrypted customer passwords: While sensitive, passwords alone are not PII unless linked to an individual.

Answer 49

✅ Correct Answer: D. Mean Time Between Failures (MTBF) 🔹 Explanation: MTBF (Mean Time Between Failures) measures how long a system operates before it fails again, making it a key indicator of system reliability. 🔸 Why other choices are incorrect: A. RTO → Refers to maximum downtime tolerance, not system reliability. B. RPO → Measures acceptable data loss, unrelated to system failures. C. MTTR → Measures repair duration, not time between failures.

Answer 50

✅ Correct Answer: C. Supply Chain Analysis 🔹 Explanation: Supply Chain Analysis examines security risks within the supply chain, including third-party vendors, logistics, and distribution. 🔸 Why other choices are incorrect: A. Vendor Assessment → Evaluates a specific vendor, not the entire supply chain. B. Independent Assessment → Conducted by external auditors, but the organization is performing this analysis itself. D. Right-to-Audit Clause Enforcement → This involves auditing a vendor, not analyzing supply chain security.

Answer 51

✅ Correct Answer: B. ISO Explanation: The International Organization for Standardization (ISO) develops global standards like ISO 27001 for information security management. Why not the others? A. NIST: This is a U.S.-based organization that develops frameworks like NIST SP 800-53, not global standards. C. GDPR: This is a European Union regulation, not an organization. D. CCPA: This is a California state law, not related to global standards.

Answer 52

✅ Correct Answer: A. To document how an organization meets applicable security standards and regulations 🔹 Explanation: Compliance reporting ensures that an organization documents and communicates how it meets regulatory and security standards for internal or external review. 🔸 Why other choices are incorrect: B. Evaluating security risks → Describes risk management, not compliance reporting. C. Providing real-time alerts → Describes security monitoring, not reporting compliance. D. Enforcing penalties → Regulatory agencies enforce penalties, but compliance reporting itself does not.

Answer 53

✅ Correct Answer: C. Automation Explanation: The use of a software tool to continuously scan, detect, and alert on policy deviations is a clear example of automation in compliance monitoring.

Answer 54

✅ Correct Answer: D. All of the above Explanation: GDPR, CCPA, and HIPAA all grant individuals the right to access their personal data, though the specifics vary by regulation.

Answer 55

✅ Correct Answer: C. Data Ownership Explanation: Data Ownership refers to assigning responsibility for protecting specific types of data to a high-level individual or role. Why not the others? A. Data Controller: This refers to the entity that decides how data is processed, not necessarily who owns it. B. Data Processor: This is the entity that processes data on behalf of the controller. D. Data Subject: This is the individual whose data is being processed.

Answer 56

✅ Correct Answer: B. Data Retention Explanation: Data Retention refers to how long data must be stored before it can be securely destroyed. Why not the others? A. Data Inventory: This refers to identifying what data is held, not how long it is retained. C. Data Ownership: This refers to who is responsible for the data, not retention periods. D. Right to Be Forgotten: This allows individuals to request data deletion, not retention.

Answer 57

✅ Correct Answer: B. Sanction Explanation: Sanctions are penalties imposed by regulatory bodies for non-compliance with data privacy laws. Why not the others? A. Contractual Impact: This refers to breaches of agreements with third parties, not regulatory fines. C. Loss of License: This would involve the revocation of a business license, which is not mentioned here. D. Data Breach: This refers to unauthorized access to data, not the consequence of non-compliance.

Answer 58

✅ Correct Answer: B. Attestation Explanation: Attestation is a formal review by a third party to confirm compliance with standards or regulations. Why not the others? A. Internal Audit: This is conducted by the organization itself, not a third party. C. Self-Assessment: This is an internal evaluation, not a formal third-party review. D. Penetration Testing: This is a technical assessment to identify vulnerabilities, not a compliance review.

Answer 59

✅ Correct Answer: B. Internal Compliance Monitoring Explanation: The company is using its own team to review, audit, and enforce compliance internally, which is the definition of internal compliance monitoring.

Answer 60

✅ Correct Answer: B. Physical Penetration Testing Explanation: Physical Penetration Testing involves attempting to infiltrate the physical environment of a network or organization, such as bypassing locks or surveillance. Why not the others? A. Offensive Penetration Testing: This focuses on logical network infiltration, not physical security. C. Defensive Penetration Testing: This tests the organization’s response to attacks, not physical infiltration. D. Integrated Penetration Testing: This combines offensive and defensive techniques, not specifically physical testing.

Answer 61

✅ Correct Answer: B. Phishing Simulation Explanation: A Phishing Simulation involves sending fake phishing messages to employees to test their awareness and provide training if they fall for the attempt. Why not the others? A. Phishing Campaign: This is a broader training program that may include posters, rewards, and awareness materials, not just simulations. C. Anomalous Behavior Recognition: This focuses on identifying unusual behavior, not phishing attempts. D. Risky Behavior Training: This addresses risky actions by employees, not phishing awareness.

Answer 62

✅ Correct Answer: C. Responding to Reported Suspicious Messages Explanation: Responding to Reported Suspicious Messages involves training employees to properly report suspicious emails to a designated location for analysis. Why not the others? A. Phishing Simulation: This involves sending fake phishing emails to test employees, not reporting suspicious messages. B. Recognizing Phishing Attempts: This involves identifying phishing emails, not reporting them. D. Anomalous Behavior Recognition: This focuses on identifying unusual behavior, not reporting suspicious emails.

Answer 63

✅ Correct Answer: B. Policy Handbook Explanation: A Policy Handbook is a written resource that provides employees with security procedures and protocols. Why not the others? A. Situational Awareness Training: This involves educating employees about current threats, not providing written procedures. C. Social Engineering Training: This focuses on recognizing and mitigating social engineering attacks, not providing written procedures. D. Operational Security Training: This involves educating employees on protecting data during normal operations, not providing written procedures.

Answer 64

✅ Correct Answer: B. Initial Assessment Explanation: An Initial Assessment is conducted before starting a security awareness program to establish a baseline for comparison. Why not the others? A. Recurring Assessment: This is conducted periodically to evaluate the program’s effectiveness, not to establish a baseline. C. Development Assessment: This refers to creating the program, not evaluating it. D. Execution Assessment: This focuses on how well the program is implemented, not establishing a baseline.

Answer 65

✅ Correct Answer: B. Offensive Penetration Testing Explanation: Offensive Penetration Testing involves using tools and simulated attacks to infiltrate a network and identify vulnerabilities. Why not the others? A. Physical Penetration Testing: This focuses on physical security, not logical network attacks. C. Defensive Penetration Testing: This tests the organization’s response to attacks, not the attack itself. D. Integrated Penetration Testing: This combines offensive and defensive techniques, not just offensive testing.

Answer 66

✅ Correct Answer: C. Internal Audit Explanation: Internal Audits are conducted by the organization’s own staff to evaluate policies, procedures, and controls. Why not the others? A. External Audit: This is conducted by a third party, not the organization’s internal team. B. Regulatory Examination: This is a focused review initiated by a regulatory body, not an internal team. D. Independent Third-Party Audit: This is conducted by an external entity, not internally.

Answer 67

✅ Correct Answer: B. Phishing Campaign Explanation: A Phishing Campaign is a comprehensive training program that uses various methods (e.g., posters, rewards) to raise awareness about phishing techniques. Why not the others? A. Phishing Simulation: This involves sending fake phishing emails to test employees, not a broader awareness program. C. Anomalous Behavior Recognition: This focuses on identifying unusual behavior, not phishing awareness. D. Unintentional Behavior Training: This addresses unintentional actions by employees, not phishing awareness.

Answer 68

✅ Correct Answer: B. Situational Awareness Training Explanation: Situational Awareness Training informs employees about current threats and how to recognize them. Why not the others? A. Policy Handbook: This provides written procedures, not education about current threats. C. Insider Threat Training: This focuses on identifying threats from within the organization, not current external threats. D. Password Management Training: This focuses on creating and protecting passwords, not recognizing threats.

Answer 69

✅ Correct Answer: B. Recurring Assessment Explanation: A Recurring Assessment is conducted periodically to evaluate the effectiveness of the program and identify areas for improvement. Why not the others? A. Initial Assessment: This is conducted before the program starts, not periodically. C. Development Assessment: This refers to creating the program, not evaluating it. D. Execution Assessment: This focuses on how well the program is implemented, not its effectiveness.

Answer 70

✅ Correct Answer: D. Program Execution Explanation: Program Execution focuses on implementing the program effectively, including sticking to a schedule, creating an inclusive environment, and providing feedback. Why not the others? A. Initial Assessment: This establishes a baseline before the program starts, not implementing it. B. Recurring Assessment: This evaluates the program’s effectiveness, not its implementation. C. Program Development: This involves creating the program, not implementing it.

Answer 71

✅ Correct Answer: C. Known Environment (White Box) Explanation: A Known Environment (White Box) provides the tester with full information about the target system before testing begins. Why not the others? A. Unknown Environment (Black Box): The tester is given no information about the target system. B. Partially Known Environment (Gray Box): The tester is given partial information about the target system. D. Active Reconnaissance: This refers to collecting information by interacting with the target system, not the type of environment.

Answer 72

✅ Correct Answer: B. Regulatory Examination Explanation: A Regulatory Examination is a focused review initiated by a regulatory body to ensure compliance with specific requirements. Why not the others? A. Internal Audit: This is conducted by the organization itself, not a regulatory body. C. Independent Third-Party Audit: This is broader and not necessarily focused on a specific regulatory requirement. D. Self-Assessment: This is an internal activity, not a regulatory review.

Answer 73

✅ Correct Answer: B. Passive Reconnaissance Explanation: Passive Reconnaissance involves collecting information from external sources, such as social media or news reports, without interacting with the target system. Why not the others? A. Active Reconnaissance: This involves interacting with the target system directly, such as using packet capture tools. C. Offensive Penetration Testing: This involves simulating attacks, not just gathering information. D. Defensive Penetration Testing: This tests the organization’s response to attacks, not information gathering.

Answer 74

✅ Correct Answer: B. Phishing Attempt Explanation: A Phishing Attempt involves a fraudulent message designed to trick the recipient into revealing sensitive information or taking harmful actions. Why not the others? A. Phishing Simulation: This is a training tool used by organizations, not an actual phishing attempt. C. Anomalous Behavior: This refers to unusual actions by individuals, not phishing emails. D. Risky Behavior: This refers to actions that may pose a threat to the organization, not phishing emails.

Answer 75

✅ Correct Answer: B. Recurring Assessment Explanation: A Recurring Assessment involves collecting feedback and conducting knowledge assessments to evaluate the program’s effectiveness over time. Why not the others? A. Initial Assessment: This establishes a baseline before the program starts, not evaluating its effectiveness. C. Program Development: This involves creating the program, not evaluating it. D. Program Execution: This focuses on implementing the program, not evaluating its effectiveness.

Answer 76

✅ Correct Answer: B. Insider Threat Training Explanation: Insider Threat Training focuses on identifying threats from within the organization, such as employees or contractors. Why not the others? A. Situational Awareness Training: This focuses on recognizing external threats, not internal ones. C. Social Engineering Training: This focuses on recognizing social engineering attacks, not insider threats. D. Operational Security Training: This focuses on protecting data during normal operations, not identifying insider threats.

Answer 77

✅ Correct Answer: D. Integrated Penetration Testing Explanation: Integrated Penetration Testing combines both offensive and defensive techniques to provide a comprehensive evaluation of the organization’s security posture. Why not the others? A. Physical Penetration Testing: This focuses on physical security, not combining offensive and defensive techniques. B. Offensive Penetration Testing: This involves only simulating attacks, not evaluating defenses. C. Defensive Penetration Testing: This involves only testing the organization’s response, not simulating attacks.

Answer 78

✅ Correct Answer: C. Independent Third-Party Audit Explanation: An Independent Third-Party Audit is conducted by an external entity, often at the request of a regulator or customer. Why not the others? A. Internal Audit: This is conducted by the organization itself, not a third party. B. Self-Assessment: This is an internal activity, not an external audit. D. Regulatory Examination: While related, this term typically refers to a narrower, more focused review initiated by a regulator.

Answer 79

✅ Correct Answer: C. Password Management Training Explanation: Password Management Training focuses on creating strong passwords and protecting them. Why not the others? A. Policy Handbook: This provides written procedures, not specific training on passwords. B. Situational Awareness Training: This focuses on recognizing threats, not password management. D. Removable Media Training: This focuses on the risks of removable media, not password management.

Answer 80

✅ Correct Answer: B. Unexpected Behavior Explanation: Unexpected Behavior refers to actions that are unusual or out of the ordinary, such as an employee being in the office on an atypical day. Why not the others? A. Risky Behavior: This refers to actions that may pose a threat, such as writing down passwords. C. Unintentional Behavior: This refers to actions with unintended consequences, such as placing a call on speakerphone. D. Phishing Attempt: This refers to fraudulent messages, not employee behavior.

Answer 81

✅ Correct Answer: B. Active Reconnaissance Explanation: Active Reconnaissance involves interacting with the target system directly, such as using packet capture tools. Why not the others? A. Passive Reconnaissance: This involves collecting information from external sources, not interacting with the target system. C. White Box (Known Environment): This refers to a known environment, not a reconnaissance technique. D. Gray Box (Partially Known Environment): This refers to a partially known environment, not a reconnaissance technique.

Answer 82

✅ Correct Answer: B. Penetration Testing Explanation: Penetration Testing is a technical assessment that simulates attacks to identify vulnerabilities. Why not the others? A. Internal Audit: This is a broader review of policies and procedures, not a technical test. C. Regulatory Examination: This is a compliance-focused review, not a technical assessment. D. Attestation: This is a formal compliance review, not a vulnerability test.

Security Program Management and Oversight Flashcards

(107 cards)