Security X Flashcards
(24 cards)
What does GRC stand for?
Governance, Risk, and Compliance
What is the purpose of GRC?
To align IT and business objectives, manage risk, and ensure regulatory compliance.
What are the three lines of defense in GRC?
Governance, Risk, and Compliance.
Who responds to risks with policy?
Governance
Who verifies that rules are being followed?
Compliance
What is the RACI model used for?
Defining roles and responsibilities across processes and teams.
In the RACI model, who owns the result of the task?
Accountable
Name two awareness and training topics in security program management.
Phishing, social engineering
What is COBIT used for?
IT governance and management
What is ITIL focused on?
Service delivery and continual improvement
What does NIST CSF provide?
Guidance for building resilient cybersecurity programs
What is the main purpose of GRC tools?
To map, automate, track compliance, and manage documentation and monitoring.
Why is data governance important in dev/test environments?
Regulated data must be protected at all stages.
What is the difference between explainable and non-explainable AI?
Explainable AI helps humans understand decisions; non-explainable does not.
What regulation applies to healthcare organizations in the U.S.?
HIPAA
Which regulation governs financial reporting transparency?
SOX
Name one privacy regulation from the EU.
GDPR
What is PCI DSS?
A standard for securing payment card transactions
What are DoD STIGs used for?
Hardening and securing government systems
Why are third-party certifications important?
They validate compliance and build credibility
Which service provides an external attacker’s view of your system?
Penetration Testing
What framework should a CISO use for global flexibility and monitoring?
NIST Cybersecurity Framework
What are three activities in the reconnaissance phase of the kill chain?
Discover servers, harvest emails, identify employees on social media
Can continuous monitoring replace audits?
No, periodic audits are still needed