SY0-701: 5.0 (Security Program Management and Oversight) Flashcards

(152 cards)

1
Q

Social Engineering Motivational Triggers (5.6)

A

Authority
Urgency
Social Proof
Scarcity
Likability
Fear

2
Q

Soc Eng Trigger- Authority (5.6)

A

The power or right to give orders, make decisions, and enforce obedience

3
Q

Soc Eng Trigger- Urgency (5.6)

A

Compelling sense of immediacy or time-sensitivity that drives individuals to act swiftly or prioritize certain actions

4
Q

Soc Eng Trigger- Social Proof (5.6)

A

Psychological phenomenon where individuals look to the behaviors and actions of others to determine their own decisions or actions in similar situations

5
Q

Soc Eng Trigger- Scarcity (5.6)

A

Psychological pressure people feel when they believe a product, opportunity, or resource is limited or in short supply

6
Q

Soc Eng Trigger- Likability (5.6)

A

Associated with being nice, friendly, and socially accepted by others

7
Q

Soc Eng Trigger- Fear (5.6)

A

Feeling afraid of someone or something, as likely to be dangerous, painful, or threatening

8
Q

Data Ownership (5.1)

A

Process of identifying the person responsible for the confidentiality, integrity, availability, and privacy of the information assets

9
Q

Data Owner (5.1)

A

Senior executive role who has the responsibility for maintaining the confidentiality, integrity, and availability of the information asset

10
Q

Data Controller (5.1)

A

Entity that holds responsibility for deciding the purposes and methods of data storage, collection, and usage and for guaranteeing the legality of processes

11
Q

Data Processor (5.1)

A

Group or individual hired by the Data Controller to help with tasks like collecting, storing, or analyzing data

12
Q

Data Steward (5.1)

A

Focused on the quality of the data and the associated metadata

13
Q

Data Custodian (5.1)

A

Responsible for handling the management of the system on which the data assets are stored (e.g. SysAdmin)

14
Q

Privacy Officer (5.1)

A

Role that is responsible for the oversight of any kind of privacy-related data, like PII (Personally Identifying Information), SPI (Sensitive Personal Information), PHI (Personal Health Information)

15
Q

Risk Management (5.2)

A

Fundamental process that involves identifying, analyzing, monitoring, and reporting risks

16
Q

Risk Management Lifecycle (5.2)

A
  1. Risk identification
  2. Risk analysis
  3. Risk treatment
  4. Risk monitoring
  5. Risk reporting
17
Q

Risk Assessment Frequency (5.2)

A

Refers to how often the risk assessment process is conducted within an organization

18
Q

Risk Assessment Frequency Types (5.2)

A

Ad-hoc
Recurring
One-Time
Continuous

19
Q

Ad-hoc (5.2)

A

Conducted as and when needed, often in response to a specific event or situation that has the potential to introduce new risks or change the nature of existing risks; associated with specific events or situations

20
Q

Recurring (5.2)

A

Conducted at regular intervals, such as annually, quarterly, or monthly

21
Q

One-Time (5.2)

A

Conducted for a specific purpose and not repeated; associated with a specific project or initiative

22
Q

Continuous (5.2)

A

Ongoing monitoring and evaluation of risks

23
Q

Risk Identification (5.2)

A

Recognizing potential risks that could negatively impact an organization's ability to operate or achieve its objectives

24
Q

RTO (5.2)

A

Recovery Time Objective- Represents the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization

25
RPO (5.2)
Recovery Point Objective- Represents the maximum acceptable amount of data loss measured in time (if a business has an RPO of 4 hours, then it can handle 4 hours of downtime)
26
MTTR (5.2)
Mean Time To Repair- Represents the average time required to repair a failed component or system
27
MTBF (5.2)
Mean Time Between Failure- Represents the average time between failures
28
BIA (5.2)
Business Impact Analysis- Process that involves evaluating the potential effects of disruption to an organization's business functions and processes
29
Risk Register (Risk Log) (5.2)
A document detailing identified risks, including their description, impact, likelihood, and mitigation strategies; contains:
Risk description
Risk impact
Risk likelihood
Risk outcome
Risk level
Cost
30
Risk description (5.2)
Entails identifying and providing a detailed description
31
Risk impact (5.2)
Potential consequences if the risk materializes
32
Risk likelihood (5.2)
Chance of a particular risk occurring
33
Risk outcome (5.2)
Result of a risk, linked to its impact and likelihood
34
Risk level / Threshold (5.2)
Determined by combining the impact and likelihood
35
Cost (5.2)
Pertains to its financial impact on the project, including potential expenses if it occurs or the cost of risk mitigation
36
Risk Tolerance / Risk Acceptance (5.2)
Refers to an organization's or individual's willingness to deal with uncertainty in pursuit of their goals
37
Risk Appetite (5.2)
Signifies an organization's willingness to embrace or retain specific types and levels of risk to fulfill its strategic goals
38
Expansionary Risk Appetite (5.2)
Organization is open to taking more risk in the hopes of achieving greater returns
39
Conservative Risk Appetite (5.2)
Implies that an organization favors less risk, even if it leads to lower returns
40
Neutral Risk Appetite (5.2)
Signifies a balance between risk and return
41
KRIs (5.2)
Key Risk Indicators- Essential predictive metrics used by organizations to signal rising risk levels in different parts of the enterprise
42
Risk Owner (5.2)
Person or group responsible for managing the risk
43
Qualitative Risk Analysis (5.2)
A method of assessing risks based on their potential impact and the likelihood of their occurrence (usually described as Low, Medium, High); Subjective and high level
44
Quantitative Risk Analysis (5.2)
A method of evaluating risk that uses numerical measurements (usually described as a number); Objective and numerical evaluation of risks
45
EF (5.2)
Exposure Factor- Proportion of an asset that is lost in an event (expressed as a percentage)
46
SLE (5.2)
Single Loss Expectancy- Monetary value expected to be lost in a single event (expressed as a monetary amount)
47
ARO (5.2)
Annualized Rate of Occurrence- Estimated frequency with which a threat is expected to occur within a year
48
ALE (5.2)
Annualized Loss Expectancy- Expected annual loss from a risk (SLE x ARO)
49
Risk Management Types (5.2)
Transfer
Accept
Avoid
Mitigate
50
Risk Transference (Risk Sharing) (5.2)
Involves shifting the risk from the organization to another party (most common type is insurance)
51
Contract Indemnity Clause (5.2)
A contractual agreement where one party agrees to cover the other's harm, liability, or loss stemming from the contract (form of risk transference)
52
Risk Acceptance (5.2)
Recognizing a risk and choosing to address it when it arises
53
Exemption (5.2)
Provision that grants an exception from a specific rule or requirement
54
Exception (5.2)
Provision that permits a party to bypass a rule or requirement in certain situations
55
Risk Avoidance (5.2)
Strategy of altering plans or approaches to completely eliminate a specific risk
56
Risk Mitigation (5.2)
Implementing measures to decrease the likelihood or impact of a risk
57
Risk Monitoring (5.2)
Involves continuously tracking identified risks, assessing new risks, executing response plans, and evaluating their effectiveness during a project's lifecycle
58
Residual Risk (5.2)
Likelihood and impact after implementing mitigation, transference, or acceptance
59
Risk Reporting (5.2)
Process of communicating information about risk management activities
60
Third Party Vendor Risk (5.3)
Potential security and operational challenges introduced by external entities (vendors, suppliers, or service providers)
61
MSP (5.3)
Managed Service Providers- Individuals hired by companies to manage IT services on behalf of an organization
62
Supply Chain Attack (5.3)
Attack that involves targeting a weaker link in the supply chain to gain access to a primary target
63
CHIPS Act (5.3)
US federal statute that provides roughly $280 billion in new funding to boost research and manufacturing of semiconductors inside the United States
64
Steps to minimize supply chain attacks (5.3)
Vendor due diligence
Regular monitoring and audits
Education and collaboration
Incorporating contractual safeguards
65
Vendor Assessment (5.3)
Process that organizations implement to evaluate the security, reliability, and performance of external entities
66
Penetration Testing (5.3)
Simulated cyberattack against the supplier's system to check for exploitable vulnerabilities
67
Right-to-Audit Clause (5.3)
Grants organizations the right to evaluate vendors
68
Internal Audit (5.3)
Vendor's self-assessment where they evaluate their own practices against industry standards or organizational requirements
69
Independent Assessment (5.3)
Evaluation conducted by third-party entities that have no stake in the organization's or vendor's operations
70
Supply Chain Analysis (5.3)
Used to dive deep into a vendor's entire supply chain and assess the security and reliability of each link
71
Vendor Assessment (5.3)
Process that organizations implement to evaluate the security, reliability, and performance of external entities
72
Due Diligence Topics (5.3)
Financial Stability
Operational History
Client Testimonials
On-the-Ground Practices
73
Conflict of Interest (5.3)
Arises when personal or financial relationships could potentially cloud the judgment of individuals involved in vendor selection
74
Vendor Questionnaires (5.3)
Comprehensive documents that potential vendors fill out to offer insights into their operations, capabilities, and compliance
75
Rules of Engagement (5.3)
Guidelines that dictate the terms of interaction between an organization and its potential vendors
76
Vendor Monitoring (5.3)
Mechanism to ensure that the chosen vendor still aligns with the organizational needs and standards
77
Feedback Loops (5.3)
Involve a two-way communication channel where both the organization and the vendor share feedback
78
Basic Contract (5.3)
Versatile tool that formally establishes a relationship between two parties
79
SLA (5.3)
Service-Level Agreement- The standard of service a client can expect from a provider
80
MOA (5.3)
Memorandum of Agreement- Formal agreement that outlines the specific responsibilities and roles of the involved parties
81
MOU (5.3)
Memorandum of Understanding- Less binding than a MOA and more of a declaration of mutual intent
82
MSA (5.3)
Master Service Agreement- Blanket agreement that covers the general terms of engagement between parties across multiple transactions
83
SOW (5.3)
Statement of Work (sometimes called Scope of Work or Work Order)- Used to specify details for a particular project
84
NDA (5.3)
Non-Disclosure Agreement- Commitment to privacy that ensures that any sensitive information shared during negotiations remains confidential between both parties
85
BPA (5.3)
Business Partnership Agreement (sometimes called a Joint Venture or JV)- Document that goes a step beyond the basic contract when two entities decide to pool their resources for mutual benefit
86
Governance (5.1)
Strategic leadership, structures, and processes that ensure an organization's IT infrastructure aligns with its business objectives
87
GRC Triad (5.1)
Governance, Risk Management, and Compliance
88
Monitoring (5.1)
Regularly reviewing and assessing the effectiveness of the governance framework
89
Revision (5.1)
Updating the governance framework to address these gaps or weaknesses
90
Governance- Boards (5.1)
A board of directors is a group of individuals elected by shareholders to oversee the management of an organization
91
Governance- Committees (5.1)
Subgroups of a board of directors, each with a specific focus
92
Governance- Government Entities (5.1)
They establish laws and regulations that organizations must comply with
93
Governance- Centralized Structures (5.1)
Decision-making authority is concentrated at the top levels of management
94
Governance- Decentralized Structures (5.1)
Distributes decision-making authority throughout the organization
95
AUP (5.1)
Acceptable Use Policy- A document that outlines the do's and don'ts for users when interacting with an organization's IT systems and resources
96
Information Security Policy
Outlines how an organization protects its information assets from threats, both internal and external; handles:
Data Classification
Access Control
Encryption
Physical Security
97
Business Continuity Policy (5.1)
Focuses on how an organization will continue its critical operations during and after a disruption
98
Disaster Recovery Policy (5.1)
Focuses specifically on how an organization will recover its IT systems and data after a disaster
99
Incident Response Policy (5.1)
A plan for handling security incidents
100
SDLC Policy (5.1)
Software Development Lifecycle- Guides how software is developed within an organization
101
Change Management Policy (5.1)
Aims to ensure that changes are implemented in a controlled and coordinated manner, minimizing the risk of disruptions
102
Password Standards (5.1)
Dictate the complexity and management of passwords, which are the first line of defense against unauthorized access
103
Access Control Standards (5.1)
Determine who has access to what resources within an organization
104
Access Control Types (5.1)
DAC- Discretionary Access Control
MAC- Mandatory Access Control
RBAC- Role-Based Access Control
105
DAC (5.1)
Discretionary Access Control- Allows the owner of the information or resource to decide who can access it
106
MAC (5.1)
Mandatory Access Control- Uses labels or classifications to determine access
107
RBAC (5.1)
Role-Based Access Control- Uses roles within an organization to determine access
108
Physical Security Standards (5.1)
These standards cover the physical measures taken to protect an organization's assets and information
109
Encryption Standards (5.1)
Ensure that data intercepted or accessed without authorization remains unreadable and secure
110
Procedures (5.1)
Systematic sequences of actions or steps taken to achieve a specific outcome (e.g. Emergency Evacuation Procedure)
111
Change Management (5.1)
Systematic approach to dealing with changes within an organization
112
Onboarding/Offboarding (5.1)
The process of integrating new employees into the organization / The process of managing the transition when an employee leaves
113
Playbooks (5.1)
Checklist of actions to perform to detect and respond to a specific type of incident
114
Regulatory Considerations (5.1)
These regulations can cover a wide range of areas, from data protection and privacy to environmental standards and labor laws
115
Legal Considerations (5.1)
Closely tied to regulatory considerations, but they also encompass other areas such as contract law, intellectual property, and corporate law
116
Industry Considerations (5.1)
The specific standards and practices that are prevalent in a particular industry
117
Geographic Considerations (5.1)
Local ordinance, state regulations, national laws, regulations implemented by countries
118
Compliance Reporting (5.4)
Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements
119
Internal Compliance Reporting (5.4)
Collection and analysis of data to ensure that an organization is following its internal policies and procedures
120
External Compliance Reporting (5.4)
Demonstrating compliance to external entities such as regulatory bodies, auditors, or customers, often mandated by law or contract
121
Compliance Monitoring (5.4)
The process of regularly reviewing and analyzing an organization's operations to ensure compliance with laws, regulations, and internal policies
122
Due Diligence (5.4)
Conducting an exhaustive review of an organization's operations to identify potential compliance issues
123
Due Care (5.4)
The steps taken to mitigate the risks revealed by due diligence
124
Attestation (5.4)
Formal declaration by a responsible party that the organization's processes and controls are compliant
125
Acknowledgement (5.4)
Recognition and acceptance of compliance requirements by all relevant parties
126
Internal Monitoring (5.4)
Regularly reviewing an organization's operations to ensure compliance with internal policies
127
External Monitoring (5.4)
Third-party reviews or audits to verify compliance with external regulations or standards
128
Automation in Compliance (5.4)
Automated compliance systems can streamline data collection, improve accuracy, and provide real-time compliance monitoring
129
Non-Compliance Consequences (5.4)
Fines
Sanctions
Reputational Damage
Loss of License
Contractual Impacts
130
Audits (5.5)
Systematic evaluations of an organization's information systems, applications, and security controls (can be internal or external)
131
Assessments (5.5)
Performing a detailed analysis of an organization's security systems to identify vulnerabilities and risks
132
Assessment Types (5.5)
Risk Assessments
Vulnerability Assessments
Threat Assessments
133
Compliance (5.5)
Ensuring that information systems and security practices meet established standards, regulations, and laws
134
Audit Committee (5.5)
Group of people responsible for supervising the organization's audit and compliance functions
135
Internal Assessment (5.5)
An in-depth analysis to identify and assess potential risks and vulnerabilities in an organization's information systems
136
Self-Assessment (5.5)
Internal review conducted by an organization to gauge its adherence to particular standards or regulations
137
Independent Third-Party Audit (5.5)
Offers validation of security practices, fostering trust with customers, stakeholders, and regulatory authorities
138
Physical Pentesting (5.5)
Testing an organization's physical security by testing locks, access cards, security cameras, and other protective measures
139
Offensive Pentesting (5.5)
aka Red Team- Proactive approach that involves use of attack techniques, akin to real cyber threats, that seek and exploit system vulnerabilities
140
Defensive Pentest (5.5)
aka Blue Team- Reactive approach that entails fortifying systems, identifying and addressing attacks, and enhancing incident response times
141
Integrated Pentesting (5.5)
aka Purple Team- Combination of aspects of both offensive and defensive testing into a single penetration test
142
Reconnaissance (5.5)
An initial phase where critical information about a target system is gathered to enhance an attack's effectiveness
143
Active Reconnaissance (5.5)
Direct engagement with the target system, offering more information but with a higher detection risk
144
Passive Reconnaissance (5.5)
Gathering information without direct engagement with the target system, offering lower detection risk but less data (e.g. OSINT)
145
Known Environment (5.5)
Detailed target infrastructure information from the organization is received prior to the test
146
Partially Known Environment (5.5)
Involves limited information provided to testers, who may have partial knowledge of the system
147
Unknown Environment (5.5)
Testers receive minimal to no information about the target system
148
Metasploit (5.5)
Multi-purpose computer security and penetration testing framework that encompasses a wide array of powerful tools, enabling the execution of penetration tests
149
Attestation (5.5)
Similar to a pentest report but also includes proof
150
Software Attestation (5.5)
Involves validating the integrity of software by checking that it hasn't been tampered with or altered maliciously
151
Hardware Attestation (5.5)
Involves validating the integrity of hardware components
152
System Attestation (5.5)
Involves validating the security posture of a system