16 Security Governance Flashcards

1
Q

What are the data types mentioned in risk management?

A
  • Regulated
  • Trade secret
  • Intellectual property
  • Legal information
  • Financial information
  • Human- and non-human-readable

These data types are crucial for understanding how to protect sensitive information.

2
Q

List the data classifications used in risk management.

A
  • Sensitive
  • Confidential
  • Public
  • Restricted
  • Private
  • Critical

Data classifications help organizations determine the level of protection required for different types of information.

3
Q

What elements are summarized under effective security governance?

A
  • Owners
  • Controllers
  • Processors
  • Custodians/stewards

These roles and responsibilities are key to managing systems and data effectively.

4
Q

What is the first step in the risk management process?

A

Risk identification

Identifying risks is essential for effective risk management.

5
Q

Name the types of risk assessment.

A
  • Ad hoc
  • Recurring
  • One-time
  • Continuous

Different types of assessments are used depending on the organization’s needs.

6
Q

What are the two main types of risk analysis?

A
  • Qualitative
  • Quantitative

Both types of analysis provide different perspectives on risk.

7
Q

Define Single Loss Expectancy (SLE).

A

The expected monetary loss every time a risk occurs

SLE is a critical metric in risk analysis.

8
Q

What does Annualized Loss Expectancy (ALE) measure?

A

The expected yearly loss from a risk

ALE helps organizations understand the financial impact of risks over time.

9
Q

What does a Risk Register include?

A
  • Key risk indicators
  • Risk owners
  • Risk threshold

A Risk Register is vital for tracking and managing risks.

10
Q

What is meant by risk tolerance?

A

The level of risk an organization is willing to accept

Understanding risk tolerance helps in decision-making regarding risk management strategies.

11
Q

Fill in the blank: Risk appetite can be categorized as _______.

A
  • Expansionary
  • Conservative
  • Neutral

Different approaches to risk appetite reflect an organization’s strategy.

12
Q

List the risk management strategies.

A
  • Transfer
  • Accept
  • Avoid
  • Mitigate

These strategies guide organizations in handling identified risks.

13
Q

What is the purpose of risk reporting?

A

To communicate risk information to stakeholders

Effective risk reporting enhances awareness and decision-making.

14
Q

What are the components of Business Impact Analysis (BIA)?

A
  • Recovery time objective (RTO)
  • Recovery point objective (RPO)
  • Mean time to repair (MTTR)
  • Mean time between failures (MTBF)

BIA is essential for understanding the potential impact of disruptions.

15
Q

What legal implications must organizations consider for privacy?

A
  • Local/regional
  • National
  • Global

Organizations must navigate various legal frameworks regarding data privacy.

16
Q

Differentiate between Controller and Processor.

A
  • Controller: Determines the purposes and means of processing personal data
  • Processor: Processes data on behalf of the controller

Understanding these roles is crucial for compliance with data protection regulations.

17
Q

What is the ‘Right to be forgotten’?

A

The ability for individuals to have their personal data deleted

This right is a key aspect of data privacy laws.

18
Q

True or False: Risk management is unrelated to cybersecurity.

A

False

Risk management is closely tied to cybersecurity, particularly regarding the protection of personal information.

19
Q

What is the primary goal of an enterprise risk management (ERM) program?

A

To take a formal approach to risk analysis, starting with identifying risks and determining their severity, leading to the adoption of risk management strategies.

20
Q

Define ‘threat’ in the context of risk management.

A

Any possible event that might have an adverse impact on the confidentiality, integrity, and/or availability of information or information systems.

21
Q

What are vulnerabilities in risk management?

A

Weaknesses in systems or controls that could be exploited by a threat.

22
Q

How is risk defined in relation to threats and vulnerabilities?

A

Risk occurs at the intersection of a vulnerability and a threat that might exploit that vulnerability.

23
Q

True or False: A threat without a corresponding vulnerability poses a risk.

A

False

24
Q

What is an example of a vulnerability in everyday life?

A

Walking down the sidewalk without any protection.

25
Q

What constitutes a multiparty risk?

A

Risks that impact more than one organization, such as a power outage affecting multiple buildings.

26
Q

What are legacy systems in the context of risk?

A

Outdated systems that often do not receive security updates and require extraordinary measures to protect against vulnerabilities.

27
Q

How does risk assessment determine the severity of a risk?

A

By evaluating the likelihood of occurrence and the magnitude of the impact.

28
Q

What is the formula used to express risk severity?

A

Risk Severity = Likelihood * Impact

29
Q

What type of risk assessment provides a point-in-time view of the risk state?

A

One-time risk assessments.

30
Q

What is the difference between quantitative and qualitative risk analysis?

A

Quantitative uses numeric data for analysis; qualitative uses subjective judgments and categories.

31
Q

What does the annualized rate of occurrence (ARO) represent?

A

The number of times a risk is expected to occur in a given year.

32
Q

What is the single loss expectancy (SLE)?

A

The amount of financial damage expected each time a risk materializes.

33
Q

Fill in the blank: The _______ is calculated by multiplying the asset value by the exposure factor.

A

single loss expectancy (SLE)

34
Q

What type of risk assessment is performed at regular intervals?

A

Recurring risk assessments.

35
Q

What is the purpose of continuous risk assessments?

A

To involve ongoing monitoring and analysis of risks.

36
Q

What key factor influences the impact assessment of a risk in regulated industries?

A

Laws and regulations, such as GDPR.

37
Q

True or False: Qualitative risk analysis can easily express reputational damage in numeric terms.

A

False

38
Q

What is the exposure factor (EF)?

A

The percentage of the asset expected to be damaged if a risk materializes.

39
Q

What is the annualized loss expectancy (ALE)?

A

The amount of damage expected from a risk each year, calculated by multiplying the SLE and the ARO.

40
Q

What is the significance of combining quantitative and qualitative risk assessments?

A

To provide a well-rounded picture of both tangible and intangible risks.

41
Q

What is vendor due diligence?

A

The process of evaluating third-party relationships to ensure they have adequate security controls.

42
Q

Fill in the blank: Risks that originate from a source outside the organization are called _______.

A

external risks

43
Q

What are internal risks?

A

Risks that originate from within the organization, such as malicious insiders or equipment failures.

44
Q

What role do supply chain risks play in organizational security?

A

They pose risks based on third-party relationships that can affect data confidentiality, integrity, and availability.

45
Q

What is a significant risk associated with intellectual property (IP)?

A

The theft of trade secrets or proprietary information that could compromise business advantage.

46
Q

What are software compliance/licensing risks?

A

Risks that occur when an organization runs afoul of usage limitations set by software vendors.

47
Q

What is a crucial security responsibility when dealing with third-party relationships?

A

Performing vendor due diligence

Vendor due diligence involves evaluating the security measures of vendors to protect sensitive data.

48
Q

Why is it important to assess the security controls of cloud service providers?

A

They handle your organization’s sensitive information and are part of the operational and security supply chain

Inadequate security controls can put your data at risk.

49
Q

What risk is associated with hardware used in an organization?

A

It may have been tampered with during the supply chain process

Tampering can lead to security vulnerabilities in the hardware.

50
Q

Who revealed that the U.S. government intercepted hardware shipments?

A

Edward Snowden

Snowden was a former NSA contractor who leaked documents about government surveillance practices.

51
Q

What malicious action was discovered regarding hardware shipments?

A

Malicious code was implanted deep within the hardware

This action illustrates the potential risks in hardware supply chains.

52
Q

What is the purpose of performing hardware source authenticity assessments?

A

To validate that the hardware received was not tampered with

This assessment ensures the integrity of hardware before it is deployed in an organization.

53
Q

What is the process of systematically addressing the risks facing an organization called?

A

Risk management

Risk management involves identifying, prioritizing, and addressing risks.

54
Q

What are the two important roles of risk assessment in risk management?

A
  1. Prioritizing risks
  2. Determining if the potential impact justifies the costs

This helps focus efforts on the most significant risks.

55
Q

What are the four strategies available for risk management?

A
  • Risk mitigation
  • Risk avoidance
  • Risk transference
  • Risk acceptance

Each strategy has different implications and trade-offs.

56
Q

What is risk mitigation?

A

The process of applying security controls to reduce the probability and/or magnitude of a risk

It is the most common risk management strategy.

57
Q

What is an example of a risk mitigation control for laptop theft?

A

Purchasing cable locks for laptops

This helps reduce the probability of theft occurring.

58
Q

What is risk avoidance?

A

A strategy that changes business practices to completely eliminate the potential for a risk to materialize

This strategy can negatively impact business operations.

59
Q

True or False: Risk avoidance can involve shutting down a website to prevent DDoS attacks.

A

True

This is an extreme measure and often impractical.

60
Q

What is risk transference?

A

Shifting some of the impact of a risk to another entity

Commonly done through purchasing insurance.

61
Q

How does property insurance relate to laptop theft?

A

It may cover the risk of stolen laptops

Coverage depends on the type of policy.

62
Q

What type of insurance should organizations consider for DDoS attacks?

A

Cybersecurity insurance

This may cover recovery operations and lost revenue.

63
Q

What is risk acceptance?

A

Deliberately choosing to take no action against a risk and continuing operations as normal

It involves a conscious decision based on cost-benefit analysis.

64
Q

What distinguishes risk acceptance from neglecting a risk?

A

Risk acceptance is a conscious decision, while neglecting a risk is unintentional

It should involve analysis and documentation.

65
Q

What are exemptions in risk management?

A

Formal approvals to not address certain risks, documented for record-keeping

They may have expiration dates and require periodic review.

66
Q

Fill in the blank: Risk acceptance should not be undertaken as a _______.

A

default strategy

It requires thoughtful analysis.

67
Q

What might lead an organization to accept the risk of laptop theft?

A

High costs of other risk management strategies

This decision would be based on a cost-benefit analysis.

68
Q

What should learners understand for the Security+ exam regarding risk management?

A

The four risk management strategies and examples of each

Be prepared to identify strategies in given scenarios.

69
Q

What is inherent risk?

A

The original level of risk that exists before implementing any controls.

Inherent risk reflects the level of risk that is fundamental to an organization’s business.

70
Q

What is residual risk?

A

The risk that remains after implementing controls designed to mitigate, avoid, and/or transfer the inherent risk.

Residual risk represents the level of risk that persists despite risk management efforts.

71
Q

Define risk appetite.

A

The level of risk that an organization is willing to accept as a cost of doing business.

Risk appetite is a broad term encompassing the overall risk stance of an organization.

72
Q

What is risk threshold?

A

The specific level at which a risk becomes unacceptable, triggering action or decision.

Risk threshold is more quantitative than risk appetite, defining clear points or values.

73
Q

What does risk tolerance refer to?

A

An organization’s ability to withstand risks and continue operations without significant impact.

Risk tolerance can vary significantly across different organizations.

74
Q

What are Key Risk Indicators (KRIs)?

A

Metrics used to measure and provide early warning signals for increasing levels of risk.

KRIs help track the effectiveness of risk mitigation efforts.

75
Q

Who is a risk owner?

A

An individual or entity responsible for managing and monitoring risks.

The risk owner implements necessary controls and actions to mitigate risks.

76
Q

What is the relationship between inherent risk and residual risk?

A

Organizations begin with inherent risk and implement strategies to reduce it to an acceptable residual risk level.

This process ensures that residual risk aligns with the organization’s risk appetite.

77
Q

Describe an organization with an expansionary risk appetite.

A

Willing to take on higher levels of risk in pursuit of potential higher rewards.

Such organizations often seek aggressive growth, innovation, or market share.

78
Q

What characterizes a neutral risk appetite?

A

A balanced approach to risk, allowing moderate levels of risk for steady growth and returns.

Neutral risk appetites aim for stability and moderate growth.

79
Q

Describe a conservative risk appetite.

A

Tends to avoid high risks, focusing on maintaining stability and protecting existing assets.

Common in highly regulated industries or where the consequences of risks are severe.

80
Q

What is a risk register?

A

The primary tool used by risk management professionals to track risks facing the organization.

It includes detailed information about various risks and their management.

81
Q

What elements are commonly included in a risk register?

A
  • Risk owner
  • Risk threshold information
  • Key Risk Indicators (KRIs)

These elements are important for tracking and managing risks effectively.

82
Q

What is the purpose of risk reporting?

A

To communicate the status and evolution of risks to stakeholders within the organization.

Effective risk reporting ensures informed decision-making regarding risk mitigation.

83
Q

What are the types of risk reporting?

A
  • Regular Updates
  • Dashboard Reporting
  • Ad Hoc Reports
  • Risk Trend Analysis
  • Risk Event Reports

Each type serves a specific purpose in communicating risk information to stakeholders.

84
Q

What should be considered when compiling a risk report?

A

Tailor the information and format to the audience, ensuring clarity and conciseness.

Reports should highlight current status and provide context related to risk appetite and thresholds.

85
Q

What is disaster recovery planning (DRP)?

A

The discipline of developing plans to recover operations as quickly as possible in the face of a disaster.

DRP creates a formal, broad disaster recovery plan and specific functional recovery plans for critical business functions.

86
Q

What is the primary goal of disaster recovery plans?

A

To help the organization recover normal operations as quickly as possible in the wake of a disruption.

87
Q

What types of disasters can affect an organization?

A

Both natural and human-made disasters, including internal and external risks.

Disasters may come from environmental factors or human actions.

88
Q

What triggers the activation of an organization’s disaster recovery plan?

A

The occurrence of a disaster.

89
Q

What is the purpose of site risk assessments in the DRP process?

A

To identify and prioritize the risks posed to the facility by disasters.

90
Q

What does a business impact analysis (BIA) identify?

A

Mission-essential functions within an organization and the critical systems that support those functions.

91
Q

What does Mean Time Between Failures (MTBF) measure?

A

The reliability of a system, specifically the expected amount of time between system failures.

92
Q

What is the Mean Time to Repair (MTTR)?

A

The average amount of time to restore a system to its normal operating state after a failure.

93
Q

What does Recovery Time Objective (RTO) represent?

A

The amount of time that the organization can tolerate a system being down before it is repaired.

94
Q

What is Recovery Point Objective (RPO)?

A

The amount of data the organization can tolerate losing during an outage.

95
Q

Why are single points of failure significant in disaster recovery?

A

They are components that, if they fail, would cause an outage.

96
Q

Fill in the blank: The _______ is the expected amount of time that will elapse between system failures.

A

Mean Time Between Failures (MTBF)

97
Q

True or False: A redundant power supply can resolve a single point of failure.

98
Q

What should organizations pay particular attention to when evaluating their environment?

A

Single points of failure.

99
Q

What happens if a server has only one power supply?

A

The failure of that power supply would bring down the server, making it a single point of failure.

100
Q

How can a single point of failure in a server providing a web page be resolved?

A

By adding a second server to a cluster.

101
Q

What are the three key aspects cybersecurity professionals are responsible for?

A

Confidentiality, integrity, availability

These aspects ensure the protection of all information under their care.

102
Q

What is personally identifiable information (PII)?

A

Any information that uniquely identifies an individual person

This includes customers, employees, and third parties.

103
Q

What are the potential consequences of privacy breaches for individuals?

A

Identity theft, personal risks

Individuals may suffer from exposure to various personal risks.

104
Q

What organizational consequences can arise from privacy breaches?

A

Reputational damage, fines, loss of intellectual property

These consequences can significantly impact a business’s operations.

105
Q

What should organizations understand when evaluating privacy risks?

A

Legal implications based on jurisdiction

Familiarity with local, regional, national, and global privacy requirements is essential.

106
Q

What is a privacy notice?

A

A document that outlines an organization’s privacy commitments

In some cases, laws may require its adoption.

107
Q

What types of sensitive information should organizations include in their data inventory?

A
  • Personally identifiable information (PII)
  • Protected health information (PHI)
  • Financial information
  • Intellectual property
  • Legal information
  • Regulated information

This inventory helps organizations manage and protect sensitive data.

108
Q

What is the concept of data minimization?

A

Collecting the smallest amount of information necessary

This practice occurs at the early stages of the information life cycle.

109
Q

What are the four major classification categories used by the U.S. government?

A
  • Top Secret
  • Secret
  • Confidential
  • Unclassified

These categories indicate the level of protection required for information.

110
Q

What is the role of a data controller?

A

Entities that determine the reasons for processing personal information

This term is used primarily in European law.

111
Q

Who are data stewards?

A

Individuals responsible for carrying out the intent of the data controller

They are delegated responsibility from the controller.

112
Q

What is the right to be forgotten?

A

A concept allowing individuals to request the deletion of personal data

This right is implemented in various data protection laws, notably the GDPR.

113
Q

What is data obfuscation?

A

Transforming data so the original information cannot be retrieved

This process helps protect sensitive information.

114
Q

What is hashing in data protection?

A

Using a hash function to transform a value into a corresponding hash value

Hashing prevents direct retrieval of original values.

115
Q

What must organizations do in the event of a data breach?

A

Activate their cybersecurity incident response plan

This plan includes procedures for notifying key personnel and escalating incidents.

116
Q

Do U.S. states have data breach notification laws?

A

Yes; each state has its own requirements for triggering notifications

These laws can vary widely by state.

117
Q

What is the importance of data retention standards?

A

They guide the end of the data life cycle, ensuring data is kept only as long as necessary

Secure destruction of data is essential at the end of its life cycle.

118
Q

Fill in the blank: _______ is the process of removing the ability to link data back to an individual.

A

Deidentification

This technique is a form of pseudo-anonymization.