16 Security Governance Flashcards
What are the data types mentioned in risk management?
- Regulated
- Trade secret
- Intellectual property
- Legal information
- Financial information
- Human- and non-human-readable
These data types are crucial for understanding how to protect sensitive information.
List the data classifications used in risk management.
- Sensitive
- Confidential
- Public
- Restricted
- Private
- Critical
Data classifications help organizations determine the level of protection required for different types of information.
What elements are summarized under effective security governance?
- Owners
- Controllers
- Processors
- Custodians/stewards
These roles and responsibilities are key to managing systems and data effectively.
What is the first step in the risk management process?
Risk identification
Identifying risks is essential for effective risk management.
Name the types of risk assessment.
- Ad hoc
- Recurring
- One-time
- Continuous
Different types of assessments are used depending on the organization’s needs.
What are the two main types of risk analysis?
- Qualitative
- Quantitative
Both types of analysis provide different perspectives on risk.
Define Single Loss Expectancy (SLE).
The expected monetary loss every time a risk occurs
SLE is a critical metric in risk analysis.
What does Annualized Loss Expectancy (ALE) measure?
The expected yearly loss from a risk
ALE helps organizations understand the financial impact of risks over time.
What does a Risk Register include?
- Key risk indicators
- Risk owners
- Risk threshold
A Risk Register is vital for tracking and managing risks.
What is meant by risk tolerance?
The level of risk an organization is willing to accept
Understanding risk tolerance helps in decision-making regarding risk management strategies.
Fill in the blank: Risk appetite can be categorized as _______.
- Expansionary
- Conservative
- Neutral
Different approaches to risk appetite reflect an organization’s strategy.
List the risk management strategies.
- Transfer
- Accept
- Avoid
- Mitigate
These strategies guide organizations in handling identified risks.
What is the purpose of risk reporting?
To communicate risk information to stakeholders
Effective risk reporting enhances awareness and decision-making.
What are the components of Business Impact Analysis (BIA)?
- Recovery time objective (RTO)
- Recovery point objective (RPO)
- Mean time to repair (MTTR)
- Mean time between failures (MTBF)
BIA is essential for understanding the potential impact of disruptions.
What legal implications must organizations consider for privacy?
- Local/regional
- National
- Global
Organizations must navigate various legal frameworks regarding data privacy.
Differentiate between a Controller and a Processor.
- Controller: Determines the purposes and means of processing personal data
- Processor: Processes data on behalf of the controller
Understanding these roles is crucial for compliance with data protection regulations.
What is the ‘Right to be forgotten’?
The ability for individuals to have their personal data deleted
This right is a key aspect of data privacy laws.
True or False: Risk management is unrelated to cybersecurity.
False
Risk management is closely tied to cybersecurity, particularly regarding the protection of personal information.
What is the primary goal of an enterprise risk management (ERM) program?
To take a formal approach to risk analysis, starting with identifying risks and determining their severity, leading to the adoption of risk management strategies.
Define ‘threat’ in the context of risk management.
Any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of information or information systems.
What are vulnerabilities in risk management?
Weaknesses in systems or controls that could be exploited by a threat.
How is risk defined in relation to threats and vulnerabilities?
Risk occurs at the intersection of a vulnerability and a threat that might exploit that vulnerability.
True or False: A threat without a corresponding vulnerability poses a risk.
False
What is an example of a vulnerability in everyday life?
Walking down the sidewalk without any protection.