16 Security Governance Flashcards
What are the data types mentioned in risk management?
- Regulated
- Trade secret
- Intellectual property
- Legal information
- Financial information
- Human- and non-human-readable
These data types are crucial for understanding how to protect sensitive information.
List the data classifications used in risk management.
- Sensitive
- Confidential
- Public
- Restricted
- Private
- Critical
Data classifications help organizations determine the level of protection required for different types of information.
What elements are summarized under effective security governance?
- Owners
- Controllers
- Processors
- Custodians/stewards
These roles and responsibilities are key to managing systems and data effectively.
What is the first step in the risk management process?
Risk identification
Identifying risks is essential for effective risk management.
Name the types of risk assessment.
- Ad hoc
- Recurring
- One-time
- Continuous
Different types of assessments are used depending on the organization’s needs.
What are the two main types of risk analysis?
- Qualitative
- Quantitative
Both types of analysis provide different perspectives on risk.
Define Single Loss Expectancy (SLE).
The expected monetary loss every time a risk occurs
SLE is a critical metric in risk analysis.
What does Annualized Loss Expectancy (ALE) measure?
The expected yearly loss from a risk
ALE helps organizations understand the financial impact of risks over time.
What does Risk Register include?
- Key risk indicators
- Risk owners
- Risk threshold
A Risk Register is vital for tracking and managing risks.
What is meant by risk tolerance?
The level of risk an organization is willing to accept
Understanding risk tolerance helps in decision-making regarding risk management strategies.
Fill in the blank: Risk appetite can be categorized as _______.
- Expansionary
- Conservative
- Neutral
Different approaches to risk appetite reflect an organization’s strategy.
List the risk management strategies.
- Transfer
- Accept
- Avoid
- Mitigate
These strategies guide organizations in handling identified risks.
What is the purpose of risk reporting?
To communicate risk information to stakeholders
Effective risk reporting enhances awareness and decision-making.
What are the components of Business Impact Analysis (BIA)?
- Recovery time objective (RTO)
- Recovery point objective (RPO)
- Mean time to repair (MTTR)
- Mean time between failures (MTBF)
BIA is essential for understanding the potential impact of disruptions.
What legal implications must organizations consider for privacy?
- Local/regional
- National
- Global
Organizations must navigate various legal frameworks regarding data privacy.
Differentiate between Controller vs. Processor.
- Controller: Determines the purposes and means of processing personal data
- Processor: Processes data on behalf of the controller
Understanding these roles is crucial for compliance with data protection regulations.
What is the ‘Right to be forgotten’?
The ability for individuals to have their personal data deleted
This right is a key aspect of data privacy laws.
True or False: Risk management is unrelated to cybersecurity.
False
Risk management is closely tied to cybersecurity, particularly regarding the protection of personal information.
What is the primary goal of an enterprise risk management (ERM) program?
To take a formal approach to risk analysis, starting with identifying risks and determining their severity, leading to the adoption of risk management strategies.
Define ‘threat’ in the context of risk management.
Any possible events that might have an adverse impact on the confidentiality, integrity, and/or availability of information or information systems.
What are vulnerabilities in risk management?
Weaknesses in systems or controls that could be exploited by a threat.
How is risk defined in relation to threats and vulnerabilities?
Risk occurs at the intersection of a vulnerability and a threat that might exploit that vulnerability.
True or False: A threat without a corresponding vulnerability poses a risk.
False
What is an example of a vulnerability in everyday life?
Walking down the sidewalk without any protection.
What constitutes a multiparty risk?
Risks that impact more than one organization, such as a power outage affecting multiple buildings.
What are legacy systems in the context of risk?
Outdated systems that often do not receive security updates and require extraordinary measures to protect against vulnerabilities.
How does risk assessment determine the severity of a risk?
By evaluating the likelihood of occurrence and the magnitude of the impact.
What is the formula used to express risk severity?
Risk Severity = Likelihood * Impact
What type of risk assessment provides a point-in-time view of the risk state?
One-time risk assessments.
What is the difference between quantitative and qualitative risk analysis?
Quantitative uses numeric data for analysis; qualitative uses subjective judgments and categories.
What does the annualized rate of occurrence (ARO) represent?
The number of times a risk is expected to occur in a given year.
What is the single loss expectancy (SLE)?
The amount of financial damage expected each time a risk materializes.
Fill in the blank: The _______ is calculated by multiplying the asset value by the exposure factor.
single loss expectancy (SLE)
What type of risk assessment is performed at regular intervals?
Recurring risk assessments.
What is the purpose of continuous risk assessments?
To involve ongoing monitoring and analysis of risks.
What key factor influences the impact assessment of a risk in regulated industries?
Laws and regulations, such as GDPR.
True or False: Qualitative risk analysis can easily express reputational damage in numeric terms.
False
What is the exposure factor (EF)?
The percentage of the asset expected to be damaged if a risk materializes.
What is the annualized loss expectancy (ALE)?
The amount of damage expected from a risk each year, calculated by multiplying the SLE and the ARO.
What is the significance of combining quantitative and qualitative risk assessments?
To provide a well-rounded picture of both tangible and intangible risks.
What is vendor due diligence?
The process of evaluating third-party relationships to ensure they have adequate security controls.
Fill in the blank: Risks that originate from a source outside the organization are called _______.
external risks
What are internal risks?
Risks that originate from within the organization, such as malicious insiders or equipment failures.
What role do supply chain risks play in organizational security?
They pose risks based on third-party relationships that can affect data confidentiality, integrity, and availability.
What is a significant risk associated with intellectual property (IP)?
The theft of trade secrets or proprietary information that could compromise business advantage.
What are software compliance/licensing risks?
Risks that occur when an organization runs afoul of usage limitations set by software vendors.
What is a crucial security responsibility when dealing with third-party relationships?
Performing vendor due diligence
Vendor due diligence involves evaluating the security measures of vendors to protect sensitive data.
Why is it important to assess the security controls of cloud service providers?
They handle your organization’s sensitive information and are part of the operational and security supply chain
Inadequate security controls can put your data at risk.
What risk is associated with hardware used in an organization?
It may have been tampered with during the supply chain process
Tampering can lead to security vulnerabilities in the hardware.
Who revealed that the U.S. government intercepted hardware shipments?
Edward Snowden
Snowden was a former NSA contractor who leaked documents about government surveillance practices.
What malicious action was discovered regarding hardware shipments?
Malicious code was implanted deep within the hardware
This action illustrates the potential risks in hardware supply chains.
What is the purpose of performing hardware source authenticity assessments?
To validate that the hardware received was not tampered with
This assessment ensures the integrity of hardware before it is deployed in an organization.
What is the process of systematically addressing the risks facing an organization called?
Risk management
Risk management involves identifying, prioritizing, and addressing risks.
What are the two important roles of risk assessment in risk management?
- Prioritizing risks
- Determining if the potential impact justifies the costs
This helps focus efforts on the most significant risks.
What are the four strategies available for risk management?
- Risk mitigation
- Risk avoidance
- Risk transference
- Risk acceptance
Each strategy has different implications and trade-offs.
What is risk mitigation?
The process of applying security controls to reduce the probability and/or magnitude of a risk
It is the most common risk management strategy.
What is an example of a risk mitigation control for laptop theft?
Purchasing cable locks for laptops
This helps reduce the probability of theft occurring.
What is risk avoidance?
A strategy that changes business practices to completely eliminate the potential for a risk to materialize
This strategy can negatively impact business operations.
True or False: Risk avoidance can involve shutting down a website to prevent DDoS attacks.
True
This is an extreme measure and often impractical.
What is risk transference?
Shifting some of the impact of a risk to another entity
Commonly done through purchasing insurance.
How does property insurance relate to laptop theft?
It may cover the risk of stolen laptops
Coverage depends on the type of policy.
What type of insurance should organizations consider for DDoS attacks?
Cybersecurity insurance
This may cover recovery operations and lost revenue.
What is risk acceptance?
Deliberately choosing to take no action against a risk and continuing operations as normal
It involves a conscious decision based on cost-benefit analysis.
What distinguishes risk acceptance from neglecting a risk?
Risk acceptance is a conscious decision, while neglecting a risk is unintentional
It should involve analysis and documentation.
What are exemptions in risk management?
Formal approvals to not address certain risks, documented for record-keeping
They may have expiration dates and require periodic review.
Fill in the blank: Risk acceptance should not be undertaken as a _______.
default strategy
It requires thoughtful analysis.
What might lead an organization to accept the risk of laptop theft?
High costs of other risk management strategies
This decision would be based on a cost-benefit analysis.
What should learners understand for the Security+ exam regarding risk management?
The four risk management strategies and examples of each
Be prepared to identify strategies in given scenarios.
What is inherent risk?
The original level of risk that exists before implementing any controls.
Inherent risk reflects the level of risk that is fundamental to an organization’s business.
What is residual risk?
The risk that remains after implementing controls designed to mitigate, avoid, and/or transfer the inherent risk.
Residual risk represents the level of risk that persists despite risk management efforts.
Define risk appetite.
The level of risk that an organization is willing to accept as a cost of doing business.
Risk appetite is a broad term encompassing the overall risk stance of an organization.
What is risk threshold?
The specific level at which a risk becomes unacceptable, triggering action or decision.
Risk threshold is more quantitative than risk appetite, defining clear points or values.
What does risk tolerance refer to?
An organization’s ability to withstand risks and continue operations without significant impact.
Risk tolerance can vary significantly across different organizations.
What are Key Risk Indicators (KRIs)?
Metrics used to measure and provide early warning signals for increasing levels of risk.
KRIs help track the effectiveness of risk mitigation efforts.
Who is a risk owner?
An individual or entity responsible for managing and monitoring risks.
The risk owner implements necessary controls and actions to mitigate risks.
What is the relationship between inherent risk and residual risk?
Organizations begin with inherent risk and implement strategies to reduce it to an acceptable residual risk level.
This process ensures that residual risk aligns with the organization’s risk appetite.
Describe an organization with an expansionary risk appetite.
Willing to take on higher levels of risk in pursuit of potential higher rewards.
Such organizations often seek aggressive growth, innovation, or market share.
What characterizes a neutral risk appetite?
A balanced approach to risk, allowing moderate levels of risk for steady growth and returns.
Neutral risk appetites aim for stability and moderate growth.
Describe a conservative risk appetite.
Tends to avoid high risks, focusing on maintaining stability and protecting existing assets.
Common in highly regulated industries or where the consequences of risks are severe.
What is a risk register?
The primary tool used by risk management professionals to track risks facing the organization.
It includes detailed information about various risks and their management.
What elements are commonly included in a risk register?
- Risk owner
- Risk threshold information
- Key Risk Indicators (KRIs)
These elements are important for tracking and managing risks effectively.
What is the purpose of risk reporting?
To communicate the status and evolution of risks to stakeholders within the organization.
Effective risk reporting ensures informed decision-making regarding risk mitigation.
What are the types of risk reporting?
- Regular Updates
- Dashboard Reporting
- Ad Hoc Reports
- Risk Trend Analysis
- Risk Event Reports
Each type serves a specific purpose in communicating risk information to stakeholders.
What should be considered when compiling a risk report?
Tailor the information and format to the audience, ensuring clarity and conciseness.
Reports should highlight current status and provide context related to risk appetite and thresholds.
What is disaster recovery planning (DRP)?
The discipline of developing plans to recover operations as quickly as possible in the face of a disaster.
DRP creates a formal, broad disaster recovery plan and specific functional recovery plans for critical business functions.
What is the primary goal of disaster recovery plans?
To help the organization recover normal operations as quickly as possible in the wake of a disruption.
What types of disasters can affect an organization?
Both natural and human-made disasters, including internal and external risks.
Disasters may come from environmental factors or human actions.
What triggers the activation of an organization’s disaster recovery plan?
The occurrence of a disaster.
What is the purpose of site risk assessments in the DRP process?
To identify and prioritize the risks posed to the facility by disasters.
What does a business impact analysis (BIA) identify?
Mission-essential functions within an organization and the critical systems that support those functions.
What does Mean Time Between Failures (MTBF) measure?
The reliability of a system, specifically the expected amount of time between system failures.
What is the Mean Time to Repair (MTTR)?
The average amount of time to restore a system to its normal operating state after a failure.
What does Recovery Time Objective (RTO) represent?
The amount of time that the organization can tolerate a system being down before it is repaired.
What is Recovery Point Objective (RPO)?
The amount of data the organization can tolerate losing during an outage.
Why are single points of failure significant in disaster recovery?
They are components that, if they fail, would cause an outage.
Fill in the blank: The _______ is the expected amount of time that will elapse between system failures.
Mean Time Between Failures (MTBF)
True or False: A redundant power supply can resolve a single point of failure.
True
What should organizations pay particular attention to when evaluating their environment?
Single points of failure.
What happens if a server has only one power supply?
The failure of that power supply would bring down the server, making it a single point of failure.
How can a single point of failure in a server providing a web page be resolved?
By adding a second server to a cluster.
What are the three key aspects cybersecurity professionals are responsible for?
Confidentiality, integrity, availability
These aspects ensure the protection of all information under their care.
What is personally identifiable information (PII)?
Any information that uniquely identifies an individual person
This includes customers, employees, and third parties.
What are the potential consequences of privacy breaches for individuals?
Identity theft, personal risks
Individuals may suffer from exposure to various personal risks.
What organizational consequences can arise from privacy breaches?
Reputational damage, fines, loss of intellectual property
These consequences can significantly impact a business’s operations.
What should organizations understand when evaluating privacy risks?
Legal implications based on jurisdiction
Familiarity with local, regional, national, and global privacy requirements is essential.
What is a privacy notice?
A document that outlines an organization’s privacy commitments
In some cases, laws may require its adoption.
What types of sensitive information should organizations include in their data inventory?
- Personally identifiable information (PII)
- Protected health information (PHI)
- Financial information
- Intellectual property
- Legal information
- Regulated information
This inventory helps organizations manage and protect sensitive data.
What is the concept of data minimization?
Collecting the smallest amount of information necessary
This practice occurs at the early stages of the information life cycle.
What are the four major classification categories used by the U.S. government?
- Top Secret
- Secret
- Confidential
- Unclassified
These categories indicate the level of protection required for information.
What is the role of a data controller?
Entities who determine the reasons for processing personal information
This term is used primarily in European law.
Who are data stewards?
Individuals responsible for carrying out the intent of the data controller
They are delegated responsibility from the controller.
What is the right to be forgotten?
A concept allowing individuals to request the deletion of personal data
This right is implemented in various data protection laws, notably the GDPR.
What is data obfuscation?
Transforming data so the original information cannot be retrieved
This process helps protect sensitive information.
What is hashing in data protection?
Using a hash function to transform a value into a corresponding hash value
Hashing prevents direct retrieval of original values.
What must organizations do in the event of a data breach?
Activate their cybersecurity incident response plan
This plan includes procedures for notifying key personnel and escalating incidents.
Do U.S. states have data breach notification laws?
Yes, every state has different requirements for triggering notifications
These laws can vary widely by state.
What is the importance of data retention standards?
Guides the end of the data life cycle, ensuring data is kept only as long as necessary
Secure destruction of data is essential at the end of its life cycle.
Fill in the blank: _______ is the process of removing the ability to link data back to an individual.
Deidentification
This technique is a form of pseudo-anonymization.
