16 Security Governance Flashcards

Question

What constitutes a multiparty risk?

Answer 1

Risks that impact more than one organization, such as a power outage affecting multiple buildings.

Answer 2

Outdated systems that often do not receive security updates and require extraordinary measures to protect against vulnerabilities.

Answer 3

By evaluating the likelihood of occurrence and the magnitude of the impact.

Answer 4

Risk Severity = Likelihood * Impact

Answer 5

One-time risk assessments.

Answer 6

Quantitative uses numeric data for analysis; qualitative uses subjective judgments and categories.

Answer 7

The number of times a risk is expected to occur in a given year.

Answer 8

The amount of financial damage expected each time a risk materializes.

Answer 9

single loss expectancy (SLE)

Answer 10

Recurring risk assessments.

Answer 11

To involve ongoing monitoring and analysis of risks.

Answer 12

Laws and regulations, such as GDPR.

Answer 13

The percentage of the asset expected to be damaged if a risk materializes.

Answer 14

The amount of damage expected from a risk each year, calculated by multiplying the SLE and the ARO.

Answer 15

To provide a well-rounded picture of both tangible and intangible risks.

Answer 16

The process of evaluating third-party relationships to ensure they have adequate security controls.

Answer 17

external risks

Answer 18

Risks that originate from within the organization, such as malicious insiders or equipment failures.

Answer 19

They pose risks based on third-party relationships that can affect data confidentiality, integrity, and availability.

Answer 20

The theft of trade secrets or proprietary information that could compromise business advantage.

Answer 21

Risks that occur when an organization runs afoul of usage limitations set by software vendors.

Answer 22

Performing vendor due diligence ## Footnote Vendor due diligence involves evaluating the security measures of vendors to protect sensitive data.

Answer 23

They handle your organization's sensitive information and are part of the operational and security supply chain ## Footnote Inadequate security controls can put your data at risk.

Answer 24

It may have been tampered with during the supply chain process ## Footnote Tampering can lead to security vulnerabilities in the hardware.

Answer 25

Edward Snowden ## Footnote Snowden was a former NSA contractor who leaked documents about government surveillance practices.

Answer 26

Malicious code was implanted deep within the hardware ## Footnote This action illustrates the potential risks in hardware supply chains.

Answer 27

To validate that the hardware received was not tampered with ## Footnote This assessment ensures the integrity of hardware before it is deployed in an organization.

Answer 28

Risk management ## Footnote Risk management involves identifying, prioritizing, and addressing risks.

Answer 29

1. Prioritizing risks 2. Determining if the potential impact justifies the costs ## Footnote This helps focus efforts on the most significant risks.

Answer 30

* Risk mitigation * Risk avoidance * Risk transference * Risk acceptance ## Footnote Each strategy has different implications and trade-offs.

Answer 31

The process of applying security controls to reduce the probability and/or magnitude of a risk ## Footnote It is the most common risk management strategy.

Answer 32

Purchasing cable locks for laptops ## Footnote This helps reduce the probability of theft occurring.

Answer 33

A strategy that changes business practices to completely eliminate the potential for a risk to materialize ## Footnote This strategy can negatively impact business operations.

Answer 34

True ## Footnote This is an extreme measure and often impractical.

Answer 35

Shifting some of the impact of a risk to another entity ## Footnote Commonly done through purchasing insurance.

Answer 36

It may cover the risk of stolen laptops ## Footnote Coverage depends on the type of policy.

Answer 37

Cybersecurity insurance ## Footnote This may cover recovery operations and lost revenue.

Answer 38

Deliberately choosing to take no action against a risk and continuing operations as normal ## Footnote It involves a conscious decision based on cost-benefit analysis.

Answer 39

Risk acceptance is a conscious decision, while neglecting a risk is unintentional ## Footnote It should involve analysis and documentation.

Answer 40

Formal approvals to not address certain risks, documented for record-keeping ## Footnote They may have expiration dates and require periodic review.

Answer 41

default strategy ## Footnote It requires thoughtful analysis.

Answer 42

High costs of other risk management strategies ## Footnote This decision would be based on a cost-benefit analysis.

Answer 43

The four risk management strategies and examples of each ## Footnote Be prepared to identify strategies in given scenarios.

Answer 44

The original level of risk that exists before implementing any controls. ## Footnote Inherent risk reflects the level of risk that is fundamental to an organization's business.

Answer 45

The risk that remains after implementing controls designed to mitigate, avoid, and/or transfer the inherent risk. ## Footnote Residual risk represents the level of risk that persists despite risk management efforts.

Answer 46

The level of risk that an organization is willing to accept as a cost of doing business. ## Footnote Risk appetite is a broad term encompassing the overall risk stance of an organization.

Answer 47

The specific level at which a risk becomes unacceptable, triggering action or decision. ## Footnote Risk threshold is more quantitative than risk appetite, defining clear points or values.

Answer 48

An organization's ability to withstand risks and continue operations without significant impact. ## Footnote Risk tolerance can vary significantly across different organizations.

Answer 49

Metrics used to measure and provide early warning signals for increasing levels of risk. ## Footnote KRIs help track the effectiveness of risk mitigation efforts.

Answer 50

An individual or entity responsible for managing and monitoring risks. ## Footnote The risk owner implements necessary controls and actions to mitigate risks.

Answer 51

Organizations begin with inherent risk and implement strategies to reduce it to an acceptable residual risk level. ## Footnote This process ensures that residual risk aligns with the organization's risk appetite.

Answer 52

Willing to take on higher levels of risk in pursuit of potential higher rewards. ## Footnote Such organizations often seek aggressive growth, innovation, or market share.

Answer 53

A balanced approach to risk, allowing moderate levels of risk for steady growth and returns. ## Footnote Neutral risk appetites aim for stability and moderate growth.

Answer 54

Tends to avoid high risks, focusing on maintaining stability and protecting existing assets. ## Footnote Common in highly regulated industries or where the consequences of risks are severe.

Answer 55

The primary tool used by risk management professionals to track risks facing the organization. ## Footnote It includes detailed information about various risks and their management.

Answer 56

* Risk owner * Risk threshold information * Key Risk Indicators (KRIs) ## Footnote These elements are important for tracking and managing risks effectively.

Answer 57

To communicate the status and evolution of risks to stakeholders within the organization. ## Footnote Effective risk reporting ensures informed decision-making regarding risk mitigation.

Answer 58

* Regular Updates * Dashboard Reporting * Ad Hoc Reports * Risk Trend Analysis * Risk Event Reports ## Footnote Each type serves a specific purpose in communicating risk information to stakeholders.

Answer 59

Tailor the information and format to the audience, ensuring clarity and conciseness. ## Footnote Reports should highlight current status and provide context related to risk appetite and thresholds.

Answer 60

The discipline of developing plans to recover operations as quickly as possible in the face of a disaster. ## Footnote DRP creates a formal, broad disaster recovery plan and specific functional recovery plans for critical business functions.

Answer 61

To help the organization recover normal operations as quickly as possible in the wake of a disruption.

Answer 62

Both natural and human-made disasters, including internal and external risks. ## Footnote Disasters may come from environmental factors or human actions.

Answer 63

The occurrence of a disaster.

Answer 64

To identify and prioritize the risks posed to the facility by disasters.

Answer 65

Mission-essential functions within an organization and the critical systems that support those functions.

Answer 66

The reliability of a system, specifically the expected amount of time between system failures.

Answer 67

The average amount of time to restore a system to its normal operating state after a failure.

Answer 68

The amount of time that the organization can tolerate a system being down before it is repaired.

Answer 69

The amount of data the organization can tolerate losing during an outage.

Answer 70

They are components that, if they fail, would cause an outage.

Answer 71

Mean Time Between Failures (MTBF)

Answer 72

Single points of failure.

Answer 73

The failure of that power supply would bring down the server, making it a single point of failure.

Answer 74

By adding a second server to a cluster.

Answer 75

Confidentiality, integrity, availability ## Footnote These aspects ensure the protection of all information under their care.

Answer 76

Any information that uniquely identifies an individual person ## Footnote This includes customers, employees, and third parties.

Answer 77

Identity theft, personal risks ## Footnote Individuals may suffer from exposure to various personal risks.

Answer 78

Reputational damage, fines, loss of intellectual property ## Footnote These consequences can significantly impact a business's operations.

Answer 79

Legal implications based on jurisdiction ## Footnote Familiarity with local, regional, national, and global privacy requirements is essential.

Answer 80

A document that outlines an organization's privacy commitments ## Footnote In some cases, laws may require its adoption.

Answer 81

* Personally identifiable information (PII) * Protected health information (PHI) * Financial information * Intellectual property * Legal information * Regulated information ## Footnote This inventory helps organizations manage and protect sensitive data.

Answer 82

Collecting the smallest amount of information necessary ## Footnote This practice occurs at the early stages of the information life cycle.

Answer 83

* Top Secret * Secret * Confidential * Unclassified ## Footnote These categories indicate the level of protection required for information.

Answer 84

Entities who determine the reasons for processing personal information ## Footnote This term is used primarily in European law.

Answer 85

Individuals responsible for carrying out the intent of the data controller ## Footnote They are delegated responsibility from the controller.

Answer 86

A concept allowing individuals to request the deletion of personal data ## Footnote This right is implemented in various data protection laws, notably the GDPR.

Answer 87

Transforming data so the original information cannot be retrieved ## Footnote This process helps protect sensitive information.

Answer 88

Using a hash function to transform a value into a corresponding hash value ## Footnote Hashing prevents direct retrieval of original values.

Answer 89

Activate their cybersecurity incident response plan ## Footnote This plan includes procedures for notifying key personnel and escalating incidents.

Answer 90

Yes, every state has different requirements for triggering notifications ## Footnote These laws can vary widely by state.

Answer 91

Guides the end of the data life cycle, ensuring data is kept only as long as necessary ## Footnote Secure destruction of data is essential at the end of its life cycle.

Answer 92

Deidentification ## Footnote This technique is a form of pseudo-anonymization.