16 Security Governance Flashcards

1
Q

What are the data types mentioned in risk management?

A
  • Regulated
  • Trade secret
  • Intellectual property
  • Legal information
  • Financial information
  • Human- and non-human-readable

These data types are crucial for understanding how to protect sensitive information.

2
Q

List the data classifications used in risk management.

A
  • Sensitive
  • Confidential
  • Public
  • Restricted
  • Private
  • Critical

Data classifications help organizations determine the level of protection required for different types of information.

3
Q

What elements are summarized under effective security governance?

A
  • Owners
  • Controllers
  • Processors
  • Custodians/stewards

These roles and responsibilities are key to managing systems and data effectively.

4
Q

What is the first step in the risk management process?

A

Risk identification

Identifying risks is essential for effective risk management.

5
Q

Name the types of risk assessment.

A
  • Ad hoc
  • Recurring
  • One-time
  • Continuous

Different types of assessments are used depending on the organization’s needs.

6
Q

What are the two main types of risk analysis?

A
  • Qualitative
  • Quantitative

Both types of analysis provide different perspectives on risk.

7
Q

Define Single Loss Expectancy (SLE).

A

The expected monetary loss every time a risk occurs

SLE is a critical metric in risk analysis.

8
Q

What does Annualized Loss Expectancy (ALE) measure?

A

The expected yearly loss from a risk

ALE helps organizations understand the financial impact of risks over time.

9
Q

What does a Risk Register include?

A
  • Key risk indicators
  • Risk owners
  • Risk threshold

A Risk Register is vital for tracking and managing risks.

10
Q

What is meant by risk tolerance?

A

The level of risk an organization is willing to accept

Understanding risk tolerance helps in decision-making regarding risk management strategies.

11
Q

Fill in the blank: Risk appetite can be categorized as _______.

A
  • Expansionary
  • Conservative
  • Neutral

Different approaches to risk appetite reflect an organization’s strategy.

12
Q

List the risk management strategies.

A
  • Transfer
  • Accept
  • Avoid
  • Mitigate

These strategies guide organizations in handling identified risks.

13
Q

What is the purpose of risk reporting?

A

To communicate risk information to stakeholders

Effective risk reporting enhances awareness and decision-making.

14
Q

What are the components of Business Impact Analysis (BIA)?

A
  • Recovery time objective (RTO)
  • Recovery point objective (RPO)
  • Mean time to repair (MTTR)
  • Mean time between failures (MTBF)

BIA is essential for understanding the potential impact of disruptions.

15
Q

What legal implications must organizations consider for privacy?

A
  • Local/regional
  • National
  • Global

Organizations must navigate various legal frameworks regarding data privacy.

16
Q

Differentiate between a Controller and a Processor.

A
  • Controller: Determines the purposes and means of processing personal data
  • Processor: Processes data on behalf of the controller

Understanding these roles is crucial for compliance with data protection regulations.

17
Q

What is the ‘Right to be forgotten’?

A

The ability for individuals to have their personal data deleted

This right is a key aspect of data privacy laws.

18
Q

True or False: Risk management is unrelated to cybersecurity.

A

False

Risk management is closely tied to cybersecurity, particularly regarding the protection of personal information.

19
Q

What is the primary goal of an enterprise risk management (ERM) program?

A

To take a formal approach to risk analysis, starting with identifying risks and determining their severity, leading to the adoption of risk management strategies.

20
Q

Define ‘threat’ in the context of risk management.

A

Any possible event that might have an adverse impact on the confidentiality, integrity, and/or availability of information or information systems.

21
Q

What are vulnerabilities in risk management?

A

Weaknesses in systems or controls that could be exploited by a threat.

22
Q

How is risk defined in relation to threats and vulnerabilities?

A

Risk occurs at the intersection of a vulnerability and a threat that might exploit that vulnerability.

23
Q

True or False: A threat without a corresponding vulnerability poses a risk.

A

False

24
Q

What is an example of a vulnerability in everyday life?

A

Walking down the sidewalk without any protection.

25
Q

What constitutes a multiparty risk?

A

Risks that impact more than one organization, such as a power outage affecting multiple buildings.

26
Q

What are legacy systems in the context of risk?

A

Outdated systems that often do not receive security updates and require extraordinary measures to protect against vulnerabilities.

27
Q

How does risk assessment determine the severity of a risk?

A

By evaluating the likelihood of occurrence and the magnitude of the impact.

28
Q

What is the formula used to express risk severity?

A

Risk Severity = Likelihood * Impact

29
Q

What type of risk assessment provides a point-in-time view of the risk state?

A

One-time risk assessments.

30
Q

What is the difference between quantitative and qualitative risk analysis?

A

Quantitative uses numeric data for analysis; qualitative uses subjective judgments and categories.

31
Q

What does the annualized rate of occurrence (ARO) represent?

A

The number of times a risk is expected to occur in a given year.

32
Q

What is the single loss expectancy (SLE)?

A

The amount of financial damage expected each time a risk materializes.

33
Q

Fill in the blank: The _______ is calculated by multiplying the asset value by the exposure factor.

A

single loss expectancy (SLE)

34
Q

What type of risk assessment is performed at regular intervals?

A

Recurring risk assessments.

35
Q

What is the purpose of continuous risk assessments?

A

To involve ongoing monitoring and analysis of risks.

36
Q

What key factor influences the impact assessment of a risk in regulated industries?

A

Laws and regulations, such as GDPR.

37
Q

True or False: Qualitative risk analysis can easily express reputational damage in numeric terms.

A

False

38
Q

What is the exposure factor (EF)?

A

The percentage of the asset expected to be damaged if a risk materializes.

39
Q

What is the annualized loss expectancy (ALE)?

A

The amount of damage expected from a risk each year, calculated by multiplying the SLE and the ARO.

40
Q

What is the significance of combining quantitative and qualitative risk assessments?

A

To provide a well-rounded picture of both tangible and intangible risks.

41
Q

What is vendor due diligence?

A

The process of evaluating third-party relationships to ensure they have adequate security controls.

42
Q

Fill in the blank: Risks that originate from a source outside the organization are called _______.

A

external risks

43
Q

What are internal risks?

A

Risks that originate from within the organization, such as malicious insiders or equipment failures.

44
Q

What role do supply chain risks play in organizational security?

A

They pose risks based on third-party relationships that can affect data confidentiality, integrity, and availability.

45
Q

What is a significant risk associated with intellectual property (IP)?

A

The theft of trade secrets or proprietary information that could compromise business advantage.

46
Q

What are software compliance/licensing risks?

A

Risks that occur when an organization runs afoul of usage limitations set by software vendors.
47
Q

What is a crucial security responsibility when dealing with third-party relationships?

A

Performing vendor due diligence

Vendor due diligence involves evaluating the security measures of vendors to protect sensitive data.

48
Q

Why is it important to assess the security controls of cloud service providers?

A

They handle your organization's sensitive information and are part of the operational and security supply chain

Inadequate security controls can put your data at risk.

49
Q

What risk is associated with hardware used in an organization?

A

It may have been tampered with during the supply chain process

Tampering can lead to security vulnerabilities in the hardware.

50
Q

Who revealed that the U.S. government intercepted hardware shipments?

A

Edward Snowden

Snowden was a former NSA contractor who leaked documents about government surveillance practices.

51
Q

What malicious action was discovered regarding hardware shipments?

A

Malicious code was implanted deep within the hardware

This action illustrates the potential risks in hardware supply chains.

52
Q

What is the purpose of performing hardware source authenticity assessments?

A

To validate that the hardware received was not tampered with

This assessment ensures the integrity of hardware before it is deployed in an organization.

53
Q

What is the process of systematically addressing the risks facing an organization called?

A

Risk management

Risk management involves identifying, prioritizing, and addressing risks.

54
Q

What are the two important roles of risk assessment in risk management?

A
  1. Prioritizing risks
  2. Determining if the potential impact justifies the costs

This helps focus efforts on the most significant risks.

55
Q

What are the four strategies available for risk management?

A
  • Risk mitigation
  • Risk avoidance
  • Risk transference
  • Risk acceptance

Each strategy has different implications and trade-offs.

56
Q

What is risk mitigation?

A

The process of applying security controls to reduce the probability and/or magnitude of a risk

It is the most common risk management strategy.

57
Q

What is an example of a risk mitigation control for laptop theft?

A

Purchasing cable locks for laptops

This helps reduce the probability of theft occurring.

58
Q

What is risk avoidance?

A

A strategy that changes business practices to completely eliminate the potential for a risk to materialize

This strategy can negatively impact business operations.

59
Q

True or False: Risk avoidance can involve shutting down a website to prevent DDoS attacks.

A

True

This is an extreme measure and often impractical.

60
Q

What is risk transference?

A

Shifting some of the impact of a risk to another entity

Commonly done through purchasing insurance.

61
Q

How does property insurance relate to laptop theft?

A

It may cover the risk of stolen laptops

Coverage depends on the type of policy.

62
Q

What type of insurance should organizations consider for DDoS attacks?

A

Cybersecurity insurance

This may cover recovery operations and lost revenue.

63
Q

What is risk acceptance?

A

Deliberately choosing to take no action against a risk and continuing operations as normal

It involves a conscious decision based on cost-benefit analysis.

64
Q

What distinguishes risk acceptance from neglecting a risk?

A

Risk acceptance is a conscious decision, while neglecting a risk is unintentional

It should involve analysis and documentation.

65
Q

What are exemptions in risk management?

A

Formal approvals to not address certain risks, documented for record-keeping

They may have expiration dates and require periodic review.

66
Q

Fill in the blank: Risk acceptance should not be undertaken as a _______.

A

default strategy

It requires thoughtful analysis.

67
Q

What might lead an organization to accept the risk of laptop theft?

A

High costs of other risk management strategies

This decision would be based on a cost-benefit analysis.

68
Q

What should learners understand for the Security+ exam regarding risk management?

A

The four risk management strategies and examples of each

Be prepared to identify strategies in given scenarios.
69
Q

What is inherent risk?

A

The original level of risk that exists before implementing any controls.

Inherent risk reflects the level of risk that is fundamental to an organization's business.

70
Q

What is residual risk?

A

The risk that remains after implementing controls designed to mitigate, avoid, and/or transfer the inherent risk.

Residual risk represents the level of risk that persists despite risk management efforts.

71
Q

Define risk appetite.

A

The level of risk that an organization is willing to accept as a cost of doing business.

Risk appetite is a broad term encompassing the overall risk stance of an organization.

72
Q

What is risk threshold?

A

The specific level at which a risk becomes unacceptable, triggering action or decision.

Risk threshold is more quantitative than risk appetite, defining clear points or values.

73
Q

What does risk tolerance refer to?

A

An organization's ability to withstand risks and continue operations without significant impact.

Risk tolerance can vary significantly across different organizations.

74
Q

What are Key Risk Indicators (KRIs)?

A

Metrics used to measure and provide early warning signals for increasing levels of risk.

KRIs help track the effectiveness of risk mitigation efforts.

75
Q

Who is a risk owner?

A

An individual or entity responsible for managing and monitoring risks.

The risk owner implements necessary controls and actions to mitigate risks.

76
Q

What is the relationship between inherent risk and residual risk?

A

Organizations begin with inherent risk and implement strategies to reduce it to an acceptable residual risk level.

This process ensures that residual risk aligns with the organization's risk appetite.

77
Q

Describe an organization with an expansionary risk appetite.

A

Willing to take on higher levels of risk in pursuit of potential higher rewards.

Such organizations often seek aggressive growth, innovation, or market share.

78
Q

What characterizes a neutral risk appetite?

A

A balanced approach to risk, allowing moderate levels of risk for steady growth and returns.

Neutral risk appetites aim for stability and moderate growth.

79
Q

Describe a conservative risk appetite.

A

Tends to avoid high risks, focusing on maintaining stability and protecting existing assets.

Common in highly regulated industries or where the consequences of risks are severe.

80
Q

What is a risk register?

A

The primary tool used by risk management professionals to track risks facing the organization.

It includes detailed information about various risks and their management.

81
Q

What elements are commonly included in a risk register?

A
  • Risk owner
  • Risk threshold information
  • Key Risk Indicators (KRIs)

These elements are important for tracking and managing risks effectively.

82
Q

What is the purpose of risk reporting?

A

To communicate the status and evolution of risks to stakeholders within the organization.

Effective risk reporting ensures informed decision-making regarding risk mitigation.

83
Q

What are the types of risk reporting?

A
  • Regular Updates
  • Dashboard Reporting
  • Ad Hoc Reports
  • Risk Trend Analysis
  • Risk Event Reports

Each type serves a specific purpose in communicating risk information to stakeholders.

84
Q

What should be considered when compiling a risk report?

A

Tailor the information and format to the audience, ensuring clarity and conciseness.

Reports should highlight current status and provide context related to risk appetite and thresholds.
85
Q

What is disaster recovery planning (DRP)?

A

The discipline of developing plans to recover operations as quickly as possible in the face of a disaster.

DRP creates a formal, broad disaster recovery plan and specific functional recovery plans for critical business functions.

86
Q

What is the primary goal of disaster recovery plans?

A

To help the organization recover normal operations as quickly as possible in the wake of a disruption.

87
Q

What types of disasters can affect an organization?

A

Both natural and human-made disasters, including internal and external risks.

Disasters may come from environmental factors or human actions.

88
Q

What triggers the activation of an organization's disaster recovery plan?

A

The occurrence of a disaster.

89
Q

What is the purpose of site risk assessments in the DRP process?

A

To identify and prioritize the risks posed to the facility by disasters.

90
Q

What does a business impact analysis (BIA) identify?

A

Mission-essential functions within an organization and the critical systems that support those functions.

91
Q

What does Mean Time Between Failures (MTBF) measure?

A

The reliability of a system, specifically the expected amount of time between system failures.

92
Q

What is the Mean Time to Repair (MTTR)?

A

The average amount of time to restore a system to its normal operating state after a failure.

93
Q

What does Recovery Time Objective (RTO) represent?

A

The amount of time that the organization can tolerate a system being down before it is repaired.

94
Q

What is Recovery Point Objective (RPO)?

A

The amount of data the organization can tolerate losing during an outage.

95
Q

Why are single points of failure significant in disaster recovery?

A

They are components that, if they fail, would cause an outage.

96
Q

Fill in the blank: The _______ is the expected amount of time that will elapse between system failures.

A

Mean Time Between Failures (MTBF)

97
Q

True or False: A redundant power supply can resolve a single point of failure.

A

True

98
Q

What should organizations pay particular attention to when evaluating their environment?

A

Single points of failure.

99
Q

What happens if a server has only one power supply?

A

The failure of that power supply would bring down the server, making it a single point of failure.

100
Q

How can a single point of failure in a server providing a web page be resolved?

A

By adding a second server to a cluster.
101
Q

What are the three key aspects cybersecurity professionals are responsible for?

A

Confidentiality, integrity, availability

These aspects ensure the protection of all information under their care.

102
Q

What is personally identifiable information (PII)?

A

Any information that uniquely identifies an individual person

This includes customers, employees, and third parties.

103
Q

What are the potential consequences of privacy breaches for individuals?

A

Identity theft, personal risks

Individuals may suffer from exposure to various personal risks.

104
Q

What organizational consequences can arise from privacy breaches?

A

Reputational damage, fines, loss of intellectual property

These consequences can significantly impact a business's operations.

105
Q

What should organizations understand when evaluating privacy risks?

A

Legal implications based on jurisdiction

Familiarity with local, regional, national, and global privacy requirements is essential.

106
Q

What is a privacy notice?

A

A document that outlines an organization's privacy commitments

In some cases, laws may require its adoption.

107
Q

What types of sensitive information should organizations include in their data inventory?

A
  • Personally identifiable information (PII)
  • Protected health information (PHI)
  • Financial information
  • Intellectual property
  • Legal information
  • Regulated information

This inventory helps organizations manage and protect sensitive data.

108
Q

What is the concept of data minimization?

A

Collecting the smallest amount of information necessary

This practice occurs at the early stages of the information life cycle.

109
Q

What are the four major classification categories used by the U.S. government?

A
  • Top Secret
  • Secret
  • Confidential
  • Unclassified

These categories indicate the level of protection required for information.

110
Q

What is the role of a data controller?

A

Entities that determine the reasons for processing personal information

This term is used primarily in European law.

111
Q

Who are data stewards?

A

Individuals responsible for carrying out the intent of the data controller

They are delegated responsibility from the controller.

112
Q

What is the right to be forgotten?

A

A concept allowing individuals to request the deletion of personal data

This right is implemented in various data protection laws, notably the GDPR.

113
Q

What is data obfuscation?

A

Transforming data so the original information cannot be retrieved

This process helps protect sensitive information.

114
Q

What is hashing in data protection?

A

Using a hash function to transform a value into a corresponding hash value

Hashing prevents direct retrieval of original values.

115
Q

What must organizations do in the event of a data breach?

A

Activate their cybersecurity incident response plan

This plan includes procedures for notifying key personnel and escalating incidents.

116
Q

Do U.S. states have data breach notification laws?

A

Yes, every state has different requirements for triggering notifications

These laws can vary widely by state.

117
Q

What is the importance of data retention standards?

A

Guides the end of the data life cycle, ensuring data is kept only as long as necessary

Secure destruction of data is essential at the end of its life cycle.

118
Q

Fill in the blank: _______ is the process of removing the ability to link data back to an individual.

A

Deidentification

This technique is a form of pseudo-anonymization.