Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

2_Security+ Study Guide book > 17 Risk Management & Privacy > Flashcards

17 Risk Management & Privacy Flashcards

1
Q

What are governance programs?

A

Sets of procedures and controls for effective organizational direction

Without governance, large organizations face chaos as employees would independently determine priorities and functions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Why is corporate governance important in publicly traded companies?

A

Ensures appropriate strategic direction, plan development, and execution

It addresses the challenges of numerous or unengaged owners who cannot oversee daily operations.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the role of the board of directors in corporate governance?

A

Directs actions of the corporation on behalf of shareholders

The board has ultimate authority and is elected by shareholders during regular meetings.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is considered best practice regarding board membership?

A

Majority of board members should be independent directors

Independent directors have no significant relationship with the company other than board membership.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How often do boards typically meet?

A

Monthly or quarterly

This infrequency necessitates delegation of day-to-day operations to a CEO.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Who does the board of directors hire to manage company operations?

A

Chief Executive Officer (CEO)

The CEO is responsible for the daily operations and reports to the board.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

In what manner does governance cascade within an organization?

A

From shareholders to board of directors to CEO to other executives

Each level delegates authority downwards, maintaining a manageable hierarchy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the difference in governance models between nonprofit and publicly traded organizations?

A

Nonprofit boards are elected by members or self-perpetuating

Privately owned organizations may have varied governance models based on ownership.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is a governance, risk, and compliance (GRC) program?

A

Integration of governance, risk management, and compliance tasks

This program facilitates effective governance by addressing risk and compliance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is information security governance?

A

Extension of corporate governance focusing on information security

It ensures alignment of information security with organizational goals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Who is typically responsible for information security within an organization?

A

Chief Information Security Officer (CISO)

The CISO is delegated authority from the CEO for information security matters.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What does an information security governance framework include?

A

Management structure for cybersecurity and enforcement mechanisms

It aligns with broader management approaches and includes policies for the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are the two major categories of governance structures?

A

Centralized and decentralized governance models

Centralized models enforce policies from a top-down approach, while decentralized models allow individual units to achieve objectives independently.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is a centralized governance model?

A

Top-down approach with central authority creating and enforcing policies

This model ensures uniformity in policy application across the organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is a decentralized governance model?

A

Bottom-up approach where individual units achieve cybersecurity objectives independently

This model allows flexibility and adaptation to specific unit needs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What role do regulatory agencies play in governance?

A

They may regulate organizations, such as banks

For instance, banks are regulated by the U.S. Treasury Department or similar agencies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are the four types of documents included in an organization’s information security policy framework?

A
  • Policies
  • Standards
  • Procedures
  • Guidelines
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is the primary purpose of policies in an information security framework?

A

High-level statements of management intent that are mandatory for compliance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

True or False: Compliance with guidelines is mandatory.

A

False

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What should organizations consider when preparing their policy documents?

A
  • Regulatory and legal requirements
  • Industry-specific considerations
  • Jurisdiction-specific considerations
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What does an information security policy typically include?

A
  • Importance of cybersecurity
  • Requirements for staff and contractors
  • Ownership of information
  • Designation of the CISO
  • Delegation of authority
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Fill in the blank: Standards provide mandatory requirements describing how an organization will carry out its _______.

A

[information security policies]

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are the four types of standards organizations should pay attention to?

A
  • Password standards
  • Access control standards
  • Physical security standards
  • Encryption standards
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What is the role of procedures in the information security policy framework?

A

Detailed, step-by-step processes that are mandatory for compliance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What is an example of a procedure related to incident response?
What to Do if Compromised by Visa
26
What is the purpose of guidelines in an information security context?
To provide best practices and recommendations that are not mandatory
27
What should an exception process include when an organization needs to deviate from security standards?
* Standard requiring an exception * Reason for noncompliance * Business justification * Scope and duration * Risks associated * Compensating controls * Compliance plan
28
True or False: The CISO is typically designated as the executive responsible for cybersecurity issues.
True
29
What are some common documents found in an information security policy library?
* Information security policy * Incident response policy * Acceptable use policy * Business continuity and disaster recovery policies * Software development life cycle policy * Change management policies
30
Fill in the blank: The _______ outlines the procedures and strategies to ensure essential business functions continue to operate during a disaster.
[business continuity and disaster recovery policy]
31
What is the significance of the document titled Minimum Security Standards for Electronic Information from UC Berkeley?
It details mandatory security controls for different data protection levels
32
What is the function of compensating controls in the context of exceptions to security standards?
To mitigate the risks associated with exceptions
33
What must the control meet to be satisfactory as a compensating control according to PCI DSS?
* Meet the intent of the original requirement * Provide a similar level of defense
34
What is the purpose of compensating controls in security standards?
To mitigate the risk associated with exceptions to security standards ## Footnote Compensating controls are alternative means to achieve security objectives when original control requirements cannot be met.
35
How many criteria must a compensating control meet according to PCI DSS?
Five criteria ## Footnote These criteria ensure that the compensating control is effective in offsetting the risk posed by not adhering to original PCI DSS requirements.
36
What is the first criterion for a satisfactory compensating control as per PCI DSS?
The control must meet the intent and rigor of the original requirement ## Footnote This ensures that the compensating control aligns with the original security objective.
37
What does the second criterion for compensating controls require?
The control must provide a similar level of defense as the original requirement ## Footnote This criterion ensures that the compensating control effectively offsets the risk addressed by the original requirement.
38
What is meant by the control being 'above and beyond' other PCI DSS requirements?
The control must address the additional risk imposed by not adhering to the PCI DSS requirement ## Footnote This ensures that the compensating control provides extra protection beyond what is already required.
39
What does the fourth criterion for compensating controls state?
The control must address the additional risk imposed by not adhering to the PCI DSS requirement ## Footnote This criterion ensures that compensating controls are tailored to the specific risks created by non-compliance.
40
What is the fifth criterion for a satisfactory compensating control?
The control must address the requirement currently and in the future ## Footnote This ensures the ongoing relevance and effectiveness of the compensating control.
41
What is an example of a compensating control for using an outdated operating system?
Running the system on an isolated network with little or no access to other systems ## Footnote This approach mitigates the risk posed by the outdated operating system while allowing necessary business operations.
42
Why do organizations adopt compensating controls?
To address a temporary exception to a security requirement ## Footnote Organizations may face situations where compliance is not feasible, necessitating compensating controls.
43
What is the role of policy monitoring in an organization?
To regularly evaluate the implementation and efficacy of information security policies ## Footnote Effective monitoring helps ensure that policies remain aligned with current security needs and regulatory requirements.
44
What tools are commonly used for policy monitoring?
Security information and event management (SIEM) systems, audits, and assessments ## Footnote These tools help organizations assess adherence to policies and identify areas for improvement.
45
What happens when inconsistencies in policies are identified?
Policy revision becomes necessary ## Footnote Updating policies is essential to address shortcomings and adapt to new challenges.
46
Why is it important to communicate revised policies promptly?
To ensure effective compliance among relevant personnel ## Footnote Timely communication and training help maintain adherence to updated security policies.
47
True or False: Compensating controls are only used by organizations subject to PCI DSS.
False ## Footnote The use of compensating controls is a common strategy across various organizations, not limited to those under PCI DSS.
48
What is the primary goal of change management?
To ensure that changes do not cause outages ## Footnote Change management helps reduce unanticipated outages caused by unauthorized changes.
49
How does change management help in a technical environment?
It allows various IT experts to review proposed changes for unintended side effects before implementation ## Footnote This process ensures that changes are tested and documented appropriately.
50
Fill in the blank: Unauthorized changes directly affect the _____ in the CIA triad.
availability
51
What should personnel perform before deploying changes in a production environment?
A security impact analysis
52
List common tasks within a change management process.
* Request the change * Review the change * Approve/reject the change * Test the change * Schedule and implement the change * Document the change
53
What is a rollback or backout plan?
A plan to return the system to its original condition if the change results in a failure
54
When should changes be performed to avoid undesirable impacts?
At a scheduled and coordinated time
55
True or False: Change management documentation is unnecessary if changes are made during an emergency.
False ## Footnote Emergency changes still need to be documented for review and future reference.
56
What does version control ensure?
That developers and users have access to the latest versions of software and that changes are carefully managed
57
Fill in the blank: Documentation identifies the current _____ of systems.
configuration
58
What is the significance of involving a diverse set of technical stakeholders in change analysis?
To understand potential impacts of a change in a complex technical environment
59
What should be considered regarding security controls during a change?
Whether the change will require modifications to security controls, such as firewall rules
60
What is the potential consequence of not using a version control system?
A change could effectively break the website
61
What is the purpose of keeping documentation current?
To reflect the impact of the change and maintain accurate system information
62
What happens if an administrator closes a needed port on a firewall?
The web server may begin having problems communicating with the database server
63
What is the role of the change review board?
To approve or reject changes based on expert reviews
64
Fill in the blank: Changes should be scheduled during _____ hours to minimize impact.
nonpeak
65
What does a configuration management system do?
Stores information about system configurations and changes
66
Why is testing a change on a nonproduction server important?
To verify that the change doesn't cause an unanticipated problem
67
What is the risk of granting administrator access to a group of users without proper controls?
It violates the least privilege principle and weakens security
68
What is the main purpose of personnel management best practices?
To reduce the likelihood and impact of employee-centered security risks. ## Footnote Organizations require employees to have access to information and systems to perform their job functions, which can lead to cybersecurity incidents.
69
Define the principle of least privilege.
Individuals should be granted only the minimum set of permissions necessary to carry out their job functions. ## Footnote This principle is essential for minimizing security risks.
70
What is privilege creep?
Occurs when an employee accumulates new privileges from job to job without revoking past privileges. ## Footnote This can lead to unnecessary access and potential security issues.
71
What does separation of duties aim to achieve?
To prevent a single person from having the privileges required to perform both tasks that are sensitive when combined. ## Footnote This is particularly important in sensitive job functions such as accounting.
72
Provide an example of separation of duties in accounting.
No single individual can create a new vendor and issue a check to that vendor. ## Footnote This reduces the risk of fraudulent activities like embezzlement.
73
What is the difference between separation of duties and two-person control?
Separation of duties prevents one person from holding two privileges, while two-person control requires two people to perform a single sensitive action. ## Footnote Both concepts aim to enhance security and reduce fraud risk.
74
What is job rotation?
Moving employees with sensitive roles to other positions periodically. ## Footnote This helps in uncovering fraudulent actions by disrupting ongoing concealment activities.
75
What is the purpose of mandatory vacations in an organization?
Forcing employees to take time off to uncover fraudulent actions. ## Footnote During their absence, access privileges are revoked, which may expose any fraudulent activities.
76
What do clean desk policies aim to protect?
The confidentiality of sensitive information. ## Footnote These policies require employees to secure all papers and materials before leaving their desks.
77
What is the importance of onboarding and offboarding processes?
To ensure control of organizational assets and orderly management of credentials and privileges. ## Footnote These processes help in mitigating security risks associated with employee transitions.
78
What role do nondisclosure agreements (NDAs) play in an organization?
Require employees to protect confidential information accessed during employment. ## Footnote NDAs are typically signed upon hire and reinforced during offboarding.
79
What should a social media policy address?
It should constrain the behavior of employees on social media. ## Footnote The policy may include assessments of both personal and professional accounts.
80
What is Third-Party Risk Management?
The process of managing risks that arise from third-party organizations with whom an organization does business.
81
What should organizations evaluate when selecting vendors?
Organizations should evaluate: * Financial stability * Business reputation * Quality of products or services * Compliance with relevant regulations * Security practices and data handling procedures
82
What is due diligence in vendor selection?
The thorough vetting of potential vendors to ensure they meet the organization's standards and requirements.
83
What constitutes a conflict of interest in vendor relationships?
A situation where a vendor has a competing interest that could influence their behavior against the organization's best interests.
84
What is penetration testing?
A method to evaluate a vendor's security by conducting authorized simulated attacks to identify vulnerabilities.
85
What is a right-to-audit clause in vendor agreements?
A clause that allows the customer to conduct or commission audits on the vendor's operations and practices.
86
What is the purpose of independent assessments in vendor management?
To objectively evaluate the vendor's practices and systems, often involving third-party experts.
87
What is the significance of supply chain analysis in vendor risk management?
It helps understand the risks associated with the vendor's supply chain, including their suppliers and interdependencies.
88
What are Master Service Agreements (MSAs)?
Contracts that provide an umbrella agreement for the work a vendor does over an extended period, including security and privacy requirements.
89
What do Service Level Agreements (SLAs) specify?
The conditions of service provided by the vendor and remedies available to the customer if the vendor fails to meet the SLA.
90
Fill in the blank: A _______ is an informal document that allows parties to avoid misunderstandings in a relationship.
[memorandum of understanding (MOU)]
91
What is a Memorandum of Agreement (MOA)?
A formal document outlining terms and details of an agreement, establishing mutual understanding of roles and responsibilities.
92
What do Business Partners Agreements (BPAs) entail?
Agreements between two organizations that outline responsibilities and profit division when collaborating on a project.
93
What is the role of vendor monitoring?
To manage and mitigate third-party risks through continuous observation and analysis of vendor performance and compliance.
94
What are key performance indicators (KPIs) used for in vendor monitoring?
Quantitatively measure the vendor's performance to ensure they meet agreed-upon standards.
95
What does compliance monitoring ensure?
That vendors are adhering to legal and regulatory requirements, especially when handling sensitive data.
96
What is the importance of financial monitoring in vendor relationships?
To evaluate the vendor's financial health and ensure they remain a viable partner, especially for long-term contracts.
97
What should organizations do when issues are identified through monitoring?
Have a process for addressing issues, which may include meetings, corrective action plans, or contract termination.
98
What is the purpose of winding down vendor relationships?
To ensure an orderly transition when a vendor relationship ends or a product/service is discontinued.
99
True or False: Vendor agreements should include nondisclosure agreement (NDA) terms.
True
100
Fill in the blank: Organizations should ensure that vendors ask their employees to sign _______ if they will have access to sensitive information.
[nondisclosure agreements (NDAs)]
101
What is the main reason legislators and regulators take an interest in cybersecurity?
The potential impact of cybersecurity shortcomings on individuals, government, and society.
102
What type of regulation does the European Union have regarding data protection?
A broad-ranging data protection regulation.
103
What does HIPAA stand for?
Health Insurance Portability and Accountability Act.
104
Who does HIPAA affect?
Health-care providers, health insurers, and health information clearinghouses in the United States.
105
What does PCI DSS regulate?
The storage, processing, and transmission of credit and debit card information.
106
Is PCI DSS a law?
No, it is a contractual obligation.
107
What does GLBA stand for?
Gramm–Leach–Bliley Act.
108
What does the GLBA require from financial institutions?
To have a formal security program and designate an individual responsible for it.
109
What is the main focus of the Sarbanes–Oxley Act?
The financial records of U.S. publicly traded companies.
110
What does GDPR stand for?
General Data Protection Regulation.
111
What does FERPA require from U.S. educational institutions?
To implement security and privacy controls for student educational records.
112
What do data breach notification laws require?
Organizations to notify individuals affected by a data breach.
113
What is the purpose of internal compliance reporting?
To maintain an organization's security posture and adherence to laws and regulations.
114
What does external compliance reporting involve?
Providing documentation and evidence to external entities to demonstrate compliance.
115
What can be a consequence of noncompliance regarding fines?
Imposition of significant fines and sanctions.
116
How much can companies be fined under GDPR for serious infringements?
Up to 4 percent of their annual global turnover, or €20 million, whichever is higher.
117
What is one example of a nonfinancial sanction due to noncompliance?
Suspension or revocation of business licenses.
118
What type of damage can result from noncompliance?
Reputational damage.
119
What can happen to contracts due to noncompliance?
Termination of contracts.
120
What is one potential legal consequence of noncompliance?
Legal action leading to lawsuits for damages.
121
What is due diligence in compliance monitoring?
The process of continuously researching and understanding legal and regulatory requirements.
122
What is due care in compliance monitoring?
Ongoing efforts to ensure that policies and controls are effective and maintained.
123
What does attestation mean in the context of compliance?
Confirmation that practices adhere to compliance requirements.
124
What is the role of internal monitoring?
To ensure that the organization follows its policies and meets legal requirements.
125
What does external monitoring involve?
Third-party audits and assessments.
126
What is an advantage of automation in compliance monitoring?
Tracks changes in regulations and monitors for violations.
127
Fill in the blank: Organizations must engage in both _______ and external compliance reporting.
internal
128
What is the primary purpose of the NIST Cybersecurity Framework (CSF)?
To assist organizations in achieving five objectives: * Describe current cybersecurity posture * Describe target state for cybersecurity * Identify and prioritize opportunities for improvement * Assess progress toward target state * Communicate cybersecurity risk
129
What are the five security functions outlined in the NIST Cybersecurity Framework Core?
* Identify * Protect * Detect * Respond * Recover
130
What are the four maturity model tiers in the NIST Cybersecurity Framework Implementation Tiers?
* Tier 1: Partial * Tier 2: Risk Informed * Tier 3: Repeatable * Tier 4: Adaptive
131
What does the Framework Profile in the NIST Cybersecurity Framework describe?
How a specific organization might approach the security functions covered by the Framework Core
132
True or False: The NIST Risk Management Framework (RMF) is a mandatory standard for federal agencies.
True
133
What is the primary difference between the NIST CSF and RMF?
The CSF provides a broad structure for cybersecurity controls, while the RMF is a formal process for implementing security controls.
134
List four specific ISO standards relevant for cybersecurity.
* ISO 27001 * ISO 27002 * ISO 27701 * ISO 31000
135
What does ISO 27001 focus on?
Information security management systems and control objectives
136
What is the purpose of ISO 27002?
To describe the actual controls that an organization may implement to meet cybersecurity objectives
137
What type of guidance does ISO 27701 provide?
Guidance for managing privacy controls as an extension to ISO 27001 and ISO 27002
138
What is the focus of ISO 31000?
Guidelines for risk management programs applicable to any risk
139
Fill in the blank: The NIST and ISO frameworks provide _______ descriptions of cybersecurity best practices.
high-level
140
What organization publishes benchmarks and secure configuration guides for common platforms?
Center for Internet Security (CIS)
141
True or False: The NIST Cybersecurity Framework is commonly used in private industry.
True
142
What content is covered by the ISO 27001 standard?
* Information security policies * Organization of information security * Human resource security * Asset management * Access control * Cryptography * Physical and environmental security * Operations security * Communications security * System acquisition, development, and maintenance * Supplier relationships * Information security incident management * Information security aspects of business continuity management * Compliance with internal and external requirements
143
What does the NIST RMF process involve?
Selecting, implementing, and assessing risk-based security and privacy controls
144
What is the expected release year for the NIST Cybersecurity Framework 2.0?
2024
145
What does Tier 1: Partial indicate about an organization's cybersecurity practices?
Cybersecurity risk management practices are not formalized and managed in an ad hoc manner.
146
What is the main goal of benchmarks and secure configuration guides?
To provide practical guidance on implementing security controls for commonly used systems.
147
What is the primary purpose of security training and awareness programs?
To ensure employees and stakeholders are aware of their information security responsibilities ## Footnote These programs help keep security responsibilities top-of-mind.
148
Who is responsible for establishing and maintaining an information security training program?
Information security managers ## Footnote They promote and maintain a security culture in organizations.
149
Why is regular security training important for users?
To ensure users understand risks associated with the computing environment and their role in minimizing those risks.
150
What is role-based training?
Training tailored to the specific job responsibilities of individuals ## Footnote For example, systems administrators require more technical training than customer service representatives.
151
What type of training should be included in security awareness programs to combat phishing?
Specific anti-phishing campaigns ## Footnote These often include phishing simulations to test user skills.
152
What is anomalous behavior recognition in the context of security awareness?
The ability of employees to recognize risky or unexpected behavior that may indicate a security concern.
153
List some topics that should be included in end-user security training programs.
* Security Policies and Handbooks * Situational Awareness * Insider Threats * Password Management * Removable Media and Cables * Social Engineering * Operational Security * Hybrid/Remote Work Environments
154
What is the importance of situational awareness in security training?
It updates users on current security threats and helps them recognize suspicious activity.
155
True or False: Users should be educated to reuse passwords across multiple sites.
False ## Footnote Users should be taught the importance of not reusing passwords.
156
What are some best practices for securing data in hybrid/remote work environments?
* Use of VPNs * Secure Wi-Fi networks * Ensuring physical security of devices * Understanding specific policies for remote work
157
What is the recommended frequency for security training?
Initial training for new employees, followed by annual refresher trainings.
158
What is the first step in developing a security training program?
A thorough assessment of the organization's security landscape and identifying potential risks.
159
How can training content be made more engaging?
Incorporating real-world examples and interactive elements.
160
What types of methods should be included in the execution phase of training?
* Workshops * E-learning modules * Simulations
161
What is the purpose of reporting and monitoring in security training programs?
To track participation and assess user knowledge through quizzes and feedback.
162
What should be regularly reviewed to ensure training material remains relevant?
Training materials should be reviewed regularly to reflect changes in the security landscape.
163
What are ongoing awareness efforts in an information security program?
Less formal efforts designed to remind employees about previously learned security lessons.
164
Fill in the blank: Ongoing awareness efforts use _______ to keep security top-of-mind.
[posters, videos, email messages]
165
What forms the basis of every strong information security program?
Policies
166
What does a solid policy framework consist of?
Policies, standards, procedures, and guidelines
167
What do policies, standards, procedures, and guidelines describe?
The security control environment of an organization
168
What must organizations comply with besides internally developed policies?
Externally imposed compliance obligations
169
Name two security frameworks that provide a common structure for security programs.
NIST Cybersecurity Framework, ISO 27001
170
What do security frameworks base their structure on?
Accepted industry best practices
171
What should organizations implement and test to achieve security control objectives?
Security controls
172
Security control objectives are developed based on what factors?
The business and technical environment of the organization
173
Fill in the blank: A solid policy framework consists of policies, standards, ______, and guidelines.
procedures
174
True or False: Organizations only need to comply with their internally developed policies.
False

2_Security+ Study Guide book (17 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions