5. Program Management

Question 1

5.1 AUP

Answer 1

Acceptable Use Policy

Question 2

5.1 SDLC

Answer 2

Software Development Lifecycle

Question 3

5.1 Data Owner

Answer 3

responsible for classification, protection, and quality

Question 4

5.1 Data Steward

Answer 4

Subject matter expert for data, including its meaning and correct usage

Question 5

5.1 Data Custodian

Answer 5

responsible for the technical environment, including database structure. Implement security controls

Question 6

5.1 Data Subject

Answer 6

Person whose data is being processed or stored

Question 7

5.2 Risk Assessment Types

Answer 7

Ad hoc (RA completed for a specific situation or application)

Recurring

One-Time

Continuous

Question 8

5.2 SLE

Answer 8

Single Loss Expectancy

Question 9

5.2 ALE

Answer 9

Annualized Loss Expectancy (How much will a threat cost you over a year?)

Question 10

5.2 ARO

Answer 10

Annualized Rate of Occurrence (projected number of times an incident will happen in a year)

Question 11

5.2 Risk Register

Answer 11

Document used to identify and track risks

Question 12

5.2 Risk Register Components

Answer 12

Risk Indicators: measureable variables that determine likelihood of a risk

Risk Owners: Person responsible for mitigating a certain risk

Risk Threshold: area determined by which risks are acceptable and which are addressed

Question 13

5.2 Risk Appetite (and kinds of appetite)

Answer 13

How much risk is an organization willing to accept to achieve its goals.

Expansion: Organization wants to expand, thus increasing the attack surface area

Conservative: Organization is focused on mitigating all risks and conserving capital rather than taking business risks

Neutral: Balanced approach. Organization only accepts risks that are essential to a predetermined strategic goal.

Question 14

5.2 Components of Business Impact Analysis

Answer 14

RTO
RPO
MTTR
MTBF

Question 15

5.2 RTO

Answer 15

Recovery Time Objective

acceptable amount of time for a service to be unavailable before too much damage is done

Question 16

5.2 RPO

Answer 16

Recovery Point Objective

maximum amount of data loss that an organization can tolerate

Question 17

5.2 MTTR and MTBF

Answer 17

Mean Time to Repair

Mean Time Between Failures

Question 18

5.3 SLA

Answer 18

Service Level Agreemenet

Defines what services to be provided and expected performance

Question 19

5.3 MOA

Answer 19

Memorandum of Agreement

outlines terms and details of an agreement between parties

Question 20

5.3 MOU

Answer 20

Memorandum of Understanding

Less formal version of MOA that may not have legal implications. Used to express mutual agreement between parties.

Question 21

5.3 MSA

Answer 21

Master Service Agreement

determines terms and conditions that govern future transactions and agreements. Framework for the entire relationship, long-term document

Question 22

5.3 SOW or WO

Answer 22

Statement of Work Order. Outlines work to be performed for a specific project.

Question 23

5.3 BPA

Answer 23

Business Process Agreement, focuses on overall client experience and satisfaction

Question 24

5.3 Security Attestation

Answer 24

Document that declares the existence of something, such as compliance or proof of secure status

Question 25

5.4 Consequences of non-compliance

Answer 25

fines
sanctions
reputation damage
loss of license
contractual impacts