5.0 Flashcards
MTBF
Mean Time Between Failures
Provides a measure of a system’s reliability and is usually represented in hours. The average time a system or component operates before it fails.
RTO
Recovery Time Objective
Identifies the maximum amount of time it can take to restore a system after an outage.
MTTR
Mean Time To Repair
A common measure of how long it takes to repair a given failure.
RPO
Recovery Point Objective
The maximum acceptable amount of data loss, expressed as the point in time (for example, the last good backup) to which data must be restored after an outage.
Data Owner
Individual or entity responsible for making decisions about how data is collected, used, protected, and managed within an organization.
Data Controller
Manages the purposes and means by which personal data is processed
Data Processor
Entity processing personal data on behalf of a data controller, following instructions provided by the controller and ensuring data protection and security measures are implemented.
Data Custodian/Steward
Individual or team responsible for the day-to-day technical handling of data (storage, backups, access control, maintenance) according to the owner's requirements, ensuring data integrity and compliance with policies and regulations; a steward additionally focuses on data quality and correct use.
ALE
Annualized Loss Expectancy
Estimated financial impact expected from a specific risk over a year, calculated by multiplying the Single Loss Expectancy (SLE) with the Annualized Rate of Occurrence (ARO).
SLE
Single Loss Expectancy
The value (or cost) of a loss expected from a single occurrence of a risk, calculated as Asset Value (AV) multiplied by Exposure Factor (EF), the fraction of the asset lost in one event.
ARO
Annualized Rate of Occurrence
Estimation of how often a specific threat or risk is expected to occur within a year
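A worked quantitative risk calculation tying the SLE, ARO, and ALE cards together, added here as an illustration (it is not part of the original flashcard set). The asset value, exposure factor, occurrence interval, and control cost are constructed sample figures; the control value formula (ALE before minus ALE after minus annual control cost) is the standard cost-benefit check used to decide between mitigation and acceptance or transference.

```python
"""Quantitative risk worked example (added illustration, constructed figures).

Formulas:
    SLE = AV * EF     asset value times the fraction of the asset lost per event
    ALE = SLE * ARO   expected loss per year
    control value = ALE(before) - ALE(after) - annual cost of the control
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one event (0.0 to 1.0)
    aro: float              # expected occurrences per year

    def __post_init__(self) -> None:
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")

    def sle(self) -> float:
        """Single Loss Expectancy: AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE * ARO."""
        return self.sle() * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'once every N years' into an ARO (events per year)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control.

    Positive: the ALE reduction exceeds what the control costs (mitigation pays off).
    Negative: the control costs more than the loss it prevents, which argues for
    risk acceptance or transference (e.g. insurance) instead.
    """
    return before.ale() - after.ale() - annual_control_cost


def treatment_recommendation(before: Risk, after: Risk, annual_control_cost: float) -> str:
    """Simple decision rule based on the sign of the control value."""
    value = control_value(before, after, annual_control_cost)
    return "mitigate" if value > 0 else "accept or transfer"


# Constructed scenario: ransomware hitting a file server valued at 200,000.
# Without extra controls half the asset value is lost per event, about once
# every five years (ARO = 0.2).
RANSOMWARE_BEFORE = Risk("ransomware on file server", asset_value=200_000,
                         exposure_factor=0.5, aro=aro_from_interval(5))
# With tested backups and endpoint detection the loss per event drops to 10%;
# the event still happens as often, but recovery is fast.
RANSOMWARE_AFTER = Risk("ransomware on file server (with backups + EDR)",
                        asset_value=200_000, exposure_factor=0.1,
                        aro=aro_from_interval(5))
CONTROL_COST_PER_YEAR = 8_000  # constructed annual cost of backups + EDR


if __name__ == "__main__":
    for r in (RANSOMWARE_BEFORE, RANSOMWARE_AFTER):
        print(f"{r.name}: SLE={r.sle():,.0f} ALE={r.ale():,.0f}")
    print("control value per year:",
          control_value(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, CONTROL_COST_PER_YEAR))
    print("recommendation:",
          treatment_recommendation(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, CONTROL_COST_PER_YEAR))
```

With these figures the uncontrolled ALE is 20,000 per year, the controlled ALE is 4,000, and the control costs 8,000, so it returns a net 8,000 per year; raising the control cost above the 16,000 ALE reduction flips the recommendation to accept or transfer.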
GDPR
General Data Protection Regulation
European Union regulation governing the protection, processing, and transfer of personal data of individuals within the EU and EEA (European Economic Area), focusing on data privacy and rights.
PCI DSS
Payment Card Industry Data Security Standard
Security standard maintained by the PCI Security Standards Council (founded by the major card brands) to protect cardholder data, outlining requirements for secure payment processing, data encryption, access control, and compliance validation.
AUP
Acceptable Use Policy
A guideline that defines acceptable and unacceptable behaviors when using a system or service.
Managerial controls
Focus on the management of risk or the management of the cybersecurity system.
Ex. Risk assessments, Vulnerability assessments
Operational controls
Helps ensure that the day-to-day operations of an organization comply with their overall security plan.
Ex. Awareness and training, Configuration management, Media protection, Physical and environmental protection
Technical controls
Use technology such as hardware, software, and firmware to reduce vulnerabilities.
Ex. Encryption, Antivirus software, Firewalls
Preventative (control type)
Act before an event, preventing it from advancing.
Ex. firewalls, encryption, locks
Detective (control type)
Act during an event, alerting operators to specific conditions.
Ex. IDS, SIEM, CCTV
Corrective (control type)
Respond to and fix security incidents after they have been detected. They aim to minimize the impact and restore normal operations.
Ex. incident response plans, patches, backups
Deterrent (control type)
Acts to discourage the attacker by reducing the likelihood of success from the perspective of the attacker.
Ex. security training, warning signs, compliance notices
Compensating (control type)
Used to meet a security requirement when the primary control is impractical or unavailable; it provides comparable protection by other means (for example, isolating a legacy system that cannot be patched).
Ex. encryption, MFA, network segmentation
Physical (control type)
Controls that you can physically touch or that restrict physical access to facilities and equipment.
Ex. Key Card Systems, Biometric Scanners, Fire Suppression Systems, HVAC Systems, Fences and Gates, Bollards, Security Guards, Patrols
CSA
Cloud Security Alliance
A nonprofit organization that promotes best practices for cloud security.
Least Privilege
A subject (user, process, or service) should have only the rights and privileges necessary to perform its task, and no more.
Gamification
Intertwines game-design elements within user training methods to increase participation and interaction.
CTF
Capture the Flag
A training exercise, often run as a competition, in which participants practice attacking a deliberately vulnerable system to retrieve hidden data (the flag).
CBT
Computer-based training
Self-paced software modules that facilitate skill development across a wide range of skills, with the flexibility for learners to train when and where it suits them.
Supply Chain
A set of firms that operate together to manage the movement of goods and services between firms.
Vendors
Firms or individuals that supply materials or services to a business
SLA
Service Level Agreement
A contract between a service provider and a customer that outlines performance expectations, such as minimum uptime and maximum downtime levels.
MOU
Memorandum of Understanding
A formal agreement between two or more parties that expresses an understanding of their intention to work together toward a common goal.
MSA
Master Service Agreement
A contract that establishes the general terms and conditions governing future work between two parties; individual engagements are then defined under it in separate work orders or statements of work (SOW).
BPA
Business Partnership Agreement
An agreement that outlines the terms and conditions of a partnership between two or more parties engaged in a business venture.
EOL
End of Life
When the manufacturer stops selling an item; support and updates may continue for a limited time.
EOSL
End of Service Life
When the provider no longer sells, supports, or updates the item or service; no further security patches are issued, so remaining deployments need replacement or compensating controls.
Data Retention
The management of the data lifecycle with an emphasis on when data reaches its end of useful life for an organization
Data Governance
The policies, roles, and processes for managing data quality, security, and use across enterprise systems, needed because many data owners and users are involved.
Change Management
The policies and process governing how system configurations are changed: requesting, approving, scheduling, testing, and documenting changes.
Change Control
Managing the details of individual system changes (review, approval, implementation, and rollback) under the change management policy.
Multi-party risk
Risk arising when multiple organizations share systems, vendors, or data, so that a breach or failure at one party affects the others.
IP theft
Intellectual Property theft
Theft of ideas, inventions, and creative expressions.
Risk Transference
Transferring the risk to another party, such as through outsourcing or insurance
Risk Acceptance
A business decision to accept the risk and its potential consequences without taking any action.
Risk Avoidance
Eliminating the risk by avoiding the activity that creates the risk
Risk Mitigation
Reduce the likelihood or impact of a risk by implementing controls, such as investing in security systems.
Risk register
A tool in risk management and project management that tracks identified risks along with their owner, likelihood, impact, and treatment. Sometimes maintained to fulfill regulatory compliance, but mainly used to track potential issues that could derail intended outcomes.
Inherent risk
The amount of risk that exists in the absence of controls.
Control Risk
Risk that internal controls within an organization may not effectively prevent or detect errors or fraud that could lead to material misstatement in financial reporting.
Residual risk
The risk that remains after controls have been applied. Some risk always remains; it cannot be eliminated entirely, only reduced to a level the organization is willing to accept.
DRP
Disaster Recovery Plan
Detailed plan for resuming operations after a disaster
Proprietary Data
Data that is property of an organization
PII
Personally Identifiable Information
Data that can be used to identify an individual
PHI
Protected Health Information
Health information associated with an individual
PIA
Privacy Impact Assessment
An analysis of how PII is handled through business processes and an assessment of risks to the PII during storage, use, and communication.
Data Minimization
A principle requiring organizations to limit the data they collect and use
Data Masking
Hides data by substituting altered values (for example, showing only the last four digits of a card number) so that the format is preserved but the real value is not exposed.
Anonymization
The process of protecting private or sensitive information by removing identifiers that connect the stored data to an individual. Once done, it cannot be undone (irreversible).
Pseudonymization
Replaces PII and other data with pseudonyms or artificial identifiers. It can be reversed by whoever holds the key or mapping table, so pseudonymized data is still treated as personal data under GDPR.
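The three cards above (Data Masking, Anonymization, Pseudonymization) applied to one customer record, added here as an illustration that is not part of the original flashcard set. The record, field names, and key are constructed for the example; the card number is a well-known test number, not a real one. Pseudonymization uses an HMAC so tokens are consistent and reversible only with the mapping table, while anonymization keeps no key or table at all.

```python
"""Data masking, pseudonymization and anonymization on one constructed record.

Added illustration; the record, field names and key are made up. A real
deployment would keep the key and re-identification table in a separately
access-controlled system, away from the pseudonymized data set.
"""
import hashlib
import hmac

# Constructed sample record (fictional person, standard test card number).
RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "card": "4111111111111111",
    "zip": "90210",
    "purchase_total": 42.50,
}

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("name", "email", "card")


def mask(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Masking: substitute altered characters but keep the value's length and
    trailing digits, e.g. for a support screen that must confirm 'card ending 1111'."""
    if keep_last < 0:
        raise ValueError("keep_last must be non-negative")
    if len(value) <= keep_last:
        return fill * len(value)
    return fill * (len(value) - keep_last) + value[-keep_last:]


def pseudonymize(record: dict, key: bytes) -> tuple[dict, dict]:
    """Replace direct identifiers with keyed-hash tokens (HMAC-SHA256).

    The same value under the same key always maps to the same token, so records
    stay linkable for analytics. The returned mapping table reverses the
    substitution; whoever holds it (or the key) can re-identify, which is why
    GDPR still treats pseudonymized data as personal data.
    """
    pseudo = dict(record)
    mapping = {}
    for field in DIRECT_IDENTIFIERS:
        original = str(record[field])
        token = hmac.new(key, original.encode(), hashlib.sha256).hexdigest()[:16]
        pseudo[field] = token
        mapping[token] = original
    return pseudo, mapping


def reidentify(pseudo: dict, mapping: dict) -> dict:
    """Reverse pseudonymization using the mapping table."""
    restored = dict(pseudo)
    for field in DIRECT_IDENTIFIERS:
        restored[field] = mapping[pseudo[field]]
    return restored


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and generalize the quasi-identifier (ZIP to 3 digits).

    No key or table is kept, so there is no way back to the individual from the
    output alone. Real anonymization also has to consider combinations of the
    remaining fields; this only shows the basic idea.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip"] = str(record["zip"])[:3] + "**"
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    print("masked card:", mask(RECORD["card"]))
    pseudo, table = pseudonymize(RECORD, key)
    print("pseudonymized:", pseudo)
    print("re-identified matches original:", reidentify(pseudo, table) == RECORD)
    print("anonymized:", anonymize(RECORD))
```

Note the contrast the cards draw: `reidentify` recovers the exact original from the pseudonymized record given the table, whereas nothing returned by `anonymize` can be used to recover it.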
Single Point of Failure
A component within a system whose failure causes the entire system to fail.
Qualitative Risk Assessment
Prioritizes risks based on their potential danger using categories such as low, medium, and high.
Quantitative Risk Assessment
Assigns numerical values to the likelihood of an event occurring and the impact it would have (for example, SLE, ARO, and ALE). Usually involves the use of metrics and models.
DPO
Data Protection Officers
Ensure the organization’s compliance with data protection laws and best practices.
Separation of duties
A basic security principle that ensures no single person can control all the elements of a critical function or system.
Social Media Analysis
Analysis of a potential employee’s social media during the hiring process to understand more about an individual based on their Internet presence.
Risk control assessment
Occurs when a company periodically checks that the risk controls that they have in place are still effective with changing technology.
Risk control self-assessment
Conducted by employees within the company, often through survey or department-level review.