5.0

Question 1

MTBF

Answer 1

Mean Time Between Failures
Provides a measure of a system’s reliability and is usually represented in hours. The average time a system or component operates before it fails.

Question 2

RTO

Answer 2

Recovery Time Objective
Identifies the maximum amount of time it can take to restore a system after an outage.

Question 3

MTTR

Answer 3

Mean Time To Repair
A common measure of how long it takes to repair a given failure.

Question 4

RPO

Answer 4

Recovery point objective

Identifies a point in time where data loss is acceptable.

Question 5

Data Owner

Answer 5

Individual or entity responsible for making decisions about how data is collected, used, protected, and managed within an organization.

Question 6

Data Controller

Answer 6

Manages the purposes and means by which personal data is processed

Question 7

Data Processor

Answer 7

Entity processing personal data on behalf of a data controller, following instructions provided by the controller and ensuring data protection and security measures are implemented.

Question 8

Data Custodian/Steward

Answer 8

Individual or team responsible for the physical or technical aspects of data management, including storage, security, access control, and maintenance, ensuring data integrity and compliance with policies and regulations.

Question 9

ALE

Answer 9

Annualized Loss Expectancy
Estimated financial impact expected from a specific risk over a year, calculated by multiplying the Single Loss Expectancy (SLE) with the Annualized Rate of Occurrence (ARO).

Question 10

SLE

Answer 10

Single Loss Expectancy
The value (or cost) of a loss expected from a single event.

Question 11

ARO

Answer 11

Annualized Rate of Occurrence

Estimation of how often a specific threat or risk is expected to occur within a year

Question 12

GDPR

Answer 12

General Data Protection Regulation
European Union regulation governing the protection, processing, and transfer of personal data of individuals within the EU and EEA (European Economic Area), focusing on data privacy and rights.

Question 13

PCI DSS

Answer 13

Payment Card Industry Data Security Standard

Security standard developed by major credit card companies to protect cardholder data, outlining requirements for secure payment processing, data encryption, access control, and compliance validation.

Question 14

AUP

Answer 14

Acceptable Use Policy

A guideline that defines acceptable and unacceptable behaviors when using a system or service.

Question 15

Managerial controls

Answer 15

Focus on the management of risk or the management of the cybersecurity system.
Ex. Risk assessments, Vulnerability assessments

Question 16

Operational controls

Answer 16

Helps ensure that the day-to-day operations of an organization comply with their overall security plan.
Ex. Awareness and training, Configuration management, Media protection, Physical and environmental protection

Question 17

Technical controls

Answer 17

Use technology such as hardware, software, and firmware to reduce vulnerabilities.
Ex. Encryption, Antivirus software, Firewalls

Question 18

Preventative (control type)

Answer 18

Act before an event, preventing it from advancing.
Ex. firewalls, encryption, locks

Question 19

Detective (control type)

Answer 19

Act during an event, alerting operators to specific conditions.
Ex. IDS, SIEM, CCTV

Question 20

Corrective (control type)

Answer 20

Respond to and fix security incidents after they have been detected. They aim to minimize the impact and restore normal operations.

Ex. incident response plans, patches, backups

Question 21

Deterrent (control type)

Answer 21

Acts to discourage the attacker by reducing the likelihood of success from the perspective of the attacker.

Ex. security training, warning signs, compliance notices

Question 22

Compensating (control type)

Answer 22

It is used to meet a requirement when there is no control available to directly address the threat.

Ex. encryption, MFA, network segmentation

Question 23

Physical (control type)

Answer 23

Are any controls that you can physically touch.

Ex. Key Card Systems, Biometric Scanners, Fire Suppression Systems, HVAC Systems, Fences and Gates, Bollards, Security Guards, Patrols

Question 24

CSA

Answer 24

Cloud Security Alliance

A nonprofit organization that promotes best practices for cloud security.

Question 25

Least Privilege

Answer 25

Should have only the rights and privileges necessary to perform its task

Question 26

Gamification

Answer 26

Intertwines game-design elements within user training methods to increase participation and interaction.

Question 27

CTF

Answer 27

Capture the Flag
Practice hacking into a server to find data (the flag)

Question 28

CBT

Answer 28

Computer-based training

A computer program that has self-paced modules to facilitate skill development across a wide range of skills, and the flexibility.

Question 29

Supply Chain

Answer 29

A set of firms that operate together to manage the movement of goods and services between firms.

Question 30

Vendors

Answer 30

Firms or individuals that supply materials or services to a business

Question 31

SLA

Answer 31

Service Level Agreement

A contract between a service provider and a customer that outlines performance expectations, such as minimum uptime and maximum downtime levels.

Question 32

MOU

Answer 32

Memorandum of Understanding

A formal agreement between two or more parties that expresses an understanding of their intention to work together toward a common goal.

Question 33

MSA

Answer 33

Measurement Systems Analysis

Used to evaluate and assess the reliability and accuracy of measurement systems.

Question 34

BPA

Answer 34

Business Partnership Agreement

An agreement that outlines the terms and conditions of a partnership between two or more parties engaged in a business venture.

Question 35

EOL

Answer 35

End of Life

When the manufacturer quits selling an item.

Question 36

EOSL

Answer 36

End of Service Life

The provider of the item or service will typically no longer sell or update it.

Question 37

Data Retention

Answer 37

The management of the data lifecycle with an emphasis on when data reaches its end of useful life for an organization

Question 38

Data Governance

Answer 38

Managing data quality in enterprise systems through policies due to the involvement of many data owners and users.

Question 39

Change Management

Answer 39

Policies on how configurations should be changed.

Question 40

Change Control

Answer 40

Managing the details of the systems changes.

Question 41

Multi-party risk

Answer 41

Breaches involving multiple parties

Question 42

IP theft

Answer 42

Intellectual Property theft

Theft of ideas, inventions, and creative expressions.

Question 43

Risk Transference

Answer 43

Transferring the risk to another party, such as through outsourcing or insurance

Question 44

Risk Acceptance

Answer 44

A business decision to accept the risk and its potential consequences without taking any action.

Question 45

Risk Avoidance

Answer 45

Eliminating the risk by avoiding the activity that creates the risk

Question 46

Risk Mitigation

Answer 46

Decrease the risk level and invest in security systems

Question 47

Risk register

Answer 47

A tool in risk management and project management Sometimes used to fulfill regulatory compliance but often to track potential issues that can derail intended outcomes.

Question 48

Inherent risk

Answer 48

The amount of risk that exists in the absence of controls.

Question 49

Control Risk

Answer 49

Risk that internal controls within an organization may not effectively prevent or detect errors or fraud that could lead to material misstatement in financial reporting.

Question 50

Residual risk

Answer 50

The presence of risks in a system is an absolute—they cannot be removed or eliminated.

Question 51

DRP

Answer 51

Disaster Recovery Plan

Detailed plan for resuming operations after a disaster

Question 52

Proprietary Data

Answer 52

Data that is property of an organization

Question 53

PII

Answer 53

Personally Identifiable Information

Data that can be used to identify an individual

Question 54

PHI

Answer 54

Protected Health Information

Health information associated with an individual

Question 55

PIA

Answer 55

Privacy Impact Assessment

An analysis of how PII is handled through business processes and an assessment of risks to the PII during storage, use, and communication.

Question 56

Data Minimization

Answer 56

A principle requiring organizations to limit the data they collect and use

Question 57

Data Masking

Answer 57

Involves the hiding of data by substituting altered values.

Question 58

Anonymization

Answer 58

The process of protecting private or sensitive information by removing identifiers that connect the stored data to an individual. Once done can’t undo

Question 59

Pseudo-Anonymization

Answer 59

Replaces PII and other data with pseudonyms or artificial identifiers. Can revert back

Question 60

Single Point of Failure

Answer 60

Is a component within a system that can cause the entire system to fail if the component fails.

Question 61

Qualitative Risk

Answer 61

Assessment involves prioritizing risks based on their potential danger, such as low, medium, and high.

Question 62

Quantitative

Answer 62

Involves assigning numerical values to the likelihood of an event occurring and the impact it would have. Usually involves the use of metrics and models

Question 63

DPO

Answer 63

Data Protection Officers
Ensure the organization’s compliance with data protection laws and best practices.

Question 64

Separation of duties

Answer 64

a basic security principle that ensures that no single person can control all the elements of a critical function or system.

Question 65

Separation of Duties

Answer 65

A subject should be given only those privileges necessary to complete their job-related tasks.

Question 66

Least Privilege

Answer 66

A subject should be given only those privileges necessary to complete their job-related tasks.

Question 67

Social Media Analysis

Answer 67

Analysis of a potential employee’s social media during the hiring process to understand more about an individual based on their Internet presence.

Question 68

Risk control assessment

Answer 68

Occurs when a company periodically checks that the risk controls that they have in place are still effective with changing technology.

Question 69

Risk control self-assessment

Answer 69

Conducted by employees within the company, often through survey or department-level review.
Inherent risk

Question 70

Control risk