5.0 Governance, Risk, and Compliance Flashcards

1
Q

What is a managerial security control?

A

A managerial security control provides the guidance, policies, and procedures for implementing a secure environment, such as an acceptable use policy.

A managerial security control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

Administrative security controls are used to determine behavior through policies, procedures, and guidance. A fair use policy is an example of an administrative control.

2
Q

What does an operational security control refer to?

What do they do?

Who are they implemented by?

Give 2 examples of operational controls.

A

An operational security control refers to an item that can physically be touched. Operational controls are used to prevent or detect unauthorized access to physical areas, systems, and assets.

An operational security control is implemented primarily by people rather than systems.

For example, security guards and training programs are operational controls rather than technical controls.

3
Q

What is a technical security control?

A

A technical security control includes hardware or software mechanisms used to protect assets. Antivirus software, firewalls, and intrusion detection systems are examples of a technical control.

A technical security control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls.

A technical control is implemented in operating systems, software, and security appliances. An Access Control List (ACL) or intrusion prevention system (IPS) are examples.

4
Q

What does a preventive control do?

What are 4 examples?

A

A preventive control aims to prevent security incidents in a system.

Security training and change management are examples of a preventive security control.

A preventive control physically or logically restricts unauthorized access. A system password and a physical door lock are examples of preventive controls.

5
Q

What is a detective control?

A

A detective control will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack.

A detective control identifies when incidents or vulnerabilities have occurred. Auditing and monitoring are examples of detective controls.

A detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A security camera system is an example of a detective control.

6
Q

What is a corrective control?

What's an example?

A

A corrective control responds to and fixes an incident, and prevents reoccurrence. Antivirus software is an example of a corrective control.

7
Q

What does a compensating control do?

What’s an example?

A

A compensating control does not prevent an attack but can restore functionality of systems through other means, such as a backup.

8
Q

What are administrative security controls?

A

Administrative security controls are used to determine behavior through policies, procedures, and guidance. A fair use policy is an example of an administrative control.

9
Q

What is containment?

Is it a control type or a step in incident management?

A

Containment does not refer to a security control type; rather, it refers to a step in the incident management lifecycle for handling a threat.

10
Q

What is a deterrent control?

A

A deterrent control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. A warning sign is an example of a deterrent control.

11
Q

Which of the following protection and accountability principles does the General Data Protection Regulation (GDPR) provide to consumers?

A

Purpose limitation

The General Data Protection Regulation (GDPR) provides consumers with purpose limitation by ensuring organizations must process data that was collected for the explicit purposes specified to the data subject.

Data minimization

A data controller should only collect and process as much data as necessary for the purposes specified. This procedure is considered data minimization.

Integrity and confidentiality

Organizations must process personal data in such a way that it ensures the integrity and confidentiality of the consumers’ information.

12
Q

What is layered security?

A

Layered security is the practice of providing prevention, detection, and response simultaneously as defense in depth. It includes multiple forms of security.

Think antivirus, IDS, firewall.

Patching isn’t part of layered security as it’s done once the vulnerabilities are found and fixed.

13
Q

What is the Payment Card Industry Data Security Standard (PCI DSS)?

A

The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements aimed to ensure companies that process, store, or transmit credit card information maintain a secure environment.

14
Q

What is the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

A

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that medical facilities and patient representatives protect private health information of an individual.

15
Q

What is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)?

A

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a security policy for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cybersecurity attacks.

16
Q

What are regulatory frameworks based on?

What do regulatory frameworks do?

A

Regulatory frameworks are based on specific laws and regulations and ensure compliance with those standards. These regulatory frameworks are highly controlled and regulated. Medical records are governed by regulatory laws, for example.

17
Q

What does the Federal Information Security Management Act (FISMA) of 2002 dictate?

Who does this apply to?

A

The Federal Information Security Management Act (FISMA) of 2002 requires federal agencies to develop, document, and implement an information security and protection program. FISMA is a United States national law.

18
Q

What is a non-regulatory framework?

A

A non-regulatory framework identifies common standards and best practices that companies can follow but is not required by law.

19
Q

What is the International Organization for Standardization (ISO)?

A

The International Organization for Standardization (ISO) is an independent international standard for information technology security. This non-governmental organization develops standards to ensure the quality, safety, and efficiency of systems.

20
Q

What are industry-specific frameworks?

A

Industry-specific frameworks govern certain industries, such as financial and healthcare organizations. The Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are industry-specific.

21
Q

What does a Service Organization Control (SOC) Type II report do?

A

A Service Organization Control (SOC) Type II report provides assurances about the effectiveness of controls in place in an organization within a given timeframe.

22
Q

What does a Service Organization Control (SOC) Type III report do?

A

A Service Organization Control (SOC) Type III report is a less detailed report certifying compliance with SOC 2.

23
Q

What is the International Organization for Standardization (ISO) 27701?

A

The International Organization for Standardization (ISO) 27701 provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving an information system containing private data.

24
Q

What does a Service Organization Control (SOC) Type I report do?

A

A Service Organization Control (SOC) Type I report addresses internal controls over financial reporting.

25
Q

What is the Center for Internet Security (CIS) Risk Assessment Method (CIS-RAM)?

A

The Center for Internet Security (CIS) publishes the “20 CIS Controls.” The Risk Assessment Method (CIS-RAM) can be used to perform an overall evaluation of security posture.

26
Q

What does the Department of Defense Cyber Exchange do?

A

The Department of Defense Cyber Exchange provides Security Technical Implementation Guides (STIGs) with hardening guidelines for a variety of software and hardware solutions.

27
Q

What is the National Checklist Program (NCP)?

A

The National Checklist Program (NCP), run by the National Institute of Standards and Technology (NIST), provides checklists and benchmarks for a variety of operating systems and applications.

28
Q

What is the Center for Internet Security Configuration Access Tool (CIS-CAT)?

A

The Center for Internet Security Configuration Access Tool (CIS-CAT) can be used with automated vulnerability scanners to test compliance against these benchmarks.

29
Q

What is the European Union’s General Data Protection Regulation (GDPR)?

A

The European Union’s General Data Protection Regulation (GDPR) states that personal data cannot be collected, processed, or retained without the individual’s informed consent. Informed consent means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese.

30
Q

What is the Gramm–Leach–Bliley Act (GLBA)?

A

The Gramm–Leach–Bliley Act (GLBA) is a federal law in the United States and is a vertical law for the financial sector.

31
Q

What is the Sarbanes-Oxley Act (SOX)?

A

The Sarbanes-Oxley Act (SOX) mandates the implementation of risk assessments, internal controls, and audit procedures in the United States.

32
Q

What is the Cloud Controls Matrix?

Who is it produced by?

What does it mean for cloud customers?

A

The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms.

The cloud controls matrix lists specific controls and assessment guidelines that should be implemented by CSPs.

For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.

33
Q

What is security guidance (cloud environments)?

A

Security guidance is a best practice summary analyzing the unique challenges of cloud environments and how on-premises controls can be adapted to them.

34
Q

What is enterprise reference architecture?

A

Enterprise reference architecture is a best practice methodology and set of tools for CSPs to use in architecting cloud solutions.

35
Q

What is the Statements on Standards for Attestation Engagements (SSAE)?

A

The Statements on Standards for Attestation Engagements (SSAE) are audit specifications developed by the American Institute of Certified Public Accountants (AICPA).

36
Q

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) maps to which of the following compliance standards?

A

SOX

The Sarbanes-Oxley (SOX) Act helps to protect investors from fraudulent financial reporting by large corporations. It maps to CSA CCM.

ISO

The International Organization for Standardization (ISO) is an international standard for information technology security. It maps to CSA CCM.

NIST

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a security policy for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cybersecurity attacks. It maps to CSA CCM.

SSAE

The Statements on Standards for Attestation Engagements (SSAE) is an audit specification guide developed for accountants. It does not map to CSA CCM.

37
Q

What does International Organization for Standardization (ISO) 27701 do?

A

International Organization for Standardization (ISO) 27001 is a standard that sets out the best practice specification for an information system. The ISO guides information security by addressing people and processes as well as technology.

International Organization for Standardization (ISO) 27701 provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving an information system with private data.

38
Q

What does International Organization for Standardization (ISO) 31000 do?

A

International Organization for Standardization (ISO) 31000 is a risk management framework that assists an organization in integrating risk management into day-to-day functions.

39
Q

What does the International Organization for Standardization (ISO) 27001 do?

What does it address?

A

International Organization for Standardization (ISO) 27001 is a standard that sets out the best practice specification for an information system.

The ISO guides information security by addressing people and processes as well as technology.

40
Q

What does International Organization for Standardization (ISO) 27002 do?

A

International Organization for Standardization (ISO) 27002 is a supplementary standard that focuses on the information security controls that organizations might choose to implement.

41
Q

Which classifications of data does Health Insurance Portability And Accountability Act (HIPAA) protect?

A

Personal health information (PHI) is personally identifiable information about an individual’s health and medical wellbeing.

Personally identifiable information (PII) is personal information that can be used to identify an individual. A social security number and health information are considered PII.

Not confidential!

42
Q

What is an impact assessment?

A

An impact assessment identifies risks and vulnerabilities and the potential impact they could cause an organization or information technology asset.

The assessment further identifies methods to limit or mitigate the risks.

43
Q

What is a quantitative risk assessment?

A

A quantitative risk assessment measures risks in a program using a specific dollar amount to identify cost and asset value.

44
Q

What is a qualitative risk assessment?

A

A qualitative risk assessment prioritizes identified risks based on their probability or likelihood of occurring.

45
Q

What is a service level agreement (SLA)?

A

A service level agreement (SLA) is a contractual arrangement that details terms under which a service is provided between a service provider and a consumer.

46
Q

What is a data processor?

A

A data processor collects and analyzes data based on a data collector’s set of predefined instructions.

47
Q

What is a data custodian?

A

The data custodian manages a system on which the data assets are stored by enforcing access control, encryption, and backup measures. A data owner is an individual who is accountable for all data assets in an organization.

48
Q

What is the data owner?

A

The data owner is typically a senior role that maintains responsibility for managing the confidentiality, integrity, and availability of the data assets.

A data owner is typically not the data user. The data owner’s focus typically relates to compliance issues and data classification systems.

49
Q

What is a data controller?

A

A data controller is responsible for determining why and how data is stored, collected, and used within a lawful manner. They define what a data processor should collect and why.

50
Q

Define data tokenization.

A

Tokenization is a database de-identification method where randomly generated tokens substitute all or part of data in a field. The token is stored with the original value separate from the production database.

51
Q

Define data anonymization.

A

A data anonymization process is a practice of protecting private or sensitive data by erasing or encrypting identifiers that connect an individual to stored data. The process permanently removes the identifying information.

52
Q

Define data pseudonymization.

A

Pseudonymization is a de-identification procedure that ensures one or more pseudonyms replace personally identifiable information (PII) fields within a data record. Pseudonymization makes the data record less identifiable and is reversible.

53
Q

What is code reuse?

A

Code reuse is the practice of reusing tested and approved code for development to save time and prevent the introduction of errors in new coding efforts.

54
Q

Define data masking.

A

Data masking is a de-identification tactic that takes all or part of the contents of a data field and substitutes character strings with a simple character to conceal the Personally Identifiable Information (PII).

55
Q

Define code obfuscation.

A

Code obfuscation is the method of disguising coding methods by way of renaming variables, replacing strings, and hiding comments.

56
Q

Define hashing as data obfuscation.

A

Hashing is a cryptographic process that creates a fixed-length string from an input plaintext. Hashes are created at separate times to verify the integrity of a file.

57
Q

What is identity theft?

What can you do to protect yourself?

A

Identity theft is the intentional use of someone else’s identity to gain a financial advantage or benefit in some manner, without the other person’s knowledge. People should constantly monitor their credit history as it is a good way to protect themselves from identity theft.

58
Q

Define Intellectual Property (IP) theft.

A

Intellectual Property (IP) theft involves stealing ideas, inventions, creative expressions, and trade secrets from a person or a company for another’s benefit.

59
Q

Define extortion.

A

Extortion is the attempt to obtain money or property from another human being by threatening violence or coercing a victim.

60
Q

Define manipulation.

A

Manipulation is to influence someone in an unfair manner to gain an advantage.

61
Q

When should an incident be escalated to a security manager?

A

Repeated attempts to gain access to a system an individual is not authorized to use can indicate a potential future breach issue.

62
Q

Define the information life cycle management model.

A

The information life cycle management model identifies the processes and procedures for managing data from cradle to grave. This model includes creation, use, retention, and disposal.

63
Q

What is the Sarbanes-Oxley (SOX) Act?

A

The Sarbanes-Oxley (SOX) Act helps protect investors from fraudulent financial reporting by large corporations. The law created strict rules for financial representatives and imposed more rigorous recordkeeping requirements.

64
Q

What does the Federal Deposit Insurance Corporation (FDIC) regulate?

A

The Federal Deposit Insurance Corporation (FDIC) regulates state-chartered financial institutions that are not members of the federal reserve system.

65
Q

What mandates the role of the Data Privacy Officer (DPO)?

What does it do?

What is it responsible for overseeing?

A

The Data Privacy Officer (DPO) is the role mandated by the General Data Protection Regulation (GDPR) that ensures that the processing, disclosure, and retention of data comply with regulatory frameworks.

The Data Privacy Officer is responsible for oversight of any Personally Identifiable Information (PII) assets managed by a company.

This role ensures that the processing and disclosure of PII comply with legal and regulatory frameworks and also oversees the retention of PII.

66
Q

What does the Information Security System Manager (ISSM) role do?

A

The Information Security System Manager (ISSM) is an information assurance role that establishes, documents, and maintains a program’s cyber security requirements.

67
Q

What does the Information Security System Manager (ISSM) do?

A

The Information Security System Manager (ISSM) is an information assurance role that establishes, documents, and maintains a program’s cyber security requirements.

68
Q

What does a data steward do?

A

A data steward is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata.

69
Q

What is a token vault?

How is tokenization used?

A

A token vault or server typically stores tokens, along with the original value for easy retrieval. Tokenization is a reversible technique that allows organizations to provide company data to third-party analysts without concealing sensitive information.

70
Q

What is a privacy notice?

A

A privacy notice is a declaration to a consumer contending that a service will only use collected information in a certain manner and will not use it for any other purpose.

71
Q

What is a public disclosure notification?

A

Public disclosure is a notification that includes the type of information breached, point of contact details, consequences arising from the breach, and steps taken by the company to mitigate the data breach.

72
Q

What is a risk register?

A

A risk register is a repository for documenting risks identified in an organization and includes information and steps to take regarding the risk. Common information found in a risk register is the specific risk, the likelihood of occurrence, and the action to take.

73
Q

What is a supply chain assessment?

What’s its goal?

A

A supply chain assessment evaluates all elements required to produce and distribute a product.

The goal of a supply chain assessment is to identify areas where a company can improve.

74
Q

What is a vulnerability assessment?

A

A vulnerability assessment identifies and provides mitigation for system vulnerabilities in a company.

75
Q

What is the Single Loss Expectancy (SLE)?

How is the Exposure Factor (EF) related?

How is EF represented?

A

The Single Loss Expectancy (SLE) is the amount that would be lost in a single occurrence of the risk factor.

This is determined by multiplying the value of the asset by an Exposure Factor (EF).

The EF is the percentage of the asset value that would be lost.

76
Q

What is the Annualized Loss Expectancy (ALE)?

How do you calculate it?

A

The Annualized Loss Expectancy (ALE) is the amount that would be lost over the course of a year.

This is determined by multiplying the SLE by the Annualized Rate of Occurrence (ARO).

To determine the ALE the SLE must be determined first.

77
Q

What is the recovery time objective (RTO)?

Is it part of a quantitative risk assessment?

A

The recovery time objective (RTO) identifies the maximum time it takes to recover a system in the event of an outage. It is not part of a quantitative risk assessment.

78
Q

What is the recovery point objective (RPO)?

A

The recovery point objective (RPO) identifies a point in time that data loss is acceptable. In the event of a system failure, the company may lose some data, but the RPO is the last seven days.

79
Q

What does the mean time between failure (MTBF) provide?

How is it measured?

A

The mean time between failure (MTBF) provides a measure of a system’s average reliability and is measured in hours.

80
Q

What is the mean time to recover (MTTR)?

A

The mean time to recover (MTTR) is the average time it takes to restore a system after an outage.

81
Q

What is a disaster recovery plan (DRP)?

A

A disaster recovery plan (DRP) is part of a continuity plan that identifies critical assets and components of a system. The disaster recovery plan prioritizes the list and identifies what to restore and in what order to restore each asset. A risk assessment quantifies and qualifies risks to a system based on variable values.

82
Q

What does a risk assessment take into account?

A

A risk assessment takes into account the value of an asset and the probability of that value being exploitable.

83
Q

What is a configuration management (CM) plan?

A

A configuration management (CM) plan is the process of identifying and managing changes to a system baseline. A CM plan defines, documents, controls, and audits all deltas.

84
Q

What is residual risk?

A

Residual risk is the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.

85
Q

What is control risk?

A

Control risk is a measure of how much less effective a security control has become over time. Control risk can also refer to a security control that was never effective in mitigating inherent risk.

86
Q

What is inherent risk?

A

Inherent risk is the level of risk before any type of mitigation has been attempted.

87
Q

What is risk appetite?

What is it constrained by? What kind of scope does it have?

A

Risk appetite is a strategic assessment of what level of residual risk is tolerable and is broad in scope. Risk appetite has a project or institution-wide scope and is constrained by regulation and compliance.

88
Q

Describe risk acceptance.

A

The manager has accepted the risk by going on with day-to-day operations and not mitigating or transferring it. The risk identified did not outweigh the cost, time, and effort to mitigate it.

The manager placed the identified risk in a risk register and continued day-to-day operations.

89
Q

Describe avoiding a risk.

Provide 2 examples.

A

Avoidance is the act of stopping a risk-bearing activity and not related to change management. For example, removing a faulty product from the market is a strategy employed to avoid risk.

Another example: Avoiding the risk would entail changing the company policy to indicate that a failover or backup solution is not necessary.

90
Q

What is a Memorandum of Understanding (MOU)?

A

A Memorandum of Understanding (MOU) is a preliminary or exploratory agreement to express an intent to work together. MOUs usually tend to be relatively informal and do not act as binding contracts.

91
Q

What is a Memorandum of Agreement (MOA)?

A

A Memorandum of Agreement (MOA) is a formal agreement or contract that contains specific obligations rather than a broad understanding.

92
Q

What is a Business Partners Agreement (BPA)?

A

A Business Partners Agreement (BPA) is a type of partner agreement that large IT companies, such as Microsoft and Cisco, set up with resellers and solution providers.

93
Q

What is a Non-Disclosure Agreement (NDA)?

A

A Non-Disclosure Agreement (NDA) is an agreement that provides a basis for protecting information assets. NDAs can be between companies and employees, between companies and contractors, and between two companies.

94
Q

Describe a proactive approach.

A

When a change is requested, it is best to use a formal process. With a proactive approach, a change management process is initiated internally to an organization.

95
Q

Describe a reactive approach.

A

Change is usually for improvements. When a change is reactive, external forces drive it. In this case, the company had not yet released the device to market. Had consumers discovered and reported the vulnerability, it would have been a reactive process.

96
Q

What is transference?

A

Transference is the act of sharing or moving the risk to another party and is not related to change management. Insurance policies and utilizing third parties for services are examples of transference of risk.

97
Q

What is a permissions workflow?

A

A workflow is an onboarding process that involves identifying the roles and permissions users need. A workflow is often a visual representation of an organization, organized by permissions and account types.

98
Q

What is offboarding?

A

Offboarding is the process by which accounts are deleted or disabled. When personnel no longer need access to specific resources, permissions are withdrawn.

99
Q

What is User Account Control (UAC)?

A

User Account Control (UAC) is a Windows-specific function that prevents users from invoking administrative privileges without specific authorization.

100
Q

What is privilege bracketing?

A

Privilege bracketing is an account management practice that involves giving users permission to a resource for the duration of a specific project or a need-to-know situation.

101
Q

What is a privileged user?

A

Employees with access to privileged data should be given extra training on data management and Personally Identifiable Information (PII), in addition to any relevant regulatory or compliance frameworks. Since Human Resources personnel have access to private employee information, they are privileged users.

102
Q

Define an executive user.

A

Executive users are at the highest level of management and are often specifically targeted (whale phishing and spear phishing). These users may or may not have daily access to privileged data.

103
Q

What is a system owner?

A

A system owner is responsible for designing and planning computer, network, and database systems.

104
Q

What is social media analysis (company policies)?

A

Social media analysis is the process of gathering and analyzing data from social media platforms.

Employees who sign consent can subject themselves to having their social media accounts analyzed.

105
Q

What is predictive analysis?

A

Predictive analysis is the use of data to identify the likelihood of future outcomes based on historical data.

106
Q

What do rules of behavior identify?

A

Rules of behavior identify the procedures and rules that an employee must abide by in an organization.

107
Q

What does an acceptable use policy describe?

A

An acceptable use policy describes the purpose of a system and the responsibilities of users when accessing the system.

An acceptable use policy contains a privacy statement informing users of what is considered private.

108
Q

What is an Interconnection Security Agreement (ISA)?

A

An Interconnection Security Agreement (ISA) is used when any federal agency interconnects its IT system to a third-party.

109
Q

What are the differences between Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF)?

A

Non-repairable assets use an MTTF, while an MTBF would describe a server.

The MTBF and MTTF calculations are different for the same tests.

MTBF is a measure of the time taken to correct a fault so that the system restores to full operation, whereas MTTF does not measure this information.

110
Q

What is offboarding?

A

Offboarding involves withdrawing user privileges, such as instances where the user no longer needs access to a resource, leaves the company, or switches roles.

This helps protect accounts from misuse.

111
Q

What is a workflow (regarding managing users)?

A

A workflow is a tool in the user provisioning process.

It is typically associated with onboarding and assigning user privileges by mapping their group memberships and functions, etc.

112
Q

What is user provisioning?

A

User provisioning is associated with onboarding. This process involves assigning permissions to users, rather than withdrawing those permissions.

113
Q

What is privilege bracketing?

A

Privilege bracketing is recommended for employees who will stay in a company, but occupy a different role and no longer need access to a certain resource.

This term does not include situations where an employee leaves the company.

114
Q

How do general purpose guides help increase security, and in what?

A

General purpose guides help increase security in hardware and software by providing instructions for configuring a system based on roles and appliances.

115
Q

What is the end of service life (EOSL)?

A

The end of service life (EOSL) describes when a vendor will no longer support a product. Updates and patches will also no longer be produced.

116
Q

What is the end of life (EOL) for a software product?

A

The end of life (EOL) for a software product occurs when a product will no longer be produced or sold. These products are most likely to be replaced by a newer version or model.

117
Q

What is the annual rate of occurrence (ARO)?

A

The annual rate of occurrence (ARO) indicates how many times a loss will occur within a year.

118
Q

What is a legacy system?

A

A legacy system is outdated computing software or hardware that is still in use. Legacy systems generally receive no support or maintenance.

119
Q

What is training diversity?

A

Training diversity is a mix of training techniques in the form of workshops, seminars, gamification, etc., to foster user engagement and retention.