5.0 Governance Risk and Compliance Flashcards

1
Q

This is a control that focuses on the design of security or on the policy implementation associated with security. We might have a set of security policies for our organization or a set of standard operating procedures that everyone is expected to follow

A

Managerial Control

2
Q

These are controls that are managed by people. If we have security guards posted at the front doors or we have an awareness program to let people know that phishing is a significant

A

operational control

3
Q

A control type that uses our own systems to prevent some of these security events from occurring. So if you’ve implemented antivirus on your workstations or there’s a firewall connecting you to the internet

A

Technical control

4
Q

A control type that prevents access to a particular area. Something like locks on a door or a security guard would certainly prevent access, as would a firewall, especially if we have a connection to the internet

A

preventive control

5
Q

A control type that commonly identifies and is able to record that a security event has occurred, but may not be able to prevent access

A

detective control

6
Q

A control that takes action to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity.

A

corrective control

7
Q

A control that may not stop an intrusion from occurring but may deter someone from performing an intrusion

A

deterrent control

8
Q

Controls that are put into place when specific requirements for compliance can’t be met with existing controls

A

compensating control

9
Q

A document stipulating constraints and practices that a user must agree to in order to gain access to a corporate network, the internet, or other resources

A

AUP Acceptable Use Policy

10
Q

A nonbinding agreement that states each party’s intentions to take action, conduct a business transaction, or form a new partnership.

A

Memorandum of Understanding

11
Q

Looks for the classic case of garbage in, garbage out. Accurate measurements lead to accurate data, which leads to the best possible decisions for designing and manufacturing a product. However, faulty measurements lead to faulty data, which leads to poor decisions for designing and manufacturing a product

A

measurement system analysis

12
Q

An agreement that establishes rules for two or more parties going into business together. It’s a legally binding document that outlines every detail of your business operations, ownership stakes, financials, responsibilities, and decision-making strategies

A

business partnership agreement

13
Q

A regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.

A

General Data Protection Regulation

14
Q

A nonprofit entity whose mission is to ‘identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.’ It draws on the expertise of cybersecurity and IT professionals from government, business, and academia from around the world

A

Center for Internet Security

15
Q

An institute that helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.

A

NIST National Institute of Standards and Technology

16
Q

A template and guideline used by companies to identify, eliminate, and minimize risks. It is also part of NIST

A

Risk Management Framework

17
Q

A non-government standard that provides a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes

A

ISO 27001

18
Q

A non-government standard that gives guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environment(s)

A

ISO 27002

19
Q

A non-government standard that specifies the requirements for establishing, implementing, maintaining, and continually improving a privacy information management system (PIMS).

A

ISO 27701

20
Q

A risk management framework that is an international standard providing businesses with guidelines and principles for risk management, from the International Organization for Standardization

A

ISO 31000

21
Q

The world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment

A

Cloud security alliance

22
Q

A baseline set of security controls created by the Cloud Security Alliance to help enterprises assess the risk associated with a cloud computing provider

A

Cloud Control Matrix

23
Q

A document or set of documents that provides recommended architecture structures and integrations of IT products and services to form a solution.

A

Reference architecture

24
Q

The level of residual risk that has been determined to be a reasonable level of potential loss/disruption for a specific IT system.

A

Risk Acceptance

25
Q

A risk management strategy that seeks to eliminate the possibility of risk by avoiding engaging in activities that create exposure to risk. The downside to risk avoidance is that it can limit a company’s opportunities

A

Risk Avoidance

26
Q

To pass the financial liability of risks, such as legal expenses, damages awarded, and repair costs, to the party who should be responsible should an accident or injury occur on the business’s property

A

Risk Transfer

27
Q

Essentially a table of project risks that allows you to track each identified risk and any vital information about it.

A

Risk Register

28
Q

An assessment matrix that provides a graphical depiction of areas of risk within an organization’s digital ecosystem or vendor network

A

risk matrix

29
Q

A process through which operational risks and the effectiveness of their own controls are assessed and examined. The objective is to provide reasonable assurance that all business objectives will be met.

A

Risk control self-assessment

30
Q

The probability that a cybersecurity event may occur as a result of a lack of countermeasures

A

Inherent Risks

31
Q

Portion of risk remaining after security measures have been applied.

A

Residual Risk

32
Q

The risk or probability of material misstatement resulting from the failure of controls to mitigate an error

A

control risk

33
Q

The level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk.

A

risk appetite

34
Q

Analysis that involves identifying threats (or opportunities), how likely they are to happen, and the potential impacts if they do

A

Qualitative Risk analysis

35
Q

Analysis that is evidence-based. It assigns numerical values to risks based on quantifiable data, such as costs, logistics, completion time, staff sick days, and so on.

A

quantitative Risk analysis

36
Q

The monetary value expected from the occurrence of a risk on a single asset. It is related to risk management and risk assessment. The exposure factor represents the impact of the risk on the asset, or the percentage of the asset lost

A

single loss expectancy

SLE = asset value × exposure factor

37
Q

A calculation that helps you determine the expected monetary loss for an asset due to a particular risk over a single year

A

annual loss expectancy

ALE = SLE × ARO

38
Q

The expected frequency with which a risk or threat is expected to occur within a one-year span

A

Annualized rate of occurrence

39
Q

The maximum tolerable length of time that a computer, system, network, or application can be down after a failure or disaster occurs

A

Recovery time objective

40
Q

The maximum amount of data, as measured by time, that can be lost after a recovery from a disaster, failure, or comparable event before the data loss exceeds what is acceptable to an organization

A

recovery point objective

41
Q

The average time it takes to recover from a product or system failure.

A

mean time to recovery MTTR

42
Q

Measures the average time that equipment is operating between breakdowns or stoppages

A

Mean time between failures

43
Q

A documented, structured approach that describes how an organization can quickly recover from a disaster

A

DRP Disaster Recovery Plan

44
Q

Those functions that need to be continuous or resumed within 12 hours after an event and maintained for up to 30 days or until normal operations can be resumed

A

mission essential functions

45
Q

Means that we would only collect data that would be used to perform the needed function

A

data minimization

46
Q

One way to protect data is to simply not display it. One technique is to shift data from one place to another, or shuffle numbers around. Or, in the case of credit card receipts, we can mask out the data with some asterisks and only show the last few digits of the credit card number

A

data masking

47
Q

When we take existing data and make it impossible to identify anything associated with the original data that was saved

A

Anonymization

48
Q

Has a way to convert the data back if we need to provide it for other processes. This means we might see one thing on our screen, but the original data would still be available in the database

A

Pseudo-anonymization

49
Q

This is a person in the organization who is responsible for a certain set of data

A

data owner

50
Q

Determines the purposes for which, and the manner in which, personal data is processed.

A

data controllers

51
Q

Engages in personal data processing on behalf of the controller

A

data processors

52
Q

This is someone who’s responsible for the accuracy of the data, for keeping all of your data private, and for the security associated with the data that’s stored in your systems. This is also the user or group that will identify or set labels associated with data, so that it is clear exactly who might have access to that data.

A

data custodians or data stewards

53
Q

A higher-level manager who is responsible for the organization’s overall data privacy policies. This person will define exactly what the privacy policies are for your organization and will make sure processes are in place so that all of the data remains private

A

Data protection officer