5.0 Governance, Risk and Compliance Flashcards
A control that focuses on the design of the security program and the policies that implement it: the organization's security policies or standard operating procedures that everyone is expected to follow.
Managerial Control
Controls that are carried out by people rather than by systems, such as security guards posted at the front doors or an awareness program that warns staff about phishing.
operational control
A control implemented with technology: our own systems are used to prevent security events from occurring, such as antivirus on workstations or a firewall between the organization and the internet.
Technical control
A control that stops an unwanted event or access before it happens, such as a lock on a door, a security guard at an entrance, or a firewall on the internet connection.
preventive control
A control that identifies and records that a security event has occurred, but that may not be able to prevent the event or the access itself.
detective control
A control that takes action to repair damage or restore resources and capabilities to their prior state following an unauthorized or unwanted activity.
corrective control
A control that does not itself stop an intrusion, but discourages an attacker from attempting one.
deterrent control
A control put in place as an alternative when a specific compliance requirement cannot be met with the existing controls.
compensating control
A document stipulating the constraints and practices a user must agree to before being granted access to a corporate network, the internet or other resources.
AUP Acceptable Use Policy
nonbinding agreement that states each party’s intentions to take action, conduct a business transaction, or form a new partnership.
Memorandum of Understanding
Analysis that guards against the classic case of garbage in, garbage out: accurate measurements produce accurate data, which leads to the best possible decisions for designing and manufacturing a product, while faulty measurements produce faulty data and poor decisions.
measurement system analysis
agreement establishes rules for two or more parties going into business together. It’s a legally binding document that outlines every detail of your business operations, ownership stakes, financials, responsibilities, and decision-making strategies
business partnership agreement
An EU regulation that requires businesses to protect the personal data and privacy of people in the EU, including for transactions that occur within EU member states.
General Data Protection Regulation
A nonprofit entity whose mission is to 'identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.' It draws on the expertise of cybersecurity and IT professionals from government, business, and academia around the world.
Center for Internet Security
A US federal agency (part of the Department of Commerce) that helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
NIST National Institute of Standards and Technology
A NIST process (SP 800-37) that serves as a template and guideline for identifying, reducing and managing risk in an information system: categorize the system, select, implement and assess controls, authorize the system to operate, and monitor it continuously.
Risk Management Framework
A non-government (ISO/IEC) standard that specifies the requirements for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
ISO 27001
A non-government (ISO/IEC) standard that gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).
ISO 27002
A non-government (ISO/IEC) standard that specifies the requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS); it extends ISO 27001 and ISO 27002 to privacy.
ISO 27701
An international standard from the International Organization for Standardization that provides businesses with guidelines and principles for risk management.
ISO 31000
is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment
Cloud security alliance
A baseline set of security controls created by the Cloud Security Alliance to help enterprises assess the risk associated with a cloud computing provider.
Cloud Controls Matrix (CCM)
is a document or set of documents that provides recommended architecture structures and integrations of IT products and services to form a solution.
Reference architecture
The level of residual risk that has been determined to be a reasonable level of potential loss or disruption for a specific IT system; the organization chooses to live with that risk rather than treat it further.
Risk Acceptance
A risk management strategy that seeks to eliminate the possibility of a risk by not engaging in the activities that create exposure to it. The downside of risk avoidance is that it can limit a company's opportunities.
Risk Avoidance
Passing the financial liability of a risk to a third party, for example through insurance or by contract, so that another party bears the legal expenses, damages awarded and repair costs should an incident occur.
Risk Transfer
essentially a table of project risks that allows you to track each identified risk and any vital information about it.
Risk Register
A tool that provides a graphical depiction of risk, typically a grid that plots each risk's likelihood against its impact, so that risks across an organization's digital ecosystem or vendor network can be compared and prioritized.
risk matrix
is a process through which operational risks and the effectiveness of their own controls are assessed and examined. The objective is to provide reasonable assurance that all business objectives will be met.
Risk control self-assessment
The level of risk that exists before any countermeasures or controls are applied: the probability and impact of a cybersecurity event in the absence of controls.
Inherent Risks
Portion of risk remaining after security measures have been applied.
Residual Risk
The risk that a control fails to prevent or detect the error or event it is meant to address (in audit terms, the risk of material misstatement resulting from the failure of controls).
control risk
is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk.
risk appetite
Analysis that identifies threats (or opportunities), how likely they are to happen, and the potential impacts if they do, rating likelihood and impact on descriptive scales such as low, medium and high rather than with numbers.
Qualitative Risk analysis
Analysis that is evidence-based: it assigns numerical values to risks based on quantifiable data such as costs, logistics, completion time, staff sick days, and so on.
quantitative Risk analysis
The monetary value expected from a single occurrence of a risk against a single asset, used in risk management and risk assessment. The exposure factor represents the impact of the risk on the asset, expressed as the percentage of the asset's value that is lost.
single loss expectancy
SLE = asset value (AV) × exposure factor (EF)
A calculation of the expected monetary loss for an asset due to a particular risk over a single year.
annual loss expectancy
ALE = SLE × ARO
The expected number of times a risk or threat will occur in a one-year span (an event expected once every ten years has an ARO of 0.1).
Annualized rate of occurrence
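The SLE, ARO and ALE cards above are usually applied together to decide whether a control is worth buying: a control pays for itself when the ALE it removes exceeds its annual cost. The following Python is an added worked example, not part of the original flashcards; the scenarios, dollar amounts and the "WAF" control are constructed, hypothetical numbers chosen to make the arithmetic visible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario against a single asset (all money in dollars).
    Hypothetical values only; not taken from a real assessment."""
    name: str
    asset_value: float        # AV: what the asset is worth (replacement, revenue, liability)
    exposure_factor: float    # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float                # ARO: expected occurrences per year (0.1 = once a decade)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = AV x EF: the cost of one occurrence of the risk."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: the expected cost of the risk per year."""
    if s.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(s) * s.aro


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Cost/benefit of a safeguard:
    value = ALE(before control) - ALE(after control) - annual cost of the control.
    A positive value means the control saves more than it costs per year."""
    return (annual_loss_expectancy(before)
            - annual_loss_expectancy(after)
            - annual_control_cost)


def rank_by_ale(scenarios):
    """Order scenarios by ALE, highest first, the usual sort key for a risk register."""
    return sorted(scenarios, key=annual_loss_expectancy, reverse=True)


# Constructed scenarios (hypothetical numbers, not from any real assessment).
WEB_SERVER_NO_WAF = Scenario("web server defacement (no WAF)", 250_000, 0.40, 0.5)
WEB_SERVER_WITH_WAF = Scenario("web server defacement (with WAF)", 250_000, 0.10, 0.25)
LAPTOP_THEFT = Scenario("unencrypted laptop theft", 60_000, 0.50, 2.0)
WAF_ANNUAL_COST = 20_000  # hypothetical yearly licence plus operations cost


def demo():
    for s in rank_by_ale([WEB_SERVER_NO_WAF, LAPTOP_THEFT]):
        print(f"{s.name:36s} SLE=${single_loss_expectancy(s):>10,.0f}"
              f"  ALE=${annual_loss_expectancy(s):>10,.0f}")
    v = control_value(WEB_SERVER_NO_WAF, WEB_SERVER_WITH_WAF, WAF_ANNUAL_COST)
    print(f"WAF value per year: ${v:,.0f} ({'justified' if v > 0 else 'not justified'})")


if __name__ == "__main__":
    demo()
```

Note that the laptop scenario, with a smaller SLE, outranks the web server because thefts are expected twice a year; ALE, not SLE, is what drives prioritization. The WAF reduces both EF (less of the asset is lost) and ARO (fewer successful attacks), and the resulting ALE drop of $43,750 against a $20,000 cost gives a positive value, so the control is justified on these numbers.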
is the maximum tolerable length of time that a computer, system, network or application can be down after a failure or disaster occurs
Recovery time objective
The maximum amount of data, measured in time, that can be lost after a failure, disaster, or comparable event before the loss exceeds what is acceptable to the organization; in practice it bounds how old the most recent usable backup may be.
recovery point objective
The average time it takes to recover from a product or system failure.
Mean time to recovery (MTTR)
measures the average time that equipment is operating between breakdowns or stoppages
Mean time between failures
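RTO, RPO, MTTR and MTBF are all measured from the same raw material: a record of when the system went down, when it came back, and when backups were taken. The Python below is an added example, not part of the original flashcards, that computes the four figures from a constructed 30-day outage log and backup schedule (hypothetical timestamps) and checks each outage against an assumed RTO and RPO.

```python
from datetime import datetime, timedelta

# Constructed observation window and outage log: (start, end) per failure.
# Hypothetical timestamps, not taken from a real incident record.
WINDOW_START = datetime(2024, 3, 1)
WINDOW_END = datetime(2024, 3, 31)
OUTAGES = [
    (datetime(2024, 3, 4, 2, 0), datetime(2024, 3, 4, 3, 0)),      # 1 h outage
    (datetime(2024, 3, 12, 14, 0), datetime(2024, 3, 12, 20, 0)),  # 6 h outage
    (datetime(2024, 3, 25, 9, 0), datetime(2024, 3, 25, 11, 0)),   # 2 h outage
]
# Constructed backup schedule: one backup every night at 01:00.
BACKUPS = [datetime(2024, 3, day, 1, 0) for day in range(1, 31)]

# Assumed business targets for this system.
RTO = timedelta(hours=4)   # maximum tolerable downtime per event
RPO = timedelta(hours=24)  # maximum tolerable data loss, measured in time


def hours(td: timedelta) -> float:
    """Express a timedelta in hours for reporting."""
    return td.total_seconds() / 3600


def total_downtime(outages) -> timedelta:
    return sum((end - start for start, end in outages), timedelta())


def mean_time_to_recovery(outages) -> timedelta:
    """MTTR: average duration of an outage."""
    return total_downtime(outages) / len(outages)


def mean_time_between_failures(outages, window_start, window_end) -> timedelta:
    """MTBF: average operating time between failures = total uptime / number of failures."""
    uptime = (window_end - window_start) - total_downtime(outages)
    return uptime / len(outages)


def availability(outages, window_start, window_end) -> float:
    """Fraction of time the system was up: MTBF / (MTBF + MTTR)."""
    mtbf = mean_time_between_failures(outages, window_start, window_end)
    mttr = mean_time_to_recovery(outages)
    return mtbf / (mtbf + mttr)


def rto_violations(outages, rto):
    """Outages whose duration exceeded the recovery time objective."""
    return [(start, end) for start, end in outages if end - start > rto]


def worst_data_loss(outages, backups) -> timedelta:
    """Largest gap between an outage start and the last backup taken before it:
    the data a restore from that backup would lose."""
    worst = timedelta()
    for start, _ in outages:
        prior = [b for b in backups if b <= start]
        if not prior:
            raise ValueError(f"no backup exists before the outage at {start}")
        worst = max(worst, start - max(prior))
    return worst


def rpo_met(outages, backups, rpo) -> bool:
    return worst_data_loss(outages, backups) <= rpo


if __name__ == "__main__":
    print(f"MTTR {hours(mean_time_to_recovery(OUTAGES)):.1f} h, "
          f"MTBF {hours(mean_time_between_failures(OUTAGES, WINDOW_START, WINDOW_END)):.1f} h, "
          f"availability {availability(OUTAGES, WINDOW_START, WINDOW_END):.4%}")
    for start, end in rto_violations(OUTAGES, RTO):
        print(f"RTO missed: outage {start} to {end} lasted {hours(end - start):.1f} h")
    print(f"worst data loss {hours(worst_data_loss(OUTAGES, BACKUPS)):.1f} h, "
          f"RPO met: {rpo_met(OUTAGES, BACKUPS, RPO)}")
```

On this log the MTTR is 3 h and the average is within the RTO, yet the 6 h outage on 12 March still violates it: RTO is a per-event limit, so check every outage, not the mean. The nightly backup keeps worst-case data loss at 13 h, inside the 24 h RPO; tightening the RPO to 8 h would require more frequent backups.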
A documented, structured approach that describes how an organization can quickly recover from a disaster.
DRP Disaster Recovery Plan
those functions that need to be continuous or resumed within 12 hours after an event and maintained for up to 30 days or until normal operations can be resumed
mission essential functions
Collecting only the data that is needed to perform the required function.
data minimization
One way to protect data is simply not to display it. Masking can shift data from one place to another or shuffle numbers around; on a credit card receipt, for example, the card number is masked with asterisks and only the last few digits are shown.
data masking
Taking existing data and transforming it so that it is impossible to identify anything associated with the original data; the process cannot be reversed.
Anonymization
Replaces identifying data with a pseudonym but keeps a way to convert it back if it is needed for other processes: we might see one thing on the screen, but the original data is still available in the database.
Pseudonymization
This is a person in the organization who is responsible for a certain set of data
data owner
determines the purposes for which and the manner in which personal data is processed.
data controllers
engages in personal data processing on behalf of the controller
data processors
The person or group responsible for the accuracy of the data, for keeping it private, and for the security of the data stored in the organization's systems. This is also the user or group that identifies and sets the labels associated with data, so that it is clear exactly who may have access to it.
data custodians or data stewards
A higher-level manager who is responsible for the organization's overall data privacy policies. This person defines exactly what the privacy policies are and makes sure processes are in place so that all of the data remains private.
Data protection officer