Book-Notes Section 16 Flashcards
What does "publicly traded" mean?
A publicly traded company is a business whose shares (stock) are available for anyone to buy or sell on a stock exchange like:
NASDAQ
New York Stock Exchange (NYSE)
Or others around the world
Think of it like:
The company is "open to the public": people can invest in it by buying pieces (shares) of the company.
Example:
Apple (AAPL) and Microsoft (MSFT) are publicly traded.
You can open a brokerage account and buy their stock today.
Opposite: Privately held
A private company is not listed on the stock market.
Only private investors (like founders, venture capitalists) own shares.
Example: SpaceX is a private company.
What is GRC?
GRC stands for:
Governance
Risk Management
Compliance
A GRC program is a structured approach that helps an organization:
Stay organized and responsible
Manage risks
Follow laws, regulations, and policies
Think of it like:
A company's guidebook for doing the right thing, the safe way, and the legal way.
What does each part mean?
1. Governance: "Are we doing the right things?"
Making sure the company has the right rules and decision-making structure.
Examples:
Company policies
Leadership roles
Ethical business practices
2. Risk Management: "What could go wrong, and how do we handle it?"
Identifying risks (like data breaches, fraud, or system failures)
Creating plans to reduce or deal with those risks
3. Compliance: "Are we following the rules?"
Making sure the organization meets legal, regulatory, and industry standards
Examples:
GDPR (data privacy law in Europe)
HIPAA (health info protection in the U.S.)
PCI DSS (credit card data security)
What does a GRC Program do?
A GRC program brings all these things together in one system to:
Protect the organization
Build trust with customers and regulators
Avoid fines, breaches, and legal trouble
Make better, risk-aware business decisions
Governance Models: Centralized vs. Decentralized
Governance in cybersecurity refers to who makes security decisions and how policies and responsibilities are structured.
Centralized Governance Model
Definition:
All security decisions, policies, and controls are made and managed by a single central authority, usually the main IT/security team.
Characteristics:
One central team controls everything (like policies, tools, and responses)
Consistency across the whole organization
Easier to manage and audit
Often used in smaller organizations or tightly controlled environments
Example:
The corporate HQ's security team manages policies and tools for all offices, no matter where they are.
Decentralized Governance Model
Definition:
Each department, branch, or location has its own authority over security decisions and management.
Characteristics:
Multiple teams manage their own security needs
More flexibility for each team
Better suited for large or global organizations
Can lead to inconsistency and harder policy enforcement
Example:
Each regional office (e.g., U.S., Europe, Asia) has its own security team, tools, and policies.
Security+ Tip:
If the exam asks which model ensures consistency and easier enforcement, go with centralized.
If the question mentions flexibility or local control, the answer is likely decentralized.
What are SMEs?
SME stands for Subject Matter Expert.
A Subject Matter Expert is someone who has deep knowledge and experience in a specific area or topic.
Think of them as:
"The go-to person" for a particular subject: they really know their stuff.
What do EOL and EOSL mean?

| Term | Stands For | Simple Meaning |
| --- | --- | --- |
| EOL | End of Life | The product is no longer sold or developed |
| EOSL | End of Service Life (or End of Support Life) | The product no longer receives updates or support |

Think of it like:
EOL = The company stops selling or improving the product.
EOSL = The company stops supporting it (no patches, no help desk, no security updates).
Why do EOL and EOSL matter?
In cybersecurity and IT, running EOL or EOSL systems is risky because:
No more security updates
No more vendor support
Increased chance of vulnerabilities being exploited
May fail compliance checks (like HIPAA, PCI DSS)
Example:
Windows 7 reached EOL in 2020
Then it hit EOSL shortly after, meaning no updates, no support
Using it now? It's a security risk unless you're paying for extended support
Summary Table:

| Term | What Happens | Risk Level |
| --- | --- | --- |
| EOL | Product is no longer sold/developed | Medium |
| EOSL | Product is no longer supported/updated | High |

What is GLBA?
GLBA stands for the:
Gramm-Leach-Bliley Act
It's a U.S. federal law passed in 1999 that focuses on protecting consumer financial information.
Main Purpose of GLBA:
To ensure that financial institutions:
Protect customers' private financial data
Tell customers how their data is shared
Give customers the right to opt out of some data sharing
Who must follow GLBA?
Any business that offers financial products or services, including:
Banks
Credit unions
Mortgage lenders
Insurance companies
Tax preparation services
GLBA Has Three Key Rules:

| Rule Name | What It Does |
| --- | --- |
| Safeguards Rule | Requires companies to protect customer data with security controls |
| Privacy Rule | Requires companies to tell customers how they use/share data |
| Pretexting Protection | Prevents people from using social engineering to gain access to private info |

Why is GLBA important in cybersecurity?
It pushes companies to have strong security policies
Encourages encryption, access control, and audits
Helps prevent data breaches and identity theft
Failing to comply can lead to legal penalties and fines
What is SOX?
SOX stands for the:
Sarbanes-Oxley Act of 2002
It's a U.S. federal law created to protect investors by improving the accuracy and reliability of corporate financial reporting.
Why was SOX created?
SOX was passed after major corporate scandals like Enron and WorldCom, where companies:
Lied about their finances
Destroyed documents
Misled investors
So, Congress passed SOX to:
Increase accountability
Prevent fraud
Make sure companies tell the truth in their financial reports
Who must follow SOX?
Publicly traded companies in the U.S.
Their accountants, auditors, and executives
Some private companies if they plan to go public
What does SOX have to do with cybersecurity?
SOX focuses on financial data, but it requires companies to:
Protect the systems and data that support financial reporting.
So IT and security teams must:
Keep audit logs
Ensure access control
Use encryption
Perform regular system monitoring
Due Diligence vs. Due Care

| Term | Simple Definition |
| --- | --- |
| Due Diligence | Doing your homework: identifying, understanding, and evaluating risks before taking action. |
| Due Care | Taking action responsibly to protect against those risks you identified. |

Think of it like this:
Due Diligence = Knowing what the risks are
Due Care = Doing something about them
Real-World Example:
Imagine you're a security officer for a company:
Due Diligence:
You assess your network, identify outdated systems, review vendor risks, and analyze data protection gaps.
Due Care:
You apply patches, update firewalls, train employees, and create policies based on what you found.
Why it matters:
Both are used to show that your organization is not being negligent:
Due Diligence: You knew what needed to be done
Due Care: You actually did what was needed
This helps during:
Audits
Investigations
Lawsuits
What is Ad Hoc Risk Management?
Ad hoc risk management means dealing with risks in a reactive, unplanned, and informal way, usually after something goes wrong, instead of planning ahead.
Think of it like:
"We'll figure it out when it happens."
Characteristics of Ad Hoc Risk Management:
No formal risk management process
No risk documentation or tracking
Inconsistent responses to incidents
Often based on gut feeling or urgency, not strategy
Leads to surprises, gaps, and non-compliance
Why it's a problem:
Ad hoc risk management is considered immature in terms of cybersecurity maturity levels.
It puts the organization at higher risk
It often fails audits
It makes it hard to learn from past incidents
Opposite: Formal Risk Management
A mature organization would:
Use a risk management framework
Regularly assess and document risks
Assign responsibilities
Monitor and update risk mitigation plans
What is the difference between a password and a passphrase?
Password vs. Passphrase

| Term | What It Is | Example |
| --- | --- | --- |
| Password | A short string of characters | P@ssw0rd! or 123Abc |
| Passphrase | A longer sentence or phrase, often more readable | CorrectHorseBatteryStaple or I love coffee at 6am! |

What is Computer-Based Training (CBT)?
CBT is a type of learning that happens on a computer.
It usually involves interactive lessons, videos, quizzes, and simulations, all delivered digitally, without a live teacher.
Think of it like:
"Online self-paced training you can do on your computer."
Common Features of CBT:
Videos and slides to explain concepts
Quizzes to check your understanding
Interactive activities (drag-and-drop, click-to-reveal, etc.)
Self-paced: learn when and where you want
Often used for certification prep, cybersecurity awareness, or new employee onboarding
CBT in Cybersecurity (like for Security+):
Used for:
Security awareness training for employees
Teaching safe password practices
Phishing simulation training
Compliance training (like HIPAA, GDPR, etc.)