Book-Notes Section 16 Flashcards

1
Q

💼 What does “publicly traded” mean?

A

A publicly traded company is a business whose shares (stock) are available for anyone to buy or sell on a stock exchange like:

📈 NASDAQ

📉 New York Stock Exchange (NYSE)

🏦 Or others around the world

🧠 Think of it like:

The company is “open to the public” — people can invest in it by buying pieces (shares) of the company.

📦 Example:
Apple (AAPL) and Microsoft (MSFT) are publicly traded.

You can open a brokerage account and buy their stock today.

Opposite: Privately held
A private company is not listed on the stock market.

Only private investors (like founders, venture capitalists) own shares.

Example: SpaceX is a private company.

2
Q

πŸ›‘οΈ What is GRC?

A

GRC stands for:

✅ Governance
✅ Risk Management
✅ Compliance

A GRC program is a structured approach that helps an organization:

Stay organized and responsible

Manage risks

Follow laws, regulations, and policies

🧠 Think of it like:

A company’s guidebook for doing the right thing, the safe way, and the legal way.

📘 What does each part mean?
1. 🧭 Governance – “Are we doing the right things?”
Making sure the company has the right rules and decision-making structure.

Examples:

Company policies

Leadership roles

Ethical business practices

2. ⚖️ Risk Management – “What could go wrong, and how do we handle it?”
Identifying risks (like data breaches, fraud, or system failures)

Creating plans to reduce or deal with those risks

3. 📜 Compliance – “Are we following the rules?”
Making sure the organization meets legal, regulatory, and industry standards

Examples:

GDPR (data privacy law in Europe)

HIPAA (health info protection in the U.S.)

PCI DSS (credit card data security)

🧰 What does a GRC Program do?
A GRC program brings all these things together in one system to:

Protect the organization

Build trust with customers and regulators

Avoid fines, breaches, and legal trouble

Make better, risk-aware business decisions

3
Q

🧭 Governance Models: Centralized vs. Decentralized

A

Governance in cybersecurity refers to who makes security decisions and how policies and responsibilities are structured.

πŸ›οΈ Centralized Governance Model
Definition:
All security decisions, policies, and controls are made and managed by a single central authority, usually the main IT/security team.

βœ… Characteristics:
One central team controls everything (like policies, tools, and responses)

Consistency across the whole organization

Easier to manage and audit

Often used in smaller organizations or tightly controlled environments

πŸ“Œ Example:
The corporate HQ’s security team manages policies and tools for all offices β€” no matter where they are.

🌐 Decentralized Governance Model
Definition:
Each department, branch, or location has its own authority over security decisions and management.

βœ… Characteristics:
Multiple teams manage their own security needs

More flexibility for each team

Better suited for large or global organizations

Can lead to inconsistency and harder policy enforcement

πŸ“Œ Example:
Each regional office (e.g., U.S., Europe, Asia) has its own security team, tools, and policies.

βœ… Security+ Tip:
If the exam asks which model ensures consistency and easier enforcement, go with centralized.

If the question mentions flexibility or local control, the answer is likely decentralized.

4
Q

πŸ‘©β€πŸ« What are SMEs?

A

SME stands for Subject Matter Expert.

A Subject Matter Expert is someone who has deep knowledge and experience in a specific area or topic.

🧠 Think of them as:

“The go-to person” for a particular subject — they really know their stuff.

5
Q

🧾 What do EOL and EOSL mean?

A

Term | Stands For | Simple Meaning
EOL | End of Life | The product is no longer sold or developed
EOSL | End of Service Life (or End of Support Life) | The product no longer receives updates or support

🧠 Think of it like:
EOL = The company stops selling or improving the product.

EOSL = The company stops supporting it (no patches, no help desk, no security updates).

Why do EOL and EOSL matter?
In cybersecurity and IT, running EOL or EOSL systems is risky because:

❌ No more security updates

❌ No more vendor support

❌ Increased chance of vulnerabilities being exploited

❌ May fail compliance checks (like HIPAA, PCI DSS)

📦 Example:
Windows 7 reached EOL in 2020

Then it hit EOSL shortly after — meaning no updates, no support

Using it now? It’s a security risk unless you’re paying for extended support

✅ Summary Table:
Term | What Happens | Risk Level
EOL | Product is no longer sold/developed | Medium
EOSL | Product is no longer supported/updated | High

6
Q

🏦 What is GLBA?

A

GLBA stands for the:

Gramm-Leach-Bliley Act

It’s a U.S. federal law passed in 1999 that focuses on protecting consumer financial information.

πŸ›‘οΈ Main Purpose of GLBA:
To ensure that financial institutions:

Protect customers’ private financial data

Tell customers how their data is shared

Give customers the right to opt out of some data sharing

πŸ›οΈ Who must follow GLBA?
Any business that offers financial products or services, including:

Banks 🏦

Credit unions πŸ’³

Mortgage lenders 🏑

Insurance companies πŸ›‘οΈ

Tax preparation services 🧾

πŸ“‹ GLBA Has Three Key Rules:
Rule Name What It Does
Safeguards Rule Requires companies to protect customer data with security controls
Privacy Rule Requires companies to tell customers how they use/share data
Pretexting Protection Prevents people from using social engineering to gain access to private info
πŸ” Why is GLBA important in cybersecurity?
It pushes companies to have strong security policies

Encourages encryption, access control, and audits

Helps prevent data breaches and identity theft

Failing to comply can lead to legal penalties and fines

7
Q

📘 What is SOX?

A

SOX stands for the:

Sarbanes-Oxley Act of 2002

It’s a U.S. federal law created to protect investors by improving the accuracy and reliability of corporate financial reporting.

💥 Why was SOX created?
SOX was passed after major corporate scandals like Enron and WorldCom, where companies:

Lied about their finances

Destroyed documents

Misled investors

So, Congress passed SOX to:

Increase accountability

Prevent fraud

Make sure companies tell the truth in their financial reports

πŸ›οΈ Who must follow SOX?
Publicly traded companies in the U.S.

Their accountants, auditors, and executives

Some private companies if they plan to go public

πŸ” What does SOX have to do with cybersecurity?
Great question β€” SOX focuses on financial data, but it requires companies to:

βœ”οΈ Protect the systems and data that support financial reporting.

So IT and security teams must:

Keep audit logs

Ensure access control

Use encryption

Perform regular system monitoring

8
Q

βš–οΈ Due Diligence vs. Due Care

A

Term | Simple Definition
Due Diligence | Doing your homework: identifying, understanding, and evaluating risks before taking action.
Due Care | Taking action responsibly to protect against those risks you identified.

🧠 Think of it like this:
🕵️‍♂️ Due Diligence = Knowing what the risks are
🛡️ Due Care = Doing something about them

✅ Real-World Example:
Imagine you’re a security officer for a company:

Due Diligence:
You assess your network, identify outdated systems, review vendor risks, and analyze data protection gaps.

Due Care:
You apply patches, update firewalls, train employees, and create policies based on what you found.

⚠️ Why it matters:
Both are used to show that your organization is not being negligent:

Due Diligence: You knew what needed to be done

Due Care: You actually did what was needed

This helps during:

Audits

Investigations

Lawsuits

9
Q

⚠️ What is Ad Hoc Risk Management?

A

Ad hoc risk management means dealing with risks in a reactive, unplanned, and informal way — usually after something goes wrong, instead of planning ahead.

🧠 Think of it like:

“We’ll figure it out when it happens.”

🔧 Characteristics of Ad Hoc Risk Management:
❌ No formal risk management process

❌ No risk documentation or tracking

❌ Inconsistent responses to incidents

❌ Often based on gut feeling or urgency, not strategy

❌ Leads to surprises, gaps, and non-compliance

📉 Why it’s a problem:
Ad hoc risk management is considered immature in terms of cybersecurity maturity levels.

It puts the organization at higher risk

It often fails audits

It makes it hard to learn from past incidents

✅ Opposite: Formal Risk Management
A mature organization would:

Use a risk management framework

Regularly assess and document risks

Assign responsibilities

Monitor and update risk mitigation plans

10
Q

Difference between a password and a passphrase

A

🔑 Password vs. Passphrase
Term | What It Is | Example
Password | A short string of characters | P@ssw0rd! or 123Abc
Passphrase | A longer sentence or phrase, often more readable | CorrectHorseBatteryStaple or I love coffee at 6am!

11
Q

💻 What is Computer-Based Training (CBT)?

A

CBT is a type of learning that happens on a computer.
It usually involves interactive lessons, videos, quizzes, and simulations, all delivered digitally, without a live teacher.

🧠 Think of it like:

“Online self-paced training you can do on your computer.”

📚 Common Features of CBT:
📺 Videos and slides to explain concepts

🧪 Quizzes to check your understanding

🖱️ Interactive activities (drag-and-drop, click-to-reveal, etc.)

⏱️ Self-paced — learn when and where you want

Often used for certification prep, cybersecurity awareness, or new employee onboarding

🛡️ CBT in Cybersecurity (like for Security+):
Used for:

Security awareness training for employees

Teaching safe password practices

Phishing simulation training

Compliance training (like HIPAA, GDPR, etc.)
