CertMaster Practice: 5.0 Security Program Management and Oversight Flashcards
An organization is restructuring its IT governance framework to improve its cybersecurity strategy. The organization has several distributed offices across various geographical regions, each having a unique set of IT policies and infrastructure. The cybersecurity lead aims to increase control and consistency over the security practices in each office while retaining some autonomy for the individual offices to manage their specific risks. Which governance structure aligns with the objectives of the cybersecurity lead and effectively mitigates risks associated with the security practices at each office?
Centralized governance with an advisory board; Involves standardizing IT policies and practices across the organization, increasing control and consistency.
A data governance expert has to outline the distinct roles and responsibilities between the systems owners and the data custodians. The company is specifically interested in the functions that pertain to data confidentiality, integrity, and availability. Based on the scenario, which roles are correctly assigned to the system owner and the data custodian in order to maintain the confidentiality, integrity, and availability of data?
System owner—implementing data classification; Data custodian—enforcing access controls.
Which data and privacy law ensures executives within a financial institution take individual responsibility for the accuracy of financial reporting?
Sarbanes-Oxley (SOX) Act.
In which environment can multiple developers check out software code from a version control system and include change management processes?
Development.
An organization is continuously backing up its data to ensure minimum data loss in case of a system failure. It is trying to decide the maximum age of files that require recovery from backup storage for normal operations to resume after a failure. What concept should the organization consider to meet its needs?
A recovery point objective (RPO) is the maximum acceptable age of data that an organization can tolerate losing. When an organization continuously backs up its data, it is typically aiming to keep its RPO as low as possible.
A company conducts a risk analysis on a newly developed software application and has identified various potential threats and their impacts. Now, they want to set some measurable metrics that will help them understand when they might be approaching an unacceptable level of risk. What is the company looking to define in this situation?
Organizations use Key Risk Indicators (KRIs) as measurable metrics to provide an early signal of increasing risk exposures in various areas of the enterprise.
A new company implements a data center that will hold proprietary data that is output from a daily workflow. As the company has not received any funding, no risk controls are in place. How does the company approach risk during operations?
Risk acceptance; The company did not put in place countermeasures, either because the level of risk does not justify the cost or because there will be an unavoidable delay before the company can deploy the countermeasures.
What is the difference between a Memorandum of Understanding (MOU) and a Business Partners Agreement (BPA)?
MOUs are informal: a preliminary or exploratory agreement to express an intent to work together; BPAs are a type of partner agreement that large IT companies, such as Microsoft and Cisco, set up with resellers and solution providers.