Chapter 10: Governance, Risk, and Compliance Flashcards

1
Q

this entails evaluating the risk and then deciding not to take any action as you believe that the probability of it happening is very low or that the impact is low.

A

Risk Acceptance

2
Q

where you decide that the risk is great and you want to offload the responsibility to a third party.
–Insurance of any kind

A

Risk Transference

3
Q

is where the risk is deemed too high, so you decide not to carry out the task.

A

Risk Avoidance

4
Q

you evaluate the risk and decide whether or not the risk as it stands will result in financial loss, loss of service, or being vulnerable to attack.

A

Risk Mitigation

5
Q

is used to get a visual representation of the risks affecting a company. The heat map shows the severity of the situation, with the most severe risks being in red.
–areas in red cause severe damage to the company

A

Risk Matrix/Heat Map

6
Q

this occurs when a company checks that the risk controls that they have in place are still effective with changing technology

A

Risk Control Assessment

7
Q

this is the process of making all employees aware of the risk and motivating them to take responsibility for looking at risks

A

Risk Awareness

8
Q

this is the amount of risk mitigation that a company is willing to do so that they can be compliant with regulations

A

Risk Appetite

9
Q

severity of the risk—low, medium, high

A

Qualitative Risk

10
Q

numerical value gained by multiplying probability with impact

A

Quantitative Risk

11
Q

is to do with the loss of one item

A

Single Loss Expectancy (SLE)

12
Q

is the number of times an item has been lost in a year

A

Annualized Rate of Occurrence (ARO)

13
Q

calculated by multiplying SLE by the ARO

A

Annualized Loss Expectancy (ALE)

14
Q

the process of looking into disasters and calculating the loss of sales, regulatory fines, and the purchase of new equipment

A

Business Impact Analysis (BIA)

15
Q

any single component that would prevent a company from remaining operational

A

single point of failure

16
Q

how long a company can last without its data before the lack of data starts to affect operations—also known as acceptable downtime

A

Recovery Point Objective (RPO)

17
Q

the time that a company needs to be returned to an operational state.

A

Recovery Time Objective (RTO)

18
Q

the average time it takes to repair a system

A

Mean Time to Repair (MTTR)

19
Q

shows the reliability of a system

A

Mean Time Between Failures (MTBF)

20
Q

no information because they are not authorized by the company (Threat Actors)

A

Black Hat

21
Q

provided with limited information from company as they may be participating in the bug bounty program (Threat Actors)

A

Gray Hat

22
Q

ethical hacker employed by a company to test applications for flaws and vulnerabilities (Threat Actors)

A

White Hat

23
Q

these provide information related to attacks within the IT security community and include IP addresses, file hashes, and URLs that are associated with malicious software.

A

Indicators of Compromise (IOCs)

24
Q

standards to prevent cyber attacks.

A

Structured Threat Information Exchange …(STIX/TAXII)

25
Q

this provides the exchange of data about cyber attacks. This is shared by the US federal government from the state level down to the local level

A

Automated Indicator Sharing (AIS)

26
Q

is the oversight and management that describes the security controls that are applied at each stage of the data handling process

A

Governance

27
Q

this is the process of labeling data with relevant classifications, so that we know if it is top secret

A

Classification

28
Q

companies do not want to hold data any longer than they need to, as it reduces their liability;

A

Retention

29
Q

when an audit is carried out and reports show that controls in place are not secure enough, we implement _______ or write a new policy

A

Change Management

30
Q

is where someone requests the implementation of a change to an existing control—changes must be sent to the Change Advisory Board (CAB)

A

Change Control

31
Q

this is the process where each asset that belongs to the company has been tagged and is recorded in an asset register.

A

Asset Management

32
Q

not for profit organization that publishes information on cybersecurity best practices and threats and has tools to help harden your environment and provide risk management

A

CIS

33
Q

is designed to focus on the individual and the risk they pose to cybersecurity—this replaces Risk Management Framework (RMF)

A

NIST–Cyber Security Framework

34
Q

publishes standards that are internally agreed upon by experts

A

International Organization for Standardization (ISO)

35
Q

audit standard to enhance the quality and usefulness of Service Organizational Control (SOC) reports.

A

Standards on Standards Attestations Engagements (SSAE)

36
Q

reports measure your security

A

SOC type 1 reports

37
Q

reports data management–on internal controls of the security processing and handling of users data to ensure that it is kept confidential and privacy is maintained

A

SOC type 2 reports

38
Q

not for profit organization that produces various resources to help Cloud Service Providers

A

Cloud Security Alliance (CSA)

39
Q

best practices for CSPs

A

CSA Reference Architecture

40
Q

data that has been created and turned into digital data is subject to the laws and regulations of the company in which it was created—it cannot be moved to another region—even for backup related reason

A

Data Sovereignty

41
Q

digital data is subject to the laws and regulations of the region it is created—need to retain medical data for 25 years; financial data for 5 years, and normal data for 2 years.

A

Legal Implications

42
Q

Reputation Damages/Domain Reputation/Identity Theft/Fines/Intellectual Property Theft

A

Privacy Breaches Consequences

43
Q

means that only necessary data should be collected based on regulations

A

Data Minimization

44
Q

where only partial data is left in a data field so that the original data cannot be stolen; credit card *** 2224

A

Data Masking

45
Q

where meaningful data is replaced with a token that is generated randomly; the original data is held in a vault—much stronger than encryption and it is stateless

A

Tokenization

46
Q

responsible for classifying the data and deciding who can access the data (data responsibility)

A

Data Owners

47
Q

ensures quality and labels it (data responsibility)

A

data steward

48
Q

stores, protects, and backs up (data responsibility)

A

data custodian

49
Q

responsible for ensuring that all data that is collected and its storage is legal and follows compliance regulations.

A

data controller

50
Q

operates on behalf of the data controller ensuring that the collection storage and analysis of the data is done in accordance with regulations

A

Data processor

51
Q

ensure that data regulations are adhered to.

A

Data Protection Officer (DPO)

52
Q

The Information Lifecycle

A
  1. Creation
  2. Use
  3. Retention
  4. Disposal