Chapter 10: Governance, Risk, and Compliance

Question 1

this entails evaluating the risk and then deciding not to take any action as you believe that the probability of it happening is very low or that the impact is low.

Answer 1

Risk Acceptance

Question 2

where you decide that the risk is great and you want to offload the responsibility to a third party.
–Insurance of any kind

Answer 2

Risk Transferrence

Question 3

is where the risk is deemed too high, so you decide not to carry out the task.

Answer 3

Risk Avoidance

Question 4

you evaluate the risk and decide whether or not the risk as it stands will result in financial loss, loss of service, or being vulnerable to attack.

Answer 4

Risk Mitigation

Question 5

is used to get a visual representation of the risks affecting a company. The heat map shows the severity of the situation, with the most severe risks being in red.
–areas in red cause severe damage to the company

Answer 5

Risk Matrix/Heat Map

Question 6

this occurs when a company checks that the risk controls that they have in place are still effective with changing technology

Answer 6

Risk Control Assessment

Question 7

this is the process of making all employees aware of the risk and motivating them to take responsibility for looking at risks

Answer 7

Risk Awareness

Question 8

this is the amount of risk mitigation that a company is willing to do so that they can be compliant with regulations

Answer 8

Risk Appetite

Question 9

severity of the risk—low medium high

Answer 9

Qualitative Risk

Question 10

numerical value gained by multiplying probability with impact

Answer 10

Quantitative Risk

Question 11

is to do with the loss of one item

Answer 11

Single Loss Expectancy (SLE)

Question 12

is the number of times an item has been lost in a year

Answer 12

Annualized Rate of Occurance (ARO)

Question 13

calculated by multiplying SLE by the ARO

Answer 13

Annualized Loss Expectancy (ALE)

Question 14

the process of looking into disasters and calculating the loss of sales, regulatory fines, and the purchase of new equipment

Answer 14

Business Impact Analysis (BIA)

Question 15

any single component that would prevent a company from remaining operational

Answer 15

single point of failure

Question 16

how long a company can last without its data before the lack of data starts to affect operations—also known as acceptable downtime

Answer 16

Recover Point Objective (RPO)

Question 17

the time that a company needs to be returned to an operational state.

Answer 17

Recovery Time Objective (RTO)

Question 18

the average time it takes to repair a system

Answer 18

Mean Time to Repair (MTTR)

Question 19

shows the reliability of a system

Answer 19

Mean Time Between Failures (MTBF)

Question 20

no information because they are not authorized by the company (Threat Actors)

Answer 20

Black Hat

Question 21

provided with limited information from company as they may be participating in the bug bounty program (Threat Actors)

Answer 21

Gray Hat

Question 22

ethical hacker employed by a company to test applications for flaws and vulnerabilities (Threat Actors)

Answer 22

White Hat

Question 23

these provide information related to attacks within the IT security community and include IP addresses, file hashes, URLS that are associated with malicious software.

Answer 23

Indicators of Compromise (IOCs)

Question 24

standards to prevent cyber attacks.

Answer 24

Structured Threat Information Exchange …(STIX/TAXII)

Question 25

this provides the exchange data about cyber attacks. This is shared by the US federal government from the state level down to the local level

Answer 25

Automated Indicator Sharing (AIS)

Question 26

is the oversight and management that describes the security controls that are applied at each stage of the data handling process

Answer 26

Governance

Question 27

this is the process of labeling data with relevant classifications, so that we know if it is top secret

Answer 27

Classification

Question 28

companies do not want to hold data any longer than they need to, as it reduces their liability;

Answer 28

Retention

Question 29

when an audit is carried out and reports show that controls in place are not secure enough, we implement _______ or write a new policy

Answer 29

Change Management

Question 30

is where someone requests those managing the implementing of a change to an existing control.—changes must be sent to the Change Advisory Board (CAB)

Answer 30

Change Control

Question 31

this is the process where each asset that belongs to the company has been tagged and is recorded in an asset register.

Answer 31

Asset Managment

Question 32

not for profit organization that publishes information on cybersecurity best practices and threats and has tools to help harden your environment and provide risk management

Answer 32

CIS

Question 33

is designed to focus on the individual and the risk they pose to cybersecurity.—this replaces Risk Management Framework (RMF)

Answer 33

NIST–Cyber Security Framework

Question 34

publishes standards that are internally agreed upon by experts

Answer 34

International Organization for Standardization (ISO)

Question 35

audit standard to enhance the quality and usefulness of Service Organizational Control (SOC) reports.

Answer 35

Standards on Standards Attestations Engagements (SSAE

Question 36

reports measure your security

Answer 36

SOC type 1 reports

Question 37

reports data management–on internal controls of the security processing and handling of users data to ensure that it is kept confidential and privacy is maintained

Answer 37

SOC type 2 reports

Question 38

not for profit organization that produces various resources to help Cloud Service Providers

Answer 38

Cloud Security Alliance (CSA)

Question 39

best practices for CSPs

Answer 39

CSA Reference Architecture

Question 40

data that has been created and turned into digital data is subject to the laws and regulations of the company in which it was created—it cannot be moved to another region—even for backup related reason

Answer 40

Data Sovereignty

Question 41

digital data is subject to the laws and regulations of the region it is created—need to retain medical data for 25 years; financial data for 5 years, and normal data for 2 years.

Answer 41

Legal Implications

Question 42

Reputation Damages/Domain Reputation/Identity Theft/Fines/Intellectual Property Theft

Answer 42

Privacy Breaches Consequences

Question 43

means that only necessary data should be collected based on regulations

Answer 43

Data Minimization

Question 44

where only partial data is left in a data field so that the original data cannot be stolen; credit card *** 2224

Answer 44

Data Masking

Question 45

where meaningful data is replaced with a token that is generated randomly; the original data is held in a vault—much stronger than encryption and it is stateless

Answer 45

Tokenization

Question 46

responsible for classifying the data and deciding who can access the data (data responsibility)

Answer 46

Data Owners

Question 47

ensures quality and labels it (data responsibility)

Answer 47

data steward

Question 48

stores, protects, and backs up (data responsbility)

Answer 48

data custodian

Question 49

responsible for ensuring that all data that is collected and its storage is legal and follows compliance regulations.

Answer 49

data controller

Question 50

operates on behalf of the data controller ensuring that the collection storage and analysis of the data is done in accordance with regulations

Answer 50

Data processor

Question 51

ensure that data regulations are adhered to.

Answer 51

Data Protection Officer (DPO)

Question 52

The Information Lifecycle

Answer 52

1. Creation
2. Use
3. Retention
4. Disposal