Domain 5 Flashcards

1
Q

What are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss, using the security attributes of confidentiality, integrity, and availability (CIA) associated with data?

A

Security controls

2
Q

What controls do not require a technical team to administer and are generally handled by the human resources (HR) department? Examples include background checks, employee training, and organizational policies.

A

Managerial

3
Q

What is a policy or procedure used to limit security risk? These security controls are primarily implemented and executed by people, as opposed to systems.

A

Operational control

4
Q

What controls use some form of technology to address a security issue? These security controls are primarily implemented and executed by the information system through mechanisms contained in its hardware, software, or firmware components.

A

Technical

5
Q

What controls are barriers designed to stop an attacker from gaining unauthorized access to an asset? Examples include antivirus/antimalware software, firewalls, and intrusion prevention systems (IPSs).

A

Preventive

6
Q

What controls detect abnormalities and send alerts during unauthorized access to an asset? Examples include intrusion detection systems (IDSs) and security information and event management (SIEM) systems.

A

Detective

7
Q

What controls mitigate the damage after a disruption or attack? Examples include vulnerability patching and restoring from a backup.

A

Corrective

8
Q

What controls are warnings that discourage inappropriate or illegal behavior? Examples include warning messages about unauthorized access to an asset, or a strict security policy stating severe consequences for employees who violate it.

A

Deterrent

9
Q

What controls (also known as alternative controls) are used when the other controls cannot adequately mitigate the risk?

A

Compensating

10
Q

What controls are used to deter or deny unauthorized access to facilities, equipment, and resources, and to protect personnel and property from damage or harm? Examples include fences, doors, locks, and fire extinguishers.

A

Physical

11
Q

What specifies requirements for collecting and processing the personal information of people in the European Union (EU)? Any firm that wishes to do business with the EU must now meet this set of privacy regulations, which requires specific programs to address its requirements.

A

General Data Protection Regulation (GDPR)

12
Q

What is the system of rules, or statutes, made by the government of a country, state, or city? Statutes are enacted by a legislative body and then signed by the ranking official (president/governor).

A

Laws
13
Q

What is a set of contractual rules governing how credit card data is to be protected?

A

Payment Card Industry Data Security Standard (PCI DSS)

14
Q

What U.S. agency provides recommended strategies to the U.S. government and others on how to handle a wide range of issues, including risk from cybersecurity issues, and publishes the Risk Management Framework (RMF) and the Cybersecurity Framework (CSF)?

A

National Institute of Standards and Technology (NIST)

15
Q

Which organization publishes the international standard defining an information security management system (ISMS), along with the related standard in the same 27000 family that defines security techniques and a code of practice for information security controls?

A

International Organization for Standardization (ISO); ISO/IEC 27001 defines the ISMS and ISO/IEC 27002 is the code of practice for controls

16
Q

What reports focus on internal controls related to compliance or operations? A Type I report evaluates whether properly designed controls are in place at a specific point in time; a Type II report covers a period of time to verify the operating effectiveness of those controls.

A

SSAE SOC 2 Type I/II

17
Q

What organization issued the first comprehensive best-practice document for secure cloud computing, “Security Guidance for Critical Areas of Focus in Cloud Computing,” and has become the industry body for frameworks, benchmarks, and standards associated with cloud computing worldwide?

A

Cloud Security Alliance (CSA)

18
Q

What is a meta-framework of cloud-specific security controls, mapped to leading standards, best practices, and regulations? Version 3 of this document used 16 domains to cover 133 security control objectives addressing all key aspects of cloud security; the current version 4 expands this to 17 domains and 197 controls.

A

The Cloud Controls Matrix (CCM)

19
Q

The Cloud Security Alliance has a working group that has developed this for cloud deployments and services. The framework serves as both a methodology and a set of tools that can be used by security architects, enterprise architects, and risk management professionals.

A

Reference architecture, developed by the CSA Enterprise Architecture Working Group (EAWG)

20
Q

What secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented? As each organization may differ, the standard for one of these is a consensus-based set of knowledge designed to deliver a reasonable level of security across as wide a base as possible.

A

Benchmarks / secure configuration guides

21
Q

Many different web servers are used in enterprises, but the market leaders are Microsoft (IIS), Apache, and Nginx. Web servers offer a connection between users (clients) and web pages (the data being provided), and as such they are prone to attack.

A

Web server

22
Q

What is the interface between the applications we use to perform tasks and the actual physical computer hardware? Comprehensive, prescriptive configuration guides for all major operating systems are available from their respective manufacturers, from the Center for Internet Security (CIS), and from the DoD DISA STIG program.

A

The operating system (OS)

23
Q

What is the part of the enterprise that handles the specific tasks we associate with IT systems? Whether it is an e-mail server, a database server, a messaging platform, or any other server, this is where the work happens.

A

Application server

24
Q

What devices are the switches, routers, concentrators, firewalls, and other specialty devices that make the network function smoothly? Properly configuring these devices can be challenging but is very important, because failures at this level can adversely affect the security of the traffic they process.

A

Network infrastructure

25
Q

What is a policy that compels employees to rotate into different jobs, or at least to rotate some of their duties? This practice can deter fraud and sabotage and prevent information misuse as well.

A

Job rotation

26
Q

What is a set of rules defined by the organization that details the type of behavior permitted when using company assets? It should contain explicit language defining procedural requirements and the responsibilities of users.

A

Acceptable use policy (AUP)

27
Q

What policy, used by some organizations, requires employees in sensitive positions to take five or ten consecutive business days off? Organizations commonly schedule audits to coincide with this time off to increase the likelihood of discovering fraud and other crimes.

A

Mandatory vacation

28
Q

What division of responsibilities provides assurance that a single person cannot compromise a critical system or organizational security? It also creates a checks-and-balances system in which two or more users can verify what each other is doing and must work together to perform certain tasks.

A

Separation of duties

29
Q

What refers to granting users only the privileges necessary to perform their work and nothing more? This includes permissions to data and rights to perform tasks on systems, and it also applies to system access, for example, logging on to computers with or without full administrative privileges.

A

Least privilege

30
Q

What policy ensures that employees are cognizant of items left out on their desks? It prevents malicious individuals from walking around the office and stumbling across sensitive information.

A

Clean desk space

31
Q

What are used to identify an individual’s previous activities? Most are conducted prior to employment and can include an individual’s criminal, financial, or driving records.

A

Background checks

32
Q

What is a legal contract between two or more parties that details confidential information the parties will share

A

Non-disclosure agreement (NDA)

33
Q

Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party
One of the challenges in working with social media networks and/or applications is their terms of use

A

Social media analysis

34
Q

When bringing on new personnel through this process, ensure that they are aware of and understand their responsibilities with respect to securing company information and assets.

A

Onboarding

35
Q

What refers to the processes and procedures used when an employee leaves an organization? From a security perspective, this process is very important.

A

Off boarding

36
Q

What is important to ensure that users are aware of, and are following, appropriate policies and procedures as part of their workplace activities? As in all personnel-related training, two elements need attention.

A

User training

37
Q

What is the use of games to facilitate user training?

A

Gamification

38
Q

What is hands-on computer skill training in which a user is tested to see whether they can perform specific actions? Many hacking competitions are variations of these events.

A

Capture the flag

39
Q

What is a series of connected phishing attacks against an organization? Since this is an operational method of social engineering, the greater the level of institutional, organizational, and personal knowledge the attacker possesses about the target, the greater the chance of success.

A

Phishing campaigns

40
Q

To help users learn and identify phishing attacks, there are methods of running tests against users
A phishing attempt is sent to a user, and should they fall prey to it, the system notifies the user that this was only a drill and that they should be more cautious

A

Phishing simulations

41
Q

What is the use of a computer program to manage the training of users? Self-paced modules can facilitate skill development across a wide range of skills, and the flexibility of this approach is very attractive.

A

Computer-based training (CBT)

42
Q

For training to be effective, it needs to be targeted to the user with regard to their role in the subject of the training. What kind of training, with regard to information security responsibilities, is an important part of information security training?

A

Role-based training

43
Q

There is a wide range of training methods, and for the best results it is important to match the training methods to the material. What is this practice called?

A

Diversity of training techniques

44
Q

What is the practice of assessing third-party risks and then developing the necessary mitigations?

A

Third-party risk management

45
Q

What are firms or individuals that supply materials or services to a business
These items are purchased as part of a business process and represent some form of a value proposition for the firm purchasing them

A

Vendors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

An organization might perform this kind of assessment for the purposes of reducing vulnerability and ensuring business continuity. Using risk management process tools, organizations assess the risks and uncertainties caused by logistics-related activities or resources from partners in this.

A

Supply Chain

47
Q

Who can be enlisted in a business effort for multiple reasons: to share risk, share liability, share costs, leverage specialty expertise, and more? The key to navigating these relationships with respect to cybersecurity and risk is to ensure that the risks and responsibilities of both parties are understood and agreed to before a risk event occurs.

A

Business partners

48
Q

What is a negotiated agreement between parties detailing the expectations between a customer and a service provider? These essentially set the requisite level of performance of a given contractual service.

A

Service level agreement (SLA)

49
Q

What documents are also commonly used between different units within an organization to detail the expectations associated with a common business interest, including security requirements?

A

Memorandum of understanding (MOU) / memorandum of agreement (MOA)

50
Q

What is a field of study that examines measurement systems for accuracy and precision
Measurements and measurement systems have to be calibrated to ensure they are evaluating the actual object of interest

A

Measurement systems analysis (MSA)

51
Q

What is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners

A

A business partnership agreement (BPA)

52
Q

What is it called when a manufacturer quits selling an item? In most cases, the manufacturer no longer provides maintenance services or updates. In some cases this date is announced in advance, and support ends after it.

A

End of Life (EOL)

53
Q

What is the term used to denote that something has reached the end of its “useful life”? When this occurs, the provider of the item or service will typically no longer sell, support, or update it.

A

End of service life (EOSL)

54
Q

Whenever information is shared with a party, inside or outside the company, and the sharing entity wishes to have contractual terms that limit further sharing or disclosure, this is used.

A

NDA

55
Q

System integration with internal and third parties frequently involves the sharing of this. This can be shared for the purpose of processing or storage

A

Data

56
Q

Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity. What practice sorts information into various categories, each with its own requirements for handling?

A

Classification

57
Q

This is the process of managing the availability, usability, integrity, and security of the data in enterprise systems
This must be done by policy, as it involves a large number of data owners and users

A

Governance

58
Q

This is the management of the data lifecycle with an emphasis on when data reaches its end of useful life for an organization

A

Retention

59
Q

Who requires credentials to access specific system resources as part of their job duties? Management of who gets which credentials is part of the access and authorization management system and should be governed by a credential policy.

A

Personnel

60
Q

Whether the credentials are for a system or for physical access, credentials issued to this kind of party should be managed by policy to ensure they are issued when needed to the correct parties and revoked appropriately when access is no longer needed.

A

Third-party

61
Q

What are physical items that require access to a network or enterprise system
To have this access, they require credentials just like human users

A

Devices

62
Q

What are special accounts used to provision permissions for services, or for non-human-initiated system activity? Many computer systems have automated services that function either as part of, or in addition to, the operating system to enable certain functionality.

A

Service accounts

63
Q

What accounts have elevated privileges and require closer scrutiny as to who is issued these credentials and how they are used and monitored?

A

Administrator/root accounts

64
Q

What is a process to ensure proper procedures are followed when modifications to the IT infrastructure are made
Without a process to manage the change, an organization might suddenly find itself unable to conduct business

A

Change management

65
Q

What is the process of how changes to anything are sourced, analyzed, and managed. This is a subset of change management, focused on the details of a change and how it is documented

A

Change control

66
Q

What are the policies and processes used to manage the elements of the system, including hardware, software, and the data contained within them?

A

Asset management

67
Q

What threats come from outside the organization and, by definition, begin without access to the system
Access is reserved for users who have a business need to know and have authorized accounts on the system

A

External

68
Q

What threats include disgruntled employees and well-meaning employees who make mistakes or have an accident? These threats tend to be more damaging, as the perpetrator has already been granted some form of access.

A

Internal

69
Q

What are older, pre-existing systems? Age really isn’t the issue; what truly makes one of these what it is, is the concept of technical debt: the cost incurred over time as a result of not maintaining a system completely.

A

Legacy Systems

70
Q

The overall risk equation gets complicated when a system has multiple parties, each with its own risk determination. What is this kind of risk called?

A

Multiparty

71
Q

What can seriously damage a company’s future health? If a firm spends a lot of resources developing a product or a market and is then undercut by other parties that did not have to spend those resources, sales can disappear and future revenue streams can dry up.

A

Intellectual property (IP) theft

72
Q

What risk arises because software is obtained via licensing and, in many cases, trust? Copies of many software products can be made and used without licenses, and this creates the risk.

A

Software compliance/licensing

73
Q

An organization might accept the risk (based on their risk tolerance) after a cost/benefit analysis determines that the cost of countermeasures would outweigh the cost of asset loss due to a risk

A

Acceptance

74
Q

An organization might avoid the risk by selecting alternate options that have less associated risk than the default option. For example, an organization might require employees to fly to destinations rather than allowing them to drive.

A

Avoidance

75
Q

An organization might transfer, or assign, the risk by placing the cost of loss onto another entity, internal or external to the organization. For example, it might purchase insurance or outsource some responsibilities.

A

Transference

76
Q

A common method of transferring risk is to purchase this. This allows risk to be transferred to a third party that manages specific types of risk for multiple parties, thus reducing the individual cost

A

Cybersecurity insurance

77
Q

Risk can also be mitigated through the application of controls that reduce the impact of an attack
Controls can alert operators so that the level of exposure is reduced through process intervention

A

Mitigation

78
Q

To manage risk, there needs to be a measurement of loss, and potential loss, and much of this information comes by way of risk analysis
This is performed via a series of specific exercises that reveal presence and level of risk across an enterprise

A

Risk Analysis

79
Q

What is a list of the risks associated with a system? It can also contain additional information associated with each risk element, such as categories to group like risks, probability of occurrence, impact to the organization, mitigation factors, and other data.

A

Risk register

80
Q

What is used to visually display the results of a qualitative risk analysis

A

Risk matrix/heat map

81
Q

What is a tool used by the Financial Industry Regulatory Authority (FINRA) to assess a series of risks associated with their member institutions

A

Risk control assessment

82
Q

What is a technique that employs management and staff of all levels to identify and evaluate risks and associated controls
This information is collected and analyzed to produce a more comprehensive map of risks and the controls in place to address it

A

Risk control self-assessment

83
Q

What is knowledge of risk and consequences. This is essential for wide ranges of personnel, with the content tailored to their contributions to the enterprise

A

Risk awareness

84
Q

What is defined as the amount of risk that exists in the absence of controls? Note that “absence of controls” is commonly read as the current risk level before the control under consideration is applied (that is, given the existing set of controls) rather than as the hypothetical absence of any controls at all.

A

Inherent risk

85
Q

The presence of risk in a system is an absolute; it cannot be removed or eliminated entirely. As mentioned previously in this chapter, four actions can be taken to respond to risk: accept, transfer, avoid, and mitigate. What is the risk that remains after one of these responses has been applied?

A

Residual risk

86
Q

What is a term used to specify risk associated with the chance of a material misstatement in a company’s financial statements
This risk can be manifested in a couple ways: either there isn’t an appropriate set of internal controls to mitigate a particular risk or the internal controls set in place malfunctioned

A

Control risk

87
Q

What is the term used to describe a firm’s tolerance for risk
Even within a sector, with companies of the same size, operating in roughly the same areas, there can be differences in the level of risk each feels comfortable in accepting

A

Risk appetite

88
Q

The Sarbanes-Oxley Act of 2002 protects investors from corporate fraud and bad financial reporting. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards and policies for companies to follow in order to optimize security for consumer payment cards and associated private data. What category do these fall under?

A

Regulations that affect risk posture

89
Q

What risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. This usually involves the use of expert judgment and models to complete the assessment

A

Qualitative

90
Q

This risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business. This usually involves the use of metrics and models to complete the assessment

A

Quantitative

91
Q

What is the term for the chance that a particular risk will occur?
For quantitative measures, this is typically defined on an annual basis so that it can be compared to other annualized measures. If defined qualitatively, it is used to create rank-order outcomes.

A

Likelihood of occurrence

92
Q

What is a measure of the actual loss when a threat exploits a vulnerability?

A

Impact

93
Q

What is the amount of money it would take to replace an asset?
This term is used with the exposure factor (EF), a measure of how much of an asset is at risk, to determine the single-loss expectancy (SLE).

A

Asset value

94
Q

What is the value of the loss expected from a single event? It is calculated using the following formula:
SLE = asset value (AV) × exposure factor (EF)

A

Single-loss expectancy (SLE)

95
Q

What is a representation of the frequency of the event, measured in a standard year

A

Annualized rate of occurrence (ARO)
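
Cards 73, 77, 79, 80 and 89 through 95 describe the quantitative and qualitative risk calculations. The following is an added Python example, not part of the original flashcards, that carries them through end to end: SLE = AV × EF, the standard annualized loss expectancy ALE = SLE × ARO, a cost/benefit test that decides between accepting and mitigating a risk (card 73), a rank-ordered heat-map rating (card 80), and a small risk register sorted by ALE (card 79). The asset values, exposure factors, control costs and heat-map bands are constructed assumptions for illustration, not figures from any real assessment.

```python
"""Quantitative and qualitative risk worksheet (added example).

SLE = AV x EF, ALE = SLE x ARO, and a cost/benefit test for a proposed control.
All figures below are constructed for illustration, not from a real assessment.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    asset_value: float            # AV: cost to replace the asset
    exposure_factor: float        # EF: fraction of the asset lost in one event (0.0-1.0)
    aro: float                    # ARO: expected number of events per year
    control_name: str = ""        # control under consideration, if any
    control_cost: float = 0.0     # annual cost of that control
    aro_with_control: Optional[float] = None   # ARO after the control is applied
    ef_with_control: Optional[float] = None    # EF after the control is applied

    def sle(self, ef: Optional[float] = None) -> float:
        """Single-loss expectancy: SLE = AV x EF."""
        ef = self.exposure_factor if ef is None else ef
        if not 0.0 <= ef <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * ef

    def ale(self, ef: Optional[float] = None, aro: Optional[float] = None) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        aro = self.aro if aro is None else aro
        return self.sle(ef) * aro

    def control_value(self) -> float:
        """Annual value of the control: ALE before, minus ALE after, minus control cost.
        A negative value means the countermeasure costs more than the loss it prevents."""
        if not self.control_name:
            return 0.0
        ef_after = self.exposure_factor if self.ef_with_control is None else self.ef_with_control
        aro_after = self.aro if self.aro_with_control is None else self.aro_with_control
        return self.ale() - self.ale(ef_after, aro_after) - self.control_cost

    def recommendation(self) -> str:
        """Accept the risk unless a proposed control pays for itself (then mitigate)."""
        return "mitigate" if self.control_name and self.control_value() > 0 else "accept"


def heat_map_rating(likelihood: int, impact: int) -> str:
    """Qualitative rating: likelihood and impact are ranked 1-5 and multiplied.
    The band thresholds are an assumption of this example; organizations set their own."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact are ranked on a 1-5 scale")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def build_register(risks: List[Risk]) -> List[dict]:
    """Risk register rows, highest ALE first."""
    rows = [{
        "risk": r.name,
        "SLE": r.sle(),
        "ALE": r.ale(),
        "control": r.control_name or "(none evaluated)",
        "control_value": r.control_value(),
        "response": r.recommendation(),
    } for r in risks]
    return sorted(rows, key=lambda row: row["ALE"], reverse=True)


# Constructed sample data for a small register (hypothetical numbers).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.2,
         control_name="Offline backups + EDR", control_cost=15_000, ef_with_control=0.1),
    Risk("Web server DDoS outage", asset_value=50_000, exposure_factor=0.2, aro=1.5,
         control_name="DDoS scrubbing service", control_cost=25_000, aro_with_control=0.25),
    Risk("Lost laptop", asset_value=3_000, exposure_factor=1.0, aro=4),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['risk']:<28} SLE={row['SLE']:>10,.0f} ALE={row['ALE']:>10,.0f} "
              f"control={row['control']:<24} value={row['control_value']:>10,.0f} "
              f"-> {row['response']}")
```

In the sample, the ransomware control reduces a 20,000/year ALE to 4,000 for 15,000, so it is worth buying (mitigate); the DDoS service costs 25,000 to remove 12,500 of expected loss, so the risk is accepted instead, which is exactly the cost/benefit reasoning card 73 describes.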

96
Q

What are major events that cause disruptions
The timescale of the disruption can vary, as can the level of disruption, but the commonality is that the external event that caused the disruption is one that cannot be prevented

A

Disasters

97
Q

What changes can come from a wide variety of sources—weather, lightning, storms, and even solar flares—and these can cause changes to the system in a manner that disrupts normal operations

A

Environmental

98
Q

What threats are those attributable to the actions of a person? These threats aren’t limited to hostile actions by an attacker; they include accidents by users and system administrators.

A

Person-made

99
Q

What distinguishes threats an organization can control from those it cannot? For example, an organization might assess the risk of implementing a data loss prevention system to ensure that corporate data is not exposed to unauthorized personnel; on the other hand, it cannot control the weather, protestors, or external hackers.

A

Internal vs. external

100
Q

What identifies mission critical processes.
This analyzes the business impact if these critical processes are interrupted due to a disaster

A

Business impact analysis (BIA)

101
Q

What term is used to describe the target time set for the resumption of operations after an incident? This period is defined by the business, based on its needs.

A

Recovery time objective (RTO)

102
Q

What is a totally different concept from the RTO: the time period representing the maximum acceptable amount of data loss? It defines the frequency of backup operations necessary to prevent unacceptable levels of data loss.

A

Recovery point objective (RPO)

103
Q

What is a common measure of how long it takes to repair a given failure
This is the average time, and it may or may not include the time needed to obtain parts

A

Mean time to repair (MTTR)

104
Q

What is a common measure of reliability of a system and is an expression of the average time between system failures
The time between failures is measured from the time a system returns to service until the next failure

A

Mean time between failures (MTBF)

105
Q

What is the way to represent the next step—the transition from operations under business continuity back to normal operations
Just as the transition to business continuity operations needs to be planned, so too does the functional recovery plan

A

Functional recovery plans

106
Q

What is any system component whose failure or malfunctioning could result in the failure of the entire system

A

Single point of failure
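
Cards 101 through 106 define RTO, RPO, MTTR, MTBF and the single point of failure. The following is an added Python example, not part of the original flashcards, that turns those definitions into the checks a continuity planner actually runs: steady-state availability from MTBF and MTTR, the effect of redundant copies versus a single point of failure in a chain of components, the resulting annual downtime, and whether the MTTR and the backup schedule can meet the RTO and RPO. The component figures and the "N independent copies in parallel" redundancy model are constructed assumptions.

```python
"""Continuity metrics worksheet (added example).

Availability from MTBF/MTTR, series vs. redundant components, and RTO/RPO checks.
All component figures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List

HOURS_PER_YEAR = 8760.0


@dataclass
class Component:
    name: str
    mtbf_hours: float          # mean time between failures (return to service -> next failure)
    mttr_hours: float          # mean time to repair, including parts lead time if known
    redundant_copies: int = 1  # 1 = single instance, i.e. a single point of failure

    def availability(self) -> float:
        """Steady-state availability. One instance: MTBF / (MTBF + MTTR).
        N independent copies in parallel are down only when all N are down
        (assumption: failures are independent and any one copy carries the load)."""
        if self.mtbf_hours <= 0 or self.mttr_hours < 0 or self.redundant_copies < 1:
            raise ValueError("MTBF must be positive, MTTR non-negative, copies >= 1")
        single = self.mtbf_hours / (self.mtbf_hours + self.mttr_hours)
        return 1.0 - (1.0 - single) ** self.redundant_copies


def system_availability(components: List[Component]) -> float:
    """Components in series: the service is up only while every component is up."""
    total = 1.0
    for c in components:
        total *= c.availability()
    return total


def annual_downtime_hours(avail: float) -> float:
    """Expected unplanned downtime per year for a given availability."""
    return (1.0 - avail) * HOURS_PER_YEAR


def single_points_of_failure(components: List[Component]) -> List[str]:
    """Any component with exactly one instance takes the whole system down when it fails."""
    return [c.name for c in components if c.redundant_copies == 1]


def rto_check(component: Component, rto_hours: float) -> bool:
    """A component whose average repair time already exceeds the RTO cannot meet it."""
    return component.mttr_hours <= rto_hours


def rpo_check(backup_interval_hours: float, backup_duration_hours: float,
              rpo_hours: float) -> bool:
    """Worst-case data loss is the time since the last *completed* backup: one full
    interval plus the time the backup itself takes to run. That must fit inside the RPO."""
    return backup_interval_hours + backup_duration_hours <= rpo_hours


def continuity_report(components: List[Component], rto_hours: float, rpo_hours: float,
                      backup_interval_hours: float, backup_duration_hours: float) -> dict:
    """Summarize the system against its RTO/RPO targets."""
    avail = system_availability(components)
    return {
        "availability": avail,
        "annual_downtime_hours": annual_downtime_hours(avail),
        "single_points_of_failure": single_points_of_failure(components),
        "rto_violations": [c.name for c in components if not rto_check(c, rto_hours)],
        "rpo_met": rpo_check(backup_interval_hours, backup_duration_hours, rpo_hours),
    }


# Constructed sample: a three-tier service whose database is not replicated.
SAMPLE_SYSTEM = [
    Component("Load balancer", mtbf_hours=50_000, mttr_hours=4, redundant_copies=2),
    Component("Web server", mtbf_hours=20_000, mttr_hours=2, redundant_copies=3),
    Component("Database", mtbf_hours=30_000, mttr_hours=12),
]

if __name__ == "__main__":
    report = continuity_report(SAMPLE_SYSTEM, rto_hours=8, rpo_hours=24,
                               backup_interval_hours=24, backup_duration_hours=2)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report shows why the single unreplicated database dominates: the redundant tiers contribute almost nothing to downtime, the whole system's availability collapses to the database's own figure (about 3.5 hours of expected downtime a year), its 12-hour MTTR alone breaks an 8-hour RTO, and a daily backup that takes two hours to run cannot satisfy a 24-hour RPO because the worst-case loss is 26 hours of data.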

107
Q

What is the plan a firm creates to manage the business impact of a disaster and to recover from its impacts

A

Disaster recovery plan (DRP)

108
Q

What are those that, should they not occur or be performed properly, will directly affect the mission of the organization
Mission-essential functions are those that must be restored first after a business impact to enable the organization to restore its operations

A

Mission-essential functions

109
Q

What enables the security team to properly prioritize defenses to protect the systems and data in a manner commensurate with the associated risk

A

Identification of critical systems

110
Q

What is a risk assessment tailored for a specific site
For organizations with multiple locations, these are specific to the risks associated with each site

A

Site Risk Assessment

111
Q

What is a form of damage against a firm’s brand
Customers exert a choice when they engage in a commerce transaction, and businesses spend a lot of time and resources on building brands that facilitate the purchase decision towards their firm

A

Reputation damage

112
Q

What occurs when a criminal, using stolen information, assumes the identity of another individual to obtain and use credit in the victim’s name? If a data disclosure results in the loss of customers’ personal information, regulations may hold a firm responsible for sharing in the risk of this for the victims.

A

Identity theft

113
Q

Regulatory agencies sometimes can levy fines when regulations are not followed

A

Fines

114
Q

What is a major organizational consequence when it occurs, because when it occurs, the damage may not become evident until the material is used by a competitor

A

IP theft

115
Q

Understanding and being prepared to issue __________ ___ ________ because once a breach occurs, the timelines to do the correct things are short and the penalties can be significant

A

Notifications of breaches

116
Q

When a data breach occurs in the enterprise, it is important to have a process for escalating the incident up through your organization
Most data breaches are discovered as part of some incident response process, and the breach needs to have its own response separate from the initiating incident

A

Escalation

117
Q

Many laws and regulations covering information breaches require ______ __________ of computer security breaches in which unencrypted confidential information of any resident may have been compromised

A

Public notifications and disclosures

118
Q

What can cover basic protection needs, or the sources of the data, and thus are not a taxonomy but rather a set of management labels used to alert users to specific requirements?

A

Data Types

119
Q

What is data that can be seen by the public and has no needed protections with respect to confidentiality
It is important to protect the integrity of public data, lest one communicate incorrect data as being true

A

Public data

120
Q

What is labeled private if its disclosure to an unauthorized party would potentially cause harm or disruption to the organization
Passwords could be considered private

A

Private Data

121
Q

What is a generalized term that typically represents data classified as restricted from general or public release

A

Sensitive

122
Q

This is labeled confidential if its disclosure to an unauthorized party would potentially cause serious harm to the organization

A

Confidential Data

123
Q

What is labeled critical if its disclosure to an unauthorized party would potentially cause extreme harm to the organization
This data should be defined by policy, and that policy should include details regarding who has the authority to release the data

A

Critical Data

124
Q

What is data that is restricted to a company because of potential competitive use. If a company has data that could be used by a competitor for any particular reason (say, internal costs and pricing data), then it needs to be labeled and handled in a manner to protect it from release to competitors

A

Proprietary

125
Q

What refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual

A

Personally identifiable information (PII)

126
Q

The Health Insurance Portability and Accountability Act (HIPAA) regulations define protected health information (PHI) as any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse

A

Health information

127
Q

What is a major source of PII. Items such as bank accounts, loans, and payment amounts can all be leveraged against knowledge-based authentication systems to achieve access to even more information, such as credit reports

A

Financial information

128
Q

What can include PII about people, and this information needs protection in accordance with current rules and regulations

A

Government data

129
Q

What is the primary source of PII in an enterprise’s systems. This information was collected in response to a specific business need, and it requires appropriate levels of protection to prevent disclosure or release

A

Customer data

130
Q

Limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specified purpose

A

Data minimization

131
Q

What involves the hiding of data by substituting altered values
What hides personal or sensitive data but does not render it unusable

A

Data masking

132
Q

What assigns a random value that can be reversed or traced back to the original data

A

Tokenization

133
Q

What is the process of protecting private or sensitive information by removing identifiers that connect the stored data to an individual

A

Anonymization

134
Q

What is the method of replacing private identifiers with fake identifiers

A

Pseudo-anonymization

135
Q

The ownership and asset protection responsibilities of an organization lie with the _______ owner. The _____ owner is responsible for the protection of data at rest, in transit, and in use

A

Data owners

136
Q

Who is the person responsible for managing how and why data is going to be used by the organization

A

Data controller

137
Q

What is the entity that processes data given to it by the data controller. Data processors do not own the data, nor do they control it

A

Data processor

138
Q

What is the role responsible for the day-to-day caretaking of data
The data owner sets the relevant policies, and the steward or custodian ensures they are followed

A

Data custodian/steward

139
Q

What is the C-level executive who is responsible for establishing and enforcing data privacy policy and addressing legal and compliance issues. The data privacy officer is responsible for ensuring legal compliance with data privacy regulations

A

Data protection officer (DPO)

140
Q

Understanding the lifecycle of information assets—from the point of collection, use, and storage as well as how the assets are shared, protected, and ultimately destroyed—is important if one is to properly handle the information

A

Information life cycle

141
Q

What is a structured approach to determining the gap between desired privacy performance and actual privacy performance. Organizations that collect, use, store, or process personal information are required to conduct a privacy ______ ________

A

Impact assessment

142
Q

The legal description of terms of agreement (commonly known as terms and conditions) is a set of items that both parties agree upon before some joint activity. This is used all the time with any external-facing interface, where you have the responding party agree to a published terms of agreement document before granting them access or processing their data elements

A

Terms of agreement

143
Q

What is an exterior-facing statement that describes how the organization collects, uses, retains, and discloses personal information
Privacy notices are also referred to as a privacy statement or a fair processing statement

A

Privacy notice