Domain 5: Program Management and Oversight Flashcards
1
Q
Security governance
Objective 5.1
A
2
Q
Guidelines
A
- Recommendations that steer the actions of employees and organizational departments
- Best practices, suggestions for solving issues, and steps that help comply with policy
- Recommendations, not hard-and-fast rules that must be followed every single time
- Example: providing suggestions for how to interact with users or ways to accommodate customer requests
3
Q
Standard operating procedures (SOP)
A
- Standard operating procedure (SOP)
- A set of instructions that describes a process or procedure to be performed in a specific operation or as an explicit reaction to a given event
- Having documented procedures that can be followed ensures events are handled correctly and consistently, and often helps to minimize security risk
4
Q
Policies (continued)
A
- Business partners agreement (BPA)
- An agreement between two business partners. These are generally long-term and broad in nature, and include information such as how to allocate profits/losses, what percentage of the business is owned by each partner, and how disagreements between partners are to be settled
- Service level agreement (SLA)
- Agreement that specifies the minimum level of service that must be provided between the parties
- Defines items such as the responsibilities of the service provider and the lowest levels of quality and availability that the client will tolerate when using the service
5
Q
Policies (continued)
A
- Interconnection security agreement (ISA)
- Agreement that defines the security controls which need to be in place when an organization (commonly a government agency) connects its IT systems to those of an outside entity
- Both sides must meet certain guidelines on security awareness, training, and establishing proper security controls
- Memorandum of understanding (MOU)
- An agreement between two or more parties that is meant to be a precursor to an official contract. It is less formal than a signed contract and is typically non-binding.
- Memorandum of agreement (MOA)
- Similar to an MOU but considered a formal contract. An MOA describes the responsibilities of each party; if the terms are violated, the violating party can be taken to court.
6
Q
Acceptable use policy (AUP)
A
- Policy that defines the rules for how a resource can be used
- Violation of this policy can lead to punishment, up to and including termination
- For example, a policy may state that personal social media use is not allowed on work systems
7
Q
Incident response
A
- Incident response
- How the organization handles a given incident
- Plan/policy/procedures
- Business continuity
- Maintaining operations in the face of an incident, ensuring availability
- Disaster recovery
- Restoring availability and integrity after an incident
8
Q
Change management
A
- Formal process for reviewing and approving any changes in an environment or organization
- For example, when adding new software to an environment, the software will need to be examined to determine whether it might cause any outages or interfere with other installed software
- A well-designed change management process reduces the risk associated with any given change and ideally does not cause too much change-related slowdown
- Change control is the process by which change management is accomplished: the mechanism through which each change is requested, reviewed, approved, and recorded
9
Q
Software development life cycle (SDLC)
A
10
Q
Standards
A
- Define formal expectations for various operations within an organization
- Examples:
- password requirements
- Access controls
- Physical security
- Encryption
11
Q
Procedures
A
- Onboarding
- Offboarding
- Playbooks
12
Q
Legal considerations
A
13
Q
Legal
A
- State and local
- National
- HIPAA (Health Insurance Portability and Accountability Act, US)
- SOX (Sarbanes-Oxley Act, US)
- International
- GDPR (General Data Protection Regulation, EU)
14
Q
Industry, compliance, and regulations
A
- Several industries have requirements that specify how organizations in that industry must operate
- These often come in the form of:
- Industry regulations
- Laws
15
Q
Industry compliance, and regulations (continued)
A
16
Q
Governance structure
A
- Boards
- Oversee implementation of security controls
- Ensure compliance with relevant laws and regulations
- Evaluate security program effectiveness
- Committees
- Specialized groups composed of subject matter experts, stakeholders, and representatives from relevant departments
- Focus on specific issues, such as security, risk management, audit, or compliance
17
Q
Governance structure (continued)
A
- Centralized oversight
- Decision-making authority rests with a single core group
- Establishes security policies, procedures, and guidelines
- Controls resource allocation to promote consistency and standardization across the organization
- Decentralized oversight
- Decision-making authority rests with different groups or departments, based on localized needs and priorities
- Each unit has greater control over allocating resources to security capabilities
18
Q
Government entities
A
- Regulatory agencies
- Establish and enforce security standards, regulations, and guidelines
- Oversee compliance
- Intelligence agencies
- Gather and analyze information to identify and counteract potential security threats
- Enforcement agencies
- Enforce laws; investigate and prosecute criminal activities, including cybercrime and terrorist activities
- Defense and military organizations
- Develop strategies, policies, and capabilities to address physical security, border control, and defense-related cybersecurity
19
Q
Government entities (continued)
A
- Data protection authorities
- Enforce data protection regulations and provide guidance on best practices for securing personal information
- National cybersecurity agencies
- Provide strategy, incident response, and guidance on cybersecurity practices for government entities and private organizations
20
Q
Data roles
A
21
Q
Risk management
Objective 5.2
A
22
Q
Risk identification
A
- Recognizing potential problems
- Ex:
- Vulnerability assessments
- Penetration testing
- Security audits
- Threat intelligence
23
Q
Risk assessment
A
- Ad hoc assessment
- Conducted as needed, for example in response to an incident
- Recurring assessment
- Scheduled at intervals, such as annually, quarterly, or monthly
- One-time assessment
- Carried out at a particular point in time, often for a new system or as an independent assessment
- Continuous assessment
- Constantly evaluates risk
- Supported by specialized tools producing real-time data
24
Q
Risk analysis
A
- Qualitative analysis
- Subjective, based on perception (e.g., high/medium/low ratings)
- Informed by experience
- Quantitative analysis
- Measurable, expressed as quantities (e.g., dollar values and frequencies)
25
Q
Risk analysis (continued)
A
- Probability
- Quantitative measure of the chance of occurrence
- Likelihood
- Qualitative measure of the chance of occurrence
- Impact
- Severity of the consequences if the risk is realized
- Exposure factor (EF)
- Percentage of an asset's value lost in a given incident
26
Q
Calculating risk
A
- Single loss expectancy (SLE): the expected loss from a single occurrence of an incident; SLE = asset value (AV) × exposure factor (EF)
- Annualized rate of occurrence (ARO): the number of times the incident is expected to occur in one year (e.g., 0.1 = once every ten years)
27
Q
Calculating risk (continued)
A
- Annualized loss expectancy (ALE): the expected loss per year from a given risk; ALE = SLE × ARO. Used to compare risks and to judge whether the annual cost of a countermeasure is justified by the reduction in ALE it achieves.
28
Q
Risk register
A
29
Q
Risk management strategies
A
- What do we do in response?
- Transfer - moving responsibility for a risk from one party to another. An example is using insurance to transfer the risk of loss to the insurance company.
- Accept - choosing not to act in response, recognizing that the cost of mitigation would outweigh the expected loss
- Avoid - simply not participating in risky activities, or not taking unnecessary actions that introduce risk. Not always possible.
- Mitigate - implementing processes and controls to reduce and respond to risk. For example, role-based training, penetration testing, applying the principle of least privilege, etc.
30
Q
Risk tolerance
A
- The level of risk an organization is prepared to carry without countermeasures; risk below this threshold is accepted because it does not justify the cost of mitigations and countermeasures
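The SLE/ARO/ALE arithmetic, the risk register, and the accept/mitigate/transfer decision described on the cards above, as an added worked example (not part of the flashcard deck). It goes slightly beyond the cards: it also computes the net annual value of a countermeasure (ALE before minus ALE after minus the control's annual cost) and uses that together with an assumed risk tolerance threshold to pick a strategy. All asset values, exposure factors, rates, control costs, the `TOLERANCE` figure, and the register row layout are constructed assumptions for illustration, not real data.

```python
from __future__ import annotations
from dataclasses import dataclass

# All figures in this file are constructed sample numbers, not real data.


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset at stake, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year (0.1 = once per ten years)


def sle(risk: Risk) -> float:
    """Single loss expectancy: SLE = AV x EF (loss from one incident)."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError(f"{risk.name}: EF must be between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualized loss expectancy: ALE = SLE x ARO (expected loss per year)."""
    if risk.aro < 0:
        raise ValueError(f"{risk.name}: ARO cannot be negative")
    return sle(risk) * risk.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # what the countermeasure costs per year to operate
    residual: Risk      # the same risk after the control lowers EF and/or ARO


def control_value(risk: Risk, control: Control) -> float:
    """Net annual value of a mitigation: (ALE before - ALE after) - control cost.
    Positive means the control saves more per year than it costs."""
    return ale(risk) - ale(control.residual) - control.annual_cost


def recommend(risk: Risk, control: Control, tolerance: float) -> str:
    """Pick one of the deck's response strategies from the numbers.

    tolerance is the largest expected annual loss (ALE) the organization will
    carry without a countermeasure: its risk tolerance (an assumed threshold).
    """
    if ale(risk) <= tolerance:
        return "accept"      # loss is too small to justify spending on a control
    if control_value(risk, control) > 0 and ale(control.residual) <= tolerance:
        return "mitigate"    # control pays for itself and brings ALE under tolerance
    return "transfer/avoid"  # control too costly or insufficient: insure or stop the activity


def risk_register(entries: list[tuple[Risk, Control]], tolerance: float) -> list[dict]:
    """Build register rows (an assumed layout), sorted by ALE, highest first."""
    rows = []
    for risk, control in entries:
        rows.append({
            "risk": risk.name,
            "sle": sle(risk),
            "ale": ale(risk),
            "control": control.name,
            "residual_ale": ale(control.residual),
            "net_control_value": control_value(risk, control),
            "strategy": recommend(risk, control, tolerance),
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# Constructed sample register: three hypothetical risks with candidate controls.
RANSOMWARE = Risk("ransomware on file server", 500_000, 0.6, 0.2)
LAPTOP_THEFT = Risk("unencrypted laptop theft", 2_000, 1.0, 0.5)
FLOOD = Risk("data center flood", 2_000_000, 0.5, 0.02)

SAMPLE_ENTRIES = [
    (RANSOMWARE, Control("offline backups + EDR", 25_000, Risk(RANSOMWARE.name, 500_000, 0.1, 0.2))),
    (LAPTOP_THEFT, Control("full-disk encryption", 800, Risk(LAPTOP_THEFT.name, 2_000, 0.2, 0.5))),
    (FLOOD, Control("flood barriers", 30_000, Risk(FLOOD.name, 2_000_000, 0.1, 0.02))),
]
TOLERANCE = 15_000.0  # assumed: accept up to $15k of expected annual loss per risk

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ENTRIES, TOLERANCE):
        print(f"{row['risk']:<28} SLE={row['sle']:>12,.0f} ALE={row['ale']:>10,.0f} "
              f"residual={row['residual_ale']:>8,.0f} net={row['net_control_value']:>9,.0f} "
              f"-> {row['strategy']}")
```

Running it ranks the ransomware risk first (ALE $60k, control worth $25k/yr net, so mitigate), shows the flood risk as one where the barriers cost more than they save (net -$14k, so look at insurance or relocation rather than the control), and accepts the laptop risk because its ALE is already under the assumed tolerance.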
31
Q
Risk appetite
A
- Describes the level of risk an organization is willing to take on in pursuit of its objectives
- Expansionary - willing to take on higher levels of risk for higher returns or growth
- Conservative - cautious organizations, less willing to take on risk
- Neutral - a balance between the expansionary and conservative approaches
32
Q
Risk reporting
A
- Methods used to communicate the organization's risk profile and the effectiveness of its risk management measures
- Provides insight to decision-makers, highlights problem areas, and ensures stakeholders are aware of recognized risks and of the approaches taken to mitigate them or the vulnerabilities behind them