Domain 5: Program Management and Oversight

Question 1

Security governance

Objective 5.1

Question 2

Guidelines

Answer 2

• recommendations that steer actions of employees and organizational departments
• Best practices, suggestions for solving issues, identify steps to comply with policy
• Recommendations but not hard and fast rules that must be followed every single time
• Example: providing suggestions for how to interact with users or ways to accommodate customer request

Question 3

Policies

Answer 3

• standard operating procedures (SOP)
  • Set of instructions used to describe a process or procedure that performs in explicit operation or explicit reaction to a given event
• Having procedures that can be followed. Make sure events are handled correctly existent and often helps to minimize security risk.

Question 4

Policies (continued)

Answer 4

• Is this partners agreement (BPA)
  • And agreement between two business partners. These are generally long-term and broad in nature, and include information such as how to allocate profits/losses, what percent of the business is owned by each partner and how disagreements between partners can be settled
• Service level agreement (SLA)
  • agreement justifies the minimum level of service that needs to be provided between parties
  • Defines item such as the responsibilities of the service provider and the lowest levels of quality and availability that the client will tolerate when using their service

Question 5

Policies (continued)

Answer 5

• connection security agreement (ISA)
  • agreement that defines security controls, which need to be in place when a government connects their IT systems to those of an outside entity
  • Both sides in the smallest certain guidelines on security awareness, training and establishing proper security controls
• memorandum of understanding (MOU)
  • agreement that two or more parties agree with which is meant to be a precursor to an official contract. This is less formal than a signed contract in his typically non-binding.
• memorandum of agreement (MOA)
  • similar to MOU but considered a formal contract. And and MOA describes responsibilities of each part, and if terms are violated, the violating party can be taken to court. 

Question 6

Acceptable use policy (AUP)

Answer 6

• Policy that defines the rules for how a resource can be used
• Violation of this policy can lead to punishment, up to an including termination
• For example a policy may state that personal social media is not allowed on work system

Question 7

Incident response

Answer 7

• incident response
  • How organization handles are given incident
  • Plan/policy/procedures
• business continuity
  • Maintaining operations in the face of an incident, ensuring availability
• Disaster recovery
  • Restoring availability in integrity after incident

Question 8

Change management

Answer 8

• formal process for reviewing and improving any changes in an environment or organization
  • For example, when adding a new software to an environment, the software will need to be examined to determine if it might cause any outages or if it will interfere with other install software
• A well desiged change management process can reduce the risk associated with any given change and ideally will not cause too much change related slow down
• Change control is the process by which change management is accomplished
• change control as hell. The change management is made. 

Question 9

Software development life cycle (SDLC)

Answer 9

Question 10

Standards

Answer 10

• Define formal expectations for various operations within an organization
• Examples:
  • password requirements
  • Access controls
  • Physical security
  • Encryption

Question 11

Procedures

Answer 11

• on boarding
• off boarding
• play Books

Question 12

Legal considerations

Question 13

Legal

Answer 13

• state and local
• national
  • HIPAA
  • SOX
• International
  • GDPR (EU)

Question 14

Industry, compliance, and regulations

Answer 14

• several industries have requirements that specify how those organizations should operate
• Over comes in form of:
  • Industry regulations
  • Laws

Question 15

Industry compliance, and regulations (continued)

Answer 15

Question 16

Governance structure

Answer 16

• boards
  • oversee implementation of security controls
  • Ensure compliance with relevant laws and regulations
  • Evaluate security program effectiveness
• committees
  • specialized groups comprised of a subject matter and experts, stakeholders, and representatives from relevant departments
  • Issues, such as security, wrist management, audit, or compliance

Question 17

Governance structured (continued)

Answer 17

• Centralized oversight
  • Decision making authority with single core group
  • Establish security, policies, procedures, and guidelines
  • resource allocation control to promote consistency and standardization across organization
• Decentralized oversight
  • Decision making authority with different groups or departments based on localized needs and priorities
  • each unit has greater control over allocation resources to security capabilities

Question 18

Government entities

Answer 18

• Regulatory agencies
  • Establish and enforce security, standards, regulations, and guidelines
  • Oversee compliance
• Intelligence agencies
  • Gather analyze information to identify and counteract potential security threats
• Enforcement agencies
  • Enforce laws, investigate and prosecute, criminal activities, including cyber crimes and terrorist activities
• Defense and military organizations
  • Develop strategies, policies and capabilities to address, physical security, border control, and defense related cyber security

Question 19

Government entities (continued)

Answer 19

• Data protection authorities
  • enforce the data protection regulations, and provide guidance on the best practices for securing personal information
• national cyber security agencies
  • Provide strategies, incident, response, and guidance on cyber security practices for government entities and private organizations

Question 20

Data roles

Answer 20

Question 21

Risk management

Objective 5.2

Question 22

Risk identification

Answer 22

• Recognizing potential problems
• Ex:
  • Vulnerability assessments
  • Penetration testing
  • Security audits
  • Threat intelligence

Question 23

Risk assessment

Answer 23

• ad hoc assessment
  • conducted as needed, response to incident
• recurring assessment
  • scheduled at intervals, such as annually, quarterly, or monthly
• One time assessment
  • Carried out at particular point in time, often for a new system or independent assessment
• Continuous assessment
  • Constantly evaluate risk
  • Supported by specialized tools, producing real time data

Question 24

Risk analysis

Answer 24

• Qualitative analysis
  • Subjective, based on perception
  • informed by experience
• Quantitative analysis
  • Measurable, quantity

Question 25

Risk analysis (continued)

Answer 25

- Probability - Quantitative analysis of chance of occurrence - likelihood - Qualitative analysis a chance of occurrence - Impact - Severity of risk of realized - Exposure factor - percentage of asset value loss from a given incident

Question 26

Calculating risk

Answer 26

- single loss expectancy (SLE) - Annualized rate of occurrence (ARO)

Question 27

Calculating risk (continued)

Answer 27

- annualized lost expectancy (ALE)

Question 28

Risk register

Answer 28

Question 29

Risk management strategies

Answer 29

- what do we do in response? - Transfer - moving risk responsibilities from one party to another. An example is using insurance to transfer the risk of loss to the insurance company. - Accept - choosing to not act in response, recognizing that the recall of mitigation always the loss - Avoid - simply not participating in risky activities or avoid taking unnecessary actions which caused risk. Not always possible. - Mitigate - implement processes to reduce and respond to risk. For example, rule-based training, penetration testing, using the principle of lease privilege, etc..

Question 30

Risk tolerance

Answer 30

- excepting risk because the level of wrist does not justify mitigations and countermeasures

Question 31

Risk appetite

Answer 31

- describe his level of risk organization is willing to accept - Expansionary - willing to take on higher levels of risk for high returns of growth - Conservative - organizations, cautious, and less willing to take on risk - Neutral - balance of both expansionary and conservative approaches

Question 32

Risk reporting

Answer 32

- methods used to communicate, organizational risk profile and efficacy of risk management steps - provides insights to decision-makers, highlights, problem, areas and insure holders are aware of recognize risk and approaches to mitigation or mitigating vulnerabilities