Domain 5: Program Management and Oversight Flashcards

1
Q

Security governance

Objective 5.1

A
2
Q

Guidelines

A
  • Recommendations that steer the actions of employees and organizational departments
  • Best practices and suggestions for solving issues; identify steps to comply with policy
  • Recommendations, not hard and fast rules that must be followed every single time
  • Example: providing suggestions for how to interact with users or ways to accommodate customer requests
3
Q

Policies

A
  • Standard operating procedures (SOP)
    • Set of instructions used to describe a process or procedure that performs an explicit operation or an explicit reaction to a given event
  • Having procedures that can be followed ensures events are handled consistently and often helps to minimize security risk
4
Q

Policies (continued)

A
  • Business partners agreement (BPA)
    • An agreement between two business partners. These are generally long-term and broad in nature, and include information such as how to allocate profits/losses, what percentage of the business is owned by each partner, and how disagreements between partners can be settled
  • Service level agreement (SLA)
    • Agreement that specifies the minimum level of service that needs to be provided between parties
    • Defines items such as the responsibilities of the service provider and the lowest levels of quality and availability that the client will tolerate when using the service
5
Q

Policies (continued)

A
  • Interconnection security agreement (ISA)
    • Agreement that defines the security controls which need to be in place when a government agency connects its IT systems to those of an outside entity
    • Both sides must establish certain guidelines on security awareness, training, and proper security controls
  • Memorandum of understanding (MOU)
    • Agreement that two or more parties agree to, meant to be a precursor to an official contract. It is less formal than a signed contract and is typically non-binding.
  • Memorandum of agreement (MOA)
    • Similar to an MOU but considered a formal contract. An MOA describes the responsibilities of each party, and if the terms are violated, the violating party can be taken to court.
6
Q

Acceptable use policy (AUP)

A
  • Policy that defines the rules for how a resource can be used
  • Violation of this policy can lead to punishment, up to and including termination
  • For example, a policy may state that personal social media is not allowed on work systems
7
Q

Incident response

A
  • Incident response
    • How an organization handles a given incident
    • Plan/policy/procedures
  • Business continuity
    • Maintaining operations in the face of an incident, ensuring availability
  • Disaster recovery
    • Restoring availability and integrity after an incident
8
Q

Change management

A
  • Formal process for reviewing and approving any changes in an environment or organization
    • For example, when adding new software to an environment, the software will need to be examined to determine if it might cause any outages or interfere with other installed software
  • A well designed change management process can reduce the risk associated with any given change and ideally will not cause too much change-related slowdown
  • Change control is the process by which change management is accomplished; it is how changes are actually made
9
Q

Software development life cycle (SDLC)

A
10
Q

Standards

A
  • Define formal expectations for various operations within an organization
  • Examples:
    • password requirements
    • Access controls
    • Physical security
    • Encryption
11
Q

Procedures

A
  • Onboarding
  • Offboarding
  • Playbooks
12
Q

Legal considerations

A
13
Q

Legal

A
  • State and local
  • National
    • HIPAA
    • SOX
  • International
    • GDPR (EU)
14
Q

Industry, compliance, and regulations

A
  • Several industries have requirements that specify how those organizations should operate
  • Often comes in the form of:
    • Industry regulations
    • Laws
15
Q

Industry compliance, and regulations (continued)

A
16
Q

Governance structure

A
  • Boards
    • Oversee implementation of security controls
    • Ensure compliance with relevant laws and regulations
    • Evaluate security program effectiveness
  • Committees
    • Specialized groups composed of subject matter experts, stakeholders, and representatives from relevant departments
    • Address issues such as security, risk management, audit, or compliance
17
Q

Governance structure (continued)

A
  • Centralized oversight
    • Decision-making authority rests with a single core group
    • Establishes security policies, procedures, and guidelines
    • Controls resource allocation to promote consistency and standardization across the organization
  • Decentralized oversight
    • Decision-making authority rests with different groups or departments based on localized needs and priorities
    • Each unit has greater control over allocating resources to security capabilities
18
Q

Government entities

A
  • Regulatory agencies
    • Establish and enforce security standards, regulations, and guidelines
    • Oversee compliance
  • Intelligence agencies
    • Gather and analyze information to identify and counteract potential security threats
  • Enforcement agencies
    • Enforce laws; investigate and prosecute criminal activities, including cyber crimes and terrorist activities
  • Defense and military organizations
    • Develop strategies, policies, and capabilities to address physical security, border control, and defense-related cyber security
19
Q

Government entities (continued)

A
  • Data protection authorities
    • Enforce data protection regulations and provide guidance on best practices for securing personal information
  • National cyber security agencies
    • Provide strategies, incident response, and guidance on cyber security practices for government entities and private organizations
20
Q

Data roles

A
21
Q

Risk management

Objective 5.2

A
22
Q

Risk identification

A
  • Recognizing potential problems
  • Ex:
    • Vulnerability assessments
    • Penetration testing
    • Security audits
    • Threat intelligence
23
Q

Risk assessment

A
  • Ad hoc assessment
    • Conducted as needed, e.g. in response to an incident
  • Recurring assessment
    • Scheduled at intervals, such as annually, quarterly, or monthly
  • One-time assessment
    • Carried out at a particular point in time, often for a new system or an independent assessment
  • Continuous assessment
    • Constantly evaluates risk
    • Supported by specialized tools producing real-time data
24
Q

Risk analysis

A
  • Qualitative analysis
    • Subjective, based on perception
    • Informed by experience
  • Quantitative analysis
    • Measurable, based on quantity
25
Q

Risk analysis (continued)

A
  • Probability
    • Quantitative analysis of the chance of occurrence
  • Likelihood
    • Qualitative analysis of the chance of occurrence
  • Impact
    • Severity of the risk if realized
  • Exposure factor
    • Percentage of asset value lost from a given incident
26
Q

Calculating risk

A
  • Single loss expectancy (SLE)
  • Annualized rate of occurrence (ARO)
27
Q

Calculating risk (continued)

A
  • Annualized loss expectancy (ALE)
28
Q

Risk register

A
29
Q

Risk management strategies

A
  • What do we do in response?
  • Transfer - moving risk responsibilities from one party to another. An example is using insurance to transfer the risk of loss to the insurance company.
  • Accept - choosing not to act in response, recognizing that the cost of mitigation outweighs the loss
  • Avoid - simply not participating in risky activities, or avoiding unnecessary actions which cause risk. Not always possible.
  • Mitigate - implementing processes to reduce and respond to risk. For example, role-based training, penetration testing, using the principle of least privilege, etc.
30
Q

Risk tolerance

A
  • Accepting risk because the level of risk does not justify mitigations and countermeasures
31
Q

Risk appetite

A
  • Describes the level of risk an organization is willing to accept
  • Expansionary - willing to take on higher levels of risk for higher returns or growth
  • Conservative - organizations are cautious and less willing to take on risk
  • Neutral - a balance of the expansionary and conservative approaches
32
Q

Risk reporting

A
  • Methods used to communicate the organizational risk profile and the efficacy of risk management steps
  • Provides insights to decision-makers, highlights problem areas, and ensures stakeholders are aware of recognized risks and of approaches to mitigating vulnerabilities