Domain 5.0: Governance, Risk and Compliance Flashcards
Controls tend to do what?
Deter, prevent, detect or correct.
Anti-malware is an example since it includes more than one of those functions.
A computer login notification is an example of what control?
Preventative control
What is a compensating control?
It’s used when a business or technological constraint exists and an alternative control is effective in the current security threat landscape.
SLA
Service Level Agreement
BPA
Business Partners Agreement
MOU
Memorandum of Understanding
ISA
Interconnection Security Agreement
SLA, BPA, MOU, and ISA are what?
They are types of interoperability agreements that help mitigate risks when dealing with third parties.
What do user types require?
They require training and awareness.
What are user types?
General users, privileged users, system administrators, executive users, data owners, system owners.
Which user types are responsible for creating and managing security policies?
Executive users
Data owners
System owners
How should users be trained?
Proper use of their various personal applications including email and social media networks. The training should address any limitations or expectations regarding their use.
RPO
Recovery Point Objective designates the amount of data that will be lost or will have to be reentered due to network downtime.
RTO
Recovery Time Objective designates the amount of time that can pass before a disruption begins to seriously impede normal business operations.
MTBF
Mean Time Between Failures is the average time before a product requires repair.
MTTF
Mean Time to Failure is the average time before a product fails and cannot be repaired.
Privacy Threshold Assessment
It determines whether systems contain personal information.
Privacy Impact Assessment
It is needed for any organization that collects, uses, stores or processes personal information.
Risk assessment
A function of threat, vulnerability, and impact. The formula can be expressed as: Risk = Threat * Vulnerability * Impact.
Risk Identification
Includes asset identification, risk assessment, threat identification & classification and identification of vulnerabilities.
Regarding risk, qualitative measures are based on what?
Subjective values – they are less precise than quantitative measures, which rely on numbers.
What can be done with identified risk?
They can be accepted, mitigated, transferred or avoided. Purchasing insurance is a common example of transferring risk.
ALE
Annual Loss Expectancy; it is a formula -> ALE = SLE × ARO
SLE = Single Loss Expectancy; ARO = Annualized Rate of Occurrence.
Why is change management important?
Change introduces risk that can impact systems and services.
DRP
Disaster Recovery Planning details considerations for backup and restoration including secure recovery methods.
What is considered PII?
Personally Identifiable Information – the information must be specifically associated with an individual.
Data owners
They determine the data classification level.
Data custodians
They implement the controls for data.
Degaussing
Data disposal method that includes using a tool to reduce or remove the magnetic field of storage media.
Benchmarks
They provide guidance for creating a secure configuration posture.