Legal Framework & Risk Flashcards

1
Q

A private organization that oversees the development of voluntary consensus standards for various industries in the U.S.

Example: A manufacturer adheres to a widely recognized safety standard for its equipment to meet compliance requirements.

A

ANSI - American National Standards Institute

2
Q

An independent international organization that develops and publishes global standards to ensure quality, safety, efficiency, and interoperability across various industries.

A

ISO (International Organization for Standardization)

3
Q

A European Union regulation designed to protect individuals’ privacy and personal data, imposing strict rules on how organizations collect, store, and process personal information. It applies to any organization, inside or outside the EU, that processes the personal data of people in the EU.

A

GDPR (General Data Protection Regulation)

4
Q

A U.S. federal agency (a non-regulatory agency within the Department of Commerce) that develops and promotes standards, guidelines, and best practices for technology, including cybersecurity.

Example: An organization uses a widely adopted framework to strengthen its information security policies.

A

NIST - National Institute of Standards and Technology

5
Q

A professional organization focused on advancing technology through standards, education, and research in areas like computing and telecommunications.

Example: A company follows a standard for wireless communication protocols to ensure interoperability between devices.

A

IEEE - Institute of Electrical and Electronics Engineers

6
Q

A set of security standards created to protect cardholder data and ensure secure payment processing for organizations handling credit and debit card transactions. It is an industry standard maintained by the PCI Security Standards Council and enforced through contracts with the card brands and acquiring banks, not a law.

A

PCI DSS (Payment Card Industry Data Security Standard)

7
Q

Individuals or groups with an interest in the success, failure, or direction of a project, system, or organization.

Example: A group provides input on a new software system because its performance directly affects their daily work.

A

Stakeholders

8
Q

Governing bodies responsible for overseeing an organization’s direction, policies, and compliance with legal and ethical standards.

Example: A group reviews an organization’s cybersecurity strategy to ensure it aligns with industry regulations.

A

Boards

9
Q

Groups formed within an organization to focus on specific tasks, goals, or decision-making processes.

Example: A team develops a new set of policies to enhance data security and mitigate risks.

A

Committees

10
Q

Agencies or departments at the federal, state, or local level that regulate, enforce, or influence standards and practices.

Example: A department issues compliance requirements for businesses handling sensitive public information.

A

Government Entities

11
Q

A group of individuals assembled to discuss, decide, or advise on specific organizational, policy, or operational matters.

Example: A team meets regularly to propose updates to security protocols for the organization.

A

Council

12
Q

A panel of experts or stakeholders that provides non-binding strategic guidance and advice to an organization or project.

Example: A group recommends adopting new industry standards to enhance the company’s compliance efforts.

A

Advisory Board

13
Q

A temporary group established to address a specific problem, issue, or initiative, often with a defined deadline.

Example: A team is created to investigate a recent security breach and propose solutions within 30 days.

A

Task Force

14
Q

Agencies or organizations at federal, state, or local levels that perform administrative, regulatory, or enforcement roles.

Example: An organization enforces environmental regulations for industries to protect public health.

A

Government Entities

15
Q

Organizations formed by businesses within the same industry to promote collective interests, standards, or policies.

Example: A group lobbies for favorable legislation affecting data privacy in the technology sector.

A

Trade Associations

16
Q

Organizations created by law to carry out specific functions, often with regulatory or enforcement authority.

Example: A body monitors compliance with labor laws in the workplace to ensure legal standards are met.

A

Statutory Bodies

17
Q

Specialized government entities responsible for creating and enforcing rules within specific industries or sectors.

Example: An agency imposes fines on companies that fail to adhere to data protection laws.

A

Regulatory Agencies

18
Q

Responsible for the technical storage, maintenance, and security of data on behalf of the data owner, implementing the controls the owner specifies (backups, access control, encryption, retention).

A

Data Custodian

19
Q

Determines the purpose and means of processing personal data, essentially deciding “why and how” data is used (a GDPR role, and the party primarily accountable for compliance).

A

Data Controller

20
Q

Holds ultimate responsibility for the data itself, including its accuracy, usage, and compliance

A

Data Owner

21
Q

An entity that performs specific data processing tasks on behalf of and under the documented instructions of the Data Controller (a GDPR role; a cloud provider hosting a customer’s personal data is a typical example).

A

Data Processor

22
Q

A role within an organization that ensures the quality and governance of data assets

A

Data Steward

23
Q

An individual whose personal data is collected, stored, or processed by an organization.

A

Data Subject

24
Q

The overall process of identifying potential hazards, analyzing their likelihood and severity, and then evaluating the level of risk they pose

A

Risk Assessment

25
Q

The initial step of recognizing potential threats or hazards

A

Risk Identification

26
Q

Involves breaking down identified risks to understand their potential impact and probability

A

Risk Analysis

27
Q

Encompasses the entire process of identifying, analyzing, evaluating, and taking action to mitigate or control identified risks.

A

Risk Management

28
Q

The decision to knowingly accept a risk without actively attempting to mitigate it, usually because the potential impact is considered low or the cost of mitigation exceeds the expected loss. The acceptance should be documented and signed off by the risk owner, with the residual risk within the organization’s tolerance.

A

Risk Acceptance

29
Q

An unplanned, as-needed risk assessment carried out in response to a specific situation or concern, rather than as part of a scheduled, structured risk management programme; typically narrow in scope and focused on the risks relevant at that moment.

A

Ad Hoc

30
Q

A method of evaluating risk by assigning numerical values to the likelihood and potential impact of a risk, allowing for a more precise analysis using data and statistical methods.

A

Quantitative Risk Assessment

31
Q

The level of risk an organization or individual is willing to accept, defining the threshold where a risk becomes too significant to ignore.

A

Risk Tolerance

32
Q

A method of evaluating risk using descriptive terms and subjective judgments to assess the likelihood and impact of a potential risk, often using a matrix system.

A

Qualitative Risk Assessment

33
Q

Represents the monetary value expected to be lost if a specific risk event occurs once; calculated by multiplying the asset value (AV) by the exposure factor (EF), the fraction of the asset’s value lost in a single occurrence.

A

SLE (Single Loss Expectancy)

34
Q

Indicates how often a specific risk event is expected to happen within a year. It can be a fraction: an event expected once every ten years has an ARO of 0.1.

A

ARO (Annualized Rate of Occurrence)

35
Q

The estimated yearly cost of a risk, calculated by multiplying the SLE by the ARO.

A

ALE (Annualized Loss Expectancy)

36
Q

A comprehensive list of all identified risks with detailed information about each one, acting as a central repository for risk data

A

Risk Register

37
Q

A visual representation of risks using color-coding to indicate their severity based on likelihood and impact, essentially a graphical display of a risk matrix

A

Risk Heat Map

38
Q

A grid that plots the likelihood of a risk occurring against its potential impact, allowing for easy prioritization of risks

A

Risk Matrix
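
The following block is an added worked example, not part of the original flashcard deck. It puts the quantitative cards (SLE, ARO, ALE, Risk Acceptance) and the qualitative cards (Risk Matrix, Risk Heat Map, Risk Register) to work on one small register: each entry is scored both ways, and a control is recommended only when the ALE it removes exceeds its annual cost. The asset values, exposure factors, rates, control costs, heat-map thresholds and risk names are all constructed assumptions for illustration.

```python
"""Quantitative and qualitative risk scoring for a small risk register.

Added example; it is not part of the original flashcard deck. It applies
the formulas the SLE, ARO and ALE cards state:

    SLE = asset value (AV) x exposure factor (EF)
    ALE = SLE x ARO

and a 5x5 likelihood/impact matrix for the qualitative cards. The asset
values, factors, control costs and risk names are constructed sample data.
"""
from __future__ import annotations

# Qualitative scales for the risk matrix (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: money lost per occurrence.
    EF is the fraction (0..1) of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy: expected loss per year.
    ARO may be below 1, e.g. 0.02 for an event expected once in 50 years."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Yearly value of a control: the ALE it removes minus what it costs to run.
    Negative means the control costs more than the risk it removes, which is
    the textbook case for risk acceptance."""
    return (ale_before - ale_after) - annual_control_cost


def matrix_score(likelihood: str, impact: str) -> int:
    """Risk matrix cell value: likelihood rank x impact rank (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def heat_colour(score: int) -> str:
    """Heat-map banding for a 5x5 matrix score (thresholds are an assumption)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def assess(entry: dict) -> dict:
    """Work one register entry through both methods and decide its treatment."""
    single_loss = sle(entry["asset_value"], entry["exposure_factor"])
    annual_loss = ale(single_loss, entry["aro"])
    residual_loss = ale(single_loss, entry["residual_aro"])
    net = control_net_benefit(annual_loss, residual_loss, entry["control_cost"])
    score = matrix_score(entry["likelihood"], entry["impact"])
    return {
        "name": entry["name"],
        "sle": single_loss,
        "ale": annual_loss,
        "residual_ale": residual_loss,
        "control_net_benefit": net,
        "treatment": "mitigate" if net > 0 else "accept",
        "matrix_score": score,
        "heat": heat_colour(score),
    }


def prioritise(register: list[dict]) -> list[dict]:
    """Rank the register by ALE, highest expected annual loss first."""
    return sorted((assess(e) for e in register), key=lambda r: r["ale"], reverse=True)


# Constructed sample register. residual_aro is the ARO expected once the
# proposed control is in place; control_cost is that control's annual cost.
SAMPLE_REGISTER = [
    {"name": "Ransomware on file server", "asset_value": 500_000, "exposure_factor": 0.6,
     "aro": 0.5, "likelihood": "likely", "impact": "major",
     "control_cost": 40_000, "residual_aro": 0.1},
    {"name": "Laptop theft (disk encrypted)", "asset_value": 3_000, "exposure_factor": 1.0,
     "aro": 2, "likelihood": "likely", "impact": "negligible",
     "control_cost": 8_000, "residual_aro": 0.5},
    {"name": "Data-centre flood", "asset_value": 2_000_000, "exposure_factor": 0.25,
     "aro": 0.02, "likelihood": "rare", "impact": "severe",
     "control_cost": 3_000, "residual_aro": 0.01},
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r['name']:<32} SLE={r['sle']:>10,.0f} ALE={r['ale']:>10,.0f} "
              f"net={r['control_net_benefit']:>8,.0f} -> {r['treatment']:<8} "
              f"matrix={r['matrix_score']:>2} ({r['heat']})")
```

Two things the numbers show that the definitions alone do not. The laptop-theft entry has a high ARO but a tiny SLE, so the control costs more than the ALE it removes and acceptance is the right call. The flood entry is the opposite: the heat map puts it in the green band and its ALE is small because the ARO is low, but a single occurrence would be severe; whether to treat it anyway is a risk-tolerance decision, which is why a register should carry both the ALE and the qualitative score rather than one or the other.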

39
Q

A central location to store and manage all risk-related information across an organization.

A

Risk Repository

40
Q

The maximum acceptable time between a disruption and the restoration of a system or business process. A forward-looking target that drives how much to invest in recovery capability (standby systems, failover, runbooks).

A

RTO (Recovery Time Objective)

41
Q

The maximum acceptable amount of data loss, expressed as the point in time before a disruption to which data must be recoverable. A backward-looking target that dictates how often backups or replication must run: an RPO of one hour requires at least hourly backups.

A

RPO (Recovery Point Objective)

42
Q

The average time a non-repairable component or system operates before it fails, i.e. its expected lifespan. Useful for planning when to replace items such as disks or batteries.

A

MTTF (Mean Time to Failure)

43
Q

A reliability metric for repairable systems: the average operating time between one failure and the next. Higher MTBF means higher reliability. Contrast MTTF, which applies to items that are replaced rather than repaired.

A

MTBF (Mean Time Between Failures)

44
Q

The average time taken to repair a system or product and return it to service after a failure (also expanded as Mean Time to Recover or Restore).

A

MTTR (Mean Time to Repair)
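
The following block is an added example, not part of the original deck, showing how the three metrics on the MTTF, MTBF and MTTR cards are actually computed from data rather than looked up. The outage log and disk lifetimes are constructed sample data. Because the cards do not fix a measurement convention, the block assumes one: MTBF is the mean uptime from the restoration of one failure to the start of the next, and MTTR is the mean outage duration. The availability figure at the end goes one step beyond the cards, but follows directly from those two numbers.

```python
"""MTTF, MTBF and MTTR computed from an outage log.

Added example; not part of the original flashcard deck. The outage
timestamps and disk lifetimes are constructed sample data. Conventions
(an assumption, since the cards do not fix them): MTBF is the mean uptime
between the restoration of one failure and the start of the next; MTTR is
the mean duration of an outage. Availability = MTBF / (MTBF + MTTR) goes
one step beyond the cards but follows directly from those two figures.
"""
from datetime import datetime

# Constructed: (failure detected, service restored) for one repairable system.
OUTAGES = [
    ("2024-01-03 08:00", "2024-01-03 10:00"),   # 2 h outage
    ("2024-01-13 08:00", "2024-01-13 09:00"),   # 1 h outage
    ("2024-01-23 08:00", "2024-01-23 11:00"),   # 3 h outage
]

# Constructed: hours to failure for three identical non-repairable units.
DISK_LIFETIMES_H = [30_000, 35_000, 40_000]

_FMT = "%Y-%m-%d %H:%M"


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two timestamps; negative intervals are a log error."""
    delta = datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)
    hours = delta.total_seconds() / 3600
    if hours < 0:
        raise ValueError(f"interval ends before it starts: {start} -> {end}")
    return hours


def mttr_hours(outages) -> float:
    """Mean Time to Repair: average outage duration (failure to restoration)."""
    if not outages:
        raise ValueError("no outages recorded")
    return sum(_hours(start, end) for start, end in outages) / len(outages)


def mtbf_hours(outages) -> float:
    """Mean Time Between Failures: average uptime from one restoration to the
    next failure. Needs at least two outages; the uptime before the first
    and after the last outage is not known from the log and is left out."""
    if len(outages) < 2:
        raise ValueError("need at least two outages to measure time between failures")
    ordered = sorted(outages)  # ISO-style timestamps sort chronologically as strings
    uptimes = [_hours(ordered[i][1], ordered[i + 1][0]) for i in range(len(ordered) - 1)]
    return sum(uptimes) / len(uptimes)


def mttf_hours(lifetimes) -> float:
    """Mean Time to Failure: average lifetime of non-repairable units.
    There is no repair cycle, so this is simply the mean of the lifetimes."""
    if not lifetimes:
        raise ValueError("no lifetimes recorded")
    return sum(lifetimes) / len(lifetimes)


def availability(outages) -> float:
    """Steady-state availability derived from MTBF and MTTR."""
    up, down = mtbf_hours(outages), mttr_hours(outages)
    return up / (up + down)


if __name__ == "__main__":
    print(f"MTTR = {mttr_hours(OUTAGES):.1f} h")
    print(f"MTBF = {mtbf_hours(OUTAGES):.1f} h")
    print(f"MTTF (disks) = {mttf_hours(DISK_LIFETIMES_H):,.0f} h")
    print(f"Availability = {availability(OUTAGES):.4%}")
```

The practical point is the one the cards gloss over: MTBF and MTTR come from the same log but answer different questions (how reliable is the system, and how good is the recovery process), and MTTF is not the same quantity measured on a different system but a different quantity altogether, used for items that are replaced rather than repaired.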

45
Q

A contractual provision granting an organization the right to review or inspect a vendor’s operations, processes, or records to ensure compliance.

Example: A company examines a vendor’s security controls to confirm adherence to agreed-upon data protection standards.

A

Right-to-Audit Clause

46
Q

A provision that establishes the authority to monitor and manage the activities of a party or process to ensure proper execution.

Example: An organization includes regular reporting requirements to track progress on a cybersecurity project.

A

Oversight Clause

47
Q

A contractual term requiring one party to demonstrate adherence to specific standards, laws, or policies.

Example: A cloud service provider submits an annual report showing alignment with industry security certifications.

A

Compliance Verification Clause

48
Q

A provision that requires clear and open communication about activities, decisions, or processes to build trust and accountability.

Example: A company must disclose all third-party subcontractors involved in handling sensitive customer data.

A

Transparency Clause

49
Q

A contract outlining the general terms and conditions between two parties for future agreements, typically covering long-term relationships or projects.

Example: A company signs an agreement with a vendor that defines the terms for all future purchases of services.

A

MSA - Master Service Agreement

50
Q

A document that specifies the work to be performed under a contract, including deliverables, timelines, and specific requirements.

Example: A client and contractor agree on a detailed document that outlines project milestones, deadlines, and expectations.

A

SOW - Statement of Work

51
Q

A formal document that outlines the specific terms and details of a partnership or agreement between two or more parties.

Example: Two organizations sign an agreement to jointly develop a new software tool, specifying each party’s contributions.

A

MOA - Memorandum of Agreement

52
Q

A non-binding agreement that expresses the intent of parties to cooperate on a specific project or initiative.

Example: Two companies sign an understanding to collaborate on research, though no legal obligations are set at this stage.

A

MOU - Memorandum of Understanding

53
Q

A document that outlines the tasks or services to be performed, typically in a business or industrial context, including timelines and pricing.

Example: A contractor receives a document outlining the specific repairs to be made to a building, including materials and deadlines.

A

WO - Work Order

54
Q

A document that defines the security requirements for the interconnection of two or more systems or networks to ensure protection of sensitive data.

Example: A company and a third-party provider sign an agreement that outlines encryption protocols and access controls for their shared network.

A

ISA - Interconnection Security Agreement

55
Q

A legally binding contract that prevents parties from disclosing confidential information to others.

Example: An employee signs an agreement to ensure that proprietary company information is not shared with competitors.

A

NDA - Non-Disclosure Agreement

56
Q

A long-term agreement between a buyer and a supplier to provide goods or services at predetermined prices over a specified period.

Example: A company enters into an agreement with a vendor to supply office supplies on a recurring basis at fixed prices for the next year.

A

BPA - Blanket Purchase Agreement

57
Q

The process of thoroughly investigating and evaluating a business or project to identify potential risks, liabilities, or compliance issues.

Example: A company conducts a detailed background check on a potential partner to ensure they comply with industry regulations.

A

Due Diligence

58
Q

The level of caution and concern an ordinary person would exercise in a given situation, often used to determine negligence.

Example: A hospital implements strict hygiene practices, following industry norms to prevent infection during surgeries.

A

Standard of Care

59
Q

The obligation to take reasonable steps to avoid harm or risk, reflecting the care expected in a specific context.

Example: A manager ensures that sensitive customer data is encrypted before being transmitted to a third-party vendor.

A

Due Care

60
Q

A legal or ethical responsibility to act in the best interest of another party, typically in financial or management contexts.

Example: A financial advisor must recommend investment options that align with a client’s best interests, rather than personal gain.

A

Fiduciary Duty

61
Q

The process of removing or altering personal information from a dataset so that individuals cannot be easily identified.

A

De-identification

62
Q

A legal right that allows individuals to request the removal of their personal data from an organization’s records, under certain conditions (the GDPR’s “right to erasure”, Article 17).

A

Right to be Forgotten

63
Q

A declaration or statement, often made by an external party, confirming the accuracy or authenticity of a specific fact or document.

A

Attestation

64
Q

The process of confirming that a system or product meets specific requirements or standards before being used or deployed.

A

Validation

65
Q

A statement or claim made, typically in the context of security or compliance, about the state or condition of a system or process.

A

Assertion

66
Q

The formal recognition or approval granted by an authorized body that a system, individual, or organization meets specified standards or qualifications.

A

Certification

67
Q

A group of security professionals hired to simulate real-world cyberattacks in order to test and improve an organization’s defenses.

A

Red Team

68
Q

A group of cybersecurity professionals responsible for defending an organization’s systems and networks from attacks.

A

Blue Team

69
Q

A group that oversees and facilitates cybersecurity exercises or simulations, ensuring they are conducted fairly and according to the rules.

A

White Team

70
Q

A collaborative group combining members of both the red team (offensive) and blue team (defensive) to improve overall security posture through shared insights and tactics.

A

Purple Team

71
Q

Malicious hacking activities performed with the intent to exploit systems, steal data, or cause harm, often for personal or financial gain.

A

Black-Hat Hacking

72
Q

A testing method where the tester has full knowledge of the system’s internal workings, such as code and architecture, to identify vulnerabilities.

A

White-Box Testing

73
Q

A testing method where the tester has no prior knowledge of the system’s internal workings, focusing on input and output to identify security weaknesses.

A

Black-Box Testing

74
Q

Ethical hacking performed by professionals who are authorized to test systems for vulnerabilities and strengthen security.

A

White-Hat Hacking

75
Q

A testing method where the tester has partial knowledge of the system, typically access to some internal components, but not complete details, to identify vulnerabilities.

A

Gray-Box Testing