Legal Framework & Risk Flashcards
A private organization that oversees the development of voluntary consensus standards for various industries in the U.S.
Example: A manufacturer adheres to a widely recognized safety standard for its equipment to meet compliance requirements.
ANSI - American National Standards Institute
An independent international organization that develops and publishes global standards to ensure quality, safety, efficiency, and interoperability across various industries.
ISO (International Organization for Standardization)
A European Union regulation designed to protect individuals’ privacy and personal data, imposing strict rules on how organizations collect, store, and process personal information.
GDPR (General Data Protection Regulation)
A U.S. federal agency that develops and promotes standards, guidelines, and best practices for technology, including cybersecurity.
Example: An organization uses a widely adopted framework to strengthen its information security policies.
NIST - National Institute of Standards and Technology
A professional organization focused on advancing technology through standards, education, and research in areas like computing and telecommunications.
Example: A company follows a standard for wireless communication protocols to ensure interoperability between devices.
IEEE - Institute of Electrical and Electronics Engineers
A set of security standards created to protect cardholder data and ensure secure payment processing for organizations handling credit and debit card transactions.
PCI DSS (Payment Card Industry Data Security Standard)
Individuals or groups with an interest in the success, failure, or direction of a project, system, or organization.
Example: A group provides input on a new software system because its performance directly affects their daily work.
Stakeholders
Governing bodies responsible for overseeing an organization’s direction, policies, and compliance with legal and ethical standards.
Example: A group reviews an organization’s cybersecurity strategy to ensure it aligns with industry regulations.
Boards
Groups formed within an organization to focus on specific tasks, goals, or decision-making processes.
Example: A team develops a new set of policies to enhance data security and mitigate risks.
Committees
Agencies or departments at the federal, state, or local level that regulate, enforce, or influence standards and practices.
Example: A department issues compliance requirements for businesses handling sensitive public information.
Government Entities
A group of individuals assembled to discuss, decide, or advise on specific organizational, policy, or operational matters.
Example: A team meets regularly to propose updates to security protocols for the organization.
Council
A panel of experts or stakeholders that provides non-binding strategic guidance and advice to an organization or project.
Example: A group recommends adopting new industry standards to enhance the company’s compliance efforts.
Advisory Board
A temporary group established to address a specific problem, issue, or initiative, often with a defined deadline.
Example: A team is created to investigate a recent security breach and propose solutions within 30 days.
Task Force
Agencies or organizations at federal, state, or local levels that perform administrative, regulatory, or enforcement roles.
Example: An organization enforces environmental regulations for industries to protect public health.
Government Entities
Organizations formed by businesses within the same industry to promote collective interests, standards, or policies.
Example: A group lobbies for favorable legislation affecting data privacy in the technology sector.
Trade Associations
Organizations created by law to carry out specific functions, often with regulatory or enforcement authority.
Example: A body monitors compliance with labor laws in the workplace to ensure legal standards are met.
Statutory Bodies
Specialized government entities responsible for creating and enforcing rules within specific industries or sectors.
Example: An agency imposes fines on companies that fail to adhere to data protection laws.
Regulatory Agencies
Responsible for the technical storage, maintenance, and security of data, implementing the controls that the data owner specifies.
Data Custodian
Determines the purpose and means of processing personal data, essentially deciding “why and how” data is used
Data Controller
Holds ultimate responsibility for the data itself, including its accuracy, usage, and compliance
Data Owner
An entity that performs specific data processing tasks under the direction of the Data Controller
Data Processor
A role within an organization that ensures the quality and governance of data assets
Data Steward
An individual whose personal data is collected, stored, or processed by an organization.
Data Subject
The overall process of identifying potential hazards, analyzing their likelihood and severity, and then evaluating the level of risk they pose
Risk Assessment
The initial step of recognizing potential threats or hazards
Risk Identification
Involves breaking down identified risks to understand their potential impact and probability
Risk Analysis
Encompasses the entire process of identifying, analyzing, evaluating, and taking action to mitigate or control identified risks.
Risk Management
The decision to knowingly accept a risk without actively attempting to mitigate it, usually because the potential impact is considered low or the cost of mitigation is too high.
Risk Acceptance
A spontaneous or impromptu risk assessment that is not part of a structured, planned risk management process; a quick evaluation performed on an as-needed basis to address a specific situation or concern, focused on the risks relevant at that moment.
Ad Hoc
A method of evaluating risk by assigning numerical values to the likelihood and potential impact of a risk, allowing for a more precise analysis using data and statistical methods.
Quantitative Risk Assessment
The level of risk an organization or individual is willing to accept, defining the threshold where a risk becomes too significant to ignore.
Risk Tolerance
A method of evaluating risk using descriptive terms and subjective judgments to assess the likelihood and impact of a potential risk, often using a matrix system.
Qualitative Risk Assessment
Represents the monetary value expected to be lost if a specific risk event occurs once; calculated by multiplying the asset value by the exposure factor.
SLE (Single Loss Expectancy)
Indicates how often a specific risk event is expected to happen within a year.
ARO (Annual Rate of Occurrence)
The estimated yearly cost of a risk, calculated by multiplying the SLE by the ARO.
ALE (Annualized Loss Expectancy)
A comprehensive list of all identified risks with detailed information about each one, acting as a central repository for risk data
Risk Register
A visual representation of risks using color-coding to indicate their severity based on likelihood and impact, essentially a graphical display of a risk matrix
Risk Heat Map
A grid that plots the likelihood of a risk occurring against its potential impact, allowing for easy prioritization of risks
Risk Matrix
A central location to store and manage all risk-related information across an organization.
Risk Repository
The maximum amount of time a business can tolerate before normal operations are restored after a disaster. A forward-looking metric that helps define how to allocate resources for business continuity.
RTO (Recovery Time Objective)
The maximum amount of data a business can tolerate losing during a disaster. A backward-looking metric that helps define how often to back up data.
RPO (Recovery Point Objective)
A metric that measures the total lifespan of a system, including non-repairable failures. Useful for anticipating when to replace systems.
MTTF (Mean Time to Failure)
A key performance indicator (KPI) that measures how long a system or product is expected to operate before it fails.
MTBF (Mean Time Between Failures)
Measures how long it takes to repair a system or product after it fails.
MTTR (Mean Time to Repair)
A contractual provision granting an organization the right to review or inspect a vendor’s operations, processes, or records to ensure compliance.
Example: A company examines a vendor’s security controls to confirm adherence to agreed-upon data protection standards.
Right-to-Audit Clause
A provision that establishes the authority to monitor and manage the activities of a party or process to ensure proper execution.
Example: An organization includes regular reporting requirements to track progress on a cybersecurity project.
Oversight Clause
A contractual term requiring one party to demonstrate adherence to specific standards, laws, or policies.
Example: A cloud service provider submits an annual report showing alignment with industry security certifications.
Compliance Verification Clause
A provision that requires clear and open communication about activities, decisions, or processes to build trust and accountability.
Example: A company must disclose all third-party subcontractors involved in handling sensitive customer data.
Transparency Clause
A contract outlining the general terms and conditions between two parties for future agreements, typically covering long-term relationships or projects.
Example: A company signs an agreement with a vendor that defines the terms for all future purchases of services.
MSA - Master Service Agreement
A document that specifies the work to be performed under a contract, including deliverables, timelines, and specific requirements.
Example: A client and contractor agree on a detailed document that outlines project milestones, deadlines, and expectations.
SOW - Statement of Work
A formal document that outlines the specific terms and details of a partnership or agreement between two or more parties.
Example: Two organizations sign an agreement to jointly develop a new software tool, specifying each party’s contributions.
MOA - Memorandum of Agreement
A non-binding agreement that expresses the intent of parties to cooperate on a specific project or initiative.
Example: Two companies sign an understanding to collaborate on research, though no legal obligations are set at this stage.
MOU - Memorandum of Understanding
A document that outlines the tasks or services to be performed, typically in a business or industrial context, including timelines and pricing.
Example: A contractor receives a document outlining the specific repairs to be made to a building, including materials and deadlines.
WO - Work Order
A document that defines the security requirements for the interconnection of two or more systems or networks to ensure protection of sensitive data.
Example: A company and a third-party provider sign an agreement that outlines encryption protocols and access controls for their shared network.
ISA - Interconnection Security Agreement
A legally binding contract that prevents parties from disclosing confidential information to others.
Example: An employee signs an agreement to ensure that proprietary company information is not shared with competitors.
NDA - Non-Disclosure Agreement
A long-term agreement between a buyer and a supplier to provide goods or services at predetermined prices over a specified period.
Example: A company enters into an agreement with a vendor to supply office supplies on a recurring basis at fixed prices for the next year.
BPA - Blanket Purchase Agreement
The process of thoroughly investigating and evaluating a business or project to identify potential risks, liabilities, or compliance issues.
Example: A company conducts a detailed background check on a potential partner to ensure they comply with industry regulations.
Due Diligence
The level of caution and concern an ordinary person would exercise in a given situation, often used to determine negligence.
Example: A hospital implements strict hygiene practices, following industry norms to prevent infection during surgeries.
Standard of Care
The obligation to take reasonable steps to avoid harm or risk, reflecting the care expected in a specific context.
Example: A manager ensures that sensitive customer data is encrypted before being transmitted to a third-party vendor.
Due Care
A legal or ethical responsibility to act in the best interest of another party, typically in financial or management contexts.
Example: A financial advisor must recommend investment options that align with a client’s best interests, rather than personal gain.
Fiduciary Duty
The process of removing or altering personal information from a dataset so that individuals cannot be easily identified.
De-identification
A legal right that allows individuals to request the removal of their personal data from an organization’s records, under certain conditions.
Right to be Forgotten
A declaration or statement, often made by an external party, confirming the accuracy or authenticity of a specific fact or document.
Attestation
The process of confirming that a system or product meets specific requirements or standards before being used or deployed.
Validation
A statement or claim made, typically in the context of security or compliance, about the state or condition of a system or process.
Assertion
The formal recognition or approval granted by an authorized body that a system, individual, or organization meets specified standards or qualifications.
Certification
A group of security professionals hired to simulate real-world cyberattacks in order to test and improve an organization’s defenses.
Red Team
A group of cybersecurity professionals responsible for defending an organization’s systems and networks from attacks.
Blue Team
A group that oversees and facilitates cybersecurity exercises or simulations, ensuring they are conducted fairly and according to the rules.
White Team
A collaborative group combining members of both the red team (offensive) and blue team (defensive) to improve overall security posture through shared insights and tactics.
Purple Team
Malicious hacking activities performed with the intent to exploit systems, steal data, or cause harm, often for personal or financial gain.
Black-Hat Hacking
A testing method where the tester has full knowledge of the system’s internal workings, such as code and architecture, to identify vulnerabilities.
White-Box Testing
A testing method where the tester has no prior knowledge of the system’s internal workings, focusing on input and output to identify security weaknesses.
Black-Box Testing
Ethical hacking performed by professionals who are authorized to test systems for vulnerabilities and strengthen security.
White-Hat Hacking
A testing method where the tester has partial knowledge of the system, typically access to some internal components, but not complete details, to identify vulnerabilities.
Gray-Box Testing