Lessons 25-29

Question 1

THIRD-PARTY RISK MANAGEMENT

Answer 1

Is a composite of activities used to research and source third parties, conduct due diligence investigations, negotiate contracts, manage relationships, evaluate performance, and make payments

Question 2

THIRD-PARTY OVERSIGHT

Answer 2

The implementation of strategies to manage uncertainty, identify vulnerabilities, and ensure compliance and continuity.

Question 3

RIGHT TO AUDIT

Answer 3

A “right to audit” contract provision (clause) grants the contract holder the right to conduct or oversee an audit of the service provider’s facilities and practices.

Question 4

MOU

Answer 4

memorandum of understanding is a non-binding document that outlines the intentions and areas of cooperation between parties

Question 5

MOA

Answer 5

memorandum of agreement is a legally enforceable document that establishes a contractual relationship between parties.

Question 6

BPA

Answer 6

business partner agreement is a comprehensive legal document that outlines the terms and conditions of a relationship between two or more businesses or entities

Question 7

SLA

Answer 7

a service-level agreement codifies service and support requirements and may include incentives and or penalties.

Question 8

MSA

Answer 8

a master services agreement outlines general terms and conditions. It serves as a framework for future agreements or projects between the parties.

Question 9

SOW

Answer 9

a statement of work that defines tasks, deliverables, timelines, and performance expectations for a particular project or engagement between a client and a service provider

Question 10

WO

Answer 10

a work order is transactional and used for individual service requests, often within the context of ongoing business relationships.

Question 11

Data minimization-

Answer 11

approach limits data collection to only what is required to fulfill a specific purpose

Question 12

RIGHT TO BE FORGOTTEN

Answer 12

Pertains to an individual’s right to have their personal information removed or deleted from online platforms, search engine results, or other publicity accessible sources.

Question 13

Data controller-

Answer 13

determines the purposes for which, and the means by which, personal data is processed

Question 14

Data processor

Answer 14

processes personal data on behalf of the data controller

Question 15

Data protection officer

Answer 15

ensures that an organization is in compliance with privacy regulations as defined in the GDPR: independence is required.

Question 16

Data masking

Answer 16

a technique used to protect sensitive data by replacing it with fictional or de-identified data

Question 17

Tokenization

Answer 17

a technique to secure and desensitize data by replacing the original data with an unrelated value of the same length and format

Question 18

Anonymization

Answer 18

the process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual

Question 19

Pseudo-anonymization-

Answer 19

a method to substitute identifiable data with a reversible consistent value.

Question 20

PRIVACY IMPACT ASSESSMENT (PIA)

Answer 20

is a process used to evaluate how an organization’s projects, systems, or practices affect the privacy of individuals’ personal data. It helps identify and mitigate privacy risks, ensuring that data handling complies with privacy laws and regulations.

Question 21

PRIVACY STATEMENT

Answer 21

Describes how an organization collects, uses, shares, and protects personal information collected from individuals

Question 22

INFORMATION SECURITY ASSESSMENT

Answer 22

Is the process of determining how effectively the entity being evaluated meets specific security criteria

Question 23

Examination

Answer 23

the process of interviewing, reviewing, inspecting, studying, and observing to facilitate understanding, comparing to standards or baselines, or to obtain evidence (audit)

Question 24

Testing-

Answer 24

the process of exercising objects under specified conditions to compare actual and expected behavior (penetration testing)

Question 25

Assurance

Answer 25

is the measure of confidence that intended controls, plans, and processes are effective in their application. An audit is to provide independent assurance based on evidence.

Question 26

Audit evidence

Answer 26

all the information that is used by the auditor in arriving at the conclusions on which the auditor’s opinion is based.

Question 27

AUDIT PLAN

Answer 27

A high-level description of audit work to be performed in a specific time frame

Question 28

Evidence sampling-

Answer 28

applying a procedure to less than 100% of the population

Question 29

PENETRATION TESTING

Answer 29

To evaluate the security of a target by identifying and attempting to exploit vulnerabilities, improper configurations, and hidden points of entry (ethical hacking)

Question 30

Known environment-

Answer 30

the testers have much knowledge about the target system or network. With this level of knowledge, the testing team can do an in-depth analysis, target assessments, and explore potential attack vectors.

Question 31

Partially known environment

Answer 31

the organization provides restricted or selective information to the testers this approach can simulate scenarios where an attacker gains partial information through recon, or social engineering

Question 32

Unknown environment-

Answer 32

no information is provided to the testers. The testers need to discover vulnerabilities, conduct recon, identify potential entry points, and perform exploitation attempts.

Question 33

RULES OF ENGAGEMENT

Answer 33

ROE agreement details the parameters and expected assessor conduct of the penetration test.

Question 34

OFFENSIVE AND DEFENSIVE PENETRATION TESTING

Answer 34

It’s designed to simulate an attack and evaluate preventive and deterrent controls, detection, and response capability

Question 35

Offensive team

Answer 35

offensive penetration testing teams emulate the behaviors and techniques of likely attackers.

Question 36

Defensive team

Answer 36

teams are tasked with detective and defensive activities.

Question 37

Integrated team-

Answer 37

teams actively engage in monitoring, detection, and response activities during the testing process with a focus on information sharing and cooperation ( feedback bridge)

Question 38

Passive Recon

Answer 38

information gathering using publicly available resources. The target has no knowledge of the activity. Examples: IP addresses, external relationships, people/personnel info, content of interest, web, email, remote access portals

Question 39

Active Recon.

Answer 39

using technical tools to probe and discover information. Active recon may be intrusive and discovered. Examples- network connections, open ports, enumeration, vulnerabilities.

Question 40

Escalation of privilege

Answer 40

• the act of exploiting a vulnerability to gain elevated access to a resource.

Question 41

Pivoting

Answer 41

the act of using a weakness in one system to access a better-protected system

Question 42

Proof-of-concept (POC) exploitation

Answer 42

is the process of providing evidence that the vulnerability is exploitable

Question 43

Compromise exploitation

Answer 43

the process of fully exploiting the vulnerability without regard to potential damage

Question 44

NIST SETA MODEL [SP800-50]

Answer 44

Security Education, Training, and Awareness (SETA)

This model is designed to enhance an organization’s information security by educating and training employees about security policies, procedures, and practices.

Question 45

BRIEFING

Answer 45

Is insight and understanding for the long-term

Question 46

SECURITY AWARENESS

Answer 46

Security awareness programs should be inclusive of all levels of the organization and extend to consultations, and contractors. The objective is to influence behavior.

Question 47

ad hoc

Answer 47

something created or done for a specific purpose as needed, without prior planning or a fixed structure.