Security Program Management and Oversight (D5) Flashcards
DOMAIN 5
Governance - Crucial Aspects (Governance and Compliance)
Risk Management
Strategic Alignment
Resource Management
Performance Management
Compliance - Importance of it (Governance and Compliance)
Legal Obligations
Trust and Reputation
Data Protection
Business Continuity
Policies (Governance and Compliance)
Acceptable Use Policies (AUP)
Information Security Policies
Business Continuity
Disaster Recovery
Incident Response
Change Management
Software Development Lifecycle (SDLC)
Purpose of Governance
Establishes a strategic framework aligning with objectives and regulations
Defines rules, responsibilities, and practices for achieving goals and managing IT resources
Standards (Governance and Compliance)
Standards
Password Standards
Access Control Standards
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
Geographical Consideration (Governance and Compliance)
Regional considerations, like the CCPA in California, impose state-level regulations
National considerations, e.g., the ADA in the US, affect business across the entire country
Global considerations, like the GDPR, apply extraterritorially to organizations dealing with EU citizens’ data
Due Diligence and Due Care (Governance and Compliance)
Due Diligence - Identifying compliance risks through thorough review
Due Care - Mitigating identified risks
Attestation and Acknowledgement (Governance and Compliance)
Attestation - Formal declaration by a responsible party that the organization’s processes and controls are compliant
Acknowledgement - Recognition and acceptance of compliance requirements by all relevant parties
Risk Management Lifecycle
Risk Identification
Risk Analysis
Risk Treatment
Risk Monitoring
Risk Reporting
Risk Identification Concepts
(Key Metrics in Business Impact Analysis (BIA))
Recovery Time Objective
Recovery Point Objective
Mean Time to Repair
Mean Time Between Failures
Risk Analysis
Qualitative Risk Analysis - Assess and prioritize risks based on likelihood and impact
Quantitative Risk Analysis - Numerically estimate probability and potential impact
Risk Management Strategies - Types
Risk Transfer
Risk Acceptance
Risk Avoidance
Risk Mitigation
Recovery Time Objective (RTO)
- Maximum acceptable time before severe impact
- Target time for restoring a business process
Recovery Point Objective (RPO)
- Maximum acceptable data loss measured in time
- Point in time data must be restored to
Mean Time to Repair (MTTR)
- Average time to repair a failed component or system
- Indicator of repair speed and downtime minimization
Mean Time Between Failures (MTBF)
- Average time between system or component failures
- Measure of reliability
Components of Risk Register
Risk Description
Risk Impact
Risk Likelihood
Risk Outcome
Risk Level or Threshold
Risk Description (Components of Risk Register)
- Identifies and describes the risk
- Clear and concise description
Risk Impact (Components of Risk Register)
- Potential consequences of risk occurrence
- Rated on a scale (e.g., low, medium, high)
Risk Likelihood (Components of Risk Register)
- Probability of risk occurrence
- Rated on a scale (e.g., numerical or descriptive)
Risk Outcome (Components of Risk Register)
- Result of the risk if it occurs
Risk Level or Threshold (Components of Risk Register)
- Determined by combining the impact and likelihood
- Prioritizes risks (e.g., high, medium, low)
Risk Tolerance (Risk Acceptance)
- An organization or individual’s willingness to deal with uncertainty in pursuit of their goals
- Maximum amount of risk they are willing to accept
- Acceptance without countermeasures
Risk Appetite
- Willingness to pursue or retain risk
- Types (Expansionary, Conservative, Neutral)