Security Program Management and Oversight Flashcards

Domain 5

1
Q

Guidelines

A

Informed suggestions for task completion

2
Q

Standards

A

Established criteria for consistency and quality:
Password: Requirements for secure password management
Access control: Control access to systems
Physical security: Physical methods to protect assets and premises
Encryption: Cryptographic techniques used to secure data

3
Q

Policies

A

Organizational rules for specific areas:
AUP: Guidelines for acceptable system usage
Information security policies: Rules for protecting data and systems
Business continuity: Strategies for operational sustainability
Disaster recovery: Plans to restore operations post-disaster
Incident response: Protocols for addressing security incidents
SDLC: Framework for software development processes
Change management: Managing changes in a structured manner

4
Q

Procedures

A

Established methods for task completion:
Change management: Structured approach to change implementation
Onboarding/offboarding: Employee entry/exit processes
Playbooks: Guides for specific scenarios or procedures

6
Q

External considerations

A

External factors affecting decision-making:
Regulatory: Maintaining compliance with external regulations and laws
Legal: Adherence to legal requirements and obligations
Industry: Considerations specific to the industry sector
Local/regional: Pertaining to specific geographic areas
National: Influences at the national level
Global: Factors in the international context

7
Q

Monitoring and revision

A

Ongoing assessment and adaptation

8
Q

Types of governance structures

A

Frameworks for organizational oversight:
Boards: Governing bodies providing strategic direction
Committees: Specialized groups within governance
Government entities: Public bodies responsible for governance
Centralized/decentralized: Different organizational structures

10
Q

Roles and responsibilities for systems and data

A

Duties in data management:
Owners: Stakeholders accountable for data/systems
Controllers: Stakeholders that produce policies for data processing
Processors: Handle data processing tasks
Custodians/stewards: Stakeholders that protect and encrypt data

11
Q

Risk identification

A

Identifying a risk

12
Q

Risk assessment

A

Assessing the impact of a risk:
Ad hoc risk assessment: Spontaneous evaluation of a risk
Recurring risk assessment: Regularly scheduled risk evaluations conducted at set intervals
One-time risk assessment: Occasional, project-specific risk evaluations
Continuous risk assessment: Ongoing, automated monitoring and updating of risk factors

13
Q

Risk analysis

A

Qualitative risk analysis: Subjective evaluation based on non-numeric factors
Quantitative risk analysis: Data-driven assessment using numeric values and calculations
Single Loss Expectancy (SLE): Estimation of potential loss from a single risk occurrence
Annualized Loss Expectancy (ALE): Expected annual loss from a specific risk
Annualized Rate of Occurrence (ARO): Average frequency of a risk happening
Probability: Likelihood of a specific risk event occurring
Likelihood: The chance of a risk event taking place
Exposure factor: Proportion of asset loss in case of a risk event
Impact: The repercussions and consequences of a risk event

14
Q

Risk register

A

A comprehensive record of identified risks and their details:
Key risk indicators: Critical metrics used to gauge potential risks
Risk owners: Individuals responsible for managing specific risks
Risk threshold: The predefined limit at which a risk becomes unacceptable

15
Q

Risk tolerance

A

The organization’s capacity to withstand and manage risks

16
Q

Risk appetite

A

The amount of risk that an organization can bear:
Expansionary: A willingness to embrace risk for potential gains
Conservative: A cautious approach, minimizing risk exposure
Neutral: A balanced stance regarding risk tolerance

17
Q

Risk management strategies

A

Transfer: Shifting risk responsibility to external parties or insurance
Accept: Acknowledging and tolerating the risk without active intervention:
  Exemption: Granting specific situations immunity from standard risk protocols
  Exception: Allowing deviations from regular risk procedures under special circumstances
Avoid: Preventing or circumventing the risk entirely through proactive measures
Mitigate: Implementing measures to reduce the impact of the risk

18
Q

Risk reporting

A

Communicating the status of identified risks to stakeholders

19
Q

Business impact analysis

A

Recovery Time Objective (RTO): The targeted time for full system recovery after an incident
Recovery Point Objective (RPO): The specific point in time to which data must be restored following an event
Mean Time to Repair (MTTR): The average duration needed to fix a system or component after it fails
Mean Time Between Failures (MTBF): The average interval between system or component failures

20
Q

Vendor assessment

A

Ensuring you have the right vendor:
Penetration testing: Identifying vulnerabilities in systems or networks
Right-to-audit clause: Allows you to audit a vendor
Evidence of internal audits: Validates internal controls and risk management
Independent assessments: Unbiased evaluations of a vendor’s operations
Supply chain analysis: Evaluating risks in a vendor’s supply chain

21
Q

Vendor selection

A

Choosing vendors through comprehensive assessment:
Due diligence: Thorough evaluation of a potential vendor’s reliability
Conflict of interest: Addressing biases in vendor selection

22
Q

Agreement types

A

Deciding how you will work together:
Service-Level Agreement (SLA): Defines service expectations and responsibilities
Memorandum of Agreement (MOA): Outlines binding cooperation terms and conditions
Memorandum of Understanding (MOU): Documents mutual goals; not legally binding
Master Service Agreement (MSA): States general terms for prolonged collaboration
Work Order/Statement of Work (SOW): Details specific tasks, deliverables, and timelines
Non-Disclosure Agreement (NDA): Legally protects confidential information
Business Partnership Agreement (BPA): Regulates partnership contributions and profit-sharing

23
Q

Vendor monitoring

A

Oversees vendor performance and compliance

24
Q

Questionnaires

A

Gathers specific information from vendors

25
Q

Rules of engagement

A

Defines interaction boundaries and expectations

26
Q

Compliance reporting

A

The process of documenting adherence to regulations:
Internal monitoring: Oversight within the organization
External monitoring: Oversight by external entities or authorities

27
Q

Consequences of non-compliance

A

Outcomes for violations:
Fines: Regulatory penalties for non-compliance
Sanctions: Imposed penalties or restrictions
Reputational damage: Harm to an organization’s image
Loss of license: Revoking permissions or certifications
Contractual impacts: Consequences for breached agreements

28
Q

Compliance monitoring

A

Ensuring adherence to regulations:
Due diligence/care: Exercising thoroughness and care
Attestation and acknowledgment: Confirming compliance and recognizing it
Internal and external: Monitoring within and outside the organization
Automation: Automated processes and controls for efficiency

29
Q

Privacy

A

Protecting individuals’ personal information and rights:
Legal implications: Legal consequences and obligations
Local/regional: Regulations specific to local or regional areas
National: Regulations at the national level
Global: Worldwide data protection regulations
Data subject: Individuals whose data is processed
Controller: Entity that determines data processing purposes
Processor: Entity processing data on behalf of the controller
Ownership: Legal rights to data control
Data inventory: Cataloging and managing data assets
Data retention: Policies for data storage duration
Right to be forgotten: Individuals’ right to have their data erased

30
Q

Attestation

A

External validation of information

31
Q

Internal audits

A

Audits within an organization:
Compliance: Adherence to rules and regulations
Audit committee: Oversight of internal audit functions
Self-assessments: Internal evaluations for improvement

32
Q

External audits

A

Audits by independent entities:
Regulatory audits: Ensuring adherence to industry regulations
Examinations: Detailed scrutiny of financial records
Independent third-party audit: External impartial assessments

33
Q

Penetration testing

A

Assessing security through simulated attacks:
Physical: Testing involving real-world access attempts
Offensive: Simulated attacks by ethical hackers
Defensive: Evaluating an organization’s defense mechanisms
Integrated: Comprehensive testing combining various approaches
Known environment: Testing with extensive knowledge about the target
Partially known environment: Testing with limited target information
Unknown environment: Testing with no prior target knowledge
Reconnaissance: Information gathering before penetration testing
Passive: Gathering data without direct interaction
Active: Interacting directly with the target’s systems

34
Q

Types of anomalous behavior

A

Risky: Carrying out risky practices
Unexpected: A user attempting unauthorized access
Unintentional: Damage caused by human error

35
Q

User guidance and training methods

A

Policy/handbooks: Training material
Situational awareness: A training aid for a job role
Insider threat: A disgruntled employee causing damage
Password management: Best practice for passwords
Removable media and cables: Attack vectors
Social engineering: Catching users unaware
Operational security: Looking at social engineering attacks
Hybrid/remote work environments: Working in remote locations

36
Q

Reporting and monitoring

A

Initial: Evaluating training effectiveness
Recurring: Retraining if staff’s guard is lowered
Development: Creating training materials
Execution: Delivery of training