Security Program Management and Oversight Flashcards
Domain 5
Guidelines
Recommended, non-mandatory advice on how to complete a task (unlike standards, which are mandatory)
Standards
Established, mandatory criteria for consistency and quality:
Password: Required length, complexity, history, rotation and storage rules for passwords
Access control: Rules for how access to systems and data is granted, reviewed and revoked
Physical security: Physical methods to protect assets and premises
Encryption: Approved cryptographic algorithms, key lengths and key-management practices used to secure data
Policies
Organizational rules for specific areas:
AUP (acceptable use policy): Rules for what users may and may not do with organizational systems and data
Information security policies: Rules for protecting data and systems
Business continuity: Strategies for keeping critical operations running during a disruption
Disaster recovery: Plans to restore systems and operations after a disaster
Incident response: Protocols for detecting, containing and recovering from security incidents
SDLC (software development life cycle): Framework for building software securely from requirements through retirement
Change management: Managing changes in a structured, approved and documented manner
Procedures
Established step-by-step methods for task completion:
Change management: Structured approach to requesting, approving, testing and implementing changes
Onboarding/offboarding: Employee entry/exit processes (provisioning and revoking accounts and access)
Playbooks: Step-by-step guides for handling a specific scenario, such as a phishing incident
External considerations
External factors affecting decision-making:
Regulatory: Maintaining compliance with external regulations and laws
Legal: Adherence to legal requirements and obligations
Industry: Considerations specific to the industry sector
Local/regional: Pertaining to specific geographic areas
National: Influences at the national level
Global: Factors in the international context
Monitoring and revision
Ongoing assessment and adaptation
Types of governance structures
Frameworks for organizational oversight:
Boards: Governing bodies providing strategic direction
Committees: Specialized groups within governance
Government entities: Public bodies responsible for governance
Centralized/decentralized: Different organizational structures
Roles and responsibilities for systems and data
Duties in data management:
Owners: Stakeholders accountable for data/systems and for deciding how they are classified and protected
Controllers: Stakeholders that determine the purposes and means of data processing
Processors: Handle data processing on behalf of, and under the instructions of, a controller
Custodians/stewards: Stakeholders that implement day-to-day protection (backups, encryption, access enforcement) and data quality on the owner's behalf
Risk identification
Discovering and documenting risks (threats acting on vulnerabilities) that could affect the organization's assets or operations
Risk assessment
Assessing the likelihood and impact of a risk:
Ad hoc risk assessment: Evaluation performed as needed in response to a specific event or question
Recurring risk assessment: Regularly scheduled risk evaluations conducted at set intervals
One-time risk assessment: Occasional, project-specific risk evaluation
Continuous risk assessment: Ongoing, automated monitoring and updating of risk factors
Risk analysis
Qualitative risk analysis: Subjective evaluation using non-numeric ratings (e.g., low/medium/high likelihood and impact)
Quantitative risk analysis: Data-driven assessment using numeric values and calculations
Single Loss Expectancy (SLE): Estimated loss from a single risk occurrence; SLE = asset value (AV) × exposure factor (EF)
Annualized Loss Expectancy (ALE): Expected annual loss from a specific risk; ALE = SLE × ARO
Annualized Rate of Occurrence (ARO): Average number of times a risk is expected to occur per year
Probability: Numeric measure of how likely a specific risk event is to occur
Likelihood: Qualitative rating of the chance that a risk event will take place
Exposure factor: Percentage of an asset's value expected to be lost in a single risk event
Impact: The repercussions and consequences of a risk event
Risk register
A comprehensive record of identified risks and their details:
Key risk indicators: Metrics that give early warning that a risk's likelihood or impact is rising
Risk owners: Individuals responsible for managing specific risks
Risk threshold: The predefined limit at which a risk becomes unacceptable and must be treated
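The SLE/ALE/ARO formulas and the risk-register fields are easiest to understand when applied to a small register. The Python below is an added example, not part of the flashcards: the risk entries, their KRIs, the risk threshold and the qualitative rating bands are constructed sample data, and the control cost-benefit function goes one step beyond the cards by using ALE to judge whether a control is worth its annual cost.

```python
"""Risk register calculator (added example, not from the flashcards).

Implements the Domain 5 formulas as stated on the cards:
    SLE = AV x EF     single loss expectancy
    ALE = SLE x ARO   annualized loss expectancy
plus a simple qualitative likelihood x impact rating. All risk entries,
the threshold and the 5x5 rating bands are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    owner: str              # risk owner responsible for managing this risk
    asset_value: float      # AV: value of the affected asset
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0-1.0)
    aro: float              # ARO: expected occurrences per year
    kri: str = ""           # key risk indicator watched for this risk

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce nonsense (EF > 100 %, negative loss).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year (SLE x ARO)."""
        return self.sle * self.aro


def annualized_rate(incidents: int, years: float) -> float:
    """Derive ARO from observed history: incidents per year."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return incidents / years


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative analysis: 1-5 likelihood x 1-5 impact, banded into Low/Medium/High.
    The band boundaries (>= 15 High, >= 6 Medium) are an assumption for this example."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be 1-5")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def risk_register(risks: list[Risk], threshold: float) -> list[dict]:
    """Build register rows ordered by ALE and flag risks above the risk threshold."""
    rows = []
    for r in sorted(risks, key=lambda x: x.ale, reverse=True):
        rows.append({
            "risk": r.name,
            "owner": r.owner,
            "kri": r.kri,
            "sle": round(r.sle, 2),
            "ale": round(r.ale, 2),
            "exceeds_threshold": r.ale > threshold,
        })
    return rows


def control_benefit(risk: Risk, ale_after: float, annual_control_cost: float) -> float:
    """Annual value of a control: ALE reduction minus the control's yearly cost.
    A negative result means the control costs more than the loss it prevents."""
    return (risk.ale - ale_after) - annual_control_cost


# Constructed sample register (not real figures).
SAMPLE_RISKS = [
    Risk("Ransomware on file server", "IT Director", 500_000, 0.4, 0.2,
         kri="unpatched critical CVEs older than 30 days"),
    Risk("Laptop theft", "Facilities Manager", 2_000, 1.0, 5,
         kri="devices without full-disk encryption"),
    Risk("Web app defacement", "AppSec Lead", 80_000, 0.1, 0.5,
         kri="failed WAF rule deployments"),
]
RISK_THRESHOLD = 25_000  # assumed: ALE above this is unacceptable without treatment

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS, RISK_THRESHOLD):
        print(row)
    print("Qualitative (likelihood 4, impact 5):", qualitative_rating(4, 5))
    print("Ransomware control benefit:", control_benefit(SAMPLE_RISKS[0], 10_000, 15_000))
```

In the sample register only the ransomware entry (SLE 200,000; ALE 40,000) crosses the 25,000 threshold, so it is the one the risk owner must treat; a control that cuts its ALE to 10,000 for 15,000 a year still yields a positive annual benefit, while the same spend on laptop theft (ALE 10,000) could never pay for itself.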
Risk tolerance
The organization’s capacity to withstand and manage risks