Security Program Management and Oversight Flashcards
How does an Acceptable Use Policy (AUP) contribute to cybersecurity in an organization?
By establishing guidelines for secure and responsible use of IT resources
Why is effective security governance crucial for managing cybersecurity risks?
To provide a strategic framework for identifying and mitigating risks
What is the primary goal of business continuity planning?
To minimize the impact of disruptions on business operations
Which of the following is a key element of a disaster recovery plan?
Offsite data backups
What is the purpose of a business impact analysis (BIA) in business continuity planning?
To prioritize critical business functions and processes
What is a key difference between business continuity planning and disaster recovery planning?
Business continuity planning encompasses the entire organization, while disaster recovery planning is specific to IT systems.
A company is implementing a backup and recovery solution for its production systems. The team wants to ensure minimal data loss in case of a disruption. What concept is the team primarily concerned with in this scenario?
RPO (Recovery Point Objective)
Which governance structure is likely to prioritize risk management and compliance?
Enterprise Governance
Which role would be responsible for defining access controls, ensuring data integrity, and overseeing the overall security posture of the customer database?
Data Owner
10) Which role would be responsible for ensuring that data processing activities comply with data protection regulations, obtaining consent from customers, and responding to data subject requests?
Data Controller
Which role would be responsible for ensuring the confidentiality, integrity, and availability of patient health records, implementing access controls, and conducting regular security training for staff?
Data Custodian
Which type of risk assessment would be most suitable for identifying and addressing emerging cybersecurity threats and vulnerabilities in real-time?
Continuous Risk Assessment
Which type of risk assessment would be most appropriate for identifying potential security vulnerabilities in a new software release before it goes live?
Ad hoc Risk Assessment
Which type of risk assessment would be most appropriate for identifying potential security vulnerabilities in a new software release before it goes live?
One-time Risk Assessment
In a software development project aiming to release a new version of a popular application, which type of risk analysis would be most appropriate for assigning qualitative measures to potential risks related to project timelines, software bugs, and user acceptance?
Qualitative Risk Analysis
In a cybersecurity project aiming to protect a financial institution’s network infrastructure, which type of risk analysis would be most appropriate for assigning numerical values to potential risks such as data breaches, system vulnerabilities, and financial losses?
Quantitative Risk Analysis
A cloud service provider experiences a service outage that lasts for 10 hours. During this time, the company estimates a loss of $50,000 in revenue. If the likelihood of such an outage occurring is determined to be 5% annually, what is the Single Loss Expectancy (SLE) for this event?.
$2,500
A healthcare organization is assessing the potential financial impact of a cybersecurity breach that could expose sensitive patient information. The estimated cost of addressing the breach and potential legal consequences is $500,000. If the likelihood of a cybersecurity breach in a given year is 8%, what is the Annualized Loss Expectancy (ALE)?
$40,000
During the due diligence process for vendor selection, what steps can help uncover potential conflicts of interest?
Conducting background checks on vendor employees
In the process of due diligence with a new software vendor, what aspect should be assessed to ensure compliance with licensing requirements?
The software licensing agreements
An organization is forming a partnership with a research institution to share resources and collaborate on joint projects. What type of agreement would you use to outline the terms of collaboration, responsibilities, and expectations without creating a legally binding contract?
Memorandum of Understanding (MOU)
An organization is entering into a partnership with a vendor to develop custom software. What type of agreement would you use to define the specific technical requirements, deliverables, and milestones of the software development project?
Statement of Work (SOW)
What type of agreement would should be used as a framework to govern the overall relationship, with provisions for scope of work, pricing, and general terms and conditions with a potential vendor?
Master Service Agreement (MSA)
What initial step would you take to gather information about the vendor’s security practices and policies before entering into an agreement?
Send the vendor a cybersecurity questionnaire
An organization is monitoring a critical third-party vendor’s performance and security practices regularly. What key objective does vendor monitoring aim to achieve in this scenario?
Identifying and mitigating potential risks
A Cyber Security firm operates in a highly regulated industry, and you’ve discovered that a critical business process is not in compliance with industry standards. What is a potential consequence of this non-compliance?
Sanctions
What element is crucial in conducting effective risk assessments to ensure compliance?
Involvement of key stakeholders
An organization has experienced a data breach involving sensitive personal information. What legal obligation does your organization likely have in such a situation?
Notifying affected individuals and relevant authorities
A consulting firm operates in multiple countries within the European Union (EU), each with its own specific data protection laws. What challenge does this pose in regarding privacy compliance?
Managing varying local/regional legal requirements
An online business receives a request from an individual to delete their personal data. What legal right is the individual exercising, and how should the organization respond?
Right to be forgotten
What type of penetration testing is most appropriate for identifying and exploiting vulnerabilities in external-facing web application to assess the security posture of the web application?
Offensive penetration testing
A financial firm is undergoing an assessment to evaluate the effectiveness of its internal controls and security practices. What type of external assessment is most appropriate for this purpose?
Independent third-party audit
An organization wants to assess the security posture of its information systems by engaging an external entity. What type of external audit is most appropriate for this purpose?
Security assessment
What type of reconnaissance technique is most suitable for gathering information about potential security vulnerabilities in a competitor’s web application without directly interacting with it?
Passive reconnaissance
In a penetration test for an unknown environment, what initial phase is crucial for gathering information and understanding the target?
Reconnaissance
As an IT security specialist, you receive reports from employees about suspicious emails. What is the most appropriate initial action to take in response to these reports?
Verify the reported emails and assess the threat level
In the event of a suspected phishing attack, what is the primary action employees should take to mitigate the risk?
Report the suspicious email to the IT security team
What is the primary objective of a data classification policy in an organization’s security framework?
To categorize data based on sensitivity and define handling procedures
How does implementing account lockout policies contribute to credential security within an organization?
Prevents unauthorized access by limiting login attempts
In the context of security best practices, what does “Separation of Duties” aim to achieve?
Dividing tasks among different individuals to prevent fraud and errors
What should be included in a comprehensive third-party risk management plan?
Assessment of third-party access and controls
How does governance differ from compliance in the context of security management?
Governance defines the rules, while compliance ensures adherence to those rules
What is the primary objective of an IT audit of an organization’s security governance?
Verifying compliance with policies and regulations
A software development company is collaborating with an external vendor to enhance a proprietary algorithm. What is a primary purpose of having both parties sign an NDA in this scenario?
Preventing the disclosure of confidential information
An organization is implementing a disaster recovery plan, and the IT team needs guidance on the steps to take in case of a data center failure. What is the primary purpose of a disaster recovery playbook in this context?
Outlining the step-by-step procedures for data recovery
Which phase of the Software Development Lifecycle (SDLC) is focused on identifying and planning for potential security risks?
Requirements
Which of the following is an example of a risk scenario where likelihood is a crucial consideration?
An employee unintentionally disclosing sensitive information
What distinguishes independent assessments from internal audits in security management?
Independent assessments are more focused on compliance, while internal audits focus on risk management.
What is a key responsibility of a Security Steering Committee within an organization’s security program management?
Overseeing and providing guidance for the security program
What is a potential consequence of failing to address conflicts of interest in a security-related project?
Compromised project integrity
