Security Program Management and Oversight Flashcards

1
Q

How does an Acceptable Use Policy (AUP) contribute to cybersecurity in an organization?

A

By establishing guidelines for secure and responsible use of IT resources

2
Q

Why is effective security governance crucial for managing cybersecurity risks?

A

To provide a strategic framework for identifying and mitigating risks

3
Q

What is the primary goal of business continuity planning?

A

To minimize the impact of disruptions on business operations

4
Q

Which of the following is a key element of a disaster recovery plan?

A

Offsite data backups

5
Q

What is the purpose of a business impact analysis (BIA) in business continuity planning?

A

To prioritize critical business functions and processes

6
Q

What is a key difference between business continuity planning and disaster recovery planning?

A

Business continuity planning encompasses the entire organization, while disaster recovery planning is specific to IT systems.

7
Q

A company is implementing a backup and recovery solution for its production systems. The team wants to ensure minimal data loss in case of a disruption. What concept is the team primarily concerned with in this scenario?

A

RPO (Recovery Point Objective)

8
Q

Which governance structure is likely to prioritize risk management and compliance?

A

Enterprise Governance

9
Q

Which role would be responsible for defining access controls, ensuring data integrity, and overseeing the overall security posture of the customer database?

A

Data Owner

10
Q

Which role would be responsible for ensuring that data processing activities comply with data protection regulations, obtaining consent from customers, and responding to data subject requests?

A

Data Controller

11
Q

Which role would be responsible for ensuring the confidentiality, integrity, and availability of patient health records, implementing access controls, and conducting regular security training for staff?

A

Data Custodian

12
Q

Which type of risk assessment would be most suitable for identifying and addressing emerging cybersecurity threats and vulnerabilities in real-time?

A

Continuous Risk Assessment

13
Q

Which type of risk assessment would be most appropriate for identifying potential security vulnerabilities in a new software release before it goes live?

A

Ad hoc Risk Assessment

14
Q

Which type of risk assessment would be most appropriate for identifying potential security vulnerabilities in a new software release before it goes live?

A

One-time Risk Assessment

15
Q

In a software development project aiming to release a new version of a popular application, which type of risk analysis would be most appropriate for assigning qualitative measures to potential risks related to project timelines, software bugs, and user acceptance?

A

Qualitative Risk Analysis

16
Q

In a cybersecurity project aiming to protect a financial institution’s network infrastructure, which type of risk analysis would be most appropriate for assigning numerical values to potential risks such as data breaches, system vulnerabilities, and financial losses?

A

Quantitative Risk Analysis

17
Q

A cloud service provider experiences a service outage that lasts for 10 hours. During this time, the company estimates a loss of $50,000 in revenue. If the likelihood of such an outage occurring is determined to be 5% annually, what is the Single Loss Expectancy (SLE) for this event?

A

$2,500

18
Q

A healthcare organization is assessing the potential financial impact of a cybersecurity breach that could expose sensitive patient information. The estimated cost of addressing the breach and potential legal consequences is $500,000. If the likelihood of a cybersecurity breach in a given year is 8%, what is the Annualized Loss Expectancy (ALE)?

A

$40,000

19
Q

During the due diligence process for vendor selection, what steps can help uncover potential conflicts of interest?

A

Conducting background checks on vendor employees

20
Q

In the process of due diligence with a new software vendor, what aspect should be assessed to ensure compliance with licensing requirements?

A

The software licensing agreements

21
Q

An organization is forming a partnership with a research institution to share resources and collaborate on joint projects. What type of agreement would you use to outline the terms of collaboration, responsibilities, and expectations without creating a legally binding contract?

A

Memorandum of Understanding (MOU)

22
Q

An organization is entering into a partnership with a vendor to develop custom software. What type of agreement would you use to define the specific technical requirements, deliverables, and milestones of the software development project?

A

Statement of Work (SOW)

23
Q

What type of agreement should be used as a framework to govern the overall relationship with a potential vendor, with provisions for scope of work, pricing, and general terms and conditions?

A

Master Service Agreement (MSA)

24
Q

What initial step would you take to gather information about the vendor’s security practices and policies before entering into an agreement?

A

Send the vendor a cybersecurity questionnaire

25
Q

An organization is monitoring a critical third-party vendor’s performance and security practices regularly. What key objective does vendor monitoring aim to achieve in this scenario?

A

Identifying and mitigating potential risks

26
Q

A cybersecurity firm operates in a highly regulated industry, and you’ve discovered that a critical business process is not in compliance with industry standards. What is a potential consequence of this non-compliance?

A

Sanctions

27
Q

What element is crucial in conducting effective risk assessments to ensure compliance?

A

Involvement of key stakeholders

28
Q

An organization has experienced a data breach involving sensitive personal information. What legal obligation does your organization likely have in such a situation?

A

Notifying affected individuals and relevant authorities

29
Q

A consulting firm operates in multiple countries within the European Union (EU), each with its own specific data protection laws. What challenge does this pose regarding privacy compliance?

A

Managing varying local/regional legal requirements

30
Q

An online business receives a request from an individual to delete their personal data. What legal right is the individual exercising, and how should the organization respond?

A

Right to be forgotten

31
Q

What type of penetration testing is most appropriate for identifying and exploiting vulnerabilities in an external-facing web application in order to assess its security posture?

A

Offensive penetration testing

32
Q

A financial firm is undergoing an assessment to evaluate the effectiveness of its internal controls and security practices. What type of external assessment is most appropriate for this purpose?

A

Independent third-party audit

33
Q

An organization wants to assess the security posture of its information systems by engaging an external entity. What type of external audit is most appropriate for this purpose?

A

Security assessment

34
Q

What type of reconnaissance technique is most suitable for gathering information about potential security vulnerabilities in a competitor’s web application without directly interacting with it?

A

Passive reconnaissance

35
Q

In a penetration test for an unknown environment, what initial phase is crucial for gathering information and understanding the target?

A

Reconnaissance

36
Q

As an IT security specialist, you receive reports from employees about suspicious emails. What is the most appropriate initial action to take in response to these reports?

A

Verify the reported emails and assess the threat level

37
Q

In the event of a suspected phishing attack, what is the primary action employees should take to mitigate the risk?

A

Report the suspicious email to the IT security team

38
Q

What is the primary objective of a data classification policy in an organization’s security framework?

A

To categorize data based on sensitivity and define handling procedures

39
Q

How does implementing account lockout policies contribute to credential security within an organization?

A

Prevents unauthorized access by limiting login attempts

40
Q

In the context of security best practices, what does “Separation of Duties” aim to achieve?

A

Dividing tasks among different individuals to prevent fraud and errors

41
Q

What should be included in a comprehensive third-party risk management plan?

A

Assessment of third-party access and controls

42
Q

How does governance differ from compliance in the context of security management?

A

Governance defines the rules, while compliance ensures adherence to those rules

43
Q

What is the primary objective of an IT audit of an organization’s security governance?

A

Verifying compliance with policies and regulations

44
Q

A software development company is collaborating with an external vendor to enhance a proprietary algorithm. What is a primary purpose of having both parties sign an NDA in this scenario?

A

Preventing the disclosure of confidential information

45
Q

An organization is implementing a disaster recovery plan, and the IT team needs guidance on the steps to take in case of a data center failure. What is the primary purpose of a disaster recovery playbook in this context?

A

Outlining the step-by-step procedures for data recovery

46
Q

Which phase of the Software Development Lifecycle (SDLC) is focused on identifying and planning for potential security risks?

A

Requirements

47
Q

Which of the following is an example of a risk scenario where likelihood is a crucial consideration?

A

An employee unintentionally disclosing sensitive information

48
Q

What distinguishes independent assessments from internal audits in security management?

A

Independent assessments are more focused on compliance, while internal audits focus on risk management.

49
Q

What is a key responsibility of a Security Steering Committee within an organization’s security program management?

A

Overseeing and providing guidance for the security program

50
Q

What is a potential consequence of failing to address conflicts of interest in a security-related project?

A

Compromised project integrity