Security Program Management and Oversight Flashcards
Security Governance
Framework that ensures an org’s security strategies align with business objectives and compliance requirements
Business Continuity Plan (BCP)
Strategy that outlines procedures for maintaining business operations during and after a disruptive event
Disaster Recovery Plan (DRP)
Documented process for restoring IT systems and data after a disaster to resume normal business operations
Compliance
Adherence to laws, regulations, standards, and policies relevant to an org’s operations
Acceptable Use Policy (AUP)
Guidelines that define acceptable and unacceptable behaviors when using organizational resources
Security Audit
Evaluation of an org’s security policies, procedures, and controls to ensure effectiveness and compliance
Change Management
Systematic approach to managing alterations in IT systems to minimize negative impact on services
Asset Management
Process of tracking and managing an org’s assets, including hardware, software, and data
Data Classification
Process of organizing data into categories based on sensitivity and criticality to ensure proper protection
Chief Information Security Officer (CISO)
Senior executive responsible for developing and implementing an information security program
Security Metrics
Quantitative measures used to assess the effectiveness of an org’s security controls
Policy Exception Management
Process of handling deviations from established security policies in a controlled and documented manner
Continuous Monitoring
Ongoing observation of an org’s security posture to detect and respond to threats in real time
Segregation of Duties (SoD)
The practice of dividing responsibilities among different individuals to reduce the risk of fraud or error
Security Baseline
Minimum security standards and configurations that must be applied to systems within an org
Risk Appetite
Amount of risk an org is willing to accept in pursuit of its objectives
Business Impact Analysis (BIA)
Process of determining the potential effects of an interruption of critical business operations
Threat Modeling
Structured approach to identifying and prioritizing potential threats to a system
Security Control Assessment
Evaluation of security controls to determine their effectiveness in protecting information assets
Security Posture
Overall security status of an org’s software, hardware, network, and information
Risk Assessment
Identifying and evaluating risks to an org’s information assets
Security Governance Framework
Structured approach that defines the policies, procedures, and controls to manage and monitor an org’s security
Policy Development Lifecycle
Structured process an org follows to create, implement, and maintain policies
Quantitative Risk Assessment
Risk assessment method that assigns numerical values to risks based on potential impact and likelihood
Qualitative Risk Assessment
Risk assessment method that evaluates risks based on subjective criteria like likelihood and impact using categories
Examples: low, medium, high
Due Diligence
Process of investigating and ensuring proper security controls and measures are in place
Due Care
Taking reasonable actions to protect org assets and prevent security incidents
Key Risk Indicators (KRIs)
Metrics used to measure the likelihood and impact of risks within an org
Data Steward
Responsible for managing data quality and enforcing data governance policies
Data Custodian
Responsible for maintaining and protecting data as per org policies
Control Risk Self-Assessment (CRSA)
Process where teams assess the effectiveness of security controls to identify gaps or weaknesses
Program Management Officer (PMO)
Org unit responsible for standardizing and managing security related programs and projects
Incident Coordinator
Responsible for managing and coordinating the response to security incidents
Policy Dissemination
Process of distributing and communicating policies to ensure understanding and compliance
Tabletop Exercise
Simulated discussions of security incident scenarios to practice response and improve plans
Service Continuity Management (SCM)
Ensuring that critical services remain operational during and after a disruption
System of Record (SoR)
Serves as the authoritative reference for certain types of data
Recovery Time Objective (RTO)
Max time allowed to restore a service or system after an outage
Recovery Point Objective (RPO)
Max tolerable amount of data loss measured in time during a disruption
Retention Policy
Rules governing how long data must be kept and when it should be disposed
Benchmarking
Comparing an org’s security practices and performance to industry standards or peers
Residual Risk
Level of risk that remains after security controls have been applied to mitigate a threat
Zero Trust Architecture (ZTA)
A security model that requires verification of every user and device attempting to access resources, regardless of location or network
Risk Register
A document that identifies, assesses, and prioritizes risks, along with their mitigation strategies and status
Third-Party Assessment
Evaluation conducted to ensure that vendors or partners comply with an organization’s security policies and standards
Data Retention Policy
Defines how long data should be kept, the methods for securely storing it, and when it should be securely disposed of
Privacy Impact Assessment (PIA)
An analysis conducted to identify and mitigate privacy risks associated with the collection, storage, and use of personal data