Security Program Management and Oversight Flashcards

1
Q

Security Governance

A

Framework that ensures an org’s security strategies align with business objectives and compliance requirements

2
Q

Business Continuity Plan (BCP)

A

Strategy that outlines procedures for maintaining business operations during and after a disruptive event

3
Q

Disaster Recovery Plan (DRP)

A

Documented process for restoring IT systems and data after a disaster to resume normal business operations

4
Q

Compliance

A

Adherence to laws, regulations, standards, and policies relevant to an org’s operations

5
Q

Acceptable Use Policy (AUP)

A

Guidelines that define acceptable and unacceptable behaviors when using organizational resources

6
Q

Security Audit

A

Evaluation of an org’s security policies, procedures, and controls to ensure effectiveness and compliance

7
Q

Change Management

A

Systematic approach to managing alterations in IT systems to minimize negative impact on services

8
Q

Asset Management

A

Process of tracking and managing an org’s assets, including hardware, software, and data

9
Q

Data Classification

A

Process of organizing data into categories based on sensitivity and criticality to ensure proper protection

10
Q

Chief Information Security Officer (CISO)

A

Senior executive responsible for developing and implementing an org’s information security program

11
Q

Security Metrics

A

Quantitative measures used to assess the effectiveness of an org’s security controls

12
Q

Policy Exception Management

A

Process of handling deviations from established security policies in a controlled and documented manner

13
Q

Continuous Monitoring

A

Ongoing observation of an org’s security posture to detect and respond to threats in real time

14
Q

Segregation of Duties (SoD)

A

The practice of dividing responsibilities among different individuals so that no single person can complete a sensitive process alone, reducing the risk of fraud or error
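A segregation-of-duties check over role assignments, as an added example (not part of the original flashcard set). The conflict rules, roles, permissions and users are constructed for illustration: the duties in SOD_RULES are pairs one person should not hold together, and the check flags any user whose combined role grants cover both halves of a pair, plus a preventive check to run before a new role is granted.

```python
"""Segregation-of-duties (SoD) check over role-based access assignments.

Added example, not from the flashcard set. Every rule, role, permission
and user below is constructed for illustration.
"""
from itertools import combinations

# Pairs of duties that must not be held by the same person (constructed).
SOD_RULES = {
    "vendor-payment": ("create_vendor", "approve_payment"),
    "change-deploy": ("approve_change", "deploy_production"),
    "access-request": ("request_access", "approve_access"),
}

# Role -> permissions it grants (constructed).
ROLE_PERMISSIONS = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "developer": {"commit_code", "deploy_production"},
    "change_approver": {"approve_change"},
    "helpdesk": {"request_access"},
    "iam_admin": {"approve_access"},
}

# User -> roles currently assigned (constructed).
USER_ROLES = {
    "alice": {"ap_clerk", "ap_manager"},         # can create a vendor and pay it
    "bob": {"developer"},
    "carol": {"developer", "change_approver"},   # can approve her own deploy
    "dave": {"helpdesk"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Return {user: [rule names]} for every user holding both halves of a rule.

    Detective check: run it periodically (or on every access review) over
    the live assignments.
    """
    violations = {}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_permissions)
        hits = [name for name, (a, b) in rules.items() if a in perms and b in perms]
        if hits:
            violations[user] = hits
    return violations


def toxic_role_pairs(role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Role pairs that can never be co-assigned without breaking a rule.

    Useful at design time: a toxic pair is a conflict baked into the role
    model itself, not just into one user's assignments.
    """
    toxic = set()
    for r1, r2 in combinations(sorted(role_permissions), 2):
        perms = role_permissions[r1] | role_permissions[r2]
        if any(a in perms and b in perms for a, b in rules.values()):
            toxic.add((r1, r2))
    return sorted(toxic)


def would_violate(user, new_role, user_roles=USER_ROLES,
                  role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Preventive check: rules the user would break if new_role were granted."""
    proposed = dict(user_roles)
    proposed[user] = set(user_roles.get(user, set())) | {new_role}
    return sod_violations(proposed, role_permissions, rules).get(user, [])


if __name__ == "__main__":
    for user, rules in sod_violations().items():
        print(f"{user}: violates {', '.join(rules)}")
    print("toxic role pairs:", toxic_role_pairs())
    print("grant iam_admin to dave?", would_violate("dave", "iam_admin"))
```

The detective check (sod_violations) answers "who is in conflict today"; the preventive check (would_violate) belongs in the access-request workflow so a conflicting grant is refused, or routed through policy exception management, before it happens.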

15
Q

Security Baseline

A

Minimum security standards and configurations that must be applied to systems within an org

16
Q

Risk Appetite

A

Amount of risk an org is willing to accept in pursuit of its objectives

17
Q

Business Impact Analysis (BIA)

A

Process of determining the potential effects of an interruption to critical business operations

18
Q

Threat Modeling

A

Structured approach to identifying and prioritizing potential threats to a system

19
Q

Security Control Assessment

A

Evaluation of security controls to determine their effectiveness in protecting information assets

20
Q

Security Posture

A

Overall security status of an org’s software, hardware, network, and information

21
Q

Risk Assessment

A

Identifying and evaluating risks to an org’s information assets

22
Q

Security Governance Framework

A

Structured approach that defines the policies, procedures, and controls to manage and monitor an org’s security

23
Q

Policy Development Lifecycle

A

Structured process an org follows to create, implement, and maintain policies

24
Q

Quantitative Risk Assessment

A

Risk assessment method that assigns numerical values to risks based on potential impact and likelihood

25
Q

Qualitative Risk Assessment

A

Risk assessment method that rates risks on subjective, categorical scales of likelihood and impact (e.g., low, medium, high)

26
Q

Due Diligence

A

Process of investigating and ensuring proper security controls and measures are in place

27
Q

Due Care

A

Taking reasonable actions to protect org assets and prevent security incidents

28
Q

Key Risk Indicators (KRIs)

A

Forward-looking metrics that signal when an org’s exposure to a risk is changing, giving early warning that its likelihood or impact is rising

29
Q

Data Steward

A

Responsible for managing data quality and enforcing data governance policies

30
Q

Data Custodian

A

Responsible for maintaining and protecting data as per org policies

31
Q

Control Risk Self-Assessment (CRSA)

A

Process where teams assess the effectiveness of security controls to identify gaps or weaknesses

32
Q

Program Management Office (PMO)

A

Org unit responsible for standardizing and managing security related programs and projects

33
Q

Incident Coordinator

A

Responsible for managing and coordinating the response to security incidents

34
Q

Policy Dissemination

A

Process of distributing and communicating policies to ensure understanding and compliance

35
Q

Tabletop Exercise

A

Simulated discussions of security incident scenarios to practice response and improve plans

36
Q

Service Continuity Management (SCM)

A

Ensuring that critical services remain operational during and after a disruption

37
Q

System of Record (SoR)

A

System that serves as the authoritative source for a given type of data

38
Q

Recovery Time Objective (RTO)

A

Max time allowed to restore a service or system after an outage

39
Q

Recovery Point Objective (RPO)

A

Max tolerable amount of data loss, expressed as the time between the last recoverable copy of the data and the disruption

40
Q

Retention Policy

A

Rules governing how long data must be kept and when it should be disposed

41
Q

Benchmarking

A

Comparing an org’s security practices and performance to industry standards or peers

42
Q

Residual Risk

A

Level of risk that remains after security controls have been applied to mitigate a threat

43
Q

Zero Trust Architecture (ZTA)

A

A security model that requires verification of every user and device attempting to access resources, regardless of location or network

44
Q

Risk Register

A

A document that identifies, assesses, and prioritizes risks, along with their mitigation strategies and status
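A worked quantitative risk assessment over a small risk register, as an added example (not part of the original flashcard set). It ties together the quantitative and qualitative assessment cards, residual risk, risk appetite and the risk register: each risk gets a single loss expectancy (SLE = asset value × exposure factor) and an annualized loss expectancy (ALE = SLE × ARO), controls reduce the ALE to a residual figure, and the register is sorted and flagged against a stated risk appetite. The asset values, rates, control effectiveness figures and the appetite threshold are all constructed assumptions, as is the simplification that a control removes a fixed fraction of the ALE it addresses.

```python
"""Quantitative risk assessment over a small risk register.

Added example, not from the flashcard set. It uses the standard
expected-loss formulas
    SLE = asset value x exposure factor
    ALE = SLE x ARO
and models each control as removing a fixed fraction of the ALE it
addresses (a simplifying assumption made here).
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float
    effectiveness: float  # fraction of ALE removed, 0.0..1.0 (assumed figure)


@dataclass
class Risk:
    risk_id: str
    description: str
    asset_value: float
    exposure_factor: float  # fraction of asset value lost per occurrence
    aro: float              # annualized rate of occurrence
    controls: list = field(default_factory=list)

    def sle(self) -> float:
        """Single loss expectancy."""
        return self.asset_value * self.exposure_factor

    def inherent_ale(self) -> float:
        """Annualized loss expectancy before any control is applied."""
        return self.sle() * self.aro

    def residual_ale(self) -> float:
        """Residual risk: what remains after each control removes its share."""
        ale = self.inherent_ale()
        for c in self.controls:
            ale *= 1.0 - c.effectiveness
        return ale

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

    def net_benefit(self) -> float:
        """Loss avoided per year minus what the controls cost per year.
        Negative means the controls cost more than they save."""
        return (self.inherent_ale() - self.residual_ale()) - self.control_cost()


def qualitative_rating(ale: float, appetite: float) -> str:
    """Map a dollar ALE onto the low/medium/high scale. Thresholds are an
    assumption: 'high' above the appetite, 'medium' above half of it."""
    if ale > appetite:
        return "high"
    if ale > appetite / 2:
        return "medium"
    return "low"


def assess(register, risk_appetite: float):
    """Build the risk-register rows, highest residual exposure first."""
    rows = []
    for r in register:
        residual = r.residual_ale()
        rows.append({
            "id": r.risk_id,
            "description": r.description,
            "inherent_ale": round(r.inherent_ale(), 2),
            "residual_ale": round(residual, 2),
            "rating": qualitative_rating(residual, risk_appetite),
            "net_benefit": round(r.net_benefit(), 2),
            "exceeds_appetite": residual > risk_appetite,
        })
    rows.sort(key=lambda row: row["residual_ale"], reverse=True)
    return rows


# Constructed sample register; every figure is illustrative.
SAMPLE_REGISTER = [
    Risk("R1", "ransomware on file server", 500_000, 0.6, 0.5,
         [Control("offline backups", 20_000, 0.7)]),
    Risk("R2", "laptop theft", 40_000, 1.0, 2.0,
         [Control("full-disk encryption", 5_000, 0.9)]),
    Risk("R3", "DNS provider outage", 200_000, 0.1, 0.2,
         [Control("secondary DNS provider", 6_000, 0.8)]),
]
RISK_APPETITE = 25_000  # max residual ALE per risk the org accepts (assumed)

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, RISK_APPETITE):
        flag = "  <-- exceeds appetite" if row["exceeds_appetite"] else ""
        print(f"{row['id']} {row['rating']:6} inherent={row['inherent_ale']:>10,.0f} "
              f"residual={row['residual_ale']:>9,.0f} net={row['net_benefit']:>9,.0f}{flag}")
```

Two things the numbers show that the definitions alone do not: R1 stays above the appetite even with its control applied, so it needs either a further control or a documented acceptance through policy exception management; and R3's control has a negative net benefit, which is the quantitative case for simply accepting a low residual risk rather than paying to reduce it.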

45
Q

Third-Party Assessment

A

Evaluation conducted to ensure that vendors or partners comply with an organization’s security policies and standards

46
Q

Data Retention Policy

A

Defines how long data should be kept, the methods for securely storing it, and when it should be securely disposed of

47
Q

Privacy Impact Assessment (PIA)

A

An analysis conducted to identify and mitigate privacy risks associated with the collection, storage, and use of personal data