Security Program Management and Oversight Obj 5.2 Flashcards
Risk tolerance
Risk tolerance refers to an organization’s predetermined level of acceptable risk exposure. It represents the extent to which an organization is willing to tolerate potential risks before taking action to mitigate or avoid them.
Exposure factor
The exposure factor is a calculation that determines the amount of value that is lost if an event takes place. It doesn’t measure an organization’s level of acceptable risk exposure.
Grey box test
For a grey box test, the tester has limited information about the target system. This might include specific details about its architecture or certain user credentials. This type of test represents a middle ground, providing a blend of both internal and external perspectives on potential vulnerabilities.
White box testing
In a white box test, the tester possesses complete knowledge of the target environment, including its architecture, design, and source code. It allows for an in-depth examination of the system to find vulnerabilities that might be overlooked in other test types. Boundary testing focuses on the system’s input and output data limits. Testers will try to use values at, just below, or just above these boundaries to see if the system behaves unexpectedly or reveals vulnerabilities.
Black box testing
A black box test is executed without any prior knowledge of the target environment. The tester approaches the system from an outsider’s perspective, mimicking an external attacker with no insight into the system’s design or functionality.
Which risk management term describes the effect of a risk event on an organization, particularly in terms of operational, financial, and reputational harm?
Impact is a standard term used in risk management to describe the effect of a risk event on an organization, particularly in terms of operational, financial, and reputational harm.
What security awareness practice involves conducting simulated email attacks to educate employees about recognizing and responding to phishing attempts?
Phishing campaigns (Correct)
Anomalous behavior recognition
Reporting and monitoring
User guidance and training
In the context of compliance monitoring, which of the following does “due diligence/care” refer to?
Taking steps to meet legal and other requirements. (Correct)
Conducting internal audits on a regular basis.
Reviewing third-party vendor agreements.
Automated compliance checks.