SY0-701: 5.0 (Security Program Management and Oversight) Flashcards

Question 1

Q

Social Engineering Motivational Triggers (5.6)

Answer

A

Authority
Urgency
Social Proof
Scarcity
Likability
Fear

Question 2

Q

Soc Eng Trigger- Authority (5.6)

Answer

A

The power or right to give orders, make decisions, and enforce obedience

Question 3

Q

Soc Eng Trigger- Urgency (5.6)

Answer

A

Compelling sense of immediacy or time-sensitivity that drivers individuals to act swiftly or prioritize certain actions

Question 4

Q

Soc Eng Trigger- Social Proof (5.6)

Answer

A

Psychological phenomenon where individuals look to the behaviors and actions of others to determine their own decisions or actions in similar situations

Question 5

Q

Soc Eng Trigger- Scarcity (5.6)

Answer

A

Psychological pressure people feel when they believe a product, opportunity, or resource is in limited or in short supply

Question 6

Q

Soc Eng Trigger- Likability (5.6)

Answer

A

Associated with being nice, friendly, and socially accepted by others

Question 7

Q

Soc Eng Trigger- Fear (5.6)

Answer

A

Feeling afraid of someone or something, as likely to be dangerous, painful, or threatening

Question 8

Q

Data Ownership (5.1)

Answer

A

Process of identifying the person responsible for the confidentiality, integrity, availability, and privacy of the information assets

Question 9

Q

Data Owner (5.1)

Answer

A

Senior executive role who has the responsibility for maintaining the confidentiality, integrity, and availability of the information asset

Question 10

Q

Data Controller (5.1)

Answer

A

Entity that holds responsibility for deciding the purposes and methods of data storage, collection, and usage and for guaranteeing the legality of processes

Question 11

Q

Data Processor (5.1)

Answer

A

Group or individual hired by the Data Controller to help with tasks like collecting, storing, or analyzing data

Question 12

Q

Data Steward (5.1)

Answer

A

Focused on the quality of the data and the associated metadata

Question 13

Q

Data Custodian (5.1)

Answer

A

Responsible for handling the management of the system on which the data assets are stored (e.g. SysAdmin)

Question 14

Q

Privacy Officer (5.1)

Answer

A

Role that is responsible for the oversight of any kind of privacy-related data, like PII (Personally Identifying Information), SPI (Sensitive Personal Information), PHI (Personal Health Information)

Question 15

Q

Risk Management (5.2)

Answer

A

Fundamental process that involves identifying, analyzing, monitoring, and reporting risks

Question 16

Q

Risk Management Lifecycle (5.2)

Answer

A

Risk identification
Risk analysis
Risk treatment
Risk monitoring
Risk reporting

Question 17

Q

Risk Assessment Frequency (5.2)

Answer

A

Refers to how often the risk assessment process is conducted within an organization

Question 18

Q

Risk Assessment Frequency Types (5.2)

Answer

A

Ad-hoc
Recurring
One-Time
Continuous

Question 19

Q

Ad-hoc (5.2)

Answer

A

Conducted as and when needed, often in response to a specific event or situation that has the potential to introduce new risks or change the nature of existing risks; associated with specific events or situations

Question 20

Q

Recurring (5.2)

Answer

A

Conducted at regular intervals, such as annually, quarterly, or monthly

Question 21

Q

One-Time (5.2)

Answer

A

Conducted for a specific purpose and are not repeated; associated with a specific project or initiative

Question 22

Q

Continuous (5.2)

Answer

A

Ongoing monitoring and evaluation of risks

Question 23

Q

Risk Identification (5.2)

Answer

A

Recognizing potential risks that could negatively impact an organizations ability to operate or achieve its objective

Question 24

Q

RTO (5.2)

Answer

A

Recovery Time Objective- Represents the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization

Question 25

Q

RPO (5.2)

Answer

A

Recovery Point Objective- Represents the maximum acceptable amount of data loss measured in time (if business has RPO of 4 hours then it can handle 4 hours of down time)

Question 26

Q

MTTR (5.2)

Answer

A

Mean Time To Repair- Represents the average time required to repair a failed component or system

Question 27

Q

MTBF (5.2)

Answer

A

Mean Time Between Failure- Represents the average time between failures

Question 28

Q

BIA (5.2)

Answer

A

Business Impact Analysis- Process that involves evaluating the potential effects of disruption to an organizations business functions and processes

Question 29

Q

Risk Register (Risk Log) (5.2)

Answer

A

A document detailing identified risks, including their description, impact likelihood, and mitigation strategies; contains:
Risk description
Risk impact
Risk likelihood
Risk outcome
Risk level
Cost

Question 30

Q

Risk description (5.2)

Answer

A

Entails identifying and providing a detailed description

Question 31

Q

Risk impact (5.2)

Answer

A

Potential consequences if the risk materializes

Question 32

Q

Risk likelihood (5.2)

Answer

A

Chance of a particular risk occurring

Question 33

Q

Risk outcome (5.2)

Answer

A

Result of a risk, linked to its impact and likelihood

Question 34

Q

Risk level / Threshold (5.2)

Answer

A

Determined by combining the impact and likelihood

Question 35

Q

Cost (5.2)

Answer

A

Pertains to its financial impact on the project, including potential expenses if it occurs or the cost of risk mitigation

Question 36

Q

Risk Tolerance / Risk Acceptance (5.2)

Answer

A

Refers to an organizations or individuals willingness to deal with uncertainty in pursuit of their goals

Question 37

Q

Risk Appetite (5.2)

Answer

A

Signifies an organizations willingness to embrace or retain specific types and levels of risk to fulfill its strategic goals

Question 38

Q

Expansionary Risk Appetite (5.2)

Answer

A

Organization is open to taking more risk in the hopes of achieving greater returns

Question 39

Q

Conservative Risk Appetite (5.2)

Answer

A

Implies that an organization favors less risk, even if it leads to lower returns

Question 40

Q

Neutral Risk Appetite (5.2)

Answer

A

Signifies a balance between risk and return

Question 41

Q

KRIs (5.2)

Answer

A

Key Risk Indicators- Essential predictive metrics used by organizations to signal rising risk levels in different parts of the enterprise

Question 42

Q

Risk Owner (5.2)

Answer

A

Person or group responsible for managing the risk

Question 43

Q

Qualitative Risk Analysis (5.2)

Answer

A

A method of assessing risks based on their potential impact and the likelihood of their occurrence (usually described as Low, Medium, High); Subjective and high level

Question 44

Q

Quantitative Risk Analysis (5.2)

Answer

A

A method of evaluating risk that uses numerical measurements (usually described as a number); Objective and numerical evaluation of risks

Question 45

Q

EF (5.2)

Answer

A

Exposure Factor- Proportion of an asset that is lost in an event (expressed as a percentage)

Question 46

Q

SLE (5.2)

Answer

A

Single Loss Expectancy- Monetary value expected to be lost in a single event (expressed as a monetary amount)

Question 47

Q

ARO (5.2)

Answer

A

Annualized Rate of Occurrence- Estimated frequency with which a threat is expected to occur within a year

Question 48

Q

ALE (5.2)

Answer

A

Annualized Loss Expectancy- Expected annual loss from a risk (SLE x ARO)

Question 49

Q

Risk Management Types (5.2)

Answer

A

Transfer
Accept
Avoid
Mitigate

Question 50

Q

Risk Transference (Risk Sharing) (5.2)

Answer

A

Involves shifting the risk from the organization to another party (most common type is insurance)

Question 51

Q

Contract Indemnity Clause (5.2)

Answer

A

A contractual agreement where one party agrees to cover the others harm, liability, or loss stemming from the contract (form of risk transference)

Question 52

Q

Risk Acceptance (5.2)

Answer

A

Recognizing a risk and choosing to address it when it arises

Question 53

Q

Exemption (5.2)

Answer

A

Provision that grants an exception from a specific rule or requirement

Question 54

Q

Exception (5.2)

Answer

A

Provision that permits a party to bypass a rule or requirement in certain situations

Question 55

Q

Risk Avoidance (5.2)

Answer

A

Strategy of altering plans or approaches to completely eliminate a specific risk

Question 56

Q

Risk Mitigation (5.2)

Answer

A

Implementing measures to decrease the likelihood or impact of a risk

Question 57

Q

Risk Monitoring (5.2)

Answer

A

Involves continuously tracking identified risks, assessing new risks, executing response plans, and evaluating their effectiveness during a projects lifecycle

Question 58

Q

Residual Risk (5.2)

Answer

A

Likelihood and impact after implementing mitigation, transference, or acceptance

Question 59

Q

Risk Reporting (5.2)

Answer

A

Process of communicating information about risk management activities

Question 60

Q

Third Party Vendor Risk (5.3)

Answer

A

Potential security and operational challenges introduced by external entities (vendors, suppliers, or service providers)

Question 61

Q

MSP (5.3)

Answer

A

Managed Service Providers- Individuals hired by companies to manage IT services on behalf of an organization

Question 62

Q

Supply Chain Attack (5.3)

Answer

A

Attack that involves targeting a weaker link in the supply chain to gain access to a primary target

Question 63

Q

CHIPS Act (5.3)

Answer

A

US federal statute that provides roughly $280 billion in new funding to boost research and manufacturing of semiconductors inside the United States

Question 64

Q

Steps to minimize supply chain attacks (5.3)

Answer

A

Vendor due diligence
Regular monitoring and audits
Education and collaboration
Incorporating contractual safeguards

Answer 65

A

Process that organizations implement to evaluate the security, reliability, and performance of external entities

Answer 66

A

Simulated cyberattack against the suppliers system to check for exploitable vulnerabilities

Answer 67

A

Grants organizations the right to evaluate vendors

Answer 68

A

Vendors self-assessment where they evaluate their own practices against industry standards or organizational requirements

Answer 69

A

Evaluation conducted by third-party entities that have no stake in the organizations or vendors operations

Answer 70

A

Used to dive deep into a vendors entire supply chain and assess the security and reliability of each link

Answer 71

A

Process that organizations implement to evaluate the security, reliability, and performance of external entities

Answer 72

A

Financial Stability
Operational History
Client Testimonials
On-the-Ground Practices

Answer 73

A

Arises when personal or financial relationships could potentially cloud the judgment of individuals involved in vendor selection

Answer 74

A

Comprehensive documents that potential vendors fill out to offer insights into the operations, capabilities, and compliance

Answer 75

A

Guidelines that dictate the terms of interaction between an organization and its potential vendors

Answer 76

A

Mechanism to ensure that the chosen vendor still aligns with the organizational needs and standards

Answer 77

A

Involve a two-way communication channel where both the organization and the vendor share feedback

Answer 78

A

Versatile tool that formally establishes a relationship between two parties

Answer 79

A

Service-Level Agreement- The standard of service a client can expect from a provider

Answer 80

A

Memorandum of Agreement- Formal agreement and outlines the specific responsibilities and roles of the involved parties

Answer 81

A

Memorandum of Understanding- Less binding than a MOA and more of a declaration of mutual intent

Answer 82

A

Master Service Agreement- Blanket agreement that covers the general terms of engagement between parties across multiple transactions

Answer 83

A

Statement of Work (sometimes called Scope of Work or Work Order)- Used to specify details for a particular project

Answer 84

A

Non-Disclosure Agreement- Commitment to privacy that ensures that any sensitive information shared during negotiations remains confidential between both parties

Answer 85

A

Business Partnership Agreement (sometimes called a Joint Venture or JV)- Document that goes a step beyond the basic contract when two entities decide to pool their resources for mutual benefit

Answer 86

A

Strategic leadership, structures, and processes that ensure an organizations IT infrastructure aligns with its business objectives

Answer 87

A

Governance, Risk Management, and Compliance

Answer 88

A

Regularly reviewing and assessing the effectiveness of the governance framework

Answer 89

A

Updating the governance framework to address these gaps or weaknesses

Answer 90

A

A board of directors is a group of individuals elected by shareholders to oversee the management of an organization

Answer 91

A

Subgroups of a board of directors, each with a specific focus

Answer 92

A

They establish laws and regulations that organizations must comply with

Answer 93

A

Decision-making authority is concentrated at the top levels of management

Answer 94

A

Distributes decision-making authority throughout the organization

Answer 95

A

Acceptable Use Policy- A document that outlines the do’s and don’ts for users when interacting with an organizations IT systems and resources

Answer 96

A

Outline how an organization protects its information assets from threats, both internal and external; handles:
Data Classification
Access Control
Encryption
Physical Security

Answer 97

A

Focuses on how an organization will continue its critical operations during and after a disruption

Answer 98

A

Focuses specifically on how an organization will recover its IT systems and data after a disaster

Answer 99

A

A plan for handling security incidents

Answer 100

A

Software Development Lifecycle- Guides how software is developed within an organization

Answer 101

A

Aims to ensure that changes are implemented in a controlled and coordinated manner, minimizing the risk of disruptions

Answer 102

A

Dictate the complexity and management of passwords, which are the first line of defense against unauthorized access

Answer 103

A

Determine who has access to what resources within an organization

Answer 104

A

DAC- Discretionary Access Control
MAC- Mandatory Access Control
RBAC- Role-Based Access Control

Answer 105

A

Discretionary Access Control- Allows owner of information or resource decide who can access it

Answer 106

A

Mandatory Access Control- Uses labels or classifications to determine access

Answer 107

A

Role-Based Access Control- Uses roles within an organization to determine access

Answer 108

A

These standards cover the physical measures taken to protect an organizations assets and information

Answer 109

A

Ensure that data intercepted or accessed without authorization remains unreadable and secure

Answer 110

A

Systematic sequences of actions or steps taken to achieve a specific outcome (e.g. Emergency Evacuation Procedure)

Answer 111

A

Systematic approach to dealing with changes within an organization

Answer 112

A

The process of integrating new employees into the organization / The process of managing the transition when an employee leaves

Answer 113

A

Checklist of actions to perform to detect and respond to a specific type of incident

Answer 114

A

These regulations can cover a wide range of areas, from data protection and privacy to environmental standards and labor laws

Answer 115

A

Closely tied to regulatory considerations, but they also encompass other areas such as contract law, intellectual property, and corporate law

Answer 116

A

The specific standards and practices that are prevalent in a particular industry

Answer 117

A

Local ordinance, state regulations, national laws, regulations implemented by countries

Answer 118

A

Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements

Answer 119

A

Collection and analysis of data to ensure that an organization is following its internal policies and procedures

Answer 120

A

Demonstrating compliance to external entities such as regulatory bodies, auditors, or customers, often mandated by law or contract

Answer 121

A

The process of regularly reviewing and analyzing an organizations operations to ensure compliance with laws, regulations, and internal policies

Answer 122

A

Conducting an exhaustive review of an organizations operations to identify potential compliance

Answer 123

A

The steps taken to mitigate the risks revealed from their due diligence

Answer 124

A

Formal declaration by a responsible party that the organizations processes and controls are compliant

Answer 125

A

Recognition and acceptance of compliance requirements by all relevant parties

Answer 126

A

Regularly reviewing an organizations operations to ensure compliance with internal policies

Answer 127

A

Third-party reviews or audits to verify compliance with external regulations or standards

Answer 128

A

Automated compliance systems can streamline data collection, improve accuracy, and provide real-time compliance monitoring

Answer 129

A

Fines
Sanctions
Reputational Damage
Loss of License
Contractual Impacts

Answer 130

A

Systematic evaluations of an organizations information systems, applications, and security controls (can be internal or external)

Answer 131

A

Performing a detailed analysis of an organizations security systems to identify vulnerabilities and risks

Answer 132

A

Risk Assessments
Vulnerability Assessments
Threat Assessments

Answer 133

A

Ensuring that information systems and security practices meet established standards, regulations, and laws

Answer 134

A

Group of people responsible for supervising the organizations audit and compliance functions

Answer 135

A

An in-depth analysis to identify and assess potential risks and vulnerabilities in an organizations information systems

Answer 136

A

Internal review conducted by an organization to gauge its adherence to particular standards or regulations

Answer 137

A

Offers validation of security practices, fostering trust with customers, stakeholders, and regulatory authorities

Answer 138

A

Testing an organizations physical security through testing locks, access cards, security cameras, and other protective measures

Answer 139

A

aka Red Team- Proactive approach that involves use of attack techniques, akin to real cyber threats, that seek and exploit system vulnerabilities

Answer 140

A

aka Blue Team- Reactive approach that entails fortifying systems, identifying and addressing attacks, and enhancing incident response times

Answer 141

A

aka Purple Team- Combination of aspects of both offensive and defensive testing into a single penetration test

Answer 142

A

An initial phase where critical information about a target system is gathered to enhance an attacks effectiveness

Answer 143

A

Direct engagement with the target system, offering more information but with a higher detection risk

Answer 144

A

Gathering information without direct engagement with the target system, offering lower detection risk but less data (e.g. OSINT)

Answer 145

A

Detailed target infrastructure information from the organization is received prior to the test

Answer 146

A

Involves limited information provided to testers, who may have partial knowledge of the system

Answer 147

A

Testers receive minimal to no information about the target system

Answer 148

A

Multi-purpose computer security and penetration testing framework that encompasses a wide array of powerful tools, enabling the execution of penetration tests

Answer 149

A

Similar to a pentest report but also includes proof

Answer 150

A

Involves validating the integrity of software by checking that it hasn’t been tampered with or altered maliciously

Answer 151

A

Involves validating the integrity of hardware components

Answer 152

A

Involves validating the security posture of a system

Brainscape's Knowledge GenomeTM

SY0-701: 5.0 (Security Program Management and Oversight) Flashcards

Brainscape's Knowledge Genome^TM