SY0-701: 5.0 (Security Program Management and Oversight) Flashcards
Social Engineering Motivational Triggers (5.6)
Authority
Urgency
Social Proof
Scarcity
Likability
Fear
Soc Eng Trigger- Authority (5.6)
The power or right to give orders, make decisions, and enforce obedience
Soc Eng Trigger- Urgency (5.6)
Compelling sense of immediacy or time-sensitivity that drives individuals to act swiftly or prioritize certain actions
Soc Eng Trigger- Social Proof (5.6)
Psychological phenomenon where individuals look to the behaviors and actions of others to determine their own decisions or actions in similar situations
Soc Eng Trigger- Scarcity (5.6)
Psychological pressure people feel when they believe a product, opportunity, or resource is limited or in short supply
Soc Eng Trigger- Likability (5.6)
Associated with being nice, friendly, and socially accepted by others
Soc Eng Trigger- Fear (5.6)
Feeling afraid of someone or something, as likely to be dangerous, painful, or threatening
Data Ownership (5.1)
Process of identifying the person responsible for the confidentiality, integrity, availability, and privacy of the information assets
Data Owner (5.1)
Senior executive role who has the responsibility for maintaining the confidentiality, integrity, and availability of the information asset
Data Controller (5.1)
Entity that holds responsibility for deciding the purposes and methods of data storage, collection, and usage and for guaranteeing the legality of processes
Data Processor (5.1)
Group or individual hired by the Data Controller to help with tasks like collecting, storing, or analyzing data
Data Steward (5.1)
Focused on the quality of the data and the associated metadata
Data Custodian (5.1)
Responsible for handling the management of the system on which the data assets are stored (e.g. SysAdmin)
Privacy Officer (5.1)
Role that is responsible for the oversight of any kind of privacy-related data, like PII (Personally Identifiable Information), SPI (Sensitive Personal Information), and PHI (Protected Health Information)
Risk Management (5.2)
Fundamental process that involves identifying, analyzing, monitoring, and reporting risks
Risk Management Lifecycle (5.2)
- Risk identification
- Risk analysis
- Risk treatment
- Risk monitoring
- Risk reporting
Risk Assessment Frequency (5.2)
Refers to how often the risk assessment process is conducted within an organization
Risk Assessment Frequency Types (5.2)
Ad-hoc
Recurring
One-Time
Continuous
Ad-hoc (5.2)
Conducted as and when needed, often in response to a specific event or situation that has the potential to introduce new risks or change the nature of existing risks; associated with specific events or situations
Recurring (5.2)
Conducted at regular intervals, such as annually, quarterly, or monthly
One-Time (5.2)
Conducted once for a specific purpose and not repeated; associated with a specific project or initiative
Continuous (5.2)
Ongoing monitoring and evaluation of risks
Risk Identification (5.2)
Recognizing potential risks that could negatively impact an organization's ability to operate or achieve its objectives
RTO (5.2)
Recovery Time Objective- Represents the maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization
RPO (5.2)
Recovery Point Objective- Represents the maximum acceptable amount of data loss measured in time (if a business has an RPO of 4 hours, it can tolerate losing up to 4 hours of data, so backups must be taken at least every 4 hours; how long it can be down is set by the RTO, not the RPO)
MTTR (5.2)
Mean Time To Repair- Represents the average time required to repair a failed component or system
MTBF (5.2)
Mean Time Between Failure- Represents the average time between failures
BIA (5.2)
Business Impact Analysis- Process that involves evaluating the potential effects of disruption to an organization's business functions and processes
Risk Register (Risk Log) (5.2)
A document detailing identified risks, including their description, impact, likelihood, and mitigation strategies; contains:
Risk description
Risk impact
Risk likelihood
Risk outcome
Risk level
Cost
Risk description (5.2)
A detailed description of the identified risk: what could go wrong and how
Risk impact (5.2)
Potential consequences if the risk materializes
Risk likelihood (5.2)
Chance of a particular risk occurring
Risk outcome (5.2)
Result of a risk, linked to its impact and likelihood
Risk level / Threshold (5.2)
Determined by combining the impact and likelihood
Cost (5.2)
The risk's financial impact on the project, including potential expenses if it occurs or the cost of mitigating it
Risk Tolerance / Risk Acceptance (5.2)
Refers to an organization's or individual's willingness to deal with uncertainty in pursuit of their goals
Risk Appetite (5.2)
Signifies an organization's willingness to embrace or retain specific types and levels of risk to fulfill its strategic goals
Expansionary Risk Appetite (5.2)
Organization is open to taking more risk in the hopes of achieving greater returns
Conservative Risk Appetite (5.2)
Implies that an organization favors less risk, even if it leads to lower returns
Neutral Risk Appetite (5.2)
Signifies a balance between risk and return
KRIs (5.2)
Key Risk Indicators- Essential predictive metrics used by organizations to signal rising risk levels in different parts of the enterprise
Risk Owner (5.2)
Person or group responsible for managing the risk
Qualitative Risk Analysis (5.2)
A method of assessing risks based on their potential impact and the likelihood of their occurrence (usually described as Low, Medium, High); Subjective and high level
Quantitative Risk Analysis (5.2)
A method of evaluating risk that uses numerical measurements (usually described as a number); Objective and numerical evaluation of risks
EF (5.2)
Exposure Factor- Proportion of an asset that is lost in an event (expressed as a percentage)
SLE (5.2)
Single Loss Expectancy- Monetary value expected to be lost in a single event (Asset Value x EF, expressed as a monetary amount)
ARO (5.2)
Annualized Rate of Occurrence- Estimated frequency with which a threat is expected to occur within a year
ALE (5.2)
Annualized Loss Expectancy- Expected annual loss from a risk (SLE x ARO)
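The risk register fields above (description, impact, likelihood, risk level as impact x likelihood, cost) and the quantitative formulas (SLE = AV x EF, ALE = SLE x ARO) come together in the following added example. It is not part of the original flashcards: it builds a small register from constructed figures, ranks the rows by ALE, and checks whether a proposed control is worth its annual cost. The 1-3 qualitative scale, the treatment threshold of 4, and every register row are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Added example (not from the original flashcards): a tiny risk register that
# scores each entry qualitatively (impact x likelihood) and quantitatively
# (SLE = AV x EF, ALE = SLE x ARO), then checks whether a proposed control
# pays for itself. The scale, threshold and register rows are assumptions.

QUAL = {"Low": 1, "Medium": 2, "High": 3}   # assumed qualitative scale
RISK_THRESHOLD = 4                           # assumed: level >= 4 needs treatment


@dataclass
class RiskEntry:
    """One row of the risk register (risk log)."""
    description: str
    impact: str             # qualitative: Low / Medium / High
    likelihood: str         # qualitative: Low / Medium / High
    asset_value: float      # AV, value of the asset at risk (currency units)
    exposure_factor: float  # EF, fraction of AV lost in one event (0.0 to 1.0)
    aro: float              # ARO, expected number of events per year

    def risk_level(self) -> int:
        """Qualitative risk level: impact x likelihood on the 1-3 scale (1 to 9)."""
        return QUAL[self.impact] * QUAL[self.likelihood]

    def exceeds_threshold(self) -> bool:
        """True when the risk level crosses the treatment threshold."""
        return self.risk_level() >= RISK_THRESHOLD

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF, the cost of one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO, the expected loss per year."""
        return self.sle() * self.aro


def rank_by_ale(register):
    """Order the register so the most expensive risks (highest ALE) come first."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def control_value(entry, annual_control_cost, new_ef=None, new_aro=None):
    """Cost-benefit of a mitigation that lowers EF and/or ARO.

    Returns (net_annual_benefit, ale_after): net benefit is
    ALE_before - ALE_after - annual cost of the control; a positive number
    means the control saves more than it costs. ale_after is the loss
    expectancy that remains once the control is in place.
    """
    after = replace(
        entry,
        exposure_factor=entry.exposure_factor if new_ef is None else new_ef,
        aro=entry.aro if new_aro is None else new_aro,
    )
    net = entry.ale() - after.ale() - annual_control_cost
    return net, after.ale()


# Constructed sample register; the figures are illustrative, not real data.
REGISTER = [
    RiskEntry("Ransomware encrypts the file server", "High", "Medium", 500_000, 0.40, 0.5),
    RiskEntry("Laptop stolen from a travelling employee", "Medium", "High", 3_000, 1.00, 4.0),
    RiskEntry("Flooding of the data centre", "High", "Low", 2_000_000, 0.25, 0.05),
]


def register_summary(register=REGISTER):
    """(description, risk level, needs treatment, SLE, ALE) per row, highest ALE first."""
    return [
        (r.description, r.risk_level(), r.exceeds_threshold(), r.sle(), r.ale())
        for r in rank_by_ale(register)
    ]


if __name__ == "__main__":
    for row in register_summary():
        print(row)
    # Proposed control: offline backups at 30,000/year cut the ransomware EF from 0.40 to 0.10
    net, residual_ale = control_value(REGISTER[0], 30_000, new_ef=0.10)
    print(f"net annual benefit: {net:,.0f}, ALE after control: {residual_ale:,.0f}")
```

Two things the numbers show that the definitions alone do not: the qualitative and quantitative views can disagree (the stolen laptop scores as high as ransomware on the impact x likelihood grid but has the lowest ALE), and a control is justified by the ALE it removes, not by the ALE of the risk. Here the backups cut the ransomware ALE from 100,000 to 25,000, so at 30,000 a year they return a net 45,000.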
Risk Management Types (5.2)
Transfer
Accept
Avoid
Mitigate
Risk Transference (Risk Sharing) (5.2)
Involves shifting the risk from the organization to another party (most common type is insurance)
Contract Indemnity Clause (5.2)
A contractual agreement where one party agrees to cover the other's harm, liability, or loss stemming from the contract (form of risk transference)
Risk Acceptance (5.2)
Recognizing a risk and choosing to address it when it arises
Exemption (5.2)
Provision that grants an exception from a specific rule or requirement
Exception (5.2)
Provision that permits a party to bypass a rule or requirement in certain situations
Risk Avoidance (5.2)
Strategy of altering plans or approaches to completely eliminate a specific risk
Risk Mitigation (5.2)
Implementing measures to decrease the likelihood or impact of a risk
Risk Monitoring (5.2)
Involves continuously tracking identified risks, assessing new risks, executing response plans, and evaluating their effectiveness during a project's lifecycle
Residual Risk (5.2)
The likelihood and impact that remain after mitigation or transference has been applied; this remaining risk is what the organization ultimately accepts
Risk Reporting (5.2)
Process of communicating information about risk management activities
Third Party Vendor Risk (5.3)
Potential security and operational challenges introduced by external entities (vendors, suppliers, or service providers)
MSP (5.3)
Managed Service Providers- Companies hired to operate IT services on behalf of an organization
Supply Chain Attack (5.3)
Attack that involves targeting a weaker link in the supply chain to gain access to a primary target
CHIPS Act (5.3)
US federal statute that provides roughly $280 billion in new funding to boost research and manufacturing of semiconductors inside the United States
Steps to minimize supply chain attacks (5.3)
Vendor due diligence
Regular monitoring and audits
Education and collaboration
Incorporating contractual safeguards
Vendor Assessment (5.3)
Process that organizations implement to evaluate the security, reliability, and performance of external entities
Penetration Testing (5.3)
Simulated cyberattack against the supplier's system to check for exploitable vulnerabilities
Right-to-Audit Clause (5.3)
Grants organizations the right to evaluate vendors
Internal Audit (5.3)
Vendor's self-assessment where they evaluate their own practices against industry standards or organizational requirements
Independent Assessment (5.3)
Evaluation conducted by third-party entities that have no stake in the organization's or vendor's operations
Supply Chain Analysis (5.3)
Used to dive deep into a vendor's entire supply chain and assess the security and reliability of each link
Due Diligence Topics (5.3)
Financial Stability
Operational History
Client Testimonials
On-the-Ground Practices
Conflict of Interest (5.3)
Arises when personal or financial relationships could potentially cloud the judgment of individuals involved in vendor selection
Vendor Questionnaires (5.3)
Comprehensive documents that potential vendors fill out to offer insights into their operations, capabilities, and compliance
Rules of Engagement (5.3)
Guidelines that dictate the terms of interaction between an organization and its potential vendors
Vendor Monitoring (5.3)
Mechanism to ensure that the chosen vendor still aligns with the organizational needs and standards
Feedback Loops (5.3)
Involve a two-way communication channel where both the organization and the vendor share feedback
Basic Contract (5.3)
Versatile tool that formally establishes a relationship between two parties
SLA (5.3)
Service-Level Agreement- The standard of service a client can expect from a provider
MOA (5.3)
Memorandum of Agreement- A formal agreement that outlines the specific responsibilities and roles of the involved parties
MOU (5.3)
Memorandum of Understanding- Less binding than a MOA and more of a declaration of mutual intent
MSA (5.3)
Master Service Agreement- Blanket agreement that covers the general terms of engagement between parties across multiple transactions
SOW (5.3)
Statement of Work (sometimes called Scope of Work or Work Order)- Used to specify details for a particular project
NDA (5.3)
Non-Disclosure Agreement- Commitment to privacy that ensures that any sensitive information shared during negotiations remains confidential between both parties
BPA (5.3)
Business Partnership Agreement (sometimes called a Joint Venture or JV)- Document that goes a step beyond the basic contract when two entities decide to pool their resources for mutual benefit
Governance (5.1)
Strategic leadership, structures, and processes that ensure an organization's IT infrastructure aligns with its business objectives
GRC Triad (5.1)
Governance, Risk Management, and Compliance
Monitoring (5.1)
Regularly reviewing and assessing the effectiveness of the governance framework
Revision (5.1)
Updating the governance framework to address gaps or weaknesses identified during monitoring
Governance- Boards (5.1)
A board of directors is a group of individuals elected by shareholders to oversee the management of an organization
Governance- Committees (5.1)
Subgroups of a board of directors, each with a specific focus
Governance- Government Entities (5.1)
They establish laws and regulations that organizations must comply with
Governance- Centralized Structures (5.1)
Decision-making authority is concentrated at the top levels of management
Governance- Decentralized Structures (5.1)
Distributes decision-making authority throughout the organization
AUP (5.1)
Acceptable Use Policy- A document that outlines the do's and don'ts for users when interacting with an organization's IT systems and resources
Information Security Policy (5.1)
Outline how an organization protects its information assets from threats, both internal and external; handles:
Data Classification
Access Control
Encryption
Physical Security
Business Continuity Policy (5.1)
Focuses on how an organization will continue its critical operations during and after a disruption
Disaster Recovery Policy (5.1)
Focuses specifically on how an organization will recover its IT systems and data after a disaster
Incident Response Policy (5.1)
A plan for handling security incidents
SDLC Policy (5.1)
Software Development Lifecycle- Guides how software is developed within an organization
Change Management Policy (5.1)
Aims to ensure that changes are implemented in a controlled and coordinated manner, minimizing the risk of disruptions
Password Standards (5.1)
Dictate the complexity and management of passwords, which are the first line of defense against unauthorized access
Access Control Standards (5.1)
Determine who has access to what resources within an organization
Access Control Types (5.1)
DAC- Discretionary Access Control
MAC- Mandatory Access Control
RBAC- Role-Based Access Control
DAC (5.1)
Discretionary Access Control- Allows the owner of the information or resource to decide who can access it
MAC (5.1)
Mandatory Access Control- Uses labels or classifications to determine access
RBAC (5.1)
Role-Based Access Control- Uses roles within an organization to determine access
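The three models above differ in who decides and what the decision is based on, which is easiest to see when the same request is put to each of them. The following is an added example, not from the original flashcards: a DAC access control list that only the owner may extend, a MAC check over system-assigned labels (using the Bell-LaPadula "no read up / no write down" rules as one common MAC policy), and an RBAC lookup through role membership. All users, labels, roles and ACL entries are constructed assumptions.

```python
# Added example (not from the original flashcards): the same request,
# "can this user read or write payroll.xlsx?", decided under DAC, MAC and RBAC.
# All users, labels, roles and ACLs below are constructed assumptions.

# --- DAC: the resource owner keeps an access control list and may change it ---
DAC_ACL = {
    "payroll.xlsx": {"owner": "alice", "read": {"alice", "bob"}, "write": {"alice"}},
}


def dac_allows(subject, obj, action):
    """Owner can always act; everyone else needs an explicit ACL entry."""
    entry = DAC_ACL.get(obj)
    if entry is None:
        return False
    return subject == entry["owner"] or subject in entry.get(action, set())


def dac_grant(grantor, obj, subject, action):
    """Only the owner may extend the ACL (that discretion is what makes it DAC)."""
    entry = DAC_ACL.get(obj)
    if entry is None or grantor != entry["owner"]:
        return False
    entry.setdefault(action, set()).add(subject)
    return True


# --- MAC: system-assigned labels and clearances; owners cannot override them ---
LEVELS = ["Public", "Internal", "Confidential", "Secret"]  # assumed ordering, low to high
CLEARANCE = {"alice": "Confidential", "bob": "Internal", "carol": "Secret"}
LABEL = {"payroll.xlsx": "Confidential"}


def mac_allows(subject, obj, action):
    """Bell-LaPadula style: read only at or below your clearance ("no read up"),
    write only at or above it ("no write down")."""
    clearance = LEVELS.index(CLEARANCE[subject])
    label = LEVELS.index(LABEL[obj])
    if action == "read":
        return clearance >= label
    if action == "write":
        return clearance <= label
    return False


# --- RBAC: permissions hang off roles; users get access through role membership ---
ROLE_PERMS = {
    "hr_analyst": {("payroll.xlsx", "read")},
    "hr_manager": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
}
USER_ROLES = {"alice": {"hr_manager"}, "bob": {"hr_analyst"}, "carol": set()}


def rbac_allows(subject, obj, action):
    """Allowed if any of the subject's roles carries the (object, action) permission."""
    return any((obj, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(subject, set()))


def decide_all(subject, obj, action):
    """Decision from each model, so the differences are visible side by side."""
    return {
        "DAC": dac_allows(subject, obj, action),
        "MAC": mac_allows(subject, obj, action),
        "RBAC": rbac_allows(subject, obj, action),
    }


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, "read", decide_all(who, "payroll.xlsx", "read"))
    # bob is on the DAC read list but is not the owner, so he cannot pass access on
    print("bob grants carol read:", dac_grant("bob", "payroll.xlsx", "carol", "read"))
```

Running it shows the point of each model: bob can read under DAC (the owner listed him) and under RBAC (his role carries the permission) but not under MAC, because his Internal clearance is below the Confidential label and no owner can change that; carol, with a Secret clearance, passes MAC but fails DAC and RBAC because nobody granted her anything and she holds no role. Under DAC, bob's attempt to grant carol access is refused since only the owner has that discretion.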
Physical Security Standards (5.1)
These standards cover the physical measures taken to protect an organization's assets and information
Encryption Standards (5.1)
Ensure that data intercepted or accessed without authorization remains unreadable and secure
Procedures (5.1)
Systematic sequences of actions or steps taken to achieve a specific outcome (e.g. Emergency Evacuation Procedure)
Change Management (5.1)
Systematic approach to dealing with changes within an organization
Onboarding/Offboarding (5.1)
The process of integrating new employees into the organization / The process of managing the transition when an employee leaves
Playbooks (5.1)
Checklist of actions to perform to detect and respond to a specific type of incident
Regulatory Considerations (5.1)
These regulations can cover a wide range of areas, from data protection and privacy to environmental standards and labor laws
Legal Considerations (5.1)
Closely tied to regulatory considerations, but they also encompass other areas such as contract law, intellectual property, and corporate law
Industry Considerations (5.1)
The specific standards and practices that are prevalent in a particular industry
Geographic Considerations (5.1)
Local ordinance, state regulations, national laws, regulations implemented by countries
Compliance Reporting (5.4)
Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements
Internal Compliance Reporting (5.4)
Collection and analysis of data to ensure that an organization is following its internal policies and procedures
External Compliance Reporting (5.4)
Demonstrating compliance to external entities such as regulatory bodies, auditors, or customers, often mandated by law or contract
Compliance Monitoring (5.4)
The process of regularly reviewing and analyzing an organization's operations to ensure compliance with laws, regulations, and internal policies
Due Diligence (5.4)
Conducting an exhaustive review of an organization's operations to identify potential compliance issues
Due Care (5.4)
The steps taken to mitigate the risks revealed by due diligence
Attestation (5.4)
Formal declaration by a responsible party that the organization's processes and controls are compliant
Acknowledgement (5.4)
Recognition and acceptance of compliance requirements by all relevant parties
Internal Monitoring (5.4)
Regularly reviewing an organization's operations to ensure compliance with internal policies
External Monitoring (5.4)
Third-party reviews or audits to verify compliance with external regulations or standards
Automation in Compliance (5.4)
Automated compliance systems can streamline data collection, improve accuracy, and provide real-time compliance monitoring
Non-Compliance Consequences (5.4)
Fines
Sanctions
Reputational Damage
Loss of License
Contractual Impacts
Audits (5.5)
Systematic evaluations of an organization's information systems, applications, and security controls (can be internal or external)
Assessments (5.5)
Performing a detailed analysis of an organization's security systems to identify vulnerabilities and risks
Assessment Types (5.5)
Risk Assessments
Vulnerability Assessments
Threat Assessments
Compliance (5.5)
Ensuring that information systems and security practices meet established standards, regulations, and laws
Audit Committee (5.5)
Group of people responsible for supervising the organization's audit and compliance functions
Internal Assessment (5.5)
An in-depth analysis to identify and assess potential risks and vulnerabilities in an organization's information systems
Self-Assessment (5.5)
Internal review conducted by an organization to gauge its adherence to particular standards or regulations
Independent Third-Party Audit (5.5)
Offers validation of security practices, fostering trust with customers, stakeholders, and regulatory authorities
Physical Pentesting (5.5)
Testing an organization's physical security through testing locks, access cards, security cameras, and other protective measures
Offensive Pentesting (5.5)
aka Red Team- Proactive approach that involves use of attack techniques, akin to real cyber threats, that seek and exploit system vulnerabilities
Defensive Pentest (5.5)
aka Blue Team- Reactive approach that entails fortifying systems, identifying and addressing attacks, and enhancing incident response times
Integrated Pentesting (5.5)
aka Purple Team- Combination of aspects of both offensive and defensive testing into a single penetration test
Reconnaissance (5.5)
An initial phase where critical information about a target system is gathered to enhance an attack's effectiveness
Active Reconnaissance (5.5)
Direct engagement with the target system, offering more information but with a higher detection risk
Passive Reconnaissance (5.5)
Gathering information without direct engagement with the target system, offering lower detection risk but less data (e.g. OSINT)
Known Environment (5.5)
Detailed target infrastructure information from the organization is received prior to the test
Partially Known Environment (5.5)
Involves limited information provided to testers, who may have partial knowledge of the system
Unknown Environment (5.5)
Testers receive minimal to no information about the target system
Metasploit (5.5)
Multi-purpose computer security and penetration testing framework that encompasses a wide array of powerful tools, enabling the execution of penetration tests
Attestation (5.5)
Similar to a pentest report but also includes proof (evidence) that supports the findings
Software Attestation (5.5)
Involves validating the integrity of software by checking that it hasn’t been tampered with or altered maliciously
Hardware Attestation (5.5)
Involves validating the integrity of hardware components
System Attestation (5.5)
Involves validating the security posture of a system