Lesson 5

Inherent Risk

the level of risk before any type of mitigation has been attempted

EF

Exposure Factor (EF). The EF is the percentage of the asset value that would be lost.

NDA

Non-Disclosure Agreement

CSA CCM

Cloud Security Alliance Cloud Controls Matrix (CSA CCM) is a framework that provides guidance in security domains, including application security, identity and access management, mobile security, encryption and key management, and data center operations.

STIG

Department of Defense Cyber Exchange provides Security Technical Implementation Guides (STIGs) with hardening guidelines for a variety of software and hardware solutions.

SOX

Sarbanes-Oxley Act

ISO 27002

a supplementary standard that focuses on the information security controls that organizations might choose to implement.

Avoidance

e act of stopping a risk-bearing activity and not related to change management. For example, removing a faulty product from the market is a strategy employed to avoid risk.

EOL

end of life. When a product will no lon ger be sold

RTO

The recovery time objective (RTO) identifies the maximum time it takes to recover a system in the event of an outage. It is not part of a quantitative risk assessment.

Employees in a company are required to complete an annual security awareness and prevention course. Each quarter, the employees participate in computer-based disaster and recovery exercises. Employees are continuously subjected to phishing campaigns to test the likelihood of exploitation. What method is the company using to encourage the employees to retain vital security information?

Training diversity is a mix of training techniques in the form of workshops, seminars, gamification, etc. to foster user engagement and retention.

A popular entertainment company is onboarding a new employee. The company has completed preliminary interview steps and due diligence. Internal security is of high importance, so HR is preparing all of the documentation for the formal employment process. In implementing the process, which solution should the company use to assist with internal security issues?

When an employee or contractor signs a Non-Disclosure Agreement (NDA), they are confirming they will not share confidential information with a third party. Signing such a contract legally protects internal intellectual property.

control risk

a measure of how much less effective a security control has become over time. Control risk can also refer a security control that was never effective in mitigating inherent risk.

PC DSS

a set of 12 requirements aimed to ensure companies that process, store, or transmit credit card information maintain a secure environment.

ISO 27001

a standard that sets out the best practice specification for an information system. The ISO guides information security by addressing people and processes as well as technology.

Privilege Bracketing

an account management practice that involves giving users permission to a resource for the duration of a specific project or a need-to-know situation.

Workflow

an onboarding process that involves identifying the roles and permissions users need. A workflow is often a visual representation of an organization, organized by permissions and account types.

Data Processor

collects and analyzes data based on a data collector's set of predefined instructions.

data steward

is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata, and that data is collected and stored in a format that complies with regulations

SOC TYPE 2

provides assurances about the effectiveness of controls in place in an organization within a given timeframe.

ISO 27701

provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving an information system with private data.

Which data and privacy law ensures executives within a financial institution take individual responsibility for the accuracy of financial reporting?

the Sarbanes-Oxley (SOX) Act helps protect investors from fraudulent financial reporting by large corporations. The law created strict rules for financial representatives and imposed more rigorous recordkeeping requirements

Residual Risk

the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.

GLBA

"Graham-Leach-Bliley Act" (Financial Services Modernization Act of 1999) repealed a 1933 law that barred the consolidation of financial institutions and insurance companies. Included within GLBA are multiple sections relating to the privacy of financial information. Companies must provide written notice to consumers of their privacy rights and explain the company's procedures for safeguarding data.

CIS-RAM

(CIS) publishes the "20 CIS Controls." The Risk Assessment Method (CIS-RAM) can be used to perform an overall evaluation of security posture.

DPO

(data privacy officer) Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.

A malware security breach occurred at a small firm. A maintenance agreement put in place by the IT support company has not been honored since numerous security updates were missing on all computer systems. When reviewing company agreements, which type is for support?

A Service Level Agreement (SLA) is a contractual agreement setting out detailed terms (including support metrics) for future provided services.

An information security officer creates a document that identifies downtime, likelihood of occurrence, the probable impact of the downtime, and steps to mitigate the downtime and scores the likelihood based on defined security controls. What is the information security officer creating?

A risk register is a repository for documenting risks identified in an organization and includes information and steps to take regarding the risk. Common information found in a risk register is the specific risk, the likelihood of occurrence, and the action to take.

A transportation application provides cargo and personnel information to interface partners for in-transit visibility purposes. Due to Personally Identifiable Information (PII) concerns, the application must conceal the data. A sample export provides the following information: 697-4X-XXXX 07SW-01-DENS Which of the following de-identification methods has the transportation application implemented?

Data masking is a de-identification tactic that takes all or part of the contents of a data field and substitutes character strings with a simple character to conceal the Personally Identifiable Information (PII).

DRP

Disaster Recovery Plan

ISO 31000

ISO Standard related to Risk Management

A logistics detail facility must maintain transportation data up to 365 days after transaction closeout. At the creation of the transaction, the logistics planner tags the information contained in the file according to classification. The transaction data is protected until disposal. Which data model does this best represent?

Information Lifecycle Model

The simultaneous use of which of the following components demonstrates layered security? (Select all that apply.)

Layered security is the practice of providing prevention, detection, and response simultaneously as defense in depth. It includes multiple forms of security. A firewall filters traffic. It can be used for a single host or between networks. It regulates both inbound and outbound traffic, providing a layer of security inbound and out. Antivirus software scans systems in real-time for malware, including worms, trojans, and viruses. If any of these are found, the antivirus software will quarantine the threat and notify its user. An intrusion detection system can detect attacks. Collectively, this system makes up layered security.

Analyze and select the statements that accurately distinguish the differences between Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF). (Select all that apply.)

MTTF should be used for non-repairable assets, while a server (repairable by replacing the hard drive) would be described with an MTBF. MTTF and MTBF can determine the amount of asset redundancy a system should have.

An organization internally implemented checks and balances as part of a separation of duties program. The goal is to deter the possibility of critical systems or procedures compromised by insider threats. Which policies are helpful when implementing such a program? (Select all that apply.)

Mandatory vacations occur when a company forces its employees to take their vacation time, and someone else fulfills the position during their absence. During this time, discrepancies in employee activity can occur. A mandatory vacation policy is part of a separation of duties plan. Job rotation implies that no one person is permitted to remain in the same job for an extended period of time. This ensures information/knowledge is not tied too firmly to one individual. A job rotation policy is part of a separation of duties plan.

RPO

Recovery Point Objective. A Recovery Point Objective identifies a point in time where data loss is acceptable. It is related to the RTO and the BIA often includes both RTOs and RPOs.

SLE

Single Loss Expectancy

A company needs to evaluate the overall security posture of the firm. Analyze the following options to determine which is the best solution.

The Center for Internet Security (CIS) publishes the "20 CIS Controls." The Risk Assessment Method (CIS-RAM) can be used to perform an overall evaluation of security posture.

CIS-CAT

The Center for Internet Security Configuration Access Tool (CIS-CAT) can be used with automated vulnerability scanners to test compliance against these benchmarks.

A legacy application is preparing to migrate its client-server infrastructure to a cloud environment. The capability delivery manager submits a request for a proposal to various cloud service providers (CSPs). What standardized metric should the CSPs use to evaluate themselves for the project?

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) is a framework that provides guidance in security domains, including application security, identity and access management, mobile security, encryption and key management, and data center operations.

Which of the following represents the role in an enterprise organization responsible for the end-to-end protection of personally identifiable information (PII)?

The Data Privacy Officer (DPO) is the role mandated by the General Data Protection Regulation (GDPR) that ensures the processing, disclosure, and retention complies with regulatory frameworks.

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) maps to which of the following compliance standards? (Select all that apply.)

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a security policy for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cybersecurity attacks. It maps to CSA CCM. The Sarbanes-Oxley (SOX) Act helps to protect investors from fraudulent financial reporting by large corporations. It maps to CSA CCM. The International Organization for Standardization (ISO) is an international standard for information technology security. It maps to CSA CCM.

A large online retailer is responsible for protecting consumer accounts by encrypting transmitted data, using and maintaining firewalls to prevent unauthorized access, restricting data and physical access to accounts, and maintaining access logs. These requirements are part of which benchmark for consumer data protection?

The Payment Card Data Security Standard (PC DSS) is a set of 12 requirements aimed to ensure companies that process, store, or transmit credit card information maintain a secure environment.

A company wants to determine the Single Loss Expectancy (SLE) for a critical server. What formula will the company use to calculate the SLE?

The Single Loss Expectancy (SLE) is the amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF). The EF is the percentage of the asset value that would be lost.

Which Service Organization Control (SOC) level of reporting in the Statements on Standards for Attestation Engagements (SSAE) assesses the ongoing effectiveness of the security architecture of a system in a certain period of time?

A Service Organization Control (SOC) Type II report provides assurances about the effectiveness of controls in place in an organization within a given timeframe.

In an effort to allocate permissions appropriately when assigning new user permissions, an information assurance manager draws an organizational chart representing each division's distribution of permissions. The manager uses this to determine which allocations and permissions each role will have. What process is the information assurance manager executing in this scenario?

A workflow is an onboarding process that involves identifying the roles and permissions users need. A workflow is often a visual representation of an organization, organized by permissions and account types.

GDPR

General data protection regulation (2016) companies have 2 years to transition to GDPR compliance (from EU directive) after the final text is published

NCP

National Checklist Program (NCP), by the National Institute of Standards and Technology (NIST), provides checklists and benchmarks for a variety of operating systems and applications.

NIST

National Institute of Standards and Technology. provides a security policy for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cybersecurity attacks. It maps to CSA CCM.

SOC Type 1

Report on management's description of a service organization's system and the suitability of the design of controls

Employees at a large financial firm must sign a Rules of Behavior document agreeing that they will not provide information where they work or what their job function is to other websites. In addition, the employees will not use non-organizational sites on the company laptops. IT admin will monitor employees regularly. If admin discovers suspicious activity, which procedure can the company administer with the employee?

Social media analysis is the process of gathering and analyzing data from social media platforms. Employees who sign consent can subject themselves to having their social media accounts analyzed.

SSAE

Statements on Standards for Attestation Engagements. Audit Specification guide developed for accountants/

Which of the following requires informed consent before data can be collected, processed or retained?

The European Union's General Data Protection Regulation (GDPR) states that personal data cannot be collected, processed, or retained without the individual's informed consent. Informed consent means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese.

ARO

The annual rate of occurrence (ARO) indicates the number of times the loss will occur within a year. It is a part of the quantitative risk assessment.

A company is determining what should be in a contract with a new Cloud Service Provider (CSP). Which resource from the Cloud Security Alliance will give the company the baseline level of security competency that the CSP should meet?

The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms. The cloud controls matrix lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.

Which of the following are included in a quantitative risk assessment? (Select all that apply.)

The single loss expectancy (SLE) represents the cost of any single item loss. It is part of the quantitative risk assessment. The annual rate of occurrence (ARO) indicates the number of times the loss will occur within a year. It is a part of the quantitative risk assessment. The annual loss expectancy (ALE) is the single loss expectancy (SLE) times the annual rate of occurrence (ARO). It is a part of the quantitative risk assessment.

Sarbanes-Oxley Act (SOX)

helps to protect investors from fraudulent financial reporting by large corporations. It maps to CSA CCM.

Confidential

information is secret and is considered highly sensitive data. This type of information is intended to remain in the trust of an identified group or organization.

SOC Type 3

not as detailed of a report certifying compliance with SOC2.

A global transportation company completes a risk assessment against their information technology infrastructure and would like to implement a cybersecurity framework to help manage their information security by addressing people and processes, as well as technology. Which is the best solution for the company to purchase?

nternational Organization for Standardization (ISO) 27001 is a standard that sets out the best practice specification for an information system. The ISO guides information security by addressing people and processes as well as technology.

An employee is responsible for protecting the privacy and rights of data used and transmitted by an organization. The employee dictates the procedures and purpose of data usage. Which governance role for oversight does the employee maintain?

A data controller is responsible for determining why and how data is stored, collected, and used within a lawful manner. They define what a data processor should collect and why. A data controller has the highest responsibility of data privacy breaches.

A data controller is preparing to negotiate analytics terms with a third-party processor. Which of the following might the controller discuss with the third party? (Select all that apply.)

A data controller is responsible for making decisions regarding the purpose of data processing. They determine why the personal data should be collected, what it should be used for, and how it is stored. A data controller decides the type of personal data that the data processor should collect, which is determined during negotiating. A data controller decides the legal means in how the data will be collected, stored, and used.

A new job has become available at a firm that utilizes several important databases. The new job is ultimately responsible for enforcing access control and data encryption. Analyze the job titles and consider the responsibilities of each. Which job role has most likely become available?

A data custodian is responsible for managing the system where the data assets are stored. This includes responsibility for enforcing access control, encryption, along with backup and recovery measures.

A third-party vendor collects and analyzes data for a paint supply retailer website. The retailer specifically asks for information, such as what colors customers are searching for regularly and what quantity customers request the most. Which of the following best describes the third-party vendor?

A data processor collects and analyzes data based on a data collector's set of predefined instructions.

A systems analyst conducts an impact analysis to identify critical assets and components in an infrastructure. This evaluation aids in identifying the steps taken to restore a system in the event of a failure. What is the systems analyst creating?

A disaster recovery plan (DRP) is part of a continuity plan that identifies critical assets and components of a system. The disaster recovery plan prioritizes the list and identifies what to restore and in what order to restore each asset. A risk assessment quantifies and qualifies risks to a system based on variable values.

Risk Register

A document in which the results of risk analysis and risk response planning are recorded.

A multinational company is assessing risk appetite and how risks could affect mission essential functions in different regions, such as complying with local regulations and licensing to avoid financial risk or addressing security risks, and adjusting risk posture to compensate. Recommend a tool or technology that will help the assessment team find solutions to security challenges categorized by regulatory requirements and their impacts on risk posture.

A risk or impact assessment matrix, or heat map, is a chart that enables one to identify issues according to risk severity or impact.

The systems administrator of a financial firm is required to document a new backup and restore methodology for senior management. Data retention is of great concern. Which area must the systems administrator focus attention on when documenting the backup process?

Archives refer to sets of data. Since data retention is a high-priority, the systems admin should establish and/or review an archive plan to ensure data sets are held for the appropriate length of time.

ISA

Interconnection Security Agreement. USED WHEN ANY FEDERAL AGENCY INTEWRCONNECTING ITS IT SYSTEWMS TO A THIRD PARTY./

ISO

International Organization for Standardization (ISO) is an international standard for information technology security. It maps to CSA CCM.

A large organization has just hired a new employee to oversee compliance of data with regulatory frameworks. One of the immediate tasks assigned to the new employee is to ensure data retention is in accordance with regulations. Which role accurately defines the new employee's responsibilities within the company?

Privacy Officer

What type of risk describes the likelihood and impact of a risk after mitigation, transference, or acceptance measures have been applied?

Residual risk is the likelihood and impact after specific mitigation, transference, or acceptance measures have been applied.

ALE

The annual loss expectancy (ALE) is the single loss expectancy (SLE) times the annual rate of occurrence (ARO). It is a part of the quantitative risk assessment.

CM plan

The documented product of crisis management planning; a plan that shows the organization's intended efforts to protect its personnel and respond to safety threats.

The Department of Defense issues a mandate that within 365 days they will no longer support Internet Explorer. This includes application software, servers, and standard desktop configurations throughout the department. Which of the following does the mandate imply?

The end of service life (EOSL) describes when a vendor will no longer support a product. As well, updates and patches will no longer be produced.

A business continuity plan indicates that a system can only be down for a maximum of eight hours. Data within the past seven days must still be accessible once the system returns to service. What does the data availability time frame represent?

The recovery point objective (RPO) identifies a point in time that data loss is acceptable. In the event of a system failure, the company may lose some data, but the RPO is the last seven days.