Module 15: Risk Management and Data Privacy

When using SSH keys to authenticate users, how many keys are involved?

2

risk matrix/heatmap

A visual color-coded tool that lists the impact and likelihood of risks.

Private

Restricted data with a medium level of confidentiality For users who have a need-to-know basis of the contents

vendors

Entities from whom an organization purchases goods and services.

phishing simulations

Exercises to help employees recognize phishing emails.

mitigation

Addressing a risk by making the risk less serious.

phishing campaign

A broad initiative that uses a variety of tools to train users to resist phishing attacks.

Annualized Rate of Occurrence (ARO)

A calculation for determining the likelihood of a risk occurring within a year.

business partnership agreement (BPA)

A contract between two or more business partners that is used to establish the rules and responsibilities of each partner.

third-party solution

A data destruction technique that requires specialized equipment from an outside source.

likelihood of occurrence

A determination of how realistic the chance is that a given threat will compromise an asset.

terms of agreement

A document that defines what is expected from both the organization and its users.

memorandum of understanding (MOU)

A document that describes an agreement between two or more parties that is not legally enforceable.

privacy notice

A document that outlines how the organization uses personal information it collects.

fine

A financial penalty assessed against an organization as the result of a data breach.

risk appetite

A level of risk that is considered acceptable.

impact assessment

A means for measuring the effectiveness of the organization's activities.

Risk Control Self-Assessment (RCSA)

A methodology by which management and staff at all levels collectively work to identify and evaluate risks.

external risk

A risk from outside an organization.

internal risk

A risk that comes from within an organization.

service-level agreement (SLA)

A service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service.

risk

A situation that involves exposure to some type of danger.

End of life (EOL)

A statement that a product has reached the end of its "useful life" and the manufacturer will no longer market, sell, or update it after a specified date.

End of service (EOS)

A statement that the end of support has been reached and no maintenance services or updates are provided.

reputation damage

A tarnished reputation to an organization as the result of a data breach.

acceptance

Acknowledging a risk but taking no steps to address it.

qualitative risk assessment

An approach that uses an "educated guess" based on observation.

capture the flag (CTF)

An exercise in which a series of challenges is planted as a competition between participants.

To which risk option would he classify the action that the organization has decided not to construct a new a data center because it would be located in an earthquake zone?

Avoidance

Proprietary

Belongs to the enterprise

pulping

Breaking paper into wood cellulose fibers after the ink is removed to destroy the data on it.

data anonymization

Changing data so that there is not a means to reverse the process to restore the data back to its original state.

pseudo-anonymization

Changing data so there is a means to reverse the process to restore the data back to its original state.

business partners

Commercial entities with whom an organization has an alliance.

public notifications and disclosures

Contacting relevant stakeholders in the event of a data breach.

regulations that affect risk posture

Controls based upon regulatory requirements that may be required regardless of risk.

detective control

Controls designed to identify any threat that has reached the system.

Operational

Controls implemented and executed by people.

Technical

Controls that are incorporated as part of hardware, software, or firmware.

corrective control

Controls that are intended to mitigate or lessen the damage caused by an incident.

deterrent control

Controls that attempt to discourage security violations before they occur.

physical control

Controls that implement security in a defined structure and location.

preventative control

Controls that prevent the threat from coming in contact with the vulnerability.

compensating control

Controls that provide an alternative to normal controls that for some reason cannot be used.

Managerial

Controls that use administrative methods.

Data sovereignty

Country-specific requirements that apply to data.

Data masking

Creating a copy of the original data but obfuscating any sensitive elements.

shredding

Cutting paper into small strips or particles to destroy the data on it.

Whos job is it to ensure important data sets are developed, maintained and are accessible within their defined specifications

Data Custodian

Protected Health Information (PHI)

Data about a person's health status, provision of health care, or payment for health care

Critical

Data classified according to availability needs; if critical data not available, the function and mission would be severely impacted- must be rigorously protected

Which uses data anonymization

Data masking

Sensitive

Data that could cause catastrophic harm to the company if disclosed, such as technical specifications for a new product

Personally Identifiable Information (PII)

Data that could potentially identify a specific individual

In an Active Directory environment, at which level can you assign the password policy?

Domain

When you create a user in a domain, to which of the group is the user added by default?

Domain Users

True or False: Governments cannot force companies to store data within specific countries.

False

True or False: Risk avoidance uses cybersecurity insurance.

False

True or False: Tokenization is a process that is part of data anonymization.

False

Which of the following allows you to add geographical information to the media, such as photographs?

Geotagging

Confidential

Highest level of data sensitivity Should only be made available to users with highest level of pre-approved authentication

avoidance

Identifying a risk but making the decision to not engage in the activity.

cybersecurity insurance

Insurance that protects an organization by monetary compensation in the event of a successful attack.

burning

Lighting paper on fire to destroy the data on it.

Data minimization

Limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specific task.

This is not a legally enforceable agreement but is still more formal than an unwritten agreement.

MOU

Public

No risk of release - data is assumed to be public if no other data label is attached

In which of the following threat classifications would a power blackout be classified?

Operational

Which control categories includes conducting workshops to help users resist phishing attacks?

Operational

degaussing

Permanently destroying an entire hard drive by reducing or eliminating its magnetic field.

this terms refers to the processing of data so that it can no longer be attributed to a specific data subject without the use of additional information?

Pseudonymization

Which approaches to risk calculation typically assigns a numeric value (1-10) or label (High, Medium, or Low) to represent a risk?

Qualitative risk calculation

risk awareness

Raising of understanding of what risks exist, their potential impacts, and how they are managed.

Software compliance and licensing

Risks associated with violating software license agreements.

multiparty

Risks that impact multiple organizations.

Emiliano needs to determine the expected monetary loss every time a risk occurs. Which formula will he use?

SLE

role-based awareness training

Specialized training that is customized to the specific role that an employee holds in the organization.

IP theft

Stealing intellectual property such as an invention or a work that the organization or its customers may own.

Inherent risk

The current risk level given the existing set of controls.

Single Loss Expectancy (SLE)

The expected monetary loss every time a risk occurs.

Annualized Loss Expectancy (ALE)

The expected monetary loss for an asset due to a risk over a one-year period.

information life cycle

The flow of an information system's data (and metadata) from data creation to the time when it becomes obsolete.

control risk

The probability that financial statements are materially misstated because of failures in the system of controls used by an organization.

data sanitization

The process of cleaning data to provide privacy.

asset value

The relative worth of an asset.

Residual risk

The risk level that remains after additional controls are applied.

Privacy

The state or condition of being free from public attention, observation, or interference to the degree that the person chooses.

Which is NOT a concern for users regarding the usage of their privacy data?

Timeliness of data

transference

Transferring the responsibility of a risk to a third party.

True or False: At a basic level, risk may be defined as a situation that involves exposure to some type of danger, while at a more advanced level, risk can be described as a function of threats, consequences of those threats, and the resulting vulnerabilities.

True

True or False: those who collect data are not required by federal law to show consumers information that has been collected about them or provide a means of correcting it.

True

Computer-based training (CBT)

Using a computer to deliver instruction.

Gamification

Using game-based scenarios for instruction.

measurement system analysis (MSA)

Using scientific tools to determine the amount of variation that is added to a process by a measurement system.

Popular websites that act as an Identity Provider for a Web application consist of?

Web application itself Google Github Facebook