Module 15: Risk Management and Data Privacy
When using SSH keys to authenticate users, how many keys are involved?
2 (a key pair: a private key held by the user and the matching public key installed on the server)
risk matrix/heatmap
A visual, color-coded grid that plots each risk by its likelihood against its impact.
Private
Restricted data with a medium level of confidentiality; available only to users who have a need to know the contents.
vendors
Entities from whom an organization purchases goods and services.
phishing simulations
Exercises to help employees recognize phishing emails.
mitigation
Addressing a risk by making the risk less serious.
phishing campaign
A broad initiative that uses a variety of tools to train users to resist phishing attacks.
Annualized Rate of Occurrence (ARO)
The expected number of times a risk will occur within a single year (e.g., an ARO of 0.5 means once every two years).
business partnership agreement (BPA)
A contract between two or more business partners that is used to establish the rules and responsibilities of each partner.
third-party solution
A data destruction technique that requires specialized equipment from an outside source.
likelihood of occurrence
A determination of how realistic the chance is that a given threat will compromise an asset.
terms of agreement
A document that defines what is expected from both the organization and its users.
memorandum of understanding (MOU)
A document that describes an agreement between two or more parties that is not legally enforceable.
privacy notice
A document that outlines how the organization uses personal information it collects.
fine
A financial penalty assessed against an organization as the result of a data breach.
risk appetite
A level of risk that is considered acceptable.
impact assessment
A means of measuring the consequences (financial, operational, reputational) that a realized risk would have on the organization's activities.
Risk Control Self-Assessment (RCSA)
A methodology by which management and staff at all levels collectively work to identify and evaluate risks.
external risk
A risk from outside an organization.
internal risk
A risk that comes from within an organization.
service-level agreement (SLA)
A service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service.
risk
A situation that involves exposure to some type of danger.
End of life (EOL)
A statement that a product has reached the end of its "useful life" and the manufacturer will no longer market, sell, or update it after a specified date.
End of service (EOS)
A statement that the end of support has been reached and no maintenance services or updates are provided.
reputation damage
A tarnished reputation to an organization as the result of a data breach.
acceptance
Acknowledging a risk but taking no steps to address it.
qualitative risk assessment
An approach that uses an "educated guess" based on observation and experience, expressing risk as labels (High, Medium, Low) rather than monetary values.
capture the flag (CTF)
An exercise in which a series of security challenges (each hiding a "flag" to be found) is set up as a competition between participants.
Which risk option describes an organization deciding not to construct a new data center because it would be located in an earthquake zone?
Avoidance
Proprietary
Data label for information that belongs to the enterprise and is not to be released outside it.
pulping
Breaking paper into wood cellulose fibers after the ink is removed to destroy the data on it.
data anonymization
Changing data so that there is not a means to reverse the process to restore the data back to its original state.
pseudonymization (also written pseudo-anonymization)
Changing data so there is a means to reverse the process to restore the data back to its original state.
business partners
Commercial entities with whom an organization has an alliance.
public notifications and disclosures
Contacting relevant stakeholders in the event of a data breach.
regulations that affect risk posture
Controls based upon regulatory requirements that may be required regardless of risk.
detective control
Controls designed to identify any threat that has reached the system.
Operational
Controls implemented and executed by people.
Technical
Controls that are incorporated as part of hardware, software, or firmware.
corrective control
Controls that are intended to mitigate or lessen the damage caused by an incident.
deterrent control
Controls that attempt to discourage security violations before they occur.
physical control
Controls that implement security in a defined structure and location.
preventative control
Controls that prevent the threat from coming in contact with the vulnerability.
compensating control
Controls that provide an alternative to normal controls that for some reason cannot be used.
Managerial
Controls that use administrative methods.
Data sovereignty
Country-specific requirements that apply to data.
Data masking
Creating a copy of the original data but obfuscating any sensitive elements.
shredding
Cutting paper into small strips or particles to destroy the data on it.
Whose job is it to ensure important data sets are developed, maintained, and accessible within their defined specifications?
Data Custodian
Protected Health Information (PHI)
Data about a person's health status, provision of health care, or payment for health care
Critical
Data classified according to availability needs; if critical data is not available, the function and mission would be severely impacted, so it must be rigorously protected.
Which uses data anonymization
Data masking
Sensitive
Data that could cause catastrophic harm to the company if disclosed, such as technical specifications for a new product
Personally Identifiable Information (PII)
Data that could potentially identify a specific individual
In an Active Directory environment, at which level can you assign the password policy?
Domain
When you create a user in a domain, to which of the group is the user added by default?
Domain Users
True or False: Governments cannot force companies to store data within specific countries.
False
True or False: Risk avoidance uses cybersecurity insurance.
False (buying insurance is risk transference, not avoidance)
True or False: Tokenization is a process that is part of data anonymization.
False (tokenization is reversible via the token vault, so it is a form of pseudonymization, not anonymization)
Which of the following allows you to add geographical information to the media, such as photographs?
Geotagging
Confidential
Highest level of data sensitivity; should only be made available to users with the highest level of pre-approved authorization.
avoidance
Identifying a risk but making the decision to not engage in the activity.
cybersecurity insurance
Insurance that protects an organization by monetary compensation in the event of a successful attack.
burning
Lighting paper on fire to destroy the data on it.
Data minimization
Limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specific task.
This is not a legally enforceable agreement but is still more formal than an unwritten agreement.
MOU
Public
No risk of release - data is assumed to be public if no other data label is attached
In which of the following threat classifications would a power blackout be classified?
Operational
Which control category includes conducting workshops to help users resist phishing attacks?
Operational
degaussing
Permanently destroying the data on an entire magnetic hard drive (and usually the drive itself) by reducing or eliminating its magnetic field; it has no effect on flash-based media such as SSDs.
This term refers to the processing of data so that it can no longer be attributed to a specific data subject without the use of additional information.
Pseudonymization
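The four data-protection techniques defined on this card set (masking, pseudonymization, tokenization, anonymization) differ mainly in whether, and with what "additional information", the original value can be recovered. The following is an added Python example, not part of the original flashcards, that applies each technique to a constructed, fictitious customer record; the function names, the HMAC key and the in-memory token vault are assumptions for illustration.

```python
"""Added example (not from the flashcard set): data masking, pseudonymization,
tokenization and anonymization applied to one constructed customer record."""
import hashlib
import hmac
import secrets

# Constructed sample record; every value is fictitious.
RECORD = {"name": "Ada Example", "email": "ada@example.com",
          "card": "4111111111111111", "age": 37, "zip": "90210"}


def mask(value: str, keep_last: int = 4, char: str = "*") -> str:
    """Data masking: keep the shape of the value but obfuscate the sensitive
    part. The masked copy cannot be reversed on its own."""
    if len(value) <= keep_last:
        return char * len(value)
    return char * (len(value) - keep_last) + value[-keep_last:]


def pseudonymize(value: str, key: bytes) -> str:
    """Pseudonymization: replace the identifier with a keyed hash (HMAC-SHA256).
    The same input always maps to the same pseudonym, so records can still be
    joined, but attributing it back to a person requires the key plus a lookup
    table of known inputs: the 'additional information' of the definition."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Tokenization: a random token stands in for the value; the vault is the
    additional information that makes it reversible, which is why tokenization
    is pseudonymization rather than anonymization."""

    def __init__(self) -> None:
        self._forward: dict[str, str] = {}
        self._reverse: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str) -> str:
        return self._reverse[token]


def anonymize(record: dict) -> dict:
    """Anonymization: drop the direct identifiers and generalize the
    quasi-identifiers (age into a 10-year band, ZIP to its 3-digit prefix).
    Nothing is retained that would let anyone reverse the process."""
    decade = record["age"] - record["age"] % 10
    return {"age_band": f"{decade}-{decade + 9}", "zip_prefix": record["zip"][:3]}


def protect(record: dict, key: bytes, vault: TokenVault) -> dict:
    """Combine the techniques into a record that analysts can work with."""
    local, domain = record["email"].split("@", 1)
    return {
        "name": pseudonymize(record["name"], key),       # joinable, not readable
        "email": mask(local, keep_last=1) + "@" + domain,  # a**@example.com
        "card": vault.tokenize(record["card"]),           # reversible via vault only
        "card_display": mask(record["card"]),             # ************1111
        **anonymize(record),                              # 30-39, 902
    }


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # assumed per-deployment secret
    out = protect(RECORD, key, vault)
    print(out)
    print("detokenized:", vault.detokenize(out["card"]))
```

Note that the keyed hash is only a pseudonym while the key stays secret: an unkeyed hash of a low-entropy value (a name, a card number) can be reversed by hashing candidate inputs, which is why the example uses HMAC rather than plain SHA-256.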
Which approach to risk calculation typically assigns a numeric value (1-10) or a label (High, Medium, or Low) to represent a risk?
Qualitative risk calculation
risk awareness
Raising of understanding of what risks exist, their potential impacts, and how they are managed.
Software compliance and licensing
Risks associated with violating software license agreements.
multiparty
Risks that impact multiple organizations.
Emiliano needs to determine the expected monetary loss every time a risk occurs. Which formula will he use?
SLE
role-based awareness training
Specialized training that is customized to the specific role that an employee holds in the organization.
IP theft
Stealing intellectual property such as an invention or a work that the organization or its customers may own.
Inherent risk
The current risk level given the existing set of controls, rather than the hypothetical level with no controls at all (note that some frameworks, such as NIST's, use "inherent risk" for the level before any controls are applied).
Single Loss Expectancy (SLE)
The expected monetary loss every time a risk occurs (SLE = asset value × exposure factor, where the exposure factor is the fraction of the asset's value lost in one occurrence).
Annualized Loss Expectancy (ALE)
The expected monetary loss for an asset due to a risk over a one-year period (ALE = SLE × ARO).
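The qualitative (risk matrix, labels) and quantitative (SLE, ARO, ALE) calculations on these cards are usually used together to decide whether a control is worth paying for. The following is an added Python example, not part of the original flashcards; the 3×3 matrix thresholds, the sample asset value, exposure factor, ARO and control costs are all assumed, constructed figures.

```python
"""Added example (not from the flashcard set): a qualitative risk matrix lookup
and a quantitative SLE/ARO/ALE cost-benefit check for a proposed control."""
from dataclasses import dataclass

# Qualitative side: 3x3 likelihood x impact heatmap (thresholds are assumed).
LEVELS = {"low": 1, "medium": 2, "high": 3}


def matrix_rating(likelihood: str, impact: str) -> str:
    """Return the heatmap cell colour/label for a likelihood-impact pair."""
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:      # high x medium, medium x high, high x high
        return "High"
    if score >= 3:      # anything involving a high or two mediums
        return "Medium"
    return "Low"


# Quantitative side.
def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: cost of one occurrence.
    exposure_factor is the fraction (0..1) of the asset's value lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy: expected loss per year."""
    return single_loss * aro


@dataclass
class ControlOption:
    name: str
    annual_cost: float   # what the control costs per year
    new_aro: float       # ARO expected after the control is in place
    new_ef: float        # exposure factor expected after the control


def evaluate_control(asset_value: float, ef: float, aro: float,
                     control: ControlOption) -> dict:
    """Compare ALE before and after a control, net of the control's cost.
    A positive net benefit argues for mitigation; otherwise accepting the
    risk (or choosing another treatment) is the cheaper option."""
    before = ale(sle(asset_value, ef), aro)
    after = ale(sle(asset_value, control.new_ef), control.new_aro)
    net = before - after - control.annual_cost
    return {"control": control.name, "ale_before": before, "ale_after": after,
            "net_benefit": net, "decision": "mitigate" if net > 0 else "accept"}


if __name__ == "__main__":
    # Constructed scenario: a $100,000 server, a ransomware event that costs
    # 25% of its value, expected once every two years (ARO 0.5).
    print(matrix_rating("medium", "high"))  # High
    offsite_backups = ControlOption("offsite backups", annual_cost=4_000,
                                    new_aro=0.5, new_ef=0.05)
    edr = ControlOption("EDR licence", annual_cost=9_000, new_aro=0.1, new_ef=0.25)
    for c in (offsite_backups, edr):
        print(evaluate_control(100_000, 0.25, 0.5, c))
```

The two constructed controls illustrate the point of the calculation: both reduce the ALE, but only the one whose annual cost is below the loss it prevents comes out with a positive net benefit.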
information life cycle
The flow of an information system's data (and metadata) from data creation to the time when it becomes obsolete.
control risk
The probability that financial statements are materially misstated because of failures in the system of controls used by an organization.
data sanitization
The process of irreversibly removing sensitive data from a data set or storage medium (e.g., by overwriting, cryptographic erasure, or physical destruction) so that it cannot be recovered.
asset value
The relative worth of an asset.
Residual risk
The risk level that remains after additional controls are applied.
Privacy
The state or condition of being free from public attention, observation, or interference to the degree that the person chooses.
Which is NOT a concern for users regarding the usage of their privacy data?
Timeliness of data
transference
Transferring the responsibility of a risk to a third party.
True or False: At a basic level, risk may be defined as a situation that involves exposure to some type of danger, while at a more advanced level, risk can be described as a function of threats, consequences of those threats, and the resulting vulnerabilities.
True
True or False: Those who collect data are not required by federal law to show consumers the information that has been collected about them or to provide a means of correcting it.
True
Computer-based training (CBT)
Using a computer to deliver instruction.
Gamification
Using game-based scenarios for instruction.
measurement system analysis (MSA)
Using scientific tools to determine the amount of variation that is added to a process by a measurement system.
Popular websites that act as an Identity Provider for a Web application consist of?
The web application itself, Google, GitHub, Facebook