5.3 + 5.4 Third-Party Risk Assessment and Management + Effective Security Compliance + Audits and Assessments

purple team

A mode of penetration testing where red and blue teams share information and collaborate throughout the engagement.

Due Diligence

A new tech firm creates measures to ensure it adheres to all compliance and data privacy aspects. What describes the comprehensive assessment and evaluation of an organization's data protection practices and measures?

Blue Team (since HR is the one defending against the attack (red) carried out by IT)

A recent attack on the company involving a threat actor from another country prompted the security team to host regular penetration testing exercises. The attack involved the IT team and human resources because the breach occurred on an employee desktop. In the upcoming training, what role would the human resource team portray along with the IT team to simulate the recent attack and its experiences?

Global (General Data Protection Regulation)

An organization evaluates the legal implications of failing to protect privacy data after experiencing a breach. What level of influence does the GDPR have regarding legal implications?

okay

Data inventories provide a comprehensive overview of the types of data handled, the purposes for processing, the legal basis, and the recipients of the data, to ensure transparency and accountability.

okay

Due diligence in data protection describes the comprehensive assessment and evaluation of an organization's data protection practices and measures.

okay

Establishing rules of engagement (ROE) in a penetration testing engagement is essential to define the assessment's scope, testing methods, and timeframe. The IT team uses ROE to prevent unintended disruptions to critical services and ensure a smooth testing process.

okay

Footprinting means scanning for hosts, IP ranges, and routes between networks to map out the structure of the target network.

External Compliance

Internal or External Compliance? Adheres to regulatory requirements and provides high-level summaries of an organization's compliance performance; targets shareholders, customers, clients, regulators, vendors, and business partners, promoting accountability, transparency, and effective organizational compliance management.

Internal Compliance

Internal or External Compliance? Focuses on operational details and supports internal decision-making; targets risk managers, executives, security analysts, and privacy officers within the company.

yes

Scenario: A board of directors convenes a monthly meeting to discuss reports that the tech department was not meeting legal regulations. What are the impacts associated with sanctions? (Select the two best options.) 1) it can include financial penalties, legal liabilities, and loss of customer trust 2) it can be overseen by numerous governing bodies, such as regulatory authorities

Proprietary Information (key phrase "intellectual material")

Scenario: A company is very protective of its intellectual material. The fear of a breach by a curious public or competitors is an ongoing concern. As a result, the company put in place a dedicated server containing related highly sensitive data. Apply knowledge of data types and labels and select which type the company is protecting.

regulatory compliance (key phrase "meet all the relevant legal requirements to avoid fines, penalties...")

Scenario: A multinational company is looking to ensure that its global operations meet all the relevant legal requirements to avoid fines, penalties, and potential loss of reputation. What type of process is the company planning to implement?

External Examination (key phrase "unbiased")

Scenario: A multinational corporation wants to enhance its risk management procedures and validate that its systems, controls, and processes align with specific international standards, regulations, and best practices. Which approach should the organization consider to ensure an unbiased and comprehensive analysis of its security posture?

OSINT (open-source intelligence) (key phrase "basic internet research")

Scenario: A threat actor will use basic internet research to gather enough information about a local college to determine attack vectors. Which of the following BEST describes passive reconnaissance that involves little physical work to accomplish the task?

risk register (A risk register is a repository for documenting risks identified in an organization and includes information and steps to take regarding the risk. Common information found in a risk register is the specific risk, the likelihood of occurrence, and the action.)

Scenario: An information security officer creates a document that identifies downtime, the likelihood of occurrence, the probable impact of the downtime, and steps to mitigate the downtime and scores the likelihood based on defined security controls. What is the information security officer creating in this instance?

It allows the company to assess the vendor's security controls regularly.

Scenario: The IT department at a governmental agency is presently evaluating potential vendors for a new cloud-based service. The department has narrowed down the options to five vendors, each offering different features and security measures. The agency's management emphasizes data security and intends to ensure the authority to audit the security practices of the selected vendors. What will a right-to-audit clause signify for a technology company in a vendor contract?

Memorandum of Understanding (MOU) (key phrase "preliminary discussions")

Scenario: Two technology firms are in preliminary discussions to work together on several projects. The joint venture's goal entails providing support services to a broader customer base as an entity with shared resources. Each firm has its own customer base, custom-branded products, and established processes. Which of the following types of agreements BEST meets the firms' needs?

okay

The "right to be forgotten" is a fundamental principle outlined in the General Data Protection Regulation (GDPR) that grants individuals the right to request the erasure or deletion of their personal data under certain circumstances.

service enumeration

The process of identifying the services running on a remote system. This is the main focus of Nmap port scanning.

Memorandum of Agreement (MOA)

Type of Agreement: a formal agreement or contract that contains specific obligations rather than a broad understanding

Memorandum of Understanding (MOU)

Type of Agreement: a preliminary or exploratory agreement to express an intent to work together - they are relatively informal and do not act as a binding contract

Business Partner Agreement (BPA)

Type of Agreement: a type of partner agreement that large IT companies, such as Microsoft and Cisco, set up with resellers and solution providers

Non-Disclosure Agreement (NDA)

Type of Agreement: an agreement that provides a basis for protecting information assets. They can exist between companies and employees, between companies and contractors, or between two companies.

indemnification

definition: a legal concept that refers to the obligation of one party to compensate another party for losses, damages, liabilities, or expenses incurred as a result of certain specified events or actions. It is a contractual arrangement commonly used in various business agreements, contracts, and insurance policies to allocate risk and protect parties from financial harm.

white team

in a penetration test, this team is responsible for setting the rules of engagement and monitoring the exercise

Proprietary Information (Intellectual Property (IP))

information a company creates, typically about the products or services it makes or performs.

bug bounty

rewards given by software vendors for reporting vulnerabilities on their application or system

okay

the primary purpose of a Work Order (WO) or Statement of Work (SOW) is to define specific requirements and project deliverables expected from the vendor

right-to-audit clause

what clause in a vendor contract grants the tech company the authority to perform security audits on the vendor's practices, ensuring compliance with security requirements and identifying potential vulnerabilities or risks

footprinting

what reconnaissance term means scanning for hosts, IP ranges, and routes between networks to map out the structure of a target network
