Attestation
act of verifying or confirming the accuracy of something, such as financial statements or compliance with regulations
Internal
- within an organization
- self-assessments
- internal evaluations
compliance
adherence to laws, regulations, and standards set by regulatory bodies
external
- independent third-party audits by external entities
physical
- _____ aspect of security
- access control
- protection of _______ assets
passive reconnaissance
collecting info without directly interacting with the target system or network
- often through passive monitoring or data analysis
active reconnaissance
collecting info by directly interacting with the target system or network
- such as through scanning or probing
Anomalous behavior recognition
identifying unusual or unexpected actions or patterns that deviate from normal behavior and can indicate potential security threats
Risky Action
- posing a potential threat to the security of a system or sensitive info
Unexpected Actions
actions that deviate from the norm or expected behavior
- can indicate malicious intent or security vulnerabilities
unintentional actions
- actions occurring without purpose or awareness
- can lead to security incidents or breaches through human error
user guidance and training
provision of instructions, education, and resources to users to enhance their understanding of cybersecurity
situational awareness
- being cognizant of and attentive to the current environment
- in order to respond effectively
operational security
measures and practices implemented to protect sensitive info and systems during day-to-day operations, including access control, incident response, and security monitoring
initial occurrence
- starting instance of an event or action
- used in the context of identifying and addressing security incidents or breaches
vendor assessment
- evaluation of a vendor's security measures and compliance with relevant standards and regulations
evidence of internal audits
documentation demonstrating a vendor's internal audit activities and providing assurance of their adherence to established standards and practices
independent assessments
third-party evaluation conducted to assess a vendor's security controls
- provides objectivity and unbiased analysis
supply chain analysis
examination of a vendor's supply chain to identify potential risks and vulnerabilities that may impact the overall security of the organization
due diligence
comprehensive investigation and assessment of a vendor's background, capabilities, and reputation to ensure they meet required standards and expectations
(MOA) Memorandum of Agreement
terms, conditions, and obligations of an agreement between parties; often used for collaborative projects
(MOU) Memorandum of Understanding
non-binding agreement that outlines the intentions, goals, and general understanding between parties involved in a cooperative effort or negotiation
(WO)/(SOW) Work Order/Statement of Work
document that specifies the tasks to be performed
vendor monitoring
ongoing evaluation and oversight of a vendor's performance, adherence to contractual obligations, and compliance with relevant standards and regulations
Rules of Engagement
guidelines and protocols defining the boundaries, expectations, and procedures for conducting a vendor assessment
compliance reporting
process of reporting adherence to regulations and standards within an organization, involving documenting and communicating the extent to which the organization is complying with the required rules and guidelines
consequences of non compliance
- fines
- sanctions
- reputational damage
- loss of license
- contractual impacts
compliance monitoring
process of overseeing and evaluating adherence to regulations and standards, involving continuous monitoring, assessment, and reporting to ensure an organization is complying with the required rules and guidelines
Due diligence/care
careful attention to compliance requirements, involving taking proactive measures to understand and fulfill compliance obligations, including conducting risk assessments, implementing controls, and maintaining documentation
legal implications
consequences and effects under the law resulting from non-compliance with privacy regulations and standards; can include legal action, penalties, or other legal remedies
controller
determines the purpose and means of data processing
processor
carries out processing activities on behalf of the controller
ownership
determines who has the authority to make decisions regarding the collection, use, and sharing of data
data inventory
identifying and categorizing data
retention
how long data should be held based on legal, regulatory, or business requirements
incident response
addresses and mitigates security incidents
(SDLC) software development lifecycle
process for developing and maintaining software
governance boards
governance bodies responsible for making strategic decisions
governance committees
group responsible for specific governance tasks
system owner
responsible for IT system and data
data controller
responsible for data processing activities
data processor
entities that process data on behalf of a data controller
Data steward
responsible for what is stored in a data field
data custodian
responsible for the technical environment and database structure
Ad Hoc
done for a specific purpose or situation, typically not part of a regular or planned process
Risk analysis
process of analyzing risks using qualitative/quantitative methods to understand their nature, magnitude, and potential consequences
qualitative
assessing risks based on subjective factors such as expert opinions, experience, and judgement
quantitative
assessing risk based on measurable data and calculations, often using statistical models and numerical values
probability
likelihood or chance of a risk event occurring, often expressed as a numerical value or a qualitative assessment
likelihood
probability or chance of a risk event occurring, expressed as a numerical value or a qualitative assessment
Exposure Factor
percentage of loss caused by a risk event, indicating the extent to which the organization is vulnerable to the risk
risk register
document that records identified risks and their details, serving as a central repository for risk-related info
risk owners
responsible for managing and mitigating risks; accountable for the outcomes and actions related to specific risks
risk threshold
maximum acceptable level of risk an organization is willing to tolerate, beyond which action must be taken to reduce or mitigate the risk
risk tolerance
willingness of an organization to accept and manage risks, considering factors such as its objectives, resources, and risk appetite
risk appetite
organization's attitude toward taking risk, reflecting its willingness to pursue opportunities and accept potential losses
conservative
risk appetite that prioritizes caution and stability, focusing on minimizing potential losses and avoiding unnecessary risks
exemption
act of granting immunity from a specific risk, typically based on legal or regulatory provisions
Business Impact Analysis
assessment of the potential impact of a risk on business operations, considering factors such as financial loss, operational disruption, and reputational damage
(RTO) Recovery Time Objective
maximum acceptable downtime after a risk event, indicating the time within which business operations should be restored
(RPO) Recovery Point Objective
maximum acceptable data loss
Black Box Testing
Testing with no prior knowledge of system.
White Box Testing
Testing with full system knowledge.
Gray Box Testing
Partial knowledge testing approach.
Bug Bounty
Program where security researchers are rewarded for finding vulnerabilities.
Purple Team
Collaborative team that shares information between red and blue teams.
Rules of Engagement
Agreed-upon scope and boundaries for testing.
Passive Reconnaissance
Gathering info without interacting with target.
Active Reconnaissance
Direct interaction to collect info (e.g., scanning).
Secure Coding Practices
Guidelines to prevent software vulnerabilities.
Directory Traversal
Exploiting improper file path validation to access restricted files.
Mandatory Access Control (MAC)
System-enforced access, usually based on classification labels.
Discretionary Access Control (DAC)
Owner controls who can access resources.
Attribute-Based Access Control (ABAC)
Access based on policies evaluating attributes.
Privileged Access Management (PAM)
Tools for controlling and auditing admin accounts.
Demilitarized Zone (DMZ)
Isolated network segment between internal and external networks.
Chain of Custody
Documentation proving evidence was properly collected and handled.
Order of Volatility
Prioritizing collection of evidence that may disappear quickly (e.g., RAM).
Forensic Image
Bit-for-bit copy of a digital device for analysis.
Write Blocker
Device preventing modification of digital evidence during acquisition.
Timeline Analysis
Building a sequence of events from evidence.
File Carving
Recovering deleted files from unallocated disk space.
Legal Hold
Preservation of all data relevant to a legal investigation.
Live Forensics
Collecting volatile data from a running system.