What are Information Security Policies?
list of all security
What is AUP?
acceptable use policy, what is the allowed use of technology
What is business continuity?
the outline of procedures to ensure an organization maintains critical operations and protects its assets, employees, and customers during unexpected disruptions
What is a disaster recovery plan?
documented, structured approach outlining how an organization responds to unplanned incidents
What are security incidents policies?
steps to address security incidents
What are the different roles in an incident response?
incident response team, IT security management, compliance officers, technical staff, initial users
What is NIST?
national institute of standards and technology, computer security incident handling guide
What is SDLC?
systems development life cycle, frameworks outlining the development steps
What are change management standards?
how to make a change to a system
What are security standards?
formal definition for using security technologies and processes
What are access control standards?
who has access to view what information
What are physical security standards?
rules and policies regarding physical security controls, granting physical access
What are change management procedures?
formal process for managing change
What are the steps of change management?
Scope, risk, plan, user approval, approach board, implement and document changes
What is onboarding?
creating a new user account and providing tech
What is offboarding?
proper allocation of hardware and data when an account is deactivated
What is a playbook?
steps to follow for certain situations
What is a SOAR?
security orchestration, automation, and response, used to integrate cyber tools and automated processes
What are the governance structures?
boards, committees, government entities, and centralized/decentralized governance
What are boards?
the people in charge of setting the tasks/requirements for the committees
What are committees?
the experts in designated areas, determine resource allocation and present results to board
What are government entities?
a different kind of machine that deals with legal concerns, administrative requirements, and political issues
What are centralized structures?
governance is located in one location with a group of decision makers
What are decentralized structures?
governance spreads the decision
What are regulatory considerations?
regulations are mandated security processes (ex: SOX for financial data, HIPAA for healthcare info)
What are legal considerations?
security team's legal responsibilities such as reporting illegal activity, holding data for legal proceedings, breach notifications, and cloud computing ramifications
What are industry considerations?
specific security requirements per industry (ex: financial = more rules, medical = high security with logs/encryption)
What is geographical security scope?
the scale of security concerns based on company reach
What is SOX?
Sarbanes
What is HIPAA?
regulates the proper storage of healthcare information
Who is a data owner?
accountable for specific data, often a senior officer/manager
Who is a data controller?
manages how the data is used
Who is a data processor?
uses the data itself
Who is a data custodian/steward?
responsible for data accuracy, privacy, and security, and ensures compliance with data laws/requirements
What is risk identification?
understanding potential risks, weaknesses, and vulnerabilities
What is risk management?
managing potential risk by qualifying internal/external threats and planning contingencies
What is a risk assessment?
the evaluation of risk, either one
What is an ad hoc assessment?
one specific assessment, such as for a new threat
What is a recurring assessment?
internal evaluations done on standard intervals
What is qualitative risk assessment?
identifies significant risk factors, displayed visually through a grid
What is ARO?
Annualized Rate of Occurrence, how likely a risk will occur in a year
What is AV?
Asset Value, the value of the asset to the organization including cost, impact, and effect
What is EF?
Exposure Factor, the percentage of value lost due to an incident
What is SLE?
Single Loss Expectancy, monetary loss if a single event occurs (AV x EF)
What is ALE?
Annualized Loss Expectancy, monetary loss of events in a year (ARO x SLE)
What are the impact categories?
life, property, safety, and finance
What is risk likelihood?
qualitative measurement of risk (rare, possible, almost certain)
What is risk probability?
quantitative/statistical measurement of risk
What is risk appetite?
description of risk
What is risk tolerance?
an acceptable variance from the risk appetite
What is a risk register?
level of risk mapped for each new project, includes key risk indicators, risk owners, and risk thresholds
What is a risk threshold?
the point where the cost of mitigation equals the value gained by mitigation
What is risk transfer?
moving the risk to another party (ex: cybersecurity insurance)
What is risk acceptance?
a business decision to take on the risk
What is acceptance with exemption?
a security policy or regulation cannot be followed, going beyond regulation scope (may need approval)
What is acceptance with exception?
internal security policies are not applied, an exception alters the timeline
What is risk avoidance?
no need to pursue because it is no longer a threat
What is risk mitigation?
decreasing the risk level by investing in security systems
What is risk reporting?
formal document used to identify risks, used for decisions on resources, budgeting, and security tasks
What is RTO?
Recovery Time Objective, timeframe for how long it takes to get back up and running
What is RPO?
Recovery Point Objective, the point in time where systems are back up (ex: 75% or 12 months of data restored)
What is MTTR?
Mean Time to Repair, average time to fix an issue including diagnosis
What is MTBF?
Mean Time Between Failures, the time between outages (total uptime / number of breakdowns)
What is third-party risk?
What is penetration testing?
simulating an attack by exploiting vulnerabilities, often a compliance mandate done by 3rd parties
What are rules of engagement?
defines purpose and scope of a pen test: scene, time of day, on/off limits, and how to handle sensitive info
What is a right-to
What is supply chain analysis?
examining all organizations, people, activities, and resources involved in creating a product to identify vulnerabilities
What is an independent assessment?
an external evaluation that provides a different perspective on operations/security
What is the vendor selection process?
due diligence and checking for conflicts of interest (ex: vendor working with a competitor, related parties)
What is vendor monitoring?
ongoing management of vendor relationships with frequent reviews
What are questionnaires?
security
What is an SLA?
Service Level Agreement, minimum terms for services provided by a third party
What is an MOU?
Memorandum of Understanding, a formal non
What is an MOA?
Memorandum of Agreement, the next step above an MOU where both sides conditionally agree to the objectives
What is an MSA?
Master Service Agreement, legal contract setting broad terms used as a framework for future projects
What is a WO/SOW?
Work Order / Statement of Work, specific list of items to be completed under an MSA, including scope, location, deliverables, and acceptance criteria
What is an NDA?
Non
What is a BPA?
Business Partners Agreement, financial and ownership agreements when going into business together
What is compliance?
meeting the standards of laws, policies, and regulations; penalties include fines, loss of employment, and incarceration
What is internal compliance reporting?
monitoring/reporting organizational compliance efforts; large orgs use a Central Compliance Officer (CCO)
What is external compliance reporting?
documentation required by external/industry regulators; may be annual or ongoing
What is GLBA?
Gramm
What are consequences of noncompliance?
reputational damage, loss of license, and contractual impacts
What is compliance monitoring?
ensuring compliance in day
What is due diligence?
investigating and verifying; often associated with third
What is due care?
acting honestly and in good faith; tends to refer to internal activities
What is attestation and acknowledgment?
executive accountability for ensuring everything is done in good faith
What are privacy legal implications?
an evolving set of guidelines at local/regional, national, and global levels
What is GDPR?
General Data Protection Regulation, an EU regulation for data protection and privacy that controls where personal data goes
What is a data subject?
any information relating to an identified or identifiable natural person (name, ID, address, characteristics, location)
What is a data inventory?
a list of all managed data including owner, update frequency, and format
What is internal use of data inventory?
project collaboration, IT security, and data quality checks
What is external use of data inventory?
selecting data to share publicly while following laws and regulations
What is a cybersecurity audit?
examines IT infrastructure, software, and devices to check effectiveness of policies and find vulnerabilities; internal or 3rd party
What is attestation (audit)?
an auditor provides an opinion of truth/accuracy on a company's cybersecurity posture
What is an internal audit?
compliance review done by an audit committee or via self
What is an audit committee?
oversees risk management activities
What is an external audit?
audit by an independent 3rd party, often based on regulatory requirements and including hands