Security+ Flashcards

The process of identifying, assessing, and responding to threats to organizational assets. Steps: Risk Identification → Risk Assessment (qualitative or quantitative) → Risk Response → Monitoring. Key formulas: SLE = Asset Value × Exposure Factor; ALE = SLE × ARO. Aims to reduce risk to acceptable levels.

Four approaches to handling identified risks: Accept (acknowledge and live with it), Avoid (eliminate the risk-causing activity), Transfer (shift risk to a third party — insurance, outsourcing), Mitigate (implement controls to reduce probability or impact). Residual risk remains after controls are applied.

Process to identify and evaluate the potential effects of a disaster or disruption on critical business functions. Determines priorities for recovery. Key outputs: critical business functions identification, RTO and RPO for each function, and financial impact estimates. Forms the basis for business continuity planning.

A proactive plan to ensure critical business functions continue during and after a disaster. Broader than disaster recovery (which focuses on IT). Covers people, processes, and facilities. Includes alternate work locations, communication plans, and manual backup procedures. Tested through tabletop exercises and simulations.

EU regulation governing data privacy and protection of EU residents' personal data. Key requirements: lawful basis for processing, data subject rights (access, erasure, portability), breach notification within 72 hours, data protection by design, and appointing a DPO. Applies to any organization processing EU data. Fines up to €20M or 4% of global revenue.

US law protecting the privacy and security of Protected Health Information (PHI). Three rules: Privacy Rule (patient rights, data use), Security Rule (administrative, physical, technical safeguards for ePHI), Breach Notification Rule (report breaches within 60 days). Applies to covered entities and business associates.

Payment Card Industry Data Security Standard — requirements for organizations that handle credit card data. 12 main requirements covering: network security, cardholder data protection, vulnerability management, access control, monitoring, and security policy. Quarterly vulnerability scans and annual penetration testing required.

A formal document that defines an organization's security requirements, objectives, and responsibilities. Types: Acceptable Use Policy (AUP), Information Security Policy, Incident Response Policy, Password Policy, BYOD Policy, Remote Access Policy. Must be approved by leadership, communicated to all staff, and enforced.

A contract between a service provider and customer that defines expected service quality, availability, and performance standards. In security: defines uptime requirements, incident response times, data protection obligations, and audit rights. Non-compliance may trigger penalties or contract termination.

Voluntary framework developed by NIST for improving critical infrastructure cybersecurity. Five functions: Identify (understand risks), Protect (implement safeguards), Detect (identify incidents), Respond (take action), Recover (restore capabilities). Widely used for risk management and security program structure.

Qualitative assessment uses subjective scales (High/Medium/Low) and expert judgment — faster but less precise. Quantitative assessment uses numerical values (SLE, ALE, ARO) to calculate financial impact — more precise but requires accurate data. Most organizations use a combination of both approaches.

Key risk quantification formulas: SLE (Single Loss Expectancy) = Asset Value × Exposure Factor (EF) — cost of one incident. ARO (Annualized Rate of Occurrence) — expected frequency per year. ALE (Annualized Loss Expectancy) = SLE × ARO — expected annual cost. Used to justify security control costs (control cost should be < ALE).

Legal contract establishing confidential relationship between parties, protecting sensitive information shared during business dealings. Commonly used with employees, contractors, vendors, and business partners. Defines what information is confidential, obligations of receiving party, duration, and consequences of breach.

Classifications by knowledge: Black box (tester has no prior knowledge — simulates external attacker), White box (full knowledge of infrastructure, source code — most thorough), Gray box (partial knowledge — simulates insider or partner). Also: Red team (adversarial simulation), Blue team (defenders), Purple team (combined).

Ongoing education program to help employees recognize and respond to security threats. Key topics: phishing recognition, social engineering, password security, physical security, data handling, and reporting procedures. Includes simulated phishing campaigns to test awareness. Required by many regulations (HIPAA, PCI-DSS).

Adhering to laws, regulations, standards, and contractual obligations relevant to the organization. Frameworks: GDPR, HIPAA, PCI-DSS, SOX, ISO 27001, NIST. Compliance does not equal security, but security supports compliance. Requires documentation, technical controls, training, and regular audits.

A systematic, independent examination to evaluate whether security controls, processes, and policies are properly designed and operating effectively. Types: Internal (self-assessment), External (independent third party), Regulatory (by regulatory authority). Produces findings, recommendations, and compliance assessment.

The right of individuals to control how their personal information is collected, used, and shared. Organizations must implement privacy principles: data minimization, purpose limitation, storage limitation, transparency, data subject rights. Privacy and security are related but distinct — you can have security without privacy, not vice versa.

A policy defining acceptable behaviors and prohibited actions when using organizational IT resources (computers, internet, email, software). Sets expectations, protects the organization legally, and reduces risk. Users typically sign AUP during onboarding. Violations can result in disciplinary action.

The process of identifying, assessing, and mitigating risks associated with vendors, suppliers, and business partners who have access to your systems or data. Steps: vendor assessment, contractual controls (right to audit, security requirements), ongoing monitoring, and termination procedures. Supply chain risk is a major concern.

A discussion-based session where team members talk through their response to a hypothetical emergency scenario without actually executing procedures. Tests understanding of incident response plans, identifies gaps, and improves coordination. Low cost, no operational disruption. Example: "What would you do if we discovered ransomware right now?"

A centralized function staffed with security analysts that continuously monitors, detects, analyzes, and responds to cybersecurity incidents. The heart of an organization's security operations. Uses SIEM, IDS/IPS, threat intelligence, and EDR tools. 24/7 operation for enterprise organizations.

Evidence-based knowledge about existing or emerging threats that can be used to make informed security decisions. Types: Strategic (high-level trends for executives), Tactical (TTPs — Tactics, Techniques, Procedures), Operational (specific attack details), and Technical (indicators of compromise, malware hashes, IPs). Sources: ISACs, government feeds, commercial vendors.

A policy specifying how long different categories of data must be kept before secure deletion. Driven by legal requirements (IRS=7 years, HIPAA=6 years, GDPR=minimum necessary), operational needs, and compliance. Must balance storage costs with legal obligations. Secure destruction methods: shredding, degaussing, cryptographic erasure.