5.0 Governance, Risk, and Compliance

5.1 Compare and contrast various types of controls.

Category
--- Managerial
--- Operational
--- Technical
Control type
--- Preventive
--- Detective
--- Corrective
--- Deterrent
--- Compensating
--- Physical

5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture.

Regulations, standards, and legislation
--- General Data Protection Regulation (GDPR)
--- National, territory, or state laws
--- Payment Card Industry Data Security Standard (PCI DSS)
Key frameworks
--- Center for Internet Security (CIS)
--- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/Cybersecurity Framework (CSF)
--- International Organization for Standardization (ISO) 27001/27002/27701/31000
--- SSAE SOC 2 Type I/II
--- Cloud Security Alliance
     --- Cloud control matrix
     --- Reference architecture
Benchmarks/secure configuration guides
--- Platform/vendor-specific guides
     --- Web server
     --- OS
     --- Application server
     --- Network infrastructure devices

5.3 Explain the importance of policies to organizational security.

Personnel
--- Acceptable use policy
--- Job rotation
--- Separation of duties
--- Least privilege
--- Clean desk space
--- Background checks
--- Non-disclosure agreement (NDA)
--- Social media analysis
--- Onboarding
--- Offboarding
--- User training
     --- Gamification
     --- Capture the flag
     --- Phishing campaigns
          --- Phishing simulations
     --- Computer-based training (CBT)
     --- Role-based training
Diversity of training techniques
Third-party risk management
--- Vendors
--- Supply chain
--- Business partners
--- Service level agreement (SLA)
--- Memorandum of understanding (MOU)
--- Measurement systems analysis (MSA)
--- Business partnership agreement (BPA)
--- End of life (EOL)
--- End of service life (EOSL)
--- NDA
Data
--- Classification
--- Governance
--- Retention
Credential policies
--- Personnel
--- Third party
--- Devices
--- Service accounts
--- Administrator/root accounts
Organizational policies
--- Change management
--- Change control
--- Asset management

5.4 Summarize risk management processes and concepts.

Risk types
--- External
--- Internal
--- Legacy systems
--- Multiparty
--- IP theft
--- Software compliance/licensing
Risk management strategies
--- Acceptance
--- Avoidance
--- Transference
     --- Cybersecurity insurance
--- Mitigation
Risk analysis
--- Risk register
--- Risk matrix/heat map
--- Risk control assessment
--- Risk control self-assessment
--- Risk awareness
--- Inherent risk
--- Residual risk
--- Control risk
--- Risk appetite
--- Regulations that affect risk posture
--- Risk assessment types
     --- Qualitative
     --- Quantitative
--- Likelihood of occurrence
--- Impact
--- Asset value
--- Single loss expectancy (SLE)
--- Annualized loss expectancy (ALE)
--- Annualized rate of occurrence (ARO)
Disasters
--- Environmental
--- Person-made
--- Internal vs. external
Business impact analysis
--- Recovery time objective (RTO)
--- Recovery point objective (RPO)
--- Mean time to repair (MTTR)
--- Mean time between failures (MTBF)
--- Functional recovery plans
--- Single point of failure
--- Disaster recovery plan (DRP)
--- Mission essential functions
--- Identification of critical systems
--- Site risk assessment

5.5 Explain privacy and sensitive data concepts in relation to security.

Organizational consequences of privacy and data breaches
--- Reputation damage
--- Identity theft
--- Fines
--- IP theft
Notifications of breaches
--- Escalation
--- Public notifications
Data types
--- Classifications
     --- Public
     --- Private
     --- Sensitive
     --- Confidential
     --- Critical
     --- Proprietary
--- Personally identifiable information (PII)
--- Health information
--- Financial information
--- Government data
--- Consumer data
Privacy enhancing technologies
--- Data minimization
--- Data masking
--- Tokenization
--- Anonymization
--- Pseudo-anonymization
Roles and responsibilities
--- Data owners
--- Data controller
--- Data processor
--- Data custodian/steward
--- Data protection officer (DPO)
Information life cycle
Impact assessment
Terms of agreement
Privacy notice