Domain 5: Security Program Management and Oversight Review (56 of 61)

Domain 5 – Section A Review: Governance and Risk (10 Questions)

This section integrates:

  • Governance Structures and Security Policies
  • Risk Identification
  • Risk Analysis and Assessment
  • Third-Party Risk Management

Security+ expects you to understand how governance frameworks, risk management processes, and vendor oversight work together to protect the organization.


1. Governance and Policy Frameworks

Governance provides the structure for making and enforcing security decisions:

Policies define what must be done.
Standards define how it must be done.
Procedures define the step-by-step process.

  • Policy — high-level statement of intent and direction (mandatory).
  • Standard — specific, measurable requirements that support a policy.
  • Procedure — detailed steps to accomplish a task.
  • Guideline — recommended best practice (not mandatory).
  • Frameworks — NIST CSF, ISO 27001, CIS Controls provide governance structure.

Policies must be reviewed and updated regularly. Outdated policies create false confidence and compliance gaps.


2. Risk Identification

Risk identification is the foundation of risk management:

  • Risk register — formal documentation of identified risks, likelihood, impact, and mitigation status.
  • Risk assessment — systematic process to identify and evaluate risks.
  • Threat intelligence — external data about emerging threats relevant to the organization.
  • Business impact analysis (BIA) — identifies critical processes and the impact of disruption.

You cannot manage a risk you have not identified.
The risk register is the single source of truth for known risks.

3. Risk Analysis Methods

Risk can be analyzed qualitatively or quantitatively:

  • Qualitative — categorizes risks as high/medium/low based on judgment. Faster but less precise.
  • Quantitative — assigns dollar values to risk. ALE = SLE x ARO.
  • SLE (Single Loss Expectancy) — the cost of one occurrence.
  • ARO (Annualized Rate of Occurrence) — how often the event is expected per year.
  • ALE (Annualized Loss Expectancy) — the expected annual cost of the risk.

Risk response options:

  • Mitigate — reduce the risk with controls.
  • Transfer — shift the risk to a third party (insurance, outsourcing).
  • Accept — acknowledge the risk with documented approval.
  • Avoid — eliminate the risk by discontinuing the activity.
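The following is an added worked example, not part of the original review: a small risk register that applies ALE = SLE x ARO to each entry, ranks open risks by expected annual loss, and compares a proposed control's annual cost against the ALE it removes (that last comparison is the cost-justification step Question 2's reasoning refers to, carried through in code). All risk names and dollar figures are constructed sample data; `Risk`, `prioritize` and `control_benefit` are names chosen for this example.

```python
# Added example (not from the original page): a minimal risk register with
# quantitative analysis. Entries, figures and function names are constructed.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float             # Single Loss Expectancy: cost of one occurrence ($)
    aro: float             # Annualized Rate of Occurrence: expected events/year
    status: str = "open"   # mitigation status tracked in the register

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def prioritize(register):
    """Open risks ordered by ALE, highest expected annual loss first.
    Accepted risks stay in the register but drop out of the work queue."""
    return sorted((r for r in register if r.status == "open"),
                  key=lambda r: r.ale(), reverse=True)


def control_benefit(risk, new_aro, annual_control_cost):
    """Net annual value of a control that lowers the event rate to new_aro.
    Positive means the control costs less than the ALE it removes."""
    ale_after = risk.sle * new_aro
    return (risk.ale() - ale_after) - annual_control_cost


# Constructed register; the first entry is the Question 2 scenario.
REGISTER = [
    Risk("Server drive destroyed by power surge", sle=5_000, aro=2),
    Risk("Laptop with unencrypted data lost", sle=20_000, aro=0.4),
    Risk("SaaS vendor outage halts order processing", sle=50_000, aro=0.1),
    Risk("Legacy kiosk defaced", sle=1_000, aro=1, status="accepted"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"${r.ale():>9,.0f}/yr  {r.name}")
    surge = REGISTER[0]
    # Hypothetical UPS: assumed to eliminate surge losses, costing $1,200/yr.
    print("UPS net annual benefit:",
          control_benefit(surge, new_aro=0.0, annual_control_cost=1_200))
```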

4. Third-Party Risk Management

Vendors and partners extend the organization's risk surface:

  • Vendor assessments — evaluate security posture before and during engagement.
  • SLAs (Service Level Agreements) — define security expectations contractually.
  • Right to audit clauses — enable verification of vendor security practices.
  • Supply chain risk — compromised vendors become attack vectors.

Your security is only as strong as your weakest vendor.
Trust but verify — contractual controls enable oversight.

Section A Decision Pattern

When unsure in Domain 5 Section A:

  1. Distinguish between policy (what), standard (how), and procedure (steps).
  2. Use the risk register to track and manage identified risks.
  3. Apply ALE = SLE x ARO for quantitative risk questions.
  4. Risk acceptance requires documented, authorized approval.
  5. Third-party risk requires both contractual and technical controls.

Section A – Practice Questions


Question 1

An organization creates a document requiring all laptops to use full-disk encryption with AES-256. What type of document is this?

A. Standard
B. Policy
C. Procedure
D. Guideline

Answer & reasoning

Correct: A

A standard specifies measurable requirements (AES-256 encryption on all laptops). A policy would state that sensitive data must be protected. A procedure would describe the steps to enable encryption. A guideline would recommend encryption without mandating it.


Question 2

A server's hard drive is valued at $5,000. A power surge is expected to occur twice per year, and each occurrence would destroy the drive. What is the ALE?

A. $2,500
B. $5,000
C. $10,000
D. $15,000

Answer & reasoning

Correct: C

ALE = SLE x ARO. SLE is $5,000 (cost per occurrence) and ARO is 2 (twice per year). $5,000 x 2 = $10,000 annualized loss expectancy. This value justifies the cost of controls like a UPS or surge protector.


Question 3

After a risk assessment, management decides the cost of mitigating a low-probability risk exceeds the potential loss. They formally document this decision. What risk response is this?

A. Risk mitigation
B. Risk transfer
C. Risk acceptance
D. Risk avoidance

Answer & reasoning

Correct: C

Risk acceptance means the organization acknowledges the risk and decides not to mitigate it, typically because the cost of controls exceeds the potential loss. The key requirement is formal documentation and authorized approval of the decision.


Question 4

A company's primary SaaS vendor suffers a data breach, exposing customer records that the company shared for processing. Who bears responsibility for notifying affected customers?

A. The company that shared the data
B. The SaaS vendor exclusively
C. Both parties share responsibility equally
D. Neither — the customers must discover it themselves

Answer & reasoning

Correct: A

The organization that collected and owns the customer data retains responsibility for notification, regardless of where the breach occurred. Third-party processing does not transfer the organization's obligation to its customers. This is why vendor contracts should include breach notification clauses.


Question 5

An organization identifies a critical risk but does not have the internal expertise to manage it. They purchase a cybersecurity insurance policy. What risk response is this?

A. Risk mitigation
B. Risk avoidance
C. Risk acceptance
D. Risk transfer

Answer & reasoning

Correct: D

Risk transfer shifts the financial impact of a risk to a third party. Cybersecurity insurance is a common risk transfer mechanism. The risk still exists, but the financial consequence is borne by the insurance provider rather than the organization alone.


Question 6

During a vendor assessment, a critical supplier refuses to provide their latest security audit report and rejects a right-to-audit clause. What should the organization do?

A. Accept the vendor based on their reputation
B. Proceed with the contract and hope for the best
C. Escalate the risk and consider alternative vendors
D. Waive the security requirements to maintain the relationship

Answer & reasoning

Correct: C

A vendor that refuses transparency about their security posture represents an unquantifiable risk. The organization should escalate this to risk management and evaluate alternative vendors. Proceeding without visibility into the vendor's security creates unacceptable exposure.


Question 7

A risk register lists 47 identified risks. Management asks the security team to prioritize remediation. What is the MOST effective approach?

A. Prioritize by likelihood and business impact
B. Address risks alphabetically
C. Address the most recently identified risks first
D. Remediate the cheapest risks first

Answer & reasoning

Correct: A

Risk prioritization considers both likelihood (how probable) and impact (how severe). High-likelihood, high-impact risks should be addressed first. Cost of remediation is a factor but not the primary prioritization criterion. A risk matrix helps visualize this prioritization.


Question 8

A security team conducts a qualitative risk assessment and categorizes a data breach risk as "high likelihood, high impact." Management asks for a dollar estimate. What should the team recommend?

A. Use the qualitative result as-is
B. Perform a quantitative risk analysis to calculate ALE
C. Ignore the risk because qualitative assessments are sufficient
D. Transfer the risk immediately without further analysis

Answer & reasoning

Correct: B

When management needs financial estimates, a quantitative analysis (SLE x ARO = ALE) provides the dollar values needed for budget justification and cost-benefit analysis. Qualitative analysis is a starting point; quantitative analysis provides the precision management needs for financial decisions.


Question 9

An organization discovers that a critical business process relies entirely on a single vendor with no alternative. What risk concept does this represent?

A. Risk mitigation
B. Single point of failure
C. Risk acceptance
D. Vendor lock-in

Answer & reasoning

Correct: D

Vendor lock-in occurs when an organization becomes so dependent on a single vendor that switching is prohibitively difficult or costly. This creates concentration risk because the organization's operations depend on that vendor's availability and performance. While it is also a single point of failure, vendor lock-in is the more specific and complete description.


Question 10

A security policy was last updated three years ago. Several of its requirements reference deprecated technologies and no longer reflect current operations. What is the PRIMARY concern?

A. The policy is too short
B. The policy creates a false sense of compliance
C. The policy uses incorrect formatting
D. The policy needs more technical detail

Answer & reasoning

Correct: B

An outdated policy creates a false sense of compliance because the organization may believe it is following security requirements that no longer apply to current operations. Regular policy review ensures alignment with current technology, threats, and business processes.
