5.0 - Security Program Management and Oversight
5.1 - Summarize elements of effective security governance.
Effective security governance includes establishing clear policies, implementing security standards, managing procedures, ensuring compliance with regulatory and legal requirements, and defining roles for data owners, controllers, processors, and custodians.
5.2 - Explain elements of the risk management process.
The risk management process involves identifying risks, conducting assessments, analyzing risks with qualitative and quantitative methods, calculating potential losses, and applying strategies like transferring, accepting, avoiding, or mitigating risks, while using Business Impact Analysis (BIA) to guide recovery and ensure ongoing preparedness.
5.3 - Explain the processes associated with third-party risk assessment and management.
Third-party risk assessment involves vendor assessments, due diligence, and continuous monitoring through methods like penetration testing, audits, and questionnaires to evaluate a vendor's security practices and compliance. On the management side, agreement types such as service-level agreements (SLAs), memoranda of understanding (MOUs), master service agreements (MSAs), and non-disclosure agreements (NDAs) establish service expectations, confidentiality obligations, and partnership terms.