This common security practice requires something you know plus something you have, like a password and a phone prompt.
What is multi-factor authentication (MFA)?
This BC law governs how TransLink protects personal information and handles privacy requests.
What is FIPPA (Freedom of Information and Protection of Privacy Act)?
The type of risk that remains after mitigation controls have been implemented.
What is Residual Risk?
This attack method bombards a user with repeated MFA push prompts, betting that the user will eventually approve one just to make them stop.
What is MFA fatigue?
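As an added example (not part of the original quiz), here is the detection logic a SOC would run over authentication logs to spot MFA fatigue: a burst of push prompts to one account inside a short window, and whether that burst ended in an approval. The log format, field names, user names and IP addresses are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not real TransLink data). The line
# format and field names are assumptions made for this example.
SAMPLE_LOG = """\
2024-05-01T02:14:03Z user=jdoe event=mfa_push result=denied src=203.0.113.5
2024-05-01T02:14:41Z user=jdoe event=mfa_push result=denied src=203.0.113.5
2024-05-01T02:15:20Z user=jdoe event=mfa_push result=timeout src=203.0.113.5
2024-05-01T02:16:02Z user=jdoe event=mfa_push result=denied src=203.0.113.5
2024-05-01T02:16:55Z user=jdoe event=mfa_push result=denied src=203.0.113.5
2024-05-01T02:17:30Z user=jdoe event=mfa_push result=approved src=203.0.113.5
2024-05-01T08:00:10Z user=asmith event=mfa_push result=approved src=198.51.100.7
2024-05-01T12:30:00Z user=asmith event=mfa_push result=denied src=198.51.100.7
2024-05-01T17:45:12Z user=asmith event=mfa_push result=approved src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Report bursts of >= threshold push prompts to one user inside `window`.

    A burst that ends in an approval is the case that matters: the user has
    given in, and that session should be treated as attacker-controlled.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)

    findings = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(pushes):
            # Extend j as far as the window starting at pushes[i] allows.
            j = i
            while j + 1 < len(pushes) and pushes[j + 1]["ts"] - pushes[i]["ts"] <= window:
                j += 1
            burst = pushes[i:j + 1]
            if len(burst) >= threshold:
                findings.append({
                    "user": user,
                    "prompts": len(burst),
                    "first": burst[0]["ts"],
                    "last": burst[-1]["ts"],
                    "approved": any(e["result"] == "approved" for e in burst),
                    "sources": sorted({e["src"] for e in burst}),
                })
                i = j + 1  # move past this burst so it is reported once
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        state = "APPROVED - treat session as compromised" if f["approved"] else "all denied"
        print(f"{f['user']}: {f['prompts']} prompts {f['first']:%H:%M}-{f['last']:%H:%M}, {state}")
```

On the constructed sample, jdoe gets one finding (six prompts in under four minutes, ending in an approval) and asmith none, because three prompts spread across a working day never fall inside one window. Number matching (typing a code shown on the login screen into the phone) and a cap on prompts per account per hour take away the attacker's ability to spam at all; a detection like this covers the period before those controls are in place and verifies that they work afterwards.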
This is the first step in managing cyber risk. It involves finding out what systems, data, and technology are important to the organization and what could potentially harm them.
What is Risk Identification?
This principle says users should only have the minimum access needed to do their jobs — nothing more.
What is least privilege?
Compass Card systems must follow this global standard to secure credit card data used for fare payments.
What is PCI DSS?
The assessment performed after a vendor is selected to identify threats and risks associated with the proposed solution.
What is a Security Threat and Risk Assessment (STRA)?
This concept sounds like having trust issues with everyone — including your own network.
What is Zero Trust?
Once risks are identified, this step helps determine how likely they are to happen and how much damage they could cause to the business.
What is Risk Assessment?
This periodic process requires managers to review and confirm their team members' access rights, often quarterly.
What is an access review (or access certification/recertification)?
When TransLink reviews whether Developers only have access to systems required for their job, this principle is being enforced.
What is the Principle of Least Privilege?
The standard duration of a Risk Exception before renewal is required.
What is 12 months?
This is the cybersecurity version of an unannounced exam.
What is Phishing Simulation?
After a cyber risk is rated as high, this step decides what action to take, such as reducing the risk, accepting it, avoiding it, or transferring it through insurance.
What is Risk Treatment?
When an employee transfers departments but keeps accumulating old permissions along the way, it's called this.
What is privilege creep (or access creep)?
This defines the “rules of the road” for employees: what they must or must not do.
What is a Policy?
The contract appendix used to ensure security controls, incident reporting, audit rights, and other security obligations are enforceable on a third-party vendor.
What is a Security Schedule?
The “V-VIP edition” of phishing — going after the biggest targets.
What is Whaling?
Cyber risks change over time. This step involves regularly checking that security controls are working and watching for new threats or vulnerabilities.
What is Risk Monitoring?
This class of controls prevents a single person from holding two conflicting permissions, like creating a vendor and approving payments to them.
What is segregation of duties (SoD)?
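The two access-hygiene clues above, privilege creep and segregation of duties, are the checks an automated access review actually runs. As an added example (not the page's own material), the script below takes a constructed entitlement export and HR department feed, flags users holding both halves of a toxic permission pair, and flags grants that came from a department the user has since left. User names, department names, permission names and the conflict pairs are all assumptions for this example.

```python
from collections import defaultdict

# Constructed entitlement export (not real TransLink data): (user, department
# that granted the access, permission). All names are assumptions.
ENTITLEMENTS = [
    ("mlee", "Finance", "vendor.create"),
    ("mlee", "Finance", "payment.approve"),
    ("rkhan", "Finance", "vendor.create"),      # kept after moving to Procurement
    ("rkhan", "Procurement", "po.approve"),
    ("rkhan", "Engineering", "git.admin"),      # kept from an even earlier role
    ("tng", "Engineering", "git.admin"),
]

# Each user's current department according to the HR feed (constructed).
CURRENT_DEPT = {"mlee": "Finance", "rkhan": "Procurement", "tng": "Engineering"}

# Toxic combinations: no single person may hold both halves of a pair.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"po.create", "po.approve"}),
}


def permissions_by_user(entitlements):
    held = defaultdict(set)
    for user, _dept, perm in entitlements:
        held[user].add(perm)
    return held


def find_sod_violations(entitlements, conflicts=SOD_CONFLICTS):
    """Return {user: [(perm_a, perm_b), ...]} for every toxic pair a user holds."""
    violations = {}
    for user, perms in permissions_by_user(entitlements).items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)
        if hits:
            violations[user] = hits
    return violations


def find_privilege_creep(entitlements, current_dept):
    """Return {user: [(granting_dept, perm), ...]} for grants that came from a
    department the user no longer belongs to. A user missing from the HR feed
    (e.g. terminated) has every grant flagged, which is the right outcome."""
    stale = defaultdict(list)
    for user, dept, perm in entitlements:
        if dept != current_dept.get(user):
            stale[user].append((dept, perm))
    return {u: sorted(v) for u, v in stale.items()}


def access_review_queue(entitlements, current_dept):
    """Combine both checks into one per-user worklist for the review cycle."""
    queue = defaultdict(list)
    for user, pairs in find_sod_violations(entitlements).items():
        for a, b in pairs:
            queue[user].append(f"SoD conflict: {a} + {b}")
    for user, grants in find_privilege_creep(entitlements, current_dept).items():
        for dept, perm in grants:
            queue[user].append(f"stale grant from {dept}: {perm}")
    return dict(queue)


if __name__ == "__main__":
    for user, items in sorted(access_review_queue(ENTITLEMENTS, CURRENT_DEPT).items()):
        print(user)
        for item in items:
            print("  -", item)
```

On the constructed data, mlee is the SoD case (can create a vendor and approve payments to it) and rkhan is the privilege-creep case (still holds Finance and Engineering grants after moving to Procurement); tng is clean. Feeding the queue to the quarterly manager review gives the reviewer specific items to revoke or re-justify instead of a flat list of everything a person can do.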
This model separates ownership and execution of controls (first line) from risk oversight (second line) and independent assurance (third line).
What is the Three Lines of Defense Model?
A company that has no direct contract with the organization but provides services to one of its vendors.
What is a Fourth Party?
Ironically, the group most likely to pass a phishing simulation perfectly is also the least useful in a real attack.
Who are Users Who Don't Read Emails?
This step keeps executives and the board informed about the organization's cyber risks, major issues, and progress in reducing those risks.
What is Risk Reporting?