16 - Security Policies, Standards, and Compliance

Question 1

Joe is authoring a document that explains to system administrators one way in which they might comply with the org’s requirement to encrypt all laptops. What type of document is Joe writing?

Answer 1

Guideline

Question 2

Concerning PCI DSS compensating controls, assess the following statement as True or False: Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.

Answer 2

False: compensating controls for PCI DSS must go “above and beyond” all other PCI DSS requirements.

Question 3

What law creates privacy obligations for those who handle the personal information of European Union residents?

Answer 3

The General Data Protection Regulation (GDPR)

Question 4

Which one of the following is NOT one of the fire core security functions defined by the NIST Cybersecurity Framework?

• Identify
• Contain
• Respond
• Recover

Answer 4

Contain

The five core functions are: Identify, Protect, Detect, Respond, and Recover

Question 5

What ISO standard provides guidance on privacy controls?

Answer 5

ISO 27701

Question 6

Which of the following documents must normally be approved by the CEO or similarly high-level executive?

Answer 6

Policy

Question 7

Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use?

Answer 7

Master Service Agreement (MSA)

Question 8

What organization is known for creating independent security benchmarks covering hardware and software platforms from many different vendors?

Answer 8

Center for Internet Security (CIS)

Question 9

What type of security policy often serves as a backstop for issues not addressed in other policies?

Answer 9

The Code of Conduct

Question 10

What would normally be found in an organization’s information security policy?

Answer 10

Statement of “The Importance of Cybersecurity”, Delegation of Authority, and Designation of Responsible Executive

Question 11

Tonya discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation?

Answer 11

Acceptable Use Policy (AUP)

Question 12

What compliance obligation applies to merchants and service providers who work with credit card information?

Answer 12

Payment Card Industry Data Security Standard

PCI DSS

Question 13

What policy would typically answer questions about when an organization should destroy records?

Answer 13

Data Retention Policy

Question 14

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. What control would best suit Colin’s need?

Answer 14

Mandatory Vacations

Question 15

Which of the following security policy framework components does not contain mandatory guidance for individuals without an org?

• Policy
• Standard
• Procedure
• Guideline

Answer 15

Guideline

Question 16

The board of directors of Kate’s company recently hired an independent firm to review the state of the org’s security controls and certify those results to the board. What term best describes this engagement?

Answer 16

Audit

Question 17

Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote admin access to servers in his org. What type of document is Allan writing?

Answer 17

Standard

Question 18

Which of the following items is NOT normally included in a request for an exception to security policy?

• Description of a compensating control
• Description of the risks associated with exception
• Proposed revision to the security policy
• Business justification for the exception

Answer 18

Proposed revision to the policy - Exceptions are the variances away from policy due to technical and business requirements.