16 - Security Policies, Standards, and Compliance Flashcards

Questions 11 and 19 have been omitted for brevity. Objective: Explain the importance of applicable regulations, standards, policies, or frameworks that impact organizational security postures.

1
Q

Joe is authoring a document that explains to system administrators one way in which they might comply with the org’s requirement to encrypt all laptops. What type of document is Joe writing?

A

Guideline

2
Q

Concerning PCI DSS compensating controls, assess the following statement as True or False: Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.

A

False: compensating controls for PCI DSS must go “above and beyond” all other PCI DSS requirements.

3
Q

What law creates privacy obligations for those who handle the personal information of European Union residents?

A

The General Data Protection Regulation (GDPR)

4
Q

Which one of the following is NOT one of the five core security functions defined by the NIST Cybersecurity Framework?

  • Identify
  • Contain
  • Respond
  • Recover
A

Contain

The five core functions are Identify, Protect, Detect, Respond, and Recover.

5
Q

What ISO standard provides guidance on privacy controls?

A

ISO 27701

6
Q

Which of the following documents must normally be approved by the CEO or similarly high-level executive?

A

Policy

7
Q

Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use?

A

Master Service Agreement (MSA)

8
Q

What organization is known for creating independent security benchmarks covering hardware and software platforms from many different vendors?

A

Center for Internet Security (CIS)

9
Q

What type of security policy often serves as a backstop for issues not addressed in other policies?

A

The Code of Conduct

10
Q

What would normally be found in an organization’s information security policy?

A

Statement of “The Importance of Cybersecurity”, Delegation of Authority, and Designation of Responsible Executive

11
Q

Tonya discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation?

A

Acceptable Use Policy (AUP)

12
Q

What compliance obligation applies to merchants and service providers who work with credit card information?

A

Payment Card Industry Data Security Standard (PCI DSS)

13
Q

What policy would typically answer questions about when an organization should destroy records?

A

Data Retention Policy

14
Q

Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that occur despite the presence of other security controls. What control would best suit Colin’s need?

A

Mandatory Vacations

15
Q

Which of the following security policy framework components does not contain mandatory guidance for individuals within an org?

  • Policy
  • Standard
  • Procedure
  • Guideline
A

Guideline

16
Q

The board of directors of Kate’s company recently hired an independent firm to review the state of the org’s security controls and certify those results to the board. What term best describes this engagement?

A

Audit

17
Q

Allan is developing a document that lists the acceptable mechanisms for securely obtaining remote admin access to servers in his org. What type of document is Allan writing?

A

Standard

18
Q

Which of the following items is NOT normally included in a request for an exception to security policy?

  • Description of a compensating control
  • Description of the risks associated with exception
  • Proposed revision to the security policy
  • Business justification for the exception
A

Proposed revision to the policy. Exceptions are variances away from the policy driven by technical and business requirements; they do not change the policy itself.