16 - Security Policies, Standards, and Compliance Flashcards
Questions 11 and 19 have been omitted for brevity.
Objective: Explain the importance of applicable regulations, standards, policies, or frameworks that impact organizational security postures.
Joe is authoring a document that explains to system administrators one way in which they might comply with the org’s requirement to encrypt all laptops. What type of document is Joe writing?
Guideline
Concerning PCI DSS compensating controls, assess the following statement as True or False: Controls used to fulfill one PCI DSS requirement may be used to compensate for the absence of a control needed to meet another requirement.
False: a PCI DSS compensating control must meet the intent and rigor of the original requirement and go “above and beyond” the other PCI DSS requirements, so a control already needed to satisfy one requirement cannot also be counted as compensating for the absence of another.
What law creates privacy obligations for those who handle the personal information of European Union residents?
The General Data Protection Regulation (GDPR)
Which one of the following is NOT one of the five core security functions defined by the NIST Cybersecurity Framework?
- Identify
- Contain
- Respond
- Recover
Contain
The five core functions are: Identify, Protect, Detect, Respond, and Recover. (NIST CSF 2.0, released in 2024, adds Govern as a sixth function; “Contain” has never been one of them.)
What ISO standard provides guidance on privacy controls?
ISO 27701
Which of the following documents must normally be approved by the CEO or similarly high-level executive?
Policy
Greg would like to create an umbrella agreement that provides the security terms and conditions for all future work that his organization does with a vendor. What type of agreement should Greg use?
Master Service Agreement (MSA)
What organization is known for creating independent security benchmarks covering hardware and software platforms from many different vendors?
Center for Internet Security (CIS)
What type of security policy often serves as a backstop for issues not addressed in other policies?
The Code of Conduct
What would normally be found in an organization’s information security policy?
Statement of “The Importance of Cybersecurity”, Delegation of Authority, and Designation of Responsible Executive
Tonya discovers that an employee is running a side business from his office, using company technology resources. What policy would most likely contain information relevant to this situation?
Acceptable Use Policy (AUP)
What compliance obligation applies to merchants and service providers who work with credit card information?
Payment Card Industry Data Security Standard (PCI DSS)
What policy would typically answer questions about when an organization should destroy records?
Data Retention Policy
Colin would like to implement a security control in his accounting department that is specifically designed to detect cases of fraud that are able to occur despite the presence of other security controls. What control would best suit Colin’s need?
Mandatory Vacations
Which of the following security policy framework components does not contain mandatory guidance for individuals within an org?
- Policy
- Standard
- Procedure
- Guideline
Guideline