17 Risk Management & Privacy Flashcards
What are governance programs?
Sets of procedures and controls for effective organizational direction
Without governance, large organizations face chaos as employees would independently determine priorities and functions.
Why is corporate governance important in publicly traded companies?
Ensures appropriate strategic direction, plan development, and execution
It addresses the challenges of numerous or unengaged owners who cannot oversee daily operations.
What is the role of the board of directors in corporate governance?
Directs actions of the corporation on behalf of shareholders
The board has ultimate authority and is elected by shareholders during regular meetings.
What is considered best practice regarding board membership?
Majority of board members should be independent directors
Independent directors have no significant relationship with the company other than board membership.
How often do boards typically meet?
Monthly or quarterly
This infrequency necessitates delegation of day-to-day operations to a CEO.
Who does the board of directors hire to manage company operations?
Chief Executive Officer (CEO)
The CEO is responsible for the daily operations and reports to the board.
In what manner does governance cascade within an organization?
From shareholders to board of directors to CEO to other executives
Each level delegates authority downwards, maintaining a manageable hierarchy.
What is the difference in governance models between nonprofit and publicly traded organizations?
Nonprofit boards are elected by members or self-perpetuating
Privately owned organizations may have varied governance models based on ownership.
What is a governance, risk, and compliance (GRC) program?
Integration of governance, risk management, and compliance tasks
This program facilitates effective governance by addressing risk and compliance.
What is information security governance?
Extension of corporate governance focusing on information security
It ensures alignment of information security with organizational goals.
Who is typically responsible for information security within an organization?
Chief Information Security Officer (CISO)
The CISO is delegated authority from the CEO for information security matters.
What does an information security governance framework include?
Management structure for cybersecurity and enforcement mechanisms
It aligns with broader management approaches and includes policies for the organization.
What are the two major categories of governance structures?
Centralized and decentralized governance models
Centralized models enforce policies from a top-down approach, while decentralized models allow individual units to achieve objectives independently.
What is a centralized governance model?
Top-down approach with central authority creating and enforcing policies
This model ensures uniformity in policy application across the organization.
What is a decentralized governance model?
Bottom-up approach where individual units achieve cybersecurity objectives independently
This model allows flexibility and adaptation to specific unit needs.
What role do regulatory agencies play in governance?
They may regulate organizations, such as banks
For instance, banks are regulated by the U.S. Treasury Department or similar agencies.
What are the four types of documents included in an organization’s information security policy framework?
- Policies
- Standards
- Procedures
- Guidelines
What is the primary purpose of policies in an information security framework?
High-level statements of management intent that are mandatory for compliance
True or False: Compliance with guidelines is mandatory.
False
What should organizations consider when preparing their policy documents?
- Regulatory and legal requirements
- Industry-specific considerations
- Jurisdiction-specific considerations
What does an information security policy typically include?
- Importance of cybersecurity
- Requirements for staff and contractors
- Ownership of information
- Designation of the CISO
- Delegation of authority
Fill in the blank: Standards provide mandatory requirements describing how an organization will carry out its _______.
[information security policies]
What are the four types of standards organizations should pay attention to?
- Password standards
- Access control standards
- Physical security standards
- Encryption standards
What is the role of procedures in the information security policy framework?
Detailed, step-by-step processes that are mandatory for compliance
What is an example of a procedure related to incident response?
Visa's "What To Do If Compromised" document
What is the purpose of guidelines in an information security context?
To provide best practices and recommendations that are not mandatory
What should an exception process include when an organization needs to deviate from security standards?
- Standard requiring an exception
- Reason for noncompliance
- Business justification
- Scope and duration
- Risks associated
- Compensating controls
- Compliance plan
True or False: The CISO is typically designated as the executive responsible for cybersecurity issues.
True
What are some common documents found in an information security policy library?
- Information security policy
- Incident response policy
- Acceptable use policy
- Business continuity and disaster recovery policies
- Software development life cycle policy
- Change management policies
Fill in the blank: The _______ outlines the procedures and strategies to ensure essential business functions continue to operate during a disaster.
[business continuity and disaster recovery policy]
What is the significance of the document titled Minimum Security Standards for Electronic Information from UC Berkeley?
It details mandatory security controls for different data protection levels
What is the function of compensating controls in the context of exceptions to security standards?
To mitigate the risks associated with exceptions
What must the control meet to be satisfactory as a compensating control according to PCI DSS?
- Meet the intent of the original requirement
- Provide a similar level of defense
What is the purpose of compensating controls in security standards?
To mitigate the risk associated with exceptions to security standards
Compensating controls are alternative means to achieve security objectives when original control requirements cannot be met.
How many criteria must a compensating control meet according to PCI DSS?
Five criteria
These criteria ensure that the compensating control is effective in offsetting the risk posed by not adhering to original PCI DSS requirements.
What is the first criterion for a satisfactory compensating control as per PCI DSS?
The control must meet the intent and rigor of the original requirement
This ensures that the compensating control aligns with the original security objective.
What does the second criterion for compensating controls require?
The control must provide a similar level of defense as the original requirement
This criterion ensures that the compensating control effectively offsets the risk addressed by the original requirement.
What is meant by the control being ‘above and beyond’ other PCI DSS requirements?
The control must address the additional risk imposed by not adhering to the PCI DSS requirement
This ensures that the compensating control provides extra protection beyond what is already required.
What does the fourth criterion for compensating controls state?
The control must address the additional risk imposed by not adhering to the PCI DSS requirement
This criterion ensures that compensating controls are tailored to the specific risks created by non-compliance.
What is the fifth criterion for a satisfactory compensating control?
The control must address the requirement currently and in the future
This ensures the ongoing relevance and effectiveness of the compensating control.
What is an example of a compensating control for using an outdated operating system?
Running the system on an isolated network with little or no access to other systems
This approach mitigates the risk posed by the outdated operating system while allowing necessary business operations.
Why do organizations adopt compensating controls?
To address a temporary exception to a security requirement
Organizations may face situations where compliance is not feasible, necessitating compensating controls.
What is the role of policy monitoring in an organization?
To regularly evaluate the implementation and efficacy of information security policies
Effective monitoring helps ensure that policies remain aligned with current security needs and regulatory requirements.
What tools are commonly used for policy monitoring?
Security information and event management (SIEM) systems, audits, and assessments
These tools help organizations assess adherence to policies and identify areas for improvement.
What happens when inconsistencies in policies are identified?
Policy revision becomes necessary
Updating policies is essential to address shortcomings and adapt to new challenges.
Why is it important to communicate revised policies promptly?
To ensure effective compliance among relevant personnel
Timely communication and training help maintain adherence to updated security policies.
True or False: Compensating controls are only used by organizations subject to PCI DSS.
False
The use of compensating controls is a common strategy across various organizations, not limited to those under PCI DSS.
What is the primary goal of change management?
To ensure that changes do not cause outages
Change management helps reduce unanticipated outages caused by unauthorized changes.
How does change management help in a technical environment?
It allows various IT experts to review proposed changes for unintended side effects before implementation
This process ensures that changes are tested and documented appropriately.
Fill in the blank: Unauthorized changes directly affect the _____ in the CIA triad.
availability
What should personnel perform before deploying changes in a production environment?
A security impact analysis
List common tasks within a change management process.
- Request the change
- Review the change
- Approve/reject the change
- Test the change
- Schedule and implement the change
- Document the change
What is a rollback or backout plan?
A plan to return the system to its original condition if the change results in a failure
When should changes be performed to avoid undesirable impacts?
At a scheduled and coordinated time
True or False: Change management documentation is unnecessary if changes are made during an emergency.
False
Emergency changes still need to be documented for review and future reference.
What does version control ensure?
That developers and users have access to the latest versions of software and that changes are carefully managed
Fill in the blank: Documentation identifies the current _____ of systems.
configuration
What is the significance of involving a diverse set of technical stakeholders in change analysis?
To understand potential impacts of a change in a complex technical environment
What should be considered regarding security controls during a change?
Whether the change will require modifications to security controls, such as firewall rules
What is the potential consequence of not using a version control system?
A change could effectively break the website
What is the purpose of keeping documentation current?
To reflect the impact of the change and maintain accurate system information
What happens if an administrator closes a needed port on a firewall?
The web server may begin having problems communicating with the database server
What is the role of the change review board?
To approve or reject changes based on expert reviews
Fill in the blank: Changes should be scheduled during _____ hours to minimize impact.
nonpeak
What does a configuration management system do?
Stores information about system configurations and changes
Why is testing a change on a nonproduction server important?
To verify that the change doesn’t cause an unanticipated problem
What is the risk of granting administrator access to a group of users without proper controls?
It violates the least privilege principle and weakens security
What is the main purpose of personnel management best practices?
To reduce the likelihood and impact of employee-centered security risks.
Organizations require employees to have access to information and systems to perform their job functions, which can lead to cybersecurity incidents.
Define the principle of least privilege.
Individuals should be granted only the minimum set of permissions necessary to carry out their job functions.
This principle is essential for minimizing security risks.
What is privilege creep?
Occurs when an employee accumulates new privileges from job to job without revoking past privileges.
This can lead to unnecessary access and potential security issues.
What does separation of duties aim to achieve?
To prevent a single person from holding the privileges required to perform two tasks that are sensitive when combined.
This is particularly important in sensitive job functions such as accounting.
Provide an example of separation of duties in accounting.
No single individual can create a new vendor and issue a check to that vendor.
This reduces the risk of fraudulent activities like embezzlement.
What is the difference between separation of duties and two-person control?
Separation of duties prevents one person from holding two privileges, while two-person control requires two people to perform a single sensitive action.
Both concepts aim to enhance security and reduce fraud risk.
What is job rotation?
Moving employees with sensitive roles to other positions periodically.
This helps in uncovering fraudulent actions by disrupting ongoing concealment activities.
What is the purpose of mandatory vacations in an organization?
Forcing employees to take time off to uncover fraudulent actions.
During their absence, access privileges are revoked, which may expose any fraudulent activities.
What do clean desk policies aim to protect?
The confidentiality of sensitive information.
These policies require employees to secure all papers and materials before leaving their desks.
What is the importance of onboarding and offboarding processes?
To ensure control of organizational assets and orderly management of credentials and privileges.
These processes help in mitigating security risks associated with employee transitions.
What role do nondisclosure agreements (NDAs) play in an organization?
Require employees to protect confidential information accessed during employment.
NDAs are typically signed upon hire and reinforced during offboarding.
What should a social media policy address?
It should constrain the behavior of employees on social media.
The policy may include assessments of both personal and professional accounts.
What is Third-Party Risk Management?
The process of managing risks that arise from third-party organizations with whom an organization does business.
What should organizations evaluate when selecting vendors?
Organizations should evaluate:
- Financial stability
- Business reputation
- Quality of products or services
- Compliance with relevant regulations
- Security practices and data handling procedures
What is due diligence in vendor selection?
The thorough vetting of potential vendors to ensure they meet the organization’s standards and requirements.
What constitutes a conflict of interest in vendor relationships?
A situation where a vendor has a competing interest that could influence their behavior against the organization’s best interests.
What is penetration testing?
A method to evaluate a vendor’s security by conducting authorized simulated attacks to identify vulnerabilities.
What is a right-to-audit clause in vendor agreements?
A clause that allows the customer to conduct or commission audits on the vendor’s operations and practices.
What is the purpose of independent assessments in vendor management?
To objectively evaluate the vendor’s practices and systems, often involving third-party experts.
What is the significance of supply chain analysis in vendor risk management?
It helps understand the risks associated with the vendor’s supply chain, including their suppliers and interdependencies.
What are Master Service Agreements (MSAs)?
Contracts that provide an umbrella agreement for the work a vendor does over an extended period, including security and privacy requirements.
What do Service Level Agreements (SLAs) specify?
The conditions of service provided by the vendor and remedies available to the customer if the vendor fails to meet the SLA.
Fill in the blank: A _______ is an informal document that allows parties to avoid misunderstandings in a relationship.
[memorandum of understanding (MOU)]
What is a Memorandum of Agreement (MOA)?
A formal document outlining terms and details of an agreement, establishing mutual understanding of roles and responsibilities.
What do Business Partners Agreements (BPAs) entail?
Agreements between two organizations that outline responsibilities and profit division when collaborating on a project.
What is the role of vendor monitoring?
To manage and mitigate third-party risks through continuous observation and analysis of vendor performance and compliance.
What are key performance indicators (KPIs) used for in vendor monitoring?
Quantitatively measure the vendor’s performance to ensure they meet agreed-upon standards.
What does compliance monitoring ensure?
That vendors are adhering to legal and regulatory requirements, especially when handling sensitive data.
What is the importance of financial monitoring in vendor relationships?
To evaluate the vendor’s financial health and ensure they remain a viable partner, especially for long-term contracts.
What should organizations do when issues are identified through monitoring?
Have a process for addressing issues, which may include meetings, corrective action plans, or contract termination.
What is the purpose of winding down vendor relationships?
To ensure an orderly transition when a vendor relationship ends or a product/service is discontinued.
True or False: Vendor agreements should include nondisclosure agreement (NDA) terms.
True
Fill in the blank: Organizations should ensure that vendors ask their employees to sign _______ if they will have access to sensitive information.
[nondisclosure agreements (NDAs)]
What is the main reason legislators and regulators take an interest in cybersecurity?
The potential impact of cybersecurity shortcomings on individuals, government, and society.
What type of regulation does the European Union have regarding data protection?
A broad-ranging data protection regulation.
What does HIPAA stand for?
Health Insurance Portability and Accountability Act.
Who does HIPAA affect?
Health-care providers, health insurers, and health information clearinghouses in the United States.
What does PCI DSS regulate?
The storage, processing, and transmission of credit and debit card information.
Is PCI DSS a law?
No, it is a contractual obligation.
What does GLBA stand for?
Gramm–Leach–Bliley Act.
What does the GLBA require from financial institutions?
To have a formal security program and designate an individual responsible for it.
What is the main focus of the Sarbanes–Oxley Act?
The financial records of U.S. publicly traded companies.
What does GDPR stand for?
General Data Protection Regulation.
What does FERPA require from U.S. educational institutions?
To implement security and privacy controls for student educational records.
What do data breach notification laws require?
Organizations to notify individuals affected by a data breach.
What is the purpose of internal compliance reporting?
To maintain an organization’s security posture and adherence to laws and regulations.
What does external compliance reporting involve?
Providing documentation and evidence to external entities to demonstrate compliance.
What can be a consequence of noncompliance regarding fines?
Imposition of significant fines and sanctions.
How much can companies be fined under GDPR for serious infringements?
Up to 4 percent of their annual global turnover, or €20 million, whichever is higher.
What is one example of a nonfinancial sanction due to noncompliance?
Suspension or revocation of business licenses.
What type of damage can result from noncompliance?
Reputational damage.
What can happen to contracts due to noncompliance?
Termination of contracts.
What is one potential legal consequence of noncompliance?
Legal action leading to lawsuits for damages.
What is due diligence in compliance monitoring?
The process of continuously researching and understanding legal and regulatory requirements.
What is due care in compliance monitoring?
Ongoing efforts to ensure that policies and controls are effective and maintained.
What does attestation mean in the context of compliance?
Confirmation that practices adhere to compliance requirements.
What is the role of internal monitoring?
To ensure that the organization follows its policies and meets legal requirements.
What does external monitoring involve?
Third-party audits and assessments.
What is an advantage of automation in compliance monitoring?
Tracks changes in regulations and monitors for violations.
Fill in the blank: Organizations must engage in both _______ and external compliance reporting.
internal
What is the primary purpose of the NIST Cybersecurity Framework (CSF)?
To assist organizations in achieving five objectives:
- Describe current cybersecurity posture
- Describe target state for cybersecurity
- Identify and prioritize opportunities for improvement
- Assess progress toward target state
- Communicate cybersecurity risk
What are the five security functions outlined in the NIST Cybersecurity Framework Core?
- Identify
- Protect
- Detect
- Respond
- Recover
What are the four maturity model tiers in the NIST Cybersecurity Framework Implementation Tiers?
- Tier 1: Partial
- Tier 2: Risk Informed
- Tier 3: Repeatable
- Tier 4: Adaptive
What does the Framework Profile in the NIST Cybersecurity Framework describe?
How a specific organization might approach the security functions covered by the Framework Core
True or False: The NIST Risk Management Framework (RMF) is a mandatory standard for federal agencies.
True
What is the primary difference between the NIST CSF and RMF?
The CSF provides a broad structure for cybersecurity controls, while the RMF is a formal process for implementing security controls.
List four specific ISO standards relevant for cybersecurity.
- ISO 27001
- ISO 27002
- ISO 27701
- ISO 31000
What does ISO 27001 focus on?
Information security management systems and control objectives
What is the purpose of ISO 27002?
To describe the actual controls that an organization may implement to meet cybersecurity objectives
What type of guidance does ISO 27701 provide?
Guidance for managing privacy controls as an extension to ISO 27001 and ISO 27002
What is the focus of ISO 31000?
Guidelines for risk management programs applicable to any risk
Fill in the blank: The NIST and ISO frameworks provide _______ descriptions of cybersecurity best practices.
high-level
What organization publishes benchmarks and secure configuration guides for common platforms?
Center for Internet Security (CIS)
True or False: The NIST Cybersecurity Framework is commonly used in private industry.
True
What content is covered by the ISO 27001 standard?
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance with internal and external requirements
What does the NIST RMF process involve?
Selecting, implementing, and assessing risk-based security and privacy controls
What is the expected release year for the NIST Cybersecurity Framework 2.0?
2024
What does Tier 1: Partial indicate about an organization’s cybersecurity practices?
Cybersecurity risk management practices are not formalized and are managed in an ad hoc manner.
What is the main goal of benchmarks and secure configuration guides?
To provide practical guidance on implementing security controls for commonly used systems.
What is the primary purpose of security training and awareness programs?
To ensure employees and stakeholders are aware of their information security responsibilities
These programs help keep security responsibilities top-of-mind.
Who is responsible for establishing and maintaining an information security training program?
Information security managers
They promote and maintain a security culture in organizations.
Why is regular security training important for users?
To ensure users understand risks associated with the computing environment and their role in minimizing those risks.
What is role-based training?
Training tailored to the specific job responsibilities of individuals
For example, systems administrators require more technical training than customer service representatives.
What type of training should be included in security awareness programs to combat phishing?
Specific anti-phishing campaigns
These often include phishing simulations to test user skills.
What is anomalous behavior recognition in the context of security awareness?
The ability of employees to recognize risky or unexpected behavior that may indicate a security concern.
List some topics that should be included in end-user security training programs.
- Security Policies and Handbooks
- Situational Awareness
- Insider Threats
- Password Management
- Removable Media and Cables
- Social Engineering
- Operational Security
- Hybrid/Remote Work Environments
What is the importance of situational awareness in security training?
It updates users on current security threats and helps them recognize suspicious activity.
True or False: Users should be educated to reuse passwords across multiple sites.
False
Users should be taught the importance of not reusing passwords.
What are some best practices for securing data in hybrid/remote work environments?
- Use of VPNs
- Secure Wi-Fi networks
- Ensuring physical security of devices
- Understanding specific policies for remote work
What is the recommended frequency for security training?
Initial training for new employees, followed by annual refresher training.
What is the first step in developing a security training program?
A thorough assessment of the organization’s security landscape and identifying potential risks.
How can training content be made more engaging?
Incorporating real-world examples and interactive elements.
What types of methods should be included in the execution phase of training?
- Workshops
- E-learning modules
- Simulations
What is the purpose of reporting and monitoring in security training programs?
To track participation and assess user knowledge through quizzes and feedback.
What should be regularly reviewed to ensure training material remains relevant?
Training materials should be reviewed regularly to reflect changes in the security landscape.
What are ongoing awareness efforts in an information security program?
Less formal efforts designed to remind employees about previously learned security lessons.
Fill in the blank: Ongoing awareness efforts use _______ to keep security top-of-mind.
[posters, videos, email messages]
What forms the basis of every strong information security program?
Policies
What does a solid policy framework consist of?
Policies, standards, procedures, and guidelines
What do policies, standards, procedures, and guidelines describe?
The security control environment of an organization
What must organizations comply with besides internally developed policies?
Externally imposed compliance obligations
Name two security frameworks that provide a common structure for security programs.
NIST Cybersecurity Framework, ISO 27001
What do security frameworks base their structure on?
Accepted industry best practices
What should organizations implement and test to achieve security control objectives?
Security controls
Security control objectives are developed based on what factors?
The business and technical environment of the organization
Fill in the blank: A solid policy framework consists of policies, standards, ______, and guidelines.
procedures
True or False: Organizations only need to comply with their internally developed policies.
False