2.1_The Security Organization - GRC

Question 1

What are the 5 areas of Security Team Alignment?

Answer 1

• Linux and Windows
• Networking
• Defense Security
• Web and Web Vulnerabilities
• Offensive Security

Question 2

Security operations will interact with other non-security team departments within the organization. Give an example.

Answer 2

An organization’s Marketing and Communications teams use the networks and accounts that IT and Networking manage.

Question 3

Security Concerns vs. Business Concerns

Answer 3

Security Team’s Main Goal: Protect the business’s data

Business Goal: To make profit

Question 4

An organization’s engineering team proposes an innovative but insecure new feature for their flagship product. What would the security team say vs the suits?

Answer 4

Security Team:
The security team would probably advise against the new feature due to its poor security.

Business-At-Large:
The business might decide to develop it anyway, believing the potential profit is worth the risk.

Question 5

An organization’s engineering team proposes an innovative but insecure new feature for their flagship product. What could the security team do?

Answer 5

1. Put in place more aggressive monitoring
   on data servers likely to be exposed by the
   new feature.
2. Advise IT and Networking to put in place more sophisticated access controls on important servers and proxies.

Question 6

True or False:

100% security is not the business’s goal

Answer 6

True

To limit spending and increase profit, businesses often provide only adequate protection for their most important assets.

Question 7

What is the GRC framework and the three components?

Answer 7

GRC is a framework for answering the questions: What assets are most important? and what is adequate protection?

Question 8

Creating management processes for implementing security practices across the organization is what component of GRC framework?

Answer 8

Governance

Question 9

Making sure the business follows internal security policies and adheres to relevant security laws is what component of GRC framework?

Answer 9

Compliance

Question 10

Identifying an organization’s most important assets and determining how they might be compromised.

Answer 10

Risk Management

Question 11

The more significant the loss, the more important the asset is apart of what concept?

Answer 11

GRC Framework

Question 12

Security vs. Business Objective:

The organization performs a risk assessment and concludes that the feature could lead to a 25% increase in quarterly profits. The feature would also risk exposing an isolated data server containing customer names, usernames, and email addresses, but no other PII (personally identifiable information). What wins?

Answer 12

Business Wins!

The security team objects to the feature on the grounds of insecurity. But the business decides that the cost of the potential breach—of an isolated server with no sensitive PI —would be less than the potential profit of the feature.

Question 13

The director of Engineering suggested giving all developers access to all data. What’s the recommendation?

Answer 13

Reject on the grounds of privacy?

Question 14

The director of IT suggested exposing administration servers to the public internet. What’s the recommendation?

Answer 14

Reject this request. A VPN would be a better solution to this problem.

Question 15

An SOC analyst recommended merging all of the company’s mail servers into a single server, in order to cut costs and improve efficiency. What’s the recommendation?

Answer 15

If the company has so many emails that it needs to maintain multiple servers, this suggestion is not possible. Otherwise, hosting all of the data on a single server makes sense.

Question 16

Strong organizational security begins with what?

Answer 16

Strong organizational security begins with making sure employees both consider security important and understand the security implications of their decisions.

Question 17

A healthy _______________ requires motivating employees to value security, and training them on how to avoid insecure behavior.

Answer 17

A healthy security culture requires motivating employees to value security, and training them on how to avoid insecure behavior.

Question 18

Employees are receiving emails to their work accounts from external sources. What should you do and what is your first step?

Answer 18

Measure and Set Goals

Hire a pentester to run a phishing campaign against your organization. They will send malicious files to everyone in the organization and keep track of who downloads them.

Set a click rate goal of 5%. Measure this data to determine (1) what percentage of employees download the files and (2) which employees download them.

Question 19

Involving the right people is what step of security culture framework.

Answer 19

Step 2

Question 20

What is the security culture framework? How many steps are there?

Answer 20

1. Measure and Set Goals
2. Involve the Right People
3. Create an Action Plan
4. Execute the Plan
5. Measure Change

Question 21

Chief Information Security Officer (CISO) reports to whom?

Answer 21

CEO

Question 22

What is a typical reporting structure fro VP of Networking?

Answer 22

VP of Networking:

• Director of IT > Director of Network Security
• Performance Manager
• Network Engineer

Question 23

CISO is responsible for protecting what?

Answer 23

Company’s data

Question 24

Explain the responsibilities of a security department.

Answer 24

1. Network Security - Director of Network Security is in charge of networks.
2. Incident Response - IR Manager or SOC Manager manages and Incident Response unit.
3. Application Security - Security Architect is in charge of application security.

Question 25

What are the 5 security controls?

Answer 25

1. Preventative controls prevent access with physical or technical barriers. (Key-card access is an example of a preventive control.)
2. Deterrent controls discourage attackers from attempting to access a resource.
3. Detective controls identify and alert attempts at access to a resource.
4. Corrective controls attempt to fix an incident, and possibly stop it from happening again.
5. Compensating controls restore the function of compromised systems.

Question 26

A system with multiple layers of protection is said to have ____________ because it is protected in multiple ways.

Answer 26

Control Diversity

A system with multiple layers of protection is said to have control diversity, because it is protected in multiple ways.

Question 27

Discouraging attackers from attempting to access a resource is what security control?

Answer 27

Deterrent

Question 28

Controls that identify and alert attempts at access to a resource is what security control?

Answer 28

Detective

Question 29

Controls that attempt to fix an incident, and possibly stop it from happening again is what security control?

Answer 29

Corrective

Question 30

Controls that restore the function of compromised systems is what security control?

Answer 30

Compensating

Question 31

Controls that prevent access with physical or technical barriers.

Answer 31

Preventative

Key-card access is an example of a preventive control.