5.0 - Governance, Risk, & Compliance

Question 1

What are the three categories of Security Control?

Answer 1

• Managerial (Controls that address security design and implementation; policies)

• Operational (Controls that are implemented by people; security guards, awareness programs)

• Technical (firewalls, antivirus, etc.)

Question 2

List examples of Corrective control types?

Answer 2

• an IPS blocking an attacker

• Using backups to mitigate a ransomware infection

• A backup site when a storm hits

Question 3

List examples of Compensating control types?

Answer 3

• re-imaging a device from backup

• A hot site

• a backup power generator

• Or, per an alternative definition, anything put in place as an easier/cheaper alternative to a better control.

Question 4

Explain

GDPR

Answer 4

• General Data Protection Regulation

• Allows individuals in the EU to control what happens with their info

• Users must be aware of where data is stored and can control its export / where it goes

• “Right to be forgotten” – user requests for deletion of their data must be followed

• Every website must provide a detailed privacy policy

Question 5

Define

PCI DSS

Answer 5

• Payment Card Industry Data Security Standard

• A standard for protecting credit card info

• Not a set of laws or regulations, but guidelines managed by the payment card industry

Question 6

What are the 6 control objectives of PCI DSS?

Answer 6

• Build and maintain a secure network and systems

• Protect cardholder data

• Maintain a vulnerability management program

• Implement strong access control measures

• Regularly monitor and test networks

• Maintain an information security policy

Question 7

Define

Security Framework

Answer 7

• A guide for creating a security program

• Document processes

• Defines tasks and prioritizes projects

Question 8

Explain

CIS CSC

Answer 8

• Center for Internet Security Critical Security Controls for Effective Cyber Defense

• A security framework, designed to help you improve cyber defenses

• Twenty key actions (the CSCs)

• Categorized with different recommendations for different organization sizes

Question 9

Explain

NIST RMF

Answer 9

• National Institute of Standards and Technology Risk Management Framework

• A security framework

• mandatory for US federal agencies, and any organization that handles federal data

Question 10

Explain

NIST CSF

Answer 10

• National Institute of Standards and Technology Cybersecurity Framework

• Designed for commercial organizations; voluntary rather than mandatory.

Question 11

What security frameworks are useful at an international level?

Answer 11

• ISO/IEC has several frameworks

• International Organization for Standardization / International Electrotechnical Commission

Question 12

Define

SSAE SOC 2 Type I/II

Answer 12

• an auditing standard from the American Institute of CPAs (AICPA)

• The Statement on Standards for Attestation Engagements (SSAE)

• Include several reports. The suite of reports related to security controls is SOC 2

• System and Organization Controls (SOC) Number 2

• Audit covers firewalls, intrusion detection, MFA, etc.

Question 13

Difference between SOC 2 Type 1 and SOC 2 Type 2?

Answer 13

• a Type I audit tests security controls in place at a particular point in time

• a Type II audit tests controls over a period of at least six consecutive months

Question 14

Define

ISO 27001

Answer 14

• an international specification for information security management systems

• details documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action

• Organizations meeting all requirements can be certified as ISO 27001 compliant

Question 15

Define

ISO 37000

Answer 15

• international guidelines for risk management

• can be applied across a variety of industries, to any size company

• guidelines only; not requirements. There is no certification of compliance.

Question 16

Define

CSA

Answer 16

• Cloud Security Alliance

• A not-for-profit organization that focuses on security in the cloud

• Developed the CCM (Cloud Controls Matrix)

Question 17

Define

CCM

Answer 17

• Cloud Controls Matrix

• a security framework

• Developed by CSA (Cloud Security Alliance)

• Cloud-specific security controls

• Controls are mapped to standards, best practices, and regulations

Question 18

What does this stand for?

AUP

Answer 18

• Acceptable Use Policy

Question 19

Define:

Job Rotation

Answer 19

• Keep people moving between responsibilities

• No one person maintains control for long periods of time

• Benefits of cross-training, but also security as an individual is less likely to take advantage of vulnerabilities if they do not stay in one place for as long, and subsequent workers will see their work

Question 20

Define:

Mandatory Vacations

Answer 20

• Rotates others through the job to ensure that fraud is not occurring

• Rarely seen in the business world but may be important in high-security environments

Question 21

What are two examples of Separation of Duties?

Answer 21

• Split knowledge: No single person has all the details

• Dual Control: Two people must be present to perform the function

Question 22

Define:

CBT

Answer 22

• Computer-Based Training

• Automated pre-built training that users receiving

Question 23

Define

MOU

Answer 23

• Memorandum of Understanding

• Informal letter of intent; not a contract, not binding

• Often used when a contract is not possible

• Both sides agree on the contents of the memorandum

Question 24

Define

MSA

Answer 24

• Measurement Systems Analysis

• A process that assesses a measurement system, and calculates the amount of uncertainty in the measurement

• Used with quality management systems, i.e., Six Sigma

Question 25

Define

BPA

Answer 25

• Business Partnership Agreement

• Provides details when going into an agreement with a third party

• Details what the owner’s stake might be, decision-making agreements, contingency arrangements, financial contract, etc.

Question 26

Difference between EOL and EOSL?

Answer 26

• End of Life means the manufacturer stops selling a product, but may continue to update and support it

• End of Service Life means no more updates, and support is no longer available (though there may be a premium-cost support option)

Question 27

Define

Data Steward

Answer 27

• Oversees how data is used

• Manages governance process

• Ensures compliance with any applicable laws and standards

• Responsible for data accuracy, privacy, and security

• Associates sensitivity labels to the data (personal, public, or restricted)

Question 28

Describe four Risk Management Strategies

Answer 28

• Acceptance: just take the risk

• Avoidance: Stop participating in the high-risk activity entirely

• Transference: Buy insurance so the risk is carried by the insurer

• Mitigation: Decrease the risk level by adding security

Question 29

Define

Inherent Risk

Answer 29

• Risk that exists by nature of an activity in the absence of any controls

• Considers the impact and the likelihood

Question 30

Define

Residual Risk

Answer 30

• What remains of the inherent risk after current security controls are taken into consideration

Question 31

Define:

SLE

Answer 31

• Single Loss Expectancy

• park of risk assessment

• the expected monetary loss if a single event occurs

Question 32

Define:

ARO

Answer 32

• Annualized Rate of Occurrence

• part of risk assessment

• describes the expected likelihood of an event occurring

Question 33

Define

ALE

Answer 33

• Annualized Loss Expectancy

• part of risk assessment

• Multiply the ARO by the SLE to determine the ALE

Question 34

Define

MTTR

Answer 34

• Mean Time to Repair

• The time required to fix a given issue

Question 35

Define

MTBF

Answer 35

• Mean Time Between Failures

• The predicted time between outages

Question 36

Define

DRP

Answer 36

• Disaster Recovery Plan

• A step-by-step guide for resuming operations after a disaster has occurred

Question 37

Define

PIA

Answer 37

• Privacy Impact Assessment

• An assessment for any given project of how private customer data may be impacted.

• Used to determine how an organization collects, processes, stores, and shares PII.

• How will the new processes or products affect customer privacy?

• Helps in fixing privacy issues before they become a problem.

Question 38

Define

Data Minimization

Answer 38

• The principle of collecting and retaining only data that is necessary

• Required by many regulations, such as HIPAA and GDPR

• In principle, also applies to how data is used and accessed; you should only be able to access data required for the task at hand

Question 39

Define

Data Owner

Answer 39

• The person accountable / responsible for the set data

• often a senior officer

• E.g. VP of Sales owns the customer relationship data

• E.g. Treasurer owns the financial information

Question 40

Define

Data Controller

Answer 40

• Manages the purposes and means by which personal data is processed

• E.g. payroll department defines payroll amounts and timeframes

• (but they don’t necessarily process payroll, which would be done by the data processor)

Question 41

Define

Data Processor

Answer 41

• Processes data on behalf of the data controller

• Often a third-party

• E.g. Payroll company (data processor) processes payroll and stores employee information on behalf of a payroll department (the data controller)

Question 42

Define

Data Custodian / Steward

Answer 42

• Responsible for data accuracy, privacy, and security

• Associates sensitivity labels to the data

• Ensure compliance with applicable laws and standards

• Manages access rights to the data

• Implements security controls

Question 43

Define

DPO

Answer 43

• Data Protection Officer

• Responsible for the organization’s data privacy

• Sets policies, implements processes and procedures