5.1

Question 1

Security polices answer the ____ and ____ of security implementation.

Technical security controls answer the ____.

Answer 1

What, why

How

Question 2

A master list of all polices that should be followed to maintain the uptime, availability, and security of the network.

They might be mandated by governmental regulations.

It details what happens in different threat situations, and a list of roles and responsibilities.

Answer 2

Information security policies

Question 3

AUP stands for

Answer 3

Acceptable Use Policy

Question 4

A policy that details how an organization’s assets (normally technology) may or may not be used.

Protects the organization from both cyber threats and legal liability.

Answer 4

AUP

Question 5

A plan that keeps the organization’s critical functions going when disaster happens.

This could mean using manual transactions, paper receipts, and calling up credit card companies to manually approve credit card transactions.

Answer 5

BCP

Question 6

A plan that details actions that can help keep the organization going after disaster as well as steps for how to get the organization back to full functionality.

Like a BCP, but with more steps.

Answer 6

DRP

Question 7

This group of personnel is useful in incident response for their specialized training for any type of disaster.

Answer 7

CIRT/CSIRT/CERT

Question 8

This group of personnel is useful in incident response for their corporate support. This can help obtain the proper resources and people to address incidents.

Answer 8

IT security management team

Question 9

This group of personnel is useful in incident response for ensuring that the network is compliant with mandated regulations.

Answer 9

Compliance officers

Question 10

This group of personnel is useful in incident response for actively solving technical problems during disaster.

Answer 10

Technical staff

Question 11

This group of personnel is useful in incident response for being able to see everything that occurs in a network–even if they only see symptoms.

Answer 11

Users

Question 12

A framework that helps to organize and maintain the creation of software.

Answer 12

SDLC

Question 13

2 of the most common SDLCs

Answer 13

Agile

Waterfall

Question 14

A linear SDLC cycle

Answer 14

Waterfall

Question 15

A faster SDLC that goes through multiple cycles before being finished

Answer 15

Agile

Question 16

The process associated with making changes - upgrading software, changing firewall configuration, modifying switch ports, etc.

Answer 16

Change management

Question 17

True/False

Security standards may be written in-house or be picked from many nationally-recognized standards.

Answer 17

True

Question 18

True/False

One common account policy is that there are to be no local accounts; only accounts through LDAP or the AD database

Answer 18

True

Question 19

True/False

Access control also includes how and when a user’s privileges get revoked - such as security issues, account expiration, contract renewals, or dismissal from the organization.

Answer 19

True

Question 20

True/False

Encryption requirements list the type of encryption, type of implementation, and password storage techniques, but will also include how to encrypt data in transit/at rest/in use.

Answer 20

True

Question 21

The process of bringing a new person into the organization

Answer 21

Onboarding

Question 22

The process of dismissing a person from the organization.

This includes what will happen to the user’s hardware (and its associated data).

Answer 22

Offboarding

Question 23

True/False

When offboarding a user, you always want to delete their account.

Answer 23

False

Keeping the account around is important to retain encryption keys, files, and messages that may be important to use during company operations or during legal proceedings that require that information.

Question 24

Documents that define a set of steps to follow in any kind of situation. There should be at least one document for every kind of situation.

Answer 24

Playbook

Question 25

A governance structure that is a panel of specialists that are responsible for gathering information for a committee.

This structure may also set the tasks or series of requirements (usually very broad) for a committee to follow.

Answer 25

Board

Question 26

A governance structure that acts as the primary decision maker. It considers input from a board in order to determine next steps for a topic at hand. It takes direction from the board on what steps need to be accomplished next.

Once the task is completed, this structure presents it to the board for approval or feedback.

Answer 26

Committee

Question 27

The 2 methods of governance used by both public (governmental) and private (proprietary) governance structures.

Answer 27

Centralized
Decentralized

Question 28

The method of governance that involves one group/person making decisions for the entire organization.

Answer 28

Centralized

Question 29

The method of governance that gives decision-making power to many/all members of the organization, including those people who are actually doing said changes.

Answer 29

Decentralized

Question 30

The individual that is broadly and ultimately responsible for data being stored.

Ex. Vice president of sales is the data owner for all customer relationship data
Treasurer owns the financial information

Answer 30

Owner

Question 31

The individual that manages the purposes and means by which personal data is processed. They manage “how” the data will be used.

They provide instructions to the data processor on how the data should be used.

Answer 31

Data controller

Question 32

The individual that process data on behalf of the data controller and is often a third-party or different group.

Answer 32

Data processor

Question 33

An example of a data controller/data processor relationship

Answer 33

A data controller would be a company’s payroll department.

A data processor would be a third-party payroll company.

The payroll dept gives instructions to the payroll company on how employee data is used, and how the payroll process occurs.

The payroll company has access to the data and implements the process.

Question 34

The individual responsible for data accuracy, privacy, and security. They make sure that the organization is in compliance with laws/regulations associated with the data. They also assign sensitivity labels to the data, manage access rights to the data, and implement security controls.

Answer 34

Data custodian/steward