CCSP Domain 6: Policies, Standards, Baselines and Guidelines

Question 1

What is a policy?

Answer 1

broad statement of management intent

Question 2

Is policy compliance mandatory?

Answer 2

yes

Question 3

What are the generalized statements about the cybersecurity objective included in information security policy?

Answer 3

• stetement of importance of cybersecurity to the organization
• requirements that all staff and contracts take measures to protect the confidentiality, integrity and availability of information and information systems
• statement of the ownership of information created and/or possessed by the organization
• designation of CISO or other individual as the executive responsible for cybersecurity issues
• delegation of authority granting the CISO the ability to create standards, procedures and guidelines that implement the policy

Question 4

Who approves policies?

Answer 4

CEO; requires approval from senior management

Question 5

What should cybersecurity managers do when developing new security policies in the relation to the already existing policy development mechanisms?

Answer 5

should align their work with any other policy development mechanisms that may exist within their organization; aligning with existing procedures makes it easier for the new initiative to track action

Question 6

What key principles should be followed by cybersecurity managers when working on policy development initiatives? (4)

Answer 6

1. obtain input from all relevant stakeholders
2. follow the chain of command
3. accomodate the organizational structure
4. meet internal and external requirements

Question 7

Do security policies contain prescriptive technical guidance, such as a requirement to use a specific encryption algorithm?

Answer 7

no, this type of detail would normally be found in a security standard

Question 8

All policies within the organization should include a section that includes which elements?

Answer 8

• policy maintenance
• policy enforcement
• policy enforcement

Question 9

The baseline should cover what systems?

Answer 9

as many systems throughout the organization as possible; more systems that are included in the baseline, the more cost-effective and scalable the baseline is

Question 10

What do standards provide?

Answer 10

mandatory requirements describing how an organization will carry out its information security policies; may include specific configuration settings used for OS’es

Question 11

Who approves standards in an organization?

Answer 11

standards are usually approved at lower organizational level than policies, thus they change more frequently

Question 12

What are procedures?

Answer 12

detailed, step-by-step processes that individuals and organizations must follow; ensure consistent process for achieving a security objective

Question 13

Is compliance with procedures mandatory?

Answer 13

yes

Question 14

What is the purpose of guidelines?

Answer 14

provide best practices and recommendations related to a given concept, technology or task

Question 15

Is compliance with guidelines mandatory?

Answer 15

no, it aims to serve as a helping hand

Question 16

What do many exception processes require?

Answer 16

use of compensating controls to mitigate the risk associated with exceptions to security standards

Question 17

PCI DSS includes one of the most formal compensating control process in use today and sets out 3 criteria that must be met for a compensating control to be satisfactory. What are these criteria?

Answer 17

1. the control must meet the intent and rigor of the original requirement
2. the control must provide similar level of defense as the original requirement such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against
3. the control must be “above and beyond” other PCI DSS requirements

Question 18

Are compansating controls intended to be permanent?

Answer 18

no, remediation plans should be developed to bring the organization back into compliance with the letter and intent of the original control

Question 19

What is the common baselining method?

Answer 19

imaging

Question 20

What is versioning?

Answer 20

using a labeling or numbering system to track changes in updated versions of baseline (image, application, system, etc.)

Question 20

How can be baselines applied?

Answer 20

to a single VM image or to a VM template, that is then used to deploy all VMs

Question 21

What is hardening?

Answer 21

configuration of a machine into a secure state through application of a configuration baseline

Question 22

Who can offer hardened VM images?

Answer 22

• customer-defined
• CPS-defined
• 3rd party, often available through a cloud marketplace

Question 23

Who offers hardened VM images in CSP marketplaces?

Answer 23

Center for Internet Security (CIS)

Question 24

What is a control?

Answer 24

high-level description of a feature or activity that needs to be addressed and is not specific to a technology or implementation

Question 25

What does benchmark contain?

Answer 25

contains security recommendations for a specific technology, such as an IaaS VM; describe configuration baselines and best practices for securely configuring a system

Question 26

What is a baseline?

Answer 26

implementation of the benchmark on the individual service

Question 27

How is control expressed?

Answer 27

as a benchmark

Question 28

How is benchmark implemented?

Answer 28

through a baseline

Question 29

What is the main purpose of benchmarks?

Answer 29

to ease process of securing a component, reduce footprint and minimize risk of security breach

Question 30

What are the sources from where baselines can be obtained?

Answer 30

• Vendor-Supplied Baselines
  
  • vendors provide configuration guideliness
• DISA STIGs
  
  • U.S. Defense Information Systems Agency (DISA) produces baseline documents known as Security Technical Implementation Guides (STIGs); may be too restrictive for businesses
• NIST Checklists
  
  • National Institute of Technology and Standards maintains a repository of configuration checklists for various OS and application software
• CIS Benchmarks
  
  • Center for Internet Security publishes baseline guides for a variety of OSes, applications and devices
  • priced based on environment size

Question 31

Baselines are composed of individual settings called what?

Answer 31

Configuration Items (CI)

Question 32

What organizations provide Windows server security baselines?

Answer 32

Center for Internet Security, Microsoft, and the National Institute for Standards and Technology

Question 33

What are CIS security controls?

Answer 33

security baseline adopted by many organizations

Question 34

What term describes a general-purpose map of the systems and networks used in an organization?

Answer 34

baseline