Chapter 1 - Understanding Cybersecurity Policy and Governance Flashcards
What is the significance of cybersecurity policies?
Cybersecurity policies protect individuals, economies, critical infrastructure, and countries from harm due to misuse or compromise of information and systems.
What role does policy play in corporate culture and civil society?
Policy provides direction, structure, and order, influencing behavior within organizations and society.
What is the objective of cybersecurity-related policies?
To establish guidelines for protecting information and information systems from threats.
List the characteristics of successful cybersecurity policies.
- Clear objectives
- Comprehensive scope
- Adaptability
- Stakeholder involvement
- Regular updates
- Effective communication
- Implementation strategies
Define the life cycle of a cybersecurity policy.
The life cycle includes stages such as development, implementation, evaluation, and revision.
How does the U.S. Department of Homeland Security define critical infrastructure?
As assets, systems, and networks vital to the economy, security, and health of the nation, whose incapacitation would have a debilitating effect.
What did Presidential Policy Directive 7 establish in 2003?
A national policy requiring federal entities to identify and protect critical infrastructure from attacks.
What is the key focus of Presidential Policy Directive 21 issued in 2013?
To strengthen and maintain secure and resilient critical infrastructure through shared responsibility.
What does Executive Order 13800 require from federal agencies?
Adoption of the Framework for Improving Critical Infrastructure Cybersecurity developed by NIST.
What is the main goal of Executive Order 14028 issued by President Biden?
To improve the cybersecurity defenses of the U.S. government and private sector.
Fill in the blank: The Cyber Resilience Act (CRA) and AI Act are regulations released by the _______.
[European Union]
What are the three classifications of corporate culture?
- Negative
- Neutral
- Positive
What is the difference between information security and cybersecurity policies?
Information security focuses on protecting data within an organization, while cybersecurity encompasses broader protection against attacks across all connections.
What is the primary purpose of the Torah from a social perspective?
To articulate a codified social order and provide guidance for behavior and interactions within society.
True or False: The U.S. Constitution was designed to be a static document without provisions for change.
False
How can corporate culture be shaped within an organization?
Both informally through individual treatment and formally through written policies.
What is a key lesson learned from the U.S. Constitution regarding policy?
Policies need to be dynamic enough to adjust to changing environments.
What role does policy play in protecting individual liberties?
Policy provides direction and structure to safeguard rights and freedoms.
What are some examples of business-related rules from the Torah?
- Not to use false weights and measures
- Not to charge excessive interest
- To be honest in all dealings
- To pay wages promptly
- To fulfill promises to others
What is a common impact of negative corporate culture?
A hostile environment where employees do not feel safe and customers are not valued.
What is the focus of the EU CRA Roadmap?
Strengthening the European cybersecurity ecosystem and enhancing resilience against cyber incidents.
What does cybersecurity encompass beyond traditional information security?
- Cyber risk management
- Threat intelligence
- Supply chain security
- Incident response
- Vulnerability management
What is the role of guiding principles in corporate culture?
They synthesize the fundamental philosophy and beliefs of an organization.
What is the difference in response between Company A and Company B after a data breach?
Company A blames management and avoids customer notification, while Company B seeks feedback, improves controls, and informs customers in a timely manner.
This illustrates the impact of corporate culture on incident response.
What are the characteristics of a positive corporate culture regarding cybersecurity?
Focuses on protecting information, solicits input, engages in education, and allocates resources appropriately.
Such a culture values employees and customers.
What is the philosophy of honoring the public trust?
To be careful stewards of the information entrusted to organizations, ensuring protection against unauthorized disclosure.
It emphasizes the importance of privacy in various contexts.
What is the role of a cybersecurity policy?
To codify guiding principles, shape behavior, provide guidance, and serve as an implementation roadmap.
It defines how an organization protects its information assets.
What are the objectives of a cybersecurity policy?
To protect the organization, employees, customers, and vendors from harm, and to ensure information integrity and availability.
This includes safeguarding against both intentional and accidental damage.
Define ‘cyber’ in the context of cybersecurity.
‘Cyber’ refers to anything involving computers or computer networks, especially in terms of crime, terrorism, or warfare.
It highlights the technological aspect of modern threats.
What is an information asset?
An information asset is data with context or meaning that holds value for an organization.
Examples include customer data, employee records, and business plans.
What is a defense-in-depth strategy?
A layered security approach that ensures multiple security controls are in place to protect network and corporate assets.
It allows for protection even if a single control fails.
List the layers included in a defense-in-depth strategy.
- Administrative activities
- Physical security
- Perimeter security
- Host security solutions
- Application security best practices
- Encryption methods
Each layer adds complexity but enhances overall security.
What is zero trust architecture?
A security model that advocates for ‘never trust, always verify’ to enhance identity-focused security.
It shifts the security paradigm from being network-focused.
What are the characteristics of successful cybersecurity policy?
- Endorsed
- Relevant
- Realistic
- Attainable
- Adaptable
- Enforceable
- Inclusive
These characteristics ensure policies are effective and widely accepted.
True or False: A successful cybersecurity policy must specify exactly how to implement its directives.
False. A good policy establishes what must be done and why, but not how.
This allows for flexibility in implementation.
Fill in the blank: A cybersecurity policy must be ______ to the organization.
Relevant.
Why is it important for policies to be realistic?
To prevent employees from rejecting policies that do not reflect their operational reality.
Unrealistic policies lead to non-compliance and frustration.
What should organizations do to ensure policies are attainable?
Involve key personnel in policy development and ensure expectations are reasonable.
This helps in creating a clear path for success.
How can a cybersecurity policy remain adaptable?
By allowing changes in response to market conditions and innovations without compromising security.
Static policies can hinder growth and innovation.
What is the significance of visible leadership in policy implementation?
Visible leadership demonstrates commitment to the policy and encourages compliance among employees.
Leadership actions can motivate or demotivate adherence to policies.
What should organizations consider when implementing cybersecurity in a multi-cloud environment?
Focus on security, operational effectiveness, and understanding the responsibilities of cloud providers.
This is crucial for maintaining data integrity and availability.
What is meant by ‘going around’ security?
A way of getting things done that may introduce risks to the organization.
What was Company A’s approach to developing its mobile app?
The programming manager instructed her team to keep the development process secret and not involve other departments.
What was Company B’s approach to developing its mobile app?
The programming manager demanded security requirements be defined early in the software development cycle.
What is an adaptable cybersecurity policy?
A policy designed to support the organizational mission and encourage reassessment of current requirements.
What does the term ‘enforceable’ mean in the context of cybersecurity policy?
It means that controls can be implemented to support the policy and compliance can be measured.
True or False: Company A had controls in place to restrict Internet access to business use only.
False
What happens when a rule is broken without consequences?
The rule becomes essentially meaningless.
What should an effective cybersecurity policy include for external parties?
Consideration of third parties in the policy thought process.
What is the role of government in cybersecurity?
To protect critical infrastructure and citizens through regulation.
Define ‘regulation’ in the context of cybersecurity.
Intervention to restrain or cause uniform actions in cybersecurity practices.
What is the Gramm-Leach-Bliley Act (GLBA)?
Legislation aimed at protecting consumer financial information and ensuring its confidentiality.
What does the HIPAA Security Rule protect?
Individuals’ electronic personal health information (ePHI).
Fill in the blank: The _______ Act requires financial institutions to develop cybersecurity policies.
Gramm-Leach-Bliley
What is the primary objective of the Sarbanes-Oxley Act (SOX)?
To protect investors by improving the accuracy of corporate disclosures.
What are the six main goals of the Payment Card Industry Data Security Standard (PCI DSS)?
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
What does the Children’s Online Privacy Protection Act (COPPA) require?
Websites directed at children to obtain verifiable parental consent before collecting personal information.
What rights does the California Consumer Privacy Act (CCPA) provide to consumers?
- Right to know about data collection
- Right to request deletion of personal information
- Right to opt out of data sales
- Right to access data in a usable format
What are the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS)?
Stringent cybersecurity requirements for contractors doing business with the DoD.
What is the purpose of the Federal Risk and Authorization Management Program (FedRAMP)?
To standardize the security assessment process for cloud products and services.
What does the General Data Protection Regulation (GDPR) aim to achieve?
Give individuals greater control over their personal data and harmonize data protection laws across the EU.
What does GDPR stand for?
General Data Protection Regulation
GDPR is a regulation in EU law on data protection and privacy.
Which rights are granted to individuals under GDPR?
- Right to access and correct personal data
- Right to data portability
- Right to be forgotten
- Requirement for explicit and informed consent
These rights empower individuals regarding their personal data.
What are the potential fines for noncompliance with GDPR?
Up to 4% of global annual revenue or €20 million, whichever is higher.
What was the purpose of the NIS Directive?
To enhance cybersecurity across EU member states.
What sectors are targeted by the NIS Directive?
- Energy
- Transportation
- Health care
- Financial services
- Digital service providers
These sectors are required to take appropriate security measures and report incidents.
What is the Data Protection Act 2018?
The U.K.’s implementation of the GDPR, with additional provisions and exceptions.
What is Cyber Essentials?
A U.K. government-backed certification scheme encouraging organizations to adopt fundamental cybersecurity practices.
List the five key controls outlined in Cyber Essentials.
- Secure configuration
- Boundary firewalls and Internet gateways
- Access control
- Patch management
- Malware protection
What does PIPEDA stand for?
Personal Information Protection and Electronic Documents Act
PIPEDA is a Canadian law governing private-sector organizations’ handling of personal information.
What are the Australian Privacy Principles (APPs)?
Principles guiding how personal information should be collected, stored, used, and disclosed.
What is the aim of POPIA?
To safeguard the processing of personal information by public and private entities in South Africa.
What is required under Japan’s Personal Information Protection Act (PIPA)?
Organizations must obtain consent before collecting or using personal data.
What does India’s Information Technology Act of 2000 primarily regulate?
Cyber activities including electronic commerce, governance, and cybercrimes.
What federal law governs the privacy of student records in the U.S.?
FERPA (Family Educational Rights and Privacy Act of 1974).
What is the California Security Breach Information Act?
Requires businesses or state agencies to notify residents of California of security breaches involving personal information.
What does the Massachusetts regulation 201 CMR 17 require?
Establishes minimum standards for safeguarding personal information of residents.
What is the role of the Information Commissioner’s Office (ICO) in the U.K.?
Responsible for enforcing data protection laws.
What are the responsibilities of the Board of Directors in the cybersecurity policy life cycle?
- Communicate guiding principles
- Authorize policy
- Champion the policy
- Lead by example
- Reauthorize or approve retirement
Fill in the blank: The first step in policy development is _______.
[Planning]
True or False: Noncompliance with PIPEDA can lead to legal action, including fines.
True
What is the main challenge in establishing global cybersecurity policies?
The complexity of public policy issues makes a global policy practically impossible to attain.
What are the key tasks in the policy development phase?
- Planning
- Researching
- Writing
- Vetting
- Approving
What organization oversees compliance with Australia’s Privacy Act?
Office of the Australian Information Commissioner (OAIC).
What is the first task in the vetting process of cybersecurity policies?
Consulting with internal and external experts including legal counsel, HR, compliance, cybersecurity professionals, auditors, and regulators.
Why is approval of cybersecurity policies considered cross-departmental?
Because cybersecurity policies affect the entire organization and require consensus and support from all affected departments.
What is required for the authorization of cybersecurity policies?
Agreement from executive management or an equivalent authoritative body.
Which two regulations require written cybersecurity policies that are board approved?
GLBA and HIPAA.
What are the three key tasks in the publication phase of a policy?
- Communication
- Dissemination
- Education
What is the goal of the communication task in policy publication?
To deliver the message that the policy is important to the organization.
True or False: Leaders who see their role as a privilege positively influence cybersecurity compliance.
False.
What does the dissemination task involve?
Making the policy available and accessible to the intended audience.
Why is ongoing training and education important in the context of cybersecurity policies?
It builds culture and reinforces understanding of policy objectives.
Fill in the blank: The ultimate goal of policy adoption is __________.
[normative integration]
What are the three key tasks in the adoption phase of a policy?
- Implementation
- Monitoring
- Enforcement
What is required for successful implementation of a policy?
Everyone involved must understand the intent of the policy and how it is to be applied.
What must be monitored post-implementation of a policy?
Compliance and policy effectiveness.
True or False: Policies must be enforced inconsistently to be effective.
False.
What are the two key tasks in the review phase of a policy?
- Soliciting feedback
- Reauthorizing or retiring policies
What is the purpose of soliciting feedback on cybersecurity policies?
To ensure policies keep up with significant changes in the organization or technology infrastructure.
What happens to outdated policies during the review phase?
They should be refreshed; those no longer applicable should be retired.
What is the purpose of policies in organizations?
To address common foreseeable situations and guide decision-making.
List the seven common characteristics of a successful cybersecurity policy.
- Endorsed
- Relevant
- Realistic
- Attainable
- Adaptable
- Enforceable
- Inclusive
What does normative integration mean in the context of policy adoption?
The policy is expected behavior, and all others are considered deviant.
Which document serves as an excellent example of a strong, flexible, and resilient policy?
The U.S. Constitution.
What is the objective of a cybersecurity policy?
To protect an organization, its employees, customers, and partners from harm related to information misuse or damage.
True or False: Policies can remain static and never need to change.
False.
Who is responsible for approving the retirement of a policy?
Executive management or the board of directors.
What sector is not considered part of the ‘critical infrastructure’?
Museums and arts.
What is the difference between cybercrime and cyber-espionage?
Cybercrime involves illegal activities for personal gain, while cyber-espionage involves spying on governments or organizations.
Fill in the blank: Policies should be reviewed __________.
[annually or sooner if significant change occurs]
Which phase of the cybersecurity policy life cycle involves communication, dissemination, and education?
Publication phase.
What is the difference between cybercrime, hacktivism, cyber-espionage, and cyber-warfare?
Cybercrime involves illegal activities conducted via the internet; hacktivism is politically motivated hacking; cyber-espionage is spying conducted through digital means; cyber-warfare refers to state-sponsored attacks against another state’s information systems.
Each of these terms represents a different motivation and context for cyber activities.
What are the similarities between cybercrime, hacktivism, cyber-espionage, and cyber-warfare?
All involve the use of technology to achieve goals, often bypassing legal and ethical norms, and they can lead to significant harm or disruption.
These activities can overlap in methods and impacts, creating challenges for law enforcement and policy makers.
Are cyber threats escalating or diminishing?
Escalating.
Trends indicate an increase in frequency, sophistication, and impact of cyber threats globally.
What is the objective of PROJECT 1.1: Honoring the Public Trust?
To find examples of policies or practices that banks and hospitals use to protect customer and patient information.
This project emphasizes the importance of data privacy in sensitive sectors.
How do the policies or practices of banks compare to those of hospitals?
Both aim to protect sensitive personal information but may differ in regulatory frameworks and specific practices.
Banks often focus on financial data protection, while hospitals emphasize health information privacy.
What are some regulatory requirements that bank policies or hospital policies may reference?
- GDPR
- FedRAMP
- NIS
- HIPAA
These regulations vary by industry and geographic region, influencing how institutions handle data protection.
What is the objective of PROJECT 1.2: Understanding Government Regulations?
To explore the impact of key government regulations on various industries, highlighting their influence on business practices and consumer rights.
This project encourages analysis of regulations like HIPAA and GDPR.
What should students analyze regarding government regulations?
- Origins
- Purposes
- Enforcement
- Effects on businesses and society
Understanding these elements is crucial for assessing the effectiveness of regulations.
What is the focus of PROJECT 1.3: Developing Communication and Training Skills?
To introduce a new security policy requiring identification badges for students and employees.
This project emphasizes the importance of effective communication and training in policy implementation.
What should the action plan for developing a cybersecurity policy at OK Credit Union include?
- Biggest challenge
- Personnel involvement
- OK Credit Union staff participation
- Support building strategies
- Handling employee resistance
- Compliance issues
These elements are critical for successful policy adoption.
What is the objective of PROJECT 1.4: Comparing the EU Cyber Resilience Act and the U.S. Executive Order on Improving the Nation’s Cybersecurity?
To explore, compare, and contrast the cybersecurity approaches of the EU and the U.S., analyzing strengths and weaknesses.
This project highlights the importance of global cybersecurity strategies.
What are the main provisions of the EU Cyber Resilience Act (CRA)?
Establishes cybersecurity requirements for digital products in the EU market.
The CRA aims to strengthen the overall cybersecurity posture within the EU.
What does the U.S. Executive Order on Improving the Nation’s Cybersecurity focus on?
Enhancing cybersecurity across federal agencies and promoting public-private partnerships.
This order is part of a broader strategy to address national security concerns.
What methods should be used to compare the CRA and the Executive Order?
- Legislative content
- Scope
- Enforcement mechanisms
- Impact assessment
These methods provide a structured approach to analysis.
What are the implications of comparing the CRA and the Executive Order?
Understanding how each measure influences global cybersecurity norms and international cooperation.
This comparison can inform future policy decisions.
What are some key elements to analyze regarding enforcement mechanisms?
- Compliance requirements
- Penalties for noncompliance
- Measures to ensure adherence
Effective enforcement is essential for the success of cybersecurity regulations.
What are the expected impacts of the CRA and the Executive Order?
Improved cybersecurity resilience and enhanced protection against cyber threats.
Both measures aim to create a safer digital environment.
What are the benefits of government regulations for consumers?
- Enhanced protection of personal information
- Increased trust in services
- Promotion of social welfare
Regulations play a vital role in consumer protection.
What areas should future research focus on regarding cybersecurity policy?
Building on findings from comparative analyses and exploring emerging threats and technologies.
Future research can help adapt policies to evolving challenges.