Chapter 5 - Governance, Risk, and Compliance

Question 1

Managerial Controls

Answer 1

Controls that address security design and implementation
Security policies, standard operating procedures

Question 2

Operational Controls

Answer 2

Controls that are implemented by people
Security guards, awareness programs

Question 3

Technical Controls

Answer 3

Controls implemented by system
Operating systems, firewalls, anti-virus

Question 4

Control Type - Preventative

Answer 4

Physically control access
Door lock, security guard, firewall

Question 5

Control Type - Detective

Answer 5

May not prevent access but identifies and records any intrusion attempt
Motion detector, IDS/ IPS

Question 6

Control Type - Corrective

Answer 6

Designed to mitigate damage
IPS - block an attacker, Backups - mitigate a ransomware infection, Backup site - can provide options when a storm hits

Question 7

Control Type - Deterrent

Answer 7

May not directly prevent access but discourages an intrusion attempts
Warning signs, login banner

Question 8

Control Type - Compensating

Answer 8

Doesn’t prevent an attack but can restore using other means
Re-image or restore from backup, hot site, backup power system, generator

Question 9

Control Type - Physical

Answer 9

Real-world security
Fences, locks, man traps

Question 10

Security Controls

Answer 10

Prevent security events, minimize the impact, and limit the damage

Question 11

General Data Protection Regulation (GDPR)

Answer 11

A set of rules and regulations that allows someone in the EU to control what happens with their private information
Name, address, photo, email, bank
Controls export of personal data and can decide where it goes

Question 12

National, Territory, or State Laws

Question 13

Payment Card Industry Data Security Standard (PCI DSS)

Answer 13

A standard for protecting credit cards and transactions
Objectives: build/maintain a secure network and systems, protect cardholder data, maintain vulnerability management program, implement strong access control, regularly monitor, information security policies

Question 14

Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSC)

Answer 14

Improves security posture of organization
Has 20 keys actions and is designed for implementation

Question 15

National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)

Answer 15

Mandatory for US federal agencies and organizations that handle federal data
Six step process: categorize, select, implement, assess, authorize, monitor

Question 16

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

Answer 16

A voluntary commercial implementation framework
Framework core - identify, protect, detect, respond, recover
Framework implementation tiers - view and process of handling risk
Framework profile - standards, guidelines, and practices of core

Question 17

International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC)
27001/ 27002/ 27701/ 31000

Answer 17

ISO/ IEC 27001 - standard for information security management systems (ISMS)
ISO/ IEC 27002 - Code of practice for information security controls
ISO/ IEC 27701 - Privacy information Management systems (PIMS)
ISO 31000 - International standards for risk management practices

Question 18

SSAE SOC 2 Type I/II

Answer 18

American Institute of Certified Public Accountants auditing standard
SOC 2 - Trust services criteria (security controls)
Type I Audit - Tests controls in place at a particular point in time
Type II Audit - Tests controls over a period of at least six consecutive months

Question 19

Cloud Security Alliance (CSA)

Answer 19

Security in cloud computing
Not-for-profit organization

Question 20

Cloud Control Matrix

Answer 20

Cloud-specific security controls
Controls are mapped to standards, best practices, and regulations

Question 21

Reference Architecture

Answer 21

Methodology and tools, assessing internal organization, security capabilities, and building a road map

Question 22

Platform/ Vendor-specific Hardening Guides

Answer 22

Guides that are specific to the software and platform
Get feedback from manufacturer or internet interest group

Question 23

Web Server Hardening Guide

Answer 23

Provides information on how to prevent data leakage and server access, what permissions the server should run on, configuring SSL, and monitoring/ reporting on access logs

Question 24

Operating System Hardening Guide

Answer 24

Provides latest OS updates/ service packs, user accounts limitations and password complexity/ length, and how to control network access and security

Question 25

Application Server Software

Answer 25

Middleware - between web server and database
Disables all unnecessary devices, updates security patches, and limits access and rights

Question 26

Network Infrastructure Devices

Answer 26

Switches, routers, firewalls, IPS, etc.
Purpose-built devices, configure authentication, and check with manufacturer for known updates

Question 27

Acceptable Use Policy

Answer 27

Detailed documentation of acceptable use of a companies assets
Used by an organization to limit legal liability

Question 28

Job Rotation

Answer 28

Keep people moving between responsibilities so no one person maintains control for long periods of time

Question 29

Mandatory Vacation

Answer 29

Rotate others through job to make sure everything is operating correctly
Not used often but especially important in high security environment

Question 30

Separation of Duties

Answer 30

Split knowledge - No one person has all of the details
Example: half of a safe combination
Dual control - two people must be present to perform a task
Example: two keys opening a safe (or launch missile)

Question 31

Least Privilege

Answer 31

Rights and permissions set to the bar minimum so a user only has exact access needed to perform an objective

Question 32

Clean Desk Space

Answer 32

Whenever leaving desk, not important information is left on desk

Question 33

Background Checks

Answer 33

Pre-employment screening to verify the applicant’s claims, discover criminal history, workers compensation claims

Question 34

Non-disclosure Agreements (NDA)

Answer 34

Confidentiality agreement where both sides decide what information can be shared and what information should be kept private

Question 35

Social Media Analysis

Answer 35

Gathering information from social media platforms to be able to see what the potential employee is like outside of a professional atmosphere

Question 36

Onboarding

Answer 36

Bring a new person into the organization
IT agreements need to be signed, create accounts, provide hardware

Question 37

Offboarding

Answer 37

Someone leaving the organization in a pre-planned way
Returning of hardware, access of data, deactivate accounts

Question 38

User Training

Answer 38

Helps the user in operating the system in efficient way by learning, executing, and implementation policies

Question 39

Gamification

Answer 39

Train while giving people points, competing with other, and collecting badges

Question 40

Capture the Flag

Answer 40

Security competition where someone hacks into a system in order to steal the flag and create simulations

Question 41

Phishing Campaigns

Answer 41

A scam that impersonates a reputable person or organization with the intent to steal credentials or sensitive information

Question 42

Phishing Simulations

Answer 42

Send simulated emails/ make vishing calls
See which users need additional training is susceptible

Question 43

Computer-based Training (CBT)

Answer 43

Automated pre-built training to do on your own time
What I am doing now

Question 44

Role-based Training

Answer 44

Specialized training that requires each user to experience with their unique security responsibilities

Question 45

Third Party Risk Management - Vendors

Answer 45

Important company data is shared
Perform a risk assessment for each vendor and use contracts
Payroll, travel, raw material, customer relations

Question 46

Third Party Risk Management - Supply Chain

Answer 46

The system involved when creating a product
Perform a supply chain assessment
Organizations, people, activities, and resources

Question 47

Third Party Risk Management - Business Partners

Answer 47

Closer to data than a vendor
Involves communication over trusted connection

Question 48

Service Level Agreement (SLA)

Answer 48

Sets a minimum set of service terms for a particular service or product
Between customers and service providers
uptime, response time agreement

Question 49

Memorandum of Understanding (MOU)

Answer 49

Memo sent between two different parties so that they understand what the requirements might be for a particular business process

Question 50

Measurement of Systems Analysis (MSA)

Answer 50

Provides a way for a company to evaluate and assess the quality of the process used in their measurement systems

Question 51

Business Partnership Agreement (BPA)

Answer 51

A legally binding document that determines the roles and responsibilities between two individuals or entities acting as business partners

Question 52

End of Life (EOL)

Answer 52

When a manufacturer stops selling a product but may still support the product
Security patches, updates

Question 53

End of Service Life (EOSL)

Answer 53

When a manufacturer stops selling and supporting the product
Security patches, updates
Could maybe pay a premium fee to get security patch or update

Question 54

Data Classification

Answer 54

Identify data types - use and protect data efficiently
Personal, public, restricted, etc.

Question 55

Data Governance

Answer 55

Rules, processes, and accountability associated with an organization’s data - data is used in the right ways
Data steward

Question 56

Data Retention

Answer 56

Keep files that change frequently for version control
Corporate tax information, customer PII, tape backups, etc.

Question 57

Credential Management

Answer 57

All that stands between the outside world and all of the data
Everything needs to reside on the server and not the client
Encryption

Question 58

Personnel Accounts

Answer 58

An account on a computer associated with a specific person
Storage and files can be private to that user

Question 59

Third-party Accounts

Answer 59

Access to external third-party systems
Cloud platforms for payroll, enterprise resource planning, etc.

Question 60

Device Accounts

Answer 60

Access to devices
Mobile devices
Mobile Device Manager

Question 61

Service Accounts

Answer 61

Used exclusively by services running on a computer
No interactive/ user access
Web server, database server, etc.

Question 62

Administrator/ Root Accounts

Answer 62

Elevated access to one or more systems
Complete access to operating system
Manage hardware, drivers, and software installation

Question 63

Change Management

Answer 63

How to make a change
Upgrade software, change firewall configuration, modify switch ports
Have clear policies
Frequency, duration, installation process, fallback procedures

Question 64

Change Control

Answer 64

A formal process for managing change
Avoid downtime, confusion, and mistakes

Question 65

Asset Management

Answer 65

Identify and tracking computing assets - hardware and data
Respond fast to security problem
Who, what, and where

Question 66

Risk Assessment

Answer 66

Identifying assets that could be affected by an attack as well as the threats that could affect those assets and the amount of risk of the attack

Question 67

External Threats

Answer 67

Outside the organization
Hacker, former employee

Question 68

Internal Threats

Answer 68

Inside the organization
Employees, partners

Question 69

Legacy Systems

Answer 69

Outdated or older technologies that may not be supported by the manufacturer or may not have security updates

Question 70

Multiparty Risks

Answer 70

Breaches involving multiple parties
Personal information held by an organization for customers

Question 71

Intellectual Party (IP) Theft

Answer 71

Theft of ideas, inventions, and creative expressions
Human error, hacking, employees with access

Question 72

Software Compliance/ Licensing

Answer 72

The process of ensuring that your company is only using software it is authorized to use
Not too many licenses and not too few licenses

Question 73

Risk Management Strategy - Acceptance

Answer 73

Not making changes and taking the risk

Question 74

Risk Management Strategy - Avoidance

Answer 74

Stop participating in a high-risk activity

Question 75

Risk Management Strategy - Transference

Answer 75

Buying some cybersecurity insurance - helps financially if a threat occurs

Question 76

Cybersecurity Insurance

Answer 76

Helps an organization pay for any financial losses they may incur in the event of a cyberattack or data breach

Question 77

Risk Management Strategy - Mitigation

Answer 77

Decrease the risk level by investing in security systems

Question 78

Risk Register

Answer 78

Document used as a risk management tool
Applies possible solutions to the identified risks
Monitors the results

Question 79

Risk Matrix/ Heat Map

Answer 79

Visually determining the risk assessment based on color that help make strategic decisions
Combines the likelihood of an event with the potential impact

Question 80

Risk Control Assessment

Answer 80

After determining risks we need to build and maintain security systems based on the requirements

Question 81

Risk Control Self-assessment

Answer 81

A procedure for assessing and examining operational hazards and the efficacy of risk management controls

Question 82

Risk Awareness

Answer 82

Having an understanding of what risks exist, what impact they can have, and how to deal with them, but also constantly keeping an open eye for new risks

Question 83

Inherent Risk

Answer 83

Risk that exists in the absence of security controls
Impact + likelihood

Question 84

Residual Risk

Answer 84

Inherent risks combined with the effectiveness of security controls
Inherent risk + control effectiveness

Question 85

Control Risk

Answer 85

Define methods, procedures, technologies, or other measures that can help the organization mitigate the risks

Question 86

Risk Appetite

Answer 86

How much an organization may be willing to take

Question 87

Regulations That Affect Risk Posture

Answer 87

Protection of personal information, disclosure of information breaches
HIPPA, GDPR

Question 88

Risk Assessment - Qualitative

Answer 88

Identifying significant risk factors and displaying visually with a traffic light grid or similar method
Red, yellow, green

Question 89

Risk Assessment - Quantitative

Answer 89

Method using measurable, objective data to determine an asset’s value, the probability of loss and other associated risks

Question 90

Likelihood of Occurrence

Answer 90

How likely it is that something will happen
ARO

Question 91

Impact

Answer 91

How much something happening will effect the organization
Life, property, safety, finance, and reputation

Question 92

Asset Value

Answer 92

The value or amount spent on a singular asset
Computer = $1,000

Question 93

Single-loss Expectancy (SLE)

Answer 93

Describes how much money an organization is going to lose if that single event occurs
If computer that is $1,000 the SLE is $1,000

Question 94

Annualized Loss Expectancy (ALE)

Answer 94

ARO x SLE
ARO = 7, SLE = $1,000; 7 x 1,000 = $7,000 (ALE)

Question 95

Annualized Rate of Occurrence (ARO)

Answer 95

Describes the likelihood of an attack or disaster of occurring per year

Question 96

Disasters - Environmental Threats

Answer 96

Tornadoes, hurricanes, earthquakes, or severe weather

Question 97

Disasters - Person-made Threats

Answer 97

Created by a person
Human-intent, negligence, or error
Arson, crime, civil disorder, fires, riots, etc.

Question 98

Disasters - Internal

Answer 98

Threats from employees or partners

Question 99

Disasters - External

Answer 99

Threats from outside the organization

Question 100

Recovery Time Objective (RTO)

Answer 100

How long it would take to get back up and running to a particular service level
Do not need to get to complete recover but need to get to a certain point

Question 101

Recovery Point Objective (RPO)

Answer 101

Set an objective to meet a certain set of minimum requirements to get a system up and running
Part of it may be available but part of it may be unavailable

Question 102

Mean Time to Repair (MTTR)

Answer 102

Time required to fix the issue

Question 103

Mean Time Between Failures (MTBF)

Answer 103

Predicting the time between failures or outages

Question 104

Functional Recovery Plans

Answer 104

A set of processes and procedures that can take us from the very beginning of solving the issue all the way through to getting back up and running - step-by-step guide
Contact information, technical processes, recover and test

Question 105

Single Point of Failure

Answer 105

A part of a system that, if it fails, will stop the entire system from working

Question 106

Disaster Recovery Plan (DRP)

Answer 106

Detailed step-by-step plan for resuming operations after a disaster has occurred
Application, data center, building, campus, region, etc.

Question 107

Mission Essential Functions

Answer 107

Functions that are the most essential to an organization depending on the type of disaster that occurred

Question 108

Identification of Critical Systems

Answer 108

Identifying critical systems that are the most essential to an organization depending on the type of disaster that occurred

Question 109

Site Risk Assessment

Answer 109

Assessments that have been adapted to a specific site, and only contain relevant information for that particular project
Applications, personnel, equipment, work environment

Question 110

Consequences - Reputation Damage

Answer 110

Opinion of the organization becomes negative in turn can have an impact on products, services, and stock price

Question 111

Consequences - Identity Theft

Answer 111

Company or customer information becomes public

Question 112

Consequences - Fines

Answer 112

Can be fined in someone’s PII becomes available due to the company’s fault

Question 113

Consequences - IP Theft

Answer 113

Stealing company secrets that could make them go out of business

Question 114

Internal Escalation

Answer 114

Providing a process of importance for when internal employees find breaches

Question 115

External Escalation

Answer 115

Providing a process of importance for when a breach is too difficult to find or manage - ask a third party

Question 116

Public Notifications and Disclosures

Answer 116

Information the public of a previous notification breach that can inform them before it happens to them

Question 117

Data Types - Public

Answer 117

No restrictions on viewing the data - everyone can see it

Question 118

Data Types - Private

Answer 118

Restricted access for viewing the data - must be authorized
Might require NDA

Question 119

Data Types - Sensitive

Answer 119

Intellectual property, PII, PHI

Question 120

Data Types - Confidential

Answer 120

Very sensitive - must be authorized to view

Question 121

Data Types - Critical

Answer 121

Data should always be available
Processes we use in the organization or public

Question 122

Data Types - Proprietary

Answer 122

Information that is private and the property of an organization
Trade secrets

Question 123

Data Types - Personally Identifiable Information (PII)

Answer 123

Data that can be used to identify and individual
Name, DOB, biometric information, etc.

Question 124

Data Types - Protected Health Information (PHI)

Answer 124

Health information associated with an individual
Health status, health insurance, health records

Question 125

Data Types - Financial Information

Answer 125

Internal company financial information
Customer financial details

Question 126

Data Types - Government Data

Answer 126

Open data that is transferred between government entities
May be protected by law

Question 127

Data Types - Customer Data

Answer 127

Data associated with customers
Could be user-specific details

Question 128

Data Minimization

Answer 128

Only collecting data that would be used to perform the necessary function
HIPPA, GDPR

Question 129

Data Masking

Answer 129

Hide some of the original data
Data obfuscation
Bank card ****2671

Question 130

Tokenization

Answer 130

Replacing sensitive data with a non-sensitive placeholder
SSN - 226-12-1112 is now SSN 691-61-8539

Question 131

Anonymization

Answer 131

Make it impossible to identify individual data from a dataset

Question 132

Pseudo-anonymization

Answer 132

Replacing personal information with pseudonyms
Random placement
James Messer -> Jack O’Neill -> Sam Carter -> Daniel Jackson

Question 133

Data Owners

Answer 133

Person who is responsible for a certain set of data
Treasurer own financial data

Question 134

Data Controller

Answer 134

Manages the purposes and means by which personal data is processed
Payroll department

Question 135

Data Processor

Answer 135

Processes the data on behalf of the data controller
Often a third-party
Payroll company

Question 136

Data Custodian/ Steward

Answer 136

Responsible for data accuracy, privacy, and security of data
Set labels to the data
Laws and regulations
Access rights

Question 137

Data Protection Officer (DPO)

Answer 137

Responsible for the organization’s privacy
Policies, implements processes and procedures

Question 138

Information Lifecycle

Answer 138

Creation and receipt - create data internally/receive data externally
Distribution - records are sorted and stored
Use - business decisions, create products and services
Maintenance - ongoing data retrieval and transfers
Disposition - Archiving or disposal of data

Question 139

Privacy Impact Assessment (PIA)

Answer 139

Understanding how processes and products will affect the privacy of a organization’s customers or data
New projects, initiatives, systems, processes, strategies, policies, business relationships etc

Question 140

Terms of Agreement

Answer 140

A set of legal conditions used to ensure that all parties involved in a contract or transaction understand the responsibilities and obligations of each party

Question 141

Privacy Notice

Answer 141

Documents the handling of personal data
Provides additional data options and contact information