Chapter 9 Policy and Compliance

Question 1

Contains a series of documents designed to describe the organization’s security program

Answer 1

Information security policy framework

Question 2

Information security policy frameworks generally include four different types of documents, what are they?

Answer 2

Policies
Standards
Procedures
Guidelines

Question 3

• High-level statements of management intent
• A statement of the importance of cybersecurity to an organization
• Requirement that all staff and contracts take measures to protect the confidentiality, integrity, and availability of information and information systems
• Statement of ownership of information created and or possessed by the organization Designation of the chief information security officer (CISO) or other individual as an executive responsible for cyber security issues
• Delegation of authority granting the CISO the ability to create standards, procedures, and guidelines that implement the policy

Answer 3

Policies

Question 4

• Common document that is often apart of an organization’s information security policy library
• Provides high level of authority and guidance for the security program

Answer 4

Information security policy

Question 5

• Common document that is often apart of an organization’s information security policy library
• Provides network and system users with clear direction on permissible uses of information resources

Answer 5

Acceptable use policy

Question 6

• Common document that is often apart of an organization’s information security policy library
• Clearly states the ownership of information created or used by the organization

Answer 6

Data ownership policy

Question 7

• Common document that is often apart of an organization’s information security policy library
• Describe the classification structure used by the organization and the process used to properly assign classifications to data

Answer 7

Data classification policy

Question 8

• Common document that is often apart of an organization’s information security policy library
• Outlines what information organization will maintain and the length of time different categories of information will be retained prior to destruction

Answer 8

Data retention policy

Question 9

• Common document that is often apart of an organization’s information security policy library
• Describe the account life cycle from provisioning through active use and decommissioning

Answer 9

Account management policy

Question 10

• Common document that is often apart of an organization’s information security policy library
• Set forth requirements for password length, complexity, reuse, and similar issues

Answer 10

Password policy

Question 11

• Provides mandatory requirements describing how an organization will carry out its information security policies
• i.e. the specific configuration settings used for OS systems, controls put in place for highly sensitive information and etc

Answer 11

Standards

Question 12

Provide examples of standards

Answer 12

• Devices must have secure configuration in place prior to deployment
• Any deviations from defined security configurations must be approved through a change management process and documented. a process must exist to annually review deviations for continued relevance.
• A process messages to regular check configurations at devices in alert the resource custodian of any changes

Question 13

• Are detailed step-by-step processes that individuals and organizations must follow in specific circumstances
• i.e. building new systems, releasing code to the production environment, responding to security incidents, and etc…

Answer 13

Procedures

Question 14

• Common procedure doc
• Describes how the organization will perform security monitoring activities, including the possible use of continuous monitoring technology

Answer 14

Monitoring procedures

Question 15

• Common procedure doc
• Describes how the organization will respond to subpoenas, court orders, and other legitimate request to produce digital evidence

Answer 15

Evidence production procedures

Question 16

• Common procedure doc

- Describes the frequency in process of applying patches to applications and systems under the organization’s care

Answer 16

Patching procedures

Question 17

• Provides best practices and recommendations related to a given concept, technology, or task
• Not mandatory and offered as helpful advice

Answer 17

Guidelines

Question 18

What happens when an organization must deviate from a policy?

Answer 18

The policy framework should lay out the specific requirements for receiving an exception and the individual or committee with authority to approve exceptions

Question 19

Security and privacy rules that affect Healthcare Providers, Health insurances, and Health Information clearing house

Answer 19

The Health Insurance Portability and Accountability Act (HIPAA)

Question 20

• Provide detailed rules about the storage, processing, and transmission of credit and debit card information
• Not a law but a contractual obligation it applies to credit card merchants and service providers

Answer 20

The Payment Card Industry Data Security Standard (PCI DSS)

Question 21

• Covers financial institutions, broadly defined. It requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program.

Answer 21

The Gramm Leach Bliley Act (GLBA)

Question 22

Applies to the financial records of publicly traded companies and requires that those companies have a strong degree of assurance around the IT systems that store and process those records

Answer 22

The Sarbanes-Oxley (SOX) Act

Question 23

Requires that educational institutions implement security and privacy controls for student educational records

Answer 23

The Family Educational Rights and Privacy Act (FERPA)

Question 24

Describe the requirements that individual states place on organizations that suffer data breaches regarding notification of individuals affected by the breach

Answer 24

Various data breach notification laws

Question 25

Responsible for developing cyber security standards across the US federal government

Answer 25

The National Institute for Standards and Technology (NIST)

Question 26

The NIST framework includes what three components?

Answer 26

1. The Framework Core
2. The Framework Implementation Tiers
3. The Framework Profiles

Question 27

• NIST framework
• A set of five security functions that apply across all Industries and sectors; identify, protect, detect, respond, and recover.
• The framework then divides the functions into categories, subcategories, and informative references

Answer 27

The Framework Core

Question 28

• NIST framework
• Assesses how an organization is position to meet cyber security objectives
• Example is there a maturity model that describes the current and desired positioning of an organization along a continuum of progress

Answer 28

The Framework Implementation Tiers

Question 29

• NIST framework

- Describes how a specific organization might approach the security functions covered by the framework core

Answer 29

The Framework Profiles

Question 30

• Once the most commonly used information security standard but is now declining in popularity outside of highly regulated industries that require compliance
• Includes control objectives covering 14 categories

Answer 30

International Organization for standardization (ISO 27001)

Question 31

Is a set of best practices for IT governance developed by the Information Systems Audit and Control Association (ISACA)

Answer 31

The Control Objectives for Information and Related Technologies (COBIT)

Question 32

COBIT divides Information Technology activities into what four domains?

Answer 32

1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate

Question 33

COBIT addresses each of the four domains of Technology by providing what five framework components?

Answer 33

1. COBIT framework
2. Process descriptions
3. Control objectives
4. Management guidelines
5. Maturity models

Question 34

Offers an alternative model for approaching security architecture from a variety of different perspectives that map to architectural layers

Answer 34

The Sherwood Applied Business Security Architecture (SABSA) framework

Question 35

• SABSA architectural layers

- Contextual security architecture

Answer 35

Business View

Question 36

• SABSA architectural layers

- Conceptual security architecture

Answer 36

Designers View

Question 37

• SABSA architectural layers

- Physical security architecture

Answer 37

Builders View

Question 38

• SABSA architectural layers

- Component security architecture

Answer 38

Trade Treatment review

Question 39

• SABSA architectural layers

- Security Service management architecture

Answer 39

Service Managers View

Question 40

Widely adapted approach to enterprise architecture

Answer 40

The Open Group Architecture Framework (TOGAF)

Question 41

The Open Group Architecture Framework (TOGAF) divides architecture into four domains: what are they?

Answer 41

• Business architecture
• Applications architecture
• Data architecture
• Technical architecture

Question 42

• One of The Open Group Architecture Framework (TOGAF) domains
• Defines governance and organization and explains the interaction between Enterprise architecture and business strategy

Answer 42

Business architecture

Question 43

• One of The Open Group Architecture Framework (TOGAF) domains
• Includes the applications and systems that an organization deploys, the interactions between those systems and their relation to business processes

Answer 43

Applications architecture

Question 44

• One of The Open Group Architecture Framework (TOGAF) domains
• Provides the organization’s approach to storing and managing information assets

Answer 44

Data architecture

Question 45

• One of The Open Group Architecture Framework (TOGAF) domains
• Describes the infrastructure needed to support the other architectural domains

Answer 45

Technical architecture

Question 46

Framework that offers a comprehensive approach to IT service management (ITSM) within the modern enterprise

Answer 46

The Information Technology Infrastructure Library (ITIL)

Question 47

The Information Technology Infrastructure Library (ITIL) covers what five core activities?

Answer 47

• Service strategy
• Service design
• Service transition
• Service operation
• Continual service improvement

Question 48

Specific measures that fulfill the security objectives of an organization

Answer 48

Security controls

Question 49

Are security controls that impact the physical world

Answer 49

Physical controls

Question 50

• Technical controls that enforce confidentiality, integrity, and availability in the digital space
• i.e. firewall rules, Access Control lists, and choosing prevention systems, and encryption

Answer 50

Logical controls

Question 51

• Procedural mechanisms that an organization follows to implement sound security management practices
• i.e. user account reviews, employee background investigations, log reviews, and separation of duties policies

Answer 51

Administrative controls

Question 52

Are formal reviews of an organization’s security program or specific compliance issues conducted on behalf of a third party

Answer 52

Audits

Question 53

Less formal reviews of security controls that are typically requested by the security organization itself and an effort to engage in process Improvement

Answer 53

Assessment