Compliance

Question 1

What is the definition of compliance?

Answer 1

Adherence to the rules and regulations that govern the information you handle and the industry within which you operate

Question 2

Does being in compliance mean your system is secure?

Answer 2

No. Compliance fills a business need rather than any technical security need.

Question 3

What are the two types of compliance?

Answer 3

Regulatory
Industry

Question 4

Define regulatory compliance

Answer 4

Adherence to laws specific to the industry in which you’re operating; usually involves cyclical audits and assessments to ensure compliance

Question 5

Define industry compliance

Answer 5

Adherence to regulations that aren’t mandated by law but that can nevertheless have severe impacts upon your ability to conduct business
Example: PCI DSS

Question 6

What are the three main types of controls for compliance?

Answer 6

Physical
Administrative
Technical

Question 7

What do physical controls in compliance do?

Answer 7

Mitigate risks to physical security
Deter unauthorized access
Examples: Fences, guards, cameras, locked doors

Question 8

How do administrative controls help achieve compliance?

Answer 8

Mitigate risks by implementing certain processes and procedures
Must be documented to show that they are put in place and enforced

Question 9

Information security policy

Answer 9

To comply with this requirement, must put a policy in place and prove you have followed it
Examples: Emails, tickets from ticketing systems, files from investigations

Question 10

Define and describe technical controls for compliance please.

Answer 10

Manage risk using technical measures
Regulations will often mandate certain technical controls
Examples: firewalls, intrusion detection systems, access control lists

Question 11

Name the two levels of compliance controls, pertaining to importance

Answer 11

Key
Compensating

Question 12

Define and describe key controls in compliance. (4)

Answer 12

Primary controls used to manage risk in your environment
Provide a reasonable degree of assurance that risk will be mitigated
If control fails, it’s unlikely another control could take over for it
Failure of this control will affect an entire process

Question 13

Should you always test key controls as part of compliance and audit efforts?

Answer 13

Yes.

Question 14

Define and describe compensating compliance controls.

Answer 14

Replace impractical or unfeasible key controls
Likely to have to explain to auditors how it will fulfill the intent and purpose of the key control it’s replacing

Question 15

What are the four steps to maintaining compliance?

Answer 15

Monitoring
Reviewing
Documenting
Reporting

Question 16

Describe monitoring as a step of maintaining compliance. (3)

Answer 16

See if the controls you have in place mitigate or reduce your risk
No news is good news
Check controls to make sure they are still effective as environment and technology changes

Question 17

Describe reviewing as a step in maintaining compliance.

Answer 17

Periodically make sure your controls cover old and emergent risks appropriately
Determine whether you need to implement new controls or retire outdated controls

Question 18

Describe documenting as a step of maintaining compliance. (3)

Answer 18

Document results of review
Tracks changes to control’s environment
Helps to evaluate trends, possibly predict future control changes

Question 19

Describe reporting as a step in maintaining compliance.

Answer 19

Report results of review and documentation to leadership
Keeps them in the loop and provides you with means of requesting staff and resources you may need

Question 20

Where are many of the US government’s standards in their information security laws from?

Answer 20

Standards that form the basis of US laws are often from the series of Special Publications of the US National Institute of Standards and Technology (NIST)

Question 21

What is FISMA?

Answer 21

Federal Information Security Management Act (2002)
Requirements involve risk-based approach–one that handles security by enumerating and compensating for specific risks
Once an org passes an audit, it receives an authority to operate (ATO)

Question 22

Whom does FISMA apply to? (3)

Answer 22

US federal government agencies
State agencies that administer federal programs (eg, Medicare)
Private companies that support, sell to, or receive grant money from feds

Question 23

What is FedRAMP?

Answer 23

Federal Risk and Authorization Management Program (2011)
Defines rules for government agencies contracting with cloud providers, including SaaS cloud tools
Certification has single ATO for all agencies

Question 24

What is HIPAA?

Answer 24

Health Insurance Portability and Accountability Act (1996)
Protects rights and data of patients in the US
Applies generally to orgs involved in healthcare and health insurance

Question 25

What is PHI and e-PHI?

Answer 25

Protected health information–any portion of a patient’s medical records or medical transactions

Question 26

What are some requirements of HIPAA? (4)

Answer 26

Requires to safeguard protected health information (PHI) and electronic PHI (e-PHI)
Ensure CIA of any information that you handle or store
Protect info from threats and unauthorized disclosures
Ensure workforce is compliant with these rules

Question 27

What is SOX?

Answer 27

Sarbanes-Oxley Act (2002)
Regulates financial data, operations, and assets for publicly held companies
Made in response to incidents of financial fraud, like Enron

Question 28

What are the requirements of SOX?

Answer 28

Has reqs on record-keeping, including integrity of records, retention periods for some information, and methods of storing electronic information.

Question 29

What law do information security professionals often used to develop and implement systems?

Answer 29

SOX

Question 30

What is GLBA?

Answer 30

Gramm-Leach-Bliley Act (1999)
Protects personally identifiable information (PII) and financial data of customers of financial institutions

Question 31

Broad strokes, what must one do to comply with GLBA? (3)

Answer 31

Secure pertinent records against unauthorized access
Track people’s access to these records
Notify customers when you share their information

Question 32

Do you have to have an information security plan in place and overarching IS program to handle security for org, according to GLBA?

Answer 32

Yes.

Question 33

What is CIPA?

Answer 33

Children’s Internet Protection Act (2000)
Requires schools to prevent children from accessing obscene or harmful content over Internet

Question 34

What are some requirements of CIPA?

Answer 34

Have policies and tech protection measures in place to filter or block the bad content
Monitor activities of minors and educate about proper online behavior

Question 35

What are the penalties for CIPA noncompliance?

Answer 35

No cheap internet. No jail or fines.

Question 36

What is COPPA?

Answer 36

Children’s Online Privacy Protection Act (1988)
No PII from kids under 13
Difficult to comply with

Question 37

What is FERPA?

Answer 37

Family Educational Rights and Privacy Act (1974)
Protects student records
Defines how institutions must handle student records

Question 38

When might you want to choose a more overarching framework?

Answer 38

When you have to comply with separate, unrelated regulations.

Question 39

What is ISO?

Answer 39

International Organization for Standardization

Question 40

What does ISO do?

Answer 40

Sets standards between nations

Question 41

What is GDPR?

Answer 41

General Data Protection Regulation (2018)
Covers data protection and privacy for all citizens of EU

Question 42

What document deals with international information security standards?

Answer 42

ISO 27000 series

Question 43

What does ISO 27k do?

Answer 43

Lays out best practices for managing risk, controls, privacy, technical issues, etc

Question 44

What is SP 800-37?

Answer 44

Special publication put out by NIST
Guide for Applying the Risk Management Framework for Federal Information Systems

Question 45

What is SP 800-53?

Answer 45

Special publication put out by NIST
Security and Privacy Controls for Federal Information Systems and Organizations

Question 46

What are the six steps in the risk management framework of SP 800-37?

Answer 46

Categorize
Select
Implement
Assess
Authorize
Monitor

Question 47

Describe the categorize step in SP 800-37.

Answer 47

Categorize based on what the system handles and impact of exposing or losing data

Question 48

Describe the select step in SP 800-37.

Answer 48

Pick controls based on system’s categorization and any extenuating circumstances

Question 49

Describe the implement step in SP 800-37.

Answer 49

Implement the controls selected and document the implementation

Question 50

Describe the assess step in SP 800-37.

Answer 50

Make sure controls are properly implemented and performing as expected.

Question 51

Describe the authorize step in SP 800-37.

Answer 51

Authorize or ban use of system based on risk it faces and controls implemented to mitigate risk

Question 52

Describe the monitor step in SP 800-37.

Answer 52

Monitor controls to ensure that they continue to appropriately mitigate risk

Question 53

Does SP 800-37 contain specific guidelines for selecting controls?

Answer 53

Yes.

Question 54

List cloud services in increasing order of control and responsibility.

Answer 54

Software as a service
Platform as a service
Infrastructure as a service

Question 55

Who owns the risk in cloud-based computing?

Answer 55

Cloud provider takes responsibility for the portions of the environment the users can’t control.

Question 56

What are the responsibilities for IaaS cloud providers?

Answer 56

Risk related to networks and servers on which the virtual infrastructure exists
ie, securing and maintaining hosts, storage arrays, networks

Question 57

What are the responsibilities for PaaS cloud providers?

Answer 57

Security of infrastructure, ie, patching operating system, configuring servers, backing up servers

Question 58

What are the responsibilities of SaaS cloud providers?

Answer 58

Basically everything, except perhaps the data put into the environment by the users themselves

Question 59

Do contracts generally state that you have a right to audit and assess the security of the cloud environment?

Answer 59

Yes, but it’s gotta be reasonable.

Question 60

Are risks higher in SaaS or IaaS?

Answer 60

SaaS, because you share a larger portion of the environment with other users. In IaaS, you are your data are more sharply divided from other users.

Question 61

Describe compliance with blockchain

Answer 61

Must understand it to regulate it, which not many lawmakers do
Requires consensus of 51% of participants, which is not unbeatable

Question 62

What is NIST?

Answer 62

National Institute of Standards and Technology