Domain 5: Summarize elements of effective security governance Flashcards

1
Q

Guidelines

A

Guidelines provide structured recommendations and principles that serve as a framework for guiding decision-making and behavior

2
Q

Policies

A

Policies create a rigid, prescriptive framework of what needs to be done to ensure that guidelines are met.

3
Q

Acceptable use policy

A

An AUP sets the ground rules for how employees and stakeholders can utilize an organization’s resources. It outlines acceptable and unacceptable behaviors, such as appropriate use of email, internet access, and social media, while emphasizing the importance of responsible and ethical use.

4
Q

Information security policies

A

Information security policies are policies that define the procedures and controls that protect sensitive information from unauthorized access, data breaches, and cyber threats. They encompass aspects such as access control, data encryption, and password management to ensure data confidentiality, integrity, and availability.

5
Q

Business continuity Plan

A

BCP policies provide a roadmap for organizations to sustain essential operations in the face of disruptions, whether caused by natural disasters, cyberattacks, or other unforeseen events. They go together with Continuity-of-Operations Plans (COOPs), and both outline strategies for data backup, disaster recovery, and the continuous operation of critical functions.

6
Q

Software development cycle

A

An SDLC policy establishes the methodologies and best practices for creating, testing, and deploying software applications. This policy ensures that software projects are managed efficiently, with an emphasis on quality, security, and compliance.

7
Q

Change Management

A

Change management policies facilitate the adoption of new technologies, processes, or organizational changes. They help maintain stability by defining how changes are proposed, evaluated, and implemented. Effective change management policies minimize disruption and ensure that changes align with strategic objectives.

8
Q

Software development cycle stages

A

As shown in the diagram, the first stage is software development. It is important to use the most secure programming language for the task at hand.

In the next stage of the cycle, the Test block in the diagram, a secure coding freelancer carries out regression testing on the final version of the code to ensure that the application is fit for purpose, meaning the software application meets its intended goals and requirements.

The next phase is Staging, which is the point at which the code becomes an application (though quality assurance must be carried out before it can be rolled out to production). In this stage, the new application is tested with real data in a sandbox environment to ensure that the application meets the original specifications and that all necessary reports are available and complete. Vulnerability scanning is also conducted at this stage, any required changes or patches are applied, and, if quality assurance has been fulfilled, the application is signed off and moved to the next stage.

Finally, in the Production stage, the final block in the diagram, the application is deployed to its end users.

9
Q

Standards

A

Standards provide a common framework for security practices to ensure consistency and alignment with industry best practices and regulatory requirements. Adhering to these standards promotes a security-conscious environment and establishes a foundation for measuring and enhancing security posture.

10
Q

ISO 27001 Security

A

This is a comprehensive and internationally recognized framework for Information Security Management Systems (ISMSs) that has seen global acceptance, making it a valuable credential for organizations operating on a global scale.

11
Q

ISO 27002 Guidance on Best Practices

A

ISO 27002 is a collection of security controls and best practices that organizations can implement to secure their information assets.

12
Q

ISO 27701 Privacy

A

ISO 27701 is designed to help organizations manage and enhance their privacy practices effectively. It builds upon the foundation of ISO 27001, which is the globally recognized ISMS, a framework for protecting information through policies and controls. It has a privacy-centric approach, recognizing that data privacy is not an afterthought but a fundamental requirement in today’s data-driven world.

13
Q

Privacy Information Management System (PIMS)

A

A PIMS is an organizational framework designed to effectively manage and protect individuals’ personal and sensitive information, ensuring compliance with privacy laws and regulations.

14
Q

ISO/IEC 27017 Cloud Security

A

ISO/IEC 27017 is the standard for cloud security, focusing on information security controls for cloud services. It provides cloud-specific guidelines for both Cloud Service Providers (CSPs) and cloud service customers and addresses shared security responsibilities between the CSP and the customer to ensure clarity on security measures. The standard also emphasizes risk assessment and management to help organizations identify and mitigate cloud-specific risks effectively. ISO/IEC 27017 aligns with other ISO/IEC standards (such as ISO 27001), streamlining the integration of cloud security into an organization’s broader information security management system.

15
Q

ISO/IEC 27018 Privacy

A

This is a vital standard for cloud computing, specifically addressing data privacy concerns. It provides guidelines for safeguarding personal data in the cloud, including policies that outline the need for transparency, obtaining consent to access data, data access controls, and secure handling of PII. Compliance with these guidelines instills trust in the organization, assuring customers that their data is protected and all privacy regulations are met.

16
Q

Payment Card Industry Data Security Standard

A

PCI-DSS is a robust security standard designed to safeguard payment card data during transactions. It sets stringent requirements for organizations to protect sensitive financial information, ensuring secure commerce in an evolving digital landscape.

17
Q

Password Managers

A

Password managers allow users to set longer and more complex passwords, as they don’t need to remember them. An example of a secure password manager is Bitwarden.

18
Q

Procedures

A

Procedures are a set of documented steps or guidelines designed to standardize and streamline processes within an organization.

19
Q

Playbooks

A

Playbooks are a subset of procedures that are often used in specific contexts such as sales, marketing, disaster recovery, or incident response. They are comprehensive guides that outline actions, strategies, and contingencies for various scenarios. Playbooks equip teams with predefined responses to complex situations to ensure consistency and effective decision-making.

20
Q

Boards

A

Boards of directors or governing boards are fundamental to governance in numerous organizations, including corporations, non-profits, and educational institutions. These boards are entrusted with setting the strategic direction, overseeing management, and safeguarding stakeholders’ interests. Boards ensure accountability through governance, oversight, transparency, and ethical leadership.

21
Q

Committees

A

Committees are internal task forces within larger governance structures that focus on specific functions or tasks. They play a critical role in breaking down complex governance responsibilities into manageable components. Examples include audit committees, compensation committees, and governance committees. These specialized groups enhance the efficiency and effectiveness of governance by diving deep into specific areas of concern, such as financial compliance, cybersecurity, regulatory compliance, and strategic planning, among others.

22
Q

Centralized and Decentralized Governance

A

Centralized and decentralized governance structures are at opposite extremes. Centralized governance consolidates decision-making authority at the top, often with a single governing body or individual. In contrast, decentralized governance distributes decision-making across various entities or levels. Finding the right balance between centralization and decentralization depends on the organization’s size, complexity, and objectives. The amount of centralization/decentralization impacts how decisions are made, resources are allocated, and responsibilities are delegated.

23
Q

Data owners

A

Data owners bear the responsibility of safeguarding data and overseeing the enforcement of policies that govern its proper usage to ensure the protection and responsible handling of data.

24
Q

Government Entities

A

Government entities at various levels are responsible for public governance. These entities (including federal, state, and local governments) create policies, enforce laws, and provide public services. Public governance structures are vital for maintaining law and order, protecting citizens’ rights, and promoting general welfare. They operate within established legal frameworks and democratic principles.

25
Q

Data processor

A

The data processor must handle and process the data on behalf of data controllers. They must adhere to the predetermined instructions and policies set by the controllers and ensure the sanctity of data subject rights and regulatory compliance. They must maintain a record and audit trail for every transaction during data processing so that the auditor can ensure compliance.

25
Q

Data custodian

A

The data custodian is responsible for the secure storage of data in compliance with data privacy regulations such as GDPR, ISO 27701, or HIPAA. The data custodian protects the data by ensuring it is encrypted, stored, and backed up. They implement the organization’s data retention policy and archive data that is outside of the legal data retention regulations.

26
Q

Data stewards

A

Data stewards are dedicated to maintaining data quality, diligently identifying and rectifying errors and inconsistencies. They also maintain detailed records and metadata, making data understandable and accessible to users. Beyond quality, they classify data based on sensitivity and collaborate with data custodians to implement the necessary controls for compliance.