Governance, Risk Management and Compliance

Question 1

Control Framework

Examples

Answer 1

These are used to create a governance program to enable compliance with security and privacy requirements

ISO 27014 - Governance of Information Security
ISO 38501 - Governance of Information Technology

Question 2

What characteristics should control frameworks have?

Answer 2

Consistent - in line with Sr. Mgmt guidance and expectations with regards to security and data privacy goals

Measurable - provides a way to determine progress and set goals or KPIs

Standardized - rely on standards or results from one organization or part of an organization that can be compared in a meaningful way

Comprehensive - Should cover the minimum legal and/or regulatory requirements

Modular - A framework that can withstand the changes of an organization because the controls or requirements needing modification are reviewed and updated

Question 3

Governance

Answer 3

Ensures the business focuses on core activities, clarifies WHO in the organization has the authority to make DECISIONS, create POLICY, determines ACCOUNTABILITY for actions and RESPONSIBILITY for outcomes and addresses how expected performance will be evaluated.

Question 4

Compliance

Answer 4

Refers to actions that ensure behavior complies with established rules/policies

Question 5

Data Subject

Answer 5

An individual who is the subject of personal data

Question 6

Data Steward

Answer 6

Responsible for data quality, content, context, and associated business rules

from class “responsible for data integrity”

Question 7

Data Owner

Answer 7

Hold legal rights and complete control and accountability of a single piece or set of data elements

usually the department head or business unit manager for the office that has created or collected a certain dataset.

The data owner will be identified in the create phase.

Question 8

Data Custodian

Answer 8

Responsible for the safe custody, transport, storage of the data and implementation of business rules

The data custodian is any person or entity that is tasked with the daily maintenance and administration of the data. The custodian also has the role of applying the proper security controls and processes as directed by the data owner.

Question 9

Data Controller

Answer 9

A person who determines WHY and HOW PERSONAL DATA is processed

Question 10

Data Processor

Answer 10

Any person who processes data on behalf of the data controller

Question 11

Data Protection Officer (DPO)

Answer 11

Normally APPOINTED by the Data Controller and Data Processor

Responsible for ensuring the strategy and implementation of DATA PROTECTION requirements are in COMPLIANCE with data standards/requirements/laws (e.g. GDPR)

Question 12

Due Care

Answer 12

Setting best or reasonable practices as a responsible organization should do

“Do the Right Thing”

Every employee in the organization should do their job correctly, following policies, procedures, and best practices

The company did all it could have reasonably done to prevent.. breach, what ever…

They exercised due care

Note: Auditors care about due care

Question 13

Due Diligence

Answer 13

Providing a record or history of compliance and enforcement

Providing evidence that you are doing the right thing.. e.g. proof a policy was followed

Note: Auditors care about due diligence

Question 14

Corporate Governance

Answer 14

the system of rules, practices, and process by which a company is directed and controlled

begins with policy

Question 15

1. Policies?

Corporate Policies?

Answer 15

1. the foundation of corporate governance

Mandatory rules, practices and processes authorized and sponsored by Sr. Mgmt and followed by everyone under penalty if broken

2. Requirements derived from regulatory/legal, contractual, or social/ethical compliance

Question 16

How is Policy Implemented?

Answer 16

Management must adopt:

Standards/Frameworks
Baselines
Procedures
Guidelines

Question 17

How should you adopt standards/frameworks to implement policy?

Answer 17

HW, SW, documents are deployed universally throughout the organization

Specific technologies are used in uniform ways

Standards are mandatory, everyone must follow them

Question 18

How should baselines be used to implement policy?

Answer 18

The minimum level of protection or settings for specific platforms or environments should be established as a baseline

Baselines are derived from standards and are mandatory

Question 19

How should Procedures be used to implement policy?

Answer 19

Step by step required and mandatory actions on how to accomplish or maintain the directives of the policy should be documented and followed

Question 20

How should Guidelines be used to implement policy?

Answer 20

Not mandatory but used as best practices, recommendations, suggestions or advice for accomplishing a goal

e.g. optional, non-binding

Question 21

Executive committees for governance

1. Purpose
2. Who is on the committee

Answer 21

1. Determine Organizational requirements and determine Governance, Risk Management and Compliance
2. Board of Directors, Shareholders, Stakeholders and Senior Management

Question 22

Risk Management

Answer 22

identifying threats and vulnerabilities and quantifying and addressing risk associated with them

identify industry, legal and regulatory requirements and addressing risk associated with them

a cyclic, systematic process for monitoring, identifying, analyzing, evaluating/assessing risk to determine risk response: mitigating, transferring, avoiding, and accepting risk

To mitigate or reduce risk to acceptable levels
Includes Risk Analysis, Cost/Benefit Analysis, Deploying counter measures or safeguards, auditing, insurance, Business Continuity Planning, education, training, etc.

Question 23

What measure does a Qualitative Risk Assessment use to assess risks?

Answer 23

Qualitative risk assessments use nonnumerical categories that are relative in nature, such as high, medium, and low. Quantitative assessments use specific numerical values such as 1, 2, and 3.

Question 24

Risk Appetite

AKA, Desc

Answer 24

Risk appetite is the level, amount, or type of risk that the organization finds acceptable.

Organization is prepared to accept this amount or level of risks to meet its objectives

AKA Risk Tolerance

Question 25

Organizations have four main ways to address risk?

Answer 25

Avoidance
Acceptance
Transference
Mitigation

Question 26

Risk Avoidance

Answer 26

removing the technology or activity to remove the risk

it means leaving a business opportunity because the risk is simply too high and cannot be compensated for with adequate control mechanisms—a risk that exceeds the organization’s appetite.

Question 27

Risk Acceptance

What should never happen with respect to managing risk?

AKA

Answer 27

The opposite of avoidance; the risk falls within the organization’s risk appetite, so the organization continues operations without any additional efforts regarding the risk

NEVER accept risk without avoiding, mitigating and transferring as much as possible based on business/compliance/due care conditions

Risk Retention

Question 28

Risk Transference

Answer 28

The organization pays someone else to accept the risk, at a lower cost than the potential impact that would result from the risk being realized; this is usually in the form of insurance or outsourcing. This type of risk is often associated with things that have a low probability of occurring but a high impact should they occur.

Question 29

Risk Mitigation

Answer 29

The organization takes steps to decrease the likelihood or the impact of the risk (and often both); this can take the form of controls or COUNTERMEASURES and is usually where security practitioners are involved.

Question 30

Internal Compliance Items

Answer 30

Mission/Vision Statement
Selected Strategies
Goals and Benchmarks

Question 31

External Compliance Items

Answer 31

Legislation/Legal

Regulatory/Oversight

Industry Standards

Customer Requirements

Question 32

List Compliance Standard Requirement Types

Answer 32

Regulatory/Legal

Contractual

Ethical/Social

Question 33

How should corporate policies/compliance requirements be tested/verified?

Answer 33

Compliance audit, either internal or external to ensure the company does what they say they do to comply with legal/regulatory, contractual, and ethical standards

Question 34

Laws Considered for GRC

Answer 34

International Law
State Law
Federal Law
Privacy Law
Criminal Law
Common Law/Tort

Question 35

International Law

Answer 35

Rules that govern relations between countries

Question 36

State Laws

Answer 36

typically refers to laws of each US state but can refer to geographic divisions (e.g. state, provinces) within any country

Question 37

Privacy Law

Answer 37

Laws that generally protect the rights of an individual within a country; Can extend to PII of the individual housed in a different country

Question 38

Federal Law

Answer 38

The body of laws used to govern a sovereign nation

Question 39

Criminal Law

Answer 39

Typically rules and statutes that define contact prohibited by government to protect the SAFETY and well-being of the public, punishable by jail, death, fines, loss of certain individual rights

Question 40

Common Law (Tort)

Answer 40

Laws that seek to COMPENSATE victims for injuries suffered at the hand of another ex Lawsuit

Question 41

Investigations considered for GRC

Answer 41

Operational
Civil
Criminal

Question 42

Operational Investigation

What are potential penalties?

Answer 42

An investigation performed by the organization related to internal digital or other malfeasance

Penalty may include release from the company

Question 43

Civil Investigation, Penalties, Standard of Proof?

Answer 43

In the US and other countries, civil investigations are governed by Federal Rules of Civil Procedure

Based on TORT law, they seek to remedy a conflict between parties

Penalties are usually MONETARY and/or result in a court order

Standard of proof is a preponderance of evidence

Question 44

Criminal Investigation

Who governs/performs and what are potential penalties?

Answer 44

In a criminal case, it is the STATE against the individual which a jury or judge must find guilty

Penalties may include incarceration, monetary fines or death

Question 45

What are the concerns when a cloud provider becomes involved in an investigation?

Answer 45

Control over data
Multi-Tenancy
Data Volatility
Evidence Acquisition (especially e-disovery)

Question 46

E-discovery

What ISO relates to e-discovery?

Answer 46

Any process in which ELECTRONIC data is sought, located, secured, and searched with the intent of using it as EVIDENCE in a LEGAL case

ISO 27050

Question 47

Legal Hold

Answer 47

If a party reasonably anticipates litigation it must SUSPEND its routine document retention destruction policy and put in place a hold on relevant documents

Question 48

Spoliation

Answer 48

The intentional or accidental DESTRUCTION or ALTERATION of data that is either under legal hold or lawfully requested by a court

Question 49

Production - GRC

Answer 49

The PRESENTATION of the requested data to the court or to the requesting party

Question 50

Agent of the Government

Answer 50

When a PRIVATE citizen who has been given government AUTHORIZATION to act on behalf of the government, they must follow the same rules as the government

Question 51

Warrant

Answer 51

A court order AUTHORIZING law enforcement to gain entry and to search for items or persons for seizure

Question 52

Subpoena

Answer 52

A written legal order summoning a witness or requiring evidence to be submitted to a court

Question 53

Doctrine of plain view

Answer 53

Allows law enforcement to seize objects not described in a WARRANT when executing a lawful search or seizure if they observe the object in plain view and has PROBABLE cause to believe that it is connected with a criminal activity

Question 54

Extradition

Answer 54

The REMOVAL of a person from a requested state to a requesting state for criminal prosecution or punishment

Question 55

Jurisdiction

Answer 55

The authority granted by law to the courts to rule on a legal matter and render judgments according to the subject matter of the case and the GEOGRAPHICAL region in which the issue took place

Question 56

Harmonization of Law

Answer 56

the process of creating common standards across the internal market specifically in the EU

The process of achieving technical EQUIVALENCY and enabling interchangeability between different standards with OVERLAPPING functionality. Harmonization REQUIRES an architecture that documents key points of interoperability and associated interfaces ex. the user of directives in the EU

Question 57

Rules of Evidence Admissibility

Answer 57

1. Be AUTHENTIC - the evidence needs to be tied back to the scene
2. Be ACCURATE - evidence must maintain authenticity and veracity throughout the evidence lifecycle
3. Be COMPLETE - all evidence should be collected, including evidence that support and that can diminish the reliability of the other incriminating evidence
4. Be CONVINCING - evidence should be easy to understand and believable to a jury
5. Be ADMISSIBLE - evidence must be able to be used in a court of law

Question 58

Digital Forensics Phases

Answer 58

1. Collection - identifying, labeling, recording, and acquiring data from a possible source of relevant data
2. Examination - processing collected data
3. Analysis - analyzing the results of the examination
4. Reporting - reporting the results of analysis

Question 59

Chain of Custody

Answer 59

A complete, verifiable record of handling evidence from the moment of acquisition through destruction or return

A chronological paper trail documenting evidence that was gathered, who had it and when (documenting and controlling evidence handling)

Integrity is the upmost importance

Must be maintained while evidence is identified, gathered, protected, accessed and presented

Question 60

Non-Repudiation

Answer 60

The ability to prove that the evidence is the original as acquired from the system

Question 61

Probative Value

Answer 61

Evidence that has some benefit to the court case or interest to the court. It must prove something.

Question 62

Provenance

Answer 62

The ability to track back to the original creation of the evidence

Question 63

How do you capture Digital Evidence in order to ensure you gather all that may be available given time?

Answer 63

Start from the volatile forms then go to more persistent forms

Volatile items cant be recovered after a reboot

Question 64

Order of Volatility

Answer 64

1. Live system info (RAM, process list, unsaved work, encryption keys, etc.)
2. Virtual memory (Paging file/swap file, temp file)
3. Physical media - HD, DVD, USB, printouts
4. Backups and networks - back up media server logs files, cloud storage

Question 65

Shadow IT

Answer 65

Shadow IT, occurs when cloud users access and use cloud systems and resources that have not been authorized by their organization.

Unsanctioned or unapproved cloud workloads or utilization of unapproved devices or VMs within the enterprise

Question 66

Risk Profile

Answer 66

The willingness of an organization to take on risk as well as the threats it will be exposed to

Question 67

Exposure

Answer 67

Actual or anticipated damage from a threat

Question 68

How do you calculate Annual Rate of Occurrence?

Answer 68

Asset Value (AV) x Exposure Factor (EF) = Single Loss Expectancy

of incidents/ # of years = ARO

Question 69

How do you calculate Annual Loss Expectancy?

Answer 69

Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO) = Annual Loss Expectancy

Question 70

Controls Gap

How is this calculated?

Answer 70

The amount of risk that is mitigated implementing countermeasures

Controls Gap = Total Risk - Residual Risk
If I am 100% exposed, and after mitigation, I am 5% exposed, then controls gap is 95%

Question 71

Residual Risk

Answer 71

smaller amount of risk that remains after mitigation or transference or avoidance and must be accepted