Lecture 3

Question 1

What is a policy in the context of vulnerability management?

Answer 1

A high-level statement from top management.

It reflects intent and direction

Examples include Acceptable Use Policy (AUP), Email policies, Internet Usage policies.

Question 2

What is the purpose of a standard?

Answer 2

An acceptable level of quality

Example: ISO 27001.

Question 3

Define a procedure.

Answer 3

A series of detailed steps to be followed for accomplishing a particular task

Related to Standard Operating Procedures (SOP).

Question 4

What does a guideline provide?

Answer 4

Additional recommendations or suggestions for security

Question 5

What is the significance of ITSG-33?

Answer 5

It’s the Canadian equivalent to NIST 800-53

It is Canada’s Information Technology Security Guidance Publication

Question 6

What does PCI/DSS apply to?

Answer 6

Any organization that processes payment cards, such as VISA

It focuses on protecting cardholder data.

Question 7

What is GAP Analysis?

Answer 7

Finding the gap between an organization’s security systems and those recommended by a framework.

Question 8

List the NIST Framework Core Functions.

Answer 8

• Identify
• Protect
• Detect
• Respond
• Recover

Question 9

What are the three classes of security controls according to NIST?

Answer 9

• Technical
• Operational/Administrative
• Management

Question 10

True or False: Guidelines are mandatory to follow.

Answer 10

False

Guidelines provide optional guidance based on best practices.