Module 3 Governance, Risk and Compliance

Question 0

Two Governance Components

Answer 0

1. Separation of Duties

2. Policy Definition

Question 1

GRC

Answer 1

Governance
Risk
Compliance

Question 2

3 Characteristics of GRC

Answer 2

1. Integrated and holistic
2. Organization structures
3. Process oriented

Question 3

Two Risk Management Components

Answer 3

1. Change Management

2. Configuration Management

Question 4

Two Compliance Components

Answer 4

1. Adherence to Regulations

2. Industry Aligned

Question 5

Integrated approach to organization-wide governance, risk management, and compliance.

Answer 5

GRC

Question 6

Helps ensure that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations.

Answer 6

GRC

Question 7

Integrated, holistic, and organization-wide

Answer 7

GRC

Question 8

Managed and supported through GRC

Answer 8

Operations

Question 9

Defines the guidelines and performance goals of an organization.

Answer 9

Governance

Question 10

Must include measurements of success to determine if the operation is performing to the company’s standard and, if not, what type of remediation is required.

Answer 10

Governance

Question 11

Four Consequences of Bad / Failed / No GRC

Answer 11

1. Risk of fines for failed audits.
2. Compliance concerns stall virtualization and Cloud.
3. Audits - time consuming and costly.
4. Concerns of identifying risk and proper valuation.

Question 12

Examples of external events that drive a company to have a GRC program

Answer 12

1. A breach where information is lost and has to be reported due to regulations.
2. A new Federal regulation

Question 13

Companies usually accept the risk of exposure until what?

Answer 13

Until they have an actual breach

Question 14

Why GRC is important

Answer 14

1. Breach
2. Regulation
3. Other?

Question 15

Is security GRC?

Answer 15

No. Security is not GRC.

Question 16

1. Related to information processing systems.

2. Mechanisms and techniques that control who may use or modify the computer or the information stored in it.

Answer 16

Security

Question 17

Three key security tenets

Answer 17

1. Confidentiality
2. Integrity
3. Availability

CIA

Question 18

CIA

Answer 18

Confidentiality
Integrity
Availability

Question 19

Purpose of IT security

Answer 19

To mitigate risks

Question 20

IT risks are coupled with what?

Answer 20

Business risks

Question 21

A framework for decision making, accountability, and measuring success.

Answer 21

Governance

Question 22

Data protection and regulatory laws require what?

Answer 22

Security controls

Question 23

How does Compliance relate to Security?

Answer 23

1. Data protection and regulatory laws require security controls.
2. Access to information and enforcement.

Question 24

Related to information processing systems

Answer 24

Security

Question 25

Mechanisms and techniques that control who may use or modify the computer or the information stored in it.

Answer 25

Security

Question 26

Key security rule regarding information

Answer 26

Always ensure that your company owns the information; retain ownership no matter who stores / maintains it.

Question 27

Key security rule regarding the Cloud

Answer 27

Make your information Cloud ready - clearly understand:

1. Data you’re putting in the Cloud.
2. Regulations and legislation surrounding that data.
3. Worst case outcomes related to a breach of this information.

Question 28

Required for data

Answer 28

A creation-to-deletion plan

Question 29

Layered Security Approach

Answer 29

Take a layered approach to protections with defense-in-depth, measuring against the CIA model, and keep roles segregated.

Question 30

Term for End-to-end Data Lifecycle

Answer 30

Information Lifecycle Management

Question 31

Key because most regulated data has data lifecycle requirements and should be how all data is handled.

Answer 31

The end-to-end data lifecycle (Information Lifecycle Management)

Question 32

Four GRC Requirements for Virtualize Step

Answer 32

1. Visibility into virtual infrastructure
2. Privileged user monitoring
3. Access management
4. Network security

Question 33

Four GRC Requirements for Operationalize Step

Answer 33

1. Security compliance
2. Information-centric
3. Risk-driven policies
4. IT & security operations alignment

Question 34

Three GRC Requirements for IT-as-a-Service Step

Answer 34

1. Secure hyrbid Clouds
2. Secure multi-tenancy
3. Chain of trust

Question 35

3 Infrastructure Characteristics for Virtualize Step

Answer 35

1. Automation
2. Efficiency
3. Integration of virtual OS and infrastructure

Question 36

3 Infrastructure Characteristics for Operationalize Step

Answer 36

1. On-demand
2. Service Level Management
3. Increased range of capability

Question 37

3 Infrastructure Characteristics for IT-as-a-Service Step

Answer 37

1. Metering and charge-back
2. Federation of resources
3. Geographically independent

Question 38

Must be included when securing hybrid Clouds

Answer 38

Secure multi-tenancy and hardware root of trust

Question 39

How do enterprises need to look at the Cloud?

Answer 39

As an extension of the data center

Question 40

Looking at the Cloud as an extension of the data center means what?

Answer 40

That security and GRC controls should already be in place and be enforceable with measurable results.

Question 41

Most large enterprises fall between what two stages?

Answer 41

Between the Virtualize and Operationalize stages

Question 42

7 Top Threats - Cloud Security Alliance (CSA)

Answer 42

1. Abuse and nefarious use of Cloud computing
2. Insecure interface and APIs
3. Malicious insiders
4. Shared technology issues
5. Data loss or leakage
6. Account or service hijacking
7. Unknown risk profile

Question 43

7 Top Threats - ENISA

Answer 43

1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Data protection
6. Insecure or incomplete data deletion
7. Malicious insider

Question 44

True or False: Currently, there are few tools, procedures, standard data formats, or services interfaces to guarantee data, application, and service portability.

Answer 44

True

Question 45

Dependency on a particular hypervisor for service provisioning, especially if data portability is not enabled.

Answer 45

Lock-in

Question 46

Includes the failure of mechanisms separating storage, memory, routing - and even reputation between different tenants (e.g., guest-hopping attacks).

Answer 46

Isolation Failure

Question 47

True or False: Attacks on resource isolation mechanisms (e.g., against hypervisors) are less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.

Answer 47

True

Question 48

Compliance risks of migration to the VDC

Answer 48

1. If the VDC cannot provide evidence of their own compliance with the relevant requirements.
2. If the VDC does not permit audit by the VDC customer.
3. If using a multi-tenant infrastructure implies that certain kinds of compliance cannot be achieved (e.g., Electronic Healthcare Records).

Question 49

True or False: Management interface compromise is not a Cloud security risk.

Answer 49

False

Question 50

Threat associated with requests to delete a Cloud resource

Answer 50

As with most OSs, may not result in true wiping of the data - insecure or incomplete data deletion

Question 51

Definition of Enterprise Governance

Answer 51

The active distribution of decision-making rights and accountability among different stakeholders in an organization and the rules and procedures for making and monitoring those decisions to determine and achieve desired behaviors and results.

Question 52

Questions related to Enterprise Governance

Answer 52

1. Who makes directing, controlling and executing decisions?
2. How will the decision be made?
3. What info is required to make the decisions?
4. What decision-making mechanisms should be required?
5. How will exceptions be handled?
6. How should governance results be reviewed and improved?

Question 53

Directors should govern ICT through which three main tasks?

Answer 53

1. Evaluate the use of ICT.
2. Direct preparation and implementation of plans and policies.
3. Monitor conformance to policies, and performance against the plans.

Question 54

Four applications that require GRC

Answer 54

1. Email
2. Accounts Payable
3. Accounts Receivable
4. Expense Management

Question 55

Defines the rules of electronics discovery

Answer 55

U.S. Federal Rules of Civil Procedure (FRCP)

Question 56

FRCP

Answer 56

Federal Rules of Civil Procedure

Question 57

Requires improved transparency in financial services reporting methods, data collection, and aging standards.

Answer 57

Graham Leach Bliley Act (GLBA) - Financial Modernization Act of 1999

Question 58

GLBA

Answer 58

Graham Leach Bliley Act - Financial Modernization Act of 1999

Question 59

SOX

Answer 59

Sarbanes Oxley Act of 2002

Question 60

Requires improved transparency in public company filings.

Answer 60

Sarbanes Oxley Act of 2002

Question 61

Requires supporting information be kept in compliance with specifications around: ease of restore, length of data retention, types of data retained, and auditing processes.

Answer 61

Sarbanes Oxley Act of 2002 (SOX)

Question 62

PII

Answer 62

Personally Identifiable Information

Question 63

Usually includes Social Security Number (government ID), name, address, and credit card numbers

Answer 63

Personally Identifiable Information (PII)

Question 64

PCI DSS

Answer 64

Payment Card Industry Data Security Standard

PCI DSS

Question 65

Worldwide standard that specifies how cardholder information is collected, stored, processed, and shared with requirements for the processes (monitoring, audits) as well as the technology (encryption) used to manage PCI data.

Answer 65

Payment Card Industry Data Security Standard (PCI DSS)

Question 66

US regulations which apply to email

Answer 66

FRCP
GLBA
SOX
HIPAA

Question 67

US regulations which apply to accounts payable

Answer 67

GLBA

SOX

Question 68

US regulations which apply to accounts receivable

Answer 68

GLBA

SOX

Question 69

US regulations which apply to expense management

Answer 69

GLBA
SOX
PII
PCI

Question 70

Typical security requirements for email, accounts payable, accounts receivable, and expense management applications.

Answer 70

2 factor authentication

45 day password expiration

Question 71

The potential that a specific action or activity (including no action) will lead to an undesirable outcome

Answer 71

Risk

Question 72

3 VDC Risk & Risk Assessment Considerations

Answer 72

1. What decision-making mechanisms should be required?
2. How will exceptions be handled?
3. How should governance results be reviewed and improved

Question 73

3 Cloud Risk & Risk Assessment Considerations

Answer 73

1. Potential for data flow across boundaries in the public Cloud?
2. Third party controls need to be clearly documented.
3. Handoffs.
4. Clear process to manage information flow.

Question 74

True or False: Traditional data centers have risk assessment considerations and they should be the foundation of any VDC and Cloud GRC implementation.

Answer 74

True

Question 75

Tenancy GRC Consideration

Answer 75

When data is no longer kept on a system dedicated to just one business unit or application and is now in a multi-tenant shared resource pool - what are the implications from a risk perspective?

Question 76

Auto-migration GRC Consideration

Answer 76

Does automatically migrating a VM and/or the data to another system or location have an impact on the risk level?

Question 77

Auto-scaling GRC Considerations

Answer 77

As workloads scale up is there an availability risk or performance risk?
Can the environment automatically scale up to handle the workload and what happens when it scales down?
Are all the systems left “clean” of residual data that could be exposed?

Question 78

Virtual provisioning GRC Considerations

Answer 78

Can it be considered a risk if it exhausts resources?

Has that consideration been included in the risk assessments?

Question 79

Cloud boundary GRC Considerations

Answer 79

With a public Cloud environment there are new risks such as the potential for data to be flowing across boundaries. Does the environment have adequate controls to assure that the data won’t cross borders if it is not allowed to due to rules of law or regulation?

Question 80

Cloud GRC considerations for trusted 3rd parties

Answer 80

Are there clearly understood controls for trusted 3rd parties, such as the Cloud SP?
Are they clearly documented to mitigate the risks as much as possible.

Question 81

Cloud GRC Considerations for Incidents

Answer 81

When an incident occurs, is there a clear definition of where / when / who handoffs are done to facilitate efficient incident response escalation and post mortems?

Question 82

Cloud GRC Consideration for Service Provider Information Flow

Answer 82

Do you as the customer have a clear process in place that manages the information flow and timing from the SP into your own organization and vice versa?

Question 83

5 Steps in the Risk Assessment Process

Answer 83

1. Perform a quick, very high level risk check.
2. Based on the risk score, determine what mitigation needs to be applied to allow the asset to be placed in a VDC or Cloud environment.
3. Perform a full, detailed risk assessment. Understand all exposures; any further mitigations can be applied as necessary.
4. Deploy the asset within the shared environment. Security controls are in place with compliance requirements being met.
5. Re-evaluate the environment with another assessment and potentially an external audit.

Question 84

3 levels of a risk scoring system

Answer 84

Low
Medium
High

Question 85

5 Steps in Risk Assessment Process (Abbreviated Version)

Answer 85

1. Quick Risk (L/M/H)
2. Mitigation
3. Full Risk Assessment
4. Deploy
5. Evaluate

Question 86

3 Quick Risk (L/M/H) Components

Answer 86

1. Asset Valuation
2. Pass / Fail
3. For VDC or Cloud

Question 87

2 Mitigation Components

Answer 87

1. Apply Standards

2. Apply Internal Mitigation

Question 88

3 Components of Full Risk Assessment

Answer 88

1. Perform Deeper Assessment
2. Determine Exposures
3. Apply Mitigations

Question 89

2 Components of Deploy Stage in Risk Assessment Process

Answer 89

1. With Security Controls

2. With Compliance Controls

Question 90

2 Components of Evaluate Stage of Risk Assessment Process

Answer 90

1. People, Process and Technology

2. Execute Full Audits Internal and External

Question 91

Assessment usually applied to a whole business unit’s IT infrastructure and processes - or even a whole company.

Answer 91

ISO 27002 Assessment

Question 92

IRM

Answer 92

Information Rights Management

Question 93

True or False: Risk determination must be asset-centric.

Answer 93

True

Question 94

3 Risk Determination Quick Scoring Systems

Answer 94

1. Balanced Scorecard
2. Pre-Assessment
3. Blended Methor

Question 95

What does a Balanced Scorecard risk determination evaluate?

Answer 95

Business and technology risk

Question 96

Pre-assessment usually pertains to privacy assessments.

Answer 96

True

Question 97

Pre-assessment IOS standard designed for financial services

Answer 97

ISO/IEC 22307

Question 98

4 Primary Risk Determination Considerations

Answer 98

1. CIA - Confidentiality, Integrity, Availability
2. Management and organization
3. Value of application and data
4. Leverage standards for mitigation

Question 99

Most important dimension to evaluate the risk

Answer 99

The value of the application and data to the company

Question 100

3 Information Security Questions

Answer 100

1. Where is this application hosted?
2. How are support processes performed for the application?
3. Are there documented vulnerabilities in the application or associated infrastructure?

Question 101

3 Business Considerations for Risk Scoring

Answer 101

1. Classify Data Sensitivity
2. Cost of Financial Damage
3. Value of Application Product and Data

Question 102

ALE

Answer 102

Average Loss Expectancy

Question 103

A state of being in accordance with established guidelines, specifications, or legislation

Answer 103

Compliance

Question 104

Compliance Issues

Answer 104

1. Inventory applications
2. Pre-assessment for risk level for the VDC and Cloud
3. Deploy / apply rating system
4. Evaluate based on regulatory requirements
5. Evaluate compliance criteria for virtualization / Cloud
6. If data will handled by SP, evaluate them for transitive risks
7. Evaluate for vendor lock-in and future need to migrate to another provider.

Question 105

Generally used before the asset is to be placed in a new environment

Answer 105

Privacy Assessments

Question 106

Regulation which applies to financial data (personal and corporate)

Answer 106

PCI

Question 107

Regulations which apply to healthcare data

Answer 107

HIPAA

HITECH/HER

Question 108

Regulation which applies to financial data (corporate)

Answer 108

SOX

Question 109

Regulation which applies to personal information data

Answer 109

PII

Question 110

Examples of 3rd party audit

Answer 110

SAS 70 Type II