Módulo 11 - Security Governance Concepts

Question 1

List:
Key roles in security governance

Answer 1

1. Owner
2. Controller
3. Processor
4. Custodian

Question 2

List:
Governance guidelines

Answer 2

1. Implement a structure that supports objectives
2. Leverage expertise through committees
3. Establish comprehensive policies, processes, and standards
4. Implement change management programs
5. Use automation and orchestration tools

Question 3

List:
Examples of global and regional privacy laws

Answer 3

1. General Data Protection Regulation (GDPR)
2. California Consumer Privacy Act (CCPA)
3. Health Insurance Portability and Accountability Act (HIPAA)
4. Federal Information Security Management Act (FISMA)
5. Personal Information Protection and Electronic Documents Act (PIPEDA)
6. Privacy Act 1988 (Australia)

Question 4

List:
Sectors and corresponding cybersecurity laws - Healthcare

Answer 4

HIPAA, GDPR

Question 5

List:
Sectors and corresponding cybersecurity laws - Financial Services

Answer 5

Gramm-Leach-Bliley Act, PCI DSS

Question 6

List:
Sectors and corresponding cybersecurity laws - Telecommunications

Answer 6

Communications Assistance for Law Enforcement Act (CALEA)

Question 7

List:
Sectors and corresponding cybersecurity laws - Energy

Answer 7

North American Electric Reliability Corporation (NERC)

Question 8

List:
Sectors and corresponding cybersecurity laws - Education & Children:

Answer 8

FERPA, CIPA, COPPA

Question 9

List:
Sectors and corresponding cybersecurity laws - Government

Answer 9

FISMA, CJIS, GSC

Question 10

List:
Examples of cybersecurity frameworks and regulations

Answer 10

1. GDPR
2. CCPA
3. NIST
4. ISO 27K
5. CMMC

Question 11

Define:
Security governance

Answer 11

A framework guiding the management of cybersecurity risks, encompassing policies, standards, and guidelines to safeguard information assets and align security with organizational objectives.

Question 12

Define:
Centralized governance

Answer 12

A governance model where decision-making authority resides with a core group or department, promoting consistency and standardization across the organization.

Question 13

Define:
Decentralized governance

Answer 13

A governance model that distributes decision-making authority to different groups or departments, allowing tailored security practices based on localized needs.

Question 14

Define:
Hybrid governance

Answer 14

A governance structure combining centralized oversight with decentralized implementation, balancing standardization with flexibility.

Question 15

Define:
Owner (security role)

Answer 15

A high-ranking employee responsible for classifying data, determining access levels, and ensuring security measures align with business objectives.

Question 16

Define:
Controller (security role)

Answer 16

A role, often associated with GDPR, that defines the purposes and means of processing personal data while ensuring compliance with legal requirements.

Question 17

Define:
Processor (security role)

Answer 17

An entity, such as a cloud service provider, that processes personal data on behalf of the controller, ensuring secure handling and compliance.

Question 18

Define:
Custodian (security role)

Answer 18

An entity, often the IT department, responsible for the safe custody, storage, and implementation of security controls for data.

Question 19

Acronym:
GDPR

Answer 19

General Data Protection Regulation

Question 20

Acronym:
CCPA

Answer 20

California Consumer Privacy Act

Question 21

Acronym:
HIPAA

Answer 21

Health Insurance Portability and Accountability Act

Question 22

Acronym:
FISMA

Answer 22

Federal Information Security Management Act

Question 23

Acronym:
NIST

Answer 23

National Institute of Standards and Technology

Question 24

Acronym:
CMMC

Answer 24

Cybersecurity Maturity Model Certification

Question 25

Define:
Policies

Answer 25

High-level, authoritative documents outlining an organization’s security commitment and guiding decision-making, risk mitigation, and compliance.

Question 26

Define:
Standards

Answer 26

Specific methods and outcomes used to implement technical and procedural requirements, ensuring consistency and compliance.

Question 27

Define:
Procedures

Answer 27

Step-by-step instructions detailing how to perform specific tasks aligned with standards and policies.

Question 28

Define: Playbooks

Answer 28

Centralized, standardized strategies and tactics guiding personnel in operational consistency, quality improvement, and incident response.

Question 29

Define: Acceptable Use Policy (AUP)

Answer 29

A policy defining acceptable user behavior regarding network and computer systems, including browsing, content, and software usage.

Question 30

List: Common organizational policies

Answer 30

1. Acceptable Use Policy (AUP)
2. Information Security Policies
3. Business Continuity & COOP
4. Disaster Recovery
5. Incident Response
6. Software Development Life Cycle (SDLC)
7. Change Management

Question 31

List: Industry standards

Answer 31

1. ISO/IEC 27001 (ISMS framework)
2. ISO/IEC 27002 (detailed guidance on ISMS controls)
3. ISO/IEC 27017 (cloud-specific extension)
4. ISO/IEC 27018 (PII in public clouds)
5. NIST SP 800-63 (digital identity)
6. PCI DSS (payment card data)
7. FIPS (cryptographic standards)

Question 32

List: Internal security standards examples

Answer 32

1. Password standards
2. Access control standards
3. Physical security standards
4. Encryption standards

Question 33

List: Key components of encryption standards

Answer 33

1. Encryption algorithms
2. Key length
3. Key management

Question 34

List: Benefits of playbooks

Answer 34

1. Consistency in operations
2. Knowledge sharing and continuity
3. Risk mitigation and quality assurance
4. Incident response and crisis management

Question 35

Acronym: ISMS

Answer 35

Information Security Management System

Question 36

Acronym: PCI DSS

Answer 36

Payment Card Industry Data Security Standard

Question 37

Acronym: FIPS

Answer 37

Federal Information Processing Standards

Question 38

Acronym: SDLC

Answer 38

Software Development Life Cycle

Question 39

Compare: Policies vs. Standards

Answer 39

Policies define high-level rules for security and compliance, while standards provide specific methods to implement those rules.

Question 40

Compare: Standards vs. Procedures

Answer 40

Standards define expected outcomes and configurations, while procedures detail the step-by-step tasks to achieve those outcomes.

Question 41

Compare: Centralized vs. Decentralized security governance

Answer 41

Centralized governance centralizes decision-making for consistency, while decentralized governance allows localized control for flexibility.

Question 42

What is the role of guidelines in security governance?

Answer 42

Guidelines provide flexible recommendations to steer actions and help individuals align with policies and improve effectiveness.

Question 43

Why are playbooks critical for incident response?

Answer 43

Playbooks detail emergency procedures and contingency plans, helping teams respond quickly and effectively to security incidents.

Question 44

How do standards support compliance?

Answer 44

Standards provide a measurable framework for implementing controls, ensuring regulatory requirements and best practices are met.

Question 45

What is Change Management?

Answer 45

Change management is a systematic approach to managing changes in IT infrastructure to minimize risks and disruptions while maximizing value.

Question 46

Define: Allow List in Change Management.

Answer 46

An allow list specifies approved changes, software, or individuals to streamline the change management process.

Question 47

Define: Deny List in Change Management.

Answer 47

A deny list blocks unauthorized or high-risk changes, software, or actions to prevent unintended impacts.

Question 48

What is Version Control?

Answer 48

Version control tracks and manages changes to documents, code, or configurations, ensuring consistency and providing rollback capabilities.

Question 49

What are the steps in a typical change management approval process?

Answer 49

1. Submit Request for Change (RFC)
2. Review by change manager or committee
3. Formal approval by stakeholders
4. Implementation with testing and rollback plans
5. Post-implementation review and documentation.

Question 50

What should every change request include?

Answer 50

Details of the change, reasons, potential impacts, a rollback plan, and documentation.

Question 51

What are the critical elements of a change implementation plan?

Answer 51

1. Testing procedures
2. Rollback or remediation plans
3. Scheduling to minimize downtime
4. Stakeholder communication.

Question 52

How can allow and deny lists impact change management?

Answer 52

Allow lists streamline trusted changes; deny lists prevent risky changes. Improperly configured lists can disrupt software updates or patching.

Question 53

What is the risk of dependencies in change management?

Answer 53

Changes to one system may unintentionally disrupt dependent systems, causing broader outages or downtime.

Question 54

Which documents are impacted by change management?

Answer 54

1. Change requests
2. Policies and procedures
3. System/process documentation
4. Configuration management
5. Training materials
6. Incident response and recovery plans.

Question 55

How often should documentation be updated in change management?

Answer 55

Documentation should be updated whenever significant changes occur, ensuring accuracy and alignment with current processes.

Question 56

What steps should be taken for a legacy system update?

Answer 56

1. Extensive testing for compatibility
2. Detailed implementation and rollback plans
3. Use of virtualization or custom solutions
4. Update documentation and ensure training.

Question 57

What factors must be considered for changes requiring downtime?

Answer 57

1. Scheduling during maintenance windows
2. Notifying stakeholders
3. Mitigating impacts on dependent services
4. Implementing post-change performance monitoring.

Question 58

Compare: Allowed vs. Blocked changes.

Answer 58

Allowed changes are pre-approved, routine, or low-risk. Blocked changes are high-risk, unauthorized, or incompatible with systems.

Question 59

Compare: Scheduled vs. Unscheduled Downtime.

Answer 59

Scheduled downtime is planned for maintenance, minimizing disruption. Unscheduled downtime occurs unexpectedly due to issues or failures.

Question 60

What are examples of changes requiring service restarts?

Answer 60

1. Software upgrades and patches
2. Configuration changes
3. Infrastructure updates
4. Security feature implementations.

Question 61

What is the role of stakeholders in change management?

Answer 61

Stakeholders review, approve, and provide insights into proposed changes to minimize risks and ensure alignment with objectives.

Question 62

What is Automation in IT operations?

Answer 62

Automation uses software to perform repetitive, rule-based tasks like monitoring threats, applying patches, and maintaining baselines to improve efficiency and reduce errors.

Question 63

What is Orchestration in IT operations?

Answer 63

Orchestration coordinates and streamlines automated processes across systems to enable seamless, integrated workflows in complex environments.

Question 64

What is a Standard Baseline in Configuration Management?

Answer 64

A standard baseline is a predefined set of approved configurations used as a reference to maintain the desired state of a system.

Question 65

What is the role of automation in change management?

Answer 65

Automation reduces human error, speeds up implementation, and provides clear audit trails for tracking changes.

Question 66

How does orchestration improve incident response?

Answer 66

Orchestration automates threat detection, isolation, reporting, and ticket generation, reducing reaction times and enabling faster resolutions.

Question 67

What are the key benefits of automation in security operations?

Answer 67

1. Reduces operator fatigue
2. Improves efficiency and accuracy
3. Frees staff for strategic tasks
4. Enforces standardized baselines
5. Enhances threat detection and response.

Question 68

How does automation benefit infrastructure management?

Answer 68

Automation ensures consistency, saves time, enhances scalability, strengthens security, and simplifies auditing and compliance.

Question 69

How can automation improve staff retention?

Answer 69

By reducing repetitive tasks, automation allows staff to focus on more rewarding and creative work, increasing job satisfaction.

Question 70

What are the key challenges of implementing automation and orchestration?

Answer 70

1. Complexity in integration
2. High initial cost
3. Risk of single points of failure
4. Accruing technical debt
5. Need for ongoing support and updates.

Question 71

What is Technical Debt in the context of automation?

Answer 71

Technical debt arises when automation tools are implemented hastily, resulting in poor documentation, brittle systems, and increased maintenance costs.

Question 72

How can automation handle newly added hardware in a network?

Answer 72

Automation enforces standard configurations, ensuring new hardware is up-to-date, secure, and consistent with organizational policies.

Question 73

What happens if a critical automated system fails?

Answer 73

It creates a single point of failure that can disrupt multiple areas, causing widespread operational problems.

Question 74

Compare: Automation vs. Orchestration.

Answer 74

Automation handles repetitive tasks independently, while orchestration coordinates automated tasks across systems to create integrated workflows.

Question 75

How can orchestration reduce response times to security threats?

Answer 75

Orchestration automatically isolates affected systems, generates reports, notifies teams, and documents incidents without human intervention.

Question 76

What is the importance of audit trails in automation?

Answer 76

Audit trails track automated changes and processes, supporting compliance, investigation, and transparency.