Section 5 - Governance, Risk, and Compliance Flashcards

1
Q

Control categories

A
  • Managerial
  • Operational
  • Technical
2
Q

Control type

A
  • Preventive
  • Detective
  • Corrective
  • Deterrent
  • Compensating
  • Physical
3
Q

General Data Protection Regulation (GDPR)

A

Is a regulation in EU law on data protection and privacy in the EU and the European Economic Area. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person).

4
Q

The Payment Card Industry Data Security Standard (PCI DSS)

A

Is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

5
Q

Center for Internet Security (CIS)

A

CIS Benchmarks are frameworks for calibrating a range of IT services and products to ensure the highest standards of cybersecurity, and they are a vital part of your organization's CIS compliance objectives.

6
Q

The NIST Risk Management Framework (RMF)

A

Provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems and links to a suite of NIST standards and guidelines to support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).

7
Q

NIST RMF steps

A

  • Essential activities to prepare the organization to manage security and privacy risks
  • Categorize the system and information processed, stored, and transmitted based on an impact analysis
  • Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)
  • Implement the controls and document how controls are deployed
  • Assess to determine if the controls are in place, operating as intended, and producing the desired results
  • Senior official makes a risk-based decision to authorize the system (to operate)
  • Continuously monitor control implementation and risks to the system

8
Q

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

A

NIST is an institute within the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary.

9
Q

ISO 27001

A

Was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action.

10
Q

ISO 27002

A

Is a collection of information security guidelines that are intended to help an organization implement, maintain, and improve its information security management.

11
Q

ISO/IEC 27701

A

Is a data privacy extension to ISO 27001. It assists organizations in establishing systems to support compliance with the European Union General Data Protection Regulation (GDPR) and other data privacy requirements, but as a global standard it is not GDPR-specific.

12
Q

ISO 31000

A

Is the international standard for risk management, created by the International Organization for Standardization (ISO). It creates a framework of best-practice processes that enable an organization to manage risks, protect itself from internal and external threats, and improve overall crisis management.

13
Q

SSAE-16 SOC 2 Type 2

A

Stands for Standards of Attestation Engagements No. 16, System and Organization Controls Report 2, Type 2. This AICPA-developed audit report assesses how well an organization handles data security, system privacy, data confidentiality and data processing.

14
Q

Cloud Security Alliance (CSA)

A

Is a not-for-profit organization with the mission to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.”

15
Q

CSA Cloud Controls Matrix (CCM)

A

Is a cybersecurity control framework for cloud computing. It is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on which security controls should be implemented by which actor within the cloud supply chain.

16
Q

CSA Enterprise Architecture (EA)

A

Is both a methodology and a set of tools. It is a framework, a comprehensive approach for the architecture of a secure cloud infrastructure, and can be used to assess opportunities for improvement, create roadmaps for technology adoption, identify reusable security patterns, and assess various cloud providers and security technology vendors against a common set of capabilities.

17
Q

Benchmarks/secure configuration guides

A

The best-practice security configuration guides for software and hardware configuration. Typically made by the manufacturers.

18
Q

Typical personnel policies

A
  • Acceptable use policy
  • Job rotation
  • Mandatory vacation
  • Separation of duties
  • Least privilege
  • Clean desk space
  • Background checks
  • Non-disclosure agreement (NDA)
  • Social media analysis
  • Onboarding
  • Offboarding
  • User training
19
Q

Memorandum of understanding (MOU)

A

Is a nonbinding agreement that states each party’s intentions to take action, conduct a business transaction, or form a new partnership. This type of agreement may also be referred to as a letter of intent (LOI) or memorandum of agreement (MOA).

20
Q

Measurement system analysis (MSA)

A

Is a thorough assessment of a measurement process, and typically includes a specially designed experiment that seeks to identify the components of variation in that measurement process.

21
Q

Business partnership agreement (BPA)

A

Establishes rules for two or more parties going into business together. It’s a legally binding document that outlines every detail of your business operations, ownership stakes, financials, responsibilities, and decision-making strategies.

22
Q

Risk types

A
  • External
  • Internal
  • Legacy systems
  • Multiparty
  • IP theft
  • Software compliance/licensing
23
Q

Risk management strategies

A
  • Acceptance
  • Avoidance
  • Transference (Cybersecurity insurance)
  • Mitigation
24
Q

Residual risk

A

The risk that remains after efforts to identify and eliminate some or all types of risk have been made.

25
Q

Risk assessment types

A
  • Qualitative
  • Quantitative
26
Q

SLE = AV * EF

A

SLE = single loss expectancy
AV = asset value
EF = exposure factor

27
Q

ALE = SLE * ARO

A

ALE = Annual Loss Expectancy
SLE = single loss expectancy
ARO = annualized rate of occurrence

28
Q

Disasters

A
  • Environmental
  • Person-made
  • Internal vs. external
29
Q

RTO

A

Recovery time objective - the maximum desired length of time between an unexpected failure or disaster and the resumption of normal operations

30
Q

RPO

A

Recovery point objective - the maximum amount of data (measured by time) that can be lost after a recovery from a disaster before data loss will exceed what is acceptable to an organization

31
Q

MTTR

A

Mean time to repair - the average time it takes to detect an issue, diagnose the problem, repair the fault and return the system to being fully functional

32
Q

MTBF

A

Mean time between failures - the predicted elapsed time between inherent failures of a mechanical or electronic system during normal system operation

33
Q

MTTF

A

Mean Time to Failure - the average time between non-repairable failures of a technology product

34
Q

Functional recovery plans

A

Are plans that aim to restore the functionality of a system or service after a disruption or disaster

35
Q

SPOF

A

Single point of failure - a part of a system that, if it fails, will stop the entire system from working

36
Q

DRP

A

Disaster recovery plan - a recorded policy and/or process that is designed to assist an organization in executing recovery processes in response to a disaster to protect business IT infrastructure

37
Q

MEFs

A

Mission essential functions - the limited set of department- and agency-level government functions that must be continued throughout, or resumed rapidly after, a disruption of normal operations.

38
Q

Identification of critical systems

A

Is the process of finding, listing, and characterizing the systems that are essential to the organization’s success.

39
Q

PII

A

Personally identifiable information - any information that can be used to identify an individual, either alone or in combination with other data

40
Q

PHI

A

Protected Health Information - any identifiable information that appears in medical records as well as conversations between healthcare staff regarding a patient’s treatment

41
Q

Data minimization

A

Is the process of limiting data collection to only what is required to fulfill a specific purpose.

42
Q

Data masking

A

Is the process of modifying sensitive data in such a way that it is of no or little value to unauthorized intruders while still being usable by software or authorized personnel.

43
Q

Tokenization

A

Is the process of replacing sensitive data with non-sensitive data (tokens). Tokenized data can be mapped back to the original.

44
Q

Anonymization

A

Is the process of removing any information that shows which particular person something (such as a computer record or message) relates to.

45
Q

Pseudo-anonymization

A

Processing of personal data in such a way that it can no longer be traced to a specific person without the use of additional information

46
Q

Data owners

A

A person in the organization who is responsible for a certain set of data

47
Q

Data processor

A

Responsible for the purposes and means by which the data is processed.

48
Q

Data controller

A

Works on behalf of the data controllers to process the data.

49
Q

Data custodian/steward

A

Responsible for the accuracy of the data, for keeping all of the data private, and for the security of the data that’s stored in the systems

50
Q

Data protection officer (DPO)

A

A higher-level manager who is responsible for the organization’s overall data privacy policies
