Security Management Programs and Oversight Quiz Flashcards
A huge customer data breach occurred at a retail store. It originated from the store’s point-of-sale system contractor, who did not have adequate malware protection. Which risk mitigation concept could the store have implemented to avoid the breach?
A) Risk register
B) Risk response techniques
C) Likelihood of occurrence
D) Supply chain assessment
Supply chain assessment, or supply chain analysis, might have stopped the store’s data breach. The breach was initiated with the failure of a contractor to have adequate anti-malware protection. Supply chain assessment would include verifying that vendors and contractors have adequate safeguards in place before they can access your network.
A risk register is a scatter graph of problem areas identified in a business impact analysis.
Risk response techniques include avoidance, transference, mitigation, and acceptance.
Analyzing the likelihood of occurrence compares the potential threat with the probability that the threat will occur.
In a security awareness training session, employees are taught to recognize various types of behaviors that may indicate a security threat. Which type of behavior involves actions that are not in line with established security policies or procedures, potentially putting sensitive information at risk?
A) Risky
B) Suspicious
C) Unintentional
D) Unexplained
Unexplained behavior involves actions that are not in line with established security policies or procedures. This type of behavior lacks a clear justification or explanation within the context of an individual’s job responsibilities or typical behavior patterns. As an example, accessing files or systems that are unrelated to one’s role, attempting to modify critical settings without proper authorization, or logging into the network at odd hours without a valid reason could all be considered unexplained behavior. Behavior such as this may indicate a potential security threat or unauthorized access attempt.
Risky behavior refers to actions taken by individuals that knowingly or recklessly disregard established security policies and procedures, putting sensitive information at risk. Examples of risky behavior include sharing passwords, using unauthorized software or devices, accessing sensitive data without proper authorization, or bypassing security controls intentionally. Risky behavior often stems from a lack of awareness or disregard for security protocols.
Unintentional behavior refers to actions that occur inadvertently or accidentally, without malicious intent. This could include clicking on phishing emails or links, falling victim to social engineering tactics, inadvertently sharing sensitive information, or mishandling data due to lack of awareness or training. Unintentional behavior often results from human error, ignorance of security best practices, or a failure to recognize potential risks.
Suspicious behavior involves actions or activities that raise concerns or suspicions regarding potential security threats. This could include attempting to access restricted areas or information without proper authorization, exhibiting unusual patterns of behavior or communication, displaying aggressive or confrontational behavior when questioned about security practices, or attempting to circumvent security controls. Suspicious behavior may indicate insider threats, malicious intent, or attempts to compromise the security of systems or data.
What is defined in an acceptable use policy?
A) which users require access to certain company data
B) the sensitivity of company data
C) which method administrators should use to back up network data
D) how users are allowed to employ company hardware
An acceptable use policy defines how users are allowed to employ company hardware. For example, an acceptable use policy, which is sometimes referred to as a use policy, might answer the following questions: Are employees allowed to store personal files on company computers? Are employees allowed to play network games on breaks? Are employees allowed to “surf the Web” after hours? The acceptable use policy should define the rules of behavior and any penalties or adverse actions that will arise from non-compliance.
An information policy defines the sensitivity of a company’s data. In part, a security policy defines separation of duties, which determines who needs access to certain company information. A backup policy defines the procedure that administrators should use to back up company information.
A privacy policy defines which information is considered private and how this information should be handled, stored, and destroyed.
Which penetration-testing concept is used to detect vulnerabilities that are found by means other than testing the system directly?
A) Active reconnaissance
B) Passive reconnaissance
C) Initial exploitation
D) Pivot
Passive reconnaissance detects vulnerabilities through techniques such as social engineering, accessing supposedly confidential information on publicly available databases, dumpster diving, and shoulder surfing. Active reconnaissance accesses the system directly to detect vulnerabilities. Tools and techniques such as network mapping, port scans, and network sniffing are used to test the system and identify potential sources of attack.
Pivots use a compromised system to attack another system. Initial exploitation compromises one system so that it can be used in a pivot test against another system.
Persistence is when the compromised system is used in an attack at some point after the initial exploitation occurred. An example of persistence would be when a student’s notebook computer contracts malware at a coffee shop, but the school network is not affected until the student logs in to the school network.
Which type of external audit or assessment encompasses a broad range of evaluations conducted by external parties, potentially covering financial audits, security audits, or compliance audits?
A) Examinations
B) Regulatory
C) Assessments
D) Compliance
Examinations refer to a comprehensive category of assessments that can include various types of evaluations conducted by external parties. These assessments may encompass financial audits, security audits, compliance audits, or other examinations aimed at evaluating different aspects of organizational performance, governance, or risk management. Unlike regulatory audits, which specifically focus on compliance with laws and regulations, examinations are more inclusive and may cover a wider scope of assessments conducted by external entities.
Assessment generally refers to the process of evaluating systems, processes, or controls to identify strengths, weaknesses, and areas for improvement. While assessments may include external evaluations conducted by third-party auditors, they are not inherently focused on regulatory compliance. Assessments can encompass a wide range of objectives, such as risk assessments, security assessments, or performance assessments, and may involve internal or external parties.
What are regulatory audits?
Regulatory audits and assessments involve evaluating adherence to laws, regulations, or industry standards set forth by governing bodies or regulatory agencies. These audits typically assess compliance with requirements related to data protection, privacy, financial reporting, or industry-specific regulations. The primary purpose is to ensure that the organization meets legal and regulatory obligations and avoids potential penalties or sanctions for non-compliance.
What are compliance audits?
Compliance audits specifically target adherence to applicable laws, regulations, or industry standards. These audits assess whether the organization’s policies, procedures, and practices align with regulatory requirements and whether it has implemented adequate controls to mitigate compliance risks. Compliance audits aim to verify that the organization operates within legal and regulatory boundaries and fulfills its obligations to stakeholders, but they are not synonymous with the broader category of examinations.
Which component of effective security compliance involves regularly assessing and verifying adherence to security policies and regulations to identify and address gaps or deficiencies?
A) Compliance monitoring
B) Compliance reporting
C) Privacy
D) Consequences of non-compliance
Compliance monitoring involves the ongoing process of assessing and verifying adherence to security policies, procedures, and regulations to ensure that the organization meets its compliance obligations. This component includes activities such as conducting regular audits, assessments, and reviews to identify compliance gaps, monitoring changes in regulatory requirements, and implementing controls to mitigate compliance risks. Effective compliance monitoring helps organizations proactively detect and address issues before they escalate into compliance failures. For example, organizations may use automated monitoring tools to track access controls, analyze security logs, and detect unauthorized activities.
Compliance reporting involves the process of documenting and communicating the organization’s compliance status, activities, and findings to relevant stakeholders, such as management, regulatory authorities, or auditors. This component ensures transparency and accountability in compliance efforts and helps stakeholders understand the organization’s adherence to security policies and regulations. For example, compliance reports may include summaries of audit findings, assessments of control effectiveness, and recommendations for improvement.
What are the consequences of non-compliance?
The consequences of non-compliance encompass the potential penalties, sanctions, or impacts that organizations may face as a result of failing to meet security requirements or regulations. These consequences can include legal liabilities, financial penalties, reputational damage, or loss of business opportunities. Effective compliance programs aim to mitigate these risks by proactively identifying and addressing compliance gaps to avoid adverse outcomes. For instance, non-compliance with data protection regulations such as the General Data Protection Regulation (GDPR) may result in hefty fines, legal disputes, and damage to an organization’s reputation.
What does privacy entail?
Privacy refers to the protection of individuals’ personal information from unauthorized access, use, or disclosure, in accordance with applicable privacy laws, regulations, and organizational policies. Ensuring privacy compliance involves implementing measures to safeguard personal data, such as encryption, access controls, data minimization, and privacy impact assessments. Compliance with privacy requirements helps build trust with customers, enhances organizational reputation, and mitigates the risk of legal and financial liabilities resulting from data breaches or privacy violations. For example, organizations subject to the European Union’s General Data Protection Regulation (GDPR) must comply with strict requirements for data protection, privacy, and individual rights, such as the right to access and control personal data.
Which process defines the scope, objectives, and guidelines for conducting third-party risk assessments and engagements?
A) Vendor monitoring
B) Rules of engagement
C) Questionnaires
D) Vendor assessment
Rules of engagement define the scope, objectives, and guidelines for conducting third-party risk assessments and engagements. They outline the roles and responsibilities of both parties, the methods and tools to be used, the timing and frequency of assessments, and the reporting and communication protocols. These rules help ensure that third-party risk assessments are conducted in a consistent, thorough, and transparent manner, fostering effective communication, collaboration, and risk management between the parties.
Vendor monitoring involves continuously monitoring the activities, performance, and security practices of third-party vendors to ensure ongoing compliance with security requirements and contractual obligations. It may include real-time monitoring of vendor systems and networks, analyzing security logs and alerts, and conducting periodic reviews of vendor performance. Vendor monitoring helps detect and address security incidents, breaches, or performance issues promptly, reducing the risk of disruptions or security breaches.
Questionnaires involve sending standardized surveys or questionnaires to third-party vendors to gather information about their security practices, policies, controls, and compliance with security standards and regulations. The questionnaires typically cover a wide range of topics, including network security, data protection, access controls, incident response, and regulatory compliance. The responses provided by vendors help assess their security posture and identify potential risks or areas for improvement.
Vendor assessment involves evaluating the security controls, practices, and processes of third-party vendors to assess their security posture and compliance with security requirements. These assessments play a crucial role in third-party risk management and allow organizations to evaluate the security posture and compliance of their vendors. The vendor assessments that are included in the SY0-701 objectives are penetration testing, right-to-audit clause, evidence of internal audits, independent assessments, and supply chain analysis.
On-boarding/off-boarding business partners: security implications and risks
On-boarding/off-boarding business partners – When you bring new business partners on board, you must ensure that all of your organization’s security policies and regulations are fully understood and implemented by the partner organization. The transfer, storage, and collection of any data must be protected according to your organization’s security policy, unless a valid reason exists for ignoring certain security tenets (such as if they contradict local, state, or federal laws, etc.). When you are terminating a business partner, you must ensure that the partner organization transfers all assets back to your organization and that the partner organization understands the legal ramifications if the data is compromised at their facilities AFTER the transfer has occurred.
Social media networks and applications: security implications and risks
Social media networks and applications – Organizations should analyze the security implications of social media networks and applications and should adopt a formal policy regarding their usage. Any security awareness training should fully cover the organization’s policy regarding such usage. If usage is forbidden, repercussions for non-compliance should be fully spelled out in any employment agreements. Keep in mind that social media networks and their applications are often under attack because of the proliferation of usage. Companies should not allow users to authenticate to a company’s Web applications using credentials from a popular social media site because password breaches to the social media site would affect the company application as well.
Personal email: security implications and risks
Personal email – Organizations should analyze the security implications of allowing access to personal email and should adopt a formal policy regarding its access. Any security awareness training should fully cover the organization’s policy regarding such access. If usage is forbidden, repercussions for non-compliance should be fully spelled out in any employment agreements. Keep in mind that email is often used to spread viruses and malware.
Privacy considerations: security implications and risks
Privacy considerations – Any organization that collects and stores personally identifiable information (PII) or any other protected information should be concerned with the security of that data. If the privacy data that your organization collects is stored or managed by a third party, you must ensure that the other organization properly secures the data. In addition, personnel should be trained to recognize PII, as well as how to protect this data. If for any reason you need to be able to transmit PII, you should use SSH or PGP/GPG. The best ways to address customer data privacy concerns are to employ encryption and stronger access controls.
Why is risk awareness important when integrating with third-party vendors?
Risk awareness – It is vital that your organization understands the risks involved with integrating systems and data with third parties. You should ensure that a risk assessment is carried out and the results are presented to management. Both organizations should periodically review the security risks of the partnership.
Third-party integration risk: Unauthorized data sharing
Unauthorized data sharing – Whenever systems and data are integrated with third parties, personnel from both organizations should have clear guidelines on the data that can and cannot be shared between the organizations. These guidelines should include the methods of sharing as well as the type of data that can and cannot be shared and penalties for noncompliance.
Third-party integration implications: Data ownership
Data ownership – Organizations should fully define the ownership of any data that is collected, stored, and exchanged. Without a clear definition, legal issues could arise if the partnership is ever dissolved.
Third-party integration implications: Data backups
Data backups – The frequency of any data backups should be documented in a formal backup plan. In addition, the formal backup plan should include storage guidelines.
Third-party integration implications: Following security policies and procedures
Follow security policy and procedures – Any third parties with which your organization deals should modify their security policies and procedures to follow your organization’s policies and procedures if your policies and procedures are stricter unless they contradict local, state, or federal laws.
Third-party integration implications: Agreement requirements
Agreement requirements – You should review agreement requirements to verify compliance and performance standards. This should be done at least annually to ensure that they comply with regulations and laws and to ensure that performance is maintained.
Your organization wants to use the Open-Source Security Testing Methodology Manual (OSSTMM) framework for meeting your organization’s compliance requirements.
Which type of compliance is NOT recognized by the OSSTMM framework?
A) Legislative
B) Security
C) Contractual
D) Standards-based
Security is not a type of compliance recognized by the OSSTMM framework. A security audit is used to evaluate the effectiveness of implemented security controls within your organization. Audits can be internal or external. Internal audits are conducted by independent audit teams to evaluate the effectiveness of controls. However, external audits are conducted by independent third-party organizations to evaluate the effectiveness of controls against regulatory or standard requirements.
What is the OSSTMM framework?
The OSSTMM framework recognizes three types of compliance:
Legislative – Legislative compliance is enforced by regional regulatory bodies. It is mandatory to comply with regulatory requirements enforced by the government. Failing to comply with the regulatory requirements can lead to heavy fines and charges. Examples of legislative requirements are Sarbanes-Oxley (SOX), the EU General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA).
Contractual – Contractual compliance is enforced by groups such as customers and vendors through documented contractual requirements in master service agreements (MSAs). Parties signing the contract must comply with contractual requirements. Failure to comply with contractual requirements may lead to fines, penalties, and loss of reputation. An example of a contractual requirement is the Payment Card Industry Data Security Standard (PCI DSS), enforced by VISA and Mastercard. Merchants who handle credit card data must comply with it.
Standards-based – Compliance with standards is enforced within the organization or by the customer to whom the organization is providing services. Failure to comply with standard requirements may lead to loss of reputation or dismissal of certification from the certifying body. For example, ISO 27001 is the international standard for information security.
Your organization has decided to outsource its e-mail service. The company chosen for this purpose has provided a document that details the e-mail functions that will be provided for a specified period, along with guaranteed performance metrics. What is this document called?
A) SLA
B) BPA
C) MOU
D) ISA
A service level agreement (SLA) is an agreement between a company and a vendor in which the vendor agrees to provide certain functions for a specified period.
What is a BPA?
A business partner agreement (BPA) is an agreement between two companies that ensures that both parties implement the appropriate security measures. This type of agreement is particularly important when the two partners exchange data that could harm the companies’ reputations if the data was accessed by an attacker.
What is an MOU?
A memorandum of understanding (MOU) is a mutual agreement between two parties to perform a common action or relationship. If well-defined legal elements are included, the MOU is considered binding. MOUs are generally loose agreements and therefore may not have strict guidelines in place to protect sensitive data between the two entities. An MOU is also known as a memorandum of agreement (MOA) or letter of agreement (LOA).
What is an ISA?
An interconnection security agreement (ISA) is an agreement established between organizations that own and operate connected systems to document the technical requirements of the connection. An ISA can also be used to ensure both parties have a clear understanding of the controls needed to protect the data.
Which policy outlines the procedures and protocols for managing and responding to a security breach?
A) Incident response policy
B) SDLC
C) Disaster recovery policy
D) Change management policy
An incident response policy would outline the procedures and protocols for managing and responding to (among other things) a security breach. Incident response policies define the procedures and protocols for detecting, assessing, and responding to many types of security incidents. These policies outline the steps to be taken in the event of a security breach or incident, including incident identification, containment, eradication, recovery, and post-incident analysis. Incident response policies help ensure a coordinated and effective response to security incidents, minimizing the impact on the organization’s operations and data.
What is SDLC?
The Software Development Lifecycle (SDLC) is not a policy. It refers to the process of planning, designing, developing, testing, deploying, and maintaining software. While SDLC involves policies and procedures for ensuring the quality, security, and reliability of software products, it is not specifically focused on incident response or security governance.
What are change management policies?
Change management policies govern the process of planning, implementing, and controlling changes to systems, applications, and infrastructure. These policies outline procedures for assessing the impact of proposed changes, obtaining approval, managing risks, and ensuring changes are implemented smoothly and efficiently. While change management policies are essential for maintaining system stability and security, they do not specifically address incident response.
What are disaster recovery policies?
Disaster recovery policies outline the strategies and procedures for recovering systems, applications, and data following a catastrophic event or significant disruption. These policies focus on restoring operations and services to minimize downtime and data loss, ensuring the organization can continue functioning despite adverse conditions. While disaster recovery is a critical component of security governance, it is not specifically focused on incident response.
Which of the following types of guidance and training is most effective in mitigating risks associated with employees inadvertently exposing sensitive information through actions like clicking on phishing emails or sharing passwords?
A) Hybrid/remote work environments
B) Operational security
C) Social engineering
D) Removable media and cables
Social engineering training is the most effective in mitigating the risks as described. This training is critical in educating employees about the various tactics used by malicious actors to manipulate individuals into divulging confidential information or performing actions that compromise security. This type of training often includes simulated phishing attacks, awareness campaigns, and interactive modules to teach employees how to recognize and respond to social engineering attempts effectively.
What is OPSEC?
Operational security (OPSEC) training focuses on safeguarding sensitive information by controlling access, implementing security protocols, and promoting a culture of security awareness within an organization. While OPSEC encompasses a broad range of security practices, it may not specifically target user behaviors related to falling prey to social engineering tactics.
While providing guidance on the proper use of removable media and cables is important for physical security and data transfer protocols, it does not directly address the issue of employees falling victim to social engineering attacks or sharing sensitive information.
Training tailored to hybrid or remote work environments is essential for educating employees on the unique security challenges associated with working from different locations and using various devices to access corporate networks and data. This includes topics such as secure remote access, endpoint security, data encryption, and secure communication tools. While addressing remote work security concerns is important, it may not directly address the specific issue of employees being tricked into disclosing sensitive information through social engineering tactics.
Other types of user guidance and training are policies/handbooks, situational awareness, insider threat, and password management.
Policies and handbooks outline rules and procedures related to security practices within an organization. While they provide important guidance on acceptable behavior, they might not always directly address recognizing and responding to security threats. For example, an employee handbook might include sections on acceptable computer usage, but it may not specifically cover how to identify phishing emails or social engineering attempts.
Situational awareness training focuses on educating users about recognizing and responding to potential security threats. Further, the emphasis is on teaching users to be observant and alert to potential security threats in their environment. This training encourages employees to pay attention to unusual behaviors, unauthorized access attempts, or other suspicious activities. As an example, an employee trained in situational awareness might notice a stranger wandering around the office without a visitor badge and report it to security, potentially preventing a physical security breach.
Insider threat training raises awareness among employees about the risks posed by individuals within the organization who may intentionally or unintentionally harm the organization’s security. This type of training often includes examples of insider threats, such as employees stealing data for personal gain or inadvertently exposing sensitive information through negligent actions. For example, insider threat training might educate employees about the dangers of sharing passwords or clicking on links in suspicious emails, which could lead to data breaches.
Password management training educates users on best practices for creating and safeguarding passwords. This includes using strong, complex passwords, avoiding password reuse across multiple accounts, and protecting passwords from unauthorized access. An example of password management training might involve teaching employees how to create passphrases using a combination of letters, numbers, and special characters, as well as using password managers to securely store and manage passwords.
Which vendor assessment evaluates the security controls and practices of third-party vendors through an external evaluation process?
A) Evidence of internal audits
B) Supply chain analysis
C) Penetration testing
D) Right-to-audit clause
E) Independent assessments
In an independent assessment, third-party auditors or assessors are engaged to evaluate the security posture of a vendor independently. These assessments are conducted by impartial and qualified professionals who review the vendor’s security controls, policies, and procedures against industry standards, best practices, and regulatory requirements. Independent assessments provide an objective evaluation of the vendor’s security practices and help validate their compliance with security standards and contractual obligations.
What is pen testing?
Penetration testing simulates cyberattacks on a vendor’s systems and networks to identify vulnerabilities and weaknesses that could be exploited by attackers. Penetration tests are typically conducted by security professionals or ethical hackers who attempt to breach the vendor’s defenses using various attack techniques. The goal is to uncover security gaps and provide recommendations for remediation to enhance the vendor’s security posture.
What is a right to audit?
A right-to-audit clause is a contractual agreement that allows the organization to audit and assess the security controls and practices of a vendor. It grants the organization the legal right to conduct audits or inspections of the vendor’s facilities, processes, and documentation to ensure compliance with security requirements. The right-to-audit clause enables the organization to verify that the vendor is implementing adequate security measures and adhering to contractual obligations.
What does evidence of internal audits refer to?
Evidence of internal audits refers to documentation or reports from internal audit teams that assess the effectiveness of the vendor’s internal controls and processes. Internal audits may evaluate various aspects of the vendor’s operations, including IT security, risk management, compliance with policies and regulations, and overall governance practices. Evidence of internal audits provides insights into the vendor’s internal control environment and helps assess their risk management capabilities.
What is a supply chain analysis?
The supply chain analysis process involves assessing the security risks associated with the vendors, suppliers, and partners within a supply chain. It examines the interconnected relationships between different entities involved in the supply chain and evaluates the potential security vulnerabilities and threats that could impact operations. Supply chain analysis helps identify risks related to dependencies on third-party vendors and enables the organization to implement risk mitigation strategies to protect against supply chain disruptions and security breaches.
Arrange the steps in the risk response process in the appropriate order.
Establishment of risk appetite and risk tolerance
Risk identification
Risk analysis
Risk response selection and documentation
Risk response prioritization
Development of risk action plan
Establishment of risk appetite and risk tolerance – this is the foremost activity because management needs to determine the extent of risk that is acceptable and tolerable to the organization without impacting the achievement of its business objectives.
Risk identification – this is done to determine all the risks that are applicable to the organization.
Risk analysis – once the risks have been identified, assessment is performed for the risk impact and likelihood.
Risk response selection and documentation – the risk response is selected based on the established risk appetite and risk tolerance.
Risk response prioritization – prioritization is based on the risk environment and cost-benefit analysis.
Development of risk action plan – this is created in order to be able to manage the risk responses.
Which method of ensuring compliance monitoring involves a combination of manual and automated processes, facilitating a thorough examination of adherence to security standards and regulations from multiple perspectives?
A) Due diligence/care
B) Automation
C) Attestation and acknowledgement
D) Internal and external
The internal and external approach to compliance monitoring ensures comprehensive validation of compliance efforts through both internal assessments conducted by personnel within the organization and external assessments conducted by independent third parties. This comprehensive approach ensures that compliance efforts are validated from multiple perspectives and helps identify potential blind spots or biases in self-assessment processes. For example, an organization may conduct internal audits to evaluate its internal controls and practices, while also undergoing external audits by regulatory agencies to verify compliance with industry regulations.
What is attestation and acknowledgement?
Attestation and acknowledgement involve formal processes where individuals or organizations affirm their compliance with security standards or regulations through written statements or documentation. While attestation and acknowledgement are important components of compliance programs, they primarily focus on obtaining assurances or commitments from stakeholders rather than the actual monitoring of compliance activities.