Security Program Management and Oversight Flashcards

Domain 5

1
Q

Guidelines

A

Guidelines provide structured recommendations and principles that serve as a framework for guiding decision-making and behavior. Unlike policies, they are not rigid rules that look at operations in a granular fashion. Instead, guidelines are adaptable and informed suggestions.

Chapter 23

2
Q

7 types of Policies

A

Organizational rules for specific areas:
Acceptable Use Policy (AUP): An AUP sets the ground rules for how employees and stakeholders can utilize an organization’s resources. It outlines acceptable and unacceptable behaviors, such as appropriate use of email, internet access, and social media, while emphasizing the importance of responsible and ethical use.
Information security policies: Information security policies are policies that define the procedures and controls that protect sensitive information from unauthorized access, data breaches, and cyber threats. They encompass aspects such as access control, data encryption, and password management to ensure data confidentiality, integrity, and availability.
Business Continuity Plan (BCP): BCP policies provide a roadmap for organizations to sustain essential operations in the face of disruptions, whether caused by natural disasters, cyberattacks, or other unforeseen events. They go together with Continuity-of-Operations Plans (COOPs), outlining strategies for data backup, disaster recovery, and the continuous operation of critical functions.
Disaster recovery: While related to BCP, disaster recovery policies are more specific and focus on IT infrastructure and systems. They lay out procedures for data recovery and system restoration in the aftermath of a disaster, minimizing downtime and ensuring the continuity of IT services.
Incident response: Incident response policies are a playbook for addressing cybersecurity incidents effectively. They define the steps to identify, report, and mitigate security and data breaches promptly. Clear incident response policies can prevent a minor issue from escalating into a full-scale crisis.
Change management: Change management policies facilitate the adoption of new technologies, processes, or organizational changes. They help maintain stability by defining how changes are proposed, evaluated, and implemented. Effective change management policies minimize disruption and ensure that changes align with strategic objectives.
Software Development Life Cycle (SDLC): An SDLC policy establishes the methodologies and best practices for creating, testing, and deploying software applications. This policy ensures that software projects are managed efficiently, with an emphasis on quality, security, and compliance.

Chapter 23

3
Q

Standards

A

Standards provide a common framework for security practices to ensure consistency and alignment with industry best practices and regulatory requirements.

REMINDER
The following regulations deal with privacy: GDPR, CCPA, ISO 27701, and ISO/IEC 27018.

Chapter 23

4
Q

5 key components of Password Standards

A

Hashing: Hashing converts passwords into intricate, unalterable sequences of characters to protect them against unauthorized access and attacks.
Salting: Salting is a technique by which a random piece of data, known as a “salt,” is introduced to each password before hashing it. This unique addition ensures that even if two users have identical passwords, their hashed values will differ significantly. This defense mechanism slows down brute-force attacks and prevents rainbow table attacks, in which an attacker has a list of accounts with corresponding passwords. Rainbow tables are not designed to deal with random characters.
Encryption: TLS ensures that data such as passwords transmitted between a client (e.g., a user’s device) and a server (e.g., a website) is encrypted and protected from eavesdropping or tampering during transit.
Password reset: Password standards define robust identity verification methods to ensure that password reset requests are shielded from exploitation.
Password managers: Password managers allow users to set longer and more complex passwords, as they don’t need to remember them.

Chapter 23

5
Q

8 elements of Access Control Standards

A

Authentication protocols: Authentication protocols vary but can include SSH keys for Linux, Kerberos on a Microsoft environment, OAuth for internet-based authentication, and SAML for third-party authentication.
Least privilege: The policy of least privilege should be used to prevent privilege escalation.
Access control type: There are various types of access control, including Mandatory Access Control (MAC), based on classification labels, Role-Based Access Control (RBAC), to give permissions according to users’ job roles, rule-based access control, which affects everyone within given conditions, and Discretionary Access Control (DAC), which gives the data owner the power to grant or deny access directly. Each organization must determine which control is most appropriate for its particular context.
User identity: User identity refers to the method of identification, such as usernames, smart cards, or biometrics, based on an organization’s preference.
Multifactor Authentication (MFA): MFA enhances the access control process by requiring more than one form of authentication factor for each authentication request.
Privilege Access Management (PAM): PAM is a solution designed for stricter control over administrative accounts within a domain. It helps prevent privilege escalation and enhances security for privileged accounts.
Audit trail: Any access control system needs an audit trail that lists every event that happens on a server and identifies who carried out the action and when. Implementing a RADIUS server is a good way to set up audit trailing because of the server’s ability to perform accounting. Specialist applications such as medical systems have built-in audit trails for compliance reasons.
Conditional Access policy: A Conditional Access policy is a cloud-based access control that uses signals, conditions, and enforcement mechanisms to manage and regulate user access to resources, enhancing security and ensuring compliance.

Chapter 23

6
Q

7 types of Physical Security Standards

A

Mantrap: This is a secure entryway with two interlocking doors that allows only one person at a time, enhancing access control.
Turnstile: This is a rotating gate that permits one person to pass at a time and is often used for crowd management and access control.
Access control vestibule: This is an enclosed area between two secure doors used to verify credentials and restrict unauthorized access.
Guards: Trained personnel monitor and protect physical premises, providing a visible deterrent and response to security incidents.
Visitor logs: This is an audit trail for visitors when they are signed in and out by their sponsor. The sponsor is then responsible for them.
Proximity cards/fobs: These refer to Radio-Frequency Identification (RFID) devices used for access control. Entrants must tap their assigned device on a card reader.
CCTV: Closed-Circuit Television (CCTV) is a surveillance system using cameras to monitor and record activities in specific areas for security and monitoring purposes.

Chapter 23

7
Q

4 types of Procedures

A

Established methods for task completion:
Change management: Change management procedures outline the steps and protocols for initiating, evaluating, implementing, and monitoring changes within an organization. They ensure that transitions (whether in technology, processes, or policies) are authorized and executed smoothly, minimizing disruptions and optimizing outcomes.
Onboarding: Onboarding is the process of integrating new team members into an organization’s culture and workflows. Onboarding procedures create a structured path for introducing newcomers, including orientation, training, and the provisioning of necessary resources, such as phones and laptops. These procedures help new employees acclimatize quickly, fostering productivity and engagement from day one. The signing of a Non-Disclosure Agreement (NDA) is typically required during onboarding to legally protect sensitive company information and ensure that new employees or individuals joining the organization understand and agree to maintain confidentiality regarding proprietary or confidential data.
Offboarding: When someone decides to leave the company, HR carries out offboarding procedures to ensure a dignified and systematic exit. These procedures encompass tasks such as returning equipment, revoking access privileges, and conducting exit interviews. They help protect sensitive data, maintain security, and preserve positive relationships even as farewells are bid.
Playbooks: Playbooks are a subset of procedures that are often used in specific contexts such as sales, marketing, disaster recovery, or incident response. They are comprehensive guides that outline actions, strategies, and contingencies for various scenarios. Playbooks equip teams with predefined responses to complex situations to ensure consistency and effective decision-making.

Chapter 23

8
Q

6 External considerations

A

External factors affecting decision-making:
Regulatory: Governments and regulatory bodies enact laws and regulations to ensure fair practices, protect consumers, and maintain industry standards. Staying compliant with these regulations is essential to avoiding legal consequences and maintaining public trust. Whether it’s data privacy, financial reporting, or environmental standards, organizations must navigate the intricate web of regulations that apply to their industry and jurisdiction.
Legal: Legal factors encompass not only regulatory compliance but also broader legal issues that organizations face, such as contracts, intellectual property, liability, and litigation. Organizations need robust legal strategies (including effective contract management and risk mitigation) to safeguard their interests and ensure ethical and lawful operations.
Industry: Industries evolve rapidly due to technological advancements, consumer trends, and competitive pressures, so industry considerations must encompass those unique challenges and opportunities within their related sector. Organizations must stay attuned to industry dynamics, embracing innovation and adapting to changing market conditions to remain relevant and competitive.
Local/regional: Local and regional factors consider the specific conditions and demands of a particular location or geographic area. These factors may include cultural preferences, economic conditions, infrastructure, and local regulations. Organizations that engage with and understand the nuances of local communities can build strong relationships and achieve sustainable growth.
National: National factors pertain to an organization’s interactions with the country in which it operates or is headquartered. National policies, economic trends, and geopolitical stability can significantly impact business operations. Organizations must align their strategies with national priorities and navigate the broader economic and political landscape.
Global: Organizations confront global challenges tied to international trade, geopolitical complexities, and cross-border compliance requirements. A global perspective is imperative, then, in order to capitalize on opportunities and adeptly navigate risks in an increasingly borderless business landscape. In line with this, there are some global standards that all countries need to adhere to, for example, PCI-DSS, which is an international standard relating to credit card data. An online retail company that accepts credit card payments from customers must adhere to PCI-DSS standards to secure cardholder data during transactions and protect against potential data breaches.

Chapter 23

9
Q

5 aspects of Monitoring and revision

A

Ongoing assessment and adaptation
Regular audits and assessments: Routine audits, inspections, and assessments are conducted to gauge compliance levels and identify potential vulnerabilities. These evaluations help organizations stay ahead of threats by ensuring that their existing controls align with current requirements.
Policy and procedure revisions: The results of compliance reports, technological advancements, changes in business processes, newly identified risks, or evolving legal requirements can necessitate revisions to cybersecurity policies and procedures. Organizations must ensure they know the latest standards and frameworks and revise their policies accordingly, as these revisions are essential to address emerging threats effectively.
Employee training: Keeping employees informed and engaged is crucial. Regular training sessions not only educate employees about policy changes but also serve as a reinforcement of cybersecurity best practices to maintain a security-conscious organizational culture.
Legal changes: Organizations must remain vigilant regarding any changes in cybersecurity legislation, whether at the international, national, regional, or industry-specific levels. Staying informed about evolving legal requirements is essential for compliance and risk mitigation.
Cyclical and proactive approach: Monitoring and revision in cybersecurity governance form a continuous loop of assessment, adaptation, and enhancement. Proactive strategies are key in this process, as they enable organizations to anticipate potential threats, assess their preparedness, and make necessary adjustments ahead of time.

Chapter 23

10
Q

4 Types of governance structures

A

Frameworks for organizational oversight:
Boards: Boards of directors or governing boards are fundamental to governance in numerous organizations, including corporations, nonprofits, and educational institutions. These boards are entrusted with setting the strategic direction, overseeing management, and safeguarding stakeholders’ interests. Boards ensure accountability through governance, oversight, transparency, and ethical leadership.
Committees: Committees are internal task forces within larger governance structures that focus on specific functions or tasks. They play a critical role in breaking down complex governance responsibilities into manageable components. Examples include audit committees, compensation committees, and governance committees. These specialized groups enhance the efficiency and effectiveness of governance by diving deep into specific areas of concern, such as financial compliance, cybersecurity, regulatory compliance, and strategic planning, among others.
Government entities: Government entities at various levels are responsible for public governance. These entities (including federal, state, and local governments) create policies, enforce laws, and provide public services. Public governance structures are vital for maintaining law and order, protecting citizens’ rights, and promoting general welfare. They operate within established legal frameworks and democratic principles.
Centralized/decentralized governance: Centralized and decentralized governance structures are at opposite extremes. Centralized governance consolidates decision-making authority at the top, often with a single governing body or individual. In contrast, decentralized governance distributes decision-making across various entities or levels. Finding the right balance between centralization and decentralization depends on the organization’s size, complexity, and objectives. The amount of centralization/decentralization impacts how decisions are made, resources are allocated, and responsibilities are delegated.

Chapter 23

11
Q

The 5 Roles and responsibilities for systems and data

A

Duties in data management:
Data owner: Data owners bear the responsibility of safeguarding data and overseeing the enforcement of policies that govern its proper usage to ensure the protection and responsible handling of data.
Data controller: The data controller writes the policies that relate to data collection and processing. They are legally responsible for ensuring compliance with the up-to-date regulations for each type of data and ensuring that data subjects are acknowledged, their permission to use the data is granted, and all necessary procedures related to privacy notices are correctly implemented in their policies, promoting transparency and data protection.
Data processor: The data processor must handle and process the data on behalf of data controllers. They must adhere to the predetermined instructions and policies set by the controllers and ensure the sanctity of data subject rights and regulatory compliance. They must maintain a record and audit trail for every transaction during data processing so that the auditor can ensure compliance.
Data custodian: The data custodian is responsible for the secure storage of data in compliance with data privacy regulations such as GDPR, ISO 27701, or HIPAA. The data custodian protects the data by ensuring it is encrypted, stored, and backed up. They implement the organization’s data retention policy and archive data that is outside of the legal data retention regulations.
Data steward: Data stewards are dedicated to maintaining data quality, diligently identifying and rectifying errors and inconsistencies. They also maintain detailed records and metadata, making data understandable and accessible to users. Beyond quality, they classify data based on sensitivity and collaborate with data custodians to implement the necessary controls for compliance.

Chapter 23

12
Q

Risk identification

A

The first stage in risk management is the identification and classification of the asset. There are three key elements to risk assessment:
Risk: The risk is the probability that an event will occur that results in financial loss or loss of service. In the preceding example, the probability that the trash or gold would be taken. In IT security, it is the probability your system could be hacked or data stolen.
Threat: A threat is someone or something that wants to inflict loss on a company by exploiting vulnerabilities. In the preceding example, it’s the person who takes the gold. In IT security, it could be a hacker that wants to steal a company’s data.
Vulnerability: This is a weakness that helps an attacker exploit a system. In the preceding example, it is the fact that outside your front door is not a secured area. In IT security, it could be a weakness in a software package or a misconfiguration of a firewall.

Chapter 24

13
Q

4 types of Risk assessment

A

Assessing the impact or risk:
Ad hoc risk assessment: Ad hoc assessments are sporadic and arise in response to specific events or perceived threats. This type of assessment is tailored to focus on the immediate dangers and is characterized by its flexibility and swift implementation.
Recurring risk assessment: Recurring assessments are routine and scheduled to occur at predetermined intervals. This approach ensures that the organization’s security posture is regularly monitored, evolving threats are detected, and changes in the environment or operations are addressed. Regularly scheduled assessments enable organizations to stay vigilant and maintain an updated understanding of their risk profile, fostering a proactive security culture.
One-time risk assessment: One-time assessments are conducted for specific scenarios or projects, often at the inception of a new venture, system implementation, or organizational change. This approach provides a detailed one-time view of the risks associated with a particular endeavor.
Continuous risk assessment: Continuous risk assessment goes above and beyond the periodic nature of recurring assessments, characterized by real-time monitoring and the analysis of risks. This dynamic approach integrates risk assessment seamlessly into the organization’s daily operations, allowing for instantaneous detection and response to threats as they arise. Continuous assessment is vital in today’s fast-paced and dynamic threat landscape as it empowers organizations to stay a step ahead of potential security breaches.

Chapter 24

14
Q

9 types of Risk analysis

A

Qualitative risk analysis: Qualitative risk analysis uses subjective judgment to categorize risks as high, medium, or low, focusing on factors such as the potential impact and the likelihood of occurrence.
Quantitative risk analysis: Quantitative risk analysis, on the other hand, assigns numerical values to risks identified as high in qualitative analysis. It quantifies and creates a precise measurement of the probability and the impact of risks, helping to determine the potential cost and formulate data-driven mitigation strategies. It provides a deeper understanding of the risk for more informed decision-making. One aspect of this is to calculate equipment loss, the process of which is explained in the following section.
Single Loss Expectancy (SLE): SLE represents the monetary value of the loss of a single item. Losing a laptop worth $1,000 while traveling, for instance, implies an SLE of $1,000.
Annualized Rate of Occurrence (ARO): ARO refers to the number of items lost annually. For example, if an IT team experiences the loss of six laptops in a year, the ARO is 6.
Annualized Loss Expectancy (ALE): This is calculated by taking the SLE and multiplying it by the ARO and represents the total expected loss per year, providing a foundation for insurance and risk management decisions.
Probability: Probability is a fundamental concept in risk analysis that describes the chance of a specific event occurring. It is quantified as a number between 0 and 10; the closer the number is to 10, the higher the probability that the event will occur. Assessing probability helps determine the frequency with which a risk event might occur (the number of times it will happen in a given timeframe), enabling organizations to allocate resources more effectively to manage it.
Likelihood: Likelihood is synonymous with probability in risk analysis, representing the possibility of a risk materializing. It is often expressed in qualitative terms, such as high, medium, or low, providing an intuitive grasp of the risk’s occurrence.
Exposure Factor (EF): EF is a measure of the magnitude of loss or damage that can be expected if a risk event occurs. It is represented as a percentage, reflecting the portion of an asset’s value likely to be affected. By determining the EF, organizations can assess the extent of damage a specific risk can inflict to produce more accurate risk valuations.
Impact: Impact is the consequence or the effect that a risk event has on an organization or a specific asset. It is often quantified monetarily, representing the potential loss in value. Impact assessment is crucial, as it provides insights into the severity of the risk and allows organizations to determine the necessary controls and response strategies to mitigate the risk.

Chapter 24

15
Q

3 elements of a Risk register

A

A comprehensive record of identified risks and their details:
KRIs: KRIs, or Key Risk Indicators, are an essential element of a risk register. They serve as metrics that provide an early signal of increasing risk exposure in various areas of the organization. KRIs act as early indicators of risk and so are instrumental in anticipating potential problems and allowing organizations to enact proactive measures to mitigate such risks. A KRI in a financial institution could be the number of failed transactions in each period, identifying potential issues in the transaction process that could lead to more significant risks if not addressed promptly.
Risk owners: Assigning risk owners is a fundamental step in constructing a risk register. A risk owner is an individual or team assigned the task of risk management. The risk owner is responsible for the implementation of risk mitigation strategies and monitoring the effectiveness of these strategies over time. For example, in a manufacturing firm, the production manager could be designated as the risk owner for operational risks associated with equipment failure or production delays. Establishing clear ownership ensures that there is a designated authority responsible for addressing and managing each identified risk.
Risk threshold: The risk threshold represents the level of risk that an organization is willing to accept or tolerate. Establishing a risk threshold is vital for maintaining a balance between risk and reward and ensuring that the organization does not undertake excessive risks that could jeopardize its objectives. If a risk surpasses the threshold level, it demands immediate attention and, possibly, a re-evaluation of the strategies and controls in place.

Chapter 24

16
Q

Risk tolerance

A

The organization’s capacity to withstand and manage risks

Chapter 24

17
Q

3 categories of Risk appetite

A

The amount of risk that an organization can bear:
Expansionary risk appetite: Organizations with an expansionary risk appetite typically embrace higher levels of risk in an effort to foster innovation and gain a competitive edge. These organizations often prioritize growth and expansion and seek higher returns and market shares over stringent security protocols, potentially exposing them to a spectrum of threats.
Conservative risk appetite: In contrast to those with expansionary appetites, organizations with a conservative risk appetite prioritize security and risk mitigation over aggressive growth strategies. They have a carefully planned security control approach to risk management and often reject opportunities that are deemed too risky.
Neutral risk appetite: Organizations with a neutral risk appetite strike a balance between expansionary and conservative approaches. They assess each opportunity on a case-by-case basis, accepting only risks that are manageable and align with their strategic objectives. They face potential conflicts between business units with differing risk appetites as one unit might be seeking growth opportunities but be held back by another unit that deems ventures too risky.

Chapter 24

18
Q

6 Risk management strategies

A

Risk transference: In this approach, significant risks are allocated to a third party, often through insurance or outsourcing your IT systems. For example, companies recognizing the potential damages from a road traffic accident will purchase car insurance to transfer the financial risk to the insurer. Similarly, businesses are increasingly adopting cybersecurity insurance to cover potential financial losses, legal fees, and investigation costs stemming from cyberattacks.
Risk acceptance: Risk acceptance is the acknowledgment of a specific risk and the deliberate decision not to act to mitigate against the risk as it is deemed too low.
Risk exemption: Exemption refers to the act of relieving an individual, group, or entity from a specific obligation, rule, or policy that is generally applied across the organization. Exemptions are typically granted when adherence to a specific rule or policy is impractical or unfeasible. They are usually formal and documented and have a specified duration, and they may require approval from regulatory or governing bodies on a case-by-case basis.
Risk exception: An exception in risk management pertains to an approved deviation from a set policy or standard. This deviation is typically temporary and is allowed due to the absence of a viable alternative, often with compensatory controls to mitigate associated risks.
Risk avoidance: When the identified risk is too substantial, a decision may be made to abstain from the risky activity altogether. A practical example is an individual deciding not to jump from a considerable height without safety measures, due to the extreme risk involved.
Risk mitigation: Risk mitigation is a comprehensive strategy wherein identified risks are analyzed to determine their potential impacts, and suitable measures are employed to reduce the risk levels. An inherent risk is the raw risk that you face before you try to mitigate it. An example of risk mitigation would be installing antivirus software on company devices to protect against viruses. Even after you mitigate a risk, there may be a small amount of risk remaining. This is called residual risk.

Chapter 24

19
Q

Risk reporting

A

Communicating the status of identified risks to stakeholders
Risk reporting is the process of systematically gathering, analyzing, and presenting information about risks within an organization.

Chapter 24

20
Q

4 Business impact analysis concepts

A

Recovery Point Objective (RPO): The RPO is determined by identifying the maximum age of files or data that an organization can afford to lose without experiencing unacceptable consequences. It’s fundamentally related to data backup frequency. For instance, if a company sets an RPO of three hours, it means the organization must perform backups at least every three hours to prevent any data loss beyond this acceptable threshold.
Recovery Time Objective (RTO): The RTO is the time by which a business aims to restore its operations to an operational level after a disruption. In a practical scenario, if a disruption occurs at 1:00 P.M. and the RPO is set at three hours, the organization aims to have its operations restored by 4:00 P.M. If the restoration process extends beyond the defined RPO, it can potentially have detrimental effects on the business and lead to loss of revenue, reputation, and customer trust.
Mean Time to Repair (MTTR): MTTR signifies the average duration needed to restore a malfunctioned system to its optimal operating condition. For instance, if a vehicle experiences a breakdown at 2:00 P.M. and its repair is completed by 4:00 P.M., this yields an MTTR of two hours, denoting a relatively swift resolution.
Mean Time Between Failures (MTBF): MTBF stands as a paramount metric in evaluating and enhancing the reliability of systems and components. It provides insights into the average time a system or component operates without failure. It acts as a critical indicator of the inherent reliability and endurance of equipment or systems, providing a foundational basis for predictive maintenance and system optimization. Consider a scenario where a car is purchased on January 1 and it experiences breakdowns on January 2, 5, 6, and 8. In this case, the MTBF would indeed be low, two days, because there have been four failures in eight days. This implies the car is not reliable. A high MTBF is desirable as it denotes fewer failures and enhanced reliability. Thus, for a substantial investment, consumers would logically expect a product with a higher MTBF, reflecting superior reliability and value.

Chapter 24

21
Q

4 types of Pen Testing

A

Unknown environment: Pen testers in an unknown environment (previously known as a black box) are provided with no preliminary information about the company. They focus on external exploitation strategies to unearth vulnerabilities, thereby emulating the approach of real-world attackers.
Partially known environment: Pen testers in a partially known environment (previously known as a gray box) are privy to limited internal information.
Known environment: Pen testers in a known environment (previously known as a white box) have comprehensive access to system and application details, including source code, and provide a thorough and detailed analysis of security postures. They test applications prior to release to ensure that there are no vulnerabilities. They are normally on the payroll.
Bug bounty: A bug bounty works on a reward basis to uncover vulnerabilities that might escape notice during regular security audits. Participants (often called “bug hunters”) scrutinize software applications, websites, and sometimes even hardware to detect security flaws, and they are rewarded proportionally according to the severity and impact of the discovered vulnerabilities.

Chapter 25

22
Q

5 Vendor assessments

A

Penetration testing: Commonly known as pen testing, penetration testing is a structured and authorized examination of a company’s network, applications, or systems. It aims to identify and assess potential vulnerabilities that could be exploited by malicious entities. The intention is not to damage but to unveil weak points to help organizations strengthen their defenses. The methods applied during this form of testing are intrusive as they include actions such as attempting to gain unauthorized access, probing for weaknesses, or simulating cyberattacks, but are conducted in a controlled environment to prevent any real damage or unauthorized access to sensitive data.
Right-to-audit clause: Including a right-to-audit clause in agreements with vendors is crucial for maintaining transparency and trust. It grants organizations the right to conduct on-the-spot audits of vendors’ systems and processes, enabling them to verify compliance with agreed-upon standards and regulatory requirements. This clause ensures continuous oversight, fosters accountability, and reinforces the vendor’s commitment to maintaining high-quality service and security standards.
Evidence of internal audits: Reviewing evidence from vendors’ internal audits provides insights into their internal control environment and risk management practices. Analyzing internal audit reports enables organizations to discern the effectiveness of a vendor’s controls and their ability to mitigate risks. This allows them to make more informed decisions and formulate risk management strategies and enhances overall operational resilience.
Independent assessments: Independent assessments, often conducted by third-party auditors, offer an unbiased evaluation of a vendor’s operations, security practices, and compliance status. These assessments provide organizations with an impartial perspective on the vendor’s risk profile, supporting the validation of internal controls and the identification of areas needing improvement or remediation.
Supply chain analysis: Supply chain analysis is essential as it uncovers risks associated with a vendor’s suppliers and subcontractors. It examines various components of a vendor’s supply chain, evaluating the stability, security, and reliability of each link. Understanding the interdependencies and vulnerabilities within a vendor’s supply chain allows organizations to anticipate and manage potential disruptions and risks more effectively.

REMINDER: A right-to-audit clause in a contract allows the inspection of the provider at short notice.

Chapter 25

23
Q

2 Vendor selection considerations

A

Choosing vendors through comprehensive assessment:
Due diligence: Due diligence is essential to any vendor selection. It’s a rigorous investigation and evaluation process, in which organizations scrutinize potential vendors on various fronts, including financial stability, operational capabilities, compliance with relevant regulations, and past performance. By thoroughly assessing this information, organizations can predict the vendor’s reliability and performance consistency.
Conflicts of interest: Identifying and managing conflicts of interest is crucial to maintaining the impartiality and fairness of the vendor selection process. Organizations must evaluate any existing relationships or affiliations between decision-makers and potential vendors that could influence the selection process unduly, and subsequently address these conflicts of interest to uphold transparency. This ensures that the chosen vendors are genuinely aligned with the organization’s interests and are selected based on merit rather than biased inclinations or undue influences, which in turn fosters an environment of impartiality and fairness in vendor engagements and mitigates the risk of reputational damage and legal complications.

Chapter 25

24
Q

7 Agreement types

A

Deciding how you will work together:
Service-Level Agreement (SLA): An SLA is a contractual arrangement between a service provider and a recipient that outlines the expected level of service. It defines specific metrics to measure service standards, response, or resolution times and usually includes remedies or penalties for the provider if the agreed-upon service levels are not met.
Memorandum of Agreement (MOA): An MOA is legally binding. It meticulously outlines the terms and conditions and detailed roles and responsibilities of the parties involved. The MOA serves to clarify the expectations and obligations of each party to avoid disputes and ensure mutual understanding and cooperation.
Memorandum of Understanding (MOU): An MOU is a formal acknowledgment of a mutual agreement between two or more parties. It is more substantial than an informal agreement, reflecting a serious commitment from all involved parties, but generally lacks the binding enforceability of a legal contract. It serves primarily as a statement of intent.
Master Service Agreement (MSA): The MSA articulates the general terms and conditions governing a contractual relationship between the involved entities. It typically addresses aspects such as payment terms, dispute resolution mechanisms, intellectual property rights, confidentiality clauses, and liability provisions.
Work Order (WO)/Statement of Work (SOW): While an MSA outlines the terms and conditions of a contracted partnership, a WO or SOW looks at the specifics of individual tasks or projects. The SOW typically provides a detailed breakdown of the work to be performed, the timelines for completion, the expected deliverables, and the agreed-upon compensation.
Non-Disclosure Agreement (NDA): An NDA is a legally binding contract made between an organization and an employee or a business partner, in which the signee promises not to disclose trade secrets to others without proper authorization. The reason for this is to stop trade secrets or proprietary information from being sold on to competitors.
Business Partnership Agreement (BPA): A BPA is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are shared. It also establishes rules for termination of the partnership, either at a given point in time or if one of the partners dies or is otherwise unable or unwilling to continue their partnership.

REMINDER: An MSA outlines the terms and conditions of a contract and an SOW outlines the vendor’s task, the organization’s expectations, and predefined outcomes.

Chapter 25

25
Q

Vendor monitoring

A

Oversees vendor performance and compliance

Chapter 25

26
Q

Vendor Questionnaires

A

Questionnaires, in the context of vendor monitoring, are structured surveys or sets of inquiries systematically designed to gather detailed information about various aspects of a vendor’s operations. These surveys enable organizations to delve deeply into specific areas, such as financial stability, regulatory compliance, performance history, and security measures.

Chapter 25

27
Q

4 Rules of engagement considerations

A

Defines interaction boundaries and expectations
Clarity and alignment: Rules of engagement provide clarity by clearly defining the roles and responsibilities of both the organization and the vendor. They leave no room for ambiguity or assumptions, ensuring that everyone knows what is expected of them.
Conflict prevention: Misunderstandings and conflicts often arise from differing expectations. By establishing rules in advance, organizations can preemptively address potential sources of disagreement, reducing the likelihood of disputes.
Efficiency: With well-established rules, processes and workflows become more efficient. Both parties know how interactions and transactions should proceed, streamlining communication and reducing delays.
Risk mitigation: Rules of engagement can also include clauses related to risk management and compliance. For example, they can specify data security requirements, quality standards, and regulatory compliance, reducing the risk of legal and financial repercussions.

Chapter 25

28
Q

2 Compliance reporting types

A

Compliance reporting is a critical component that ensures organizations adhere to regulatory standards, industry best practices, and internal policies.
Internal: Internal compliance reporting involves the assessment and measurement of an organization’s adherence to its own security policies, standards, and procedures. In this way, organizations conduct a thorough self-examination to identify gaps and areas in need of enhancement.
External: External compliance reporting focuses on demonstrating an organization’s adherence to external standards, regulations, and industry-specific requirements. These reports are often shared with regulatory bodies, partners, clients, and other stakeholders.

Chapter 26

29
Q

5 Consequences of non-compliance

A

Fines: GDPR’s article 83 sets fines according to the severity of the noncompliant practice.
Lower-tier fines: These fines can amount to up to €10 million or 2% of the organization’s global annual turnover, whichever is higher. These are typically imposed for less severe violations, such as failing to maintain records or failing to notify authorities of a data breach.
Upper-tier fines: These fines can be much more substantial, reaching up to €20 million or 4% of the organization’s global annual turnover, whichever is higher. Upper-tier fines are imposed for more serious violations, such as infringements of individuals’ rights or transferring personal data to countries without adequate data protection measures.
Sanctions: Sanctions often encompass various legal and regulatory measures taken against organizations or entities for non-compliance or misconduct. Such legal actions can not only be financially draining but can also result in damage to an organization’s reputation and credibility.
Reputational damage: The trust of clients, partners, and stakeholders is invaluable, and non-compliance such as data breaches or regulatory violations can erode that trust rapidly. This may lead to a loss of customers, termination of partnership contracts, and withdrawal of investor support. Rebuilding trust is a long and arduous process, making reputational damage one of the most severe consequences.
Loss of license: Certain industries, such as finance and healthcare, require licenses to operate. Non-compliance can lead to the revocation of these licenses, effectively shutting down an organization’s ability to carry out its core functions. Losing a license not only disrupts operations but can also permanently damage an organization’s credibility in the industry.
Contractual impacts: Contractual ramifications can manifest when organizations become embroiled in legal disputes, facing lawsuits or becoming subjects of inquiries by regulatory authorities. Such legal actions can not only be financially burdensome but may also tarnish an organization’s reputation and credibility.

Chapter 26

30
Q

4 Compliance monitoring approaches

A

Ensuring adherence to regulations:
Due diligence/care: Effective compliance monitoring begins with due diligence. It involves the meticulous examination of an organization’s processes, practices, and policies to ensure they align with regulatory requirements. Due diligence isn’t just a box-ticking exercise; it’s a proactive effort to identify vulnerabilities and weaknesses, including comprehensive risk assessments and ongoing evaluation to maintain a strong security posture.
Attestation and acknowledgment: Attestation and acknowledgment involve the formal recognition and affirmation of an organization’s commitment to compliance. Attestation signifies that an organization acknowledges its responsibilities and will adhere to the prescribed regulations. These processes foster transparency and accountability, demonstrating an organization’s commitment to compliance.
Internal and external: Compliance monitoring operates on both internal and external fronts. Internally, organizations conduct self-assessments and audits to gauge their compliance with internal policies and industry-specific standards. Externally, regulatory bodies and third-party auditors scrutinize an organization’s compliance efforts. This dual perspective ensures a balanced evaluation of compliance measures.
Automation: Automation has become a game-changer in compliance monitoring. Robust software solutions and tools streamline compliance assessments, data tracking, and reporting. Automation not only enhances efficiency but also reduces the margin for error by enabling the proactive identification and rectification of compliance gaps and fostering a culture of continuous improvement.
Data breaches: From a compliance perspective, a data breach is a crucial moment where legal rules and ethical duties come together. It highlights the need to protect personal information in our data-driven world. A customer could experience identity theft as a result of a data breach. Organizations must act quickly and openly to deal with breaches. Article 33 of GDPR deals with the notification of a personal data breach to the supervisory authority. Data controllers must report data breaches to the relevant data protection authority within 72 hours. HIPAA states notification must be made within 60 days.

Chapter 26

31
Q

3 Privacy Regulation types

A

Protecting individuals’ personal information and rights:

Legal implications: Legal consequences and obligations

Local/regional: Regulations specific to local or regional areas
National: Regulations at the national level
Global: Worldwide data protection regulations

Chapter 26

32
Q

5 Data compliance terms

A

Data subject: The data subject is anyone whose personal information is being collected and stored, and the rights and protections of the data subject depend on which privacy regulations are applicable to them. The data subject is an important legal entity; for instance, they are granted the “right to be forgotten” in GDPR’s article 17, as discussed shortly.
Data controller versus data processor: The data controller’s duties include writing the policies that relate to data collection and processing, adhering to up-to-date regulations for each type of data, and ensuring that data subjects are acknowledged, their permission to use the data is granted, and all necessary procedures related to privacy notices are correctly implemented in their policies, promoting transparency and data protection.
Ownership: Data owners bear the vital role of safeguarding data and overseeing the enforcement of policies that govern its proper usage, ensuring the protection and responsible handling of data.
Data inventory and retention: Maintaining a data inventory involves the systematic cataloging of data, including its location, type, and usage. This process allows organizations to meet regulatory requirements, assess data security risks, and demonstrate compliance during audits. From a compliance standpoint, maintaining a data inventory is not just a best practice; it’s a necessity. It enables organizations to ensure that sensitive data is adequately protected, access is controlled, and data breaches are minimized. Compliance frameworks, such as GDPR, HIPAA, or industry-specific standards, often stipulate specific data retention periods, driven by the type of the data and the region it was created in. HIPAA states that medical data must be retained for 6 years after the last entry, while in the UK, financial data has a retention period of 6 years and medical data 8 years.
Right to be forgotten: GDPR’s article 17 (often referred to as the “right to be forgotten”) grants individuals the power to request the removal of their personal data held by an organization. This is done by contacting the data controller, who is legally bound to exercise their instructions, unless there is a legal reason why it cannot be deleted, such as an ongoing investigation by law enforcement.

Chapter 26

33
Q

Attestation

A

It involves the meticulous examination and validation of information, often by a qualified independent party, to ensure its accuracy and compliance with established standards and regulations.

Chapter 27

34
Q

Purpose, Process, and Reporting of 3 Internal audits types

A

Compliance
Purpose: Compliance audits aim to verify that the organization is conducting its activities in accordance with the applicable rules and regulations.
Process: Compliance audits may review financial transactions, operational protocols, and employee activities to assess adherence to regulations.
Reporting: The findings of compliance audits are typically reported to senior management and the audit committee. This information is essential for decision-making and ensuring that the necessary corrective actions are taken.
Audit Committee
Purpose: The audit committee’s primary purpose is to provide oversight, governance, and an additional layer of assurance that the organization’s internal audit function is effective.
Process: The committee meets regularly with internal auditors to review audit plans, discuss findings, and ensure that the organization is addressing identified issues appropriately.
Reporting: The audit committee reports its findings and recommendations to the board of directors, which informs a wide range of strategic decisions that are essential for the organization’s overall performance, sustainability, and adherence to ethical and legal standards. It helps the board of directors make informed choices that align with the company’s mission and goals while maintaining its reputation and integrity.
Self-Assessments
Purpose: Self-assessments aim to identify and address internal weaknesses, streamline processes, and foster a culture of self-improvement within the organization.
Process: Internal stakeholders (often with the guidance of internal auditors) assess various aspects of the organization, such as operational efficiency, quality control, and risk management.
Reporting: The outcomes of self-assessments are typically used internally, and the findings help guide decisions aimed at improving internal processes and operations.

Chapter 27

35
Q

Purpose, Process, and Reporting of 3 External audits types

A

Regulatory
Purpose: Regulatory compliance audits confirm that the organization is following the rules and regulations applicable to its industry.
Process: Auditors examine financial records, operational practices, and internal controls to assess the organization’s adherence to specific regulatory requirements.
Reporting: The findings of regulatory compliance audits are reported to both internal management and external stakeholders (including regulatory authorities) to demonstrate compliance and initiate corrective actions if necessary.
Examinations
Purpose: Detailed examinations aim to verify the completeness and accuracy of financial records and reduce the risk of financial misstatements or errors.
Process: Auditors review financial statements, transactions, and supporting documentation to ensure that they conform to Generally Accepted Accounting Principles (GAAPs) or International Financial Reporting Standards (IFRSs).
Reporting: The results of detailed examinations are included in audited financial statements, which are made available to shareholders, investors, and the public to provide an accurate representation of the organization’s financial health.
Assessment
Purpose: Assessments are intended to enhance operational efficiency, risk mitigation, and the overall effectiveness of internal controls.
Process: Auditors analyze internal control systems, risk management procedures, and governance structures to ensure they are resilient and aligned with best practices.
Reporting: Assessment findings are communicated to senior management and the board of directors, along with recommendations for improvements to internal controls and risk management practices.
Independent Third-Party Audit
Purpose: Independent third-party audits establish credibility and trust by providing an impartial evaluation of an organization’s financial statements, operations, and compliance.
Process: Auditors follow a rigorous and standardized audit process, which includes risk assessment, testing, and validation of financial statements and controls.
Reporting: The auditors’ report, issued at the conclusion of the audit, provides an objective opinion on the fairness of the financial statements and the effectiveness of internal controls.

REMINDER: External audits ensure the company’s practices are aligned with industry standards.

Chapter 27

36
Q

7 types of Penetration testing

A

Assessing security through simulated attacks
Physical: Essentially checking the company’s physical infrastructure, physical penetration testing could be physically hacking into a security system or breaking into the building where servers are kept.
Offensive: Offensive penetration testing is a simulated attack approach performed by testers (often referred to as “ethical hackers”) to uncover vulnerabilities and weaknesses in an organization’s defenses. This could also be known as the red team in team exercises.
Defensive: Defensive penetration testing, on the other hand, focuses on assessing an organization’s readiness to defend against cyberattacks. It seeks to assess the efficiency of security measures and the effectiveness of incident response procedures. This is your blue team in team exercises.
Integrated: This approach combines various aspects of penetration testing, including an evaluation of both physical and digital security measures, to provide a holistic view of an organization’s security posture.
Known environment: In a known environment, testers (sometimes referred to as white hat hackers) are provided with extensive information about the organization’s systems and infrastructure. This allows them to focus on specific targets and vulnerabilities within the environment.
Partially known environment: Penetration testers are given limited information about the organization’s systems and infrastructure in a partially known environment. This simulates a scenario where an attacker has acquired some knowledge about the target but not all. These could be the gray hat hackers.
Unknown environment: In an unfamiliar setting, penetration testers operate without prior information about the organization’s systems, infrastructure, or security protocols. This simulates an attacker with no inside information attempting to breach the organization. These could be black hat hackers.

37
Q

2 types of reconnaissance

A

Information gathering before penetration testing
Passive: Gathering data without direct interaction
Active: Interacting directly with the target’s systems

Chapter 27

38
Q

3 Types of anomalous behavior

A

Risky: Risky behavior represents actions that, while not necessarily malicious, carry a heightened level of risk or potential harm to a system or organization. This can include actions such as granting excessive permissions, sharing login credentials, downloading suspicious files, or ignoring security warnings.
Unexpected: Unexpected behavior is characterized by actions or activities that deviate from established norms or historical patterns. It encompasses actions that may not align with a user’s typical behavior or system operation—for example, a user suddenly trying to access sensitive data or excessive server memory consumption.
Unintentional: Unintentional behavior involves actions that occur due to human error or accidents. This can encompass misconfigurations, accidental data leaks, or actions taken by users who have been tricked by social engineering attacks. Unintentional behavior can be caused by a lack of awareness or insufficient training.

Chapter 28

39
Q

7 User guidance and training methods

A

Policy/handbooks: Clear and comprehensive policies and handbooks are an essential part of user awareness training. These might include standard operating procedures, acceptable use policies, security protocols, or the consequences of non-compliance. Effective policies should be regularly reviewed, updated, and communicated to all staff to ensure ongoing adherence to the policy.
Situational awareness: Situational awareness is about identifying potential threats and vulnerabilities, understanding the consequences of actions, and making informed decisions to minimize risks. Consistent training can improve users’ capacity to maintain a heightened state of situational awareness and equip them with the skills necessary to avoid cyberattacks.
Insider threat: Insider threats can be among the most challenging to detect and mitigate. User training should include education about the types of insider threats that they may encounter, such as malicious insiders and unwitting accomplices. By fostering a culture of trust and vigilance, organizations can better prepare their workforce to identify and report suspicious behavior.
Password management: Training should cover the best practices of password creation, such as ensuring they are strong and unique and enabling multi-factor authentication (MFA).
Removable media and cables: The use of removable media and cables poses a potential security risk, as these can be vectors for malware or data leakage. User guidance should emphasize the importance of scanning removable media for threats and avoiding unknown devices, such as USB cables left on your desk or sent unexpectedly through the post.
Social engineering: Social engineering attacks prey on human psychology. Training should educate users about common social engineering tactics, such as phishing emails, smishing, or vishing (that is, voice phishing over the phone). Simulated phishing exercises can help users develop resistance to these deceptive strategies.
Operational security: Operational security consists of securing day-to-day activities such as communication and data encryption, how to deal with suspicious events, and how the incident reporting process should be carried out.
Hybrid/remote work environments: Training should address secure remote access, VPN usage, home network security, and the risks associated with using personal devices for work.

Chapter 28

40
Q

Reporting and monitoring

A

Initial: Evaluating training effectiveness
Recurring: Retraining if staff’s guard is lowered
Development: Creating training materials
Execution: Delivery of training

Chapter 28