Lesson 14: Summarize Security Governance Concepts

Question 1

Define ‘security policies’

Answer 1

Authoritative documents defining the organization’s security commitment.

Question 2

Define ‘security standards’

Answer 2

Specify the methods used to implement technical and procedural requirements.

Question 3

Define ‘security procedures’

Answer 3

Detailed step-by-step instructions describing how to complete specific tasks and align to the requirements provided in standards.

Question 4

What is the purpose of organizational policies?

Answer 4

Establishes effective governance and ensures organizational compliance for operations, decision-making, and behaviors by defining rules and procedures as well as consequences.

Question 5

Define ‘governance’

Answer 5

The processes used to direct and control an organization, including the processes for decision-making and risk management to ensure compliance with regulations.

Question 6

What are polices in relation to governance?

Answer 6

Policies are the outputs of governance.

Question 7

Define ‘compliance’

Answer 7

Describes how well an organization adheres to regulations, policies, standards, and laws relevant to its operation.

Question 8

Define an ‘Acceptable Use Policy (AUP)’

Answer 8

A policy that governs employees’ use of company equipment and Internet services. ISPs may also apply AUPs to their customers.

Question 9

What rules and polices are addressed in an Acceptable Use Policy (AUP)?

Answer 9

Browsing behavior, appropriate content, software downloads, and handling sensitive information.

Question 10

What is the goal of implementing an ‘Acceptable Use Policy (AUP)’?

Answer 10

To ensure that users do not engage in activities that could harm the organization or its resources; Detail the consequences for non compliance.

Question 11

What should be included in an Acceptable Use Policy (AUP) to ensure compliance is met by users?

Answer 11

Details regarding how compliance is monitored and require employees to acknowledge their comprehension of the AUP’s rules via signature.

Question 12

Define ‘Information Security Policies’

Answer 12

A document or series of documents enlisting rules and guidelines detailing requirements for protecting technology and information assets from threats and misuse.

Question 13

Define ‘Business Continuity’/’Continuity of Operations Plans (COOP)’

Answer 13

A collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.

Question 14

Define ‘Disaster Recovery Policies’

Answer 14

Details the steps required to recover from a catastrophic event such as a natural disaster, major hardware failure, or a significant security breach.

Question 15

Define ‘incident response policies’

Answer 15

Outlines the processes to be followed after a security breach; Details the steps for identifying, investigating, controlling, and mitigating the impact of incidents, including procedures for communicating about the incident to internal and external sources.

Question 16

Define ‘Software Development Life Cycle (SDLC) policies’

Answer 16

Governs the processes of planning, analysis, design, implementation, and maintenance of software and software development.

Question 17

Define ‘Change management polices’

Answer 17

Outlines how changes to IT systems and software are requested, reviewed, approved, and implemented, including all documentation requirements.

Question 18

Define a ‘Guideline’

Answer 18

Best practice recommendations that steer actions in a particular job role or department to achieve goals and complete tasks effectively.

Question 19

What is the purpose of a guideline?

Answer 19

To help individuals understand the required steps to comply with a policy or improve effectiveness.

Question 20

What is the difference between polices and guidelines?

Answer 20

Policies are mandatory and define strict rules; Guidelines provide recommendations and allow for more individual judgment and discretion.

Question 21

What are the 3 phases of ‘personnel management’ that involves HR?

Answer 21

1. Recruitment (hiring)
2. Operation (working)
3. Termination (firing/retiring)

Question 22

Define ‘onbarding’

Answer 22

The combined IT and HR process of bringing in a new employee, contractor, or supplier.

Question 23

Define an ‘organizational playbook’

Answer 23

A central repository of company policies and procedures.

Question 24

In a change management policy, what should be induced for major changes?

Answer 24

Organizations should attempt to trial the change first.

Question 25

In a change management policy, what should be included to mitigate a failed/harmful change?

Answer 25

A rollback (or remediation) plan, so that the change can be reversed.

Question 26

Define ‘offboarding’

Answer 26

Process of ensuring that all HR and other requirements are covered when an employee leaves an organization.

Question 27

Define a ‘standard’

Answer 27

Defines the expected outcome of a task, such as a particular configuration state for a server, or performance baseline for a service.

Question 28

What is the primary reason for adopting a standard?

Answer 28

To adhere to industry regulatory requirements.

Question 29

Define the ‘ISO/IEC 27001’ standard

Answer 29

International standard that provides an information security management system (ISMS) framework.

Question 30

Define the ‘ISO/IEC 27002’ standard

Answer 30

A companion standard to ISO 27001 and provides detailed guidance on specific controls to include in an ISMS.

Question 31

Define the ‘ISO/IEC 27017’ standard

Answer 31

Extension to ISO 27001 and specific to cloud services.

Question 32

Define the ‘NIST (National Institute of Standards and Technology) Special Publication 800-63’ standard

Answer 32

A US government standard for digital identity guidelines, including password and access control requirements.

Question 33

Define the ‘PCI DSS (Payment Card Industry Data Security Standard)’ standard

Answer 33

For organizations that handle credit cards from major card providers, including requirements for protecting cardholder data.

Question 34

Define the ‘FIPS (Federal Information Processing Standards)’ standard

Answer 34

Developed by NIST for federal computer systems in the United States that specify requirements for cryptography.

Question 35

How do regulatory standards facilitate auditing?

Answer 35

By providing a benchmark for evaluating organizational compliance and security practices.

Question 36

What is the difference between standards and policies?

Answer 36

Standards focus on implementation, whereas policies focus on business practices.

Question 37

What is the purpose of an internal password standard set by an organization?

Answer 37

Describes he specific technical requirements required to design and implement authentication systems as well as how passwords are managed within those systems.

Question 38

What should be outlined in a password standard?

Answer 38

Hashing algorithms; Salting mechanisms; Secure password transmission; Password resets; Use of Password managers.

Question 39

What is the purpose of an internal access control standard set by an organization?

Answer 39

To ensure that only authorized individuals can access the systems and data they need to do their jobs; Protects sensitive data and prevents accidental change/damage.

Question 40

What should be outlined in an access control standard?

Answer 40

Access control models; Acceptable methods to verify identities; Privilege Management; Authentication Protocols; Session management; Auditing of access.

Question 41

What is the purpose of internal physical security standards?

Answer 41

To define the protection of the infrastructure comprising the IT environment.

Question 42

What should be outlined in a physical security standard?

Answer 42

Building security/physical access controls; Workstation security; Datacenter/server room security; Equipment disposal; Visitor management.

Question 43

What is the purpose of internal encryption standards?

Answer 43

To identify the acceptable cipher suites and expected procedures needed to provide assurance that data remains protected.

Question 44

What should be outlined in an encryption standard?

Answer 44

Encryption Algorithms; Key Length; Key Management.

Question 45

Define ‘Due dilligence’

Answer 45

A legal term meaning that responsible persons have not been negligent in discharging their duties.

Question 46

Define the ‘Sarbanes-Oxley Act (SOX)’ law

Answer 46

Dictates requirements for the storage and retention of documents relating to an organization’s financial and business operations.

Question 47

Define ‘Federal Information Security Management Act (FISMA)’

Answer 47

Governs the security of data processed by federal government agencies.

Question 48

Define ‘General Data Protection Regulation (GDPR)’

Answer 48

Provisions and requirements protecting the personal data of European Union (EU) citizens.

Question 49

What is the purpose of General Data Protection Regulation (GDPR)?

Answer 49

EU citizens personal data cannot be collected, processed, or retained without the individual’s informed consent, unless there are other overriding considerations.

Question 50

Define ‘informed consent’ in regards to General Data Protection Regulation (GDPR)

Answer 50

Data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legal jargon.

Question 51

How does General Data Protection Regulation (GDPR) protect subjects?

Answer 51

By giving data subjects (users) rights to withdraw consent, and to inspect, amend, or erase data held about them.

Question 52

Define the ‘California Consumer Privacy Act (CCPA)’ and its purpose

Answer 52

Provides California residents the right to know what personal information businesses collect about them, the purpose of collecting this data, and with whom they share it.

Question 53

Define ‘centralized security governance’

Answer 53

Decision-making authority primarily rests with a single core group or department that establishes policies, procedures, and guidelines.

Question 54

Define ‘decentralized security governance’

Answer 54

Distributes decision-making authority to different groups or departments to facilitate security-focused decisions based on localized needs and priorities.

Question 55

Define a ‘hybrid security governance’

Answer 55

Specific security processes and decisions are centralized, while others are delegated to business units or departments.

Question 56

What is the role of a governance committee?

Answer 56

SMEs and operational leaders that focus on specific issues, such as security, risk management, audit, or compliance providing in-depth analysis, recommendations, and operational support to the governance board to help drive decisions.

Question 57

What is the role of a governance board?

Answer 57

Executives with the ultimate decision-making authority and is responsible for setting the strategic direction and policies of the organization.

Question 58

What are the 4 roles of security/data governance?

Answer 58

1. Owner
2. Controller
3. Processor
4. Custodian

Question 59

Define the role of an ‘owner’ in security/data governance

Answer 59

An executive role that identifies what level of classification and sensitivity the data has, decides who should have access to it, and what level of security should be applied.

Question 60

Define the role of a ‘controller’ in security/data governance

Answer 60

The entity ensures data processing activities adhere to all legal requirements; Helps maintain legal and regulatory compliance.

Question 61

Define the role of a ‘processor’ in security/data governance

Answer 61

An entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector; Ensures that data is handled securely and in accordance with the rules established by the owner and controller roles.

Question 62

How do processors adhere to security/data governance?

Answer 62

By maintaining records of their processing activities, cooperate with supervisory authorities, and implement appropriate security measures to protect the data they handle.

Question 63

Define the role of a ‘custodian’ in security/data governance

Answer 63

Data steward - implements and enforces the security controls established by the data owner and controller; Responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.

Question 64

What must be included when proposing a change request in change management?

Answer 64

Documentation, including details describing what will be changed, the reasons for the change, any potential impacts, and a rollback plan in case the change does not work as planned.

Question 65

When assessing a change request, what must be considered?

Answer 65

Each change must be subject to risk assessment to identify potential security impacts.

Question 66

What the role of an ‘owner’ in change management

Answer 66

Project managers/team leaders accountable for ensuring change is implemented as planned, risks are managed effectively, and there’s a clear plan for communication/training associated with the change.

Question 67

Define a ‘stakeholder’

Answer 67

A person who has a business interest in the outcome of a project or is actively involved in its work.

Question 68

Define ‘impact analysis’

Answer 68

Change management process of identifying and assessing the potential implications of a proposed change.

Question 69

How do test results affect change management?

Answer 69

Test results provide valuable insight into the likelihood of success and help identify potential issues without impacting business operations.

Question 70

How do ‘back out plans’ affect change management?

Answer 70

A well-defined back out plan helps to minimize downtime and reduces the risk of data loss or other severe impacts.

Question 71

What is the role of maintenance windows in change management?

Answer 71

A predefined, recurring time frame for implementing changes.

Question 72

How do ‘Standard Operating Procedures (SOPs)’ affect change management?

Answer 72

Written instructions that describe how to carry out routine operations or changes to ensure that changes are implemented consistently and effectively.

Question 73

Define an ‘allow list’ in regards to change management

Answer 73

A list of approved software, hardware, and specific change types that are not required to go through the entire change management process.

Question 74

Define a ‘deny list’ in regards to change management

Answer 74

Includes explicitly blocked software, hardware, and specific change types or high-impact changes that must always go through the full change management process, or individuals who are not authorized to implement or approve changes.

Question 75

Define ‘Version control’

Answer 75

Tracking and controlling changes to documents, code, or other important data.

Question 76

How can automation be used for security management?

Answer 76

Monitoring for threats, applying patches, maintaining baselines, or responding to incidents.

Question 77

What is the role of orchestration in security management?

Answer 77

Enhances automation by coordinating and streamlining the interactions between automated processes and systems.

Question 78

Define a ‘workforce multiplier’

Answer 78

A tool or automation that increases employee productivity, enabling them to perform more tasks to the same standard per unit of time.

Question 79

Define ‘Operator fatigue’

Answer 79

The mental exhaustion experienced by cybersecurity professionals.

Question 80

Define ‘technical debt’

Answer 80

Costs accrued by keeping an ineffective system or product in place, rather than replacing it with a better-engineered one.