Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CSIA 300 6982 Cybersecurity for Leaders and Managers > Chapter 1 - Understanding Cybersecurity Policy and Governance > Flashcards

Chapter 1 - Understanding Cybersecurity Policy and Governance Flashcards

(131 cards)

Start Studying
1
Q

What is the significance of cybersecurity policies?

A

Cybersecurity policies protect individuals, economies, critical infrastructure, and countries from harm due to misuse or compromise of information and systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What role does policy play in corporate culture and civil society?

A

Policy provides direction, structure, and order, influencing behavior within organizations and society.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the objective of cybersecurity-related policies?

A

To establish guidelines for protecting information and information systems from threats.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

List the characteristics of successful cybersecurity policies.

A
  • Clear objectives
  • Comprehensive scope
  • Adaptability
  • Stakeholder involvement
  • Regular updates
  • Effective communication
  • Implementation strategies
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Define the life cycle of a cybersecurity policy.

A

The life cycle includes stages such as development, implementation, evaluation, and revision.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

How does the U.S. Department of Homeland Security define critical infrastructure?

A

As assets, systems, and networks vital to the economy, security, and health of the nation, whose incapacitation would have a debilitating effect.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What did Presidential Policy Directive 7 establish in 2003?

A

A national policy requiring federal entities to identify and protect critical infrastructure from attacks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is the key focus of Presidential Policy Directive 21 issued in 2013?

A

To strengthen and maintain secure and resilient critical infrastructure through shared responsibility.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What does Executive Order 13800 require from federal agencies?

A

Adoption of the Framework for Improving Critical Infrastructure Cybersecurity developed by NIST.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is the main goal of Executive Order 14028 issued by President Biden?

A

To improve the cybersecurity defenses of the U.S. government and private sector.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Fill in the blank: The Cyber Resilience Act (CRA) and AI Act are regulations released by the _______.

A

[European Union]

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What are the three classifications of corporate culture?

A
  • Negative
  • Neutral
  • Positive
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is the difference between information security and cybersecurity policies?

A

Information security focuses on protecting data within an organization, while cybersecurity encompasses broader protection against attacks across all connections.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is the primary purpose of the Torah from a social perspective?

A

To articulate a codified social order and provide guidance for behavior and interactions within society.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

True or False: The U.S. Constitution was designed to be a static document without provisions for change.

A

False

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How can corporate culture be shaped within an organization?

A

Both informally through individual treatment and formally through written policies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is a key lesson learned from the U.S. Constitution regarding policy?

A

Policies need to be dynamic enough to adjust to changing environments.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What role does policy play in protecting individual liberties?

A

Policy provides direction and structure to safeguard rights and freedoms.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are some examples of business-related rules from the Torah?

A
  • Not to use false weights and measures
  • Not to charge excessive interest
  • To be honest in all dealings
  • To pay wages promptly
  • To fulfill promises to others
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is a common impact of negative corporate culture?

A

A hostile environment where employees do not feel safe and customers are not valued.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What is the focus of the EU CRA Roadmap?

A

Strengthening the European cybersecurity ecosystem and enhancing resilience against cyber incidents.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What does cybersecurity encompass beyond traditional information security?

A
  • Cyber risk management
  • Threat intelligence
  • Supply chain security
  • Incident response
  • Vulnerability management
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is the role of guiding principles in corporate culture?

A

They synthesize the fundamental philosophy and beliefs of an organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What is the difference in response between Company A and Company B after a data breach?

A

Company A blames management and avoids customer notification, while Company B seeks feedback, improves controls, and informs customers timely.

This illustrates the impact of corporate culture on incident response.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What are the characteristics of a positive corporate culture regarding cybersecurity?
Focuses on protecting information, solicits input, engages in education, and allocates resources appropriately. ## Footnote Such a culture values employees and customers.
26
What is the philosophy of honoring the public trust?
To be careful stewards of the information entrusted to organizations, ensuring protection against unauthorized disclosure. ## Footnote It emphasizes the importance of privacy in various contexts.
27
What is the role of a cybersecurity policy?
To codify guiding principles, shape behavior, provide guidance, and serve as an implementation roadmap. ## Footnote It defines how an organization protects its information assets.
28
What are the objectives of a cybersecurity policy?
To protect the organization, employees, customers, and vendors from harm, and to ensure information integrity and availability. ## Footnote This includes safeguarding against both intentional and accidental damage.
29
Define 'cyber' in the context of cybersecurity.
'Cyber' refers to anything involving computers or computer networks, especially in terms of crime, terrorism, or warfare. ## Footnote It highlights the technological aspect of modern threats.
30
What is an information asset?
An information asset is data with context or meaning that holds value for an organization. ## Footnote Examples include customer data, employee records, and business plans.
31
What is a defense-in-depth strategy?
A layered security approach that ensures multiple security controls are in place to protect network and corporate assets. ## Footnote It allows for protection even if a single control fails.
32
List the layers included in a defense-in-depth strategy.
* Administrative activities * Physical security * Perimeter security * Host security solutions * Application security best practices * Encryption methods ## Footnote Each layer adds complexity but enhances overall security.
33
What is zero trust architecture?
A security model that advocates for 'never trust, always verify' to enhance identity-focused security. ## Footnote It shifts the security paradigm from being network-focused.
34
What are the characteristics of successful cybersecurity policy?
* Endorsed * Relevant * Realistic * Attainable * Adaptable * Enforceable * Inclusive ## Footnote These characteristics ensure policies are effective and widely accepted.
35
True or False: A successful cybersecurity policy must specify exactly how to implement its directives.
False. A good policy establishes what must be done and why, but not how. ## Footnote This allows for flexibility in implementation.
36
Fill in the blank: A cybersecurity policy must be ______ to the organization.
Relevant.
37
Why is it important for policies to be realistic?
To prevent employees from rejecting policies that do not reflect their operational reality. ## Footnote Unrealistic policies lead to non-compliance and frustration.
38
What should organizations do to ensure policies are attainable?
Involve key personnel in policy development and ensure expectations are reasonable. ## Footnote This helps in creating a clear path for success.
39
How can a cybersecurity policy remain adaptable?
By allowing changes in response to market conditions and innovations without compromising security. ## Footnote Static policies can hinder growth and innovation.
40
What is the significance of visible leadership in policy implementation?
Visible leadership demonstrates commitment to the policy and encourages compliance among employees. ## Footnote Leadership actions can motivate or demotivate adherence to policies.
41
What should organizations consider when implementing cybersecurity in a multi-cloud environment?
Focus on security, operational effectiveness, and understanding the responsibilities of cloud providers. ## Footnote This is crucial for maintaining data integrity and availability.
42
What is meant by 'going around' security?
The way to get things done that may introduce risks to the organization.
43
What was Company A's approach to developing its mobile app?
The programming manager instructed her team to keep the development process secret and not involve other departments.
44
What was Company B's approach to developing its mobile app?
The programming manager demanded security requirements be defined early in the software development cycle.
45
What is an adaptable cybersecurity policy?
A policy designed to support the organizational mission and encourage reassessment of current requirements.
46
What does the term 'enforceable' mean in the context of cybersecurity policy?
It means that controls can be implemented to support the policy and compliance can be measured.
47
True or False: Company A had controls in place to restrict Internet access to business use only.
False
48
What happens when a rule is broken without consequences?
The rule becomes essentially meaningless.
49
What should an effective cybersecurity policy include for external parties?
Consideration of third parties in the policy thought process.
50
What is the role of government in cybersecurity?
To protect critical infrastructure and citizens through regulation.
51
Define 'regulation' in the context of cybersecurity.
Intervention to restrain or cause uniform actions in cybersecurity practices.
52
What is the Gramm-Leach-Bliley Act (GLBA)?
Legislation aimed at protecting consumer financial information and ensuring its confidentiality.
53
What does the HIPAA Security Rule protect?
Individuals’ electronic personal health information (ePHI).
54
Fill in the blank: The _______ Act requires financial institutions to develop cybersecurity policies.
Gramm-Leach-Bliley
55
What is the primary objective of the Sarbanes-Oxley Act (SOX)?
To protect investors by improving the accuracy of corporate disclosures.
56
What are the six main goals of the Payment Card Industry Data Security Standard (PCI DSS)?
* Build and maintain a secure network and systems * Protect cardholder data * Maintain a vulnerability management program * Implement strong access control measures * Regularly monitor and test networks * Maintain an information security policy
57
What does the Children’s Online Privacy Protection Act (COPPA) require?
Websites directed at children to obtain verifiable parental consent before collecting personal information.
58
What rights does the California Consumer Privacy Act (CCPA) provide to consumers?
* Right to know about data collection * Right to request deletion of personal information * Right to opt out of data sales * Right to access data in a usable format
59
What are the requirements of the Defense Federal Acquisition Regulation Supplement (DFARS)?
Stringent cybersecurity requirements for contractors doing business with the DoD.
60
What is the purpose of the Federal Risk and Authorization Management Program (FedRAMP)?
To standardize the security assessment process for cloud products and services.
61
What does the General Data Protection Regulation (GDPR) aim to achieve?
Give individuals greater control over their personal data and harmonize data protection laws across the EU.
62
What does GDPR stand for?
General Data Protection Regulation ## Footnote GDPR is a regulation in EU law on data protection and privacy.
63
Which rights are granted to individuals under GDPR?
* Right to access and correct personal data * Right to data portability * Right to be forgotten * Requirement for explicit and informed consent ## Footnote These rights empower individuals regarding their personal data.
64
What are the potential fines for noncompliance with GDPR?
Up to 4% of global annual revenue or €20 million, whichever is higher.
65
What was the purpose of the NIS Directive?
To enhance cybersecurity across EU member states.
66
What sectors are targeted by the NIS Directive?
* Energy * Transportation * Health care * Financial services * Digital service providers ## Footnote These sectors are required to take appropriate security measures and report incidents.
67
What is the Data Protection Act 2018?
The U.K.'s implementation of the GDPR, with additional provisions and exceptions.
68
What is Cyber Essentials?
A U.K. government-backed certification scheme encouraging organizations to adopt fundamental cybersecurity practices.
69
List the five key controls outlined in Cyber Essentials.
* Secure configuration * Boundary firewalls and Internet gateways * Access control * Patch management * Malware protection
70
What does PIPEDA stand for?
Personal Information Protection and Electronic Documents Act ## Footnote PIPEDA is a Canadian law governing private-sector organizations' handling of personal information.
71
What are the Australian Privacy Principles (APPs)?
Principles guiding how personal information should be collected, stored, used, and disclosed.
72
What is the aim of POPIA?
To safeguard the processing of personal information by public and private entities in South Africa.
73
What is required under Japan's Personal Information Protection Act (PIPA)?
Organizations must obtain consent before collecting or using personal data.
74
What does India's Information Technology Act of 2000 primarily regulate?
Cyber activities including electronic commerce, governance, and cybercrimes.
75
What federal law governs the privacy of student records in the U.S.?
FERPA (Family Educational Rights and Privacy Act of 1974).
76
What is the California Security Breach Information Act?
Requires businesses or state agencies to notify residents of California of security breaches involving personal information.
77
What does the Massachusetts regulation 201 CMR 17 require?
Establishes minimum standards for safeguarding personal information of residents.
78
What is the role of the Information Commissioner’s Office (ICO) in the U.K.?
Responsible for enforcing data protection laws.
79
What are the responsibilities of the Board of Directors in the cybersecurity policy life cycle?
* Communicate guiding principles * Authorize policy * Champion the policy * Lead by example * Reauthorize or approve retirement
80
Fill in the blank: The first step in policy development is _______.
[Planning]
81
True or False: Noncompliance with PIPEDA can lead to legal action, including fines.
True
82
What is the main challenge in establishing global cybersecurity policies?
The complexity of public policy issues makes a global policy practically impossible to attain.
83
What are the key tasks in the policy development phase?
* Planning * Researching * Writing * Vetting * Approving
84
What organization oversees compliance with Australia’s Privacy Act?
Office of the Australian Information Commissioner (OAIC).
85
What is the first task in the vetting process of cybersecurity policies?
Consulting with internal and external experts including legal counsel, HR, compliance, cybersecurity professionals, auditors, and regulators.
86
Why is approval of cybersecurity policies considered cross-departmental?
Because cybersecurity policies affect the entire organization and require consensus and support from all affected departments.
87
What is required for the authorization of cybersecurity policies?
Agreement from executive management or an equivalent authoritative body.
88
Which two regulations require written cybersecurity policies that are board approved?
GLBA and HIPAA.
89
What are the three key tasks in the publication phase of a policy?
* Communication * Dissemination * Education
90
What is the goal of the communication task in policy publication?
To deliver the message that the policy is important to the organization.
91
True or False: Leaders who see their role as a privilege positively influence cybersecurity compliance.
False.
92
What does the dissemination task involve?
Making the policy available and accessible to the intended audience.
93
Why is ongoing training and education important in the context of cybersecurity policies?
It builds culture and reinforces understanding of policy objectives.
94
Fill in the blank: The ultimate goal of policy adoption is __________.
[normative integration]
95
What are the three key tasks in the adoption phase of a policy?
* Implementation * Monitoring * Enforcement
96
What is required for successful implementation of a policy?
Everyone involved must understand the intent of the policy and how it is to be applied.
97
What must be monitored post-implementation of a policy?
Compliance and policy effectiveness.
98
True or False: Policies must be enforced inconsistently to be effective.
False.
99
What are the two key tasks in the review phase of a policy?
* Soliciting feedback * Reauthorizing or retiring policies
100
What is the purpose of soliciting feedback on cybersecurity policies?
To ensure policies keep up with significant changes in the organization or technology infrastructure.
101
What happens to outdated policies during the review phase?
They should be refreshed; those no longer applicable should be retired.
102
What is the purpose of policies in organizations?
To address common foreseeable situations and guide decision-making.
103
List the seven common characteristics of a successful cybersecurity policy.
* Endorsed * Relevant * Realistic * Attainable * Adaptable * Enforceable * Inclusive
104
What does normative integration mean in the context of policy adoption?
The policy is expected behavior, and all others are considered deviant.
105
Which document serves as an excellent example of a strong, flexible, and resilient policy?
The U.S. Constitution.
106
What is the objective of a cybersecurity policy?
To protect an organization, its employees, customers, and partners from harm related to information misuse or damage.
107
True or False: Policies can remain static and never need to change.
False.
108
Who is responsible for approving the retirement of a policy?
Executive management or the board of directors.
109
What sector is not considered part of the 'critical infrastructure'?
Museums and arts.
110
What is the difference between cybercrime and cyber-espionage?
Cybercrime involves illegal activities for personal gain, while cyber-espionage involves spying on governments or organizations.
111
Fill in the blank: Policies should be reviewed __________.
[annually or sooner if significant change occurs]
112
Which phase of the cybersecurity policy life cycle involves communication, dissemination, and education?
Publication phase.
113
What is the difference between cybercrime, hacktivism, cyber-espionage, and cyber-warfare?
Cybercrime involves illegal activities conducted via the internet; hacktivism is politically motivated hacking; cyber-espionage is spying conducted through digital means; cyber-warfare refers to state-sponsored attacks against another state's information systems. ## Footnote Each of these terms represents a different motivation and context for cyber activities.
114
What are the similarities between cybercrime, hacktivism, cyber-espionage, and cyber-warfare?
All involve the use of technology to achieve goals, often bypassing legal and ethical norms, and they can lead to significant harm or disruption. ## Footnote These activities can overlap in methods and impacts, creating challenges for law enforcement and policy makers.
115
Are cyber threats escalating or diminishing?
Escalating. ## Footnote Trends indicate an increase in frequency, sophistication, and impact of cyber threats globally.
116
What is the objective of PROJECT 1.1: Honoring the Public Trust?
To find examples of policies or practices that banks and hospitals use to protect customer and patient information. ## Footnote This project emphasizes the importance of data privacy in sensitive sectors.
117
How do the policies or practices of banks compare to those of hospitals?
Both aim to protect sensitive personal information but may differ in regulatory frameworks and specific practices. ## Footnote Banks often focus on financial data protection, while hospitals emphasize health information privacy.
118
What are some regulatory requirements that bank policies or hospital policies may reference?
* GDPR * FedRAMP * NIS * HIPAA ## Footnote These regulations vary by industry and geographic region, influencing how institutions handle data protection.
119
What is the objective of PROJECT 1.2: Understanding Government Regulations?
To explore the impact of key government regulations on various industries, highlighting their influence on business practices and consumer rights. ## Footnote This project encourages analysis of regulations like HIPAA and GDPR.
120
What should students analyze regarding government regulations?
* Origins * Purposes * Enforcement * Effects on businesses and society ## Footnote Understanding these elements is crucial for assessing the effectiveness of regulations.
121
What is the focus of PROJECT 1.3: Developing Communication and Training Skills?
To introduce a new security policy requiring identification badges for students and employees. ## Footnote This project emphasizes the importance of effective communication and training in policy implementation.
122
What should the action plan for developing a cybersecurity policy at OK Credit Union include?
* Biggest challenge * Personnel involvement * OK Credit Union staff participation * Support building strategies * Handling employee resistance * Compliance issues ## Footnote These elements are critical for successful policy adoption.
123
What is the objective of PROJECT 1.4: Comparing the EU Cyber Resilience Act and the U.S. Executive Order on Improving the Nation’s Cybersecurity?
To explore, compare, and contrast the cybersecurity approaches of the EU and the U.S., analyzing strengths and weaknesses. ## Footnote This project highlights the importance of global cybersecurity strategies.
124
What are the main provisions of the EU Cyber Resilience Act (CRA)?
Establishes cybersecurity requirements for digital products in the EU market. ## Footnote The CRA aims to strengthen the overall cybersecurity posture within the EU.
125
What does the U.S. Executive Order on Improving the Nation’s Cybersecurity focus on?
Enhancing cybersecurity across federal agencies and promoting public-private partnerships. ## Footnote This order is part of a broader strategy to address national security concerns.
126
What methods should be used to compare the CRA and the Executive Order?
* Legislative content * Scope * Enforcement mechanisms * Impact assessment ## Footnote These methods provide a structured approach to analysis.
127
What are the implications of comparing the CRA and the Executive Order?
Understanding how each measure influences global cybersecurity norms and international cooperation. ## Footnote This comparison can inform future policy decisions.
128
What are some key elements to analyze regarding enforcement mechanisms?
* Compliance requirements * Penalties for noncompliance * Measures to ensure adherence ## Footnote Effective enforcement is essential for the success of cybersecurity regulations.
129
What are the expected impacts of the CRA and the Executive Order?
Improved cybersecurity resilience and enhanced protection against cyber threats. ## Footnote Both measures aim to create a safer digital environment.
130
What are the benefits of government regulations for consumers?
* Enhanced protection of personal information * Increased trust in services * Promotion of social welfare ## Footnote Regulations play a vital role in consumer protection.
131
What areas should future research focus on regarding cybersecurity policy?
Building on findings from comparative analyses and exploring emerging threats and technologies. ## Footnote Future research can help adapt policies to evolving challenges.

CSIA 300 6982 Cybersecurity for Leaders and Managers (8 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions