Chapter 16 - Security Governance and Compliance Flashcards

1
Q

Governance

A

Governance programs are the sets of procedures and controls put in place to allow an organization to effectively direct its work.

2
Q

Board of Directors

A

A Board of Directors has ultimate authority over a corporation as the owners' representatives. Shareholders elect the members of this board to direct the actions of the corporation on their behalf.

3
Q

Independent Directors

A

Independent Directors have no significant relationship with the company other than their board membership.

4
Q

Chief Executive Officer (CEO)

A

The Chief Executive Officer is hired by the board of directors to manage the day-to-day operations of the corporation. The board may also dismiss the CEO, and it determines the CEO's performance reviews and compensation.

5
Q

Centralized Governance Model

A

Centralized Governance Models use a top-down approach where a central authority creates policies and standards, which are then enforced throughout the organization.

6
Q

Decentralized Governance Model

A

Decentralized Governance Models use a bottom-up approach, where individual business units are delegated the authority to achieve cybersecurity objectives and then may do so in the manner they see fit.

7
Q

Policy

A

Policies are high-level statements of management intent. Compliance with policies is mandatory. An information security policy will generally contain broad statements about cybersecurity objectives.

8
Q

Standards

A

Standards provide mandatory requirements describing how an organization will carry out its information security policies. These may include the specific configuration settings used for a common operating system, the controls that must be put in place for highly sensitive information, or any other security objective.

9
Q

Procedures

A

Procedures are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances. Similar to checklists, procedures ensure a consistent process for achieving a security objective.

10
Q

Guidelines

A

Guidelines provide best practices and recommendations related to a given concept, technology, or task. Compliance with guidelines is not mandatory, and guidelines are offered in the spirit of providing helpful advice.

11
Q

Compensating Control

A

Compensating Controls are designed to mitigate the risk created by an approved exception to a security standard. They should provide protection comparable to the control they stand in for, and the exception should be documented and periodically reviewed.

12
Q

Change Management

A

Change Management processes ensure that appropriate personnel review and approve changes before implementation and ensure that personnel test and document the changes.

13
Q

Impact Analysis

A

Impact Analysis is the process of evaluating changes to identify any security impacts before personnel deploy the changes in a production environment.

14
Q

Backout Plan

A

A Backout Plan allows personnel to undo the change and return the system to its previous state if necessary.

15
Q

What are the common tasks within a change management process?

A
  1. Request the change
  2. Review the change
  3. Approve/reject the change
  4. Test the change
  5. Schedule and implement the change
  6. Document the change
16
Q

Version Control

A

Version Control ensures that developers and users have access to the latest versions of software and that changes are carefully managed throughout the release process. A labeling or numbering system differentiates between different software sets and configurations across multiple machines or at different points in time on a single machine.

17
Q

Two-Person Control

A

Two-Person Control requires the participation of two people to perform a single sensitive action.

18
Q

Job Rotation

A

Job Rotation practices take employees with sensitive roles and move them periodically to other positions in the organization. The motivating force behind these efforts is that many types of fraud require ongoing concealment activities. If an individual commits fraud and is then rotated out of their existing assignment, they may not be able to continue those concealment activities due to changes in privileges and their replacement may discover the fraud themselves.

19
Q

Mandatory Vacations

A

Mandatory Vacation policies force employees to take an annual vacation of a week or more and revoke their access privileges for the duration of that vacation, so that any fraud requiring ongoing concealment is more likely to surface while the employee is away.

20
Q

Clean Desk Policy

A

Clean Desk Policies are designed to protect the confidentiality of sensitive information by limiting the amount of paper left exposed on unattended employee desks.

21
Q

Due Diligence

A

Due Diligence involves thoroughly vetting potential vendors to ensure that they meet the organization’s standards and requirements. This process should include an evaluation of the vendor’s financial stability, business reputation, quality of products or services, and compliance with relevant regulations.

22
Q

Conflicts of Interest

A

A Conflict of Interest arises when a vendor has a competing interest that could influence its behavior in a way that is not aligned with the best interests of the organization.

23
Q

Right-to-Audit Clause

A

The Right-to-Audit Clause allows the customer to conduct or commission audits on the vendor’s operations and practices to ensure compliance with terms and conditions.

24
Q

Supply Chain Analysis

A

Supply Chain Analysis is vital in understanding the risks associated with the vendor’s supply chain. This includes assessing the vendor’s suppliers and understanding the interdependencies and risks that could impact the vendor’s ability to deliver products or services.

25
Q

Questionnaires

A

Questionnaires are used to collect information about the vendor's practices and performance at regular intervals, typically during onboarding and then on a recurring schedule.

26
Q

Service Level Agreements (SLAs)

A

Service Level Agreements are written contracts that specify the conditions of service that will be provided by the vendor and the remedies available to the customer if the vendor fails to meet the SLA.

27
Q

Memorandum of Understanding (MOU)

A

A Memorandum of Understanding is a letter written to document aspects of the relationship between a vendor and a customer. MOUs are an informal mechanism that allows the parties to document their relationship to avoid future misunderstandings.

28
Q

Memorandum of Agreement (MOA)

A

A Memorandum of Agreement is a formal document that outlines the terms and details of an agreement between parties, establishing a mutual understanding of the roles and responsibilities in fulfilling specific objectives. MOAs are generally more detailed than MOUs and may include clauses regarding resource allocation, risk management, and performance metrics.

29
Q

Business Partner Agreement (BPA)

A

Business Partner Agreements exist when two organizations agree to do business with each other in a partnership.

30
Q

Rules of Engagement

A

Rules of Engagement define the boundaries within which the vendor should operate. They normally include setting clear communication protocols, defining responsibilities, and establishing processes for issue resolution.

31
Q

Compliance Reporting

A

Compliance Reporting documents and demonstrates how the organization meets its regulatory requirements, maintaining transparency within the organization and with external stakeholders such as regulators and auditors.

32
Q

Due Care

A

Due Care refers to the ongoing efforts to ensure that the implemented policies and controls are effective and continuously maintained. This means regularly reviewing and updating policies and taking proactive steps to ensure compliance.

33
Q

Maturity Model

A

A Maturity Model describes the current and desired positioning of an organization along a continuum of progress.

34
Q

What are the five security functions of the NIST Framework Core?

A
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
(Note: the NIST CSF 2.0 revision, published in 2024, adds a sixth function, Govern, which spans the other five.)
35
Q

What are the four NIST Framework Implementation Tiers?

A
  1. Partial
  2. Risk Informed
  3. Repeatable
  4. Adaptive
36
Q

NIST Risk Management Framework for Information Systems and Organizations (RMF)

A

Described in NIST SP 800-37, the NIST RMF is a formal process for categorizing systems, selecting and implementing security controls, assessing them, and authorizing system use, followed by continuous monitoring. The RMF is a mandatory standard for federal agencies.

37
Q

ISO 27001

A

ISO 27001, titled Information Security Management Systems, is the standard against which organizations are certified. Its Annex A (in the 2013 edition) groups control objectives into the following categories; the 2022 revision regroups the controls into organizational, people, physical, and technological themes:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance with internal requirements, such as policies, and with external requirements, such as laws
38
Q

ISO 27002

A

The ISO 27002 standard goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives. ISO designed this supplementary document for organizations that wish to:

  • Select information security controls
  • Implement information security controls
  • Develop information security management guidelines
39
Q

ISO 27701

A

ISO 27701 extends ISO 27001 and ISO 27002 with requirements and guidance for a privacy information management system (PIMS). It is important to remember that ISO 27001 covers cybersecurity while ISO 27701 covers privacy.

40
Q

ISO 31000

A

ISO 31000 provides guidelines for risk management programs. This document is not specific to cybersecurity or privacy but covers risk management in a general way so that it may be applied to any risk.

41
Q

Center for Internet Security (CIS)

A

The Center for Internet Security is a nonprofit organization that publishes hundreds of security configuration benchmarks for commonly used platforms (operating systems, cloud services, databases, and network devices).

42
Q

Role-Based Training

A

Role-Based Training makes sure that individuals receive the appropriate level of training based on their job responsibilities.

43
Q

Security Awareness

A

Security Awareness efforts are less formal than training and are designed to remind employees of the security lessons they have already learned. Unlike security training, Security Awareness efforts do not require employees to set aside time to learn new material.