Domain 1: Governance, Risk & Compliance Flashcards

1
Q

What is Governance?

A

Governance is accountability, authorization to make decisions, and oversight. Proper governance ensures that the organization’s strategies are aligned with its business, regulatory, and operating environment.

2
Q

What is Information Security Governance?

A

Information security governance is the framework for reducing information security risk to the organization. The framework should include:
* Definition of the information security strategy aligned with the organization’s governance and organizational goals.
* Information security organizational structure
* A methodology for risk management
* Information security management directives (including policies, standards, guidelines, and so on)
* Continuous measurement and improvement of the program

3
Q

What are some of the external and internal drivers that shape a security program?

A

External drivers that shape the security program include regulatory drivers, industry best practices, and the risks and threats specific to the organisation.
Internal drivers include:
* Leadership understanding and perception: ensures security is a priority at the highest levels.
* Management structure: ensures the CISO has a direct line of communication to leadership.
* Culture and climate
* History and lessons learned

4
Q

What is a fundamental aspect of Security Governance?

A

Measuring and monitoring the governance program itself, which supports the organization’s understanding of the security return on investment (ROI).

5
Q

What are the factors that influence the size and spend of the CISO organisation?

A

The factors that affect a security organisation's spending and sizing are extensive, including:
* value of assets, especially the most critical ones
* type and frequency of the risks and threats the organisation faces
* current state of the organization's security posture (the gap between current and target state)
* regulatory requirements

6
Q

Based on industry surveys and published trends, what figures are typically cited for information security spending?

A
  • security spending of roughly $1,000 to $3,000 per full-time employee
  • security spending as a percentage of IT spending ranging from 1 percent to 15 percent; surveys commonly report about 6 percent as an average, and some report figures as high as 30 percent
  • security spending of 0.2 percent to 0.9 percent of company revenue
These are survey snapshots that vary by industry, company size, and year; they are benchmarks for a conversation with leadership, not targets.
7
Q

What are the elements of the CISO management structure regardless of organisation?

A

Should have the following elements:
* Clear lines of authority (chain of command): clearly defined lines of reporting and authority
* Situational awareness: provide the CISO with a view of the performance of the entire security program.
* Internal and external communication and reporting: provide ways of reporting the most essential information within the security organization as well as outside of it.

8
Q

What are the types of management structures?

A

The most common organisation types:
* Hierarchical (tiered): provides clear lines of reporting, tight controls, and well-defined roles, but can be bureaucratic, slowing decision making and adding cost.
* Flat (horizontal): few or no management layers between staff and leadership; fast and low-overhead, but best suited to smaller organisations because span of control breaks down as headcount grows.
* Matrix: a hybrid of hierarchical and flat, in which staff report along two lines (for example a functional manager and a project or business-unit manager) so that resources can be shared more efficiently. This can create confusion and even conflicting goals and priorities.

9
Q

What is the CIA triad?

A
  • Confidentiality: protection of data so that it is accessible only to the people authorized to see it.
  • Integrity: accuracy and completeness of data, and protection against unauthorized or undetected modification.
  • Availability: protection of systems so that authorized users have reliable and timely access to data and resources.
10
Q

What are the definitions of Security Vulnerabilities, Threats, Risks, and Exposures?

A
  • Vulnerability: any weakness that could potentially be exploited.
  • Threat: a potentially damaging event, or the agent behind it, associated with the exploitation of a vulnerability.
  • Risk: the likelihood that a vulnerability will be exploited by a threat, combined with the impact of such an event.
  • Exposure: the condition of being subject to loss from a threat; the potential that a security breach could occur.
  • Countermeasure: a control put in place to reduce a risk by lowering its likelihood or its impact.
11
Q

What are the four steps of a cyber attack?

A
  1. Reconnaissance: attacker conducts research to learn about the target by performing web searches, examining social media accounts of the organization and its employees, reading press releases and media articles, or even physically observing the organization’s employees or facilities.
  2. Enumeration: identify the organization’s information assets and corresponding vulnerabilities to exploit in the next phase.
  3. Exploitation: using attack methods for probing and exploiting specific vulnerabilities with the goal of gaining unauthorized access to the enterprise.
  4. Action on objectives: once the attacker gains access, they can exfiltrate or steal data, modify data, destroy data, or otherwise disrupt the environment. Often the immediate goal is to move laterally and gain access to other systems.
12
Q

What are the common attack methods used within exploitation?

A

i. Phishing
ii. Fake websites
iii. Malware, including:
  Virus: malicious code that hides inside another application or file and runs when that host is run
  Trojan: malware disguised as something useful so the victim installs it willingly
  Worm: self-replicating malware that propagates to other systems over the network without needing a host program or user action
iv. Vulnerability-specific attacks: exploits that target a particular weakness in software, configuration, or a protocol

13
Q

What is risk management?

A

The process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right controls to maintain that level.

14
Q

According to SP 800-39, what are the three tiers to ensure risk management is applied to the entire organisation?

A

Three tiers:
1. Organizational tier
2. Mission/business process: using “risk-aware” business processes or addressing risk via the enterprise architecture as a whole
3. Information system: risk managed within the secure system development life cycle (SSDLC) of a given system.

15
Q

What are the three components of Risk management?

A

Approach: Encompasses all the activities and factors that go into implementing, managing, and improving the risk management program.
Process: Encompasses the activities from identifying the team, defining scope, the method of identifying risk (quantitative or qualitative), understanding risk levels, and finally making recommendations.
Method: The type of risk assessment methodology used to assess risk.

16
Q

What are the activities within the Risk Management approach component?

A

○ Organisation: establishing the acceptable risk levels for the organization and assets, choosing the risk mitigation approaches, and approving the mitigation results and the results of risk assessments. These ensure the risk decisions are commensurate with the business goals.
○ Implementation: risk management program is defined by a program charter, plan, and risk management policy that define the scope, goals, and requirements of the program. Ultimately this should include budget, staffing and procedures
○ Monitoring, reporting, and continuous improvement: there should, at a minimum, be an informal review cycle to monitor the program, and a defined process for reporting and escalating any material risks discovered during risk assessments.
○ Maturity: improve risk management over time, for example against CMMI's maturity levels from Initial to Optimizing.

17
Q

What are the activities within the Risk Management: Process component?

A

○ Plan:
§ Identify the team: Which should include representatives from across the organisation.
§ Define the scope: System, business process, or function, region or department
§ Define model or method: There are essentially two approaches: quantitative analysis and qualitative analysis.
§ Use of tools: include configuration management, threat intelligence platforms
§ Understand acceptable risk levels: the residual risk, which is the risk that remains after controls or countermeasures are put in place
○ Collect information: specified by the risk assessment method.
○ Define Recommendations: are made to the decision-making authority, which we refer to as “management”. There are four choices: accept, transfer, mitigate, or avoid.

18
Q

What is the difference between Quantitative and Qualitative risk methods?

A

Quantitative methods: calculate the expected monetary loss associated with a given threat, so that the result can be compared directly against the cost of controls.
§ Factors may include:
□ Asset value
□ Threat probability (rate of occurrence)
□ Vulnerability (how exposed the asset is)
□ Impact of loss
□ Cost of countermeasures or controls
Qualitative methods: rate the risk of a given threat to a given asset on ordinal scales (for example low/medium/high) rather than in currency. Faster and less data-hungry, but the results are subjective and cannot be summed or compared financially.
§ Factors include:
□ Severity of threat
□ Likelihood of threat occurrence
□ Severity of impact to the business (also known as consequence)
□ Effectiveness of controls
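
Worked illustration of the two methods above, carried through to the four recommendation choices from card 17 (accept, transfer, mitigate, or avoid). This is an added Python example, not part of the flashcards or of any CCISO material. The risk register entries, the money figures, the risk appetite, the 5x5 scoring scales, and the use of the standard SLE/ALE model (which the factor list implies but the card does not spell out) are all assumptions made for the example.

```python
"""Quantitative and qualitative risk scoring over a small risk register.

Added example: the register entries, money figures and rating scales are
constructed for illustration and come from no real organisation.  The
quantitative side uses the standard SLE/ALE model (an assumption; the
flashcard lists the factors but not the formulas):

    SLE = asset value * exposure factor      (loss from one incident)
    ALE = SLE * ARO                           (expected loss per year)
    control value = ALE_before - ALE_after - annual control cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    name: str
    asset_value: float       # value of the asset at risk
    exposure_factor: float   # fraction of value lost per incident (0..1)
    aro: float               # annual rate of occurrence (threat probability)
    control_cost: float      # yearly cost of the candidate countermeasure
    ef_after: float          # exposure factor once the control is in place
    aro_after: float         # ARO once the control is in place


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualised loss expectancy, rounded to cents."""
    return round(asset_value * exposure_factor * aro, 2)


def control_value(r: QuantRisk) -> float:
    """Net yearly benefit of the countermeasure; negative means it costs more than it saves."""
    before = ale(r.asset_value, r.exposure_factor, r.aro)
    after = ale(r.asset_value, r.ef_after, r.aro_after)
    return round(before - after - r.control_cost, 2)


def recommend(r: QuantRisk, appetite: float) -> str:
    """Map the numbers onto the four choices: accept, mitigate, transfer, avoid.

    'appetite' is the yearly loss management is willing to carry for one risk
    (assumed input).  Transfer vs avoid is a business decision, so both are
    returned together when mitigation does not pay for itself."""
    before = ale(r.asset_value, r.exposure_factor, r.aro)
    if before <= appetite:
        return "accept"
    if control_value(r) > 0:
        return "mitigate"
    return "transfer or avoid"


# --- qualitative scoring: ordinal scales instead of currency ---------------
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CONTROL_EFFECT = {"none": 0, "partial": 1, "strong": 2}   # likelihood ranks removed


def qualitative_score(likelihood: str, impact: str, controls: str) -> tuple[int, str]:
    """Residual likelihood x impact on a 5x5 matrix, bucketed into a rating."""
    residual = max(1, LIKELIHOOD[likelihood] - CONTROL_EFFECT[controls])
    score = residual * IMPACT[impact]
    if score >= 15:
        rating = "critical"
    elif score >= 8:
        rating = "high"
    elif score >= 4:
        rating = "medium"
    else:
        rating = "low"
    return score, rating


# Constructed register for the example (not real data).
REGISTER = [
    QuantRisk("ransomware on file server", 500_000, 0.6, 0.5, 40_000, 0.3, 0.1),
    QuantRisk("laptop theft", 3_000, 1.0, 2.0, 8_000, 0.1, 2.0),
    QuantRisk("data centre flood", 2_000_000, 0.5, 0.02, 150_000, 0.5, 0.001),
]
RISK_APPETITE = 10_000  # assumed: maximum yearly loss accepted per risk


def assess_register(register=REGISTER, appetite=RISK_APPETITE) -> dict[str, str]:
    """Recommendation per risk: the output handed to 'management' in the process step."""
    return {r.name: recommend(r, appetite) for r in register}


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:28s} ALE={ale(r.asset_value, r.exposure_factor, r.aro):>10,.2f} "
              f"control value={control_value(r):>11,.2f} -> {recommend(r, RISK_APPETITE)}")
    # The same ransomware threat viewed qualitatively: likely, major impact, partial controls.
    print(qualitative_score("likely", "major", "partial"))
```

The quantitative branch only makes sense when the organisation can estimate asset value and occurrence rate with some confidence; where it cannot, the qualitative matrix gives a defensible ranking quickly, at the cost of not being able to say whether a 40,000 control is worth buying.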

19
Q

What are the frameworks for Risk management?

A
  1. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), with three variations: OCTAVE, OCTAVE-Allegro (a more streamlined framework), and OCTAVE-S (for small organizations). It is a qualitative framework built on the idea that the people working in the organization are best placed to understand and analyze its risk.
  2. FAIR (Factor Analysis of Information Risk): a quantitative framework that provides a risk taxonomy breaking risk down into specific factors and subfactors (loss event frequency and loss magnitude, each decomposed further).
  3. ISACA Risk IT Framework: an IT-oriented framework with three domains, Risk Governance, Risk Evaluation, and Risk Response, using a hybrid of quantitative and qualitative methods.
  4. ISO/IEC 27005: the ISO standard for information security risk management. It describes a continual risk management process that can be run with quantitative or qualitative analysis but does not prescribe a specific model; it is aligned with ISO 31000, the generic (non-IT-specific) risk management standard.
  5. FISMA/FIPS/NIST RMF: provides a framework (NIST SP 800-37), processes, and models for performing qualitative risk analysis, plus a control catalogue (NIST SP 800-53), giving an end-to-end framework.
20
Q

What is a security plan and what are the components?

A

The security plan defines the complete information security program: all security roles and responsibilities, the strategic goals for the program, and all regulatory and business drivers, and it ensures that the program it presents is risk-based. Its components:
* Security streams of work: the core subject areas, or domains, of information security, e.g. intrusion detection and monitoring, vulnerability management.
* Assets: systems, data, business units, departments, or critical areas of the enterprise to which the streams of work are applied.
* Security areas of focus: aspects of the program that require attention because of external drivers, usually regulatory ones (e.g. PCI DSS, HIPAA), or internal drivers such as a voluntary commitment to ISO 27001.
* Security projects: specific activities that result from applying a stream of work to a target asset and/or area of focus, e.g. implementation of SSO, deployment of an IDPS.
* Security project management life cycle: ensures that security projects are well defined, properly documented, and executed, and provides control of resources, quality, and results.

21
Q

What are the top level documents that make up the Security management directives, and which of them are mandatory?

A
  • Policies: high-level statements of management intent and the requirements the organization must meet; mandatory.
  • Standards: establish specific methods for meeting the requirements defined in policies; mandatory.
  • Processes or procedures: step-by-step workflows or instructions; mandatory where they apply.
  • Baselines: establish specific minimum configurations for implementations of hardware or software; mandatory.
  • Guidelines: provide general direction or recommendations without specifying a requirement; the only one of the five that is not mandatory.
22
Q

What is asset Security? And why is it fundamental to the security plan?

A

identifying what assets the organization has and ultimately determining what types of controls are appropriate for each based on the risk. Asset security addresses implementing security throughout the data life cycle: Acquisition, Data Classification and Marking, Use & Archival, and Destruction.

23
Q

What is Security Operations? And the primary functions that make up security operations?

A

Focus on day-to-day functions to prevent, detect, and respond to security risks and threats. These functions include:
* Vulnerability, configuration, and patch management: should give the organization “situational awareness” or an accurate picture of all the assets and their configuration and patch status.
* Monitoring and logging.
* Incident handling: Usually follows a six step process:
○ Preparation: Predict what types of security events are likely to occur.
○ Identify: What type of event has occurred
○ Contain: the damage from spreading
○ Eradicate: what is causing the problem
○ Recover: from the event and return to normal operations
○ Lessons learned: activity to determine what actions could or should be undertaken.
* Forensics & investigations
Security Operations Centre (SOC): the team that provides 24/7 monitoring to detect, prevent, and respond to security events, usually working from a SIEM that aggregates and correlates the logs.

24
Q

What is Security Engineering? And the main functions within Engineering?

A

domain that addresses the secure design and implementation of information systems. Security Engineering includes all aspects of the computing environment such as:
* OS security and protection mechanisms
* Network Security Design
* Enterprise security solutions (firewalls, AV, DLP, Endpoint security)
* Cloud computing

25
Q

What is physical security?

A

understanding of threats to the physical information systems, facilities, and personnel, as well as the controls to combat those threats. It also includes:
* Facility location
* Facility construction
* Physical security risks, threats, and countermeasures
* Personnel security

26
Q

What is Security compliance? And what role does it play in security?

A

An approach to governance designed to ensure alignment with applicable laws, regulations, standards, organizational policies, ethical conduct, and other business goals. It often concentrates on regulatory compliance because of the consequences of noncompliance (fines, sanctions, loss of licences or customers).

External compliance focuses on complying with external laws, regulations, standards, or other industry mandates. Internal compliance focuses on internal policies, ethical conduct, or other business rules, and objectives.

27
Q

What are the main responsibilities for the Compliance team?

A

The responsibilities of the compliance team may include:
* Identification of external compliance requirements (for example, laws and regulations)
* Development and management of internal compliance requirements (for example, ethics)
* Development or guidance on policies, standards, and procedures
* Managing the organization’s privacy program
* Oversight and execution of compliance training initiatives
* Monitoring the program for violations and efficiency

In larger organisations the compliance team typically reports to a chief compliance officer (CCO); it is effective when it facilitates the communication and reporting that keep the CEO and/or board of directors aware of compliance risk.

28
Q

What is Compliance management?

A

Enables organizations to put in place governance, policies, systems and processes, and reporting and measurement. ISO 19600:2014, Compliance management systems (since superseded by ISO 37301:2021), describes a cyclical approach similar to the Plan, Do, Check, Act (PDCA) cycle:
1. Plan: produce an inventory of applicable legal and regulatory drivers and internal requirements to identify the compliance risk that affects the business.
2. Implement: take the steps needed to address identified gaps and instances of noncompliance:
a. Develop and maintain a specific policy, procedure, or documentation
b. Implement a particular control
c. Enforce disciplinary action for noncompliance or violation of internal requirements
d. Assess competence and administer training
e. Communicate compliance expectations to the organization
3. Evaluate: conduct internal and external compliance assessments to identify, measure, and correct instances of noncompliance and to determine the actions needed to comply with laws, regulations, and other requirements.
4. Maintain: as the organization's technical infrastructure, business processes, or scope change, new laws and regulations that previously did not apply may now govern the business, so the inventory and controls must be kept current.

29
Q

What are the primary laws & regulations? And who do they apply to?

A
  • Federal Information Security Management Act (FISMA): requires US federal agencies to build, document, and implement an agency-wide information security program to support agency operations.
  • Clinger-Cohen Act of 1996: a US federal law that applies to federal agencies, focused on improving the acquisition, use, and disposal of information technology.
  • Gramm-Leach-Bliley Act (GLBA): requires financial institutions to protect individuals' non-public personal information.
  • Health Insurance Portability and Accountability Act (HIPAA): a US federal law covering the handling of protected health information (PHI) that provides a framework for protecting the security and privacy of health information.
  • Family Educational Rights and Privacy Act (FERPA): a US federal law focused on protecting the privacy and confidentiality of student educational records.
  • Sarbanes-Oxley Act (SOX): a US federal law that holds board members and executives accountable for the accuracy of their organization's financial statements.
  • PCI DSS: a private-sector industry standard, not a law, that applies globally to any organization that stores, processes, or transmits cardholder data. It is administered by the PCI Security Standards Council and enforced contractually by the card brands and acquiring banks.
  • Privacy Act of 1974: applies to records about individuals maintained by US federal agencies.
  • General Data Protection Regulation (GDPR): applies to organizations established in the EU that process personal data, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. The criterion is the data subject's presence in the EU, not citizenship.
30
Q

What are information security trends and best practices?

A
  • OWASP: an international organisation that develops tools, guides, and best practice documents (e.g. the OWASP Top 10) and organizes conferences focused on application security.
  • Cloud Security Alliance (CSA): a non-profit organisation that provides tools, research, frameworks, and best practice documents on cloud security, governance, and compliance.
  • Center for Internet Security (CIS): a non-profit organization focused on developing best practice tools, frameworks, and resources for information security. It publishes the CIS Controls and the CIS Benchmarks (hardened configuration baselines), which are widely used as de facto standards.
31
Q

What is ethics? And what are the main components of an ethics program?

A

Refers to acting with integrity, accountability, and responsibility. CISO role in particular is one that must foster trust and credibility in the organization. An ethics program should have the following components:
* Set standards for ethical conduct within the information security organization
* Define ethics-related policies, standards, and guidelines
* Conduct ethics training for the information security staff
* Evaluate the performance and effectiveness of the program
* Maintain and improve ethical performance by applying lessons learned to all aspects of the ethics program
CCISO candidates should also be aware of the EC-Council Code of Ethics.

32
Q

What are the major security standards and frameworks used within the industry?

A
  • ISO 27000 series: the information security management system (ISMS) family of standards, which serve as industry best practice for managing security holistically. ISO 27001 specifies the requirements for an ISMS (and is the standard organizations certify against); ISO 27002 provides guidance on the controls.
  • NIST Cybersecurity Framework (CSF): a risk-based cybersecurity framework customizable to an organization's needs and business requirements. Three main components make up the CSF:
    ○ Framework core: five functions, Identify, Protect, Detect, Respond, and Recover, each composed of categories and subcategories of outcomes. (CSF 2.0, published in 2024, adds a sixth function, Govern.)
    ○ Framework implementation tiers: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3), and Adaptive (Tier 4); the tiers describe the rigour of risk management practice and are commonly read as maturity levels.
    ○ Framework profiles: used to compare the "Current" state of an organization with a "Target" state and derive a gap-closing roadmap.
  • Federal Information Processing Standards (FIPS): standards issued by NIST for the security of US federal information systems (e.g. FIPS 140-3 for cryptographic modules, FIPS 199 for impact categorization).
  • NIST Special Publications (SP 800 series): guidance that supports the FIPS publications or is developed under NIST's responsibilities under FISMA. Many private-sector organizations adopt the SP 800 series voluntarily.
  • Privacy Shield: an EU-US arrangement intended to let US companies receive personal data from the EU while complying with EU privacy law. It was invalidated by the Court of Justice of the EU in July 2020 (Schrems II) and has been succeeded by the EU-US Data Privacy Framework (2023).
  • COBIT: best practice framework for governance and management of enterprise IT, developed by ISACA.