GCGA Ch. 11 Implementing Policies to Mitigate Risks Flashcards

(63 cards)

1
Q

Change management programs

A

provide a formal process for approving and carrying out changes in a manner that is coordinated with all stakeholders and designed to minimize the risks associated with the change.

2
Q

Business process issues covered by change management programs

A

include an approval process, ownership, stakeholder analysis, impact analysis, testing, a backout plan, and the use of maintenance windows and standard operating procedures.

3
Q

Technical implications of change management plans

A

include updating security controls, identifying restricted activities, communicating downtime expectations, tracking dependencies, and avoiding disruptions by managing application and service restarts.

4
Q

Closing out change management processes

A

Change management processes should ensure that changes are not closed out until all documentation and diagrams are updated to reflect the impact of the change.

5
Q

Version control

A

a formal process used to track the current versions of software code and system/application configurations.

6
Q

Regulated data

A

data that is governed by external laws and regulations with which the organization must comply.

7
Q

Financial information

A

any data about monetary transactions related to an organization or an individual.

8
Q

Intellectual property

A

information that is crucial to the way that an organization runs its business. Intellectual property may consist of data that is protected by copyright, trademark, and/or patent law. Trade secrets are a type of intellectual property that remains sensitive and valuable to an organization because it is kept secret from competitors.

9
Q

Data classification systems

A

provide formal categories for identifying the sensitivity and criticality of data. Classification ensures that users understand the value of data, and the classifications help protect sensitive data.

10
Q

Public vs private data

A

Public data is available to anyone. It might be in brochures, press releases, or on websites. Private data is information about an individual that should remain private.

11
Q

Confidential data

A

information that an organization intends to keep secret among a certain group of people. Restricted data is another term for regulated data that is governed by outside obligations. Confidential data may also be restricted data depending upon the circumstances.

12
Q

Data retention policy

A

identifies how long data is retained, and sometimes specifies where it is stored.

13
Q

Data sanitization methods

A

ensure that data is removed from, or destroyed on, storage devices before the devices are disposed of or reused. Overwriting is reliable only on magnetic media; for SSDs and other flash storage, use the drive's built-in secure erase, cryptographic erase (destroying the key that encrypted the data), or physical destruction.

14
Q

Incident response policy

A

defines incident response procedures. Organizations review and update the policy periodically and after reviewing lessons learned from actual incidents.

15
Q

Communication plan

A

identifies who to inform when an incident occurs. It also outlines the roles and responsibilities of various personnel, including a communications expert who would communicate with the media.

16
Q

First step in incident response

A

preparation. It includes creating and maintaining an incident response policy and includes prevention steps such as implementing security controls to prevent malware infections.

17
Q

Second step in incident response

A

analysis. After detecting a potential incident, personnel perform an analysis to confirm that a security incident is underway.

18
Q

Third step in incident response

A

containment. Next, they attempt to contain or isolate the problem. Disconnecting a computer from a network will isolate it.

19
Q

Fourth step in incident response

A

eradication attempts to remove all malicious components left after an incident. Recovery restores a system to its original state. Depending on the scope of the incident, administrators might completely rebuild the system, including applying all updates and patches.

20
Q

Reviewing lessons learned

A

A review of lessons learned helps an organization prevent a reoccurrence of an incident.

21
Q

Tabletop exercises vs simulations

A

Tabletop exercises are a type of scenario-based training where participants discuss and analyze a hypothetical incident in a non-threatening environment, whereas simulations involve recreating real-world incidents as closely as possible.

22
Q

Chain of custody

A

When collecting documentation and evidence, it’s important to follow specific procedures to ensure that the evidence is admissible in a court of law. A chain of custody provides assurances that personnel controlled and handled evidence properly after collecting it. It may start with a tag attached to the physical item, followed by a chain of custody form that documents everyone who handled it and when they handled it.

23
Q

Legal hold

A

refers to a legal obligation to maintain different types of data as evidence. Electronic discovery, or eDiscovery, is the identification and collection of electronically stored information. A legal hold requires an organization to protect existing data as evidence.

24
Q

Event logs

A

often help investigators reconstruct the timeline of an event from the timestamps of entries. However, investigators need to account for time offsets: the time zone in which each log records its timestamps, and whether the logging hosts' clocks were synchronized (for example, via NTP). Logs from different systems should be normalized to one reference, typically UTC, before they are merged into a single timeline.
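The normalization described above, as an added example that is not part of the flashcards: log lines from four constructed sources (a Windows export in naive local time, a syslog line with an inline offset, a cloud audit entry in UTC, and an Apache-style access log entry) are converted to UTC and then ordered. The host names, the `-05:00` offset recorded for the Windows host, and the log lines themselves are constructed for the example.

```python
"""Added example, not from the flashcards: normalize log timestamps from several
sources to UTC before merging them into one timeline. The log lines, host names
and offsets below are constructed for the example."""
import re
from datetime import datetime, timezone

# Constructed sample entries: (host, raw log line). Three formats carry their
# own zone; the Windows export does not, so its zone must be supplied.
RAW_EVENTS = [
    ("win-dc01", "2024-03-10 01:52:10 EventID=4624 user=svc_backup src=10.0.5.23"),
    ("web-01", "2024-03-10T08:44:30+02:00 sshd[2211]: Accepted publickey for deploy from 10.0.5.23"),
    ("cloud-audit", "2024-03-10T06:43:55Z CreateAccessKey user=deploy"),
    ("proxy", '10.0.5.23 - - [10/Mar/2024:07:46:12 +0100] "GET /admin HTTP/1.1" 200 512'),
]

# Zone recorded at collection time for hosts whose logs store naive local time.
# (Assumed value for the example; a real case must also apply DST rules.)
HOST_UTC_OFFSETS = {"win-dc01": "-05:00"}

ISO_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(Z|[+-]\d{2}:\d{2})")
CLF_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
NAIVE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_timestamp(host, line):
    """Return an aware datetime for the line, or raise if its zone is unknown."""
    if m := ISO_RE.search(line):
        offset = "+00:00" if m.group(2) == "Z" else m.group(2)
        return datetime.fromisoformat(m.group(1) + offset)
    if m := CLF_RE.search(line):
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    if m := NAIVE_RE.search(line):
        if host not in HOST_UTC_OFFSETS:
            # Refuse to guess: a wrong offset silently corrupts the timeline.
            raise ValueError(f"no UTC offset recorded for naive timestamps from {host}")
        tz = datetime.strptime(HOST_UTC_OFFSETS[host], "%z").tzinfo
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    raise ValueError(f"unrecognized timestamp format: {line!r}")


def build_timeline(events):
    """Convert every event to UTC and return (utc_time, host, line) ordered by true time."""
    normalized = []
    for host, line in events:
        ts_utc = parse_timestamp(host, line).astimezone(timezone.utc)
        normalized.append((ts_utc.strftime("%Y-%m-%dT%H:%M:%SZ"), host, line))
    return sorted(normalized)


if __name__ == "__main__":
    for ts, host, line in build_timeline(RAW_EVENTS):
        print(ts, host, line)
```

Sorting the raw strings would have put the Windows entry (01:52 local) first; after normalization it is the last event (06:52:10Z), and the cloud `CreateAccessKey` call at 06:43:55Z is the earliest, which changes the story the timeline tells.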

25
TTP
Investigators provide a report on their findings. They typically include tactics, techniques, and procedures (TTPs) used by attackers and recommendations based on the results.
26
Order of volatility
the order of volatility for data on a system, from most volatile to least volatile, is cache memory, regular RAM, a swap or paging file, and hard drive data. Collect evidence in that order, because the most volatile data is lost first (for example, as soon as the system is powered off).
27
Snapshots
capture the state of a system at a point in time. A virtual machine snapshot, for example, captures the VM's disk and, optionally, its memory, and the snapshot can be used for forensic analysis without touching the running system.
28
Forensic artifacts
pieces of data that most users are unaware of, but digital forensic experts can extract and analyze the artifacts.
29
Hard drive imaging
creates a forensic copy so that the capture and the subsequent analysis do not modify the original evidence. A forensic image is a bit-by-bit copy of the data; the source drive is typically attached through a write blocker so that nothing is written to it during the capture, and analysis is performed on the image rather than on the original.
30
Usage of hashes/checksums
Hashes or checksums verify the integrity of captured data. Hashing the original before imaging and the image after imaging, and comparing the two values, provides proof that the capturing process did not modify data; re-hashing the image later proves it has not changed since it was captured.
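The imaging, hash verification and chain-of-custody cards above, as one added example that is not from the flashcards or from any forensic tool: a source "device" is copied bit for bit, its hash is compared with the image's hash, a tampered copy fails verification, and each custody hand-off is recorded in a log where every entry commits to the evidence hash and to the previous entry, so an edited record is detectable. The device contents, evidence ID, handler names and times are constructed for the example, and the in-memory source stands in for a block device read through a write blocker.

```python
"""Added example, not from the flashcards or any forensic tool: image a source
device bit for bit, hash it before and after, verify the image, and keep a
tamper-evident chain-of-custody log. The 'device' is a constructed byte string
held in memory so the script runs offline."""
import hashlib
import io

CHUNK = 4096
GENESIS = "0" * 64
FIELDS = ("evidence_id", "handler", "action", "hash", "time", "prev")


def hash_stream(stream, algorithm="sha256"):
    """Hash a stream from its current position to EOF."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire(source, image, algorithm="sha256"):
    """Copy every byte of source into image, hashing the bytes as they are read.
    Returns the hash of the source as seen during the capture."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: source.read(CHUNK), b""):
        h.update(chunk)
        image.write(chunk)
    image.flush()
    return h.hexdigest()


def verify_image(image, expected, algorithm="sha256"):
    """Re-read the image from the start and compare its hash with the expected value."""
    image.seek(0)
    return hash_stream(image, algorithm) == expected


def _link(record):
    """Hash over the record's fields, including the previous record's link."""
    return hashlib.sha256("|".join(record[f] for f in FIELDS).encode()).hexdigest()


def custody_append(log, evidence_id, handler, action, digest, when):
    """Append a chain-of-custody record. Each record commits to the evidence hash
    and to the previous record's link, so editing or dropping an entry is detectable."""
    record = {"evidence_id": evidence_id, "handler": handler, "action": action,
              "hash": digest, "time": when, "prev": log[-1]["link"] if log else GENESIS}
    record["link"] = _link(record)
    log.append(record)
    return record


def custody_intact(log):
    """True if every record links to its predecessor and its link hash recomputes."""
    prev = GENESIS
    for record in log:
        if record["prev"] != prev or record["link"] != _link(record):
            return False
        prev = record["link"]
    return True


# Constructed 'device' contents: a fake partition header plus filler bytes.
DEVICE = b"FAKE-PARTITION-HEADER\x00" + bytes(range(256)) * 64


def run_demo():
    source = io.BytesIO(DEVICE)          # stands in for a read-only block device
    image = io.BytesIO()
    source_hash = acquire(source, image)
    image_ok = verify_image(image, source_hash)

    # One byte of a copy of the image is altered: the hash no longer matches.
    tampered = bytearray(image.getvalue())
    tampered[100] ^= 0x01
    tampered_ok = verify_image(io.BytesIO(bytes(tampered)), source_hash)

    log = []
    custody_append(log, "EV-001", "A. Analyst", "acquired image", source_hash, "2024-03-10T07:05:00Z")
    custody_append(log, "EV-001", "B. Examiner", "received for analysis", source_hash, "2024-03-10T09:30:00Z")
    intact = custody_intact(log)

    # Rewriting history: someone changes who handled the evidence in the first record.
    edited = [dict(r) for r in log]
    edited[0]["handler"] = "C. Someone"
    intact_after_edit = custody_intact(edited)

    return {"source_hash": source_hash, "image_verified": image_ok,
            "tampered_verified": tampered_ok, "custody_intact": intact,
            "custody_after_edit": intact_after_edit}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The source is hashed from the same bytes that are written to the image, and the image is then re-read independently, so a match demonstrates that the copy is complete and unmodified rather than merely that the same buffer was hashed twice.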
31
Security Orchestration, Automation, and Response (SOAR) platforms
use internal tools to respond to low-level security events automatically, reducing administrator workload.
32
SOAR playbook
provides a checklist of things to check for suspected incidents.
33
SOAR runbook
implements the playbook checklist using available tools within the organization.
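The playbook/runbook split on the two cards above, as an added example that is not from the flashcards or from any SOAR product: the playbook is an ordered checklist for a suspicious-login alert, the runbook is the set of functions that carry out each item with the organization's tools, and the decision logic automates only the low-level response, handing anything that touches a privileged account to an analyst. The blocklist, user directory, weights and threshold are constructed stand-ins for real integrations and tuning.

```python
"""Added example, not from the flashcards or any SOAR product: a playbook kept
as an ordered checklist, and a runbook that implements each checklist item with
the organization's tools. The tools (IP blocklist, user directory) are
constructed in-memory data standing in for real integrations."""

# Constructed stand-ins for tools a runbook would query.
IP_BLOCKLIST = {"203.0.113.9"}
USER_DIRECTORY = {
    "jdoe": {"mfa": True, "privileged": False, "home_country": "US"},
    "admin_backup": {"mfa": False, "privileged": True, "home_country": "US"},
}

# Playbook: the checklist an analyst walks through for a suspicious-login alert.
# Each item carries an assumed weight toward the decision to act automatically.
SUSPICIOUS_LOGIN_PLAYBOOK = [
    ("source_ip_on_blocklist", 3),
    ("login_from_unusual_country", 2),
    ("mfa_not_enforced", 2),
    ("account_is_privileged", 1),
]


# Runbook: each checklist item implemented against the available tools.
def source_ip_on_blocklist(alert):
    return alert["src_ip"] in IP_BLOCKLIST


def login_from_unusual_country(alert):
    return alert["geo"] != USER_DIRECTORY[alert["user"]]["home_country"]


def mfa_not_enforced(alert):
    return not USER_DIRECTORY[alert["user"]]["mfa"]


def account_is_privileged(alert):
    return USER_DIRECTORY[alert["user"]]["privileged"]


RUNBOOK = {
    "source_ip_on_blocklist": source_ip_on_blocklist,
    "login_from_unusual_country": login_from_unusual_country,
    "mfa_not_enforced": mfa_not_enforced,
    "account_is_privileged": account_is_privileged,
}

AUTO_CONTAIN_THRESHOLD = 4  # assumed tuning value for the example


def run_playbook(alert):
    """Run every checklist item, then decide: automate the low-risk response,
    hand anything touching a privileged account to an analyst, close the rest."""
    findings = {name: RUNBOOK[name](alert) for name, _ in SUSPICIOUS_LOGIN_PLAYBOOK}
    score = sum(weight for name, weight in SUSPICIOUS_LOGIN_PLAYBOOK if findings[name])
    actions = ["record_findings_in_ticket"]   # every alert leaves a record for review
    if score == 0:
        actions.append("close_as_informational")
    elif score < AUTO_CONTAIN_THRESHOLD or findings["account_is_privileged"]:
        actions.append("escalate_to_analyst")  # a human decides on containment
    else:
        actions += ["revoke_user_sessions", "block_source_ip"]  # automated low-level response
    return {"score": score, "findings": findings, "actions": actions}


if __name__ == "__main__":
    # Constructed alerts: a clear hit, a privileged-account case, and a benign login.
    for alert in [
        {"user": "jdoe", "src_ip": "203.0.113.9", "geo": "RU"},
        {"user": "admin_backup", "src_ip": "198.51.100.4", "geo": "US"},
        {"user": "jdoe", "src_ip": "198.51.100.4", "geo": "US"},
    ]:
        print(alert["user"], run_playbook(alert)["actions"])
```

Keeping the checklist as data and the tool calls as separate functions is what lets the same playbook be executed by an analyst by hand or by the platform automatically; changing a threshold or swapping a tool does not change the checklist itself.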
34
Security governance
the set of responsibilities and processes established by an organization’s top-level management to direct, evaluate, and control the organization’s security efforts.
35
Boards (company)
often consist of executives and high-ranking individuals within the organization who make critical decisions about security policy and strategy. Committees are usually specialized groups focusing on specific aspects of security, such as risk management or compliance. Government entities might have a role if the organization operates in a heavily regulated industry or if it deals with sensitive data like protected health information or national security matters.
36
Centralized vs decentralized governance structures
centralized governance structures concentrate decision-making authority at the top of the organization. Decentralized structures allow different parts of the organization to make their own security decisions.
37
Setting up/managing security governance
In setting up and managing security governance, organizations need to take into account a range of external considerations. These may include regulatory requirements, legal obligations, industry standards, and the security environment at local, regional, national, and global levels.
38
Written security policies
administrative controls that identify an overall security plan for an organization and reduce overall risk. Procedures identify security controls used to enforce security policies. Common security policies include acceptable use policies (AUP), information security policies, business continuity and disaster recovery policies, incident response policies, software development lifecycle (SDLC) policies, and change management policies.
39
Security standards
outline technical and business requirements for security. Common security standards include password standards, access control standards, physical security standards, and encryption standards.
40
Security procedures
provide very specific step-by-step instructions for carrying out security-related tasks. Security guidelines offer advice on achieving security objectives. Common security procedures include change management procedures and employee onboarding/offboarding procedures.
41
Security guidelines
optional advice, while compliance with policies, procedures, and standards is mandatory.
42
Data owners
have primary responsibility for a specific type of data within the organization. The data owner is typically a senior executive responsible for the area with oversight of the data. Because data owners hold senior-level positions, they can't do the day-to-day work of data governance, so they typically delegate authority to data stewards on their teams who are responsible for carrying out the intent of the data owner's requirements.
43
Data custodian
responsible for routine daily tasks such as backing up data, storage of the data, and implementation of business rules.
44
Data controller
the organization that is responsible for a dataset. A data processor handles information on behalf of a data controller.
45
Supply chain
includes all the elements required to produce and sell products and services. Organizations should regularly conduct a supply chain analysis that identifies all of the vendors that make up their supply chain and assesses any risks associated with those relationships.
46
Security controls used to assess and manage vendor relationships
include right-to-audit clauses, penetration testing, collecting evidence of internal audits, and conducting independent assessments.
47
Conducting due diligence
involves a thorough evaluation of potential vendors’ capabilities, credentials, reputation, and financial stability.
48
Conflict of interest
might arise if the vendor has business relationships that could influence their decision-making or compromise their ability to prioritize your organization’s needs.
49
SLA
A service level agreement (SLA) is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
50
MOUs
A memorandum of understanding (MOU) expresses an understanding between two or more parties, indicating their intention to work together toward a common goal. It is less formal than a contract such as an SLA.
51
BPA
A business partners agreement (BPA) is a written agreement that details the relationship between business partners, including their obligations toward the partnership.
52
NDA
A non-disclosure agreement (NDA) is used between two entities to ensure that proprietary data is not disclosed to unauthorized entities.
53
MSA
Master Services Agreements (MSA) provide structure to the agreements for vendors that you will work with repeatedly. Then, when you have a new project for the vendor, you write a simple work order (WO) or a statement of work (SOW) that contains the details of that specific project and references the general terms in the MSA.
54
Compliance programs
ensure that an organization complies with all of its legal and contractual obligations.
55
Due diligence
refers to the actions taken to ensure the organization is aware of all legal requirements applicable to its operations. It involves understanding the risks, regulations, and standards relevant to the business and taking the necessary steps to align with them. Due care, meanwhile, is the continuous effort to ensure the organization adheres to these requirements and addresses any identified non-compliance in a timely manner.
56
Attestation
refers to the verification by individuals within the organization or third parties that the organization is compliant with the relevant rules and regulations.
57
Acknowledgement
the recognition and acceptance of these compliance standards by employees and other stakeholders.
58
The right to be forgotten
empowers individuals to request that their personal data be erased from a company’s records under specific circumstances.
59
Data inventory
a detailed record of where important data is stored, who has access to it, and why it is used. Data retention policies state how long data must be kept and how to dispose of it securely when it is no longer needed.
60
User training
includes training personnel on security policies and reducing risks by training users on current technologies and threats.
61
CBT
Computer-based training (CBT) allows students to learn at their own pace.
62
Training programs
should help users recognize and properly respond to phishing attacks. Phishing simulations mimic the type of phishing campaigns used by attackers and allow an organization to safely check to see if employees will respond to phishing emails. Users should be trained to recognize anomalous behavior, such as risky, unexpected, or unintentional activity.
63
Security awareness training
should cover a variety of relevant issues, including the insider threat, password management, removable media and cables, social engineering, operational security, and remote/hybrid work environments.