WEEK 2 Flashcards

SLIDES

1
Q

What is the current NIST guidance for how often to change your password, based on passage of time?
a) 30 days b) 42 days c) 90 days d) never

A

d. Never

2
Q

What do Regulations help to do?

A
  • Mandate the “minimum standards for due care”
  • Establish legally-defensible security practices
  • Provide actionable guidance
  • Inform the types of security controls and techniques employed
3
Q

What is SP 800-37?

A

Risk Management Framework

4
Q

What is SP 800-53?

A

Security Controls for IT Systems

5
Q

What is SP 800-82?

A

Security Controls for Industrial Control Systems

6
Q

What is SP 800-171?

A

Security Controls for Nonfederal systems processing Controlled Unclassified Information

7
Q

Special Publication 800-37 is centered on the Risk Management Framework (RMF), which outlines six steps federal agencies must take to secure their information systems.

WHAT ARE THOSE SIX STEPS?

A

CSCAAM

  1. Security CATEGORIZATION: based on impact analysis
  2. Security control SELECTION
  3. Security CONTROL implementation
  4. Security control ASSESSMENT
  5. Information system AUTHORIZATION
  6. Security control MONITORING
8
Q

NIST SP 800-37

The overall goals of the guidelines in 800-37 are?

A
  • To ensure that managing information system-related security risks aligns with the organization’s business objectives and overall risk strategy
  • To ensure that security controls are integrated into the organization’s enterprise architecture and system development lifecycle
  • To support continuous security monitoring and transparency of security and risk-related information
  • To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies
9
Q

The purpose of NIST SP 800-53 Revision 4 (Security and Privacy Controls for Federal Information Systems and Organizations) is to?

A
  1. To provide guidelines for selecting security controls for information systems supporting federal agencies. The guidelines apply to all components of an information system that process, store or transmit federal information.
  2. To optimize security, this publication recommends first selecting an initial set of baseline security controls, then customizing these baseline controls, and finally supplementing the controls based on assessments of risk.
10
Q

EU-US Privacy Shield

A
  • Designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration
  • Provides companies a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce
  • Self-certification model
11
Q

PCI-DSS

Payment Card Industry Data Security Standards

A
  • Founded in 2006 by AMEX, Discover, JCB International, Mastercard, and Visa
  • Help merchants and financial institutions understand and implement standards
  • Help vendors understand and implement standards for creating secure payment solutions
12
Q

Gramm-Leach-Bliley Act

A

Organizations that provide services to the financial industry
Originally SAS-70 requirements
SAS-70 replaced by Statement on Standards for Attestation Engagements No. 16 (SSAE-16)
SSAE-16 defined and formalized security audits, management duties, etc.

13
Q

Security Program: Set yourself up for success!

A
  • Infrastructure Protection
  • Application Security
  • Security Operations
  • Governance
  • Project/Program Management
  • Business Partners
14
Q

Compliance Creep

Requirements expand over time

A
  • Organization becomes subject to new requirements as business grows
  • Baseline standards become more rigorous because of increasing oversight in industry
  • Scope of organization’s business operation grows
  • We almost never retire requirements (especially security)!
15
Q

Techniques for Compliance

A
  1. Outsource compliance activities
    • Best as short-term solution
  2. Add headcount to execute compliance as a project
  3. Purchase a GRC (Governance, Risk, and Compliance) package or service
    • Most cost-effective, long-term solution
    • Scalable, little upfront costs
16
Q

Value in Compliance

A
  • Compliance programs institute a sense of repeatability and accountability/tracking – improves efficiency and transparency of documentation
  • Computer systems operate more efficiently when they are properly managed
  • Business systems see fewer disruptions when configurations are managed consistently across the enterprise
  • Couple with compliance requirements beyond security controls
17
Q

How many types of auditors are there, and what are they?

A

FOUR

  1. Internal Audit: Understand how management is addressing risk – report internally
  2. External Audit: Usually an independent 3rd party Assessment (CPA Firms, Big 4, etc.) – report directly to Board of Directors
  3. 3rd Party Attestation: Specialized compliance tests (e.g., PCI-DSS)
  4. Regulatory Audits: Government bodies perform audits for compliance
    • E.g. FFIEC for compliance with regulatory obligations
18
Q

Preparing employees for an audit

Part 1

A

  • Don’t “coach” employees – it makes them nervous and ticks off the auditor
  • Don’t guess – “I don’t know” is perfectly reasonable. If followed up by “but this is the person/system I would go to in order to find out,” all the better
  • Time is money – don’t waste it
  • Don’t try to be a lawyer – speak straightforwardly, avoid jargon
  • Auditor is not a whistleblower hotline

19
Q

Preparing for an audit -part 2

A

  • Prepare early – don’t rush the documentation
  • Maintain a steady strain – a little at a time over time is much better than rushing to document everything
  • “Done right” » “Done quickly”
  • Understand the requirements and start early
  • Strategic Speed: reducing the time it takes to deliver value
  • High performing companies encourage innovative thought, allow time for reflection and learn from the past

20
Q

Building Trust with Audit Team

A
  • Align objectives and scope of audit prior to the event
  • Identify criteria for evidence required – sample criteria
  • Agree on how evidence will be requested (processes, tools, a format for requests, etc.)
  • Agree on timeliness expectations for evidence
  • Agree on how differences of opinion will be addressed
21
Q

1914 Federal Trade Commission Act

A

Prohibits “unfair or deceptive acts or practices in or affecting commerce”

This broad statement has far-reaching implications on cybersecurity
  • Established (by extension) a minimum set of cybersecurity practices
  • Protects the privacy and security of non-public information

22
Q

Sarbanes-Oxley Act (2002)

A

Not as prescriptive as GLBA from an IT perspective
Focused primarily on internal controls over financial reporting
Created a linkage between accounting and business process and the underlying IT infrastructure
Designed to restore confidence in the market as a result of Enron and Arthur Andersen

23
Q

An Effective Security Program

A
  1. Designated Security Officer: Required by GLBA, HIPAA
  2. Program to evaluate and assess risk: More than financial risk – cybersecurity, physical, process
  3. Data classification: identify types of data and levels of protection required
  4. Vendor due diligence: Need to hold vendors/partners accountable
  5. Executive responsibility for internal controls: This requires C-Suite buy in
  6. Board of Directors Oversight
24
Q

Three Questions to ask yourself

A
  1. As a CISO, do I have any regulatory requirements?
  2. As a CISO, how do I position my security program and organization for success in regard to compliance?
  3. What policies, processes, or procedures should we leverage to successfully engage our auditors and/or regulators?