Chapter 8 - IT Security Policy Framework Approaches Flashcards

(52 cards)

1
Q

___________ is a framework for validating internal controls and managing enterprise risks.

A

COSO

2
Q

_____________ is heavily focused on financial operations and risk management.

A

COSO

3
Q

____________ is a framework and supporting tool set that align business and control requirements with technical issues.

A

COBIT

4
Q

______________ is an international governance and controls framework and a widely accepted standard for assessing, governing, and managing IT security and risks.

A

COBIT

5
Q

_____________ has produced a vast array of standards supporting a number of different industries and business models.

A

ISO

6
Q

The ____________ standards related to information security and IT risk are widely accepted as the leading international standards.

A

ISO

7
Q

_____________ is a widely accepted international framework and set of best practices for delivering IT services. It contains a comprehensive list of concepts, practices, and processes for managing IT services.

A

ITIL

8
Q

The Federal Information Security Management Act (FISMA) requires federal agencies to follow a common set of security standards. These standards are provided by _________ and are known as the ______________.

A

NIST

Federal Information Processing Standards (FIPS)

9
Q

____________ was first developed in 2008 by the SANS Institute, now managed by the Center for Internet Security.

A

CIS Critical Security Controls for Effective Cyber Defense

10
Q

The ______________ is a security standard for any organization that accepts, stores, processes, or transmits payment card data.

A

Payment Card Industry Data Security Standard (PCI DSS)

11
Q

TF: Organizations often combine multiple security policy frameworks to draw upon each of their strengths.

A

True

12
Q

The frameworks mentioned in the chapter share three characteristics:

A

1 - They are risk-based

2 - They speak to the organization’s risk appetite

3 - They address operational disruption and losses

13
Q

The ______________ domain provides the business view and context for a risk evaluation. This ensures that risk activity aligns with the business goals, objectives, and tolerances. This includes aligning to business strategy. This domain ensures that the full range of opportunities and consequences is considered.

A

Risk Governance

14
Q

The ______________ domain ensures that technology risks are identified and presented to leadership in business terms. Formal risks are analyzed, and processes are created to assess impact. This domain also creates a risk repository of all known risks. This further enhances the risk analysis and reporting.

A

Risk Evaluation

15
Q

The ______________ domain ensures risks are reduced and remediated in the most cost-effective manner. This domain coordinates risk responses so that the right people are engaged at the right time. This prevents risks from increasing in magnitude. Processes are established to manage risk throughout the enterprise to an acceptable level.

A

Risk Response

16
Q

______________ oversight approves the controls and approach by which risk is to be managed.

A

Governance

17
Q

___________ oversight executes within the rules set by the governance body.

A

Management

18
Q

The _________________ role is the single point of contact responsible for data quality within the enterprise. This person deals with all aspects of information. This person establishes guidance on data handling and works closely with the business to understand how information drives profitability. A business person, as opposed to a technologist, typically fills this role.

A

head of information management

19
Q

_____________ are the individuals responsible for ensuring data quality within the business unit. They are the owners of the data. They approve access. They work closely with information management to ensure the business gets maximum value from the data. They define the business requirements for data and create descriptions of what the data is and how it will be used.

A

Data stewards

20
Q

_______________ are individuals in IT responsible for maintaining the quality of data. These individuals make decisions on how the data is to be handled given the requirements from the data steward. Whereas the data steward’s primary role is to design and plan, the _______________ primary role is implementation.

A

Data custodians

21
Q

_______________ are responsible for executing the policies and procedures such as backup, versioning, uploading, downloading, and database administration.

A

Data administrators

22
Q

___________________ have a highly restricted role. They grant access rights and assess threats to the information assurance (IA) program.

A

Data security administrators

23
Q

The ______________ helps set priorities, removes roadblocks, secures funding, and acts as a source of authority. The ______________ members are leaders across the organization. This combination ensures buy-in from the business for the information security program.

A

executive committee, security committee

24
Q

The ________________ provides important information on the risk appetite of the organization.

A

operational risk committee

25
Q

A _______________ monitors for intrusions and breaches. Team members monitor firewalls and network traffic. When a breach is discovered, they activate the _____________, which responds to breaches and helps the business recover.

A

security operations team, incident response team (IRT)

26
Q

Some organizations have adopted the concept of _________________. In other words, data is not allowed to leave the organization until it has been verified that the vendor’s control environment meets the organization’s own requirements.

A

permission to send

27
Q

The ______________ approach involves having two or more layers of independent controls to reduce risk. It relies on the redundancy of the layers: if one layer fails to catch the risk or threat, the next layer should.

A

layered security (also called defense in depth)

28
Q

Implementing an _________________ is less about fraud and more about reducing potential errors in vital processes and functions.

A

organizational separation of duties

29
Q

In the Three-Lines-of-Defense Model, the first line of defense is _____________. They identify risk, assess the impact, and mitigate the risk whenever possible.

A

the business unit

30
Q

In the Three-Lines-of-Defense Model, the second line of defense is _____________. They are responsible for managing risk across the enterprise. They align controls and policies to ensure that the risk management program aligns with company goals.

A

the enterprise risk management program

31
Q

In the Three-Lines-of-Defense Model, the third line of defense is _____________. This provides the board and executive management independent assurance that the risk function is designed and working well. It also acts as an adviser to the first and second lines of defense in risk matters.

A

the independent auditor

32
Q

_______________ risks are a broad category focused on an event that may change how the organization operates. Some examples might be a merger or an acquisition, a change in the industry, or a change in the customer. The key point is that it is an event that affects the entire organization.

A

Strategic

33
Q

_______________ risks relate to the impact to the business of failing to comply with legal obligations. Noncompliance can be willful, or it can result from being unaware of local legal requirements. This can include regulatory requirements or legally binding contracts. For example, a company accepts the rules associated with processing credit cards but fails to implement PCI DSS. The card companies, under a binding contract, can force the merchant to stop taking credit cards.

A

Compliance

34
Q

_______________ risk is the potential impact when the business fails to have adequate liquidity to meet its obligations, that is, when it lacks adequate cash flow. For example, the consequences of failing to pay loans, payroll, and taxes would be this kind of risk. The lack of available funds can be due to a poor credit rating or operations too risky for banks to fund.

A

Financial

35
Q

________________ risks are a broad category that describes any event that disrupts the organization’s daily activities. The Office of the Comptroller of the Currency (OCC) defines this as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” In technology terms, it is an interruption of the technology that affects the business process. This can be a coding error, slow network, system outage, or security breach.

A

Operational

36
Q

A ________________ risk results from negative publicity regarding an organization’s practices. This type of risk could lead to a loss of revenue or to litigation. These risks often overlap with other risk categories; for example, a financial issue is likely to have a deleterious impact on the organization’s reputation.

A

reputational

37
Q

_______________ is a broad category of non-IT-specific events that introduce risk to the line of business. Typically, this category of risk relates to events that are outside the organization’s control. For example, political unrest can occur in another country where the organization has a call center. The political unrest is a non-IT event, but personnel failing to show up for work could impact IT operations. Although these risks may be outside of the organization’s control, they can still be planned for in much the same way natural disasters are planned for.

A

Other risks

38
Q

What is the difference between Governance, Risk Management, and Compliance (GRC) and Enterprise Risk Management (ERM)?

A

GRC is more a series of tools to centralize policies, document requirements, and assess and report on risk. ERM focuses on value delivery. This shifts the discussion from how much the organization must budget for risk mitigation to how that expenditure enhances value. ERM takes a broad look at risk, whereas GRC is technology-focused.

39
Q

TF: The security committee is the key committee for the CISO.

A

True

40
Q

Which of the following is NOT an IT security policy framework?
A - COBIT
B - ISO
C - ERM
D - OCTAVE

A

C - ERM

41
Q

Which of the following are PCI DSS network requirements?
A - Network segregation
B - Penetration testing
C - Virus scanning
D - All of the above
E - A and B only

A

D - All of the above

42
Q

Which of the following are common IT framework characteristics?
A - Risk-based management
B - Aligned business risk appetite
C - Reduced operation disruption and losses
D - Established path from requirements to control
E - All of the above
F - A and C only

A

E - All of the above

43
Q

Which of the following applies to both GRC and ERM?
A - Defines an approach to risk
B - Applies a rigid framework to eliminate redundant controls, policies, and efforts
C - Passively enforces security policy
D - Seeks line of sight into root causes of risk

A

A - Defines an approach to risk

44
Q

TF: The underlying concept of segregation of duties (SOD) is that individuals execute high-risk transactions as they receive preapproval.

A

False. SOD means no single individual can complete a high-risk transaction alone; a second person must take part, which is a separation of roles rather than a preapproval.

45
Q

TF: A risk management and metrics team is generally the first team to respond to an incident.

A

False. The security operations team detects the incident and activates the incident response team (IRT).

46
Q

TF: Once you decide not to eliminate risk but to accept it, you can ignore the risk.

A

False. An accepted risk must still be documented and monitored; acceptance is a decision not to treat it further, not permission to ignore it.

47
Q

Which of the following is NOT a key area of improvement noted after COBIT implementation?
A - Value delivery
B - Decentralization of the risk function
C - Better resourcing of IT
D - Better communication

A

B - Decentralization of the risk function

48
Q

A security team’s organizational structure defines the team’s ________________ or __________________.

A

priorities or specialties

49
Q

TF: Implementing a governance framework can allow an organization to systematically identify and prioritize risks.

A

True

50
Q

The more layers of approval required for SOD, the more ______________ or ___________ it is to implement the process.

A

expensive or burdensome

51
Q

Asking to borrow someone’s keycard is an example of ________________.

A

social engineering

52
Q

TF: All organizations should have a full-time team dedicated to collecting, reviewing, and reporting to demonstrate adherence to regulations.

A

False