Cybersecurity Policy Midterm

Name who should participate in a security awareness program.

1. CIO 2. System admin 3. Receptionist D.) All of the above. Basically Everyone.

What is required in developing a security strategy within your means?

1. Conduct capacity planning 2. Ensure the availability of adequate resources and capabilities 3. deliver security strategy within the required system performance

What should a company manager do when they outsource security?

1. Discuss security and compliance requirements, 2. put them in a contract 3. enforce those rules

What are the type of changes an organization can go through? MAOD

1. Mergers 2. Acquisitions 3. Outsourcing 4. Divestitures

Metrics provide management with insights into what? VAP

1. Validity 2. Acceptability 3. Performance

The Enterprise Security Policy Life Cycle has how many phases?

4 phases

True or False: A policy that no one knows still provides value because it is a formal document in the organization.

False.

What should contracts be reviewed for?

For potential security implications

What should you consider when determining costs in an organization?

Impact on performance, maintenance, licensing, help desk calls, monitoring efforts, patching Remember cost should never outweigh benefits

How should a data classification scheme be documented?

In a written classification guidance document that is deployed throughout the organization.

What value does a policy have if no one understands it?

It has no value

When reviewing contracts, is it a high or low-security risk when an associated with third-party service?

It is high security risk. Must be careful, informed. This needs to come from senior management.

Why is security participation in the change process important?

It is important in order to maintain the security info in the organization

Where is configuration management included?

It is included in the hardware, software, firmware and documentation of an automated system throughout the system life cycle.

What is one of the primary reasons why organizations outsource security?

It is mostly for cost

Configuration management maintains what?

It maintains a systems integrity with respect to the approved settings. These settings can be changed though. This can be adjusted, recreated or destroyed.

Does outsourcing lead to lower costs?

It may not lead to lower costs.

What does data classification mean?

It means assigning a level of sensitivity to data

What should security policy framework ensure?

It must ensure that employees and external parties know what their responsibilities are

What does cybersecurity governance framework provide?

It provides a set of practices and structures that ensure effective oversight of security activities.

When integrating cyber security into a firms culture, what is the single most critical factor for success?

Need support from the top (executives, board of directors)

Securing the enterprise takes embedding security into? PTP

People, technology, process

Good alignment will drive what? RPW

Resources, priorities, and work efforts.

What should be done with periods of change in an organization?

Review security policies, procedures to reflect any new changes.

What is residual risk

Risk that remains after all measures have been applied.

What is role based training?

Role-based Training puts the training in the context of a specific role and what it takes to perform in that role.

What are Standards?

Serve as specifications for the implementation of policy and dictate mandatory requirements

What should happen in the control change process?

Should be documented, approved by management, create rollback plans if possible.

What is interconnection security agreement with third parties? Should they be discussed and agreed?

This is when you have a network connection with a third party. Security requirements should be discussed and agreed.

What is the disposal phase?

This is when you retire the policy. Make sure the new one is set before you replace.

When should the classification system be reviewed?

This should be reviewed periodically

What is the implementation phase and compliance phase?

This is when the policy is published and communicated to everyone. Compliance is also involved here. Everyone must comply

What is the development phase?

This is when you develop a policy. You plan, research, and write the policy. This is when it gets staffed and approved.

Handing over a critical business process or technology changes what?

Changes the risk profile of the firm

what dwarfs most procurement contracts? CSD

Complexity, Scope, Duration

What is the maintenance phase? 5 things

1. This is when you ensure that personnel are aware of the policy 2. Keep policy current 3. Monitory activities 4. Report compliance 5. Enforce that everyone is complying

What is the CIA triad?

C.) Confidentiality, Integrity, Availability

What best describes the role of policy?

D.) All of the above 1. To codify guiding principles 2. To shape behavior 3. To serve as a roadmap

If an enterprise has additional policies... What are they and where are they found?

1. Acceptable use policy, social media policy, data privacy policy 2. Can be found in HR, procurement, contracts, legal, compliance

What three things does cybersecurity provide?

1. CIA 2. A security policy for the organization 3. A security process for the organization (standards, process, guidelines)

Determining the way in which data is classified within the organization, is an important step that ensures what? What is it based on?

1. setting protection priorities 2. Ensures that the right info is protected 3. Based on due regard for performance, security, and business requirements

How long does it typically take for companies to successfully outsource security operations and normalize the outsourcing relationship?

6 - 18 months.

What will a gap analysis show?

A gap analysis will show what is missing and where the organization needs to go.

Who is typically the information owner?

A senior representative of the business unit. They have authority on that data.

What definition is confidentiality?

A.) The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

How must data be protected?

According to the policies and procedures of an organization

What two things should organizations analyze when outsourcing security?

Analyze costs and risks

How often should policies be reviewed and updated?

Annually or after a major change (Merger, acquisition)

What are Guidelines?

Are akin to suggestions or advice. Guidelines are not mandatory

What are the seven characteristics of a successful policy? ERRAAEI

B.) 1. Endorsed 2. Relevant 3. Realistic 4. Attainable 5. Adaptable 6. Enforceable 7. Inclusive

Which of the following risk types best describes an example of insurance?

B.) Risk Transfer

What does successful enterprise security mostly depend on?

Depends on full participation of its stakeholders

Name the phases of the Enterprise Security Policy Life Cycle DIMD

Development, Implementation, Maintenance, Disposal.

Which three questions can metrics help answer?

C.) 1. Am I implementing the tasks for which I am responsible 2. How efficiently or effectively am I accomplishing those tasks 3. What impact are those tasks having on the mission of my organization.

When should an awareness and training program be changed?

C.) Continuously changing to adapt to the needs of the environment, culture, and mission

A cyber security policy is a directive that defines?

C.) How an organization protects information assets and systems against cyber-attacks and non-malicious incidents.

What risk type relates to negative public opinion?

C.) Reputation Risk

Which risk is best described as the expression of (the likelihood of occurrence after controls are applied) x (expected loss)?

C.) Residual Risk

A successful security manager will ensure year end budget reviews reflect what?

C.) Spent all the funds that are allocated.

Who does CISO usually report to?

CIO or someone who reports to the CIO

Who is responsible for implementing the organizations security program?

CISO

What is the CISO responsible for?

Confidentiality and Integrity

should costs outweigh benefits?

Cost should never outweigh benefits

What strengthens everyones commitment to the policy?

Creating a direct tie between security policy and individual performance

True or False: Data classification should apply to data in electronic form only?

False

True or False: Economic stability of an organization or market performance have no bearing on budget allocations

False

What does it indicate when a cyber security program is said to be "strategically aligned"?

D.) All of the above 1. It supports business objectives 2. It adds value 3. It maintains compliance with regulatory requirements

To avoid conflict of interest, the CISO could report to which individual?

D.) COO (Chief Compliance/Operations Officer

What security objective is most important to an organization? hint: CIA

D.) This depends on the organization. There is no set objective.

What does configuration management ensure?

Ensures that all system baselines are maintained.

True or False: While outsourced, the governance, compliance, and risk-management are no longer the responsibility of the customer organization and its management?

False

What are the three phases one should consider approaching security training? IPO

Initial, periodic, ongoing

What does proper life cycle management begin with?

It begins with the classification of data

What does security governance consider in an organization?

It considers the business requirements of an organization to ensure that security is adequately mitigated and compliant. This is more of an oversight from managers and board of directors.

What two things should security personnel remember when reviewing contracts?

That security has a financial cost and is a balance

Data classification is the responsibility of?

The information owner

What problems can contractors pose when you outsource security?

They may not have the same level of commitment.

what do MSSPs provide?

They provide security services to those who cant afford them.

What does it mean when you get certification and accreditation from a third party?

This is when a 3rd party expert comes in, reviews your security policy and puts it in a certification report.

What are some samples of data classification levels?

Top Secret, public, internal only, confidential, highly confidential

True or False: A security awareness program is an important part of building a culture of security throughout the organization.

True

True or False: Metrics are used to measure the effectiveness of the security awareness and training programs.

True

True or false: Does senior management need to determine their risk tolerance or appetite?

True

What areas are frequently outsourced?

Vulnerability management and SOC

What is attestation in security?

When an executive signs a legal document verifying that the organization is in compliance with standards.

What is BIA (Business impact analysis)

source of info concerning different lines of business and how they relate to the IT process. For example, if an event occurs, how will it impact IT services and what plans do you have in place to mitigate that.

What is policy exemption?

When someone is exempt from a policy. This needs to be documented.

A properly aligned security program understands that it is about what?

that it understands that it is about the business and not the technology

What will an ERM focus on? (Enterprise risk management)

Will focus on the risk impact to the organizations overall financial and strategic objectives.

Do Security leaders need to wear multiple hats?

Yes, need to balance security and business needs.

What should you know before drafting a security policy?

You should know that organization's environment

What is risk acceptance?

a strategy in which the organization accepts the potential risk, continues to operate with no controls, and absorbs any damages that occur

What are procedures?

are base guidelines on how policy and standards are carried out. Procedures focus on actions or steps, with specific starting and ending points.

How can you increase security awareness in an organization?

company can creates a security awareness program.

What is the most important aspect of information security strategy?

developing a system wide security policy

Why is a security awareness program important to company culture?

it builds a culture of security throughout the organization

What is data criticality?

its the function of how important data availability is to the organization

What does a CBA look at?

looks at risk based, cost effective controls and security controls.

If management is risk averse, what two things will be discussed in board rooms?

risk assessment and risk mitigation will be discussed

If management is unconcerned with risk, what will be discussed?

risk assessment will be discussed to determine what actions are necessary to comply with regulatory requirements