Chapter 16 Security Governance and Compliance

Created by
@VitVargKW

Questions and Answers

What is the primary purpose of a board of directors in a publicly traded company?

  • To directly control all employees
  • To manage the daily operations of the company
  • To hire and manage the CEO (correct)
  • To create products and services

How is the governance model of nonprofit organizations different from that of publicly traded companies?

  • Nonprofits do not have a board of directors
  • Nonprofits have no governance framework
  • Nonprofits are always run by a single owner
  • Nonprofit board members can be elected by members or self-perpetuating (correct)

What is the role of the CEO in the management hierarchy of a company?

  • To manage all middle managers directly
  • To serve only as a liaison to the shareholders
  • To hire individual contributors without oversight
  • To execute the board's decisions and manage senior executives (correct)

In privately owned organizations, what can a sole owner do regarding governance?

Answer: Serve as both CEO and the board

What does a Governance, Risk, and Compliance (GRC) program aim to integrate?

Answer: Governance, risk management, and compliance

What aspect of governance is directly connected to information security?

Answer: Information security governance

What is a major consideration regarding the size of the management hierarchy in an organization?

Answer: Keeping the number of direct reports for each manager reasonable

Which of the following best describes how owners control privately owned organizations?

Answer: Directly or through a board they control

What is a characteristic of a centralized governance model?

Answer: It uses a top-down approach in which a central authority creates the policies.

Which document type is NOT typically included in an organization's information security policy framework?

Answer: Operations Manual

Which of the following best describes decentralized governance models?

Answer: Business units have the freedom to achieve cybersecurity objectives as they see fit.

Why might management need to be involved in cybersecurity procedures?

Answer: To lend their support so that security procedures gain traction in other areas of the organization.

Which of these documents specifies how to implement a policy in practice?

Answer: Procedures

Which type of governance model is primarily associated with for-profit businesses?

Answer: Centralized governance

What role may regulatory agencies play in an organization's governance structure?

Answer: They enforce and regulate industry standards.

What distinguishes guidelines from policies in an information security framework?

Answer: Policies state mandatory requirements, whereas guidelines suggest recommended (non-mandatory) best practices.

What is the purpose of compensating controls?

Answer: To provide alternative means to achieve the control objective when the original control cannot be met.

Why might an organization need to run an outdated operating system?

Answer: The business requires specific software that only functions on that version.

What is a likely approach when an organization uses an outdated operating system?

Answer: Isolate the outdated system on a network with restricted access.

What must organizations develop alongside compensating controls?

Answer: Remediation plans to return to compliance with the original controls.

How frequently should policy monitoring occur?

Answer: It should be an ongoing process.

What challenge does the use of compensating controls address?

Answer: The impossibility of meeting every required security control in every circumstance.

What does the use of compensating controls imply for organizations?

Answer: They are using alternative methods to manage risk when they cannot meet the original control as written.

What is an important aspect of the compensating controls process offered by PCI DSS?

Answer: It provides a formal process for establishing and documenting compensating controls.

What is the primary purpose of keeping documentation current when completing a change?

Answer: To reflect the impact of the change on systems and policies

What is a benefit of following personnel management best practices?

Answer: Reducing the risk of cybersecurity incidents caused by employees

Which principle states that individuals should only have the minimum permissions necessary for their job functions?

Answer: Least privilege

What issue can occur when employees change positions within an organization without privilege review?

Answer: Privilege creep

In what scenario is separation of duties particularly important?

Answer: When handling sensitive job functions

What commonly poses a risk to organizations in the context of finance?

Answer: A single individual overseeing all accounting processes

What does least privilege often require for successful implementation?

Answer: Regular review and update of employee access permissions

What is a key aspect of educating users about social engineering attacks?

Answer: Teaching skepticism towards unsolicited communications

Which of the following is NOT a typical component of personnel management best practices?

Answer: Providing unrestricted access to all employees

In operational security, why is it important to discuss sensitive information in secure areas?

Answer: It minimizes the risk of unauthorized disclosure.

Which of the following is a best practice for securing data in hybrid or remote work environments?

Answer: Employing VPNs for secure connections

What is an effective approach to the frequency of security training?

Answer: Using annual refresher trainings after initial training

How should the development of security training programs begin?

Answer: By assessing the organization's security landscape

Which practice helps in recognizing anomalous behavior among users?

Answer: Regularly updating users on behavioral norms

What essential element should users understand regarding remote work policies?

Answer: Specific procedures and guidelines for data security

Why is it important for organizations to remind users of their security responsibilities?

Answer: It enhances awareness of evolving threats.

    Study Notes

    Corporate Governance Structure

    • Shareholder owners delegate authority to an elected board of directors, which hires a CEO.
    • The CEO subsequently hires senior executives, forming a hierarchical structure which varies based on organizational size.
    • Publicly traded companies and nonprofits follow similar governance models; nonprofit board members are either elected by the membership or chosen by the existing board (a self-perpetuating board).
    • Privately owned entities have diverse governance models, often depending on ownership structure.

    Governance, Risk, and Compliance (GRC) Programs

    • GRC programs integrate governance, risk management, and compliance efforts within an organization.
    • Information security governance is an extension of corporate governance aimed at managing cybersecurity effectively.

    Types of Governance Structures

    • Centralized governance models impose a top-down approach, where a central authority enforces policies organization-wide.
    • Decentralized governance allows individual units to achieve cybersecurity objectives flexibly.
    • Understanding the difference between centralized and decentralized models is crucial for exam preparation.

    Internal Governance Framework

    • Governance structures may include various internal committees with subject matter experts (SMEs).
    • Regulatory agencies (e.g., U.S. Treasury) influence governance in sectors like banking.

    Information Security Policy Framework

    • An information security policy framework comprises multiple document types to define the organization’s cybersecurity program.
    • Document types include policies, standards, procedures, and guidelines, each serving different roles in cybersecurity management.

    Compensating Controls

    • Compensating controls provide alternative means to meet a control objective when the original control cannot be implemented as written (for example, isolating an outdated operating system on a restricted network when business software requires that version).
    • Commonly adopted by organizations to mitigate risk while maintaining compliance with standards such as PCI DSS, which provides a formal process for establishing and documenting compensating controls.
    • Compensating controls should be accompanied by a remediation plan for returning to compliance with the original control.

    Policy Monitoring and Revision

    • Ongoing policy monitoring assesses the effectiveness of security policies within the organization.
    • Documentation of changes in policy, procedures, and other relevant materials must be updated consistently.

    Personnel Management Best Practices

    • Employees need access to systems but must be managed to limit cybersecurity risks.
    • Implementing the principle of least privilege restricts permissions to the minimum required for job functions.

    Separation of Duties

    • Separation of duties prevents a single individual from possessing all privileges needed for sensitive tasks, reducing risk in critical functions like accounting.
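As an added example (not code from the original chapter or the quiz), the following Python script performs the kind of access review that the least-privilege and separation-of-duties notes above call for. It compares each user's actual entitlements with the baseline for their current roles to flag privilege creep (for example, permissions carried over from a previous position), and it checks for toxic combinations that would let one person control a sensitive process end to end. The role names, entitlement strings, toxic pairs and user records are constructed assumptions, not data from any real system.

```python
"""Access review for least privilege and separation of duties.

Added example; not part of the original study notes. Role baseline,
entitlement names, toxic pairs and user records are constructed for
illustration (assumptions, not a real organization's data).
"""
from dataclasses import dataclass

# Role baseline: the entitlements each job function legitimately needs.
ROLE_BASELINE = {
    "ap_clerk":     {"ap.invoice.enter", "erp.login"},
    "ap_manager":   {"ap.invoice.approve", "ap.payment.release", "erp.login"},
    "vendor_admin": {"vendor.create", "vendor.edit", "erp.login"},
    "helpdesk":     {"ad.password.reset", "ticketing.login"},
}

# Separation-of-duties rule: no single person may hold both halves of a pair,
# whatever roles they were granted through.
TOXIC_PAIRS = [
    ("vendor.create", "ap.payment.release"),     # create a vendor, then pay it
    ("ap.invoice.enter", "ap.invoice.approve"),  # enter and approve own invoice
]


@dataclass
class User:
    name: str
    roles: set          # roles the user holds today
    entitlements: set   # what the directory/ERP actually grants today


@dataclass
class Finding:
    user: str
    kind: str           # "privilege_creep" or "sod_violation"
    detail: tuple       # (entitlement,) or (entitlement_a, entitlement_b)


def review_user(user: User) -> list:
    """Return findings for one user: creep beyond the role baseline, then SoD."""
    allowed = set().union(*(ROLE_BASELINE.get(r, set()) for r in user.roles))
    findings = []
    # Privilege creep: anything granted that no current role justifies.
    for ent in sorted(user.entitlements - allowed):
        findings.append(Finding(user.name, "privilege_creep", (ent,)))
    # SoD: check the real grants, not the roles, so creep cannot hide a conflict.
    for a, b in TOXIC_PAIRS:
        if a in user.entitlements and b in user.entitlements:
            findings.append(Finding(user.name, "sod_violation", (a, b)))
    return findings


def review_all(users) -> list:
    out = []
    for u in users:
        out.extend(review_user(u))
    return out


def revocation_plan(findings) -> dict:
    """Map user -> entitlements to revoke to restore least privilege."""
    plan = {}
    for f in findings:
        if f.kind == "privilege_creep":
            plan.setdefault(f.user, set()).add(f.detail[0])
    return plan


# Constructed sample data: alice moved from AP clerk to AP manager and kept
# her old invoice-entry right; bob was given a "temporary" payment right.
SAMPLE_USERS = [
    User("alice", {"ap_manager"},
         {"ap.invoice.approve", "ap.payment.release", "erp.login", "ap.invoice.enter"}),
    User("bob", {"vendor_admin"},
         {"vendor.create", "vendor.edit", "erp.login", "ap.payment.release"}),
    User("carol", {"helpdesk"}, {"ad.password.reset", "ticketing.login"}),
]

if __name__ == "__main__":
    findings = review_all(SAMPLE_USERS)
    for f in findings:
        print(f"{f.user:6} {f.kind:16} {' + '.join(f.detail)}")
    print("revoke:", revocation_plan(findings))
```

Running the script lists two findings each for alice and bob and none for carol; the revocation plan names exactly the entitlements that no current role justifies, which is the list a manager would act on during a periodic access review or at a job change.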

    Security Awareness Training

    • Users should be trained to recognize social engineering attempts and respond appropriately to unsolicited requests for sensitive information.
    • Operational security practices must be taught for day-to-day operations, emphasizing access controls and confidentiality.

    Hybrid/Remote Work Security

    • Best practices for securing data in remote or hybrid work environments include VPN usage, secure Wi-Fi, and ensuring physical device security.

    Training Frequency and Development

    • Initial training is vital when onboarding new employees, with annual refresher courses recommended to stay updated on threats and policies.
    • Development of security training programs should begin with a thorough risk assessment, allowing tailored content for the organization's challenges.


    Description

    Test your knowledge on the hierarchy of corporate governance. This quiz will cover the roles of shareholders, boards of directors, CEOs, and management levels within an organization. Understand how authority and responsibilities are delegated in a corporate environment.
