Cybersecurity 2 Governance Quiz
40 Questions
Questions and Answers

What is the primary purpose of an Information Security Management System (ISMS)?

  • To ensure compliance with financial regulations
  • To increase employee productivity
  • To enhance customer satisfaction
  • To protect and manage an organization's information (correct)

Which of the following is NOT a benefit of ISO 27001?

  • Secure information in all forms
  • Ensure complete protection against all cyber attacks (correct)
  • Adapt to evolving security threats
  • Reduce costs associated with information security

How many controls are there in ISO 27001?

  • 75
  • 135
  • 47
  • 114 (correct)

Which of the following is a component of the NIST Cybersecurity Framework (CSF)?

  • Core cybersecurity outcomes (correct, option C)

Which area does NOT fall under the ISO 27001 controls?

  • Quality assurance testing (correct, option A)

What does an ISMS help organizations adapt to?

  • Evolving security threats (correct, option A)

Which of the following describes the Core component of the NIST CSF?

  • It outlines cybersecurity goals in a hierarchical structure. (correct, option B)

How does ISO 27001 help with the security of information?

  • By integrating security into everyday business practices (correct, option B)

What are the potential consequences of a cyber attack on critical infrastructure?

  • Widespread disruption and chaos (correct, option D)

What characteristic of cyber warfare makes it challenging to assign blame?

  • Attribution operates within a gray zone (correct, option D)

How does the speed of cyber warfare compare to traditional warfare?

  • It happens much faster (correct, option D)

What will future warfare likely incorporate?

  • Cyber and kinetic attacks, as well as information warfare (correct, option D)

Which aspect of cyber warfare complicates legal considerations?

  • It operates within a gray zone (correct, option D)

What is a key feature of attackers in cyber warfare?

  • They quickly develop new methods (correct, option C)

What does the term 'multi-domain warfare' refer to?

  • The integration of various forms of attacks, including cyber (correct, option A)

Which of the following is NOT an example of critical infrastructure likely targeted by cyber attacks?

  • Social media platforms (correct, option A)

What is the main purpose of IT security governance?

  • To authorize decisions about cybersecurity risks (correct, option C)

Who is responsible for ensuring compliance with policies and determining information classification?

  • Data Owner (correct, option C)

Which role primarily ensures that data meets regulatory requirements and business needs?

  • Data Steward (correct, option C)

What is a key responsibility of a Data Custodian?

  • Implementing security controls according to classification rules (correct, option D)

What role does a Data Protection Officer hold within an organization?

  • Oversees the data protection strategy (correct, option D)

Which of the following statements best describes a cybersecurity policy?

  • A high-level document outlining an organization's vision for cybersecurity (correct, option B)

What is the role of a Data Processor in an organization?

  • Processes personal data on behalf of the data controller (correct, option B)

What does effective IT security governance help align with an organization's objectives?

  • Security strategies and business objectives (correct, option D)

What is the primary focus of the CIS Critical Security Controls framework?

  • Improving organizational security posture (correct, option D)

Which of the following outlines the steps in the NIST Risk Management Framework?

  • Categorize, Select, Implement, Assess, Authorize, Monitor (correct, option B)

What are the three major areas of the NIST Cybersecurity Framework?

  • Framework core, Implementation tiers, Profile (correct, option B)

Which ISO standard is specifically related to information security management systems?

  • ISO IEC 27001 (correct, option D)

What distinguishes a type 1 audit from a type 2 audit in SSAE 18 / SOC 2?

  • Type 1 examines controls at a point in time, while type 2 assesses controls over several months. (correct, option A)

What is the role of the Cloud Controls Matrix (CCM)?

  • To map controls to various standards and regulations for cloud security. (correct, option A)

Which of the following statements about ISO IEC 27701 is true?

  • It is designed for privacy information management systems. (correct, option D)

Which organization developed the Cloud Controls Matrix (CCM)?

  • Cloud Security Alliance (correct, option A)

What is the primary focus of the GOVERN function in cybersecurity?

  • Establishing and monitoring cybersecurity policies and strategies (correct, option D)

Which of the following is included in the IDENTIFY function?

  • Understanding the organization's current cybersecurity risks (correct, option B)

How does the GOVERN function contribute to enterprise risk management?

  • By establishing the organization's risk management expectations (correct, option C)

What role does the IDENTIFY function play in relation to organizational policies?

  • It aims to inform improvement opportunities within policies and practices (correct, option D)

In the context of the PROTECT function, which statement is accurate?

  • It involves the use of safeguards to address cybersecurity risks (correct, option D)

What is an outcome of the GOVERN function?

  • Informing how to achieve other functions' outcomes (correct, option D)

Which aspect is NOT associated with the IDENTIFY function?

  • Direct implementation of cybersecurity tools (correct, option B)

What does the GOVERN function establish within an organization?

  • Cybersecurity risk management strategies and policies (correct, option D)

Flashcards

IT Security Governance

The decision-making framework for managing cybersecurity risks within an organization, ensuring accountability and alignment with business objectives.

Data Governance

The process of managing and controlling the use of data within an organization, ensuring compliance with policies and regulations.

Data Owner

The person responsible for classifying information assets, setting access criteria, and ensuring compliance with policies.

Data Controller

The entity that determines the purposes and means of processing personal data.

Data Processor

An entity that processes personal data on behalf of the data controller.

Data Custodian

The person responsible for implementing security controls and classification rules for data.

Data Steward

Ensures that data meets business needs and regulatory requirements.

Data Protection Officer (DPO)

Oversees the organization's data protection strategy, ensuring compliance with privacy regulations.

Cybersecurity Policy

A high-level document outlining an organization's vision, goals, and responsibilities for cybersecurity.

CIS Critical Security Controls

A set of 20 essential security controls, organized by priority, based on organization size.

NIST Risk Management Framework (RMF)

A framework mandated for US federal agencies, requiring six lifecycle steps to manage cybersecurity risks.

NIST Cybersecurity Framework (CSF)

A framework designed for commercial use, including core functions, implementation tiers, and profiles.

ISO/IEC Frameworks

A collection of standards addressing various security and risk management aspects, including ISO 27001, 27002, 27701, and 31000.

SSAE 18 / SOC 2

Auditing standards used to assess the effectiveness of controls and security practices, with type 1 (single point) and type 2 (periodic) audits.

Cloud Controls Matrix

A framework for aligning cloud security controls to standards and regulations.

ISO 27001

An international standard specifying requirements for an Information Security Management System (ISMS).

Information Security Management System (ISMS)

A comprehensive system designed to protect and manage sensitive information, ensuring compliance with regulations.

Benefits of ISO 27001

Includes enhanced security, resilience against cyberattacks, reduced risks from negligence, and integrated security practices.

ISO 27001 Controls

Comprises 114 security controls across various dimensions, including physical access, staff awareness, incident management, and encryption.

NIST Cybersecurity Framework 2.0 (CSF)

Assists organizations in managing cybersecurity risks and enhancing resilience.

Govern (CSF Core Component)

Establishes cybersecurity expectations, risk management strategy, and overall governance.

Identify (CSF Core Component)

Understanding organizational assets and related cybersecurity risks.

Protect (CSF Core Component)

Implementing safeguards to manage identified risks.

Cyber Warfare Trends

Targeted attacks on critical infrastructure, gray-zone operations, rapid evolution of attack methods, and convergence of warfare tactics.

Gray Zone Operations

Cyberattacks that make it difficult to attribute responsibility and accountability, blurring the lines between warfare and crime.

Cyber, Kinetic, and Information Warfare

The convergence of cyberattacks, physical attacks, and information manipulation to achieve strategic objectives.

Study Notes

Governance

  • IT security governance dictates decision-making authority regarding cybersecurity risks within organizations.
  • Ensures accountability and oversight in mitigating risks and aligning security strategies with business objectives and regulations.
  • Data governance is critical for managing decisions about data within organizations.

Key Roles in Data Governance

  • Data Owner: Ensures compliance with policies, classifies information assets, and sets access criteria.
  • Data Controller: Determines purposes and methods for processing personal data.
  • Data Processor: Processes personal data on behalf of the data controller.
  • Data Custodian: Implements classification and security controls according to data owner rules.
  • Data Steward: Ensures that data satisfies business needs and regulatory requirements.
  • Data Protection Officer: Oversees the organization’s data protection strategy.

Cybersecurity Policies

  • High-level documents outline an organization's vision, including goals, scope, and responsibilities for cybersecurity.
  • Emphasize commitment to security and compliance with frameworks like:
    • CIS Critical Security Controls: Focuses on 20 essential security controls based on organization size.
    • NIST Risk Management Framework: Required for US federal agencies with six lifecycle steps: categorize, select, implement, assess, authorize, and monitor.
    • NIST Cybersecurity Framework: Designed for commercial use, incorporating core functions, implementation tiers, and profiles.
    • ISO/IEC Frameworks: Includes ISO 27001, 27002, 27701, and 31000 addressing various security and risk management standards.
    • SSAE 18 / SOC 2: Auditing standards with type 1 (single point in time) and type 2 (periodic evaluation) audits.
    • Cloud Controls Matrix: Aligns cloud security controls to standards and regulations.

ISO 27001 Overview

  • Specifies requirements for an Information Security Management System (ISMS).
  • ISMS protects and manages all forms of information and ensures compliance with information security regulations.

Benefits of ISO 27001

  • Secures diverse information formats (digital, paper, cloud).
  • Enhances resilience against cyberattacks and evolving threats.
  • Minimizes risks from staff negligence and inadequate procedures.
  • Ingrains security into daily business practices.

ISO 27001 Controls

  • Comprises 114 controls across various security dimensions, including:
    • Physical access control and firewall policies.
    • Security staff awareness programs and threat monitoring procedures.
    • Incident management processes and data encryption.

NIST Cybersecurity Framework 2.0 (CSF)

  • Aids organizations in managing cybersecurity risks and resilience.
  • Core Components include:
    • Govern: Establishes risk management strategy and cybersecurity expectations.
    • Identify: Understands organizational assets and related cybersecurity risks.
    • Protect: Implements safeguards to manage identified risks.

Cyber Warfare Trends

  • Targets critical infrastructure, leading to widespread disruption and chaos.
  • Operates in a gray zone, complicating attribution and legal accountability.
  • Advances at speeds faster than conventional warfare, with rapidly evolving attack methodologies.
  • Future conflicts are expected to merge cyber, kinetic, and information warfare tactics.

Quiz Team

Description

This quiz focuses on IT security governance and its role in managing cybersecurity risks within an organization. Participants will explore key concepts related to authority, accountability, and oversight in the context of cybersecurity. Test your understanding of governance frameworks and best practices.