Cybersecurity 2 Governance Quiz

Questions and Answers

What is the primary purpose of an Information Security Management System (ISMS)?

To ensure compliance with financial regulations

To increase employee productivity

To enhance customer satisfaction

To protect and manage an organization's information (correct)

Which of the following is NOT a benefit of ISO 27001?

Secure information in all forms

Ensure complete protection against all cyber attacks (correct)

Adapt to evolving security threats

Reduce costs associated with information security

How many controls are there in ISO 27001?

75

135

47

114 (correct)

Which of the following is a component of the NIST Cybersecurity Framework (CSF)?

Core cybersecurity outcomes

Which area does NOT fall under the ISO 27001 controls?

Quality assurance testing

What does an ISMS help organizations adapt to?

Evolving security threats

Which of the following describes the Core component of the NIST CSF?

It outlines cybersecurity goals in a hierarchical structure.

How does ISO 27001 help with the security of information?

By integrating security into everyday business practices

What are the potential consequences of a cyber attack on critical infrastructure?

Widespread disruption and chaos

What characteristic of cyber warfare makes it challenging to assign blame?

Attribution operates within a gray zone

How does the speed of cyber warfare compare to traditional warfare?

It happens much faster

What will future warfare likely incorporate?

Cyber and kinetic attacks, as well as information warfare

Which aspect of cyber warfare complicates legal considerations?

It operates within a gray zone

What is a key feature of attackers in cyber warfare?

They quickly develop new methods

What does the term 'multi-domain warfare' refer to?

The integration of various forms of attacks, including cyber

Which of the following is NOT an example of critical infrastructure likely targeted by cyber attacks?

Social media platforms

What is the main purpose of IT security governance?

To authorize decisions about cybersecurity risks

Who is responsible for ensuring compliance with policies and determining information classification?

Data Owner

Which role primarily ensures that data meets regulatory requirements and business needs?

Data Steward

What is a key responsibility of a Data Custodian?

Implementing security controls according to classification rules

What role does a Data Protection Officer hold within an organization?

Oversees the data protection strategy

Which of the following statements best describes a cybersecurity policy?

A high-level document outlining an organization's vision for cybersecurity

What is the role of a Data Processor in an organization?

Processes personal data on behalf of the data controller

What does effective IT security governance help align with an organization's objectives?

Security strategies and business objectives

What is the primary focus of the CIS Critical Security Controls framework?

Improving organizational security posture

Which of the following outlines the steps in the NIST Risk Management Framework?

Categorize, Select, Implement, Assess, Authorize, Monitor

What are the three major areas of the NIST Cybersecurity Framework?

Framework core, Implementation tiers, Profile

Which ISO standard is specifically related to information security management systems?

ISO IEC 27001

What distinguishes a type 1 audit from a type 2 audit in SSAE 18 / SOC 2?

Type 1 examines controls at a point in time, while type 2 assesses controls over several months.

What is the role of the Cloud Controls Matrix (CCM)?

To map controls to various standards and regulations for cloud security.

Which of the following statements about ISO IEC 27701 is true?

It is designed for privacy information management systems.

Which organization developed the Cloud Controls Matrix (CCM)?

Cloud Security Alliance

What is the primary focus of the GOVERN function in cybersecurity?

Establishing and monitoring cybersecurity policies and strategies

Which of the following is included in the IDENTIFY function?

Understanding the organization's current cybersecurity risks

How does the GOVERN function contribute to enterprise risk management?

By establishing the organization’s risk management expectations

What role does the IDENTIFY function play in relation to organizational policies?

It aims to inform improvement opportunities within policies and practices

In the context of the PROTECT function, which statement is accurate?

It involves the use of safeguards to address cybersecurity risks

What is an outcome of the GOVERN function?

Informing how to achieve other functions' outcomes

Which aspect is NOT associated with the IDENTIFY function?

Direct implementation of cybersecurity tools

What does the GOVERN function establish within an organization?

Cybersecurity risk management strategies and policies

Study Notes

Governance

• IT security governance dictates decision-making authority regarding cybersecurity risks within organizations.
• Ensures accountability and oversight in mitigating risks and aligning security strategies with business objectives and regulations.
• Data governance is critical for managing decisions about data within organizations.

Key Roles in Data Governance

• Data Owner: Ensures compliance with policies, classifies information assets, and sets access criteria.
• Data Controller: Determines purposes and methods for processing personal data.
• Data Processor: Processes personal data on behalf of the data controller.
• Data Custodian: Implements classification and security controls according to data owner rules.
• Data Steward: Ensures that data satisfies business needs and regulatory requirements.
• Data Protection Officer: Oversees the organization’s data protection strategy.

Cybersecurity Policies

• High-level documents outline an organization's vision, including goals, scope, and responsibilities for cybersecurity.
• Emphasize commitment to security and compliance with frameworks like:
  • CIS Critical Security Controls: Focuses on 20 essential security controls based on organization size.
  • NIST Risk Management Framework: Required for US federal agencies with six lifecycle steps: categorize, select, implement, assess, authorize, and monitor.
  • NIST Cybersecurity Framework: Designed for commercial use, incorporating core functions, implementation tiers, and profiles.
  • ISO/IEC Frameworks: Includes ISO 27001, 27002, 27701, and 31000 addressing various security and risk management standards.
  • SSAE 18 / SOC 2: Auditing standards with type 1 (single point in time) and type 2 (periodic evaluation) audits.
  • Cloud Controls Matrix: Aligns cloud security controls to standards and regulations.

ISO 27001 Overview

• Specifies requirements for an Information Security Management System (ISMS).
• ISMS protects and manages all forms of information and ensures compliance with information security regulations.

Benefits of ISO 27001

• Secures diverse information formats (digital, paper, cloud).
• Enhances resilience against cyberattacks and evolving threats.
• Minimizes risks from staff negligence and inadequate procedures.
• Ingrains security into daily business practices.

ISO 27001 Controls

• Comprises 114 controls across various security dimensions, including:
  • Physical access control and firewall policies.
  • Security staff awareness programs and threat monitoring procedures.
  • Incident management processes and data encryption.

NIST Cybersecurity Framework 2.0 (CSF)

• Aids organizations in managing cybersecurity risks and resilience.
• Core Components include:
  • Govern: Establishes risk management strategy and cybersecurity expectations.
  • Identify: Understands organizational assets and related cybersecurity risks.
  • Protect: Implements safeguards to manage identified risks.

Cyber Warfare Trends

• Targets critical infrastructure leading to widespread chaos.
• Operates in a gray zone complicating attribution and legal accountability.
• Advances at speeds faster than conventional warfare, with evolving attack methodologies.
• Future conflicts expected to merge cyber, kinetic, and information warfare tactics.

Description

This quiz focuses on IT security governance and its role in managing cybersecurity risks within an organization. Participants will explore key concepts related to authority, accountability, and oversight in the context of cybersecurity. Test your understanding of governance frameworks and best practices.