5.2 – Regulations, Standards, and Frameworks

Questions and Answers

What does the GDPR focus on?

• Managing vulnerabilities in systems
• Providing guidelines for secure networks
• Protecting private information (correct)
• Preventing credit card fraud

What is the main purpose of PCI DSS?

• Ensuring websites follow GDPR
• Creating an EU policy
• Protecting credit card transactions (correct)
• Maintaining international laws

What is a key aspect of GDPR regarding private information?

• Allowing websites to gather information freely
• Putting control of data in individuals' hands (correct)
• Providing detailed credit card policies
• Exporting data outside the EU

Which organization administers the guidelines for PCI DSS?

Payment card industry (B)

What is the primary reason for an IT security professional to track compliance regulations closely?

To avoid fines that could amount to millions of dollars (D)

What action can individuals in the EU take under GDPR?

Control where their private information is stored (A)

Why is ongoing testing necessary under PCI DSS guidelines?

To maintain security controls for credit card data (A)

In addition to data security, what other aspect of an organization's business may have specific regulations associated with it?

Financial transactions (A)

Apart from fines, what other consequence can an organization face for not following compliance regulations?

Incarceration or jail time (A)

What potential penalty is highlighted as the worst-case scenario for an IT security professional if compliance regulations are not followed?

Loss of employment (C)

Where could compliance regulations be based according to the text?

National laws (D)

What is the significance of understanding the scope of compliance regulations for an organization?

To ensure proper adherence to regulations (B)

What is one of the challenges mentioned when it comes to implementing security frameworks?

Different organizations may have unique security requirements. (C)

Why are security frameworks valuable for IT security professionals?

They help in understanding security processes and guide in following them. (B)

What can security frameworks help in determining?

Tasks to undertake and prioritize. (D)

In what way can security frameworks assist in improving security processes?

By helping build security processes from scratch or enhancing existing ones. (A)

Why do organizations need to refer to security frameworks?

To understand and implement necessary security processes effectively. (B)

What role do compliance and regulations play in organizations' approach to cybersecurity?

Compliance and regulations guide organizations in setting up unique security requirements. (D)

What is the name of the suite of reports associated with trust services criteria or security controls?

SOC 2 (C)

What is the primary focus of a type I audit?

Examining controls at a specific date and time (C)

Which organization is responsible for creating the cloud controls matrix framework (CCM)?

CSA (C)

What is the minimum length requirement for a type II audit?

6 months (C)

What aspect of security controls does a SOC 2 audit typically focus on?

Firewalls and intrusion detection (C)

What type of organizations are more likely to undergo the series of audits described in the text?

Large organizations (D)

What is the purpose of the CIS critical security controls framework?

To assist smaller organizations with security posture (C)

What is a key advantage of the NIST RMF framework?

It contains six steps for system lifecycle management (D)

What distinguishes the NIST CSF framework from the NIST RMF framework?

CSF focuses on organizational cybersecurity approaches, while RMF emphasizes risk management (D)

Which International Organization for Standardization framework focuses on privacy management?

ISO/IEC 27701 (B)

What does the ISO/IEC 27002 framework provide?

A code of practice for information security controls (C)

Why might an organization consider the NIST CSF framework?

For implementing cybersecurity approaches in a commercial setting (A)

What distinguishes SSAE SOC 2 types I and II frameworks?

They are related to audits and from AICPA (C)

'Identify, protect, detect, respond, and recover' are part of which framework core?

NIST CSF (B)

Why is it important to follow hardening guidelines for servers and operating systems?

To prevent potential data leakage and unauthorized access. (D)

Where can you typically find detailed security information for very complex software implementations?

On websites, blogs, and manufacturer's resources. (A)

What is a common concern when it comes to web servers that are publicly facing?

Potential data leakage and unauthorized access. (B)

Why is it essential to have the right configurations in place for publicly accessible servers?

To prevent data leakage and unauthorized access. (C)

What might happen if a server's default configuration is left unchanged?

There may be a risk of providing unauthorized access or data leakage. (B)

What are hardening guides used for when configuring devices?

To enhance device security by enabling safe configurations. (D)

What is a key practice mentioned in a web server hardening guide to prevent information leakage?

Adding banner information and enabling directory browsing (D)

Why is it important to configure SSL for encrypted communication with a web server?

To ensure secure communication between clients and the server (D)

What should be the minimum password length and complexity for user accounts configured on operating systems?

Minimum password length and complexity (D)

Why is it important to constantly monitor security on a system through antivirus or anti-malware software?

To detect and prevent malicious activities (A)

What specific function does application server software serve in relation to a web server?

It isolates the web server from the data itself (D)

Why is it crucial to disable capabilities outside the scope of an application server in its configuration?

To ensure security by reducing attack surface (C)

What should be done to default authentication settings on networking infrastructure devices like switches and routers?

They should be altered from default to prevent unauthorized access (A)

Why are security patches critical for purpose-built networking devices like switches and routers?

They address vulnerabilities and enhance security (A)

What is the primary reason for regularly updating the operating system on networking infrastructure devices?

To apply the latest security patches (C)

Why is it recommended to configure application server software with limited access to the operating system?

To reduce the attack surface and enhance security (D)