Security Governance and Operational Agreements

Questions and Answers

What characterizes transient cookies?

• Available after the session has ended.
• Sent to multiple domains if allowed.
• Stored on the machine’s hard disk drive.
• Stored in memory and discarded during session teardown. (correct)

What is a key feature of secure cookies?

• They can be transmitted in clear text.
• They are shared across different domains.
• They expire immediately after session teardown.
• They must be supported by the web browser to be effective. (correct)

Which type of control is designed to identify and react to incidents that have already occurred?

• Compensating control
• Preventative control
• Detective control (correct)
• Corrective control

What results can arise from non-compliance with regulations?

Sanctions and fines (B)

What is an essential aspect of effective patch management?

Testing patches in a sandboxed environment prior to deployment. (B)

What is the primary purpose of governance in security management?

To provide strategy and direction (D)

Which best describes centralized patch management?

A server pushes patches to endpoint devices. (A)

What is the primary purpose of sandboxing?

To isolate a component from other operational components. (B)

Which document type outlines the step-by-step instructions for completing tasks within an organization?

Procedures (D)

Which component of security governance is mainly responsible for overseeing mission fulfillment in an organization?

Committee (D)

How does decentralized patch management function?

Clients pull patches from a vendor’s repository. (D)

Which of the following methods is NOT typically part of patch management?

Rolling out patches in a single phase. (B)

Which type of policy defines how an organization manages and protects its information assets?

Information Security Policy (B)

What is the focus of a Privacy Policy within an organization?

Expectations of privacy regarding employees (B)

What is the role of attestation services in patch management?

Provide a means to query running module hashes. (C)

Which type of control provides a backup mechanism to help mitigate risks in security management?

Compensating control (B)

What is one potential outcome of receiving punitive actions for non-compliance?

Damage to reputation (D)

Which type of control is specifically aimed at preventing security incidents from occurring in the first place?

Preventative control (B)

What is the primary objective of the Change Management procedures?

To manage changes without increasing risk (D)

Which agreement establishes a comprehensive legal relationship between a service provider and a customer/client?

Master Service Agreement (MSA) (C)

What is the role of the Data Privacy Officer (DPO) under GDPR?

To protect data subject information in compliance with GDPR (C)

Which is NOT a data protection method mentioned in the content?

Data Backup (D)

What type of data does the term 'regulated data' refer to?

Data that is required to be protected by government or industry regulation (A)

Which document method emphasizes actions to be performed within a project?

Work Order (WO) (B)

What characterizes a Memorandum of Understanding (MOU)?

An informal understanding that lacks legal weight (A)

Which of the following is NOT a method for risk identification?

Social media monitoring (A)

Which classification label corresponds to 'Medium' criticalness?

Sensitive (D)

What is the typical outcome of the usage phase in the information life-cycle model?

Information in an unencrypted state (D)

What is the primary purpose of offboarding procedures?

Recouping allocated resources during employment termination (B)

In the Change Management approval process, what is established during change approval?

Version control and testing of the change (A)

Which of the following is NOT a type of operational agreement mentioned?

Operational Plan (OP) (C)

What is the main purpose of risk management?

To enhance strategic, long-term success by managing risks (B)

Which of these roles is NOT involved as per the data policy components?

Data facilitator (C)

What is a risk register primarily used for?

Identifying, tracking, and assigning risks within an organization (C)

How is the likelihood in a risk matrix primarily assessed?

Based on statistics and historical threat data (D)

What type of risk assessment occurs on a regular schedule due to contractual or regulatory requirements?

Recurring risk assessment (A)

Which of the following describes the qualitative risk analysis?

It is based on human opinion or judgment. (C)

What is a disadvantage of quantitative risk analysis?

It requires numerical values that may obscure certain risks. (C)

What formula represents Single Loss Expectancy (SLE)?

SLE = Asset Value * Exposure Factor (B)

When an incident causes a building worth $1,000,000 to suffer a 70% loss, what is the Single Loss Expectancy (SLE)?

$700,000 (C)

What is a key risk indicator?

A signal that an emerging risk trend may affect the organization (C)

Which risk management approach aims to minimize loss as much as possible?

Conservative (A)

What does the term 'risk tolerance' refer to?

The maximum loss a company can accept without action (D)

What happens to risks that fall below the risk threshold?

They are ignored altogether. (D)

Which protocol is primarily used for key generation and distribution in WLAN?

802.1X (D)

What is the frequency range used by the 802.11b protocol?

2.4 GHz (A)

Which encryption protocol is used by WPA2 for message confidentiality?

AES-128 (D)

What is the maximum bandwidth of the 802.11ac protocol?

3.5 Gbps (C)

Which feature is specific to WPA3 compared to WPA2?

192-bit AES key size (A)

What modulation technique is used in 802.11n?

OFDM (C)

When does the data transference phase occur in WLAN?

After key generation and distribution (A)

Which authentication method is part of WPA2's mutual authentication process?

EAP-TLS (A)

What is a characteristic of the Bluetooth Host Controller Interface (HCI)?

It enables wireless communication (D)

Which of the following protocols is NOT part of WPA3's mutual authentication?

PSK (C)

Study Notes

### Security Governance

• Organizational policies focus on information security, privacy, acceptable usage, employment, and change management.
• Regulatory compliance is verified through internal and external audits.
• Non-compliance can lead to significant consequences, including sanctions, fines, and reputational damage.
• Governance structure includes management (board and committees) and government agencies.
• Security hierarchy of documents includes policies, standards, procedures, and guidelines.
• Organizational policies include:
  • Information Security policy: defines how an organization manages and protects information.
  • Privacy policy: defines employee privacy expectations.
  • Acceptable Use Policy (AUP): defines acceptable use of company resources.
  • Employment policy: covers employee-employer lifecycle.
  • Change Management policy: defines change management approach, roles, and responsibilities.

Operational Agreements

• Operational agreements include Master Service Agreements (MSA), Service-Level Agreements (SLA), Statement of Work (SoW) / Work Order (WO), Business Partnership Agreement (BPA), Non-Disclosure Agreement (NDA), Memorandum of Agreement (MOA), and Memorandum of Understanding (MOU).

Data Policy

• Data policy components include roles and responsibilities, like data owner, data custodian/steward, data controller, and data processor.
• The General Data Protection Regulation (GDPR) defines data subject, Data Privacy Officer (DPO), and their responsibilities.
• The information lifecycle model encompasses creation, processing, dissemination, usage, storage, and disposal of data.

Asset Management

• Asset management involves maintaining positive control throughout the asset's lifetime.
• Steps include:
  • Acquisition and procurement
  • Assignment and accountability
  • Asset monitoring and tracking
  • Decommissioning and disposal

Risk Management

• Risk management involves identifying, monitoring, and reducing risk to an acceptable level.
• Management establishes risk appetite, which can be expansionary, neutral, or conservative.
• Risk tolerance defines the acceptable variance in business objective performance.
• Risk Identification methods include process analysis, interviews, asset tracking, cognitive computing, and workshops.
• Risk assessment can be one-time, ad hoc, recurring, or continuous.
• Qualitative risk analysis relies on human judgment and opinions, offering insights into the impact beyond financial implications.
• Quantitative risk analysis utilizes numerical values for impact and likelihood, supporting cost-benefit analysis.
• Single Loss Expectancy (SLE) and Annualized Loss Expectancy (ALE) are used to quantify financial risk.

Secure Cookies

• Secure cookies are configured to prevent them being sent to a domain other than the originator.
• Server configuration settings ensure cookies aren't sent in clear text.
• Success depends on browser support.

Patch Management

• Patch management involves updating the security baseline of firmware, applications, or operating systems to address vulnerabilities and introduce new features.
• Patches can be deployed through centralized or decentralized management systems.
• Effective patch management requires careful monitoring and tracking of deployed patches.

Sandboxing

• Sandboxing creates a controlled environment to isolate components from other operational components.
• Sandboxing restricts access to system resources like memory and storage locations.
• Sandboxing techniques include firewall ACLs, hypervisors, memory managers, and physical isolation.

Bluetooth Technology

• Laptops and controllers communicate over an ad hoc network via the Bluetooth Host Controller Interface (HCI)
• The latest versions of Bluetooth use AES-CCM for frame confidentiality and authenticity
• Bluetooth Secure Authentication uses HMAC-SHA256 with mutual authentication

Wireless Local Area Network (WLAN)

• IEEE 802.11 WLAN protocols deliver data, management, and control frames
• WLAN phases include discovery, authentication, key generation/distribution, data transference, and termination
• Discovery uses management frames like beacon and association frames
• Authentication uses protocols like 802.1X and EAP
• Data-in-transit protection protocols are used during data transference

Wireless Site Survey

• Wi-Fi analyzer, monitor mode, and signal quality assessments are used during this phase
• RFI heat maps are used for assessing radio frequency interference

Wireless Network Protocols and Frequencies

• 802.11a: 5 GHz, 54 Mbps, OFDM modulation
• 802.11b: 2.4 GHz, 11 Mbps, DSSS modulation
• 802.11g: 2.4 GHz, 54 Mbps, OFDM/DSSS modulation
• 802.11n: 2.4 GHz & 5 GHz, 600 Mbps, OFDM/DSSS modulation
• 802.11ac: 5 GHz, 3.5 Gbps, QAM/OFDM/DSSS modulation
• 802.11ax: 2.4 GHz & 5 GHz, 9.6 Gbps, QAM/OFDM/DSSS modulation

Wi-Fi Protected Access (WPA)

• WPA2 is NIST FIPS 140-2 compliant and uses CCMP with AES encryption
• CCMP uses CBC-MAC for packet authenticity and AES-128 for message confidentiality
• WPA2 supports mutual authentication through EAP protocols such as EAP-TLS, PEAP, EAP-TTLS, and EAP-FAST
• WPA3 requires Wi-Fi certification and authenticates AP and client before association
• WPA3 uses IEEE 802.11w Management Frame Protection (MFP)
• CCMP provides data origin authentication and replay protection
• WPA3 uses SAE in personal mode and 128-bit AES key size
• WPA3 enterprise mode uses 192-bit AES key size and supports EAP-TLS, PEAP, and EAP-TTLS

Network Switch Monitoring

• In order to monitor all network traffic passing through a switch, a configuration must be made to the switch to enable mirroring.
• Mirroring allows the switch to send a copy of all network traffic to a monitoring device for analysis.
• This can be used for security, troubleshooting, and performance monitoring.

Description

This quiz covers key concepts in security governance, including organizational policies on information security, privacy, and change management. Additionally, it highlights the importance of regulatory compliance and the hierarchical structure of security documentation. Test your knowledge on how governance impacts organizational practices and operational agreements.