Chapter 16: Security Governance and Compliance

Key Phrase: "One way to comply"

Explanation:
Correct Answer (B): Joe is writing a guideline because the key phrase “one way” suggests a non-mandatory approach to compliance. Guidelines offer recommendations rather than enforceable rules.

Why others are wrong:

• A: Policy - Policies are mandatory and define required behaviors, which is not indicated in the scenario.

• C: Procedure - A procedure would involve a detailed step-by-step process, which isn’t described here.

• D: Standard - Standards are also mandatory and enforceable, but Joe is describing one option for compliance, not a strict requirement.

Key Phrase: "Compensating controls"

Explanation:
Correct Answer (A): PCI DSS compensating controls must meet the same rigor as the original control, but they cannot be used across different requirements. The original requirement must be met independently, and compensating controls should address gaps in specific requirements.

Why others are wrong:

• B: Controls must meet the intent of the original requirement - This is correct. Compensating controls should fulfill the original intent of the requirement.

• C: Controls must meet the rigor of the original requirement - This is also true; compensating controls should not be less rigorous than the original control.

• D: Compensating controls must provide a similar level of defense as the original requirement - This is correct as well. Compensating controls should offer an equivalent level of protection.

Key Phrase: "Personal information of EU residents"

Explanation:
Correct Answer (C): The General Data Protection Regulation (GDPR) governs the handling of personal data for residents of the European Union, imposing strict privacy requirements.

Why others are wrong:

• A: HIPAA - HIPAA applies to the healthcare industry and U.S. citizens' health data.

• B: FERPA - FERPA applies to educational institutions in the U.S. and governs student records, not personal data in general.

• D: PCI DSS - PCI DSS applies to payment card information, not general personal data privacy.

Key Phrase: "Core security functions"

Explanation:
Correct Answer (B): The NIST Cybersecurity Framework includes the following five core functions: Identify, Protect, Detect, Respond, and Recover. "Contain" is not one of them.

Why others are wrong:

• A: Identify - This is one of the five core functions: understanding assets, risks, and vulnerabilities.

• C: Respond - This is a core function: responding to detected cybersecurity events.

• D: Recover - This is a core function: restoring capabilities after a cybersecurity event.

Key Phrase: "Privacy controls"

Explanation:
Correct Answer (C): ISO 27701 specifically provides guidelines on privacy controls and how to integrate them with ISO 27001, which is focused on information security management.

Why others are wrong:

• A: ISO 27002 - ISO 27002 provides guidelines on the implementation of information security controls, not privacy-specific ones.

• B: ISO 27001 - ISO 27001 is focused on information security management systems, not specifically privacy.

• D: ISO 31000 - ISO 31000 provides guidelines on risk management, not privacy.

Key Phrase: "Approved by the CEO or high-level executive"

Explanation:
Correct Answer (D): Policies usually require approval from senior leadership, such as the CEO, because they are mandatory and set the direction for the organization’s security practices.

Why others are wrong:

• A: Standard - While standards are important, they often do not require CEO approval, though they do need executive endorsement.

• B: Procedure - Procedures are operational and often approved by department heads or managers, not necessarily the CEO.

• C: Guideline - Guidelines are optional and do not typically require high-level approval.

Key Phrase: "Umbrella agreement"

Explanation:
Correct Answer (C): An MSA (Master Service Agreement) is a long-term contract that outlines the general terms and conditions for all future work with a vendor, including security requirements. It serves as the overarching agreement, with project-specific details covered in statements of work (SOWs).

Why others are wrong:

• A: BPA - A BPA (Blanket Purchase Agreement) is typically used for purchasing goods and services in an ongoing relationship, not specifically for security terms.

• B: MOU - An MOU (Memorandum of Understanding) is a non-binding agreement that outlines general intentions but doesn't typically cover detailed security terms.

• D: SLA - An SLA (Service Level Agreement) focuses on service performance and quality, not overarching terms or security conditions.

Key Phrase: "Independent security benchmarks"

Explanation:
Correct Answer (B): The Center for Internet Security (CIS) is known for creating independent security benchmarks, such as the CIS Controls and CIS Benchmarks, which help organizations secure a wide range of hardware and software platforms.

Why others are wrong:

• A: Microsoft - Microsoft creates security guidelines but does not focus on independent benchmarks for a wide range of vendors.

• C: Cloud Security Alliance - The Cloud Security Alliance (CSA) focuses on security in cloud computing, not broad platform benchmarks.

• D: Cisco - Cisco provides security tools and recommendations, but it doesn’t create independent benchmarks for other vendors' platforms.

Key Phrase: "Schedule and coordinate changes"

Explanation:
Correct Answer (C): Maintenance windows are pre-scheduled times during which changes to information systems (such as updates or patches) are performed. These windows minimize disruption and ensure that systems are not altered during critical operations.

Why others are wrong:

• A: Impact analysis - Impact analysis is used to assess the potential effects of a change, but it doesn’t schedule or coordinate the changes themselves.

• B: Backout plans - A backout plan is a procedure for reversing a change if something goes wrong, not a method for scheduling changes.

D: Version control - Version control is used to manage different versions of software or documents, but it does not schedule or coordinate changes.

Key Phrase: "Typically found in information security policy"

Explanation:
Correct Answer (B): Specific technical details like AES-256 encryption are generally included in a security standard, not the overarching information security policy, which is more concerned with guiding principles and high-level requirements.

Why others are wrong:

• A: Statement of the importance of cybersecurity - This would be found in the information security policy, as it sets the tone and importance of cybersecurity in the organization.

• C: Delegation of authority - This is often included in a policy to clarify who is responsible for security decisions and actions.

• D: Designation of responsible executive - Policies typically identify the person or role responsible for ensuring the policy is followed.