Cybersecurity Essentials Module 8 Quiz Answers
Module 8: Governance and Compliance Quiz Question Answers
1. Which of the following measures can an organization implement to manage user threats?
- Conduct post-configuration penetration tests
- Implement LAN server configuration standards
- Disable internal USB ports
- Implement IPS
2. The ability to carry out highly specialized review and evaluation of incoming cybersecurity information to determine if it is useful for intelligence is covered in what category of the National Cybersecurity Workforce Framework?
- Security provision
- Oversight and development
- Protect and defend
Explanation: The National Institute of Standards and Technologies (NIST) created the National Cybersecurity Workforce Framework to support organizations seeking cybersecurity professionals. The framework organizes cybersecurity work into seven categories:
- Operate and maintain – Provides the support, administration and maintenance required to ensure effective and efficient IT system performance and security.
- Protect and defend – Identifies, analyzes, and mitigates threats to internal systems and networks.
- Investigate – Investigates cybersecurity events and/or cyber-attacks involving IT resources.
- Collect and operate – Provides specialized denial and deception operations and collection of cybersecurity information.
- Analyze – Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
- Oversee and govern – Provides leadership, management, direction or development and advocacy so an organization may effectively conduct cybersecurity work.
- Securely provision – Conceptualizes, designs, procures or builds secure IT systems.
3. What is the primary goal of IT security governance?
- To provide a set of policies and procedures to manage sensitive data
- To provide oversight to ensure that risks are adequately mitigated
- To define a set of controls that an organization should implement
- To make decisions to mitigate risk
Explanation: IT security governance determines who is authorized to make decisions about cybersecurity risks within an organization. It demonstrates accountability and provides oversight to ensure that any risks are adequately mitigated and that security strategies are aligned with the organization’s business objectives and are compliant with regulations.
4. Matching. Select from lists and then submit.
Match the data governance role to the correct function.
- Oversees an organization’s data protection strategy – Data protection officer
- Processes personal data on behalf of the data controller – Data processor
- Ensures compliance with policies and procedures – Data owner
- Determines the purposes and means of personal data processing – Data controller
- Implements the classification and security controls for data – Data custodian
5. An organization does not have policies in place to establish standardization for approved applications and operating system configurations. What type of policies does it need to develop?
- System-specific policies
- Issue-specific policies
- A master cybersecurity policy
- Acceptable use policies
Explanation: System-specific policy: This type of policy is developed for specific devices or computer systems and aims to establish standardization for approved applications, software, operating system configurations, hardware and hardening countermeasures within an organization.
6. Cybersecurity professionals may have access to sensitive data. What one factor should they understand to help them make informed ethical decisions in relation to this data?
- Cloud provider agreements
- A potential bonus
- Partnerships with third parties
- Laws governing the data
Explanation: Professional ethics are principles that govern the behavior of a person or group in a business environment. A cybersecurity specialist needs to understand both the law and the interest of the organization to be able to make right decisions.
7. What law protects the privacy of an employee’s personal information from being shared with third parties?
Explanation: The Gramm-Leach-Bliley Act (GLBA) is a piece of legislation that mainly affects the financial industry. However, a portion of that legislation also provides opt-out provisions for individuals, putting them in control of how the information they share with an organization during a business transaction is used. The GLBA restricts information sharing with third party organizations.
8. Which of the following frameworks identifies controls based on the latest information about common cyber attacks and provides benchmarks for various platforms?
- The National Cybersecurity Workforce
Explanation: The Center for Internet Security (CIS) developed a set of critical security controls to help organizations with different levels of resources and expertise at their disposal to improve their cyber defenses.
9. Which industry-specific law governs payment card data protection?
Explanation: The Payment Card Industry Data Security Standard (PCI DSS) is a set of contractual rules that seek to protect payment cardholder payment data during a transaction and reduce fraud. In theory, the PCI DSS is a voluntary standard. However, in practice, any organization that stores, processes or transmits cardholder data that fails to comply with the PCI DSS standard may face significantly higher transaction fees, fines up to $500,000 and, in extreme circumstances, lose the ability to process payment cards.
10. What federal act law would an individual be subject to if they knowingly accessed a government computer without permission?
Explanation: Enacted in 1986 as an amendment to the Comprehensive Crime Control Act of 1984, CFAA prohibits unauthorized access to computer systems. Knowingly accessing a government computer without permission or accessing any computer used in or affecting interstate or foreign commerce is a criminal offense. The Act also criminalizes the trafficking of passwords or similar access information, as well as knowingly transmitting a program, code or a command that results in damage.