Module 8: Governance and Compliance Quiz Answers

Explanation: The National Institute of Standards and Technologies (NIST) created the National Cybersecurity Workforce Framework to support organizations seeking cybersecurity professionals. The framework organizes cybersecurity work into seven categories:

• Operate and maintain – Provides the support, administration and maintenance required to ensure effective and efficient IT system performance and security.
• Protect and defend – Identifies, analyzes, and mitigates threats to internal systems and networks.
• Investigate – Investigates cybersecurity events and/or cyber-attacks involving IT resources.
• Collect and operate – Provides specialized denial and deception operations and collection of cybersecurity information.
• Analyze – Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
• Oversee and govern – Provides leadership, management, direction or development and advocacy so an organization may effectively conduct cybersecurity work.
• Securely provision – Conceptualizes, designs, procures or builds secure IT systems.

Explanation: IT security governance determines who is authorized to make decisions about cybersecurity risks within an organization. It demonstrates accountability and provides oversight to ensure that any risks are adequately mitigated and that security strategies are aligned with the organization’s business objectives and are compliant with regulations.

Explanation: System-specific policy: This type of policy is developed for specific devices or computer systems and aims to establish standardization for approved applications, software, operating system configurations, hardware and hardening countermeasures within an organization.

Explanation: Professional ethics are principles that govern the behavior of a person or group in a business environment. A cybersecurity specialist needs to understand both the law and the interest of the organization to be able to make right decisions.

Explanation: The Gramm-Leach-Bliley Act (GLBA) is a piece of legislation that mainly affects the financial industry. However, a portion of that legislation also provides opt-out provisions for individuals, putting them in control of how the information they share with an organization during a business transaction is used. The GLBA restricts information sharing with third party organizations.

Explanation: The Center for Internet Security (CIS) developed a set of critical security controls to help organizations with different levels of resources and expertise at their disposal to improve their cyber defenses.

Explanation: The Payment Card Industry Data Security Standard (PCI DSS) is a set of contractual rules that seek to protect payment cardholder payment data during a transaction and reduce fraud. In theory, the PCI DSS is a voluntary standard. However, in practice, any organization that stores, processes or transmits cardholder data that fails to comply with the PCI DSS standard may face significantly higher transaction fees, fines up to $500,000 and, in extreme circumstances, lose the ability to process payment cards.

Explanation: Enacted in 1986 as an amendment to the Comprehensive Crime Control Act of 1984, CFAA prohibits unauthorized access to computer systems. Knowingly accessing a government computer without permission or accessing any computer used in or affecting interstate or foreign commerce is a criminal offense. The Act also criminalizes the trafficking of passwords or similar access information, as well as knowingly transmitting a program, code or a command that results in damage.