Chapter 4

Governance and Risk Management

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

  • Define governance.

  • Explain cybersecurity governance and NIST’s Cybersecurity Framework.

  • Explain the importance of strategic alignment.

  • Know how to manage cybersecurity policies.

  • Describe cybersecurity-related roles and responsibilities.

  • Identify the components of risk management.

  • Create policies related to cybersecurity policy, governance, and risk management.

NIST’s Cybersecurity Framework provides guidelines around the governance structure necessary to implement and manage cybersecurity policy operations, risk management, and incident handling across and outside of the organization. The framework was created to help protect the critical infrastructure of the United States, but it is used by many nongovernment organizations to build a strong cybersecurity program.

This chapter also includes a discussion of risk management because it is a fundamental aspect of governance, decision making, and policy. The NIST Cybersecurity Framework includes several references to ISO/IEC standards, as well as other sources for organizations to help create an appropriate risk management process. In the case of the ISO/IEC standards, risk management is important enough that it warrants two sets of standards: ISO/IEC 27005 and ISO/IEC 31000. In addition, the Information Security Policies (ISO 27002:2013 Section 5) and Organization of Information Security (ISO 27002:2013 Section 6) are closely related, so we address all of these domains in this chapter.

Understanding Cybersecurity Policies

As described in Chapter 2, cybersecurity policies, standards, procedures, and plans exist for one reason—to protect the organization and, by extension, its constituents from harm. The objective of cybersecurity policies is threefold:

  • Cybersecurity directives should be codified in a written policy document.

  • It is important that management participate in policy development and visibly support the policy.

  • Management must strategically align cybersecurity with business requirements and relevant laws and regulations.

Internationally recognized security standards such as ISO 27002:2013 and the NIST Cybersecurity Framework can provide a framework, but ultimately each organization must construct its own security strategy and policy taking into consideration organizational objectives and regulatory requirements.

What Is Governance?

NIST defines governance as “the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.”

What Is Meant by Strategic Alignment?

The two approaches to cybersecurity are silo-based and integrated. A silo-based approach to cybersecurity assigns responsibility for being secure to the IT department, views compliance as discretionary, and has little or no organizational accountability. The silo-based approach is illustrated in Figure 4-1.

An illustration of the silo-based approach is shown.

FIGURE 4-1 Silo-Based Approach to Cybersecurity

An integrated approach recognizes that security and success are intertwined. The integrated approach is illustrated in Figure 4-2.

A figure represents the integrated approach to cybersecurity. A circle labeled Cybersecurity consists of five small circles labeled IT, Sales, Engineering, Services, and Finance.

FIGURE 4-2 Integrated Approach to Cybersecurity

One of the drawbacks of a silo-based approach is that organizational silos do not share the same priorities, goals, or even the same tools, so each silo or department operates as an individual business unit or entity within the enterprise. Silos occur because of how an organization is structured. Managers are responsible for one specific department within an organization, and each manager has different priorities, responsibilities, and vision. This can be problematic for a good cybersecurity program. Often, stakeholders are not aware of the priorities and goals of other departments, and there is little communication, collaboration, and teamwork among these business units.

When strategically aligned, security functions as a business enabler that adds value. Security is an expected topic of discussion among decision makers and is given the same level of respect as other fundamental drivers and influencing elements of the business. This doesn’t happen magically. It requires leadership that recognizes the value of cybersecurity, invests in people and processes, encourages discussion and debate, and treats security in the same fashion as every other business requirement. It also requires that cybersecurity professionals recognize that the true value of cybersecurity is protecting the business from harm and achieving organizational objectives. Visible management support coupled with written policy formalizes and communicates the organizational commitment to cybersecurity.

Regulatory Requirements

In an effort to protect the citizens of the United States, legislators recognized the importance of written cybersecurity policies. The following are a few examples of regulations that are related to cybersecurity and privacy:

  • Gramm-Leach-Bliley Act (GLBA)

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Sarbanes-Oxley (SOX)

  • Family Educational Rights and Privacy Act (FERPA)

  • Federal Information Systems Management Act (FISMA)

  • Payment Card Industry Data Security Standard (PCI DSS)—not a government regulation, but very relevant and with an international audience

  • The New York Department of Financial Services (DFS) Cybersecurity Regulation 23 NYCRR 500.

All the listed regulations and standards require covered entities to have in place written policies and procedures that protect their information assets. They also require the policies to be reviewed on a regular basis. Together, these legislative acts strengthened the protection of individuals’ private information and introduced governance requirements intended to reduce fraudulent reporting of corporate earnings.

Many organizations find that they are subject to more than one set of regulations. For example, publicly traded banks are subject to both GLBA and SOX requirements, whereas medical billing companies find themselves subject to both HIPAA and GLBA. Organizations that try to write their policies to match federal and state regulations find the task daunting. Fortunately, the regulations published to date have enough in common that a well-written set of cybersecurity policies based on a framework such as ISO 27002 can be mapped to multiple regulatory requirements. Policy administrative notations often include a cross-reference to specific regulatory requirements.

A good governance program examines the organization’s environment, operations, culture, and threat landscape against industry standard frameworks. It also aligns compliance to organizational risk and incorporates business processes. In addition, having good governance and appropriate tools allows you to measure progress against mandates and achieve compliance standards.

To have a strong cybersecurity program, you need to ensure business objectives take into account risk tolerance and that the resulting policies are accountable. Governance includes many types of policies. The sections that follow cover examples of the most relevant policies.

User-Level Cybersecurity Policies

Cybersecurity policies are governance statements written with the intent of directing the organization. Correctly written, policies can also be used as teaching documents that influence behavior. An Acceptable Use Policy document and corresponding agreement should be developed specifically for distribution to the user community. The Acceptable Use Policy should include only pertinent information and, as appropriate, explanations and examples. The accompanying agreement requires users to acknowledge that they understand their responsibilities and affirm their individual commitment.

Vendor Cybersecurity Policies

As we discuss in Chapter 8, “Communications and Operations Security,” companies can outsource work but not responsibility or liability. Vendors or business partners (often referred to as “third parties”) that store, process, transmit, or access information assets should be required to have controls that meet or, in some cases, exceed organizational requirements. One of the most efficient ways to evaluate vendor security is to provide them with a vendor version of organizational security policies and require them to attest to their compliance. The vendor version should contain only policies that are applicable to third parties and should be sanitized so as not to disclose any confidential information.

Cybersecurity Vulnerability Disclosure Policies

Vendors often create and publicly publish a vulnerability disclosure policy. This is a common practice among mature vendors (especially in the technology sector). In this policy the vendor explains how it receives, manages, fixes, and discloses security vulnerabilities in its products and services that could impact its customers. As an example, the following URL includes Cisco’s public security vulnerability policy:

https://www.cisco.com/c/en/us/about/security-center/security-vulnerability-policy.html

The following URL is another example—the CERT/CC vulnerability disclosure policy:

http://www.cert.org/vulnerability-analysis/vul-disclosure.cfm

Client Synopsis of Cybersecurity Policies

In this context, client refers to companies to which an organization provides services. A synopsis of the cybersecurity policy should be available upon request to clients. As applicable to the client base, the synopsis could be expanded to incorporate incident response and business continuity procedures, notifications, and regulatory cross-references. The synopsis should not disclose confidential business information unless the recipients are required to sign a nondisclosure agreement.

In Practice

Cybersecurity Policy

Synopsis: The organization is required to have a written cybersecurity policy and supporting documents.

Policy Statement:

  • The company must have written cybersecurity policies.

  • Executive management is responsible for establishing the mandate and general objectives of the cybersecurity policy.

  • The policies must support organizational objectives.

  • The policies must comply with relevant statutory, regulatory, and contractual requirements.

  • The policies must be communicated to all relevant parties both within and external to the company.

  • As applicable, standards, guidelines, plans, and procedures must be developed to support the implementation of policy objectives and requirements.

  • For the purpose of educating the workforce, user-level documents will be derived from the cybersecurity policy, including but not limited to Acceptable Use Policy, Acceptable Use Agreement, and Information Handling Instructions.

  • Any cybersecurity policy distributed outside the organization must be sanitized.

  • All documentation will be retained for a period of six years from the last effective date.

FYI: Policy Hierarchy Refresher

  • Guiding principles are the fundamental philosophy or beliefs of an organization and reflect the kind of company an organization seeks to be. The policy hierarchy represents the implementation of guiding principles.

  • Policies are directives that codify organizational requirements.

  • Standards are implementation specifications.

  • Baselines are an aggregate of minimum implementation standards and security controls for a specific category or grouping.

  • Guidelines are suggested actions or recommendations.

  • Procedures are instructions.

  • Plans are strategic and tactical guidance used to execute an initiative or respond to a situation, within a certain timeframe, usually with defined stages and with designated resources.

Who Authorizes Cybersecurity Policy?

A policy is a reflection of the organization’s commitment, direction, and approach. Cybersecurity policies should be authorized by executive management. Depending on the size, legal structure, and/or regulatory requirements of the organization, executive management may be defined as owners, directors, or executive officers.

Because executive management is responsible for and can be held legally liable for the protection of information assets, it is incumbent upon those in leadership positions to remain invested in the proper execution of the policy as well as the activities of oversight that ensure it. The National Association of Corporate Directors (NACD), the leading membership organization for Boards and Directors in the U.S., recommends five essential principles:

  • Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

  • Understand the legal implications of cyber risks.

  • Boards should have adequate access to cybersecurity expertise; cyber-risk management should be given adequate time on board agendas.

  • Directors should set expectations that management will establish an enterprise cyber-risk management framework.

  • Boards need to discuss details of cyber-risk management and risk treatment.

Policies should be reviewed at planned intervals to ensure their continuing suitability, adequacy, and effectiveness.

FYI: Director’s Liability and Duty of Care

In tort law, duty of care is a legal standard applied to directors and officers of a corporation. In 1996, the shareholders of Caremark International, Inc., brought a derivative action, alleging that the Board of Directors breached its duty of care by failing to put in place adequate internal control systems. In response, the Delaware court defined a multifactor test designed to determine when duty of care is breached:

  • The directors knew or should have known that violations of the law were occurring, and

  • The directors took no steps in a good faith effort to prevent or remedy the situation, and

  • Such failure proximately resulted in the losses complained of.

According to the firm of Orrick, Herrington, and Sutcliffe, LLP, “in short, as long as a director acts in good faith, as long as she exercises proper due care and does not exhibit gross negligence, she cannot be held liable for failing to anticipate or prevent a cyber-attack. However, if a plaintiff can show that a director failed to act in the face of a known duty to act, thereby demonstrating a conscious disregard for [her] responsibilities, it could give rise to a claim for breach of fiduciary duty.”

What Is a Distributed Governance Model?

It is time to bury the myth that “security is an IT issue.” Security is not an isolated discipline and should not be siloed. Designing and maintaining a secure environment that supports the mission of the organization requires enterprise-wide input, decision making, and commitment. The foundation of a distributed governance model is the principle that stewardship is an organizational responsibility. Effective security requires the active involvement, cooperation, and collaboration of stakeholders, decision makers, and the user community. Security should be given the same level of respect as other fundamental drivers and influencing elements of the business.

Chief Information Security Officer (CISO)

Even in the most security-conscious organization, someone still needs to provide expert leadership. That is the role of the CISO. As a member of the executive team, the CISO is positioned to be a leader, teacher, and security champion. The CISO coordinates and manages security efforts across the company, including IT, human resources (HR), communications, legal, facilities management, and other groups, as shown in Figure 4-3.

A figure represents CISO Interactions with the rest of the company.

FIGURE 4-3 CISO Interactions with the Rest of the Company

The most successful CISOs successfully balance security, productivity, and innovation. The CISO must be an advocate for security as a business enabler while being mindful of the need to protect the organization from unrecognized harm. The CISO must be willing to not be the most popular person in the room. This position generally reports directly to a senior functional executive (CEO, COO, CFO, General Counsel) and should have an unfiltered communication channel to the Board of Directors.

In smaller organizations, this function is often vested in the non-executive-level position of Information Security Officer (ISO). A source of conflict in many companies is to whom the ISO should report and whether the ISO should be a member of the IT team. It is not uncommon or completely out of the question for the position to report to the CIO. However, this chain of command can raise questions concerning adequate levels of independence. To ensure appropriate segregation of duties, the ISO should report directly to the Board or to a senior officer with sufficient independence to perform assigned tasks. Security officers should not be assigned operational responsibilities within the IT department. They should have sufficient knowledge, background, and training, as well as a level of authority that enables them to adequately and effectively perform their assigned tasks. Security decision making should not be a singular task. Supporting the CISO or ISO should be a multidisciplinary committee that represents functional and business units.

In Practice

CISO Policy

Synopsis: To define the role of the CISO as well as the reporting structure and lines of communication.

Policy Statement:

  • The COO will appoint the CISO.

  • The CISO will report directly to the COO.

  • At his or her discretion, the CISO may communicate directly with members of the Board of Directors.

  • The CISO is responsible for managing the cybersecurity program, ensuring compliance with applicable regulations and contractual obligations, and working with business units to align cybersecurity requirements and business initiatives.

  • The CISO will function as an internal consulting resource on cybersecurity issues.

  • The CISO will chair the Cybersecurity Steering Committee.

  • The CISO will be a standing member of the Incident Response Team and the Continuity of Operations Team.

  • Quarterly, the CISO will report to the executive management team on the overall status of the cybersecurity program. The report should discuss material matters, including such issues as risk assessment, risk management, control decisions, service provider arrangements, results of testing, security breaches or violations, and recommendations for policy changes.

Cybersecurity Steering Committee

Creating a culture of security requires positive influences at multiple levels within an organization. Having a Cybersecurity Steering Committee provides a forum to communicate, discuss, and debate security requirements and business integration. Typically, members represent a cross-section of business lines or departments, including operations, risk, compliance, marketing, audit, sales, HR, and legal. In addition to providing advice and counsel, their mission is to spread the gospel of security to their colleagues, coworkers, subordinates, and business partners.

In Practice

Cybersecurity Steering Committee Policy

Synopsis: The Cybersecurity Steering Committee (ISC) is tasked with supporting the cybersecurity program.

Policy Statement:

  • The Cybersecurity Steering Committee serves in an advisory capacity in regard to the implementation, support, and management of the cybersecurity program, alignment with business objectives, and compliance with all applicable state and federal laws and regulations.

  • The Cybersecurity Steering Committee provides an open forum to discuss business initiatives and security requirements. Security is expected to be given the same level of respect as other fundamental drivers and influencing elements of the business.

  • Standing membership will include the CISO (Chair), the COO, the Director of Information Technology, the Risk Officer, the Compliance Officer, and business unit representatives. Adjunct committee members may include but are not limited to representatives of HR, training, and marketing.

  • The Cybersecurity Steering Committee will meet on a monthly basis.

Organizational Roles and Responsibilities

In addition to the CISO and the Cybersecurity Steering Committee, distributed throughout the organization are a variety of roles that have cybersecurity-related responsibilities. For example:

  • Compliance Officer: Responsible for identifying all applicable cybersecurity-related statutory, regulatory, and contractual requirements.

  • Privacy Officer: Responsible for the handling and disclosure of data as it relates to state, federal, and international law and customs.

  • Internal audit: Responsible for measuring compliance with Board-approved policies and for ensuring that controls are functioning as intended.

  • Incident response team: Responsible for responding to and managing security-related incidents.

  • Data owners: Responsible for defining protection requirements for the data based on classification, business need, legal, and regulatory requirements; reviewing the access controls; and monitoring and enforcing compliance with policies and standards.

  • Data custodians: Responsible for implementing, managing, and monitoring the protection mechanisms defined by data owners and notifying the appropriate party of any suspected or known policy violations or potential endangerments.

  • Data users: Are expected to act as agents of the security program by taking reasonable and prudent steps to protect the systems and data they have access to.

Each of these responsibilities should be documented in policies, job descriptions, or employee manuals.

Evaluating Cybersecurity Policies

Directors and executive management have a fiduciary obligation to manage the company in a responsible manner. It is important that they be able to accurately gauge adherence to policy directives, the effectiveness of cybersecurity policies, and the maturity of the cybersecurity program. Standardized methodologies such as audits and maturity models can be used as evaluation and reporting mechanisms. Organizations may choose to conduct these evaluations using in-house personnel or engage independent third parties. The decision criteria include the size and complexity of the organization, regulatory requirements, available expertise, and segregation of duties. To be considered independent, assessors should not be responsible for, benefit from, or have in any way influenced the design, installation, maintenance, and operation of the target, or the policies and procedures that guide its operation.

Audit

A cybersecurity audit is a systematic, evidence-based evaluation of how well the organization conforms to such established criteria as Board-approved policies, regulatory requirements, and internationally recognized standards, such as the ISO 27000 series. Audit procedures include interviews, observation, tracing documents to management policies, review of practices, review of documents, and tracing data to source documents. An audit report is a formal opinion (or disclaimer) of the audit team based on predefined scope and criteria. Audit reports generally include a description of the work performed, any inherent limitations of the work, detailed findings, and recommendations.

FYI: Certified Cybersecurity Auditor (CISA)

The CISA certification is granted by ISACA (previously known as the Information Systems Audit and Control Association) to professionals who have demonstrated a high degree of audit-related knowledge and have verifiable work experience. The CISA certification is well respected across the globe, and the credibility of its continuing professional education (CPE) program ensures that CISA-certified professionals maintain their skill set. The American National Standards Institute (ANSI) accredited the CISA certification program under ISO/IEC 17024:2003: General Requirements for Bodies Operating Certification Systems of Persons. For more information about ISACA certification, visit www.isaca.org.

Capability Maturity Model

A capability maturity model (CMM) is used to evaluate and document process maturity for a given area. The term “maturity” relates to the degree of formality and structure, ranging from ad hoc to optimized processes. Funded by the United States Air Force, the CMM was developed in the mid-1980s at the Carnegie Mellon University Software Engineering Institute. The objective was to create a model for the military to use to evaluate software development. It has since been adopted for subjects as diverse as cybersecurity, software engineering, systems engineering, project management, risk management, system acquisition, information technology (IT) services, and personnel management. The NIST Cybersecurity Framework can in some cases be considered a maturity model, or a “framework” against which to measure the maturity of your cybersecurity program.

As documented in Table 4-1, a variation of the CMM can be used to evaluate enterprise cybersecurity maturity. Contributors to the application of the model should possess intimate knowledge of the organization and expertise in the subject area.

TABLE 4-1 Capability Maturity Model (CMM) Scale

Level  State             Description
0      Nonexistent       The organization is unaware of the need for policies or processes.
1      Ad hoc            There are no documented policies or processes; there is sporadic activity.
2      Repeatable        Policies and processes are not fully documented; however, the activities occur on a regular basis.
3      Defined process   Policies and processes are documented and standardized; there is an active commitment to implementation.
4      Managed           Policies and processes are well defined, implemented, measured, and tested.
5      Optimized         Policies and processes are well understood and have been fully integrated into the organizational culture.

As Figure 4-4 illustrates, the result is easily expressed in a graphic format and succinctly conveys the state of the cybersecurity program on a per-domain basis. The challenge with any scale-based model is that sometimes the assessment falls in between levels, in which case it is perfectly appropriate to use gradations (such as 3.5). This is an effective mechanism for reporting to those responsible for oversight, such as the Board of Directors or executive management. Process improvement objectives are a natural outcome of a CMM assessment.

A horizontal bar graph depicts the Capability Maturity Model.

FIGURE 4-4 Capability Maturity Model (CMM) Assessment

The Board of Directors (or organizational equivalent) is generally the authoritative policy-making body and is responsible for overseeing the development, implementation, and maintenance of the cybersecurity program. The use of the term “oversee” is meant to convey the Board’s conventional supervisory role, leaving day-to-day responsibilities to management. Executive management should be tasked with providing support and resources for proper program development, administration, and maintenance, as well as ensuring strategic alignment with organizational objectives.

In Practice

Cybersecurity Policy Authorization and Oversight Policy

Synopsis: Cybersecurity policies must be authorized by the Board of Directors. The relevancy and the effectiveness of the policy must be reviewed annually.

Policy Statement:

  • The Board of Directors must authorize the cybersecurity policy.

  • An annual review of the cybersecurity policy must be conducted.

  • The Chief Information Security Officer (CISO) is responsible for managing the review process.

  • Changes to the policy must be presented to and approved by a majority of the Board of Directors.

  • The Chief Operating Officer (COO) and the CISO typically jointly present an annual report to the Board of Directors that provides them the information necessary to measure the organization’s adherence to the cybersecurity policy objectives and the maturity of the cybersecurity program.

  • When in-house knowledge is not sufficient to review or audit aspects of the cybersecurity policy, or if circumstances dictate independence, third-party professionals must be engaged.

Revising Cybersecurity Policies: Change Drivers

Because organizations change over time, policies need to be revisited. Change drivers are events that modify how a company does business. Change drivers can be any of the following:

  • Demographic

  • Economic

  • Technological

  • Regulatory

  • Personnel related

Examples of change drivers include company acquisition; new products, services, or technology; regulatory updates; entering into a contractual obligation; and entering a new market. Change can introduce new vulnerabilities and risks. Change drivers should trigger internal assessments and ultimately a review of policies. Policies should be updated accordingly and subject to reauthorization.

Let’s take a look at the example illustrated in Figure 4-5.

A figure represents an example of change drivers in cybersecurity policies.

FIGURE 4-5 Example of Change Drivers in Cybersecurity Policies

In Figure 4-5, two companies are shown (Company A and Company B). Company A acquired Company B. Company B never had the resources to create an appropriate cybersecurity governance structure and had never updated its cybersecurity policies. As a result, several vulnerable systems now present a risk for Company A. In this example, Company A extends its cybersecurity policies and program to completely replace those of Company B.

NIST Cybersecurity Framework Governance Subcategories and Informative References

The NIST Cybersecurity Framework includes several subcategories related to governance. The following are those subcategories:

  • ID.GV-1: Organizational information security policy is established.

  • ID.GV-2: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners.

  • ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.

  • ID.GV-4: Governance and risk management processes address cybersecurity risks.

Each subcategory related to governance has several informative references that can be beneficial to you when establishing your cybersecurity program and governance. The informative references (standards and guidelines) related to ID.GV-1 (organizational information security policy is established) are shown in Figure 4-6. The informative references include the standards and guidelines that you learned about in Chapter 3, “Cybersecurity Framework,” except the Control Objectives for Information and Related Technologies (COBIT). COBIT is a framework created by the international professional association ISACA for IT management and governance. It defines a set of controls organized around a logical framework of IT processes and enablers.

A figure represents informative references for the NIST Cybersecurity Framework ID.GV-1.

FIGURE 4-6 NIST Cybersecurity Framework ID.GV-1 Informative References

Figure 4-7 shows the informative references related to the ID.GV-2 subcategory.

A figure represents informative references for the NIST Cybersecurity Framework ID.GV-2.

FIGURE 4-7 NIST Cybersecurity Framework ID.GV-2 Informative References

Figure 4-8 shows the informative references related to the ID.GV-3 subcategory.

A figure represents informative references for the NIST Cybersecurity Framework ID.GV-3.

FIGURE 4-8 NIST Cybersecurity Framework ID.GV-3 Informative References

Figure 4-9 shows the informative references related to the ID.GV-4 subcategory.

A figure represents informative references for the NIST Cybersecurity Framework ID.GV-4.

FIGURE 4-9 NIST Cybersecurity Framework ID.GV-4 Informative References

Regulatory Requirements

The necessity of formally assigning cybersecurity-related roles and responsibilities cannot be overstated. The requirement has been codified in numerous standards, regulations, and contractual obligations—most notably the following:

  • Gramm-Leach-Bliley (GLBA) Section 314-4: “In order to develop, implement, and maintain your cybersecurity program, you shall (a) Designate an employee or employees to coordinate your cybersecurity program.”

  • HIPAA/HITECH Security Rule Section 164-308(a): “Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart [the Security Rule] for the entity.”

  • Payment Card Industry Data Security Standard (PCI DSS) Section 12.5: “Assign to an individual or team the following cybersecurity management responsibilities: establish, document, and distribute security policies and procedures; monitor and analyze security alerts and information, and distribute to appropriate personnel; establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations; administer user accounts, including additions, deletions, and modifications; monitor and control all access to data.”

  • 23 NYCRR 500: Cybersecurity Requirements for Financial Services Companies, Section 500.02: “Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.”

  • European Global Data Protection Regulation (GDPR): “The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”

  • European Directive on Security of Network and Information Systems (NIS Directive): “Member States preparedness by requiring them to be appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority, cooperation among all the Member States, by setting up a cooperation group, in order to support and facilitate strategic cooperation and the exchange of information among Member States. They will also need to set a CSIRT Network, in order to promote swift and effective operational cooperation on specific cybersecurity incidents and sharing information about risks, a culture of security across sectors which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Businesses in these sectors that are identified by the Member States as operators of essential services will have to take appropriate security measures and to notify serious incidents to the relevant national authority. Also key digital service providers (search engines, cloud computing services and online marketplaces) will have to comply with the security and notification requirements under the Directive.”

  • 201 CMR 17: Standards for the Protection of Personal Information of the Residents of the Commonwealth, Section 17.0.2: “Without limiting the generality of the foregoing, every comprehensive cybersecurity program shall include, but shall not be limited to: (a) Designating one or more employees to maintain the comprehensive cybersecurity program.”

Creating a culture of security requires positive influences at multiple levels within an organization. Security champions reinforce by example the message that security policies and practices are important to the organization. The regulatory requirement to assign security responsibilities is a de facto mandate to create security champions.

Cybersecurity Risk

Three factors influence cybersecurity decision making and policy development:

  • Guiding principles

  • Regulatory requirements

  • Risks related to achieving their business objectives

Risk is the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction. The motivation for taking a risk is a favorable outcome. Managing risk implies that other actions are being taken to either mitigate the impact of the undesirable or unfavorable outcome and/or enhance the likelihood of a positive outcome.

The following are a few key concepts of the governance of cybersecurity risk:

  • An organization’s assessment of cybersecurity risk and potential risk responses considers the privacy implications of its cybersecurity program.

  • Individuals with cybersecurity-related privacy responsibilities report to appropriate management and are appropriately trained.

  • Process is in place to support compliance of cybersecurity activities with applicable privacy laws, regulations, and Constitutional requirements.

  • Process is in place to assess implementation of the foregoing organizational measures and controls.

These key concepts are categorized and illustrated in Figure 4-10.

A figure represents key concepts of governance of cybersecurity risk.

FIGURE 4-10 Governance of Cybersecurity Risk Key Concepts

For example, a venture capitalist (VC) decides to invest a million dollars in a startup company. The risk (undesirable outcome) in this case is that the company will fail and the VC will lose part or all of her investment. The motivation for taking this risk is that the company could become wildly successful and the initial backers make a great deal of money. To influence the outcome, the VC may require a seat on the Board of Directors, demand frequent financial reports, and mentor the leadership team. Doing these things, however, does not guarantee success.

Risk tolerance is how much of the undesirable outcome the risk taker is willing to accept in exchange for the potential benefit—in this case, how much money the VC is willing to lose. Certainly, if the VC believed that the company was destined for failure, the investment would not be made. Conversely, if the VC determined that the likelihood of a three-million-dollar return on investment was high, she may be willing to accept the tradeoff of a potential $200,000 loss.

The NIST Cybersecurity Framework includes several references under the subcategory “ID.GV-4: Governance and risk management processes address cybersecurity risks.”

Is Risk Bad?

Inherently, risk is neither good nor bad. All human activity carries some risk, although the amount varies greatly. Consider this: Every time you get in a car you are risking injury or even death. You manage the risk by keeping your car in good working order, wearing a seat belt, obeying the rules of the road, not texting, not being impaired, and paying attention. Your risk tolerance is that the reward for reaching your destination outweighs the potential harm.

Risk taking can be beneficial and is often necessary for advancement. For example, entrepreneurial risk taking can pay off in innovation and progress. Ceasing to take risks would quickly wipe out experimentation, innovation, challenge, excitement, and motivation. Risk taking can, however, be detrimental when it is driven or influenced by ignorance, ideology, dysfunction, greed, or revenge. The key is to balance risk against rewards by making informed decisions and then managing the risk commensurate with organizational objectives. The process of managing risk requires organizations to assign risk-management responsibilities, establish the organizational risk appetite and tolerance, adopt a standard methodology for assessing risk, respond to risk levels, and monitor risk on an ongoing basis.

Understanding Risk Management

Risk management is the process of determining an acceptable level of risk (risk appetite and tolerance), calculating the current level of risk (risk assessment), accepting the level of risk (risk acceptance), or taking steps to reduce risk to the acceptable level (risk mitigation). We discussed the first two components in the previous sections.

Risk Acceptance

Risk acceptance indicates that the organization is willing to accept the level of risk associated with a given activity or process. Generally, but not always, this means that the outcome of the risk assessment is within tolerance. There may be times when the risk level is not within tolerance, but the organization will still choose to accept the risk because all other alternatives are unacceptable. Exceptions should always be brought to the attention of management and authorized by either the executive management or the Board of Directors.

Risk Mitigation

Risk mitigation implies one of four actions:

  • Reducing the risk by implementing one or more countermeasures (risk reduction)

  • Sharing the risk with another entity (risk sharing)

  • Transferring the risk to another entity (risk transference)

  • Modifying or ceasing the risk-causing activity (risk avoidance), or a combination thereof

Risk reduction is accomplished by implementing one or more offensive or defensive controls to lower the residual risk. An offensive control is designed to reduce or eliminate a vulnerability, such as enhanced training or applying a security patch. A defensive control is designed to respond to a threat source (for example, a sensor that sends an alert if an intruder is detected). Prior to implementation, risk reduction recommendations should be evaluated in terms of their effectiveness, resource requirements, complexity, impact on productivity and performance, potential unintended consequences, and cost. Depending on the situation, risk reduction decisions may be made at the business unit level, by management, or by the Board of Directors.

Risk transfer or risk sharing is undertaken when organizations desire and have the means to shift risk liability and responsibility to other organizations. This is often accomplished by purchasing insurance.

Risk sharing shifts a portion of risk responsibility or liability to other organizations. The caveat to this option is that regulations such as GLBA (financial institutions) and HIPAA/HITECH (health-care organizations) prohibit covered entities from shifting compliance liability.

Risk avoidance may be the appropriate risk response when the identified risk exceeds the organizational risk appetite and tolerance, and a determination has been made not to make an exception. Risk avoidance involves taking specific actions to eliminate or significantly modify the process or activities that are the basis for the risk. It is unusual to see this strategy applied to critical systems and processes, because both prior investment and opportunity costs need to be considered. However, this strategy may be very appropriate when evaluating new processes, products, services, activities, and relationships.

In Practice

Cybersecurity Risk Response Policy

Synopsis: To define cybersecurity risk response requirements and authority.

Policy Statement:

  • The initial results of all risk assessments must be provided to executive management and business process owners within seven days of completion.

  • Low risks can be accepted by business process owners.

  • Elevated risks and severe risks (or comparable rating) must be responded to within 30 days. Response is the joint responsibility of the business process owner and the CISO. Risk reduction recommendations can include risk acceptance, risk mitigation, risk transfer, risk avoidance, or a combination thereof. Recommendations must be documented and include an applicable level of detail.

  • Severe and elevated risks can be accepted by executive management.

  • The Board of Directors must be informed of accepted severe risk. At its discretion, it can choose to overrule acceptance.

FYI: Cyber-Insurance

Two general categories of risks and potential liabilities are covered by cyber-insurance: first-party risks and third-party risks:

  • First-party risks are potential costs for loss or damage to the policyholder’s own data, or lost income or business.

  • Third-party risks include the policyholder’s potential liability to clients or to various governmental or regulatory entities.

A company’s optimal cybersecurity policy would contain coverage for both first- and third-party claims. A 2013 Ponemon Institute Study commissioned by Experian Data Breach Resolution found that of 683 surveys completed by risk management professionals across multiple business sectors that have considered or adopted cyber-insurance, 86% of policies covered notification costs, 73% covered legal defense costs, 64% covered forensics and investigative costs, and 48% covered replacement of lost or damaged equipment. Not everything was always covered, though, as companies said only 30% of policies covered third-party liability, 30% covered communications costs to regulators, and 8% covered brand damages.

FYI: Small Business Note

Policy, governance, and risk management are important regardless of the size of the organization. The challenge for small organizations is who is going to accomplish these tasks. A small (or even a mid-size) business may not have a Board of Directors, C-level officers, or directors. Instead, as illustrated in Table 4-2, tasks are assigned to owners, managers, and outsourced service providers. What does not change regardless of size is the responsibilities of data owners, data custodians, and data users.

TABLE 4-2 Organizational Roles and Responsibilities (Role: Small Business Equivalent)

  • Board of Directors: Owner(s).

  • Executive management: Owner(s) and/or management.

  • Chief Security Officer: A member of the management team whose responsibilities include cybersecurity. If internal expertise does not exist, external advisors should be engaged.

  • Chief Risk Officer: A member of the management team whose responsibilities include evaluating risk. If internal expertise does not exist, external advisors should be engaged.

  • Compliance Officer: A member of the management team whose responsibilities include ensuring compliance with applicable laws and regulations. If internal expertise does not exist, external advisors should be engaged.

  • Director of IT: IT manager. If internal expertise does not exist, external service providers should be engaged.

  • Internal audit: If this position is required, it is generally outsourced.

Risk Appetite and Tolerance

Risk appetite is defined by the ISO 31000 risk management standard as the “amount and type of risk that an organization is prepared to pursue, retain or take.” In other words, how much risk you are willing to accept within your organization. Risk tolerance is tactical and specific to the target being evaluated. Risk tolerance levels can be qualitative (for example, low, elevated, severe) or quantitative (for example, dollar loss, number of customers impacted, hours of downtime). It is the responsibility of the Board of Directors and executive management to establish risk-tolerance criteria, set standards for acceptable levels of risk, and disseminate this information to decision makers throughout the organization.

There is no silver bullet for setting and accepting risk appetite; however, the method used should be owned by the Board of Directors and executives and should reflect the collective informed views of the Board. The risk appetite should be defined in measurable terms. The use of subjective measures such as high, medium, and low is not a proper way of classifying such risk because these measurements mean different things to different people. The risk appetite and tolerance should be articulated in terms of acceptable variance in the organization’s objectives (including its budget). For instance, the company executives may be willing to tolerate a minimum return on capital of 3% against a budget of 15%. Subsequently, the executives need to determine the risk categories for which an appetite will be set, including all material risks.

In Practice

Cybersecurity Risk Management Oversight Policy

Synopsis: To assign organizational roles and responsibilities with respect to risk management activities.

Policy Statement:

  • Executive management, in consultation with the Board of Directors, is responsible for determining the organizational risk appetite and risk tolerance levels.

  • Executive management will communicate the above to decision makers throughout the company.

  • The CISO, in consultation with the Chief Risk Officer, is responsible for determining the cybersecurity risk assessment schedule, managing the risk assessment process, certifying results, jointly preparing risk reduction recommendations with business process owners, and presenting the results to executive management.

  • The Board of Directors will be apprised by the COO of risks that endanger the organization, stakeholders, employees, or customers.

What Is a Risk Assessment?

An objective of a risk assessment is to evaluate what could go wrong, the likelihood of such an event occurring, and the harm if it did. In cybersecurity, this objective is generally expressed as the process of (a) identifying the inherent risk based on relevant threats, threat sources, and related vulnerabilities; (b) determining the impact if the threat source were successful; and (c) calculating the likelihood of occurrence, taking into consideration the control environment, in order to determine residual risk.

  • Inherent risk is the level of risk before security measures are applied.

  • A threat is a natural, environmental, technical, or human event or situation that has the potential for causing undesirable consequences or impact. Cybersecurity focuses on the threats to confidentiality (unauthorized use or disclosure), integrity (unauthorized or accidental modification), and availability (damage or destruction).

  • A threat source is either (1) intent and method targeted at the intentional exploitation of a vulnerability, such as criminal groups, terrorists, botnet operators, and disgruntled employees, or (2) a situation and method that may accidentally trigger a vulnerability, such as an undocumented process, a severe storm, or accidental or unintentional behavior.

  • NIST provides several definitions for what is a vulnerability:

    • A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

    • A weakness in a system, application, or network that is subject to exploitation or misuse.

    • A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

  • Vulnerabilities can be physical (for example, unlocked door, insufficient fire suppression), natural (for example, facility located in a flood zone or in a hurricane belt), technical (for example, misconfigured systems, poorly written code), or human (for example, untrained or distracted employee).

  • Impact is the magnitude of harm.

  • The likelihood of occurrence is a weighted factor or probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).

  • A control is a security measure designed to prevent, deter, detect, or respond to a threat source.

  • Residual risk is the level of risk after security measures are applied. In its most simple form, residual risk can be defined as the likelihood of occurrence after controls are applied, multiplied by the expected loss. Residual risk is a reflection of the actual state. As such, the risk level can run the gamut from severe to nonexistent.

Let’s consider the threat of obtaining unauthorized access to protected customer data. A threat source could be a cybercriminal. The vulnerability is that the information system that stores the data is Internet facing. We can safely assume that if no security measures were in place, the criminal would have unfettered access to the data (inherent risk). The resulting harm (impact) would be reputational damage, cost of responding to the breach, potential lost future revenue, and perhaps regulatory penalties. The security measures in place include data access controls, data encryption, ingress and egress filtering, an intrusion detection system, real-time activity monitoring, and log review. The residual risk calculation is based on the likelihood that the criminal (threat source) would be able to successfully penetrate the security measures, and if so, what the resulting harm would be. In this example, because the stolen or accessed data are encrypted, one could assume that the residual risk would be low (unless, of course, they were also able to access the decryption key). However, depending on the type of business, there still might be an elevated reputation risk associated with a breach.
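The residual-risk arithmetic described above (likelihood after controls multiplied by expected loss), worked through for the chapter's customer-data scenario and routed per the In Practice risk response policy, as an added Python example that is not from the textbook; the control effectiveness figures and dollar tolerance thresholds are constructed assumptions.

```python
"""Residual-risk arithmetic and risk-response routing (added example).

Implements the chapter's simplest form of residual risk, classifies the
result against quantitative tolerance thresholds, and routes it per the
Cybersecurity Risk Response Policy. All numeric values are constructed.
"""
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class Control:
    name: str
    # Share of the remaining likelihood this control removes (0.0 to 1.0).
    likelihood_reduction: float = 0.0
    # Share of the expected loss it removes if the threat still succeeds.
    loss_reduction: float = 0.0


@dataclass
class RiskScenario:
    threat: str
    threat_source: str
    vulnerability: str
    inherent_likelihood: float   # probability of success with no controls
    expected_loss: float         # harm in dollars if the threat succeeds
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        """Risk before any security measures are applied."""
        return self.inherent_likelihood * self.expected_loss

    def residual_risk(self, failed_controls: Iterable[str] = ()) -> float:
        """Likelihood after controls multiplied by loss after controls.

        Controls named in failed_controls are treated as ineffective, so an
        assessor can model the chapter's caveat: encryption only lowers the
        harm while the decryption key stays out of the attacker's reach.
        """
        failed = set(failed_controls)
        likelihood, loss = self.inherent_likelihood, self.expected_loss
        for c in self.controls:
            if c.name in failed:
                continue
            # Layers are treated as independent: each removes its share of
            # whatever likelihood or loss the earlier layers left behind.
            likelihood *= 1.0 - c.likelihood_reduction
            loss *= 1.0 - c.loss_reduction
        return likelihood * loss


# Quantitative tolerance thresholds in dollars of expected loss. Constructed
# here; the chapter assigns setting them to the Board and executive management.
TOLERANCE = {"low": 50_000.0, "elevated": 250_000.0}


def rate(risk: float) -> str:
    """Map a dollar risk figure to the policy's qualitative rating."""
    if risk < TOLERANCE["low"]:
        return "low"
    if risk < TOLERANCE["elevated"]:
        return "elevated"
    return "severe"


def response_requirements(rating: str) -> dict:
    """Who may accept the risk and how fast it must be answered, following
    the chapter's Cybersecurity Risk Response Policy statements."""
    if rating == "low":
        return {"accept_by": "business process owner",
                "respond_within_days": None, "inform_board": False}
    return {"accept_by": "executive management",
            "respond_within_days": 30, "inform_board": rating == "severe"}


def customer_data_scenario() -> RiskScenario:
    """The chapter's example: an Internet-facing store of protected customer
    data targeted by a cybercriminal. Effectiveness figures are constructed."""
    return RiskScenario(
        threat="unauthorized access to protected customer data",
        threat_source="cybercriminal",
        vulnerability="data store is Internet facing",
        inherent_likelihood=0.8,
        expected_loss=1_000_000.0,
        controls=[
            Control("data access controls", likelihood_reduction=0.5),
            Control("ingress/egress filtering", likelihood_reduction=0.5),
            Control("IDS, real-time monitoring, log review",
                    likelihood_reduction=0.5),
            # Encryption does not stop the intrusion; it shrinks the harm.
            Control("data encryption", loss_reduction=0.9),
        ],
    )


if __name__ == "__main__":
    s = customer_data_scenario()
    for label, risk in [("inherent", s.inherent_risk()),
                        ("residual", s.residual_risk()),
                        ("residual, key exposed",
                         s.residual_risk(failed_controls=["data encryption"]))]:
        r = rate(risk)
        print(f"{label:>22}: ${risk:>12,.0f} -> {r:8} {response_requirements(r)}")
```

Running it shows the inherent risk rated severe, the residual risk rated low once encryption is counted, and the residual risk climbing to elevated (executive acceptance, 30-day response) when the decryption key is assumed compromised.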

FYI: Business Risk Categories

In a business context, risk is further classified by category, including strategic, financial, operational, personnel, reputational, and regulatory/compliance risk:

  • Strategic risk relates to adverse business decisions.

  • Financial (or investment) risk relates to monetary loss.

  • Reputational risk relates to negative public opinion.

  • Operational risk relates to loss resulting from inadequate or failed processes or systems.

  • Personnel risk relates to issues that affect morale, productivity, recruiting, and retention.

  • Regulatory/compliance risk relates to violations of laws, rules, regulations, or policy.

Risk Assessment Methodologies

Components of a risk assessment methodology include a defined process, a risk model, an assessment approach, and standardized analysis. The benefit of consistently applying a risk assessment methodology is comparable and repeatable results. The three most well-known cybersecurity risk assessment methodologies are the following:

  • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation).

  • Factor Analysis of Information Risk (FAIR).

  • NIST Risk Management Framework (RMF). The NIST Risk Management Framework includes both risk assessment and risk management guidance.

OCTAVE

OCTAVE was originally developed at the CERT Coordination Center at Carnegie Mellon University. CERT developed this specification as a self-directed guideline, which means that stakeholders assume responsibility for specifying the organization’s security strategy. OCTAVE relies on individual knowledge of the organization’s security practices and processes to classify risk to the most critical assets. The OCTAVE approach is driven by two aspects: operational risk and security practices. OCTAVE was originally developed in the early 2000s, and most folks that adopted it have migrated to the NIST Risk Assessment Methodology.

FAIR

FAIR provides a model for understanding, analyzing, and quantifying information risk in quantitative financial and business terms. This is a bit different from risk assessment frameworks that focus their output on qualitative color-based charts or numerical weighted scales. The goal of the FAIR creators and maintainers was to build a foundation for developing a scientific approach to information risk management.

The original development of FAIR led to the creation of the FAIR Institute, which is an expert nonprofit organization that is helping the members to mature by providing learning opportunities, sharing of best practices, and exploration of possible new applications of the FAIR standard. Information about FAIR and the FAIR Institute can be obtained at https://www.fairinstitute.org. The Open Group adopted FAIR and is also evangelizing its use among the community.

NIST Risk Assessment Methodology

Federal regulators and examiners historically refer to NIST SP 800-30 and SP 800-39 in their commentary and guidance and, more recently, to the NIST Cybersecurity Framework (because, as you learned earlier, it provides a comprehensive list of guidelines and references).

The NIST Risk Assessment methodology, as defined in SP 800-30: Guide to Conducting Risk Assessments, is divided into four steps:

STEP 1. Prepare for the assessment.

STEP 2. Conduct the assessment.

STEP 3. Communicate the results.

STEP 4. Maintain the assessment.

These steps are illustrated in Figure 4-11.

A figure represents NIST risk assessment methodology as defined in SP-800-30.

FIGURE 4-11 NIST Risk Assessment Methodology as Defined in SP-800-30

It is unrealistic that a single methodology would be able to meet the diverse needs of private and public-sector organizations. The expectation set forth in NIST SP 800-39 and 800-30 is that each organization will adapt and customize the methodology based on size, complexity, industry sector, regulatory requirements, and threat vector.

In Practice

Cybersecurity Risk Assessment Policy

Synopsis: To assign responsibility for and set parameters for conducting cybersecurity risk assessments.

Policy Statement:

  • The company must adopt a cybersecurity risk assessment methodology to ensure consistent, repeatable, and comparable results.

  • Cybersecurity risk assessments must have a clearly defined and limited scope. Assessments with a broad scope become difficult and unwieldy in both their execution and the documentation of the results.

  • The CISO is charged with developing a cybersecurity risk assessment schedule based on the information system’s criticality and information classification level.

  • In addition to scheduled assessments, cybersecurity risk assessments must be conducted prior to the implementation of any significant change in technology, process, or third-party agreement.

  • The CISO and the business process owner are jointly required to respond to risk assessment results and develop risk reduction strategies and recommendations.

  • Risk assessment results and recommendations must be presented to executive management.

Summary

Cybersecurity is not an end unto itself. Cybersecurity is a business discipline that exists to support business objectives, add value, and maintain compliance with externally imposed requirements. This type of relationship is known as “strategic alignment.” Organizational commitment to cybersecurity practices should be codified in a written policy. The cybersecurity policy is an authoritative document that informs decision making and practices. As such, it should be authorized by the Board of Directors or equivalent body. Derivative documents for specific audiences should be published and distributed. This includes an Acceptable Use Policy and Agreement for users, a third-party version for vendors and service providers, and a synopsis for business partners and clients.

It is essential that cybersecurity policies remain relevant and accurate. At a minimum, policies should be reviewed and reauthorized annually. Change drivers are events that modify how a company operates and are a trigger for policy review. Compliance with policy requirements should be assessed and reported to executive management.

A cybersecurity audit is a systematic evidence-based evaluation of how well the organization conforms to established criteria. Audits are generally conducted by independent auditors, which implies that the auditor is not responsible for, has not benefited from, and is not in any way influenced by the audit target. A capability maturity model (CMM) assessment is an evaluation of process maturity for a given area. In contrast to an audit, the application of a CMM is generally an internal process. Audits and maturity models are good indicators of policy acceptance and integration.

Governance is the process of managing, directing, controlling, and influencing organizational decisions, actions, and behaviors. The Board of Directors is the authoritative policy-making body. Executive management is tasked with providing support and resources. Endorsed by the Board of Directors and executive management, the CISO (or equivalent role) is vested with cybersecurity program management responsibility and accountability. The chain of command for the CISO should be devoid of conflict of interest. The CISO should have the authority to communicate directly with the Board of Directors.

Discussion, debate, and thoughtful deliberation result in good decision making. Supporting the CISO should be a Cybersecurity Steering Committee, whose members represent a cross-section of the organization. The steering committee serves in an advisory capacity with particular focus on the alignment of business and security objectives. Distributed throughout the organization are a variety of roles that have cybersecurity-related responsibilities. Most notably, data owners are responsible for defining protection requirements, data custodians are responsible for managing the protection mechanisms, and data users are expected to act in accordance with the organization’s requirements and to be stewards of the information in their care.

Three factors influence cybersecurity decision making and policy development: guiding principles, regulatory requirements, and risks related to achieving their business objectives. Risk is the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction. Risk tolerance is how much of the undesirable outcome the risk taker is willing to accept in exchange for the potential benefit. Risk management is the process of determining an acceptable level of risk, identifying the level of risk for a given situation, and determining if the risk should be accepted or mitigated. A risk assessment is used to calculate the level of risk. A number of publicly available risk assessment methodologies are available for organizations to use and customize. Risk acceptance indicates that the organization is willing to accept the level of risk associated with a given activity or process. Risk mitigation implies that one of four actions (or a combination of actions) will be undertaken: risk reduction, risk sharing, risk transference, or risk avoidance.

Risk management, governance, and information policy are the basis of an information program. Policies related to these domains include the following policies: Cybersecurity Policy, Cybersecurity Policy Authorization and Oversight, CISO, Cybersecurity Steering Committee, Cybersecurity Risk Management Oversight, Cybersecurity Risk Assessment, and Cybersecurity Risk Management.

Test Your Skills

Multiple Choice Questions

1. What does it indicate when a cybersecurity program is said to be “strategically aligned”?

A. It supports business objectives.

B. It adds value.

C. It maintains compliance with regulatory requirements.

D. All of the above.

2. How often should cybersecurity policies be reviewed?

A. Once a year

B. Only when a change needs to be made

C. At a minimum, once a year and whenever there is a change trigger

D. Only as required by law

3. Cybersecurity policies should be authorized by ____________.

A. the Board of Directors (or equivalent)

B. business unit managers

C. legal counsel

D. stockholders

4. Which of the following statements best describes policies?

A. Policies are the implementation of specifications.

B. Policies are suggested actions or recommendations.

C. Policies are instructions.

D. Policies are the directives that codify organizational requirements.

5. Which of the following statements best represents the most compelling reason to have an employee version of the comprehensive cybersecurity policy?

A. Sections of the comprehensive policy may not be applicable to all employees.

B. The comprehensive policy may include unknown acronyms.

C. The comprehensive document may contain confidential information.

D. The more understandable and relevant a policy is, the more likely users will positively respond to it.

6. Which of the following is a common element of all federal cybersecurity regulations?

A. Covered entities must have a written cybersecurity policy.

B. Covered entities must use federally mandated technology.

C. Covered entities must self-report compliance.

D. Covered entities must notify law enforcement if there is a policy violation.

7. Organizations that choose to adopt the ISO 27002:2013 framework must ________________.

A. use every policy, standard, and guideline recommended

B. create policies for every security domain

C. evaluate the applicability and customize as appropriate

D. register with the ISO

8. Evidence-based techniques used by cybersecurity auditors include which of the following elements?

A. Structured interviews, observation, financial analysis, and documentation sampling

B. Structured interviews, observation, review of practices, and documentation sampling

C. Structured interviews, customer service surveys, review of practices, and documentation sampling

D. Casual conversations, observation, review of practices, and documentation sampling

9. Which of the following statements best describes independence in the context of auditing?

A. The auditor is not an employee of the company.

B. The auditor is certified to conduct audits.

C. The auditor is not responsible for, has not benefited from, and is not in any way influenced by the audit target.

D. Each auditor presents his or her own opinion.

10. Which of the following states is not included in a CMM?

A. Average

B. Optimized

C. Ad hoc

D. Managed

11. Which of the following activities is not considered a governance activity?

A. Managing

B. Influencing

C. Evaluating

D. Purchasing

12. To avoid conflict of interest, the CISO could report to which of the following individuals?

A. The Chief Information Officer (CIO)

B. The Chief Technology Officer (CTO)

C. The Chief Financial Officer (CFO)

D. The Chief Compliance Officer (CCO)

13. Which of the following statements best describes the role of the Cybersecurity Steering Committee?

A. The committee authorizes policy.

B. The committee helps communicate, discuss, and debate on security requirements and business integration.

C. The committee approves the InfoSec budget.

D. None of the above.

14. Defining protection requirements is the responsibility of ____________.

A. the ISO

B. the data custodian

C. data owners

D. the Compliance Officer

15. Designating an individual or team to coordinate or manage cybersecurity is required by _________.

A. GLBA

B. 23 NYCRR 500

C. PCI DSS

D. All of the above

16. Which of the following terms best describes the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction?

A. Threat

B. Risk

C. Vulnerability

D. Impact

17. Inherent risk is the state before __________________.

A. an assessment has been conducted

B. security measures have been implemented

C. the risk has been accepted

D. None of the above

18. Which of the following terms best describes the natural, environmental, technical, or human event or situation that has the potential for causing undesirable consequences or impact?

A. Risk

B. Threat source

C. Threat

D. Vulnerability

19. Which of the following terms best describes a disgruntled employee with intent to do harm?

A. Risk

B. Threat source

C. Threat

D. Vulnerability

20. Which of the following activities is not considered an element of risk management?

A. The process of determining an acceptable level of risk

B. Assessing the current level of risk for a given situation

C. Accepting the risk

D. Installing risk-mitigation technologies and cybersecurity products

21. How much of the undesirable outcome the risk taker is willing to accept in exchange for the potential benefit is known as _________.

A. risk acceptance

B. risk tolerance

C. risk mitigation

D. risk avoidance

22. Which of the following statements best describes a vulnerability?

A. A vulnerability is a weakness that could be exploited by a threat source.

B. A vulnerability is a weakness that can never be fixed.

C. A vulnerability is a weakness that can only be identified by testing.

D. A vulnerability is a weakness that must be addressed regardless of the cost.

23. Which of the following are benefits of security controls?

A. Detect threats

B. Deter threats

C. Prevent cyber-attacks and breaches

D. All of the above

24. Which of the following is not a risk-mitigation action?

A. Risk acceptance

B. Risk sharing or transference

C. Risk reduction

D. Risk avoidance

25. Which of the following risks is best described as the expression of (the likelihood of occurrence after controls are applied) × (expected loss)?

A. Inherent risk

B. Expected risk

C. Residual risk

D. Accepted risk

26. Which of the following risk types best describes an example of insurance?

A. Risk avoidance

B. Risk transfer

C. Risk acknowledgement

D. Risk acceptance

27. Which of the following risk types relates to negative public opinion?

A. Operational risk

B. Financial risk

C. Reputation risk

D. Strategic risk

28. Which of the following is not true about compliance risk as it relates to federal and state regulations?

A. Compliance risk cannot be avoided

B. Compliance risk cannot be transferred

C. Compliance risk cannot be accepted

D. None of these answers are correct

29. Which of the following statements best describes organizations that are required to comply with multiple federal and state regulations?

A. They must have different policies for each regulation.

B. They must have multiple ISOs.

C. They must ensure that their cybersecurity program includes all applicable requirements.

D. They must choose the one regulation that takes precedence.

30. Which of the following are subcategories of the NIST Cybersecurity Framework that are related to cybersecurity governance?

A. ID.GV-1: Organizational information security policy is established.

B. ID.GV-2: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners.

C. ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.

D. ID.GV-4: Governance and risk management processes address cybersecurity risks.

E. All of these answers are correct.

Exercises

Exercise 4-1: Understanding ISO 27002:2005

The introduction to ISO 27002:2005 includes this statement: “This International Standard may be regarded as a starting point for developing organization-specific guidelines. Not all of the controls and guidance in this code of practice may be applicable. Furthermore, additional controls and guidelines not included in this standard may be required.”

  1. Explain how this statement relates to the concept of strategic alignment.

  2. The risk assessment domain was included in the ISO 27002:2005 edition and then removed in ISO 27002:2013. Why do you think they made this change?

  3. What are the major topics of ISO 27005?

Exercise 4-2: Understanding Policy Development and Authorization

Three entrepreneurs got together and created a website design hosting company. They will be creating websites and social media sites for their customers, from simple “Hello World” pages to full-fledged e-commerce solutions. One entrepreneur is the technical guru, the second is the marketing genius, and the third is in charge of finances. They are equal partners. The entrepreneurs also have five web developers working for them as independent contractors on a per-project basis. Customers are requesting a copy of their security policies.

  1. Explain the criteria they should use to develop their policies. Who should authorize the policies?

  2. Should the policies apply to the independent contractors? Why or why not?

  3. What type of documentation should they provide their customers?

Exercise 4-3: Understanding Cybersecurity Officers
  1. ISOs are in high demand. Using online job hunting sites (such as Monster.com, Dice.com, and TheLadders.com), research available positions in your geographic area.

  2. Is there a common theme in the job descriptions?

  3. What type of certifications, education, and experience are employers seeking?

Exercise 4-4: Understanding Risk Terms and Definitions
  1. Define each of the following terms: inherent risk, threat, threat source, vulnerability, likelihood, impact, and residual risk.

  2. Provide examples of security measures designed to (a) deter a threat source, (b) prevent a threat source from being successful, and (c) detect a threat source.

  3. Explain risk avoidance and why that option is generally not chosen.

Exercise 4-5: Understanding Insurance
  1. What is cyber-insurance and what does it generally cover?

  2. Why would an organization purchase cyber-insurance?

  3. What is the difference between first-party coverage and third-party coverage?

Projects

Project 4-1: Analyzing a Written Policy
  1. Many organizations rely on institutional knowledge rather than written policy. Why do you think all major cybersecurity regulations require a written cybersecurity policy? Do you agree? Explain your opinion.

  2. We are going to test the conventional wisdom that policy should be documented by conducting an experiment.

    1. Write down or print out these three simple policy statements. Or, if you prefer, create your own policy statements.

      The Board of Directors must authorize the Cybersecurity Policy.

      An annual review of the Cybersecurity Policy must be conducted.

      The CISO is responsible for managing the review process.

    2. Enlist four subjects for your experiment.

      Give two of the subjects the written policy. Ask them to read the document. Have them keep the paper.

      Read the policy to the two other subjects. Do not give them a written copy.

    3. Within 24 hours, contact each subject and ask them to recall as much of the policy as possible. If they ask, let the first two subjects know that they can consult the document you gave them. Document your findings. Does the outcome support your answer to Question 1?

Project 4-2: Analyzing Cybersecurity Management
  1. Does your school or workplace have a CISO or an equivalent position? Who does the CISO (or equivalent) report to? Does he or she have any direct reports? Is this person viewed as a security champion? Is he or she accessible to the user community?

  2. It is important that CISOs stay current with security best practices, regulations, and peer experiences. Research and recommend (at least three) networking and educational resources.

  3. If you were tasked with selecting a Cybersecurity Steering Committee at your school or workplace to advise the CISO (or equivalent), who would you choose and why?

Project 4-3: Using Risk Assessment Methodologies

The three most well-known cybersecurity risk assessment methodologies are OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation, developed at the CERT Coordination Center at Carnegie Mellon University), FAIR (Factor Analysis of Information Risk), and the NIST Risk Management Framework (RMF).

  1. Research and write a description of each (including pros and cons).

  2. Are they in the public domain, or is there a licensing cost?

  3. Is training available?

Case Study

Determining the Likelihood and Impact of Occurrence

One of the most challenging aspects of a risk assessment is determining the likelihood of occurrence and impact. NIST SP 800-30 defines the likelihood of occurrence as follows: A weighted risk factor based on an analysis of the probability that a given threat source is capable of exploiting a given vulnerability (or set of vulnerabilities). For adversarial threats, an assessment of likelihood of occurrence is typically based on: (i) adversary intent; (ii) adversary capability; and (iii) adversary targeting. For other than adversarial threat events, the likelihood of occurrence is estimated using historical evidence, empirical data, or other factors. Organizations typically employ a three-step process to determine the overall likelihood of threat events:

  • Organizations assess the likelihood that threat events will be initiated (for adversarial threat events) or will occur (for non-adversarial threat events).

  • Organizations assess the likelihood that the threat events, once initiated or occurring, will result in adverse impacts or harm to organizational operations and assets, individuals, other organizations, or the nation.

  • Organizations assess the overall likelihood as a combination of likelihood of initiation/occurrence and likelihood of resulting in adverse impact.
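The three-step process above can be made concrete as a small risk register. The following Python is an added worked example, not part of the chapter or of NIST SP 800-30: it rates each threat event's likelihood of initiation and likelihood of adverse impact, combines them into an overall likelihood, pairs that with impact to produce an inherent and a residual risk level, and then makes the accept-or-mitigate decision against a stated risk tolerance. The five-level scale matches the qualitative scale NIST uses, but the numeric scores, the "lower of the two levels" combination rule, the product-and-bucket risk rule, and the two sample events with their ratings are all this example's own assumptions (NIST SP 800-30 supplies lookup tables for those steps).

```python
"""Added worked example: NIST SP 800-30-style likelihood and risk determination."""
from dataclasses import dataclass

# Five-level qualitative scale used by NIST SP 800-30 Rev. 1. The numeric scores
# attached to the labels are this example's assumption, not the standard's.
LEVELS = ["very low", "low", "moderate", "high", "very high"]
SCORE = {label: i for i, label in enumerate(LEVELS)}


@dataclass
class ThreatEvent:
    """One row of a risk register, answering the case study's questions 1-6."""
    threat: str
    threat_source: str
    adversarial: bool
    vulnerability: str
    likelihood_initiation: str       # step 1: event is initiated (or occurs)
    likelihood_impact_inherent: str  # step 2, with no security measures in place
    likelihood_impact_residual: str  # step 2, after existing controls are applied
    impact: str                      # severity of harm if the event succeeds


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    """Step 3: combine likelihood of initiation/occurrence with likelihood of
    adverse impact. Both must happen, so this example takes the lower of the
    two levels (assumption: a simplification of the standard's lookup table)."""
    return LEVELS[min(SCORE[initiation], SCORE[adverse_impact])]


def risk_level(likelihood: str, impact: str) -> str:
    """Level of risk from overall likelihood and impact. The product-and-bucket
    rule is this example's own; NIST uses a lookup table here as well."""
    product = SCORE[likelihood] * SCORE[impact]  # 0..16
    if product <= 1:
        return "very low"
    if product <= 4:
        return "low"
    if product <= 8:
        return "moderate"
    if product <= 12:
        return "high"
    return "very high"


def assess(event: ThreatEvent, risk_tolerance: str) -> dict:
    """Inherent risk (before controls), residual risk (after controls), and the
    accept-or-mitigate decision against the organization's stated tolerance."""
    inherent_l = overall_likelihood(event.likelihood_initiation,
                                    event.likelihood_impact_inherent)
    residual_l = overall_likelihood(event.likelihood_initiation,
                                    event.likelihood_impact_residual)
    inherent = risk_level(inherent_l, event.impact)
    residual = risk_level(residual_l, event.impact)
    decision = "accept" if SCORE[residual] <= SCORE[risk_tolerance] else "mitigate"
    return {"threat": event.threat, "adversarial": event.adversarial,
            "inherent_risk": inherent, "residual_risk": residual,
            "decision": decision}


# Constructed sample register: one adversarial and one non-adversarial event,
# mirroring the case study. The ratings are illustrative judgments, not data.
REGISTER = [
    ThreatEvent(
        threat="Ransomware encrypts the student records server",
        threat_source="Criminal group",
        adversarial=True,
        vulnerability="Unpatched remote-access service",
        likelihood_initiation="high",
        likelihood_impact_inherent="high",
        likelihood_impact_residual="moderate",  # patching and backups, no MFA yet
        impact="very high",
    ),
    ThreatEvent(
        threat="Severe storm causes multi-day power loss at the data center",
        threat_source="Weather",
        adversarial=False,
        vulnerability="Single power feed, generator fuel for eight hours",
        likelihood_initiation="moderate",
        likelihood_impact_inherent="very high",
        likelihood_impact_residual="low",  # fuel contract and failover site
        impact="high",
    ),
]


def assess_register(register=REGISTER, risk_tolerance="low") -> list:
    """Assess every event in the register against one risk tolerance."""
    return [assess(e, risk_tolerance) for e in register]


if __name__ == "__main__":
    for row in assess_register():
        print(f"{row['threat']}: inherent={row['inherent_risk']}, "
              f"residual={row['residual_risk']}, decision={row['decision']}")
```

Running the script shows the two outcomes the chapter's summary describes: the ransomware event stays above the "low" tolerance after existing controls, so the decision is to mitigate (reduce, share, transfer, or avoid), while the storm event falls to "low" and is accepted. Raising the tolerance argument to "moderate" flips the first decision to accept, which is exactly the judgment a risk assessment workshop has to make explicit.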

Identify two threat sources—one adversarial and one non-adversarial—that could exploit a vulnerability at your school or workplace and would result in disruption of service. An adversarial event is the intentional exploitation of a vulnerability by criminal groups, terrorists, botnet operators, or disgruntled employees. A non-adversarial event is the accidental exploitation of a vulnerability, such as an undocumented process, a severe storm, or accidental or unintentional behavior.

  1. For each (using your best judgment), answer the following questions:

    1. What is the threat?

    2. What is the threat source?

    3. Is the source adversarial or non-adversarial?

    4. What vulnerability could be exploited?

    5. How likely is the threat source to be successful and why?

    6. If the threat source is successful, what is the extent of the damage caused?

  2. Risk assessments are rarely conducted by one individual working alone. If you were hosting a workshop to answer the preceding questions, who would you invite and why?

References

Regulations Cited

“Appendix B to Part 364—Interagency Guidelines Establishing Cybersecurity Standards,” accessed 04/2018, https://www.fdic.gov/regulations/laws/rules/2000-8660.html.

“201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth,” official website of the Office of Consumer Affairs & Business Regulation (OCABR), accessed 04/2018, http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf.

“Family Educational Rights and Privacy Act (FERPA),” official website of the US Department of Education, accessed 04/2018, https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

“HIPAA Security Rule,” official website of the Department of Health and Human Services, accessed 04/2018, https://www.hhs.gov/hipaa/for-professionals/security/index.html.

European Global Data Protection Regulation (GDPR) website, accessed 04/2018, https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection_en.

“The Directive on Security of Network and Information Systems (NIS Directive),” accessed 04/2018, https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive.

“New York State 23 NYCRR 500: Cybersecurity Requirements for Financial Services Companies,” accessed 04/2018, http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.

Other References

Allen, Julia, “Governing for Enterprise Security: CMU/SEI-2005-TN-023 2005,” Carnegie Mellon University, June 2005.

Bejtlich, Richard, “Risk, Threat, and Vulnerability 101,” accessed 04/2018, http://taosecurity.blogspot.com/2005/05/risk-threat-and-vulnerability-101-in.html.

NIST’s Glossary of Key Information Security Terms, accessed 04/2018, http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf.

DeMauro, John, “Filling the Cybersecurity Officer Role within Community Banks,” accessed 04/2018, www.practicalsecuritysolutions.com/articles/.

“Duty of Care,” Legal Information Institute, Cornell University Law School, accessed 04/2018, https://www.law.cornell.edu/wex/duty_of_care.

AIG Study, “Is Cyber Risk Systemic?”, accessed 04/2018, https://www.aig.com/content/dam/aig/america-canada/us/documents/business/cyber/aig-cyber-risk-systemic-final.pdf.

Godes, Scott, Esq., and Kristi Singleton, Esq. “Top Ten Tips for Companies Buying Cybersecurity Insurance Coverage,” accessed 04/2018, http://www.acc.com/legalresources/publications/topten/tttfcbcsic.cfm.

“Cybersecurity Governance: Guidance for Boards of Directors and Executive Management, Second Edition,” IT Governance Institute, 2006.

Matthews, Chris, “Cybersecurity Insurance Picks Up Steam,” Wall Street Journal/Risk & Compliance Journal, August 7, 2013, accessed 04/2018, https://blogs.wsj.com/riskandcompliance/2013/08/07/cybersecurity-insurance-picks-up-steam-study-finds/.

“PCI DSS Requirements and Security Assessment Procedures,” accessed 04/2018, https://www.pcisecuritystandards.org/pci_security/standards_overview.

“Process & Performance Improvement,” Carnegie Mellon Software Engineering Institute, accessed 04/2018, www.sei.cmu.edu/process/.

Swenson, David, Ph.D., “Change Drivers,” accessed 04/2018, http://faculty.css.edu/dswenson/web/Chandriv.htm.

“The Security Risk Management Guide,” Microsoft, accessed 04/2018, https://technet.microsoft.com/en-us/library/cc163143.aspx.

“What Is the Capability Maturity Model (CMM)?” accessed 04/2018, http://www.selectbs.com/process-maturity/what-is-the-capability-maturity-model.

“European Union Cybersecurity-Related Legislation,” accessed 04/2018, https://www.securityroundtable.org/wp-content/uploads/2017/05/eu-cybersecurity-legislation-executive-advisory-report.pdf.

NIST Computer Security Resource Center Publications, accessed 04/2018, https://csrc.nist.gov/publications.

NIST Cybersecurity Framework, accessed 04/2018, https://www.nist.gov/cyberframework.

FAIR and The FAIR Institute, accessed 04/2018, https://www.fairinstitute.org.
