Governance, Risk, and Compliance (D486)
Access The Exact Questions for Governance, Risk, and Compliance (D486)
Free Governance, Risk, and Compliance (D486) Questions
Gary has created an application that new staff in his organization are asked to use as part of their training. The application shows them examples of phishing emails and asks the staff members to identify the emails that are suspicious and why. Correct answers receive points, and incorrect answers subtract points. What type of user training technique is this?
- A. Capture the flag
- B. Gamification
- C. Phishing campaigns
- D. Role-based training
Correct Answer: B. Gamification
Explanation
Gamification involves incorporating game-like elements, such as points, rewards, and challenges, into non-game activities like security training. By using points for correct answers and deductions for mistakes, Gary is engaging employees in a competitive and interactive learning experience. Gamification makes security awareness training more engaging and effective.
Why Other Options Are Wrong
A. Capture the flag
Capture the flag (CTF) is a hands-on cybersecurity challenge that often involves solving security puzzles or exploiting vulnerabilities to "capture" virtual flags. Gary’s training does not involve such a competitive hacking environment.
C. Phishing campaigns
A phishing campaign involves sending simulated phishing emails to employees to test their ability to recognize and report phishing attempts. While Gary's training is related to phishing, it is structured as a game rather than a direct phishing test.
D. Role-based training
Role-based training tailors security training to specific job functions within an organization. While Gary’s application provides phishing awareness, it is not tailored to specific roles but rather uses an interactive game format.
Marcus wants to ensure that attackers can't identify his customers if they were to gain a copy of his organization's web application database. He wants to protect their Social Security numbers (SSNs) with an alternate value that he can reference elsewhere when he needs to look up a customer by their SSN. What technique should he use to accomplish this?
- A. Encryption
- B. Tokenization
- C. Data masking
- D. Data washing
Correct Answer: B. Tokenization
Explanation
Tokenization replaces sensitive data, such as Social Security numbers, with a non-sensitive equivalent (a "token") that has no exploitable meaning. The actual data is stored securely in a separate database, and only authorized systems can map the token back to the original value. This technique is widely used for protecting sensitive financial and personal information while maintaining functionality in business applications.
Why Other Options Are Wrong
A. Encryption
While encryption protects data by converting it into a secure format, the original data can still be retrieved by decrypting it with a key. Tokenization is more suitable in this case because it eliminates the risk of exposing actual SSNs.
C. Data masking
Data masking replaces sensitive information with a fake but similar-looking value for display purposes. However, it is not intended for actual database protection and does not allow retrieval of the original data when needed.
D. Data washing
This is not a recognized security technique. It might refer to data cleansing, which is used for correcting or removing incorrect or duplicate data, but it does not secure sensitive data like SSNs.
Which of the following principles stipulates that multiple changes to a computer system should not be made at the same time?
- A. Due diligence
- B. Acceptable use
- C. Change management
- D. Due care
Correct Answer: C. Change management
Explanation
Change management is a structured approach that ensures changes to a system are implemented in a controlled and coordinated manner. It helps prevent unintended disruptions by ensuring that each change is properly documented, tested, and reviewed before being deployed. One of its core principles is to avoid making multiple changes simultaneously, as this can complicate troubleshooting and increase the risk of failure.
Why Other Options Are Wrong
A. Due diligence
Due diligence refers to the careful assessment and review of security risks, legal considerations, and best practices before making business or security decisions. While it promotes careful decision-making, it does not specifically address the process of implementing changes to a system.
B. Acceptable use
An acceptable use policy defines how employees can use company resources and technology. It focuses on appropriate and inappropriate behaviors rather than managing changes to computer systems.
D. Due care
Due care refers to taking reasonable precautions to protect company assets, including security controls and risk mitigation strategies. While it supports security best practices, it does not specifically mandate how system changes should be handled.
What key element of regulations, like the European Union's (EU's) GDPR, drives organizations to include them in their overall assessment of risk posture?
- A. Potential fine
- B. Their annual loss expectancy (ALE)
- C. Their recovery time objective (RTO)
- D. The likelihood of occurrence
Correct Answer: A. Potential fine
Explanation
Regulations like the General Data Protection Regulation (GDPR) enforce strict penalties for non-compliance, making potential fines a major factor in an organization’s risk assessment. Under GDPR, organizations can face fines up to 4% of their annual global revenue or €20 million (whichever is higher) for serious violations. This financial risk incentivizes companies to align their policies with compliance requirements to avoid legal and monetary consequences. Additionally, organizations may suffer reputational damage and legal action from data breaches, further increasing the risk.
Why Other Options Are Wrong
B. Their annual loss expectancy (ALE)
ALE is a metric used in risk assessment to estimate expected financial losses from security incidents. While GDPR fines can impact financial risk calculations, compliance is primarily driven by legal obligations rather than internal financial projections like ALE.
C. Their recovery time objective (RTO)
RTO refers to the time it takes for systems to be restored after a disruption. While disaster recovery and business continuity are important, they are not the primary drivers of regulatory compliance. GDPR and similar regulations focus more on data protection and privacy laws than system recovery.
D. The likelihood of occurrence
While organizations assess risks based on how likely a security incident or data breach is to happen, GDPR compliance is required regardless of the probability of a breach. The severity of non-compliance penalties makes it a priority, even if the risk of a breach seems low.
Which of the following statements is true regarding a data retention policy?
- A. Regulations require financial transactions to be stored for seven years
- B. Employees must remove and lock up all sensitive and confidential documents when not in use
- C. It describes a formal process of managing configuration changes made to a network
- D. It is a legal document that describes a mutual agreement between parties
Correct Answer: A. Regulations require financial transactions to be stored for seven years
Explanation
A data retention policy outlines how long an organization must retain different types of data before disposal. In many industries, regulations require financial transaction records to be kept for a minimum period, often seven years, to comply with legal and auditing standards. This helps ensure accountability, regulatory compliance, and data availability for audits.
Why Other Options Are Wrong
B. Employees must remove and lock up all sensitive and confidential documents when not in use
This describes a clean desk policy, which ensures that sensitive information is not left unattended. While a clean desk policy is important for security, it is separate from a data retention policy, which deals with how long data is stored.
C. It describes a formal process of managing configuration changes made to a network
This describes a change management policy, which ensures that modifications to network configurations follow an approval process. A data retention policy is concerned with data storage duration, not network changes.
D. It is a legal document that describes a mutual agreement between parties
A legal document outlining agreements between parties is typically a contract, such as a Service Level Agreement (SLA) or a Non-Disclosure Agreement (NDA). A data retention policy, however, specifically governs how long data must be stored and when it should be deleted.
What process related to disaster recovery planning includes reviewing FEMA flood maps?
- A. Business impact analysis (BIA)
- B. Site risk assessment
- C. Crime prevention through environmental design
- D. Business continuity planning
Correct Answer: B. Site risk assessment
Explanation
A site risk assessment evaluates potential hazards at a physical location, including natural disasters like floods, earthquakes, and hurricanes. Reviewing FEMA flood maps is a key part of this process, as it helps organizations assess environmental risks before selecting a site. This assessment ensures that organizations make informed decisions regarding disaster preparedness and mitigation strategies.
Why Other Options Are Wrong
A. Business impact analysis (BIA)
A BIA identifies critical business functions and the impact of disruptions but does not focus on specific site risks. While flood risks could be considered in a BIA, the process primarily evaluates operational consequences, recovery time, and dependencies. It does not typically involve reviewing flood maps or assessing physical locations.
C. Crime prevention through environmental design
This approach focuses on reducing crime through architectural and design strategies, such as improving lighting, access control, and surveillance. While security concerns are important, this concept is unrelated to evaluating flood risks or natural disaster planning. It does not involve using FEMA flood maps for site selection.
D. Business continuity planning
Business continuity planning (BCP) ensures that an organization can maintain operations during and after a disaster. While site risk assessment contributes to BCP planning, it is a separate step in disaster recovery planning that specifically evaluates potential physical hazards. Business continuity planning focuses on broader operational recovery strategies.
Which of the following is not a common security policy type?
- A. Acceptable use policy
- B. Social media policy
- C. Password policy
- D. Parking policy
Correct Answer: D. Parking policy
Explanation
A parking policy is not a common security policy type because it pertains to physical vehicle management rather than IT or cybersecurity. Security policies typically focus on protecting information, networks, and employee conduct within the organization.
Why Other Options Are Wrong
A. Acceptable use policy
An acceptable use policy (AUP) defines how employees can use company resources, such as internet access and company-owned devices, to prevent security breaches and misuse.
B. Social media policy
A social media policy establishes guidelines for employees' online behavior to protect company data, maintain brand reputation, and prevent security risks related to social media use.
C. Password policy
A password policy sets requirements for password complexity, expiration, and storage to enhance authentication security and reduce unauthorized access risks.
Charles wants to display information from his organization's risk register in an easy-to-understand, ranked format. What common tool is used to help management quickly understand relative rankings of risk?
- A. Risk plots
- B. A heat map
- C. Their recovery time objective (RTO)
- D. The likelihood of occurrence
Correct Answer: B. A heat map
Explanation
A heat map is a visual representation of risk that uses colors to indicate severity and likelihood, helping management prioritize risk responses. Risks with higher likelihood and impact are often displayed in red, while lower risks appear in green or yellow. This method allows for quick decision-making regarding risk mitigation strategies.
Why Other Options Are Wrong
A. Risk plots
While risk plots can be used to display data, a heat map is a more common and effective tool for visually ranking risks.
C. Their recovery time objective (RTO)
RTO refers to the maximum acceptable downtime for a system after a failure, not a tool for ranking risks.
D. The likelihood of occurrence
While likelihood is a factor in assessing risk, it does not provide a ranked or visually intuitive representation like a heat map does.
Which of the following is not a common location for privacy practices to be recorded or codified?
- A. A formal privacy notice
- B. The source code for a product
- C. The terms of the organization's agreement with customers
- D. None of the above
Correct Answer: B. The source code for a product
Explanation
Privacy practices are typically documented in formal privacy policies, customer agreements, or compliance reports to inform users about data handling and protection. However, privacy practices are not generally codified in source code, as source code focuses on the functionality of the software rather than legal or policy-related documentation.
Why Other Options Are Wrong
A. A formal privacy notice
Privacy notices are explicitly written policies that inform users about how their data is collected, stored, and shared. They are a standard way to record privacy practices.
C. The terms of the organization's agreement with customers
Many companies include privacy-related clauses in their terms of service agreements, ensuring customers understand their rights and how their data will be managed.
D. None of the above
Since privacy policies are not typically included in source code, this option is incorrect.
Caroline has been asked to find an international standard to guide her company's choices in implementing information security management systems. Which of the following would be the best choice for her?
- A. ISO 27002
- B. ISO 27017
- C. NIST 800-12
- D. NIST 800-14
Correct Answer: A. ISO 27002
Explanation
ISO 27002 is an internationally recognized standard that provides guidelines and best practices for implementing an information security management system (ISMS). It is designed to help organizations establish, implement, maintain, and continually improve their security controls. This makes it the best choice for Caroline’s company in guiding their information security efforts.
Why Other Options Are Wrong
B. ISO 27017
ISO 27017 is a standard focused on cloud security, providing guidelines for cloud service providers and customers. While it is useful for cloud environments, it is not the best choice for a general information security management system.
C. NIST 800-12
NIST 800-12 is a U.S.-based standard that provides a broad overview of computer security principles, but it does not serve as a direct international guide for implementing an ISMS. It is more of an introductory resource rather than a comprehensive framework.
D. NIST 800-14
NIST 800-14 focuses on security principles and practices but does not provide a structured approach to implementing an ISMS. Unlike ISO 27002, it is not widely recognized as an international standard for information security management.
Frequently Asked Questions
ULOSCA is an online study platform that offers expertly crafted exam practice questions and detailed explanations, designed to help students excel in their exams, including the Governance, Risk, and Compliance (D486) exam.
We offer over 200 exam practice questions specifically designed for the D486 exam, covering key topics to ensure you’re fully prepared.
ULOSCA is available for just $30 per month, giving you unlimited access to all our study resources.
With your subscription, you get unlimited access to practice questions, detailed explanations, and study resources that are tailored to the D486 exam.
Yes! Our practice questions are carefully designed to reflect the type and difficulty level of the questions you will encounter on the real D486 exam.
Yes, once you subscribe, you have 24/7 access to all of our high-quality study materials, allowing you to study at your own pace.
Absolutely! Each question is followed by detailed, easy-to-understand explanations that break down complex concepts, making it easier for you to grasp difficult material.
By practicing with our realistic questions and thoroughly understanding the explanations, you’ll gain deeper insights, build confidence, and enhance your ability to tackle any question on exam day.
While we currently don’t offer a free trial, we do provide unlimited access to our resources, which allows you to fully explore all the benefits of a subscription before committing.