Question 1: A corporation is creating security documentation. They create two separate documents: one states that "all customer data must be encrypted" and the other specifies "AES256 must be used for all data encryption." The compliance officer needs to understand which document holds higher authority and how they differ in purpose. How should these documents be described?
The first is a policy and the second is a standard
Both documents are policies with equal authority
The first is a guideline and the second is a procedure
Both documents are standards requiring immediate implementation
Question 1 Explanation: The first document is a policy and the second is a standard. Policies state high-level requirements like "all customer data must be encrypted" and hold the greatest authority. Standards specify exact technical requirements like "AES-256 must be used" and are mandatory to implement the policy.
The two documents do not have equal authority, and neither is a guideline or a procedure. A guideline is a recommendation rather than a requirement, and a procedure is a step-by-step instruction for carrying out a task.
Question 2: An employee receives a company laptop and signs a document stating that they will not use it for personal gaming or streaming videos, will not install unauthorized software, and must return the laptop upon termination of their employment. The document also outlines consequences for violations. Which critical security policy is the employee acknowledging?
BCP
AUP
DRP
SLA
Question 2 Explanation: BCP is a Business Continuity Plan, a plan for continuing normal business operations following an incident.
The employee is acknowledging the Acceptable Use Policy (AUP). This policy defines permitted and prohibited activities on company equipment, such as no personal gaming, no unauthorized software, and return procedures.
DRP is a Disaster Recovery Plan, and SLA is a Service Level Agreement – none of these cover user behavior.
Question 3: A financial institution updates its password policy annually. It needs to ensure every department is using the latest version of the policy, not outdated documents. Auditors require proof of which version was in effect during specific periods. Which governance control provides this?
Automated policy enforcement through Group Policy
Security governance board approval
Avoiding single points of failure
Version control and change management
Question 3 Explanation: Automated enforcement applies policies but doesn't track versions or documents.
Governance board approval gives authority to make changes, but doesn't maintain version history.
Avoiding single points of failure is about system reliability, not documentation.
Version control and change management provides this capability. It tracks every policy change, ensures staff use current versions, and creates an audit trail showing which version was active during specific periods.
Question 4: A company headquartered in California processes customer data from both European Union residents and Californian citizens. After discovering a data breach affecting 10,000 records, they must comply with breach notification requirements. Which legal requirements must they comply with?
Both CCPA and GDPR
CCPA only
GDPR only
HIPAA
Question 4 Explanation: They must comply with both CCPA (California Consumer Privacy Act) and GDPR (the European Union's General Data Protection Regulation). GDPR applies because they process data from EU residents (GDPR applies to any company in the world that does business in the EU, no matter where it is based). CCPA applies because they operate in California.
HIPAA (the Health Insurance Portability and Accountability Act) applies to healthcare data in the United States only.
Question 5: A healthcare organization uses a Cloud-based electronic medical records system. The hospital's senior management determines what data is collected and how it is used. The Cloud provider hosts the infrastructure and processes the data according to the hospital's instructions. What are the correct data governance roles for the hospital and Cloud provider?
The hospital is a data controller and the Cloud provider is a data processor
The hospital is a data owner and the Cloud provider is a data custodian
The hospital is a data processor and the Cloud provider is a data controller
Both are data stewards
Question 5 Explanation: The hospital is a data controller and the Cloud provider is a data processor. A controller determines what data is collected and how it's used. A processor handles data on behalf of the controller according to their instructions.
A data owner is a senior-level staff member or business leader responsible for the governance of data sets. A data steward is responsible for day-to-day management of data.
Question 6: A security team manually configures firewall rules across 500 servers. They often experience misconfigurations causing vulnerabilities. What should they follow to configure the servers correctly?
Rules
Policies
Guidelines
Standards
Question 6 Explanation: "Rules" is not a formal term in the policy hierarchy.
Policies are high-level documents that do not give specific configuration settings.
Guidelines are optional recommendations.
Standards are the correct answer. They provide specific, mandatory requirements for configurations such as firewall rules across all systems, which ensures a consistent, secure implementation.
Question 7: A software patch was accidentally deployed early, during the middle of the working day, and has negatively affected business operations. The Chief Executive Officer (CEO) demands that the systems return to full operations immediately. What part of the change management plan will assist in this task?
Rollback plan
Impact analysis
Staging environment
Separation of duties
Question 7 Explanation: The rollback plan will assist. A rollback plan is specifically designed to return systems to their previous status when a change causes problems.
Impact analysis identifies risks before deployment of patches.
A staging environment is for testing.
Separation of duties divides responsibilities but does not help reverse changes.
Question 8: A Security Operations Center (SOC) for a large financial institution deals with high volumes of alerts and potential threats. They are considering implementing automation and orchestration in security operations. What is the PRIMARY benefit of automation in SOC operations?
Automation performs repetitive tasks quickly and consistently, reducing human error
Automation simplifies the type and volume of alerts, reducing analyst fatigue and false positives
Automation cuts costs by allowing the company to fire SOC analysts
Automation is considered to be more compliant by government regulators
Question 8 Explanation: The primary benefit is that automation performs repetitive tasks quickly and consistently, reducing human error. It handles routine actions like log analysis and alert triage faster than manual work.
Although automation does reduce analyst fatigue, it does not simplify alert types or reduce false positives; it only executes the tasks it is given.
It is not about firing staff or regulatory compliance.
Question 9: A manufacturing plant experiences a major flood that destroys the primary data center. Management activates a secondary facility in another state to continue operations. Which plan is being executed?
Change Management Plan
Disaster Recovery Plan
Business Continuity Plan
Serious Incident Plan
Question 9 Explanation: Change Management is a process for controlling major changes in the organization.
A Disaster Recovery Plan focuses on restoring IT systems and data.
The Business Continuity Plan is being executed. This plan maintains essential business operations to keep the organization running.
A Serious Incident Plan is not a typical term used in security.
Question 10: Management teams of a large government organization want to be prepared in the event of a major natural disaster such as a flood or earthquake. They prepare a secondary facility in a different region. To save costs, this facility has servers and workstations installed, but they are powered down. Only a small number of staff, such as security guards, work in the facility. If the organization needed to use the facility, it would take some time to transfer staff and data there. What is the best description of this site?
Cold site
Warm site
Hot site
Off site
Question 10 Explanation: This is a cold site. A cold site has infrastructure installed but powered down, minimal staff, and requires time to activate and transfer operations.
A warm site has some equipment running and ready.
A hot site is fully operational with real-time data replication.
"Off site" simply means a different location, not a specific disaster recovery site type.