You are concerned about stealthy threat actors, which may be nation-states or state-sponsored groups, that gain unauthorized access to organizational networks and remain undetected for an extended period to conduct large-scale targeted intrusions with specific goals. Which of the following is the best way to discover and hunt this type of attack?
A. Have security analysts conduct analysis with data from various sources
B. Create microsegments and establish a software-defined perimeter
C. Implement an anomaly-based intrusion prevention system
D. Install a hardened padded cell with anonymized data to observe attackers
You intend to monitor, detect, and prevent unknown malicious traffic on your network. Which of the following is the best solution?
A. An appliance that authenticates devices to grant network access
B. A host that examines and filters network packets between zones
C. A device that imitates a legitimate server and behaves like “baiting” a suspect
D. A node that blocks traffic by comparing a sample of traffic against a known baseline
You have found that your organization engages in fraud and violates laws and regulations. Which of the following is the best way for you to report the fraud?
A. Act based on the roles and responsibilities of the whistleblowing program policy
B. Refer to the program plan of corporate compliance and ethics
C. Look up the employee manual
D. Report to the regulatory authority
Identifying, analyzing, and prioritizing business continuity requirements is crucial to initiating the business continuity management (BCM) program. Which of the following should be conducted first?
A. Determining the scope of the BCM program
B. Understanding the organization and its context
C. Understanding the needs and expectations of stakeholders
D. Developing project plans
John Smith posted an interesting question about the policy framework and due diligence today, as follows:
Due diligence, generally speaking, is a cautious investigation that informs decision-making or a course of proactive and preemptive actions. Due care is the reasonable care used by a prudent man to implement the decision, exercise one’s duties, or conduct any activities; negligence, or failure to exercise due care, might lead to litigation.
Due diligence can be explicitly measured by a standard, while due care is implicit and determined by court judges.
Standard of Due Diligence
The definition of due diligence varies across contexts or industries. There should be a “standard of due diligence” for each context to measure if due diligence is fulfilled. For example, a lawyer is subject to legal due diligence. Kayode Omosehin, Esq. has a good explanation of this topic.
However, when it comes to information security, what is the standard of “security due diligence,” and who is subject to the standard? The CISSP CBK 4th edition proposed a list of tasks as the following diagram shows:
Management is typically in charge of the creation of Policies, Standards, or Procedures (the policy framework). IMO, setting up the policy framework is management’s due diligence, as policies stand for management intention, and the fact that policies entail informed decisions is proactive in nature.
Publicly traded companies in the US are subject to the Sarbanes-Oxley Act (SOX). Which of the following best describes the position of SOX?
C. Common law