You intend to monitor, detect, and prevent unknown malicious traffic on your network. Which of the following is the best solution?
A. An appliance that authenticates devices to grant network access
B. A host that examines and filters network packets between zones
C. A device that imitates a legitimate server and behaves like “baiting” a suspect
D. A node that blocks traffic by comparing a sample of traffic against a known baseline
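Option D describes anomaly-based detection: instead of matching traffic against signatures of known attacks, the sensor learns a baseline of normal traffic and flags what deviates from it, which is what makes it suitable for "unknown" malicious traffic. The following added example (not from the quiz page) shows the mechanism on constructed flow records: a per-destination-port profile is learned from a clean period, then new flows are scored against it for unseen ports and abnormal byte volumes. All flows, thresholds and addresses are made up for the demo.

```python
"""Baseline-vs-sample anomaly detection (added example, constructed data)."""
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def build_baseline(flows):
    """Learn a per-destination-port profile: share of all flows and byte stats.

    This is the 'known baseline' the sensor compares new samples against.
    """
    by_port = {}
    for f in flows:
        by_port.setdefault(f.dport, []).append(f.nbytes)
    total = len(flows)
    profile = {}
    for port, sizes in by_port.items():
        profile[port] = {
            "share": len(sizes) / total,
            "mean": statistics.mean(sizes),
            # pstdev can be 0 for a constant port; use 1 byte to avoid a zero-width band
            "stdev": statistics.pstdev(sizes) or 1.0,
        }
    return profile


def score_sample(profile, sample, z_threshold=3.0, min_share=0.02):
    """Return (flow, reason) pairs for flows that deviate from the baseline.

    Two anomaly types are checked: traffic to a port that was unseen (or very
    rare) during learning, and byte volumes far outside the port's normal band.
    """
    alerts = []
    for f in sample:
        p = profile.get(f.dport)
        if p is None or p["share"] < min_share:
            alerts.append((f, "unseen or rare destination port"))
            continue
        z = abs(f.nbytes - p["mean"]) / p["stdev"]
        if z > z_threshold:
            alerts.append((f, f"byte volume z-score {z:.1f}"))
    return alerts


# --- constructed learning-period traffic: a small office doing HTTPS and DNS ---
BASELINE = (
    [Flow("10.0.0.5", "93.184.216.34", 443, 1500 + 100 * (i % 11)) for i in range(20)]
    + [Flow("10.0.0.5", "10.0.0.2", 53, 100 + 20 * (i % 5)) for i in range(10)]
)

# --- constructed sample to inspect: two normal flows and two suspicious ones ---
SAMPLE = [
    Flow("10.0.0.7", "93.184.216.34", 443, 2000),        # ordinary web request
    Flow("10.0.0.7", "198.51.100.9", 443, 90_000_000),   # huge upload: possible exfiltration
    Flow("10.0.0.7", "198.51.100.9", 4444, 300),         # port never seen in the baseline
    Flow("10.0.0.7", "10.0.0.2", 53, 150),               # ordinary DNS lookup
]


def detect():
    """Run the sample through the learned baseline and return the alerts."""
    return score_sample(build_baseline(BASELINE), SAMPLE)


if __name__ == "__main__":
    for flow, reason in detect():
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport} ({flow.nbytes} bytes): {reason}")
```

Neither alert needed a signature for the exfiltration tool or the listener on port 4444, which is the property the question is after. The caveat a practitioner should keep in mind: the baseline must be learned from a period known to be clean, since any attacker traffic present during learning becomes "normal", and the thresholds trade false positives against missed attacks, so in a prevention (blocking) role they are usually tuned conservatively and paired with signature-based detection.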
You found out that your organization engages in fraud and violates laws and regulations. Which of the following is the best course of action?
A. Act based on the roles and responsibilities of the whistleblowing program policy
B. Refer to the program plan of corporate compliance and ethics
C. Look up the employee manual
D. Report to the regulatory authority
Identifying, analyzing, and prioritizing business continuity requirements is crucial to initiating the business continuity management (BCM) program. Which of the following should be conducted first?
A. Determining the scope of the BCM program
B. Understanding the organization and its context
C. Understanding the needs and expectations of stakeholders
D. Developing project plans
John Smith posts an interesting question about policy framework and due diligence today as follows:
Due diligence, generally speaking, is a cautious investigation that informs decision-making or a course of proactive and preemptive actions. Due care is the reasonable care a prudent man would use to implement the decision, exercise one's duties, or conduct any activity; negligence, that is, failing to exercise due care, may lead to litigation.
Due diligence can be explicitly measured against a standard, while due care is implicit and determined by the courts.
Standard of Due Diligence
The definition of due diligence varies across contexts and industries. There should be a "standard of due diligence" for each context to measure whether due diligence has been fulfilled. For example, a lawyer is subject to legal due diligence. Kayode Omosehin, Esq. has a good explanation of this topic.
However, when it comes to information security, what is the standard of "security due diligence," and who is subject to that standard? The CISSP CBK 4th edition proposed a list of tasks, as the following diagram shows:
Management is typically in charge of creating policies, standards, and procedures (the policy framework). IMO, setting up the policy framework is management's due diligence, as policies stand for management intention, and the fact that policies entail informed decisions is proactive in nature.
Publicly traded companies in the US are subject to the Sarbanes-Oxley Act (SOX). Which of the following best describes the position of SOX?
C. Common law
Which of the following best aligns with Zero Trust concepts?
A. Group resources into smaller segments protected by a segmentation gateway
B. Issue a security policy to prohibit connections from public places, e.g., cafeteria
C. Revise the contract to require vendors and contractors to work on-site
D. Allow remote workers to connect to corporate networks by VPN only
Zero Trust is a cybersecurity paradigm for fine-grained, dynamic, data-centric access control that supports visibility.
(Access control is mediating the usage of resources by authentication, authorization, and accounting, based on the principles of need-to-know and least privilege.)
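To make the "fine-grained, dynamic, data-centric" part concrete, here is an added example (not code from this page or from any of the sources cited below) of a per-request policy decision point and a segmentation gateway acting as its enforcement point, in the sense of the PDP/PEP roles that NIST SP 800-207 describes. Every request is evaluated on its own merits: identity and authentication strength, device posture, and the subject's entitlement to the specific resource, with a default deny and an audit record for accounting. Network location is captured only for the audit trail and earns no trust, which is exactly why a "corporate LAN" or "VPN only" rule (options B, C and D above) is not a Zero Trust control. All users, devices, resources, rule thresholds and the `AUDIT_LOG` shape are hypothetical and constructed for the demo.

```python
"""Per-request Zero Trust access decision (added illustration, hypothetical rules).

PDP  = decide():               evaluates one request against identity, device
                               posture and need-to-know, default deny.
PEP  = segmentation_gateway(): sits in front of a resource segment and forwards
                               or drops each request based on the PDP verdict.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset      # roles granted to the user (constructed)
    mfa: bool             # did this session authenticate with MFA?


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in device management
    patched: bool         # posture check passed


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str      # "public" | "internal" | "confidential"
    allowed_roles: frozenset  # need-to-know: roles explicitly entitled


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple


AUDIT_LOG = []  # accounting: every decision, allowed or not, is recorded here


def decide(subject: Subject, device: Device, resource: Resource, src_network: str) -> Decision:
    """Policy decision point. Default deny: any failed check denies the request."""
    reasons = []

    # Network location is deliberately NOT consulted as a trust signal: a
    # request from "corp-lan" gets no bonus and one from "cafe-wifi" no penalty.
    # It is only recorded for visibility (see the audit record below).

    # 1. Authentication strength scales with data sensitivity.
    if resource.sensitivity != "public" and not subject.mfa:
        reasons.append("mfa required for non-public data")

    # 2. Device posture: confidential data only from a managed, patched device.
    if resource.sensitivity == "confidential" and not (device.managed and device.patched):
        reasons.append("device posture insufficient")

    # 3. Need-to-know / least privilege: the role must be explicitly entitled.
    if not (subject.roles & resource.allowed_roles):
        reasons.append("role not entitled to resource")

    allow = not reasons
    AUDIT_LOG.append({
        "user": subject.user, "device": device.device_id, "resource": resource.name,
        "src_network": src_network, "allow": allow, "reasons": tuple(reasons),
    })
    return Decision(allow, tuple(reasons) if reasons else ("all checks passed",))


def segmentation_gateway(subject: Subject, device: Device, resource: Resource, src_network: str) -> str:
    """Policy enforcement point in front of a resource segment (option A above).

    Every request crossing into the segment is mediated; nothing is implicitly
    trusted for being 'inside' already.
    """
    return "forward" if decide(subject, device, resource, src_network).allow else "drop"


# --- constructed demo data -------------------------------------------------
PAYROLL = Resource("payroll-db", "confidential", frozenset({"finance"}))
WIKI = Resource("engineering-wiki", "internal", frozenset({"engineering", "finance"}))

ALICE = Subject("alice", frozenset({"finance"}), mfa=True)
ALICE_LAPTOP = Device("lt-0042", managed=True, patched=True)

BOB = Subject("bob", frozenset({"engineering"}), mfa=True)
BOB_PHONE = Device("ph-0199", managed=False, patched=False)


if __name__ == "__main__":
    # Remote finance user, compliant device -> allowed despite the untrusted network.
    print(segmentation_gateway(ALICE, ALICE_LAPTOP, PAYROLL, "cafe-wifi"))   # forward
    # On-site engineer, unmanaged device, no entitlement -> dropped despite corp-lan.
    print(segmentation_gateway(BOB, BOB_PHONE, PAYROLL, "corp-lan"))         # drop
    # Same engineer reaching internal data he is entitled to -> allowed.
    print(segmentation_gateway(BOB, BOB_PHONE, WIKI, "corp-lan"))            # forward
    for rec in AUDIT_LOG:
        print(rec)
```

The point of the two payroll requests is the inversion of location-based trust: the request from the cafe is forwarded because the subject, session and device all satisfy the policy for that resource, while the request from the corporate LAN is dropped on two independent grounds. In a real deployment the attributes would come from the identity provider, the device-management agent and a data classification service rather than from constants, and the policy would be re-evaluated continuously, not only at connection time.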
Zero Trust Cybersecurity Paradigm
The following diagram summarizes my study of Zero Trust that synthesizes various sources, such as Jericho Forum, DoD GIG/Black Core, Forrester’s Zero Trust Network, Google’s BeyondCorp, CSA’s SDP, and NIST SP 800-207.