08. Exercise: Obligation Sources

Exercise: Obligation Sources

Review the following sources of compliance obligations to gain a better understanding of how standards specify the security controls and actions for an organization.

Review these obligation sources

Task Feedback:

Good job! Existing compliance frameworks may be used to guide organizational controls and can be a great source for identifying potential security risks as well.

Now that you have reviewed the compliance frameworks, try to answer the following questions.

Question 1

Select the most appropriate answer. To whom does PCI DSS apply?

SOLUTION: All entities involved in payment card processing that store, process, or transmit cardholder data (merchants, processors, acquirers, issuers, and service providers alike)

Question 2

Select all that apply. PCI DSS requires a formal process for approving and testing all network connections and all changes to firewall and router configurations. Which testing procedures does the standard specify for assessing that requirement?

SOLUTION:
  • Examine documented procedures
  • Sample network configuration changes, interview responsible personnel, and examine records
  • Sample actual firewall changes, compare them to the change records, and interview personnel

Question 3

What is the NCSC's recommendation on TLS protocol versions?

SOLUTION: Use only TLS 1.2 or higher; older versions (SSL, TLS 1.0 and TLS 1.1) should be disabled

Question 4

Select two. The NCSC gives two examples of security standards that an organization may follow to demonstrate that its engineering practices adhere to secure development standards. What are they?

SOLUTION:
  • SAFECode "Fundamental Practices for Secure Software Development"
  • ISO/IEC 27034

Question 5

How many characters must a memorized secret (a user-chosen password or PIN, in NIST SP 800-63B terms) contain?

SOLUTION: At least 8 characters