14. Exercise: Control Assessment
Review the controls below to determine whether or not they meet specified control objectives.
Answer the following scenario:
QUESTION:
A compliance obligation requires that your organization maintain a cybersecurity incident response policy which details how and when cybersecurity response teams are contacted in the event of an incident. Your organization has a cybersecurity incident response policy, but it refers to a separate policy that details how to contact team members. Do your controls meet the obligation? Why or why not?
ANSWER:
These controls probably meet the obligation. Why? Even though contact procedures are not contained in the Incident Response Policy itself, the policy points to where they are, and an assessor would most likely accept that your organization maintains a separate, referenced policy with the contact procedures. One note: the assessor may additionally interview individuals to confirm that they are aware of the separate policy and know where to find it; a referenced document that nobody can locate during an incident would not satisfy the intent of the obligation.
Answer the following scenario:
QUESTION:
A compliance obligation requires that your organization train users to construct and use secure passwords. While you don't currently do training related to passwords, you do have every system set up to require a lengthy minimum password length and to force every user to construct a strong password. Does this control meet the obligation? Why or why not?
ANSWER:
This control likely does not meet the control objective. Why? While your organization may already use systems to enforce minimum password standards, it is still possible for a user to construct a relatively weak password that satisfies those parameters (for example, a predictable pattern that happens to meet the length and complexity rules). More importantly, the control objective asks that users be actively trained on password construction; a technical control is a different control than the one required, and an assessor will look for training records.
Answer the following scenario:
QUESTION:
A customer Master Service Agreement has a clause which states "Vulnerability management procedures must be in place to remediate vulnerabilities in a timely manner". Your organization has a policy which states that vulnerabilities will be remediated on the following schedule (High: 30 days, Medium: 60 days, Low: 120 days). You additionally have procedures for remediating vulnerabilities. Do your organization's policy and procedures meet this obligation? Why or why not?
ANSWER:
Probably. However, you may need to test the process, or work with your Governance team to test it, in order to ensure it is working effectively. Your organization seemingly has the procedures required by the control objective, but when policies or procedures establish benchmarks for your organization, it is important to make sure the organization is actually following through. Evidence such as scan results and ticket histories showing that vulnerabilities are closed within the stated windows is what a customer or assessor will want to see; a published schedule that is routinely missed is a finding waiting to happen.
Answer the following scenario:
QUESTION:
PCI-DSS v3.2.1 Section 1.1.3 requires that organizations maintain a "current diagram that shows all cardholder data flows across systems and networks". Your organization outsources all credit card transactions to a third-party credit card processor, so no cardholder data ever enters your network or systems, and your organization does not maintain this type of diagram. Does this still meet the PCI-DSS requirement? Why or why not?
ANSWER:
This is a bit of a trick question. As we described in the first part of the Compliance section, PCI-DSS does not apply to organizations that don't process, store, or transmit cardholder data. Your organization is therefore out of scope for this requirement and does not need to maintain this diagram. One caveat: if your organization accepts card payments at all, even through a fully outsourced processor, your acquirer or the card brands may still ask for a reduced self-assessment (such as SAQ A) to confirm that no cardholder data touches your environment, so verify your scope with your acquirer rather than assuming it.
Answer the following scenario:
QUESTION:
Your organization is attempting to comply with a new information security standard. That standard has a control objective related to password management that states "All network user accounts must contain passwords that are at least 12 characters in length, are complex, and expire after 120 days". You have asked your system administrators whether the organization meets this objective, and the system administrators have told you that the "user directory service which allows employees to log into the network is configured for 12-character, complex passwords which expire after 90 days". Does this control meet the objective? Why or why not?
ANSWER:
Again, this one is tricky. It all depends on what "network user accounts" means as it relates to the new information security standard. If "network user accounts" means employee accounts, then it appears your controls do meet the objective (a 90-day expiration is stricter than the 120-day maximum required). If "network user accounts" means any user account that exists on the network, you must seek additional information about the construction of passwords for items like service accounts and local or infrastructure accounts on devices such as firewalls and routers, which are often not governed by the directory service's policy. In either case, rather than relying solely on the administrators' statement, confirm the configured policy directly, since the assessor will.