Explore policies and frameworks vital for regulating cyber security in an organisation.
THM Room : https://tryhackme.com/room/cybergovernanceregulation
TASK 1 Introduction
I am ready to start the room.
No Answer.
TASK 2 Why is it important?
The term used for legal and regulatory frameworks that govern the use and protection of information assets is called?
“Regulation: A rule or law enforced by a governing body to ensure compliance and protect against harm.”
Answer : Regulation
Health Insurance Portability and Accountability Act (HIPAA) targets which domain for data protection?
“Health Insurance Portability and Accountability Act (HIPAA) Healthcare A US-based official law to maintain the sensitivity of health-related information of citizens.”
Answer : Healthcare
TASK 3 Information Security Frameworks
The step that involves periodic evaluation of policies and making changes as per stakeholder’s input is called?
“Review and update: Periodically review and update the document to ensure it remains relevant and practical. Monitor compliance and adjust the document based on feedback and changes in the threat landscape or regulatory environment.”
Answer : Review and update
A set of specific steps for undertaking a particular task or process is called?
Answer : Procedure
TASK 4 Governance Risk and Compliance (GRC)
What is the component in the GRC framework involved in identifying, assessing, and prioritising risks to the organisation?
“Risk Management Activities: Identify potential risks, their possible outcomes, and countermeasures such as financial fraud risks, fraudulent transactions through cyber-attack, stolen credentials through phishing, fake ATM cards, etc.”
Answer : Risk Management
Is it important to monitor and measure the performance of a developed policy? (yea/nay)
Answer : YEA
TASK 5 Privacy and Data Protection
What is the maximum fine for Tier 1 users as per GDPR (in terms of percentage)?
“Tier 1: More severe violations, including unintended data collection, sharing data with third parties without consent, etc. Maximum penalty amounting to 4% of the organisation’s revenue or 20 million euros (whichever is higher).”
Answer : 4
In terms of PCI DSS, what does CHD stand for?
Following the given link in the “PCI DSS Applicability Information” section, you’ll find the answer.
Answer : cardholder data
TASK 6 NIST Special Publications
Per NIST 800-53, in which control category does the media protection lie?
Answer : physical
Per NIST 800-53, in which control category does the incident response lie?
Answer : administrative
Which phase (name) of NIST 800-53 compliance best practices results in correlating identified assets and permissions?
Answer : map
TASK 7 Information Security Management and Compliance
Which ISO/IEC 27001 component involves selecting and implementing controls to reduce the identified risks to an acceptable level?
“Risk treatment: Involves selecting and implementing controls to reduce the identified risks to an acceptable level.”
Answer : Risk treatment
In SOC 2 generic controls, which control shows that the system remains available?
Answer : availability
TASK 8 Conclusion
Click the View Site button at the top of the task to launch the static site in split view. What is the flag after completing the exercise?
Answer : THM{SECURE_1001}