Home Governance & Regulation
Post
Cancel

Governance & Regulation

Explore policies and frameworks vital for regulating cyber security in an organisation.

THM Room : https://tryhackme.com/room/cybergovernanceregulation

TASK 1 Introduction

I am ready to start the room.

No Answer.

TASK 2 Why is it important?

“Regulation: A rule or law enforced by a governing body to ensure compliance and protect against harm.”

Answer : Regulation

Health Insurance Portability and Accountability Act (HIPAA) targets which domain for data protection?

“Health Insurance Portability and Accountability Act (HIPAA) Healthcare A US-based official law to maintain the sensitivity of health-related information of citizens.”

Answer : Healthcare

TASK 3 Information Security Frameworks

The step that involves periodic evaluation of policies and making changes as per stakeholder’s input is called?

“Review and update: Periodically review and update the document to ensure it remains relevant and practical. Monitor compliance and adjust the document based on feedback and changes in the threat landscape or regulatory environment.”

Answer : Review and update

A set of specific steps for undertaking a particular task or process is called?

Answer : Procedure

TASK 4 Governance Risk and Compliance (GRC)

What is the component in the GRC framework involved in identifying, assessing, and prioritising risks to the organisation?

“Risk Management Activities: Identify potential risks, their possible outcomes, and countermeasures such as financial fraud risks, fraudulent transactions through cyber-attack, stolen credentials through phishing, fake ATM cards, etc.”

Answer : Risk Management

Is it important to monitor and measure the performance of a developed policy? (yea/nay)

Answer : YEA

TASK 5 Privacy and Data Protection

What is the maximum fine for Tier 1 users as per GDPR (in terms of percentage)?

“Tier 1: More severe violations, including unintended data collection, sharing data with third parties without consent, etc. Maximum penalty amounting to 4% of the organisation’s revenue or 20 million euros (whichever is higher).”

Answer : 4

In terms of PCI DSS, what does CHD stand for?

Following the given link in the “PCI DSS Applicability Information” section, you’ll find the answer.

Answer : cardholder data

TASK 6 NIST Special Publications

Per NIST 800-53, in which control category does the media protection lie?

Answer : physical

Per NIST 800-53, in which control category does the incident response lie?

Answer : administrative

Which phase (name) of NIST 800-53 compliance best practices results in correlating identified assets and permissions?

Answer : map

TASK 7 Information Security Management and Compliance

Which ISO/IEC 27001 component involves selecting and implementing controls to reduce the identified risks to an acceptable level?

“Risk treatment: Involves selecting and implementing controls to reduce the identified risks to an acceptable level.”

Answer : Risk treatment

In SOC 2 generic controls, which control shows that the system remains available?

Answer : availability

TASK 8 Conclusion

Click the View Site button at the top of the task to launch the static site in split view. What is the flag after completing the exercise?

Flag Flag

Answer : THM{SECURE_1001}

This post is licensed under CC BY 4.0 by the author.