Compliance, as it applies to IT departments, involves following rules and regulations that are meant to protect sensitive data of all types. It can govern everything from IT decision-making and purchasing, to configurations, and the policies and procedures a company must create and enforce to uphold this important task.
Rightfully so, many businesses are taking the obligation of compliance very seriously. After all, there is a lot at stake when fines and penalties can be levied against you (among other legal repercussions) for noncompliance.
As an IT pro, it’s important to know what you’re up against. Answer these questions from our recent Compliance IQ Quiz – or verify your IQ from your earlier exam – to see how your knowledge stacks up when it comes to IT compliance.
Despite InfoSec folklore, the actors most often involved in a breach of sensitive information are coming from outside your company. Unfortunately, understanding the source of these threats is only half the battle when it comes to maintaining IT security and compliance.
1.) Which of the following three types of cyberattacks can be classified as an external threat?
A) Technical attacks
B) Phishing attacks
C) Physical attacks
D) All of the above
HINT: Watch our "IT Security Threats and Risk Management" video (15:47 - 34:35). Click here.
Answer: D) All of the above
It is true that most threats to your data and compliance initiatives come from beyond the four walls of your organization, but that doesn’t mean your fellow employees can't somehow be involved.
2.) Which of the following exploits is classified as "a form of social engineering in which a message, typically an email, with a malicious attachment or link is sent to a victim with the intent of tricking the recipient to open an attachment"?
HINT: Would you know if your network was breached? Read this article on solarwinds.com.
Answer: C) Phishing
If your business interacts with sensitive data that falls under the protection of HIPAA, PCI, NCUA, SOX, GLBA, or other frameworks, then compliance should be on your radar.
3.) Poll: Which of the following industries does your business serve? (Select all that apply)
A) Financial services
See who participated in the quiz in this chart, below:
No locale, industry, or organization is bulletproof when it comes to the compromise of data, even with a multitude of compliance frameworks governing the methods used to prevent unlawful use or disclosure of sensitive data.
4.) In the past year, which industry experienced the highest number of breaches of sensitive information? For reference, we have highlighted the key compliance frameworks that guide these industries.
A) Financial services - PCI DSS, NCUA, SOX, GLBA, and more
B) Healthcare - HIPAA
C) Technology - ISO, COBIT, and more
D) Federal - FISMA, NERC CIP, GPG 13, and more
E) Education - FERPA
F) Other
HINT: Check out Verizon’s 2016 Data Breach Investigation Report. Click here.
Answer: A) Financial services
If your business must comply with a major IT regulatory framework or scheme, you may be subject to serious penalties for noncompliance.
5.) Not adhering to a compliance program can have severe consequences, especially when breaches are involved. Which of the following can result from noncompliance?
A) Withdrawal or suspension of a business-critical service
B) Externally defined remediation programs
D) Criminal liability
E) All of the above
HINT: Read this Geek Speak post titled The Cost of Noncompliance. Think big picture and across all frameworks.
Answer: E) IT compliance violations are punishable by all of these means, and more.
The cost of a breach goes well beyond the fines and penalties levied by enforcement agencies. It also includes the cost of detecting the root cause of a breach, remediating it, and notifying those affected. There are also legal expenditures, business-related expenses, and loss of revenue from damaged brand reputation to take into account.
6.) True or False: The price that businesses pay for sensitive data breaches is on the rise globally.
HINT: You do the math!
Answer: True. According to the Ponemon Institute, the cost associated with a data breach has risen year over year to a current $4 million.
Healthcare is increasingly targeted by cyberattacks; the past few years have seen a spree of high-profile breaches and increased enforcement efforts from the OCR.
7.) What type of data are hackers after if your business is in the healthcare industry?
A) CD or CHD
HINT: Read this post: Top 3 Reasons Why Compliance Audits Are Required.
Answer: B) ePHI - Electronic Protected Health Information
Other Definitions: CD/CHD - Cardholder Data; ePHI - Electronic Protected Health Information; PII - Personally Identifiable Information; IP - Intellectual Property
Despite the higher black market value of healthcare data, 2016 saw a greater volume of compromised PCI data. This makes it all the more important to understand this framework.
8.) Which response most accurately describes PCI DSS compliance?
A) The organization can guarantee that credit card data will never be lost
B) The organization has followed the rules set forth in the Payment Card Industry Data Security Standards, and can offer proof in the form of documentation
C) The organization is not liable if credit card data is lost or stolen
D) The organization does not store PAN or CVV data under any circumstances
HINT: Check out this article: Best Practices for Compliance.
Answer: B) The organization has followed the rules set forth in the Payment Card Industry Data Security Standards, and can offer proof in the form of documentation.
According to the Verizon 2016 Data Breach Investigation Report, 89% of breaches had a financial or espionage motive. With a long history of unified compliance efforts, the banking industry certainly takes this seriously, and so should you.
9.) True or False: The Federal Financial Institute of Examiners Council (FFIEC) is empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions.
HINT: See footnote #3 from The Cost of Noncompliance.
Though your aim as an IT pro may be to get compliance auditors off your back, the cybersecurity threat landscape is constantly changing.
10.) True or False: If your organization passed its first compliance audit, that means its network is secure.
HINT: Watch our Becoming and Staying Compliant video (10:06 - 11:09). Click here.
Answer: False. Continuous IT compliance is key to meeting and maintaining regulatory requirements long-term.
Any feedback on this quiz, or burning questions that came up as a result? Share a comment; we’d love to hear your thoughts.