Hello folks,
In this write-up, we will provide the answers to the Governance & Regulation room, which is part of the Security Engineer learning path under Threats and Risks. The room is accessible to TryHackMe subscribers only. By successfully completing these challenges you will gain access to tickets that can boost your chances of winning incredible prizes.
You can access the room by clicking here.
Task 1 Introduction
This task will let you know the learning objectives and prerequisites of this room.
I am ready to start the room.
No answer required
Task 2 Why is it important?
In this task, you will learn about some important terms such as Governance, Compliance and Regulation, and the relevant laws.
Q 2.1- The term used for legal and regulatory frameworks that govern the use and protection of information assets is called?
A 2.1- Regulation
Q 2.2- Health Insurance Portability and Accountability Act (HIPAA) targets which domain for data protection?
A 2.2- Healthcare
Task 3 Information Security Frameworks
In this task, you will understand Information Security Frameworks, which include Policies, Standards, Guidelines, Procedures and Baselines, as well as how to develop governance documents.
Q 3.1- The step that involves periodic evaluation of policies and making changes as per stakeholders’ input is called?
A 3.1- Review and update
Q 3.2- A set of specific steps for undertaking a particular task or process is called?
A 3.2- Procedure
Task 4 Governance, Risk and Compliance (GRC)
In this task, you will understand the Governance, Risk and Compliance (GRC) framework and its components. You will also learn about the guidelines for developing GRC programs.
Q 4.1- What is the component in the GRC framework involved in identifying, assessing, and prioritising risks to the organisation?
A 4.1- Risk Management
Q 4.2- Is it important to monitor and measure the performance of a developed policy? (yea/nay)
A 4.2- Yea
Task 5 Privacy and Data Protection
In this task, you will understand the concept of Privacy and Data Protection using the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS).
Q 5.1- What is the maximum fine for Tier 1 users as per GDPR (in terms of percentage)?
A 5.1- 4
Q 5.2- In terms of PCI DSS, what does CHD stand for?
A 5.2- Cardholder Data
Task 6 NIST Special Publications
In this task, you will get an understanding of NIST Special Publications such as NIST 800-53 and NIST 800-63B.
Q 6.1- Per NIST 800-53, in which control category does the media protection lie?
A 6.1- Physical
Q 6.2- Per NIST 800-53, in which control category does the incident response lie?
A 6.2- Administrative
Q 6.3- Which phase (name) of NIST 800-53 compliance best practices results in correlating identified assets and permissions?
A 6.3- Map
Task 7 Information Security Management and Compliance
In this task, you will get an understanding of Information Security Management and Compliance, such as ISO/IEC 27001 and Service Organisation Control 2 (SOC 2).
Q 7.1- Which ISO/IEC 27001 component involves selecting and implementing controls to reduce the identified risks to an acceptable level?
A 7.1- Risk treatment
Q 7.2- In SOC 2 generic controls, which control shows that the system remains available?
A 7.2- Availability
Task 8 Conclusion
Q 8.1- What is the flag after completing the exercise?
A 8.1- THM{SECURE_1001}
Please do comment below if you want the detailed write-up of this room.
You can check out our other blogs here.
Happy Pentesting!!!
Team CyberiumX
This is one of the best explanations I’ve come across. Thanks!