03. Industry Standards and Frameworks for Information Security Flashcards

1
Q

Industry Standards and Frameworks for InfoSec

An Information Security Program may use or adopt several types of frameworks, such as…

A
  1. Control Frameworks
  2. Risk Management Frameworks
  3. Architecture Frameworks
  4. Security Program Management Frameworks

213

2
Q

Industry Standards and Frameworks for InfoSec

Control Frameworks include…

A
  1. CIS CSC
  2. ISO/IEC 27002
  3. NIST SP 800-53
  4. PCI DSS
  5. NIST CSF
  6. COBIT
  7. ETSI Technical Report (TR) 103 305-1
  8. HITRUST CSF

213

3
Q

Industry Standards and Frameworks for InfoSec

Risk Management Frameworks include…

A
  1. ISO/IEC 27005
  2. ISO/IEC 31000
  3. NIST CSF
  4. NIST SP 800-37

213

4
Q

Industry Standards and Frameworks for InfoSec

Architecture Frameworks include…

A
  1. Zachman
  2. TOGAF

The Open Group Architecture Framework

213

5
Q

Industry Standards and Frameworks for InfoSec

Security Program Management Frameworks include…

A
  1. ISO/IEC 27001
  2. NIST CSF
  3. COBIT
  4. ETSI TR 103 787-1

213

6
Q

Control Frameworks

An advantage of an organisation adopting an industry-standard control framework is that such frameworks are used by thousands of companies and they are…

A

regularly updated to reflect changing business practices, emerging threats, and new technologies

213

7
Q

Control Frameworks

A strategist should select a control framework based on its…

A

alignment to the industry

214

8
Q

Control Frameworks

Where a control framework has been selected based on its industry alignment, the strategist should institute a process for…

A

developing additional controls based on the results of risk assessments to meet the specific needs of the organisation

214

9
Q

Control Frameworks: COBIT

COBIT has 4 domains…

A
  1. Plan and Organise
  2. Acquire and Implement
  3. Delivery and Support
  4. Monitor and Evaluate

215

10
Q

Control Frameworks: COBIT

COBIT is not primarily a security control framework. It is an IT process framework that includes security processes interspersed. The security and risk related processes are…

A
  1. Ensure Risk Optimization
  2. Manage Risk
  3. Manage Security
  4. Manage Security Resources
  5. Monitor, Evaluate, and Assess compliance with external requirements

215

11
Q

Control Frameworks: ITIL / ISO/IEC 20000

ITIL is a framework of…

A

IT Service Delivery and Management Processes

ITIL is not a security framework but a process framework for IT Service Management

215

12
Q

Control Frameworks: ISO/IEC 27002

ISO/IEC 27002:
Information Technology - Security Techniques - Code of practice for information security controls is…

A

An international standard controls framework

ISO 27002 provides full explanations on controls
ISO 27001 is high level and includes the controls in an appendix but not in detail

216

13
Q

Control Frameworks: HIPAA

HIPAA
The Health Insurance Portability and Accountability Act establishes requirements for…

A

protecting electronic protected health information (ePHI)

216

14
Q

Control Frameworks: HIPAA

HIPAA requirements fall into 3 main categories…

A
  1. Administrative safeguards
  2. Physical safeguards
  3. Technical safeguards

216

15
Q

Control Frameworks: HIPAA

Each control within the framework is labeled as either…

A

Required or addressable

Required controls MUST be implemented
Addressable controls are considered optional if the control does not apply or the risk is negligible

216

16
Q

Control Frameworks: NIST SP 800-53

NIST SP 800-53 is one of the most…

A

well known and adopted security control frameworks

216

17
Q

Control Frameworks: NIST SP 800-53

NIST SP 800-53 is required for all…

A

US Government information systems and private industry that store or process federal government information

216

18
Q

Control Frameworks: NIST SP 800-53

NIST SP 800-53 controls are organised into 18 categories…

A
  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Security Assessment and Authorisation
  5. Configuration Management
  6. Contingency Planning
  7. Identification and Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical and Environmental Protection
  12. Planning
  13. Personnel Security
  14. Risk Assessment
  15. System and Services Acquisition
  16. System and Communications protection
  17. System and Information Integrity
  18. Program Management

216/217

19
Q

Control Frameworks: NIST SP 800-171

NIST SP 800-171 is a framework of requirements for…

A

the protection of controlled unclassified information (CUI)

Required for all information systems in private industry that store or process CUI for the federal government

217

20
Q

Control Frameworks: NIST SP 800-171

NIST SP 800-171 is organised into 13 categories…

A
  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection

217

21
Q

Control Frameworks: NIST SP 800-171

A framework of assessments and assessor certifications used to enforce compliance with NIST SP 800-171…

A

Cybersecurity Maturity Model Certification
(CMMC)

217

22
Q

Control Frameworks: NIST CSF

The NIST CSF is a risk based life-cycle methodology used for…

A

assessing risk, enacting controls, and measuring control effectiveness

217

23
Q

Control Frameworks: NIST CSF

The 3 core components of the NIST CSF…

A
  1. Framework Core
  2. Framework Implementation Tiers
  3. Framework Profile

218

24
Q

Control Frameworks: NIST CSF

The set of 5 functions within the Framework Core of the NIST CSF…

A
  1. Identify
  2. Detect
  3. Protect
  4. Respond
  5. Recover

217

25
Q

Control Frameworks: NIST CSF

5 maturity levels defined within the Framework Implementation Tiers of the NIST CSF…

A
  1. Partial
  2. Risk
  3. Informed
  4. Repeatable
  5. Adaptive

218

26
Q

Control Frameworks: NIST CSF

The Framework Profile within the NIST CSF aligns elements of the Framework Core with the organisation's…

A
  1. Business requirements
  2. Risk tolerance
  3. Available resources

218

27
Q

Control Frameworks: NIST CSF

Organisations implementing the NIST CSF first perform an assessment by measuring maturity of the Framework Core functions, i.e. Identify, Detect, Protect, Respond, Recover. The organisation then determines the maturity levels it desires to reach for each Framework Core function. The identified differences are considered…

A

gaps that need to be filled through several means:

Hiring additional resources
Training resources
Adding or changing business processes or procedures
Changing system or device configuration
Acquiring new systems or devices

218

28
Q

Control Frameworks: CIS CSC

CIS CSC - Center for Internet Security Critical Security Controls is a…

A

well-known control framework with 18 sections

218

29
Q

Control Frameworks: PCI DSS

The Payment Card Industry Data Security Standard is a control framework specifically for protecting credit card numbers and related information when…

A

stored, processed and transmitted on an organisation's network

219

30
Q

Control Frameworks: PCI DSS

The PCI DSS has 12 control objectives…

A
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

219

31
Q

Control Frameworks: PCI DSS

PCI DSS is mandatory for all organisations…

A

storing, processing, or transmitting credit card data

219

32
Q

Control Frameworks: PCI DSS

Organisations that store, process or transmit high volumes of credit card data are required to undergo…

A

annual on-site audits

219

33
Q

Information Security Management Frameworks

Information security management frameworks are business process models that include…

A

essential processes and activities needed by most organisations

219

34
Q

Information Security Management Frameworks

Information Security Management Frameworks are risk-centric because the identification of risk is a key driver for activities in other parts of the framework to…

A

reduce risk to acceptable levels

219

35
Q

Information Security Management Frameworks

ISO/IEC 27001 is a well-known international standard which defines the requirements and steps to run an…

A

Information Security Management System
(ISMS)

An ISMS is a set of processes used to assess risk, develop policy and controls, and manage all processes found in an infosec program

219

36
Q

Information Security Management Frameworks

COBIT 2019 is a…

A

controls and governance framework for managing an IT organisation

COBIT 2019 for Information Security is an additional standard that explains each component of the framework from an information security perspective

220

37
Q

Information Security Management Frameworks

The NIST CSF is an outcomes-based security management and control framework that guides an organisation in…

A
  1. Understanding its maturity levels
  2. Assessing risk
  3. Identifying gaps
  4. Developing action plans for strategic improvement

220

38
Q

Information Security Management Frameworks

ETSI CYBER Cybersecurity for SMEs Part 1: Cybersecurity Standardisation Essentials is a published document that describes a…

A

Top-down approach to developing and managing cybersecurity programs

220

39
Q

Information Security Architecture

  1. Security management frameworks describe…
  2. Control frameworks are…
A
  1. Activities in an information security program
  2. Collections of security controls

The activity might be “access management” and the controls might be “RBAC or MAC”, etc.

220

40
Q

Enterprise Architecture (EA)

A business function and a technical model which consists of activities that ensure IT systems meet important business needs

A

Enterprise Architecture
(EA)

EA may include business functions being mapped to IT environments and systems at all levels

220

41
Q

Information Security Architecture

A subset (special topic) within Enterprise Architecture concerned with the protective characteristics found in many components in an overall EA

A

Information Security Architecture

220

42
Q

Information Security Architecture

The purpose of an Enterprise Architecture and Enterprise Security Architecture is…

A
  1. All hardware and software fulfil a stated purpose
  2. Components work well together
  3. Structure and consistency in infrastructure through the organisation
  4. Infrastructure resources are used efficiently
  5. Infrastructure is scalable and flexible
  6. Elements can be upgraded as needed
  7. Elements can be added as needed

220

43
Q

Information Security Architecture

The 2 main layers that exist within Information Security Architecture

A
  1. Policy
  2. Standards

  1. Defines characteristics of the overall environment, e.g. the need for centralised authentication
  2. Defines standards to be used, e.g. specific protocols, methods of authentication, configuration and hardening, etc.

221

44
Q

Information Security Architecture

Centralised functions within an information security architecture help amplify the workforce so that a relatively small staff level can…

A

effectively manage hundreds or thousands of devices

221

45
Q

Information Security Architecture

Examples of modern information security architecture centralised functions that amplify a small staff workforce to manage devices…

A
  1. Authentication
  2. Encryption Key Management
  3. Monitoring
  4. Device Management
  5. Software Development

  1. Utilising central identity and access management services, e.g. Active Directory (AD)
  2. Centralised certificate authorities (CA)
  3. Centralised monitoring of all systems, e.g. a SIEM
  4. Centralised configuration management or distribution servers, as examples
  5. Formal architectures implemented describing the end-to-end software development environment

221