1B: Compare and Contrast Security Control and Framework Types Flashcards
After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which of the following security controls does this update address?
Corrective
What cyber security framework (CSF) focuses exclusively on IT security, rather than IT service provisioning?
National Institute of Standards and Technology (NIST)
The _____ requires federal agencies to develop security policies for computer systems that process confidential information.
Computer Security Act (1987)
The ____ mandates the implementation of risk assessments, internal controls and audit procedures. This act is not for any specific entity.
Sarbanes-Oxley Act (2002)
The _____ governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program.
Federal Information Security Management Act (2002)
The ______ is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.
Gramm-Leach-Bliley Act (1999)
The IT department head returns from an industry conference feeling inspired by a presentation on the topic of cybersecurity frameworks. A meeting is scheduled with IT staff to brainstorm ideas for deploying security controls by category and function throughout the organization. What ideas are consistent with industry definitions?
- Deploy a technical control to enforce network access policies.
- Schedule quarterly security awareness workshops as a preventive control to prevent social engineering attacks.
- Deploy agents to file servers to perform continuous backups to cloud storage as a corrective control to mitigate the impact of malware.
What is a technical control?
A technical control is enforced by computer hardware and software, such as an access control list (ACL) configured on a network firewall.
What is an operational control?
Operational controls are categorized as those performed by people, such as security guards.
What is a preventive control?
A preventive control such as user education and training is one that eliminates or reduces the likelihood of an attack before it can take place.
What is a corrective control?
A corrective control such as backup is used following an attack to eliminate or mitigate its impact.
What is a managerial control?
Monitoring of risk and compliance is a type of managerial control.
A company has an annual contract with an outside firm to perform a security audit on their network. The purpose of the annual audit is to determine if the company is in compliance with their internal directives and policies for security control. Which broad class of security control accurately describes the purpose of the audit?
Managerial
You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
It is a technical type of control (implemented in software) and acts as a preventive measure.
A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
It would be classed as a physical control and its function is both detecting and deterring.
A firewall appliance intercepts a packet that violates policy. It automatically updates its Access Control List to block all further packets from the source IP. What THREE functions are the security control performing?
Detective, corrective, and preventative.
If a security control is described as operational and compensating, what can you determine about its nature and function?
That the control is enforced by a person rather than a technical system, and that the control has been developed to replicate the functionality of a primary control, as required by a security standard.
What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
Non-repudiation
What is CIS?
Center for Internet Security
A not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations).
What is Cloud Security Alliance?
Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.
What is a compensating control?
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
What is a corrective control?
A type of security control that acts after an incident to eliminate or minimize its impact.
What is a detective control?
A type of security control that acts during an incident to identify or record that it is happening.
What is a deterrent control?
A type of security control that discourages intrusion attempts.