3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides. Flashcards
A network engineer runs and analyzes vulnerability assessment scans on a weekly basis per company policy. Identify this type of security control.
Administrative
Administering vulnerability assessments on an application to avoid attacks is an administrative control. Administrative controls, also known as operational controls, are mandated by organizational policy and guidelines.
Technical controls use technology to reduce vulnerabilities and exploits in a system. Firewalls, intrusion detection systems and antivirus software are examples of technical controls.
Physical security controls can be touched. Access logs, video surveillance, and security guards are all examples of physical security control implementation.
Availability is part of the CIA security triad and ensures systems are operational and available to end users.
A small office will install a new wireless access point. Options for configuration include manual mode and a step-by-step wizard. Which resource will provide guidance in setting up the new device in manual mode?
Vendor specific guide
Vendor specific guides provide instructions on how to install and securely configure hardware and software specifically for a certain vendor. The administrator would refer to a Windows firewall guide instruction.
Regulatory frameworks are based on specific laws and regulations and ensure compliance of those standards. They are highly controlled and regulated. Medical records are governed by regulatory laws.
Industry-specific frameworks are governed according to the type of product provided. Financial information is covered under industry specific standards.
A non-regulatory framework is not enforced by a law or statute. Instead, non-regulatory frameworks identify their own standards and best practices to meet company needs and be successful.
A network administrator installs a proxy to examine data and make rule-based decisions about whether to forward or refuse the request. The company adds cipher locks to the server room for security purposes. What is this an example of?
Control diversity
Control diversity includes the use of multiple control types, such as administrative, technical and physical, working together to create a layered security practice. The proxy is a technical control, while the locks are a physical control.
The use of multiple vendors is considered vendor diversity. This method increases security by adding several layers and provides defense in depth to the network.
Single layer security is the use of a single control to protect assets. Using two separate controls makes this scenario diverse.
User training teaches users new functionality as well as proper policies and procedures for company and software. Users should complete training before use of a system, to prevent incidents and understand what to do in the event of one.
A company purchases a new hardware-based firewall to install as part of a DMZ within its network. Which of the following will provide the best instruction for installation?
Vendor specific guide
Vendor specific guides provide instructions on how to install and securely configure hardware and software, specifically for a certain vendor. The firewall would be most accurately installed by using the brand’s guide.
General purpose guides help increase security in hardware and software by providing instructions to configure a system based on roles and appliance.
Regulatory frameworks are based on specific laws and regulations and ensure compliance of those standards. They are highly controlled and regulated.
User training teaches users new functionality as well as proper policies and procedures for company and software.
A software application contains sensitive transmittal information, and an end-user is taking it out in the field on a laptop. The end-user must understand how to protect and dispose of the data. Which one of the following should prepare for this?
User training
A company implements a framework using its own predefined standards and practices. Which of the following frameworks does this follow?
Non-regulatory
A non-regulatory framework is not enforced by a law or statute. Instead, non-regulatory frameworks identify their own standards and best practices to meet company needs and be successful.
Regulatory frameworks are based on specific laws and regulations and ensure compliance of those standards. They are highly controlled and regulated. Medical records are governed by regulatory laws.
Industry-specific frameworks are governed according to the type of product provided. Financial information is covered under industry-specific standards.
International frameworks are governed by international standards, laws and regulations. These statutes are implemented globally versus nationally.
A startup company adds a firewall, an IDS, and a backup system to its infrastructure. At the end of the week, they will install HVAC in the server room. The company has scheduled penetration testing every month. Which type of layered security does this represent?
Control diversity
A general practitioner has opened a new office in the area. As part of the Health Insurance Portability and Accountability Act (HIPAA), the office administrator will need to protect health and medical data based on current laws and regulations. Which framework will the administrator need to employ?
Regulatory
A risk assessment at a corporation revealed that internal processes did not follow published standards. However, the custom processes in place did follow industry best practices. Which of the following frameworks does the corporation practice?
Non-regulatory
A non-regulatory framework is not enforced by a law or statute. Instead, non-regulatory frameworks identify their own standards and best practices to meet company needs and be successful.
Regulatory frameworks are based on specific laws and regulations and ensure compliance of those standards. They are highly controlled and regulated. Medical records are governed by regulatory laws.
Industry-specific frameworks are governed according to the type of product provided. Financial information is covered under industry-specific standards.
International frameworks are governed by international standards, laws and regulations. These statutes are implemented globally versus nationally.
Company data gets leaked out to the general public, prompting the CIO to send an email to inform all employees of a mandatory operations security briefing. What is this an example of?
User training
What does the use of technical, physical, and administrative security implementation represent?
Control diversity
A security engineer conducts a penetration test against an application on the company network to assess security controls implemented on a system. What type of control diversity is this?
Administrative
Administering penetration tests on an application to avoid attacks is an administrative control. Administrative controls are mandated by company policy.
Technical controls use technology to reduce vulnerabilities and exploits in a system. Technical controls have to be administered by an individual.
Physical security controls can be touched. Gates, fire extinguishers, and proximity cards are examples of physical security controls.
Least privileged is a control management principle, in which individuals are only granted privileges and access to perform their tasks. Least privilege can reduce risk by limiting access to data otherwise not necessary to a user.
A company policy states that the IT department must conduct monthly risk assessments, to quantify and qualify risks within the organization, which include creating a plan of action and milestones. What is this an example of?
Administrative control
A network administrator installs a proxy to examine data and make rule-based decisions about whether to forward or refuse the request. The company adds cipher locks to the server room for security purposes. What is this an example of?
Control diversity
An application utilizes regulations to focus on trade standards and process improvement globally. What type of framework does this suggest is in place?
International
International frameworks are governed by international standards and are to be implemented globally versus nationally.
The National Institute of Standards and Technology framework regulates the cybersecurity risks and activities in the United States. It is part of the U.S. Department of Commerce and considered a national framework.
Regulatory frameworks are based on specific laws and regulations and ensure compliance of those standards. Medical records are governed by regulatory laws.
Industry-specific frameworks are governed according to the type of product provided. Financial information (i.e. credit card, bank account) is covered under industry-specific standards.
