5.0 - Governance, Risk, & Compliance Flashcards
1
Q
What are the three categories of Security Control?
A
- Managerial (Controls that address security design and implementation; policies)
- Operational (Controls that are implemented by people; security guards, awareness programs)
- Technical (firewalls, antivirus, etc.)
2
Q
List examples of corrective control types.
A
- an IPS blocking an attacker
- Using backups to mitigate a ransomware infection
- A backup site when a storm hits
3
Q
List examples of compensating control types.
A
- re-imaging a device from backup
- A hot site
- a backup power generator
- Or, per an alternative definition, anything put in place as an easier/cheaper alternative to a better control.
4
Q
Explain
GDPR
A
- General Data Protection Regulation
- Allows individuals in the EU to control what happens with their info
- Users must be aware of where data is stored and can control its export / where it goes
- “Right to be forgotten” – user requests for deletion of their data must be followed
- Every website must provide a detailed privacy policy
5
Q
Define
PCI DSS
A
- Payment Card Industry Data Security Standard
- A standard for protecting credit card info
- Not a set of laws or regulations, but guidelines managed by the payment card industry
6
Q
What are the 6 control objectives of PCI DSS?
A
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
7
Q
Define
Security Framework
A
- A guide for creating a security program
- Document processes
- Defines tasks and prioritizes projects
8
Q
Explain
CIS CSC
A
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
- A security framework, designed to help you improve cyber defenses
- Twenty key actions (the CSCs)
- Categorized with different recommendations for different organization sizes
9
Q
Explain
NIST RMF
A
- National Institute of Standards and Technology Risk Management Framework
- A security framework
- mandatory for US federal agencies, and any organization that handles federal data
10
Q
Explain
NIST CSF
A
- National Institute of Standards and Technology Cybersecurity Framework
- Designed for commercial organizations; voluntary rather than mandatory.
11
Q
What security frameworks are useful at an international level?
A
- ISO/IEC has several frameworks
* International Organization for Standardization / International Electrotechnical Commission
12
Q
Define
SSAE SOC 2 Type I/II
A
- an auditing standard from the American Institute of CPAs (AICPA)
- The Statement on Standards for Attestation Engagements (SSAE)
- Includes several reports; the suite of reports related to security controls is SOC 2
- System and Organization Controls (SOC) Number 2
- Audit covers firewalls, intrusion detection, MFA, etc.
13
Q
Difference between SOC 2 Type 1 and SOC 2 Type 2?
A
- a Type I audit tests security controls in place at a particular point in time
- a Type II audit tests controls over a period of at least six consecutive months
14
Q
Define
ISO 27001
A
- an international specification for information security management systems
- details documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action
- Organizations meeting all requirements can be certified as ISO 27001 compliant
15
Q
Define
ISO 37000
A
- international guidelines for risk management
- can be applied across a variety of industries, to any size company
- guidelines only; not requirements. There is no certification of compliance.
16
Q
Define
CSA
A
- Cloud Security Alliance
- A not-for-profit organization that focuses on security in the cloud
- Developed the CCM (Cloud Controls Matrix)
17
Q
Define
CCM
A
- Cloud Controls Matrix
- a security framework
- Developed by CSA (Cloud Security Alliance)
- Cloud-specific security controls
- Controls are mapped to standards, best practices, and regulations