5.0 - Governance, Risk, & Compliance Flashcards

1
Q

What are the three categories of Security Control?

A

• Managerial (Controls that address security design and implementation; policies)

• Operational (Controls that are implemented by people; security guards, awareness programs)

• Technical (firewalls, antivirus, etc.)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

List examples of Corrective control types?

A

• an IPS blocking an attacker

• Using backups to mitigate a ransomware infection

• A backup site when a storm hits

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

List examples of Compensating control types?

A

• re-imaging a device from backup

• A hot site

• a backup power generator

• Or, per an alternative definition, anything put in place as an easier/cheaper alternative to a better control.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Explain

GDPR

A

• General Data Protection Regulation

• Allows individuals in the EU to control what happens with their info

• Users must be aware of where data is stored and can control its export / where it goes

• “Right to be forgotten” – user requests for deletion of their data must be followed

• Every website must provide a detailed privacy policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Define

PCI DSS

A

• Payment Card Industry Data Security Standard

• A standard for protecting credit card info

• Not a set of laws or regulations, but guidelines managed by the payment card industry

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the 6 control objectives of PCI DSS?

A

• Build and maintain a secure network and systems

• Protect cardholder data

• Maintain a vulnerability management program

• Implement strong access control measures

• Regularly monitor and test networks

• Maintain an information security policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Define

Security Framework

A

• A guide for creating a security program

• Document processes

• Defines tasks and prioritizes projects

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Explain

CIS CSC

A

• Center for Internet Security Critical Security Controls for Effective Cyber Defense

• A security framework, designed to help you improve cyber defenses

• Twenty key actions (the CSCs)

• Categorized with different recommendations for different organization sizes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Explain

NIST RMF

A

• National Institute of Standards and Technology Risk Management Framework

• A security framework

• mandatory for US federal agencies, and any organization that handles federal data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Explain

NIST CSF

A

• National Institute of Standards and Technology Cybersecurity Framework

• Designed for commercial organizations; voluntary rather than mandatory.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What security frameworks are useful at an international level?

A

• ISO/IEC has several frameworks

• International Organization for Standardization / International Electrotechnical Commission

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Define

SSAE SOC 2 Type I/II

A

• an auditing standard from the American Institute of CPAs (AICPA)

• The Statement on Standards for Attestation Engagements (SSAE)

• Include several reports. The suite of reports related to security controls is SOC 2

• System and Organization Controls (SOC) Number 2

• Audit covers firewalls, intrusion detection, MFA, etc.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Difference between SOC 2 Type 1 and SOC 2 Type 2?

A

• a Type I audit tests security controls in place at a particular point in time

• a Type II audit tests controls over a period of at least six consecutive months

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Define

ISO 27001

A

• an international specification for information security management systems

• details documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action

• Organizations meeting all requirements can be certified as ISO 27001 compliant

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Define

ISO 37000

A

• international guidelines for risk management

• can be applied across a variety of industries, to any size company

• guidelines only; not requirements. There is no certification of compliance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Define

CSA

A

• Cloud Security Alliance

• A not-for-profit organization that focuses on security in the cloud

• Developed the CCM (Cloud Controls Matrix)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Define

CCM

A

• Cloud Controls Matrix

• a security framework

• Developed by CSA (Cloud Security Alliance)

• Cloud-specific security controls

• Controls are mapped to standards, best practices, and regulations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What does this stand for?

AUP

A

• Acceptable Use Policy

19
Q

Define:

Job Rotation

A

• Keep people moving between responsibilities

• No one person maintains control for long periods of time

• Benefits of cross-training, but also security as an individual is less likely to take advantage of vulnerabilities if they do not stay in one place for as long, and subsequent workers will see their work

20
Q

Define:

Mandatory Vacations

A

• Rotates others through the job to ensure that fraud is not occurring

• Rarely seen in the business world but may be important in high-security environments

21
Q

What are two examples of Separation of Duties?

A

• Split knowledge: No single person has all the details

• Dual Control: Two people must be present to perform the function

22
Q

Define:

CBT

A

• Computer-Based Training

• Automated pre-built training that users receiving

23
Q

Define

MOU

A

• Memorandum of Understanding

• Informal letter of intent; not a contract, not binding

• Often used when a contract is not possible

• Both sides agree on the contents of the memorandum

24
Q

Define

MSA

A

• Measurement Systems Analysis

• A process that assesses a measurement system, and calculates the amount of uncertainty in the measurement

• Used with quality management systems, i.e., Six Sigma

25
Q

Define

BPA

A

• Business Partnership Agreement

• Provides details when going into an agreement with a third party

• Details what the owner’s stake might be, decision-making agreements, contingency arrangements, financial contract, etc.

26
Q

Difference between EOL and EOSL?

A

• End of Life means the manufacturer stops selling a product, but may continue to update and support it

• End of Service Life means no more updates, and support is no longer available (though there may be a premium-cost support option)

27
Q

Define

Data Steward

A

• Oversees how data is used

• Manages governance process

• Ensures compliance with any applicable laws and standards

• Responsible for data accuracy, privacy, and security

• Associates sensitivity labels to the data (personal, public, or restricted)

28
Q

Describe four Risk Management Strategies

A

• Acceptance: just take the risk

• Avoidance: Stop participating in the high-risk activity entirely

• Transference: Buy insurance so the risk is carried by the insurer

• Mitigation: Decrease the risk level by adding security

29
Q

Define

Inherent Risk

A

• Risk that exists by nature of an activity in the absence of any controls

• Considers the impact and the likelihood

30
Q

Define

Residual Risk

A

• What remains of the inherent risk after current security controls are taken into consideration

31
Q

Define:

SLE

A

• Single Loss Expectancy

• park of risk assessment

• the expected monetary loss if a single event occurs

32
Q

Define:

ARO

A

• Annualized Rate of Occurrence

• part of risk assessment

• describes the expected likelihood of an event occurring

33
Q

Define

ALE

A

• Annualized Loss Expectancy

• part of risk assessment

• Multiply the ARO by the SLE to determine the ALE

34
Q

Define

MTTR

A

• Mean Time to Repair

• The time required to fix a given issue

35
Q

Define

MTBF

A

• Mean Time Between Failures

• The predicted time between outages

36
Q

Define

DRP

A

• Disaster Recovery Plan

• A step-by-step guide for resuming operations after a disaster has occurred

37
Q

Define

PIA

A

• Privacy Impact Assessment

• An assessment for any given project of how private customer data may be impacted.

• Used to determine how an organization collects, processes, stores, and shares PII.

• How will the new processes or products affect customer privacy?

• Helps in fixing privacy issues before they become a problem.

38
Q

Define

Data Minimization

A

• The principle of collecting and retaining only data that is necessary

• Required by many regulations, such as HIPAA and GDPR

• In principle, also applies to how data is used and accessed; you should only be able to access data required for the task at hand

39
Q

Define

Data Owner

A

• The person accountable / responsible for the set data

• often a senior officer

• E.g. VP of Sales owns the customer relationship data

• E.g. Treasurer owns the financial information

40
Q

Define

Data Controller

A

• Manages the purposes and means by which personal data is processed

• E.g. payroll department defines payroll amounts and timeframes

• (but they don’t necessarily process payroll, which would be done by the data processor)

41
Q

Define

Data Processor

A

• Processes data on behalf of the data controller

• Often a third-party

• E.g. Payroll company (data processor) processes payroll and stores employee information on behalf of a payroll department (the data controller)

42
Q

Define

Data Custodian / Steward

A

• Responsible for data accuracy, privacy, and security

• Associates sensitivity labels to the data

• Ensure compliance with applicable laws and standards

• Manages access rights to the data

• Implements security controls

43
Q

Define

DPO

A

• Data Protection Officer

• Responsible for the organization’s data privacy

• Sets policies, implements processes and procedures