5.1 - 5.3 Flashcards
Security controls
Prevent security events, limit impact and damage
Managerial controls, with policies and standards
Operational controls with security guards and awareness programs
Technical controls with firewalls and antivirus
Control types
Preventive controls like locks, guards and firewalls
Detective controls don’t stop but just detect, like a motion detector and an IDS
Corrective controls correct something after it occurs, like an IPS blocking an attacker, backups for ransomware, backup site options for a disaster
Deterrent controls like a warning sign, a sign-in banner, lights in a building
Compensating controls restore using other means, like reimaging from backup, a hot site, backup power
Physical controls like a fence or door lock
Compliance
Can be fined if not following regs, so need to know the scope of geography
PCI DSS for credit cards
Security framework
Center for Internet Security (CIS) CSC: 20 key actions by technologists
NIST RMF for federal gov, six steps
NIST CSF cybersecurity framework: identify, protect, detect, respond and recover
ISO/IEC (International Electrotechnical Commission): ISO 27001 information security management system, ISO 27002 security controls, ISO 27701 privacy information management (PIMS), ISO 31000 detailed standards
SSAE SOC 2 Type 1/2 for security audits of firewalls, security intrusion or detection; gives a detailed security assessment of testing
Cloud Security Alliance (CSA) with the Cloud Controls Matrix (CCM)
Secure config
Guidelines for which features of which devices need to be active or inactive
Web server hardening
OS hardening
Application hardening, from app servers and their permissions, with limited access to the OS
Network infrastructure devices and changing default settings
Personnel security
Acceptable use policies to document when a rule is broken
Job rotation, separation of duties, dual control and mandatory vacation to check if a person was doing it right
Clean desk policy
Rights and permission at minimum
Background check, NDA and social media check
Gamification training
User training
Third party risk management
Vendors and risks
Supply chain
Business partners
Service level agreement (SLA), or MOU, or measurement system analysis, or business partnership agreement, or NDA
Managing data
Needs rules and regs and accountability
Data steward manages governance
Identify, label and segment data, and secure it
Data retention policy
Credential policy
CM, credential management: credentials need to reside server side, with encryption, and each user has their own personal account
Service or third party accounts that log into our network need 2FA and need segmentation with audits
Admin and root accounts offer complete access
Organizational policies
Change management to upgrade devices, which may need to be configured well so as not to cause other failures
Change control: understand scope, risk, plan, approval for change, back-out plan, and document everything
Asset management