CCSA Training Flashcards
Framework Profile represents
Represents the outcomes based on business needs an organization has selected from the Framework Categories and Subcategories.
Current Profile
Indicates the cybersecurity outcomes that are currently being achieved.
Target Profile
Indicates the outcomes needed to achieve the desired cyber security risk management goals
What are the tiers of Framework implementation?
- Partial
- Risk Informed
- Repeatable
- Adaptive
Partial (Risk Management Process)
Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
Partial (Integrated Risk Management Program)
There is limited awareness of cybersecurity risk at the organizational level, and an organization-wide approach to managing cybersecurity risk has not been established.
Partial (External Participation)
The organization is usually unaware of the cyber supply chain risks of the products and services it provides and that it uses.
Risk Informed (Risk Management)
Prioritization of cyber security is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Risk Informed (Integrated Risk Management Program)
Cyber security is shared within the organization on an informal basis.
Risk Informed (External Participation)
The organization collaborates with and receives some information from other entities and generates some of its own information, but may not share information with others.
Repeatable (Risk Management Process)
Organizational cyber security practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
Repeatable (Integrated Risk Management Program)
Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed.
Repeatable (External Participation)
It collaborates with and receives information from other entities regularly that complements internally generated information, and shares information with other entities.
Adaptive (Risk Management Process)
The organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators
Adaptive (Integrated Risk Management Program)
The organization can quickly and efficiently account for changes to business/mission objectives in how risk is approached and communicated.
Adaptive (External Participation)
The organization understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community’s broader understanding of risks.
Functions
Organize basic cybersecurity activities at their highest level.
Categories
Are the subdivisions of a function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
Subcategories
Further divide a category into specific outcomes of technical and/or management activities.
Informative References
Are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each subcategory.
5 Functions of the Cybersecurity Framework Core
- Identify
- Protect
- Detect
- Respond
- Recover
Identify
Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities
Protect
Develop and implement appropriate safeguards to ensure delivery of critical services
Detect
Develop and implement appropriate activities to identify the occurrence of a cybersecurity event
Respond
Develop and implement appropriate activities to take action regarding a detected cybersecurity incident
Recover
Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
NIST Cybersecurity Framework components
- Framework Core: Functions, Categories, Subcategories, and Informative References
- Implementation Tiers
- Framework Profiles
Two types of profiles
Current and Target
Framework Core Structures
Functions are divided into Categories, Categories are divided into Subcategories, and each Subcategory is mapped to Informative References.
Framework Functions
Identify ID, Protect PR, Detect DE, Respond RS, and Recover RC
Identify categories
Asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management
Protect categories
Identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
Detect categories
Anomalies and events, security continuous monitoring, and detection processes
Respond categories
Response planning, communications, analysis, mitigation, and improvements
Recover categories
Recovery planning, improvements, and communications
CEA
Cybersecurity Enhancement Act of 2014
CIS
Center for Internet Security
COBIT
Control Objectives for Information and Related Technology
CSC
Critical Security Control
DHS
Department of Homeland Security
EO
Executive Order
IEC
International Electrotechnical Commission
IR
Interagency Report
ISO
International Organization for Standardization
OT
Operational Technology
RFI
Request for Information
RMP
Risk Management Process
SCRM
Supply Chain Risk Management
SP
Special Publication
DoD
Department of Defense
How many Domains are in CMMC (CMMC 1.0)?
17
DIB
Defense Industrial Base
How many levels are there in CMMC (CMMC 1.0)?
5
CMMC
Cybersecurity Maturity Model Certification
DFARS
Defense Federal Acquisition Regulation Supplement
CUI
Controlled Unclassified Information
Definition of CMMC
Certification process that measures DIB sector company’s ability to protect FCI and CUI.
FCI
Federal Contract Information
CMMC Model Framework
Models consists of domains, domains consist of capabilities, and capabilities consist of practices and processes
How many capabilities are in CMMC (CMMC 1.0)?
43
Level 1 of CMMC process
Performed
Level 1 Practices of CMMC?
Basic Cyber Hygiene
Level 2 of Processes (CMMC)
Documented
CMMC Level 2 Practices
Intermediate Cyber Hygiene
CMMC Level 3 Processes
Managed
CMMC Level 3 Practices
Good Cyber Hygiene
CMMC Level 4 Processes
Reviewed
CMMC Level 4 Practices
Proactive
CMMC Level 5 Processes
Optimizing
CMMC Level 5 Practices
Advanced/Progressive
Level 1 focuses on
The protection of FCI, and consists only of practices that correspond to the specified basic safeguarding requirements
Level 2 requires
An organization to establish and document practices and policies to guide the implementation of its CMMC efforts
Level 3 requires
An organization to establish, maintain, and resource a plan demonstrating the management of activities for practice implementation
Level 3 focuses on
The protection of CUI
Level 4 requires
An organization to review and measure practices for effectiveness
Level 4 focuses on
The protection of CUI from advanced persistent threats (APTs), and encompasses a subset of enhanced security requirements
Level 5 requires
An organization to standardize and optimize process implementation across the organization
Level 5 focuses on
The protection of CUI from advanced persistent threats (APTs)
CMMC Domain 1
Access Control
CMMC Domain 2
Asset Management
CMMC Domain 3
Audit and Accountability
CMMC Domain 4
Awareness and Training
CMMC Domain 5
Configuration Management
CMMC Domain 6
Identification and Authentication
CMMC Domain 7
Incident Response
CMMC Domain 8
Maintenance
CMMC Domain 9
Media Protection
CMMC Domain 10
Personnel Security
CMMC Domain 11
Physical Protection
CMMC Domain 12
Recovery
CMMC Domain 13
Risk Management
CMMC Domain 14
Security Assessment
CMMC Domain 15
Situational Awareness
CMMC Domain 16
System and Communications Protection
CMMC Domain 17
System and Information Integrity
C###
Capability number ###
CERT
Computer Emergency Response Team
CFR
Code of Federal Regulations
CNSSI
Committee on National Security Systems Instruction
CSF
Cybersecurity Framework
CSP
Credential Service Provider
CVE
Common Vulnerabilities and Exposures
DNS
Domain Name System
FAR
Federal Acquisition Regulation
FCI
Federal Contract Information
FIPS
Federal Information Processing Standards
ISCM
Information Security Continuous Monitoring
L#
Level number #
MA
Maintenance
ML
Maturity Level
ML#
Maturity Level number #
MP
Media Protection
N/A
Not Applicable
NAS
National Aerospace Standard
NCSC
National Cyber Security Standard
NCSC
National Cyber Security Centre
NISTIR
NIST Interagency Report
OUSD(A&S)
Office of the Under Secretary of Defense for Acquisition and Sustainment
TTP
Tactics, techniques, and procedures
UK
United Kingdom
URL
Uniform Resource Locator
US
United States
VoIP
Voice over Internet Protocol
Vol
Volume
NIST SP 800-171 R2 Purpose
To provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when it resides in nonfederal systems and organizations
NIST SP 800-171 Target Audience
Public and Private sectors
CUI Definition
Unclassified information that must be safeguarded by implementing a uniform set of requirements and information security controls directed at securing sensitive government information
Basic security requirements
Obtained from FIPS 200, which provides the high-level and fundamental security requirements for federal information and systems
Derived security requirements
Supplement the basic security requirements; taken from the security controls in SP 800-53
How many requirement families are there in NIST SP 800-171?
14
What are the 14 families?
Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity
CSIRT responsible for?
Providing incident response services to part or all of an organization.
CSIRT
Computer Security Incident Response Team
Incident Response Plan provides
The roadmap for implementing the incident response capability
SOP
Standard Operating Procedures
SOP Definition
A delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team
Outside parties the Incident Response Team communicates with
Law enforcement agencies, software and support vendors, customers, constituents and media, other incident response teams, Internet service providers, and incident reporters
Incident Response Life Cycle
Preparation, Detection & Analysis, Containment Eradication & Recovery, and Post-Incident Activity
Functional Impact: None
No effect to the organization's ability to provide all services to all users
Functional Impact: Low
Minimal effect; the organization can still provide all critical services to all users but has lost efficiency
Functional Impact: Medium
Organization has lost the ability to provide a critical service to a subset of system users
Functional Impact: High
Organization is no longer able to provide some critical services to any users
Sections of a Risk Assessment Report
Scope of Risk Assessment, Asset Inventory, Threats, Vulnerabilities, Risk Evaluation, Risk Treatment, Version History, and Executive Summary
Risk Assessment Process
- Prepare for Assessment
- Conduct the Assessment
- Communicate results
- Maintain Assessment
Vulnerability Assessment
Process of identifying, quantifying and prioritizing the security issues in a system or network.
Issues to look for
Data Access vulnerabilities and Network Access vulnerabilities
4 ways to address a risk
Eliminate the risk, Reduce the risk to an acceptable level, Transfer the risk to a third-party, and to Accept the risk
Vulnerability Scan
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
Internal Vulnerability Scans
Perform quarterly internal scans and rescans as needed until all "high" risk vulnerabilities are resolved
External Vulnerability Scans
Perform rescans as needed until passing scans are achieved
Wireless Assessment
Implement processes to test for the presence of wireless access points, and detect and identify all authorized and unauthorized wireless access points on a quarterly basis
Penetration Testing main objective
To determine security weaknesses
External Penetration Testing Goal
To gain unauthorized elevated access to an externally accessible system
Web Application Penetration Testing Goal
To gain anonymous access to authenticated sections of the application, and to gain access to other clients' data within the application
Penetration Testing goals
Determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, and logs
Penetration Test Frequency
Perform penetration testing at least annually and after any significant infrastructure or application upgrade or modification
Exploitable Vulnerabilities
Found during penetration testing must be reviewed and corrected
Detect and Prevent Intrusions
Intrusion-detection and/or intrusion-prevention techniques used to detect or prevent intrusions into the network
Change-Detection Mechanism
To alert personnel to unauthorized modification of critical system files, configuration files, or content files
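A minimal change-detection mechanism of the kind described above, written as an added example (not code from the source page or from any product): it baselines a SHA-256 digest, size and permission bits for every regular file under a directory, then compares a later snapshot and reports added, removed and modified paths. The directory tree, file contents and "tampering" in `demo()` are constructed for the example; on a real host you would point `snapshot()` at the web root and configuration directories and keep the baseline JSON somewhere an attacker on that host cannot rewrite.

```python
"""Change-detection (file-integrity monitoring) for critical files.

Added example; not from the source page or any product. Baselines SHA-256,
size and permission bits for every regular file under a directory, then
compares a later snapshot and reports added, removed and modified paths.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large content files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to digest, size and mode bits."""
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            entries[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return entries


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; a changed digest, size or mode all count as modified."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "index.html").write_text("<h1>shop</h1>\n")
        baseline = snapshot(root)
        baseline_json = json.dumps(baseline)  # what you would store off-host

        # Simulated unauthorized changes: a weakened config, injected web
        # content, a dropped web shell and a deleted file.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "index.html").write_text('<h1>shop</h1><script src="//x/y.js"></script>\n')
        (root / "shell.php").write_text("<?php system($_GET['c']); ?>\n")
        (root / "etc" / "hosts").unlink()

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the baseline: if the attacker can edit the stored snapshot, every change looks authorized. Keep it on a separate system or sign it, and run the check from a schedule the monitored host does not control.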
Firewalls
Devices that control the traffic allowed between an entity's networks and untrusted networks, as well as traffic into and out of more sensitive areas within an entity's internal trusted networks
DMZ
Demilitarized Zone
Information Security Policies
Develop, secure management approval for, publish, and communicate an information security policy, and train all members of the workforce on it
Review of the Policies for Information Security
Policies are reviewed and evaluated periodically, and whenever changes within the facility affect a particular approved policy statement
Organization of Information Security
Information security roles and responsibilities, segregation of duties, contact with authorities and Contact with special interest groups, and Information security in project management
Mobile device policy
Develop specific policies, plans, and procedures to address members of the workforce who use mobile devices
Risk Assessment
Conduct an accurate and thorough assessment of risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of sensitive information, including PII
Risk Management (technical vulnerabilities)
Obtain timely information about technical vulnerabilities of the information systems being used
Risk Management definition
A defined timeline for reacting to notifications of potentially relevant technical vulnerabilities
Breach notification
Establish a formal information security event reporting procedure
Information Security Incident Management
Implement training that augments the certification or other qualifications of workforce members and use tools so as to strengthen the value of preserved evidence.
ISO 27001 Annex A.10
Cryptography
Cryptography Objective
To ensure proper and effective use of cryptography to protect the CIA of information
ISO 27001 Annex A.10.1
Cryptographic Controls
Cryptographic Controls Objective
To protect the CIA of information by cryptographic means
ISO 27001 Annex A.18.1.5
Regulation of Cryptographic Controls
Regulation of Cryptographic Controls Objective
To avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security and of any security requirements
Protect stored Cardholder Data
Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection
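The four protection methods above are not interchangeable, and the card does not say why. This added example (not from the source page) implements truncation, display masking, an unkeyed hash and a keyed hash for a PAN, then shows the practical problem with the unkeyed hash: when the truncated form of the same PAN is also stored (first six and last four digits), only the six middle digits are unknown, and `recover_from_unkeyed_hash` gets the full PAN back by enumerating them. The test PAN 4111111111111111 is a well-known test number, not real cardholder data, and the 32-byte HMAC key is a constructed placeholder.

```python
"""Cardholder-data protection methods: truncation, masking and hashing.

Added example; not from the source page. Demonstrates why an unkeyed hash
is not a safe protection method for a PAN whose truncated form is also
stored, and how an HMAC under a secret key removes that brute-force path.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test that every valid PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Storage truncation: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_for_display(pan: str) -> str:
    """Display masking: show only the last four digits on screens and receipts."""
    return "*" * (len(pan) - 4) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: deterministic and brute-forceable (see below)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key; the search below fails without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_from_unkeyed_hash(truncated: str, digest: str) -> Optional[str]:
    """Given the truncated PAN and an unkeyed hash of the same PAN, enumerate
    the missing middle digits (10**6 for a 16-digit PAN; the Luhn filter
    discards ~90% before hashing) and return the full PAN on a match."""
    prefix, suffix = truncated[:6], truncated[-4:]
    missing = len(truncated) - 10
    for n in range(10 ** missing):
        candidate = f"{prefix}{n:0{missing}d}{suffix}"
        if luhn_valid(candidate) and unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"                 # well-known test PAN, not a real card
    key = secrets.token_bytes(32)            # constructed key; keep real keys in an HSM/KMS
    print("truncated :", truncate(pan))
    print("masked    :", mask_for_display(pan))
    print("recovered :", recover_from_unkeyed_hash(truncate(pan), unkeyed_hash(pan)))
    print("keyed hash:", keyed_hash(pan, key), "(not recoverable without key)")
```

The same reasoning applies to salted-but-unkeyed hashes: a per-record salt stops precomputed tables but not the per-record enumeration above, since the salt is stored next to the digest. The key for the HMAC has to be kept out of the database that holds the digests and truncated PANs, otherwise the two stores together reconstitute cardholder data.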
Encrypt Transmission
Encrypt transmission of sensitive data across open, public networks
NIST offers
Guidance for encrypting data at rest and in transit
Encryption
The conversion of data into a form that cannot be read without the decryption key or password.
Two addressable implementation specifications (IS) related to encryption?
Access Control Standard & Transmission Security Standard
Purpose of Encryption Policy
To implement a mechanism to encrypt sensitive information in transit, storage, use, or processing, whenever deemed appropriate
Encryption Policy
Evaluate the need for and use of encryption to maintain the confidentiality and integrity of sensitive information being transmitted, stored, used, or processed