Chapter 11 – Legal and Compliance Part II Flashcards
What are KRIs (Key Risk Indicators)?
Metrics used by an organization to inform management of impending negative impacts to operations; involves algorithms and rating systems ascribed to factors selected by analysts and management for an early-warning system.
What are KPIs (Key Performance Indicators)?
Backward-looking metrics used to gauge business-critical initiatives, objectives, or goals; measurable benchmarks against defined goals.
What is Risk Appetite/Tolerance?
How the organization views risks; senior management dictates the amount of risk an organization is willing to take.
What are Risk Profiles?
Comprehensive analysis of the possible risks to the organization; includes a survey of various operations the organization is engaged in, public perception, pending legislation, and stability of countries where the organization operates.
What are Physical Controls?
Controls governing physical access to assets that reduce the impact of a physical event; examples include locks, fire suppression, fences, and guards.
What are Technical Controls?
Also known as logical controls; controls that enhance the CIA triad; examples include encryption, ACLs, audit trails, and logs.
What are Administrative Controls?
Processes and activities that provide aspects of security; examples include background checks, scheduled log reviews, mandatory vacations, and robust security policies.
What is the Risk Management Framework (RMF)?
A structured approach to managing risk, including standards like ISO 31000:2018 and NIST SP 800-37.
What is ISO 31000:2018?
An international standard focusing on designing, implementing, and reviewing risk management processes and practices.
What is NIST SP 800-37?
A methodology for handling all organizational risk in a holistic, comprehensive, and continual manner; relies on automated solutions.
What is ENISA?
The EU Agency for Network and Information Security; responsible for producing guidelines on cloud computing security risks.
What is COBIT?
A framework for developing, implementing, monitoring, and improving IT governance and management practices.
What is ISO/IEC 31010:2009?
A standard for risk management techniques.
What are Risk Management Metrics?
A scale used to evaluate risk levels: 5 – Critical; 4 – High; 3 – Moderate; 2 – Low; 1 – Minimal.
What is ISO/IEC 15408-1:2009?
Common Criteria Assurance Framework providing assurances for security claims by vendors.
What is ISO 28000:2007?
A standard that applies to security controls in supply chains.
What is CSA STAR?
A framework for evaluating cloud providers; registry of security controls designed for vendor management.
What is CCM (Cloud Controls Matrix)?
A list of security controls and principles appropriate for cloud environments, cross-referenced to other control frameworks.
What is CAIQ (Consensus Assessments Initiative Questionnaire)?
A self-assessment by cloud providers detailing evaluation of practice areas and control groups.
What are the levels of the CSA STAR Program?
Level One: Self-Assessment; Level Two: CSA STAR Attestation; Level Three: CSA STAR Continuous Monitoring.
What is PKI?
A framework of programs, procedures, communication protocols, and public key cryptography that enables secure communication.
What is OWASP?
An international nonprofit that focuses on identifying software vulnerabilities and educating developers in secure coding practices.
What are some common software vulnerabilities identified by OWASP?
Broken Access Control; Cryptographic Failures; Injection; Insecure Design; Security Misconfiguration; Vulnerable and Outdated Components; Identification and Authentication Failures; Software and Data Integrity Failures; Security Logging and Monitoring Failures; Server-Side Request Forgery (SSRF).
What are Joint Operating Agreements?
Agreements that provide nearby relocation sites to limit disruption to the organization’s own facility.
What is the OSI Model?
A model consisting of seven layers: Physical; Data Link; Network; Transport; Session; Presentation; Application.
What is SSO?
Single Sign-On; allows a user to access multiple applications with a single set of credentials.
What is the Cross-Certification Model?
A model where every participating organization must review and approve every other organization; does not scale well.
What is FPE (Format-Preserving Encryption)?
A technique used to scramble data while keeping its structural arrangement.
What are Logging Levels?
Levels of logging: OFF > FATAL > ERROR > WARN > INFO > DEBUG > TRACE > ALL.
What does the OFF logging level do?
Turns off logging.
What does the FATAL logging level indicate?
Indicates a serious problem or corruption; the application is about to stop.
What does the ERROR logging level indicate?
Indicates an inability to access a service/file; a severe issue is stopping functions within the application.
What does the WARN logging level indicate?
Indicates an unexpected application problem.
What does the INFO logging level indicate?
Indicates normal behavior of applications.
What does the DEBUG logging level provide?
Provides detailed diagnostic information for troubleshooting.
What does the TRACE logging level capture?
Captures all details about application behavior, including events in third-party libraries.
What does the ALL logging level show?
Shows all or custom-defined logs.
What is the Management Plane?
Technology that allows an admin to remotely manage a fleet of servers and configure cloud resources.
Who is the Information Commissioner?
Responsible for enforcing the UK’s GDPR and offering advice to groups whose information is held.
What is the NIS Directive (EU 2016/1148)?
The first piece of EU-wide cybersecurity legislation; requires notification to competent authorities.
What is NIST 800-145?
The NIST definition of Cloud Computing; describes a model for enabling on-demand network access to shared computing resources.
What is NIST 800-146?
Describes cloud computing benefits and guidelines for organizations regarding opportunities and risks.
What are Functional requirements?
Performance aspects necessary for a business task; e.g., a salesperson must connect to the organization’s network remotely.
What are Nonfunctional requirements?
Aspects that are desired but not necessary for a business task; e.g., the remote connection must be secure.
What are DFDs (Data Flow Diagrams)?
Useful in systems/software engineering to establish functional requirements before technology selection.
What is Eucalyptus?
Software for building AWS-compatible private/hybrid cloud computing environments; supports multitenancy.
What is ISO/IEC 17788?
An overview of cloud computing and a set of terms and definitions.
What is NIST 500-292?
Guidance on the adoption of cloud computing into the Federal Government.
What is Metastructure?
Protocols and mechanisms that provide the interface between the infrastructure layer and other layers.
What is PRE (Proxy Re-Encryption)?
Allows a proxy to convert ciphertext encrypted under one key into an encryption of the same message under another key.
What is Software-Defined Infrastructure?
Technical computing infrastructure entirely under the control of software with no human intervention.
What is Chaos Engineering?
A method of testing software that introduces failure scenarios to verify resilience.
What is Microsoft’s Security Development Lifecycle (SDL)?
A software development process aimed at reducing security issues and vulnerabilities.
What is NIST 800-92?
Guidance on log management.
What is NIST 800-40?
Guidance on enterprise patch management planning.
What are the types of backups?
Full, Copy, Differential, Incremental.
What is a Differential backup?
Backs up all data changed since the last full backup; quicker than a full backup but uses more storage until the next full backup.
What is an Incremental backup?
Backs up data that changed since the last backup of any type; restoring data is time-consuming.