Chapter 5 - Governance, Risk, and Compliance Flashcards
Managerial Controls
Controls that address security design and implementation
Security policies, standard operating procedures
Operational Controls
Controls that are implemented by people
Security guards, awareness programs
Technical Controls
Controls implemented by systems
Operating systems, firewalls, anti-virus
Control Type - Preventative
Physically control access
Door lock, security guard, firewall
Control Type - Detective
May not prevent access but identifies and records any intrusion attempt
Motion detector, IDS/ IPS
Control Type - Corrective
Designed to mitigate damage
IPS - block an attacker, Backups - mitigate a ransomware infection, Backup site - can provide options when a storm hits
Control Type - Deterrent
May not directly prevent access but discourages intrusion attempts
Warning signs, login banner
Control Type - Compensating
Doesn’t prevent an attack but can restore using other means
Re-image or restore from backup, hot site, backup power system, generator
Control Type - Physical
Real-world security
Fences, locks, man traps
Security Controls
Prevent security events, minimize the impact, and limit the damage
General Data Protection Regulation (GDPR)
A set of rules and regulations that allows someone in the EU to control what happens with their private information
Name, address, photo, email, bank
Controls export of personal data and can decide where it goes
National, Territory, or State Laws
Payment Card Industry Data Security Standard (PCI DSS)
A standard for protecting credit cards and transactions
Objectives: build/maintain a secure network and systems, protect cardholder data, maintain vulnerability management program, implement strong access control, regularly monitor, information security policies
Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (CSC)
Improves security posture of organization
Has 20 key actions and is designed for implementation
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
Mandatory for US federal agencies and organizations that handle federal data
Six step process: categorize, select, implement, assess, authorize, monitor
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
A voluntary commercial implementation framework
Framework core - identify, protect, detect, respond, recover
Framework implementation tiers - view of and process for handling risk
Framework profile - standards, guidelines, and practices of core
International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC)
27001/ 27002/ 27701/ 31000
ISO/ IEC 27001 - standard for information security management systems (ISMS)
ISO/ IEC 27002 - Code of practice for information security controls
ISO/ IEC 27701 - Privacy information Management systems (PIMS)
ISO 31000 - International standards for risk management practices
SSAE SOC 2 Type I/II
American Institute of Certified Public Accountants auditing standard
SOC 2 - Trust services criteria (security controls)
Type I Audit - Tests controls in place at a particular point in time
Type II Audit - Tests controls over a period of at least six consecutive months
Cloud Security Alliance (CSA)
Security in cloud computing
Not-for-profit organization
Cloud Control Matrix
Cloud-specific security controls
Controls are mapped to standards, best practices, and regulations
Reference Architecture
Methodology and tools, assessing internal organization, security capabilities, and building a road map
Platform/ Vendor-specific Hardening Guides
Guides that are specific to the software and platform
Get feedback from manufacturer or internet interest group
Web Server Hardening Guide
Provides information on how to prevent data leakage and server access, what permissions the server should run on, configuring SSL, and monitoring/ reporting on access logs
Operating System Hardening Guide
Provides latest OS updates/ service packs, user account limitations and password complexity/ length, and how to control network access and security
Application Server Software
Middleware - between web server and database
Disables all unnecessary devices, updates security patches, and limits access and rights
Network Infrastructure Devices
Switches, routers, firewalls, IPS, etc.
Purpose-built devices, configure authentication, and check with manufacturer for known updates
Acceptable Use Policy
Detailed documentation of acceptable use of a company's assets
Used by an organization to limit legal liability
Job Rotation
Keep people moving between responsibilities so no one person maintains control for long periods of time
Mandatory Vacation
Rotate others through the job to make sure everything is operating correctly
Not used often but especially important in high-security environments
Separation of Duties
Split knowledge - No one person has all of the details
Example: half of a safe combination
Dual control - two people must be present to perform a task
Example: two keys opening a safe (or launch missile)
Least Privilege
Rights and permissions set to the bare minimum so a user only has the exact access needed to perform an objective
Clean Desk Space
Whenever leaving the desk, no important information is left on the desk
Background Checks
Pre-employment screening to verify the applicant's claims, discover criminal history, workers' compensation claims
Non-disclosure Agreements (NDA)
Confidentiality agreement where both sides decide what information can be shared and what information should be kept private
Social Media Analysis
Gathering information from social media platforms to be able to see what the potential employee is like outside of a professional atmosphere
Onboarding
Bring a new person into the organization
IT agreements need to be signed, create accounts, provide hardware
Offboarding
Someone leaving the organization in a pre-planned way
Returning of hardware, access of data, deactivate accounts
User Training
Helps the user operate the system efficiently by learning, executing, and implementing policies
Gamification
Train while giving people points, competing with others, and collecting badges
Capture the Flag
Security competition where someone hacks into a system in order to steal the flag and create simulations
Phishing Campaigns
A scam that impersonates a reputable person or organization with the intent to steal credentials or sensitive information
Phishing Simulations
Send simulated emails/ make vishing calls
See which users are susceptible and need additional training
Computer-based Training (CBT)
Automated pre-built training to do on your own time
What I am doing now
Role-based Training
Specialized training tailored to each user's unique security responsibilities
Third Party Risk Management - Vendors
Important company data is shared
Perform a risk assessment for each vendor and use contracts
Payroll, travel, raw material, customer relations
Third Party Risk Management - Supply Chain
The system involved when creating a product
Perform a supply chain assessment
Organizations, people, activities, and resources
Third Party Risk Management - Business Partners
Closer to data than a vendor
Involves communication over trusted connection
Service Level Agreement (SLA)
Sets a minimum set of service terms for a particular service or product
Between customers and service providers
uptime, response time agreement
Memorandum of Understanding (MOU)
Memo sent between two different parties so that they understand what the requirements might be for a particular business process
Measurement Systems Analysis (MSA)
Provides a way for a company to evaluate and assess the quality of the process used in their measurement systems
Business Partnership Agreement (BPA)
A legally binding document that determines the roles and responsibilities between two individuals or entities acting as business partners
End of Life (EOL)
When a manufacturer stops selling a product but may still support the product
Security patches, updates
End of Service Life (EOSL)
When a manufacturer stops selling and supporting the product
Security patches, updates
May be able to pay a premium fee to get a security patch or update
Data Classification
Identify data types - use and protect data efficiently
Personal, public, restricted, etc.
Data Governance
Rules, processes, and accountability associated with an organization’s data - data is used in the right ways
Data steward
Data Retention
Keep files that change frequently for version control
Corporate tax information, customer PII, tape backups, etc.
Credential Management
All that stands between the outside world and all of the data
Everything needs to reside on the server and not the client
Encryption
Personnel Accounts
An account on a computer associated with a specific person
Storage and files can be private to that user
Third-party Accounts
Access to external third-party systems
Cloud platforms for payroll, enterprise resource planning, etc.
Device Accounts
Access to devices
Mobile devices
Mobile Device Manager
Service Accounts
Used exclusively by services running on a computer
No interactive/ user access
Web server, database server, etc.
Administrator/ Root Accounts
Elevated access to one or more systems
Complete access to operating system
Manage hardware, drivers, and software installation
Change Management
How to make a change
Upgrade software, change firewall configuration, modify switch ports
Have clear policies
Frequency, duration, installation process, fallback procedures
Change Control
A formal process for managing change
Avoid downtime, confusion, and mistakes
Asset Management
Identifying and tracking computing assets - hardware and data
Respond quickly to security problems
Who, what, and where
Risk Assessment
Identifying assets that could be affected by an attack as well as the threats that could affect those assets and the amount of risk of the attack
External Threats
Outside the organization
Hacker, former employee
Internal Threats
Inside the organization
Employees, partners
Legacy Systems
Outdated or older technologies that may not be supported by the manufacturer or may not have security updates
Multiparty Risks
Breaches involving multiple parties
Personal information held by an organization for customers
Intellectual Property (IP) Theft
Theft of ideas, inventions, and creative expressions
Human error, hacking, employees with access
Software Compliance/ Licensing
The process of ensuring that your company is only using software it is authorized to use
Not too many licenses and not too few licenses
Risk Management Strategy - Acceptance
Not making changes and taking the risk
Risk Management Strategy - Avoidance
Stop participating in a high-risk activity
Risk Management Strategy - Transference
Buying some cybersecurity insurance - helps financially if a threat occurs
Cybersecurity Insurance
Helps an organization pay for any financial losses they may incur in the event of a cyberattack or data breach
Risk Management Strategy - Mitigation
Decrease the risk level by investing in security systems
Risk Register
Document used as a risk management tool
Applies possible solutions to the identified risks
Monitors the results
Risk Matrix/ Heat Map
Visually represents the risk assessment using colors to help make strategic decisions
Combines the likelihood of an event with the potential impact
Risk Control Assessment
After determining risks we need to build and maintain security systems based on the requirements
Risk Control Self-assessment
A procedure for assessing and examining operational hazards and the efficacy of risk management controls
Risk Awareness
Having an understanding of what risks exist, what impact they can have, and how to deal with them, but also constantly keeping an open eye for new risks
Inherent Risk
Risk that exists in the absence of security controls
Impact + likelihood
Residual Risk
Inherent risks combined with the effectiveness of security controls
Inherent risk + control effectiveness
Control Risk
Define methods, procedures, technologies, or other measures that can help the organization mitigate the risks
Risk Appetite
How much risk an organization is willing to take
Regulations That Affect Risk Posture
Protection of personal information, disclosure of information breaches
HIPAA, GDPR
Risk Assessment - Qualitative
Identifying significant risk factors and displaying visually with a traffic light grid or similar method
Red, yellow, green
Risk Assessment - Quantitative
Method using measurable, objective data to determine an asset's value, the probability of loss, and other associated risks
Likelihood of Occurrence
How likely it is that something will happen
ARO
Impact
How much something happening will affect the organization
Life, property, safety, finance, and reputation
Asset Value
The value or amount spent on a singular asset
Computer = $1,000
Single-loss Expectancy (SLE)
Describes how much money an organization is going to lose if that single event occurs
If a computer that costs $1,000 is lost, the SLE is $1,000
Annualized Loss Expectancy (ALE)
ARO x SLE
ARO = 7, SLE = $1,000; 7 x 1,000 = $7,000 (ALE)
Annualized Rate of Occurrence (ARO)
Describes the likelihood of an attack or disaster occurring per year
Disasters - Environmental Threats
Tornadoes, hurricanes, earthquakes, or severe weather
Disasters - Person-made Threats
Created by a person
Human-intent, negligence, or error
Arson, crime, civil disorder, fires, riots, etc.
Disasters - Internal
Threats from employees or partners
Disasters - External
Threats from outside the organization
Recovery Time Objective (RTO)
How long it would take to get back up and running to a particular service level
Do not need to reach complete recovery but need to get to a certain point
Recovery Point Objective (RPO)
Set an objective to meet a certain set of minimum requirements to get a system up and running
Part of it may be available but part of it may be unavailable
Mean Time to Repair (MTTR)
Time required to fix the issue
Mean Time Between Failures (MTBF)
Predicting the time between failures or outages
Functional Recovery Plans
A set of processes and procedures that can take us from the very beginning of solving the issue all the way through to getting back up and running - step-by-step guide
Contact information, technical processes, recovery and testing
Single Point of Failure
A part of a system that, if it fails, will stop the entire system from working
Disaster Recovery Plan (DRP)
Detailed step-by-step plan for resuming operations after a disaster has occurred
Application, data center, building, campus, region, etc.
Mission Essential Functions
Functions that are the most essential to an organization depending on the type of disaster that occurred
Identification of Critical Systems
Identifying critical systems that are the most essential to an organization depending on the type of disaster that occurred
Site Risk Assessment
Assessments that have been adapted to a specific site, and only contain relevant information for that particular project
Applications, personnel, equipment, work environment
Consequences - Reputation Damage
Opinion of the organization becomes negative, which in turn can have an impact on products, services, and stock price
Consequences - Identity Theft
Company or customer information becomes public
Consequences - Fines
Can be fined if someone's PII becomes available due to the company's fault
Consequences - IP Theft
Stealing company secrets that could make them go out of business
Internal Escalation
Providing an escalation process for when internal employees find breaches
External Escalation
Providing an escalation process for when a breach is too difficult to find or manage - ask a third party
Public Notifications and Disclosures
Informing the public of a previous breach so they can be aware before it happens to them
Data Types - Public
No restrictions on viewing the data - everyone can see it
Data Types - Private
Restricted access for viewing the data - must be authorized
Might require NDA
Data Types - Sensitive
Intellectual property, PII, PHI
Data Types - Confidential
Very sensitive - must be authorized to view
Data Types - Critical
Data should always be available
Processes we use in the organization or public
Data Types - Proprietary
Information that is private and the property of an organization
Trade secrets
Data Types - Personally Identifiable Information (PII)
Data that can be used to identify an individual
Name, DOB, biometric information, etc.
Data Types - Protected Health Information (PHI)
Health information associated with an individual
Health status, health insurance, health records
Data Types - Financial Information
Internal company financial information
Customer financial details
Data Types - Government Data
Open data that is transferred between government entities
May be protected by law
Data Types - Customer Data
Data associated with customers
Could be user-specific details
Data Minimization
Only collecting data that would be used to perform the necessary function
HIPAA, GDPR
Data Masking
Hide some of the original data
Data obfuscation
Bank card ****2671
Tokenization
Replacing sensitive data with a non-sensitive placeholder
SSN - 226-12-1112 is now SSN 691-61-8539
Anonymization
Make it impossible to identify individual data from a dataset
Pseudo-anonymization
Replacing personal information with pseudonyms
Random replacement
James Messer -> Jack O’Neill -> Sam Carter -> Daniel Jackson
Data Owners
Person who is responsible for a certain set of data
Treasurer owns financial data
Data Controller
Manages the purposes and means by which personal data is processed
Payroll department
Data Processor
Processes the data on behalf of the data controller
Often a third party
Payroll company
Data Custodian/ Steward
Responsible for data accuracy, privacy, and security of data
Set labels to the data
Laws and regulations
Access rights
Data Protection Officer (DPO)
Responsible for the organization’s privacy
Policies, implements processes and procedures
Information Lifecycle
Creation and receipt - create data internally/receive data externally
Distribution - records are sorted and stored
Use - business decisions, create products and services
Maintenance - ongoing data retrieval and transfers
Disposition - Archiving or disposal of data
Privacy Impact Assessment (PIA)
Understanding how processes and products will affect the privacy of an organization's customers or data
New projects, initiatives, systems, processes, strategies, policies, business relationships, etc.
Terms of Agreement
A set of legal conditions used to ensure that all parties involved in a contract or transaction understand the responsibilities and obligations of each party
Privacy Notice
Documents the handling of personal data
Provides additional data options and contact information