CPA ISC - S1 Flashcards
What are the 5 components of NIST CSF?
- Identify
- Protect
- Detect
- Respond
- Recover
What is NIST CSF Implementation Tier 1?
- Ad Hoc
- Not integrated into organizational processes
- Cybersecurity is isolated
What is NIST CSF Implementation Tier 2?
- Cybersecurity may be isolated from organizational processes
- Organization is aware of cybersecurity
- Awareness is there but response is inconsistent
What is NIST CSF Implementation Tier 3?
- Documented policies and procedures
- Organizational risk approach
- Collaborates with and contributes to security community at large
What is NIST CSF Implementation Tier 4?
- Iterative improvements
- Cybersecurity is prioritized organization-wide
- Organization external participation is robust
What is a NIST Current Profile?
The current state of organizational risk management.
What is a NIST Target Profile?
The desired future state of organizational risk management.
What are the 5 steps to using organizational profiles?
SGCAI (Some Guy Created A I)
1. Scope of org profile
2. Gather info to prepare org profile
3. Create org profile
4. Perform gap analysis between current and target profiles
5. Implement action plan to rectify gaps
What are the 8 components of NIST Privacy?
- Identify
- Govern
- Control
- Communicate
- Protect
- Detect
- Respond
- Recover
What is NIST SP 800-53?
It is the standard for federal information security systems. This establishes controls for systems and organizations.
What was the Safe Harbor Framework and Privacy Shield in 2016?
The Safe Harbor Framework was a joint framework between the EU and USA to allow data transfer between the two more freely and legally. However, an EU court struck this down as it was not secure enough.
The Privacy Shield of 2016 was the same thing but was also struck down by an EU court.
What are examples of Primary Cardholder Data?
- Account number
- Cardholder name
- Expiration date
- Service code
What are examples of Sensitive Authentication Data for a cardholder?
- Card verification code
- Card PIN
What are the Center for Internet Security (CIS) Controls?
CIS Controls are a recommended set of actions, processes, and best practices that organizations can adopt and implement to strengthen their cybersecurity defenses.
What are the 3 CIS Controls design principles?
- Context
- Coexistence
- Consistency
CIS Control Design Principle - Context
An enhancement to the scope and practical applicability of safeguards through incorporation of examples and explanations.
CIS Control Design Principle - Coexistence
Alignment with evolving industry standards and frameworks, including NIST’s CSF 2.0 framework.
CIS Control Design Principle - Consistency
Disruption to controls users is minimized, limiting the impact on implementation groups.
What are the 3 CIS Controls Implementation Groups?
- IG1
- IG2
- IG3
IG1 (CIS)
- Small or medium-sized organizations
- Limited cybersecurity defense mechanisms
The main focus is to keep the company operational.
IG2 (CIS)
- Organizations that have IT Staff
- Various risk profiles
- Can tolerate short interruptions in service
IG3 (CIS)
- Organizations have security experts
- Breaches can cause significant damage to the public
CIS Control 1: Inventory and Control of Enterprise Assets
This control helps organizations actively track and manage all IT assets connected to a company’s IT infrastructure physically or virtually within a cloud environment.
Examples:
1. Inventory List
2. Identify devices connected to a company’s network
CIS Control 2: Inventory and Control of Software Assets
This control provides recommendations for organizations to track and actively manage all software applications so that only authorized software is installed on company devices. This control also provides guidance on finding unmanaged and unauthorized software already installed so that it can be removed and remediated.
Examples:
1. Establish Software Inventory List
2. Address Unauthorized Software
3. Allowlist Authorized Software to ensure only authorized software can be accessed or executed
CIS Control 3: Data Protection
This control helps organizations develop ways to securely manage the entire life cycle of their data, from its initial identification and classification to its disposal.
Examples:
1. Establish and maintain a data management process
2. Document data flows
3. Encrypt sensitive data in transit
CIS Control 4: Secure Configuration of Enterprise Assets and Software
This control helps organizations establish and maintain secure baseline configurations for their enterprise assets, including network devices, mobile and portable end-user devices, non-computing assets such as Internet of Things (IoT) devices, operating systems, and other corporately managed hardware or software applications.
Examples:
1. Change default configurations
2. Implement and manage a firewall on end-user devices and servers
3. Enforce remote wipe capabilities on portable end-user devices
CIS Control 5: Account Management
This control outlines best practices for companies to manage credentials and authorization for user accounts, privileged user accounts, and service accounts for company hardware and software applications.
Examples:
1. Establish SSO and MFA
2. Use unique passwords
3. Disable dormant accounts
CIS Control 6: Access Control Management System
This control expands on Control 5 Account Management by specifying the type of access that user accounts should have.
Examples:
1. Establish an access granting and revoking process
2. Centralize access controls
3. Define and maintain role-based access controls
CIS Control 7: Continuous Vulnerability Management
This control assists organizations in continuously identifying and tracking vulnerabilities within their infrastructure so that they can remediate and eliminate weak points or windows of opportunity for bad actors.
Examples:
1. Perform operating system patch management
2. Remediate detected vulnerabilities
CIS Control 8: Audit Log Management
This control establishes an enterprise log management process so that organizations can be alerted to and recover from an attack in real time.
Examples:
1. Establish and maintain an Audit Log Management Process
2. Collect Audit Logs
3. Standardize time synchronization
4. Centralize and retain audit logs
CIS Control 9: Email and Web Browser Protections
This control provides recommendations on how to detect and protect against cybercrime attempted through email or the internet by directly engaging employees.
Examples:
1. Use URL filtering
2. Block unnecessary file types
3. Restrict browser extensions
CIS Control 10: Malware Defenses
This control assists companies in preventing the installation and propagation of malware onto company assets and their network.
Examples:
1. Deploy anti-malware software
2. Enable anti-exploitation features
3. Use behavior-based anti-malware software
CIS Control 11: Data Recovery
This control establishes data backup, testing, and restoration processes that allow organizations to effectively recover company assets to a pre-incident state.
Examples:
1. Perform automated backups
2. Protect recovery data
3. Establish and maintain an isolated instance of recovery data
CIS Control 12: Network Infrastructure Management
This control establishes procedures and tools for managing and securing a company’s network infrastructure (both physical and virtual devices).
Examples:
1. Maintain a secure network architecture
2. Ensure remote devices utilize a VPN
3. Maintain architecture diagrams
CIS Control 13: Network Monitoring and Defense
This control establishes processes for monitoring and defending a company’s network infrastructure against internal and external security threats.
Examples:
1. Centralize security event alerting
2. Collect network traffic flow logs
3. Deploy port-level access control
What is a Denial of Service (DoS) Attack?
This is when the perpetrator gains access to a network and overloads it with traffic so that it is effectively rendered useless.
What is Ransomware?
This is when an attacker gains access to a system and blocks employees from accessing it, then demands payment to restore access.
CIS Control 14: Security Awareness and Skills Training
This control guides organizations in establishing a security awareness and training program to reduce cybersecurity risk.
Examples:
1. Establish a training program
2. Train employees on social engineering attacks
3. Train employees on how to report a security incident
CIS Control 15: Service Provider Management
This control helps organizations develop processes to evaluate third-party service providers that have access to sensitive data or that are responsible for managing some or all of a company’s IT functions.
Examples:
1. Establish an inventory of service providers
2. Classify service providers
3. Monitor service providers
CIS Control 16: Application Software Security
This control establishes safeguards that manage the entire life cycle of software that is acquired, hosted, or developed in-house to detect, deter and resolve cybersecurity weaknesses before they are exploited.
Examples:
1. Establish a severity rating system
2. Train developers in app security
3. Conduct app penetration testing and threat modeling
CIS Control 17: Incident Response Management
This control provides the recommendations necessary to establish an incident response management program to prepare for, detect, and respond to potential cybersecurity attacks.
Examples:
1. Designate incident personnel
2. Conduct post-incident reviews
3. Conduct routine incident response exercises
CIS Control 18: Penetration Testing
This control helps organizations test the sophistication of their cybersecurity defense system in place by simulating actual attacks in an effort to find and exploit weaknesses.
Examples:
1. Perform penetration tests
2. Remediate penetration test findings
3. Validate security measures
What are the 6 principles for a governance system?
VHDDTE - Very Healthy Dieters Do Try Everything
- Value to stakeholder
- Holistic approach
- Dynamic governance system
- Distinct governance from management
- Tailored to enterprise needs
- End-to-End governance system
What are the 3 principles for a governance framework?
CFA
- Conceptual Model
- Flexible and Open
- Aligned to Major Standards
COBIT Core Model
- Governance Objectives
- Management Objectives
What are the segments of governance objectives in the COBIT core model?
Evaluate, Direct, and Monitor (EDM)
What are the segments of management objectives in the COBIT core model?
- Align, Plan, and Organize (APO)
- Build, Acquire, and Implement (BAI)
- Deliver, Service, and Support (DSS)
- Monitor, Evaluate, and Assess (MEA)
Extensible Business Reporting Language (XBRL)
XBRL is specifically designed for exchanging financial information over the World Wide Web.
What is parity checking?
Parity checking is a method where the number of bits in the total number of bytes in a transmitted message is added up. Then, a zero or a one is added to make the parity even or odd. If and when a transmitted message is modified and the number of bits has changed, the system detects this and triggers a resending of the message.
This ultimately helps keep transmitted data safe.