Cyber Threat Management - Module 1 Flashcards
What is a data owner?
A person who ensures compliance with policies and procedures, assigns the proper classification to information assets, and determines the criteria for accessing information assets.
What is a data controller?
A person who determines the purpose for which and the way in which personal data is processed.
What is a data processor?
A person or organization that processes personal data on behalf of the data controller.
What is a data custodian?
A person who implements the classification and security controls for the data in accordance with the rules set out by the data owner. Responsible for the technical control of the data.
What is a data steward?
A person who ensures that data supports an organizations business needs and meets regulatory requirements.
What is a data protection officer?
a person who oversees an organization’s data protection strategy.
What 5 things go into a cybersecurity policy?
An organization’s commitment to security.
Sets standards of behavior and security requirements for carrying out activities, processes and operations, and protecting technology and information assets within an organization.
Ensures that the acquisition, use and maintenance of system operations, hardware and software is consistent across the org.
Defines legal consequences of policy violators.
Gives the security team the support they need from senior management.
What is an organization policy?
Provides guidance for how work should be carried out in an org. Might include change management, change control or asset management policies
Out of standards, baselines, procedures, and guidelines; what is optional and non-binding?
Guidelines which are non-binding recommendations.
What is the Federal Information Security Management Act? (Includes 7 things)
o Risk assessments.
o An annual inventory of IT systems.
o Policies and procedures to reduce risk.
o Security awareness training.
o Testing and evaluation of all IT system controls.
o Incident response procedures.
o A continuity of operations plan.
What is the Gramm-Leach-Bliley Act? (GLBA)
legislation that affects the finance industry. Provides opt-out provisions for individuals, putting them in control of how the information is shared. GLBA restricts information sharing with third party orgs.
What is Sarbanes-Oxley Act? (SOX)
overhauled financial and corporate accounting standards following several high-profile corporate accounting scandals in 2002. Targeted financial standards and practices of publicly traded firms in the US.
Description of the PCI DSS
in 2006, a Security Standards Council composed of the top orgs in the payment card industry designed a private sector initiative to improve the confidentiality of network communications. PCI DSS (Payment Card Industry Data Security Standard) is technically voluntary in theory but in practice orgs that fail may face significantly higher transaction rates, fines up to $500,000 and, in extreme situations, lose the ability to to process payment cards.
What is the Electronic Communications Privacy Act of 1986? (ECPA)
aims to ensure workplace privacy and protect a range of electronic communications such as email and telephone(y) conversations from unauthorized interception, access, use and disclosure.
What is the Computer Fraud and Abuse Act 1986? (CFFA)
Prohibits unauthorized access to computer systems.
What are 9 exceptions to the FOIA?
- National security and foreign policy information.
- Internal personnel rules and practices of an agency.
- Information specifically exempted by statute.
- Confidential business information.
- Inter or intra-agency communications subject to deliberative process, litigation, and other privileges
- Information that, if disclosed, would constitute a clearly unwarranted invasion of privacy.
- Law enforcement records that implicate one set of enumerated concerns.
- Agency information about financial institutions.
- Geological and geophysical information concerning wells.
What is FERPA?
Family Education Records and Privacy Act; federal law that pertains to the access of education records. Parents must approve disclosure of students educational records to public entities prior to actual disclosure. When a student turns 18 or enters a post-secondary education institution at any age, their rights under FERPA transfer from the parents to student.
What is COPPA?
Children’s Online Privacy Protection Action; Protects privacy of those under 13 years of age by imposing certain requirements on website operators and online services under US jurisdiction.
What is CIPA?
Children’s Internet Protection Act; passed by US Congress in 2,000 AD to protect children under the age of 17 from exposure to offensive Internet content and obscene material.
What is VPPA?
Video Privacy Protection Act, Originally enacted to prevent the sharing of videotape, DVD and video game rental information to third parties. Amended in 2013 to allow orgs such as Netflix to collect customer consent that allows them to store rental/watch histories and make them public for up to 2 years.
HIPPA
Health Insurance Portability and Accountability Act, Required the creation of national standards to impose safeguards for the physical storage, maintenance, transmission, and access to individuals’ health information.
What does California Senate Bill 1386 require?
Disclosure of any personal data security breach. Other states have followed suit.
What are the 6 steps of a PIA? (Privacy Impact Assessment)
- Establish PIA scope.
- Identify key stakeholders.
- Document how the org handles PII.
- Review legal and regulatory requirements.
- Document any potential issues when comparing requirements and current practices.
- Review findings with key stakeholders.
What are the twelve domains of cybersecurity?
Risk assessment – Determines the quantitative and qualitative value of risk related to a specific situation or threat.
Security policy – Adresses the constraints and behaviors of individuals within an org and often specifies how data can be accessed and what data is accessibly by whom.
Org of information security – Governance model set out by an org for infosec.
Asset management – Inventory of and classification scheme for information assets within an org.
HR Security – Refers to security procedures in place that relate to employees joining, moving within and leaving the org.
Physical and environmental security – Refers to physical protection of an orgs facilities and data.
Communications and operations management – Refers to management of technical security controls of an orgs systems and networks.
Information systems aquisiton, development, and maintenance – Refers to security as an integral part of an orgs info systems.
Access control – Describes how an org restricts access rights to networks, systems, application functions and data to prevent unauthorized user access.
Infosec incident management – Describes an orgs approach to the anticipation of and response to infosec incidents.
Business continuity management – Describes the ability of an org to protect, maintain, and recover business-critical activities following a disruption of information systems.
Compliance – Describes the process of ensuring conformance with infosec policies, standards, and regulations.
Control objectives are…?
Define the high level requirements for implementing a comprehensive infosec management system within an org, and usually provides a checklist to use during an ISMS audit. Passing this audit indicates an org is ISO 27001 compliant.
Controls are…?
Controls set how to accomplish an org’s control objectives. Establish guidelines for implementing, maintaining, and improving the management of infosec within an org.
ISO 27000 defines security objectives for data in…?
In process, at rest (in storage), and in transit.
Basic controls; orgs with limited resources and cybersecurity expertise should implement:
Inventory and control of hardware and software assets.
Continuous vulnerability management.
Controlled use of admin privileges.
Secure configurations for hardware and software.
Maintenance, monitoring, and analysis of audit logs.
Foundational controls; orgs with moderate resources and cybersecurity expertise should implement basic controls as well as:
Email and web browser protections.
Malware defense.
Limitation and control of network ports, protocols and services.
Data recovery capabilities.
Secure configuration of network devices.
Boundary defense.
Data protections.
Controlled access based on “Need to know” principle.
Wireless access control.
Account monitoring and control.
Organizational controls; orgs with significant resources and cybersecurity expertise should implement basic and foundational controls, in addition to:
Security awareness training program.
Application software security.
Incident response and management.
Pentests and red team exercises
The CSA (Cloud Security Alliance) does…?
Provide security guidance to any org that uses cloud computing. Their Cloud Controls Matric (CCM) is a cybersecurity control framework that maps cloud-specific security controls to leading standards, best practices, and regulations. It is composed of 197 control objectives that are structured in 17 domains.
