Domain 1 - part 3 Flashcards
Controls implemented with or by automated or electronic systems, e.g. firewalls, electronic badge readers, access control lists. Another example would be routers.
Technical/logical controls
Controls implemented through a tangible mechanism: walls, fences, guards, locks. Physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.
Physical controls
Controls implemented through policy and procedure. Includes access control processes and requiring multiple people to conduct a specific operation. Often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for a new user that requires login and approval by the hiring manager.
Administrative controls
Often performed with automated tools that review the org's IT environment for known vulnerabilities, cataloging them and often sending alerts for any detection. This method detects only known vulnerabilities.
Vulnerability assessment
External: the tester has no access, and it is not safe. Simulates an external attack and tests the org's security defenses.
Penetration testing
Financial fraud
COSO
Publishes the Risk IT framework, connecting risk management from a strategic perspective with risk-related IT management.
ISACA
SP 800-37 is extremely influential and important in how US federal government agencies address risk.
NIST
Both discuss risk from a holistic org perspective and specifically as related to IT security; also endorsed by the European Union Agency for Network and Information Security as a means of managing risk.
ISO risk framework
Standard 27001; ENISA
Created by Microsoft; a threat classification system used to inform software developers during the development process.
STRIDE
Threat where the attacker poses as an entity other than themselves, often as an authorized user.
Spoofing identity
Attacker attempts to modify the target data in an unauthorized way.
Tampering with data
The attacker, as a participant in a transaction, can deny or conceal their participation in that transaction.
Repudiation
Can include both inadvertent release of data (an authorized user gives it to the attacker accidentally) and malicious access to data, where the attacker gains unauthorized access.
Information disclosure
An attack on the availability aspect of the CIA triad, creating a situation in the target where authorized users cannot access the system/app/data.
Denial of Service (DoS)
When an attacker not only gains access to the target but attains a level of control with which to completely disable or destroy the entire target system.
Elevation of privilege
Applicable list of security and privacy controls. One series is required only of federal agencies in the US. It can be applied to any kind of org, as the methods and concepts are universal.
ISO 27001/27002
Created by ISACA to maintain and document enterprise IT security functions for an org. Uses a governance and process perspective for resource management and is intended to address IT performance, security operations, risk management, and regulatory compliance.
COBIT
Can generally be rated according to three factors: impact, likelihood, and exposure.
Risk assessment
The damage/harm/seriousness caused if the risk is realized. Can be measured monetarily, as an effect on health and human safety, and/or by the criticality of the affected asset to the org. The BIA is an excellent tool for assessing impact.
Impact
Probability, or the measure of the possibility that the risk will be realized. This is a form of prediction.
Likelihood
Establishing the realistic potential for the org to face certain types of threats.
Exposure
Typically split into two categories; the candidate should understand these for the purpose of adhering to the CBK.
Risk analysis
Used when the org does not have sufficient time, budget, or personnel trained in this to put toward the effort. Rates risk as High/Med/Low.
Qualitative
Should produce objective, discrete numeric values. The org should opt for this when it has sufficient time, budget, and trained personnel to put toward the effort.
Quantitative
Risk that remains after the security controls are put into place.
Residual risk
Parties must establish a mutual understanding of exactly what will be provided, under which terms, and at what times; includes a detailed description of both performance and security functions. Defines the minimum requirements and codifies provisions. Includes discrete objectives.
SLA
Adherence to a mandate regardless of its source: the action on the part of the org to fulfill the mandate, and the tools, processes, and documentation that demonstrate adherence.
Compliance
The right of a human being to control the manner and extent to which information about him or her is distributed. Mandates take all forms: contractual, regulatory, and customary.
Privacy
Tools, processes, and activities used to perform compliance reviews.
Audits
Legal concept pertaining to the duty owed by a provider to a customer.
Due care
Activity used to demonstrate or provide due care: reviewing vendors and suppliers for adequate provision of security measures; proper review of personnel before granting access to the org's data or before hiring.
Due diligence
Is publishing a policy an insufficient form of due diligence?
True: to meet the legal duty, an org must also have a documented monitoring and enforcement capability in place and active to ensure the org is adhering to the policy.
Contract between the entities that issue credit cards in the US and the merchant entity that accepts the cards as payment.
PCI-DSS
Are set by government bodies.
Regulations
EU law that addressed personal privacy, deeming it an individual human right. Associated with IT and data security worldwide, influencing laws in many other countries and regions.
General Data Protection Regulation - GDPR
American federal law that affects medical providers and includes stipulations regarding the collection and dissemination of health-related personal info, referred to in the Act and the industry as electronic protected health information (ePHI).
HIPAA - Health Insurance Portability and Accountability Act
Federal US law that allowed banks to merge with insurance providers and includes protection, collection, and dissemination requirements for the personal information of individual account holders.
Gramm-Leach-Bliley Act - GLBA
Created by the US Congress as a response to a series of dramatic frauds committed by publicly traded corporations in the 1990s. Contains security, privacy, and availability requirements of great interest to IT security practitioners, as the resulting industry standards (SSAE 16), created as a mechanism for SOX audits, have been accepted.
SOX
Severely restrictive of privacy data collection and dissemination, and requires intense security for such data.
Canada's Personal Information Protection and Electronic Documents Act - PIPEDA
US national law applicable only to federal government agencies; requires all covered entities to comply with NIST guidance and standards for securing IT environments under those agencies' control. FedRAMP - Federal Risk and Authorization Management Program.
Federal Information Systems Management Act - FISMA
Intangible assets can include proprietary material such as software owned by the org. Proprietary software is provided by the vendor to the customer through the use of a license, an agreement codifying the terms (price, duration, number of copies) that govern the use of the software.
Intellectual property - IP
Tools that often create an additional layer of access control within the org for those files/data sets that contain proprietary material.
DRM
Access controls follow the protected material wherever the material goes.
Persistency
Solution is subject to a centralized administrative function that allows the owner of the IP to update and modify permissions as necessary.
Dynamic policy control
Solution should recognize a time limit on permissions for specific data sets/files.
Automatic expiration
Solution should ensure that every protected element (each file or data set) is able to recognize and annotate access events (open/view/running/copying, etc.) on itself and maintain that record.
Continuous audit trail
Solution should function properly within the environment of whoever is running the DRM and work in concert with that org's existing access control methodologies and tools. The DRM solution can integrate with the org's file structure, email, etc.
Interoperability
A multilateral export control program in which 41 participating countries agree not to distribute or export certain technologies, including both weapons and, of more concern to our field, cryptographic tools, to regions where an accumulation of these materials might disturb the local balance of power between nation-states.
Wassenaar Agreement
Expressly intended to prevent the personal data of EU citizens from going to any country that does not have a national personal privacy law in accordance with EU law in terms of breadth and individual protection. The US does not adhere to this.
GDPR
Voluntary US program for American companies that want to do business involving the processing of privacy data of EU citizens; a voluntary mechanism for US companies to agree to follow EU data protection law.
Privacy Shield
Any data about a human being that could be used to identify that person, such as name, tax ID number, SSN, home address, mobile telephone number, specific computer data (MAC address, IP address of a machine), credit card number, bank account number, facial photo.
PII - Personally identifiable information
Creates or collects the data; is legally responsible for the protection of the data in their control and liable for any unauthorized release of the data.
Data owner/controller
Person/role within the org who usually manages the data on a day-to-day basis on behalf of the data owner/controller. Could be a DBA, a system admin, or anyone with privileged access to the system or data set.
Data custodian
Employee signs a formal agreement not to make any unauthorized disclosure of any of the org's proprietary/sensitive info, both during and after the term of employment.
Non-disclosure agreement - NDA
Actions, processes, and tools ensuring an org can continue critical operations during a contingency.
Business continuity - BC
Efforts are those tasks and activities required to bring an org back from contingency operations and reinstate the needs of the org.
Disaster recovery - DR
Measure of how long an org can survive an interruption of critical functions; if exceeded, the org will no longer be a viable unit.
Maximum allowable downtime - MAD
Target time set for recovering from any interruption; must necessarily be less than the MAD. Senior management sets this based on their knowledge of the needs of the org. A goal for recovering availability of the critical path. This is a temporary state the org will endure until it can return to normal.
Recovery time objective - RTO
How much data an org can lose before it is no longer viable. Senior management sets this.
Recovery point objective - RPO
Effort to determine the value of each asset belonging to the org, as well as the potential risk of losing assets, the threats likely to affect the org, and the potential for common threats to be realized.
Business impact analysis - BIA