Domain 5 Flashcards
What are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss
Using the security attributes of confidentiality, integrity, and availability (CIA) associated with data
Security controls
What controls do not require a technical team to administer and are generally handled by the human resources department (HR)? Examples include background checks, employee training, and organizational policies.
Managerial
What is a policy or procedure used to limit security risk? These security controls are primarily implemented and executed by people, as opposed to systems.
Operational control
What controls use some form of technology to address a physical security issue
These security controls are primarily implemented and executed by the information system through mechanisms contained in its hardware, software, or firmware components
Technical
What controls are barriers that are designed to stop an attacker from gaining unauthorized access to an asset
For example, these may include antivirus/antimalware software, firewalls, or intrusion prevention systems (IPSs).
Preventive
What controls detect abnormalities and send alerts during an unauthorized access to an asset? For example, this includes intrusion detection systems (IDSs) and security information and event management systems (SIEMs).
Detective
What controls mitigate the damage after a disruption or attack
Examples include vulnerability patching and restores from a backup
Corrective
What controls are warnings to discourage inappropriate or illegal behavior
For example, this includes warning messages about unauthorized access to an asset or a strict security policy stating severe consequences for employees who violate the policy
Deterrent
What controls (also known as alternative controls) are used when all the other controls cannot mitigate the risk
Compensating
What controls are used to deter or deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm
Examples include fences, doors, locks and fire extinguishers
Physical
What specifies requirements for collecting personal information in the European Union (EU)
For all firms that wish to trade with the EU, there is now a set of privacy regulations that will require specific programs to address the requirements
General Data Protection Regulation (GDPR)
What laws are the system of rules, or statutes, made by the government of a country, state, or city
Statutes are enacted by a legislative body and then signed by the ranking official (president/governor).
What is a set of contractual rules governing how credit card data is to be protected (see the sidebar “PCI DSS Objectives and Requirements”)?
Payment Card Industry Data Security Standard (PCI DSS)
The National Institute of Standards and Technology (NIST) provides recommended strategies to the U.S. government and others on how to handle a wide range of issues, including risk from cybersecurity issues.
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/Cybersecurity Framework (CSF)
What is the international standard defining an information security management system (ISMS)? What is one of many related standards in the 27000 family, a document that defines security techniques and a code of practice for information security controls?
International Organization for Standardization (ISO)
What reports focus on internal controls related to compliance or operations? A SOC Type I report evaluates whether proper controls are in place at a specific point in time. A SOC Type II report is done over a period of time to verify operational efficiency and effectiveness of the controls.
SSAE SOC 2 Type I/II
What issued the first comprehensive best-practice document for secure cloud computing, “Security Guidance for Critical Areas of Focus for Cloud Computing,” and has become the industry body for frameworks, benchmarks, and standards associated with cloud computing worldwide?
Cloud Security Alliance
What is a meta-framework of cloud-specific security controls, mapped to leading standards, best practices, and regulations? This document uses 16 domains to cover 133 security control objectives to address all key aspects of cloud security.
The Cloud Controls Matrix (CCM)
The Cloud Security Alliance has a working group that has developed this framework for cloud deployments and services. This framework serves as both a methodology and a set of tools that can be utilized by security professionals and risk management professionals.
Reference architecture
Enterprise Architecture Working Group (EAWG)
What secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented? As each organization may differ, the standard for a benchmark is a consensus-based set of knowledge designed to deliver a reasonable set of security across as wide a base as possible.
Benchmarks/secure configuration guides
Many different web servers are used in enterprises, but the market leaders are Microsoft, Apache, and Nginx. Web servers offer a connection between users (clients) and web pages (data being provided), and as such they are prone to attacks.
Web server
What is the interface between the applications that we use to perform tasks and the actual physical computer hardware?
Comprehensive, prescriptive configuration guides for all major operating systems are available from their respective manufacturers, from the Center for Internet Security, and from the DoD DISA STIGs program.
The operating system (OS)
What are the part of the enterprise that handles specific tasks we associate with IT systems? Whether it is an e-mail server, a database server, a messaging platform, or any other server, an application server is where the work happens.
Application server
What devices are the switches, routers, concentrators, firewalls, and other specialty devices that make the network function smoothly
Properly configuring these devices can be challenging but is very important because failures at this level can adversely affect the security of traffic being processed by them
Network infrastructure
What is a policy that compels employees to rotate into different jobs, or at least rotate some of their duties? This practice can deter fraud (such as sabotage) and prevent information misuse as well.
Job rotation
What is a set of rules defined by the organization that detail the type of behavior that is permitted when using company assets. This should contain explicit language defining procedural requirements and the responsibilities of users
Acceptable use policy (AUP)
Some organizations have a policy that requires employees in sensitive positions to take off five or ten consecutive business days
It is common for organizations to also schedule audits to coincide with mandatory vacations to increase the likelihood of discovering fraud and other crimes
Mandatory vacation
What provides assurance that a single person cannot compromise a critical system or organizational security?
It also creates a checks-and-balances system in which two or more users can verify what each other is doing and must work together to perform certain tasks.
Separation of duties
What refers to granting users only the privileges necessary to perform their work and nothing more? This includes permissions to data and rights to perform tasks on systems, and it also applies to system access, for example, logging on to computers with or without full administrative privileges.
Least privilege
What ensures that employees are cognizant of items being left out on their desk
This prevents malicious individuals from walking around the office and stumbling across sensitive information
Clean desk space
What are used to identify an individual’s previous activities
Most background checks are conducted prior to employment and can include an individual’s criminal, financial or driving records
Background checks
What is a legal contract between two or more parties that details confidential information the parties will share
Non-disclosure agreement (NDA)
Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party
One of the challenges in working with social media networks and/or applications is their terms of use
Social media analysis
When performing this process for new personnel, ensure that they are aware of and understand their responsibilities with respect to securing company information and assets.
Onboarding
What refers to the processes and procedures used when an employee leaves an organization? From a security perspective, this process for personnel is very important.
Offboarding
What is important to ensure that users are aware of and are following appropriate policies and procedures as part of their workplace activities
As in all personnel-related training, two elements need attention
User training
What is the use of games to facilitate user training?
Gamification
What is hands-on computer skill training where a user is tested to see if they can perform specific actions?
Many hacking competitions are variations of capture-the-flag events
Capture the flag
What are a series of connected phishing attacks against an organization
Since this is an operational method of social engineering, the greater the level of institutional, organizational, and personal knowledge one possesses about their target, the greater the chance of success
Phishing campaigns
To help users learn and identify phishing attacks, there are methods of running tests against users
A phishing attempt is sent to a user, and should they fall prey to it, the system notifies the user that this was only a drill and that they should be more cautious
Phishing simulations
What is the use of a computer program to manage training of users? Self-paced modules can facilitate skill development across a wide range of skills, and the flexibility of CBT is very attractive.
Computer-based training (CBT)
For training to be effective, it needs to be targeted to the user with regard to their role in the subject of the training. This kind of training, with regard to information security responsibilities, is an important part of information security training.
Role-based training
There is a wide range of training methods, and for the best results it is important to match the training methods to the material.
Diversity of training techniques
What is the practice of assessing third-party risks and then developing the necessary mitigations?
Third-party risk management
What are firms or individuals that supply materials or services to a business
These items are purchased as part of a business process and represent some form of a value proposition for the firm purchasing them
Vendors
An organization might perform this kind of assessment for the purposes of reducing vulnerability and ensuring business continuity.
Using the risk management process tools, organizations assess the risks and uncertainties caused by logistics-related activities or resources from partners in the supply chain.
Supply Chain
What can be enrolled in a business effort for multiple reasons: to share risk, share liability, share costs, leverage specialty expertise, and more
The key to understanding and navigating business partners with respect to cybersecurity and risk is to ensure that the risks and responsibilities on both partners are understood and agreed to before the risk event occurs
Business partners
A service level agreement (SLA) is a negotiated agreement between parties detailing the expectations between a customer and a service provider
SLAs essentially set the requisite level of performance of a given contractual service
Service level agreement (SLA)
What are also commonly used between different units within an organization to detail expectations associated with the common business interest, including security requirements
Memorandum of understanding (MOU); MOUs/MOAs
What is a field of study that examines measurement systems for accuracy and precision
Measurements and measurement systems have to be calibrated to ensure they are evaluating the actual object of interest
Measurement systems analysis (MSA)
What is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners
A business partnership agreement (BPA)
What is it when the manufacturer quits selling an item? In most cases, the manufacturer no longer provides maintenance services or updates. In some cases, this date is announced to be a future date, after which support ends.
End of Life (EOL)
What is the term used to denote that something has reached the end of its “useful life”? When this occurs, the provider of the item or service will typically no longer sell or update it.
End of service life (EOSL)
Whenever information is shared with a party, inside or outside the company, if the sharing entity wishes to have contractual terms to limit sharing or disclosure, this is used.
NDA
System integration with internal and third parties frequently involves the sharing of this. This can be shared for the purpose of processing or storage
Data
Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity
This requires dividing information into various categories, each with its own requirements for its handling.
Classification
This is the process of managing the availability, usability, integrity, and security of the data in enterprise systems
This must be done by policy, as it involves a large number of data owners and users
Governance