Domain 5 Flashcards

1
Q

What are the mechanisms employed to minimize exposure to risk and mitigate the effects of loss, using the security attributes of confidentiality, integrity, and availability (CIA) associated with data?

A

Security controls

2
Q

What control category is concerned with the management of risk and of security policy rather than with technology? These controls do not require a technical team to administer and are often handled by management and the human resources (HR) department. Examples include organizational policies, background checks, and employee training requirements.

A

Managerial (also called administrative) controls

3
Q

What control category consists of policies or procedures used to limit security risk that are primarily implemented and executed by people, as opposed to systems?

A

Operational controls

4
Q

What control category uses some form of technology to address a security issue? These controls are primarily implemented and executed by the information system through mechanisms contained in its hardware, software, or firmware components.

A

Technical controls

5
Q

What controls are barriers designed to stop an attacker from gaining unauthorized access to an asset? Examples include antivirus/antimalware software, firewalls, and intrusion prevention systems (IPSs).

A

Preventive

6
Q

What controls detect abnormalities and send alerts during unauthorized access to an asset? Examples include intrusion detection systems (IDSs) and security information and event management (SIEM) systems.

A

Detective

7
Q

What controls mitigate the damage after a disruption or attack
Examples include vulnerability patching and restores from a backup

A

Corrective

8
Q

What controls are warnings intended to discourage inappropriate or illegal behavior? Examples include warning banners about unauthorized access to an asset, or a strict security policy stating severe consequences for employees who violate it.

A

Deterrent

9
Q

What controls (also known as alternative controls) are put in place when a primary or required control cannot be implemented or does not fully mitigate the risk, to provide a comparable level of protection by other means?

A

Compensating

10
Q

What controls are used to deter or deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm
Examples include fences, doors, locks and fire extinguishers

A

Physical

11
Q

What regulation specifies requirements for collecting and processing personal information in the European Union (EU)? It applies to any organization that handles the personal data of people in the EU, wherever that organization is based, so firms that wish to do business with the EU need specific programs to address its requirements.

A

General Data Protection Regulation (GDPR)

12
Q

What laws are the system of rules, or statutes, made by the government of a country, state, or city? Statutes are enacted by a legislative body and then signed by the ranking official (president/governor).

A

National, territory, or state laws

13
Q

What is a set of contractual rules governing how credit card data is to be protected (see the sidebar “PCI DSS Objectives and Requirements”)?

A

Payment Card Industry Data Security Standard (PCI DSS)

14
Q

What U.S. agency provides recommended strategies to the U.S. government and others on how to handle a wide range of issues, including risk from cybersecurity issues, and which two of its frameworks are used for this?

A

The National Institute of Standards and Technology (NIST); its Risk Management Framework (RMF) and Cybersecurity Framework (CSF)

15
Q

What is the international standard that defines the requirements for an information security management system (ISMS)? And what related standard in the same 27000 family defines security techniques and a code of practice for information security controls?

A

ISO/IEC 27001 (ISMS requirements) and ISO/IEC 27002 (code of practice for information security controls), both published by the International Organization for Standardization (ISO) together with the IEC

16
Q

What reports focus on internal controls related to compliance or operations? A Type I report evaluates whether properly designed controls are in place at a specific point in time. A Type II report covers a period of time and tests the operating effectiveness of those controls over that period.

A

SSAE 18 SOC 2 Type I/Type II

17
Q

What organization issued the first comprehensive best-practice document for secure cloud computing, “Security Guidance for Critical Areas of Focus in Cloud Computing,” and has become the industry body for frameworks, benchmarks, and standards associated with cloud computing worldwide?

A

Cloud Security Alliance (CSA)

18
Q

What is a meta-framework of cloud-specific security controls, mapped to leading standards, best practices, and regulations? The version described here uses 16 domains covering 133 security control objectives to address all key aspects of cloud security (the current v4 expanded this to 17 domains and 197 controls).

A

The Cloud Controls Matrix (CCM)

19
Q

The Cloud Security Alliance has a working group that developed this for cloud deployments and services. It serves as both a methodology and a set of tools that can be used by security professionals and risk management professionals. What is it, and which group produced it?

A

Reference architecture, developed by the CSA Enterprise Architecture Working Group (EAWG)

20
Q

What secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented? As each organization may differ, each of these is a consensus-based set of knowledge designed to deliver a reasonable level of security across as wide a base as possible.

A

Benchmarks/secure configuration guides

21
Q

Many different products of this kind are used in enterprises, but the market leaders are Microsoft (IIS), Apache, and Nginx. They provide the connection between users (clients) and web pages (the data being provided), and as such they are prone to attack. What are they?

A

Web server

22
Q

What is the interface between the applications we use to perform tasks and the physical computer hardware? Comprehensive, prescriptive configuration guides for all major ones are available from their respective manufacturers, from the Center for Internet Security (CIS), and from the DoD DISA STIG program.

A

The operating system (OS)

23
Q

What is the part of the enterprise that handles the specific tasks we associate with IT systems? Whether it is an e-mail server, a database server, a messaging platform, or any other server, this is where the work happens.

A

Application server

24
Q

What devices are the switches, routers, concentrators, firewalls, and other specialty devices that make the network function smoothly
Properly configuring these devices can be challenging but is very important because failures at this level can adversely affect the security of traffic being processed by them

A

Network infrastructure

25
What is a policy that compels employees to rotate into different jobs, or at least rotate some of their duties? This practice can deter fraud and sabotage and prevent information misuse, since no single person controls a function unchecked for long.
Job rotation
26
What is a set of rules defined by the organization that details the type of behavior permitted when using company assets? It should contain explicit language defining procedural requirements and the responsibilities of users.
Acceptable use policy (AUP)
27
What policy requires employees in sensitive positions to take five or ten consecutive business days off? Organizations commonly schedule audits to coincide with these absences to increase the likelihood of discovering fraud and other crimes.
Mandatory vacation
28
What principle provides assurance that a single person cannot compromise a critical system or organizational security? It creates a checks-and-balances system in which two or more users can verify what each other is doing and must work together to perform certain tasks.
Separation of duties
29
What refers to granting users only the privileges necessary to perform their work and nothing more? This includes permissions to data and rights to perform tasks on systems, and it also applies to system access, for example, logging on to computers with or without full administrative privileges.
Least privilege
30
What policy ensures that employees are cognizant of items left out on their desks? It prevents malicious individuals from walking around the office and stumbling across sensitive information.
Clean desk space
31
What are used to identify an individual’s previous activities? Most are conducted prior to employment and can include an individual’s criminal, financial, or driving records.
Background checks
32
What is a legal contract between two or more parties that details confidential information the parties will share
Non-disclosure agreement (NDA)
33
Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party. One of the challenges in working with social media networks and/or applications is their terms of use. What is the assessment of this exposure called?
Social media analysis
34
What process, when bringing on new personnel, ensures that they are aware of and understand their responsibilities with respect to securing company information and assets?
Onboarding
35
What refers to the processes and procedures used when an employee leaves an organization? From a security perspective, this process is very important, since the departing employee’s credentials and access must be revoked and company assets recovered.
Off boarding
36
What is important to ensure that users are aware of and follow appropriate policies and procedures as part of their workplace activities? As in all personnel-related training, two elements need attention.
User training
37
What is the use of games to facilitate user training?
Gamification
38
What is hands-on computer skill training where a user is tested to see if they can perform specific actions? Many hacking competitions are variations of these events.
Capture the flag
39
What are a series of connected phishing attacks against an organization? Since this is an operational method of social engineering, the greater the level of institutional, organizational, and personal knowledge one possesses about the target, the greater the chance of success.
Phishing campaigns
40
To help users learn to identify phishing attacks, what method runs tests against users? A phishing attempt is sent to a user, and should they fall prey to it, the system notifies the user that this was only a drill and that they should be more cautious.
Phishing simulations
41
What is the use of a computer program to manage the training of users? Self-paced modules can facilitate skill development across a wide range of skills, and the flexibility of this approach is very attractive.
Computer-based training (CBT)
42
For training to be effective, it needs to be targeted to the user with regard to their role in the subject of the training. What kind of training, which covers the information security responsibilities attached to each role, is an important part of information security training?
Role-based training
43
There is a wide range of training methods, and for the best results it is important to match the method to the material. What is this variety of methods called?
Diversity of training techniques
44
What is the practice of assessing third-party risks and then developing the necessary mitigations?
Third-party risk management
45
What are firms or individuals that supply materials or services to a business? These items are purchased as part of a business process and represent some form of value proposition for the purchasing firm.
Vendors
46
An organization might perform a ______ _____ assessment for the purposes of reducing vulnerability and ensuring business continuity. Using risk management process tools, organizations assess the risks and uncertainties caused by logistics-related activities or resources from partners in the ______ _____.
Supply Chain
47
Who can be enrolled in a business effort for multiple reasons: to share risk, share liability, share costs, leverage specialty expertise, and more? The key to understanding and navigating these relationships with respect to cybersecurity and risk is to ensure that the risks and responsibilities of both parties are understood and agreed to before a risk event occurs.
Business partners
48
What is a negotiated agreement between parties detailing the expectations between a customer and a service provider? These essentially set the requisite level of performance of a given contractual service.
Service level agreement (SLA)
49
What are commonly used between different units within an organization, as well as between organizations, to detail expectations associated with a common business interest, including security requirements?
Memorandum of understanding (MOU)/memorandum of agreement (MOA)
50
What is a field of study that examines measurement systems for accuracy and precision? Measurements and measurement systems have to be calibrated to ensure they are evaluating the actual object of interest.
Measurement systems analysis (MSA)
51
What is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners
A business partnership agreement (BPA)
52
What is it called when a manufacturer stops selling an item? Support may continue for a time, but in most cases the manufacturer also stops providing maintenance services or updates, sometimes at a future date announced in advance.
End of Life (EOL)
53
What term denotes that something has reached the end of its “useful life” and the provider will no longer sell, maintain, or update it? Systems past this point receive no security patches, so they carry unmitigated vulnerabilities and should be replaced or isolated.
End of service life (EOSL)
54
Whenever information is shared with a party, inside or outside the company, and the sharing entity wishes to have contractual terms limiting further sharing or disclosure, what is used?
NDA
55
System integration with internal and third parties frequently involves the sharing of what? It can be shared for the purpose of processing or storage.
Data
56
Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity. What is the process of sorting information into categories, each with its own requirements for handling?
Classification
57
What is the process of managing the availability, usability, integrity, and security of the data in enterprise systems? This must be done by policy, as it involves a large number of data owners and users.
Governance
58
This is the management of the data lifecycle with an emphasis on when data reaches its end of useful life for an organization
Retention
59
Who requires credentials to access specific system resources as part of their job duties? Management of who gets which credentials is part of the access and authorization management system and should be governed by a credential policy.
Personnel
60
Whether for system or physical access, the credentials of which kind of party should be managed by policy to ensure they are issued when needed to the correct parties and revoked when access is no longer needed?
Third-party
61
What are physical items that require access to a network or enterprise system? To have this access, they require credentials just like human users.
Devices
62
What are special accounts used to provision permissions for services or other non-human-initiated system activity? Many computer systems have automated services that function either as part of, or in addition to, the operating system to enable certain functionality.
Service accounts
63
What accounts have elevated privileges and require closer scrutiny as to who is issued these credentials and how they are used and monitored?
Administrator/root accounts
64
What is a process to ensure proper procedures are followed when modifications to the IT infrastructure are made? Without a process to manage change, an organization might suddenly find itself unable to conduct business.
Change management
65
What is the process by which changes to anything are sourced, analyzed, and managed? It is a subset of change management, focused on the details of a change and how it is documented.
Change control
66
What are the policies and processes used to manage the elements of the system, including hardware, software, and the data contained within them?
Asset management
67
What threats come from outside the organization and, by definition, begin without access to the system? Access is reserved for users who have a business need to know and have authorized accounts on the system.
External
68
What threats include disgruntled employees and well-meaning employees who make mistakes or have an accident? These threats tend to be more damaging, as the perpetrator has already been granted some form of access.
Internal
69
What are older, pre-existing systems? Age really isn’t the issue; the true issue is technical debt, the cost incurred over time as a result of not maintaining a system completely.
Legacy Systems
70
The overall risk equation gets complicated when a system has multiple parties, each with its own risk determination. What is this kind of risk called?
Multiparty
71
What can seriously damage a company’s future health? If a firm spends a lot of resources developing a product or a market and is then undercut by other parties that didn’t have to spend those resources, sales can disappear and future revenue streams can dry up.
Intellectual property (IP) IP Theft
72
Use of software is governed by licensing and, in many cases, trust. Copies of many software products can be made and used without licenses. What kind of risk does this create?
Software compliance/licensing
73
An organization might accept the risk (based on its risk tolerance) after a cost/benefit analysis determines that the cost of countermeasures would outweigh the cost of asset loss due to the risk. What response is this?
Acceptance
74
An organization might avoid the risk by selecting alternate options that have less associated risk than the default option. For example, an organization might require employees to fly to destinations rather than allowing them to drive. What response is this?
Avoidance
75
An organization might transfer, or assign, the risk by placing the cost of loss onto another entity internal or external to the organization. For example, it might purchase insurance or outsource some responsibilities. What response is this?
Transference
76
A common method of transferring risk is to purchase what? It allows risk to be transferred to a third party that manages specific types of risk for multiple parties, thus reducing the individual cost.
Cybersecurity insurance
77
Risk can also be reduced through the application of controls that lower the likelihood or the impact of an attack. Controls can alert operators so that the level of exposure is reduced through process intervention. What response is this?
Mitigation
78
To manage risk, there needs to be a measurement of loss and potential loss, and much of this information comes from what? It is performed via a series of specific exercises that reveal the presence and level of risk across an enterprise.
Risk Analysis
79
What is a list of the risks associated with a system? It can also contain additional information for each risk element, such as categories to group like risks, probability of occurrence, impact to the organization, mitigation factors, and other data.
Risk register
80
What is used to visually display the results of a qualitative risk analysis, typically with likelihood on one axis and impact on the other?
Risk matrix/heat map
81
What is a tool used by the Financial Industry Regulatory Authority (FINRA) to assess a series of risks associated with its member institutions?
Risk control assessment
82
What is a technique that employs management and staff at all levels to identify and evaluate risks and their associated controls? This information is collected and analyzed to produce a more comprehensive map of risks and the controls in place to address them.
Risk control self-assessment
83
What is knowledge of risk and its consequences? It is essential for a wide range of personnel, with the content tailored to their contributions to the enterprise.
Risk awareness
84
What is defined as the amount of risk that exists in the absence of controls, that is, the risk before any treatment? Because some baseline controls are inseparable from any real system, in practice it is often assessed as the risk level before the organization’s additional mitigating controls are applied, rather than against a purely hypothetical absence of all controls.
Inherent risk
85
The presence of risk in a system is an absolute; it cannot be removed or eliminated entirely. As mentioned previously in this chapter, four actions can be taken to respond to risk: accept, transfer, avoid, and mitigate. What is the risk that remains after the chosen response has been applied?
Residual risk
86
What term specifies the risk associated with the chance of a material misstatement in a company’s financial statements? This risk can manifest in a couple of ways: either there isn’t an appropriate set of internal controls to mitigate a particular risk, or the internal controls in place malfunctioned.
Control risk
87
What term describes a firm’s tolerance for risk? Even within a sector, among companies of the same size operating in roughly the same areas, there can be differences in the level of risk each is comfortable accepting.
Risk appetite
88
The Sarbanes-Oxley Act of 2002 protects investors from corporate fraud and bad financial reporting. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards and policies for companies to follow in order to protect consumer payment cards and the associated private data. What are these examples of?
Regulations that affect risk posture
89
What risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business? It usually involves expert judgment and models, with likelihood and impact expressed on ranked scales such as low, medium, and high.
Qualitative
90
What risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business? It usually involves the use of metrics (monetary values and frequencies) and models to complete the assessment.
Quantitative
91
What is the chance that a particular risk will occur? For quantitative measures it is typically expressed on an annual basis (the annualized rate of occurrence) so that it can be combined with other annualized figures; for qualitative measures it is expressed on a ranked scale (such as low, medium, high) used to rank-order outcomes.
Likelihood of occurrence
92
What is the measure of the actual loss when a threat exploits a vulnerability?
Impact
93
What is the amount of money it would take to replace an asset? This term is used with the exposure factor (EF), a measure of how much of an asset is at risk, expressed as a percentage of its value, to determine the single-loss expectancy (SLE).
Asset value
94
What is the value of the loss expected from a single event? It is calculated using the formula SLE = asset value (AV) × exposure factor (EF).
Single-loss expectancy (SLE)
95
What is a representation of the frequency of an event, measured in a standard year? Multiplied by the SLE, it gives the annualized loss expectancy (ALE = SLE × ARO), the expected loss per year from that risk.
Annualized rate of occurrence (ARO)
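The SLE, ARO and ALE formulas from the preceding cards, worked through in code together with the cost/benefit test that the acceptance and mitigation cards describe. This is an added example, not part of the flashcard set; the two register entries, the control costs and the residual exposure figures are constructed for illustration and are not real loss data.

```python
"""Quantitative risk analysis: single-loss expectancy (SLE), annualized rate of
occurrence (ARO), annualized loss expectancy (ALE) and a cost/benefit decision
between mitigating a risk and accepting it.

Added example, not from the flashcards. Register entries and control figures
below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk register entry holding the quantities the cards define."""
    name: str
    asset_value: float       # AV: cost to replace the asset
    exposure_factor: float   # EF: fraction of the asset lost in one event (0.0-1.0)
    aro: float               # ARO: expected number of events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single-loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO (expected loss per year)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed mitigation and the risk figures expected once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float    # EF after the control is applied
    residual_aro: float   # ARO after the control is applied


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk that remains after the control has been applied."""
    return Risk(risk.name, risk.asset_value, control.residual_ef, control.residual_aro)


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """Expected annual loss avoided by the control, minus what the control costs.

    Positive means the control pays for itself; negative means the countermeasure
    costs more than the loss it prevents.
    """
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def recommend(risk: Risk, control: Control) -> str:
    """Cost/benefit decision: mitigate when the control pays for itself, else accept.

    Transfer and avoid are the other two responses; they are not costed here.
    """
    return "mitigate" if net_annual_benefit(risk, control) > 0 else "accept"


def rank_register(risks: list) -> list:
    """Risk register ordered by ALE, highest first, to prioritise treatment."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


# Constructed register entries (hypothetical figures).
RANSOMWARE = Risk("ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5)
LAPTOP_THEFT = Risk("laptop theft", asset_value=2_000, exposure_factor=1.0, aro=2.0)

# Constructed controls: offline backups plus EDR cut the share of data lost per
# incident; a tracking service halves thefts but costs more than it prevents.
BACKUPS_AND_EDR = Control("offline backups + EDR", annual_cost=40_000, residual_ef=0.1, residual_aro=0.5)
TRACKING_SERVICE = Control("asset tracking service", annual_cost=5_000, residual_ef=1.0, residual_aro=1.0)

if __name__ == "__main__":
    for risk, control in ((RANSOMWARE, BACKUPS_AND_EDR), (LAPTOP_THEFT, TRACKING_SERVICE)):
        print(f"{risk.name}: SLE={risk.sle():,.0f} ALE={risk.ale():,.0f} -> "
              f"{control.name}: net benefit {net_annual_benefit(risk, control):,.0f}, "
              f"{recommend(risk, control)}")
    print("priority:", rank_register([LAPTOP_THEFT, RANSOMWARE]))
```

With these figures the ransomware control avoids 125,000 of expected annual loss for 40,000 (mitigate), while the tracking service avoids 2,000 for 5,000 (accept), which is exactly the cost/benefit comparison the acceptance card describes; the sort by ALE is the ordering a risk register or heat map would present.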
96
What are major events that cause disruptions? The timescale and level of disruption can vary, but the commonality is that the external event that caused the disruption is one that cannot be prevented.
Disasters
97
What kind of disaster can come from a wide variety of sources (weather, lightning, storms, and even solar flares) and cause changes to the system in a manner that disrupts normal operations?
Environmental
98
What threats are attributable to the actions of a person? These aren’t limited to hostile actions by an attacker; they include accidents by users and system administrators.
Person-made
99
What distinction separates threats an organization can control (for example, it might assess the risk of implementing a data loss prevention system to ensure corporate data is not exposed to unauthorized personnel) from threats it is unable to control (for example, weather, protestors, or external hackers)?
Internal vs. external
100
What identifies mission-critical processes and analyzes the business impact if those processes are interrupted due to a disaster?
Business impact analysis (BIA)
101
What term describes the target time set for the resumption of operations after an incident? It is a period of time defined by the business, based on the needs of the business.
Recovery time objective (RTO)
102
What is a totally different concept from RTO: the time period representing the maximum acceptable amount of data loss? It defines the frequency of backup operations necessary to prevent unacceptable levels of data loss.
Recovery point objective (RPO)
103
What is a common measure of how long it takes to repair a given failure? It is an average, and it may or may not include the time needed to obtain parts.
Mean time to repair (MTTR)
104
What is a common measure of the reliability of a system, expressed as the average time between system failures? The time between failures is measured from the time a system returns to service until the next failure.
Mean time between failures (MTBF)
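The MTTR and MTBF cards define both figures in terms of intervals in an outage history, so the following added example (not part of the flashcard set) computes them from a log, measuring MTBF from return-to-service to the next failure as the card specifies rather than failure-to-failure. The log lines and the system name are constructed; the log format is an assumption of this example, not a standard.

```python
"""MTTR and MTBF computed from an outage log, using the card definitions:
MTTR averages the intervals from failure to return to service; MTBF averages
the intervals from a return to service until the next failure.

Added example, not from the flashcards. The log below is constructed.
"""
from datetime import datetime

# Constructed outage log for one system: "<ISO-8601 UTC timestamp> <FAIL|UP> <note>".
OUTAGE_LOG = """\
2024-03-01T02:00:00Z FAIL disk failure on db-primary
2024-03-01T06:00:00Z UP   disk replaced and resynced
2024-03-11T06:00:00Z FAIL kernel panic
2024-03-11T07:30:00Z UP   rebooted on patched kernel
2024-03-21T07:30:00Z FAIL site power loss
2024-03-21T10:30:00Z UP   power restored
"""


def parse_outage_log(text: str) -> list:
    """Return [(timestamp, state), ...], rejecting malformed or inconsistent logs."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or parts[1] not in ("FAIL", "UP"):
            raise ValueError(f"line {lineno}: expected '<timestamp> FAIL|UP <note>'")
        events.append((datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), parts[1]))
    for (t0, s0), (t1, s1) in zip(events, events[1:]):
        if t1 < t0:
            raise ValueError("log is not in chronological order")
        if s0 == s1:   # a FAIL while already down (or UP while up) is a logging error
            raise ValueError(f"two consecutive {s0} events at {t1:%Y-%m-%dT%H:%MZ}")
    return events


def _intervals_hours(events: list, start_state: str) -> list:
    """Hours from each start_state event to the opposite-state event that follows it."""
    hours, pending = [], None
    for ts, state in events:
        if state == start_state:
            pending = ts
        elif pending is not None:
            hours.append((ts - pending).total_seconds() / 3600)
            pending = None
    return hours


def mttr_hours(events: list) -> float:
    """Mean time to repair: average FAIL -> UP interval."""
    repairs = _intervals_hours(events, "FAIL")
    if not repairs:
        raise ValueError("no completed repair in log")
    return sum(repairs) / len(repairs)


def mtbf_hours(events: list) -> float:
    """Mean time between failures: average UP -> next FAIL interval (time in service)."""
    runs = _intervals_hours(events, "UP")
    if not runs:
        raise ValueError("log has no return to service followed by a failure")
    return sum(runs) / len(runs)


def availability(mtbf: float, mttr: float) -> float:
    """Steady-state availability = MTBF / (MTBF + MTTR)."""
    return mtbf / (mtbf + mttr)


if __name__ == "__main__":
    evs = parse_outage_log(OUTAGE_LOG)
    mtbf, mttr = mtbf_hours(evs), mttr_hours(evs)
    print(f"MTTR {mttr:.2f} h, MTBF {mtbf:.1f} h, availability {availability(mtbf, mttr):.4%}")
```

For the constructed log the three repairs take 4, 1.5 and 3 hours (MTTR about 2.83 h) and the two service runs are 240 hours each (MTBF 240 h); the first FAIL has no preceding UP, so it contributes to MTTR but not to MTBF, which is why the two counts differ.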
105
What represents the next step: the transition from operations under business continuity back to normal operations? Just as the transition to business continuity operations needs to be planned, so too does this.
Functional recovery plans
106
What is any system component whose failure or malfunctioning could result in the failure of the entire system
Single point of failure
107
What is the plan a firm creates to manage the business impact of a disaster and to recover from its impacts
Disaster recovery plan (DRP)
108
What functions are those that, should they not occur or be performed properly, will directly affect the mission of the organization? They are the functions that must be restored first after a business impact to enable the organization to restore its operations.
Mission-essential functions
109
What enables the security team to properly prioritize defenses to protect the systems and data in a manner commensurate with the associated risk
Identification of critical systems
110
What is a risk assessment tailored for a specific site For organizations with multiple locations, these are specific to the risks associated with each site
Site Risk Assessment
111
What is a form of damage against a firm’s brand? Customers exercise a choice when they engage in a commerce transaction, and businesses spend a lot of time and resources building brands that steer the purchase decision toward their firm.
Reputation damage
112
What occurs when a criminal, using stolen information, assumes the identity of another individual to obtain and use credit in the victim’s name? If a data disclosure results in the loss of customer personal information, regulations may hold the firm responsible for sharing in this risk on behalf of the victims.
Identity theft
113
Regulatory agencies sometimes can levy fines when regulations are not followed
Fines
114
What is a major organizational consequence of a breach because, when it occurs, the damage may not become evident until the material is used by a competitor?
IP theft
115
Understanding and being prepared to issue __________ ___ ________ is important because once a breach occurs, the timelines to do the correct things are short and the penalties can be significant.
Notifications of breaches
116
When a data breach occurs in the enterprise, it is important to have a process for moving the incident up through your organization. Most data breaches are discovered as part of some incident response process, and the breach needs its own response separate from the initiating incident. What is this process called?
Escalation
117
Many laws and regulations covering information breaches require ______ __________ of computer security breaches in which unencrypted confidential information of any resident may have been compromised
Public notifications and disclosures
118
What can cover basic protection needs or the sources of the data, and thus are not a taxonomy but rather a set of management labels used to alert users of specific requirements?
Data Types
119
What is data that can be seen by the public and needs no protection with respect to confidentiality? It is still important to protect its integrity, lest one communicate incorrect data as being true.
Public data
120
What label is applied to data whose disclosure to an unauthorized party would potentially cause harm or disruption to the organization? Passwords could be considered this.
Private Data
121
What is a generalized term that typically represents data classified as restricted from general or public release
Sensitive
122
What label is applied to data whose disclosure to an unauthorized party would potentially cause serious harm to the organization?
Confidential Data
123
What label is applied to data whose disclosure to an unauthorized party would potentially cause extreme harm to the organization? This data should be defined by policy, and that policy should include details regarding who has the authority to release the data.
Critical Data
124
What is data that is restricted to a company because of its potential competitive use? If a company has data that could be used by a competitor (say, internal costs and pricing data), it needs to be labeled and handled in a manner that protects it from release to competitors.
Proprietary
125
What refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual
Personally identifiable information (PII)
126
The Health Insurance Portability and Accountability Act (HIPAA) regulations define protected health information (PHI) as any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse. What data type is this?
Health information
127
What is a major source of PII? Items such as bank accounts, loans, and payment amounts can all be leveraged against knowledge-based authentication systems to gain access to even more information, such as credit reports.
Financial information
128
What can include PII about people, and this information needs protection in accordance with current rules and regulations
Government data
129
What is the primary source of PII in an enterprise’s systems? This information was collected in response to a specific business need, and it requires appropriate levels of protection to prevent disclosure or release.
Customer data
130
What is limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specified purpose?
Data minimization
131
What involves hiding data by substituting altered values (for example, showing only the last four digits of a card number)? It hides personal or sensitive data but does not render the record unusable.
Data masking
132
What assigns a random surrogate value that has no mathematical relationship to the original data and can be reversed or traced back to it only through a lookup in a protected mapping (the token vault)?
Tokenization
133
What is the process of protecting private or sensitive information by removing the identifiers that connect the stored data to an individual, so that the data can no longer be tied back to a person?
Anonymization
134
What is the method of replacing private identifiers with fake identifiers (pseudonyms)? Unlike anonymization, the mapping or key used to create the pseudonyms allows the data to be re-identified by whoever holds it.
Pseudo-anonymization (pseudonymization)
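The four cards above (masking, tokenization, anonymization, pseudonymization) differ mainly in whether the transformation can be reversed and by whom. The following added example, which is not part of the flashcard set, applies each technique to one constructed customer record so the differences are visible in code. The record, the secret key and the in-memory vault are constructed for illustration; a real token vault would be a separately secured datastore, and the `protect` field assignments are this example's own choices.

```python
"""Masking, tokenization, pseudonymization and anonymization applied to one
record, showing which of them can be reversed and by whom.

Added example, not from the flashcards. The record, key and vault are
constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed record. The card number is the standard test PAN 4111 1111 1111 1111.
RECORD = {
    "name": "Ada Example",
    "email": "ada@example.com",
    "pan": "4111111111111111",
    "zip": "90210",
    "purchase_total": 42.50,
}


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Masking: substitute altered values so the field stays usable for display.

    Only the trailing digits survive; the masked string cannot be reversed.
    """
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12-19 digits")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


class TokenVault:
    """Tokenization: replace a value with a random token that has no mathematical
    relationship to it. Reversal is possible only by looking the token up in the
    vault, so the vault, not the tokens, is what must be protected."""

    def __init__(self) -> None:
        self._token_to_value: dict = {}
        self._value_to_token: dict = {}

    def tokenize(self, value: str) -> str:
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(12)   # random, not derived from value
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenize(self, token: str) -> str:
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        return self._token_to_value[token]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Pseudonymization: replace an identifier with a consistent fake identifier.

    HMAC-SHA-256 under a secret key yields the same pseudonym for the same input,
    so records stay linkable for analysis. Whoever holds the key can re-identify a
    known individual by recomputing the HMAC; without the key the pseudonyms are
    opaque. Rotating the key changes every pseudonym.
    """
    return "p_" + hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


def anonymize(record: dict) -> dict:
    """Anonymization: drop direct identifiers and coarsen the quasi-identifier.

    Nothing kept links the row back to a person, so unlike the techniques above
    there is nothing to reverse.
    """
    return {
        "zip3": record["zip"][:3],   # generalised to the first three digits
        "purchase_total": record["purchase_total"],
    }


def protect(record: dict, vault: TokenVault, key: bytes) -> dict:
    """Apply a different technique per field, as a storage layer might (example choices)."""
    return {
        "display_pan": mask_pan(record["pan"]),             # shown to support staff
        "pan_token": vault.tokenize(record["pan"]),         # stored instead of the PAN
        "customer_id": pseudonymize(record["email"], key),  # joins across datasets
        "analytics": anonymize(record),                     # shared with analysts
    }


if __name__ == "__main__":
    vault, key = TokenVault(), secrets.token_bytes(32)   # constructed secret key
    protected = protect(RECORD, vault, key)
    print(protected)
    assert vault.detokenize(protected["pan_token"]) == RECORD["pan"]
```

Note the difference in what an attacker gains from each output: a masked PAN is useless on its own, a token is useless without the vault, a pseudonym is useless without the key, and the anonymized row was never linked to a person in the first place.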
135
The ownership and asset protection responsibilities of an organization lie with the _______ owner. The _______ owner is responsible for the protection of data at rest, in transit, and in use.
Data owners
136
Who is the person responsible for managing how and why data is going to be used by the organization
Data controller
137
What is the entity that processes data given to it by the data controller? These entities do not own the data, nor do they control it.
data processor
138
What is the role responsible for the day-to-day caretaking of data? The data owner sets the relevant policies, and this role ensures they are followed.
Data custodian/steward
139
What is the C-level executive responsible for establishing and enforcing data privacy policy and addressing legal and compliance issues? This role is responsible for ensuring legal compliance with data privacy regulations.
Data protection officer (DPO)
140
Understanding the lifecycle of information assets, from the point of collection through use and storage to how the assets are shared, protected, and ultimately destroyed, is important if one is to properly handle the information. What is this called?
Information life cycle
141
What is a structured approach to determining the gap between desired privacy performance and actual privacy performance? Organizations that collect, use, store, or process personal information are required to conduct a privacy ______ __________.
Impact assessment
142
The legal description of terms of agreement (commonly known as terms and conditions) is a set of items that both parties agree upon before some joint activity. This is used all the time with any external-facing interface, where the responding party must agree to a published document before being granted access or having their data elements processed. What is this document?
Terms of agreement
143
What is an exterior-facing statement that describes how the organization collects, uses, retains, and discloses personal information? These are also referred to as a privacy statement or a fair processing statement.
Privacy notice