Domain 5 Flashcards
Which Service Organization Control (SOC) level of reporting in the Statements on Standards for Attestation Engagements (SSAE) assesses the ongoing effectiveness of the security architecture of a system in a certain period of time?
A Service Organization Control (SOC) Type II report provides assurance that controls were operating effectively over a specified period (typically six to twelve months). By contrast, a Type I report only attests that controls were suitably designed at a single point in time.
operational security control
is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.
technical control
includes hardware or software mechanisms used to protect assets. Antivirus software, firewalls, and intrusion detection systems are examples of technical controls.
compensating control
serves as a substitute for a principal control that cannot be implemented as specified, providing equivalent protection by different means. It does not prevent an attack but can restore the function of a system through other means, such as a backup or an alternate site.
corrective control
responds to and fixes an incident and prevents its recurrence. Antivirus software that quarantines or removes detected malware is an example of a corrective control.
preventive control
aims to prevent security incidents from occurring in a system. Security training and change management are examples of preventive controls.
detective control
identifies when incidents or vulnerabilities have occurred. Auditing and monitoring are examples of detective controls.
managerial security control
provides the guidance, policies, and procedures for implementing a secure environment, such as an acceptable use policy.
A company is determining what should be in a contract with a new Cloud Service Provider (CSP). Which resource from the Cloud Security Alliance will give the company the baseline level of security competency that the CSP should meet?
The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms. The cloud controls matrix lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.
Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
is a framework that provides guidance in security domains, including application security, identity and access management, mobile security, encryption and key management, and data center operations.
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
provides a voluntary framework (not a mandated policy) for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cybersecurity attacks. Its core is organized into the functions Identify, Protect, Detect, Respond, and Recover.
International Organization for Standardization (ISO)
is an international standards body, not a standard itself. Its ISO/IEC 27000 series (notably 27001 and 27002) are the international standards for information security.
Statements on Standards for Attestation Engagements (SSAE)
is an audit specification guide developed by the American Institute of Certified Public Accountants (AICPA) for accountants. SOC reports are produced under it (currently SSAE 18).
Which of the following requires evidence that a specific user can have data collected about them?
The European Union's General Data Protection Regulation (GDPR) states as one of its requirements that personal data cannot be collected, processed or retained without the individual's informed consent. Informed consent means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese. Consent is one of several lawful bases for processing; the others are legal obligation, contractual obligation, legitimate interest, vital interest, and public task.
Gramm–Leach–Bliley Act (GLBA)
is a federal law in the United States and is a vertical (sector-specific) law for the financial sector.
Sarbanes-Oxley Act (SOX)
mandates the implementation of risk assessments, internal controls, and audit procedures in the United States.
International Organization for Standardization (ISO) 27001
is a standard that sets out the best practice specification for an information security management system (ISMS). The standard guides information security by addressing people and processes as well as technology, and organizations can be certified against it.
International Organization for Standardization (ISO) 27002
is a supplementary standard that focuses on the information security controls that organizations might choose to implement.
International Organization for Standardization (ISO) 27701
provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving a privacy information management system (PIMS). It extends ISO 27001 and ISO 27002 to cover the processing of personal data.
International Organization for Standardization (ISO) 31000
is a risk management framework that assists an organization in integrating risk management into its day-to-day functions.
The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) maps to which of the following compliance standards?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a voluntary framework for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cybersecurity attacks. It maps to CSA CCM.
The Sarbanes-Oxley (SOX) Act helps to protect investors from fraudulent financial reporting by large corporations. It maps to CSA CCM.
The International Organization for Standardization (ISO) is an international standards body whose ISO/IEC 27000 series defines information security standards. These map to CSA CCM.
A company needs to evaluate the overall security posture of the firm. Analyze the following options to determine which is the best solution.
The Center for Internet Security (CIS) publishes the "20 CIS Controls" (reduced to 18 controls in version 8). The CIS Risk Assessment Method (CIS-RAM) can be used to perform an overall evaluation of security posture against those controls.
Department of Defense Cyber Exchange
provides Security Technical Implementation Guides (STIGs) with hardening guidelines for a variety of software and hardware solutions.
National Checklist Program (NCP)
by the National Institute of Standards and Technology (NIST), provides checklists and benchmarks for a variety of operating systems and applications.