Domain 6 Flashcards
What occurs when a customer is dissuaded from leaving a provider even when it’s the best decision?
Vendor lock-in
What’s an industry standard that provides guidance for eDiscovery programs?
ISO 27050
What provides industry standard guidance for information privacy programs?
ISO 27701
Who is the entity that uses the data on behalf of the owner/controller?
Data processor
Who is the person the PII describes?
Data subject
Who is the entity that creates the PII?
Data owner/controller
Who are entities that regulate the use of PII?
Regulators
Is it proper to script a testimony in court?
No, but coaching is okay
Is deploying a firewall a risk mitigation strategy?
Yes
________ is a strategy where an organization decides to accept the potential risks and associated outcomes of a particular security threat rather than avoiding or mitigating it
Risk acceptance
What is a metric that indicates the degree to which your organization requires its information to be protected against confidentiality leaks or compromised data integrity?
Risk tolerance - how much risk you can tolerate
What is it called when an org completely avoids the activity that carries the potential risk?
Risk avoidance
This is when you transfer the risk to another party when accepting or avoiding the risk yourself is not feasible
Risk transfer
If the risk then happens, the responsibility or loss will not fall solely on one party.
Risk sharing
What is the act of adding extra resources, time, or personnel to mitigate the potential impact of a risk?
Risk buffering
Involves creating a contingency plan or “Plan B” for certain risks.
Risk strategizing
This is the performance of tests (usually many tests) to verify that a project is secure and functions as intended.
Risk testing
This allows an organization to determine the potential financial implications of a risk event.
Risk quantification
This is the implementation of risk controls to mitigate potential hazards or bad outcomes that may arise during a project or with an enterprise.
Risk reduction
This uses digital tools and technologies to transform how businesses recognize, evaluate, control, and reduce risks.
Risk digitization
What function tests the effectiveness of controls?
Audit
This is when you communicate a change in privacy practices to customers.
Notice
This is when you offer customers an opportunity to opt out of use of their data.
Choice and consent
This principle says individuals should be able to review and update their personal information.
Access
T/F: SOX is applicable to all companies.
False, only publicly traded companies
What protects your personal student information?
FERPA
What happens when an org decides that taking no action is the most beneficial route to managing a risk?
Risk acceptance
What standard applies only to financial institutions but regulates privacy of customers' financial info?
GLBA
What’s the proper course of action when records are not available?
Write a statement of scope limitation that describes the issue and its impact on the audit.
What prohibits entities w/in a country that has no nationwide privacy laws from gathering or processing privacy data belonging to EU citizens?
GDPR
- Their country has no laws that comply w/ EU laws
- Entity creates contractual language that complies w/ EU laws and has language approved by each EU country from which the entity wishes to gather citizen data.
- Entity voluntarily subscribes to its own nation’s privacy shield program
Conditions that allow gathering/processing privacy data for EU citizens for GDPR
What’s used to capture the impact on intangible factors such as customer confidence, employee morale, and reputation in a BIA?
Qualitative tools
What are audit standards for service providers?
SAS 70 and SSAE 18
_________ are how SSAE 18 audits are conducted.
SOC reports
What’s the way to verify that an organization is following some specific best practices before you outsource a business function to that organization?
SOC (service organization controls) report
What report is based on the Trust Services Criteria (formerly known as the Trust Service Principles) established by the AICPA and focuses on:
Security
Availability
Processing integrity
Confidentiality
Privacy
SOC 2
What report evaluates the management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls over an extended period of time?
SOC2 Type2
What report evaluates the management’s description of a service organization’s system and the suitability of the design of controls at a specific point in time?
SOC2 Type1
What is the current AICPA audit standard?
SSAE 18
What law helps ensure public companies engage in non-deceptive business accounting practices?
SOX
What requires publicly traded companies doing business in the U.S. to establish financial reporting standards, including safeguarding data, tracking attempted breaches, logging electronic records for auditing, and proving compliance?
SOX compliance
Does digital forensics include creation of data?
No
This includes reviewing the organization’s current position/performance as revealed by an audit against a given standard.
Gap analysis
This is a method of assessing the performance of a business unit to determine whether business requirements or objectives are being met
Gap analysis
What’s a good tool for analyzing financial risk?
Quantitative risk assessment
What’s a good tool for intangible risks?
Qualitative risk assessment
What describes privacy requirements for cloud providers, including annual audit mandate?
ISO 27018
What does NIST SP 800-37 describe?
Risk management framework
SSN, DL#, state ID#, credit/debit #, bank acct #, medical records, health insurance info are all covered by _____.
California’s data breach notification law
What gives a customer better assurance of not being constrained to a given provider?
When the customer can ensure their data will not be ported to a proprietary data format or system
T/F: A platform-agnostic data set is less portable and more subject to vendor lock-in.
False, it’s more portable and less subject
The ease and speed at which a customer can access their own data can influence:
How readily the data might be moved to another provider.
What’s the greatest motivating factor for a provider to meet SLAs?
financial penalties
What’s the quantitative analysis of all risks facing an organization and their potential impact?
Org’s risk profile
What’s the amount of risk an org is willing to accept?
Risk appetite
T/F: Risk appetite is a conceptual target, whereas risk profile is an assessment of the actual situation.
True
What addresses the privacy aspect of cloud computing for consumers and was the first international set of privacy controls in the cloud?
ISO 27018
What documents a relationship b/w two orgs?
memorandum of agreement
What is required to prevent possible destruction of pertinent evidence?
litigation hold
PHI is a form of PII that includes _____.
health info
What’s the risk that a vendor will not be able to continue operations and a shutdown will adversely impact customers?
Vendor viability
What is it called when a vendor prevents a customer from gaining access to their info?
vendor lockout
What lowers the probability or impact of a risk occurring?
Risk mitigation
What addresses issues of data confidentiality?
NDAs
Forbids the transfer of data to countries that lack adequate privacy protections
GDPR
Requires CSPs to hand over data to aid in investigation of serious crimes, even if stored in another country.
Clarifying Lawful Overseas Use of Data (CLOUD) Act
US companies can’t export to Cuba, Iran, North Korea, Sudan, and Syria.
Computer export controls
Dept of Commerce details limitations on export of encryption products outside the US.
Encryption export controls
The basis for privacy rights is in the Fourth Amendment to the U.S. Constitution.
Privacy US
Legal rules that are created by government entities, such as legislatures/congress.
Laws
Rules that are created by governmental agencies.
Regulations
Dictate a reasonable level of performance. They can be created by an organization for its own purposes (internal) or come from industry bodies or trade groups (external).
Standards
A set of guidelines helping organizations improve their security posture.
Frameworks
7 articles of constitution
I - legislative
II - executive
III - judicial
IV - defines relationship b/w state/fed gov
V - amending constitution
VI - constitution is supreme law of land
VII - establishes federal gov
Interpretations made by courts over time establish a body of law that other courts may refer to when making their own decisions.
case law
Is a set of judicial precedents passed down as case law through many generations.
common law
_____ means “responsible or answerable in law; legally obligated”.
Liable
Occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.
Civil liability
Civil cases are brought to court by one party, called the _____, who is accusing another party of a violation, called the _____.
claimant / respondent
Is another form of civil violation that does not involve a contract but instead involves harm to one party caused by the actions of another party.
torts
Is a commonly occurring tort that occurs when one party causes harm to another party by their action or lack of action.
negligence
The person accused of negligence must have an established responsibility to the accuser.
duty of care
The basis for privacy rights is in the _____ to the U.S. Constitution.
Fourth Amendment
Cuba, Iran, North Korea, Sudan, and Syria are all countries the ______.
US can’t export to
_____ are the legal rules that are created by government entities, such as legislatures/congress.
Laws
_____ are the rules that are created by governmental agencies.
Regulations
_____ dictate a reasonable level of performance.
Standards - they can be internal or external
_____ are a set of guidelines helping organizations improve their security posture.
Frameworks
_____ policies, procedures, and regulations that govern the daily operations of government and government agencies.
Administrative law - HIPAA
Article I establishes the _____ branch.
legislative
Article II establishes the _____ branch.
executive
Article III establishes the _____ branch.
judicial
Article IV defines the relationship between the _____
federal government and state governments
Article V creates a process for _____
amending the Constitution
Article VI contains the supremacy clause, establishing that _____
the Constitution is the supreme law of the land.
Article VII sets forth the process for _____
the initial establishment of the federal government.
Treated as private disputes between parties and handled in civil court.
Contract law
_____ occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.
Civil liability
Civil cases are brought to court by one party, called the _____, who is accusing another party of a violation, called the _____.
claimant / respondent
Another form of civil violation that does not involve a contract but instead involves harm to one party caused by the actions of another party.
torts
A commonly occurring tort that occurs when one party causes harm to another party by their action or lack of action.
negligence
The accuser must have suffered some type of harm, be it financial, physical, emotional, or reputational.
damages
A reasonable person must be able to conclude that the injury caused to the accuser must be a result of the breach of duty by the accused.
causation
All of the following rest with:
Responsibility for compliance with laws and regulations
Researching and planning response in case of conflicting laws
Ensuring necessary audit and incident response data is logged and retained
Any additional due diligence and due care
the customer
An international organization comprised of 38 member states from around the world, publishes guidelines on data privacy.
OECD - org for economic co-operation and development
Comprised of 21 member economies in the Pacific Rim. Incorporates many standard privacy practices into their guidance, such as preventing harm, notice, consent, security, and accountability.
asia-pacific economic cooperation privacy framework
Mandates privacy for individuals, defines companies’ duties to protect personal data, and prescribes punishments for companies violating these laws. Includes mandatory notification timelines in the event of data breach.
GDPR
1996 U.S. law regulates the privacy and control of health information data.
HIPAA
An industry standard for companies that accept, process, or receive payment card transactions.
PCI DSS
Exists to solve the lack of a US equivalent to GDPR, which impacts rights and obligations around data transfer.
Privacy Shield
Law was enacted in 2002 and sets requirements for U.S. public companies to protect financial data when stored and used.
SOX
____ are required by law.
statutory requirements
_____ may also be required by law but refer to rules issued by a regulatory body that is appointed by a government entity.
regulatory requirements
_____ are required by a legal contract between private parties. These agreements often specify a set of security controls or a compliance framework that must be implemented by a vendor.
contractual requirements
3 important considerations to include in maintaining ____ are 1) vendor selection, 2) architecture, 3) due care obligations
chain of custody
When considering a cloud vendor, eDiscovery should be considered as a ____ during the selection and contract negotiation phases.
security requirement
The burden of recording and preserving potential evidence is the responsibility of _____.
customer
_____ provide guidance on best practices for collecting digital evidence and conducting forensics investigations in the cloud.
ISO/IEC and CSA
Addresses common issues and solutions needed to address Digital Forensics and Incident Response (DFIR) in cloud environments.
NIST 8006
Guide for digital evidence analysis.
ISO 27042
Guide for incident investigation principles and processes
ISO 27043
In any cloud computing environment, the legal responsibility for data privacy and protection rests with _____
the cloud consumer
- Transferring entity (the data owner) must ensure that the receiver of the data holds and processes it in accordance with the principles of Australian privacy law.
- Data owner (controller) is responsible for data privacy commonly achieved through contracts that require recipients to maintain or exceed the data owner’s privacy standards
Australian Privacy Act
The ____ remains responsible for any data breaches by or on behalf of the recipient entities in Australia.
entity transferring the data out
A national level law that restricts how commercial businesses may collect, use, and disclose personal information and covers information about an individual that is identifiable to that specific individual.
Personal Information Protection and Electronic Documents Act (PIPEDA)
The right to be informed
The right of access
The right to rectification
The right to erasure (the right to be forgotten)
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
GDPR
Deals with the handling of data while maintaining privacy and rights of an individual. It is international as it was created by the EU, which has 27 different countries as members, and applies to ANY company with customers in the EU. Includes a 72 hour notification deadline in the case of data breach.
GDPR
Focuses on services of banks, lenders, and insurance and severely limits services they can provide and the information they can share with each other
GLBA
- The Financial Privacy Rule, which regulates the collection and disclosure of private financial information
- The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information
- The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false
3 main sections of GLBA
An international agreement between the United States (U.S.) and the European Union that allows the transfer of personal data from the European Economic Area (EEA) to the U.S. by U.S. based companies.
Privacy Shield
Notice
Choice
Security
Access
Accountability for onward transfer
Data integrity and purpose limitation
Recourse, enforcement, and liability
7 principles of privacy shield agreement
Created privacy protection for electronic communications like email or other digital communications stored on the Internet and extends the Fourth Amendment of the U.S. Constitution to the electronic realm
The Stored Communication Act (SCA) of 1986
Details the people’s “right to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”
4th amendment
Under HIPAA, PHI may be stored by cloud service providers as long as
the data is adequately protected
- Aids in evidence collection in investigation of serious crimes
- Created in 2018 due to the problems that FBI faced in forcing Microsoft to hand over data stored in Ireland.
- Requires U.S. based companies to respond to legal requests for data no matter where the data is physically located.
Clarifying Lawful Overseas Use of Data (CLOUD) Act
- Was published in July 2014 as a component of the ISO 27001 standard.
- Adherence to these privacy requirements enables customer trust in the CSP.
- Major CSPs such as Microsoft, Google, and Amazon all maintain
ISO 27018
Consent: Personal data obtained by a CSP may not be used for marketing purposes unless expressly permitted by the subject. A customer should be permitted to use a service without requiring this consent.
Control: Customers shall have explicit control of their own data and how that data is used by the CSP.
Transparency: CSPs must inform customers of where their data resides AND any subcontractors that may process personal data.
Communication: Auditing should be in place, and any incidents should be communicated to customers.
Audit: Companies (CSP, in this case) must subject themselves to an independent audit on an annual basis.
ISO 27018
Widely incorporated into the SOC 2 framework as an optional criterion. Organizations that pursue a SOC 2 audit can include these privacy controls if appropriate. Similar to ISO 27018, which is an optional extension of the controls defined in ISO 27002. An audit of these controls results in a report that can be shared with customers or potential customers, who can use it to assess a service provider’s ability to protect sensitive data.
Generally Accepted Privacy Principles (GAPP)
- Management - The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
- Notice - The organization provides notice of its privacy policies and procedures. The organization identifies the purposes for which personal information is collected, used, and retained.
- Choice and consent - The organization describes the choices available to the individual, and secures implicit or explicit consent regarding the collection, use, and disclosure of the personal data.
- Collection - Personal information is collected only for the purposes identified in the notice provided to the individual.
- Use, retention, and disposal - The personal information is limited to the purposes identified in the notice the individual consented to.
- Access - The organization provides individuals with access to their personal information for review or update.
- Disclosure to third parties - Personal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the individual.
- Security for privacy - Personal information is protected against both physical and logical unauthorized access.
- Quality - The organization maintains accurate, complete, and relevant personal information that is necessary for the purposes identified.
- Monitoring and enforcement - The organization monitors compliance with its privacy policies and procedures. It also has procedures in place to address privacy related complaints and disputes.
Generally Accepted Privacy Principles (GAPP)
This is designed to identify the privacy data being collected, processed, or stored by a system, and assess the effects of a data breach
A privacy impact assessment (PIA)
assessment scope, data collection methods, and plan for data retention
Things you need to define to conduct a PIA
A methodical examination of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.
auditing
Auditing is a _____ control.
detective
Security audits and effectiveness reviews are key elements in displaying _____.
due care
Acts as a “trusted advisor” to the organization on risk, educating stakeholders, assessing compliance
internal auditor
Can provide more continuous monitoring of control effectiveness and policy compliance
internal audit
Audits of controls over the hypervisor will usually be the purview of the _____
CSP
VMs deployed on top of hardware are usually owned by the _____
customer
This is a set of standards defined by the AICPA (American Institute of CPAs). Designed to enhance the quality and usefulness of System and Organization Control (SOC) reports. Includes audit standards and suggested report formats to guide and assist auditors.
SSAE 18
Deals mainly with financial controls and is used primarily by CPAs auditing financial statements
SOC1
Report that assesses the design of security processes at a specific point in time
SOC2Type1
Assesses how effective those controls are over time by observing operations for at least six months. Often requires an NDA due to sensitive contents.
SOC2Type2
Contains only the auditor’s general opinions and non-sensitive data; is publicly shareable
SOC3
Who issues ISAE
International Auditing and Assurance Standards Board
The ISAE 3402 standard is roughly equivalent to the _____ reports in the SSAE
SOC 2
- Can be used by cloud service providers, cloud customers, or auditors and consultants
- Designed to demonstrate compliance to a desired level of assurance
- STAR consists of two levels of certification, which provide increasing levels of assurance
Security Trust Assurance and Risk (STAR) certification program comes from CSA
This is a complimentary offering that documents the security controls provided by the CSP
STAR Level 1 self-assessment
This requires the CSP to engage an independent auditor to evaluate the CSP’s controls against the CSA standard
STAR Level 2 third party audit
Determining the scope of an audit is usually a joint activity performed by
the organization being audited and their auditor.
Document and define audit program objectives
Gap analysis or readiness assessment
Define audit objectives and deliverables
Identifying auditors and qualifications
audit planning activities
Audit fieldwork
Audit reporting
Audit follow up
audit phases
Quantify risk
Develop and execute risk mitigation strategies
Provide formal reporting on status of mitigation efforts
ISMS functions
A process of matching applicable controls with the organization’s specific circumstances to which they apply.
Tailoring
A set of standardized definitions for employees that describe how they are to make use of systems or data.
Functional policy
Acceptable use
Email use
Passwords and access management
Incident response
Data classification
Network services
Vulnerability scanning
Patch management
Functional policies example
Policies related to proper use of company resources, like expense reimbursements and travel
Organizational policies
regulates organizations involved in power generation and distribution.
NERC/CIP - north american electric reliability corporation critical infrastructure protection
the act of picking a subset of the system’s physical infrastructure to inspect.
sampling
Whether a supplier has a risk management program in place, and if so whether the risks identified by that program are being adequately mitigated are primary focus areas in _____.
SCRM
T/F: Unlike traditional risk management activities, SCRM in a CSP scenario often requires customers to take an indirect approach, reviewing audit reports.
True
Describes the risk present in the organization based on all the identified risks and any associated mitigations in place.
Risk profile
Describes the amount of risk an organization is willing to accept without mitigating.
Risk appetite
Regulated industries will be more apt to:
mitigation, transference, and avoidance
Smaller orgs and startups will be more apt to simply _____ risks to avoid cost of treatment.
accept
Anyone who processes personal data on behalf of the data controller.
data processor
The person or entity that controls processing of the data.
data controller
Ensures the organization complies with data regulations.
data protection officer (dpo)
The individual or entity that is the subject of the personal data.
data subject
Usually a member of senior mgmt. CAN delegate some day-to-day duties. CANNOT delegate total responsibility.
data owner
Usually someone in the IT dept. DOES implement controls for data owner. DOES NOT decide what controls are needed.
data custodian
It is a crime to destroy, change, or hide documents to prevent their use in official legal processes.
SOX Section 802
Companies must keep audit related records for a minimum of five years.
SOX Section 804
States that a data controller “must be able to demonstrate that personal data are processed in a manner transparent to the data subject.” The obligations for transparency begin at the data collection stage and apply “throughout the lifecycle of processing.” Stipulates that communication to data subjects must be “concise, transparent, intelligible and easily accessible, and use clear and plain language.”
GDPR Article 12
The practice of modifying risk, usually to lower it. Typically begins with identifying and assessing risks by measuring the likelihood and impact. Risks most likely to occur and impactful would be prioritized.
risk treatment
Deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.
risk acceptance
Cyber insurance is an example of _____
risk transference
Applying security controls is _____.
risk mitigation
Where the organization changes business practices to completely eliminate the potential that a risk will materialize.
risk avoidance
Risk treatments for countering and minimizing loss or unavailability of services or apps due to vulnerabilities
security controls
safeguards are _____, countermeasures are ______
proactive / reactive
“Cloud Computing Synopsis and Recommendation
NIST 800-146
____contains several standards related to building and running a risk management program.
ISO 31000
Produces useful resources related to cloud specific risks that organizations should be aware of and plan for when designing cloud computing systems. This guide identifies various categories of risks and recommendations for organizations to consider when evaluating cloud computing. These include research recommendations to advance the field of cloud computing, legal risks, and security risks.
ENISA
patching levels
time to deploy patches
intrusion attempts
mean time to detect (mttd)
mean time to contain (mttc)
mean time to resolve (mttr)
metrics for cyber risk management
Metrics that deviate from expected parameters are _____ and should be reviewed
no longer effective
Designing a supply chain risk management (SCRM) program to assess CSP or vendor risks is a _____ practice. Actually performing the assessment is an example of _____.
due diligence / due care
Enables an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements. Assures customers that security products they purchase have been thoroughly tested by independent third-party testers and meet customer requirements. The certification of the product only certifies product capabilities.
ISO/IEC 15408-1
defines how robust the security capabilities are in the evaluated product
evaluation assurance level (EAL) - associated with ISO 15408-1
ENISA has published a standard for certifying the cybersecurity practices present in cloud environments. The framework, _____, defines a set of evaluation criteria for various cloud service and deployment models. The goal is producing security evaluation results that allow comparison of the security posture across different cloud providers.
EU Cybersecurity Certification Scheme on Cloud Services (EUCS)
supply chain
vendor mgmt
system integration
third party risks
This is defined as any contract that two or more parties enter into as a service agreement that should address compliance and process requirements the customer is passing along to CSP
MSA
Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn’t meet expectations.
SLAs
Are SLAs legally binding?
Yes
Uptime guarantees
SLA violation penalties
SLA violation penalty exclusions and limitations
Suspension of service clauses
Provider liability
Data protection and management
Disaster recovery and recovery point objectives
Security and privacy notifications and timeframes
SLA terms
Legal document usually created after an MSA has been executed and governs a specific unit of work. MSA may document services and prices, and this covers requirements, expectations, and deliverables for a project.
SoW
MSA focus is ___, SOW focus is ___.
overall and ongoing / limited and specific
In many cases, vendor management will include activities related to _____ risks.
operational
Does security team conduct vendor viability assessment?
No, b/c it’s operational
A _____ is a specific article of related information that specifies the agreement between the contracting parties.
contract clause
This is an area where legal counsel must be consulted
litigation
Any customer compliance requirements that flow to the provider must be _____.
documented and agreed upon in the contract.
_____ is designed to help an organization reduce the financial impact of risk by transferring it to an insurance carrier.
Cyber risk insurance
Investigation
Direct business losses
Recovery costs
Legal notifications
Lawsuits
Extortion
Food and related expenses
things cyber risk insurance covers
Direct monetary losses associated with downtime or data recovery, overtime for employees, and, oftentimes, reputational damages to the organization.
Direct business losses
These may include costs associated with replacing hardware or provisioning temporary cloud environments during contingency operations.
Recovery costs
Provides a set of practices and guidance for managing cybersecurity risks in supplier relationships. This standard is particularly useful for organizations that use ISO 27001 for building an ISMS or ISO 31000 for risk management
ISO 27036:2021
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
NIST SP 800-161
An overview of the ICT supply chain risks and challenges, and a vision for the way forward, published in 2015
ENISA publication “Supply Chain Integrity”
Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
NIST IR 8276