Domain 6 Flashcards

1
Q

What occurs when a customer is dissuaded from leaving a provider even when it’s the best decision?

A

Vendor lock-in

2
Q

What’s an industry standard that provides guidance for eDiscovery programs?

A

ISO 27050

3
Q

What provides industry standard guidance for information privacy programs?

A

ISO 27701

4
Q

Who is the entity that uses the data on behalf of the owner/controller?

A

Data processor

5
Q

Who is the person the PII describes?

A

Data subject

6
Q

Who is the entity that creates the PII?

A

Data owner/controller

7
Q

Who are entities that regulate the use of PII?

A

Regulators

8
Q

Is it proper to script a testimony in court?

A

No, but coaching is okay

9
Q

Is deploying a firewall a risk mitigation strategy?

A

Yes

10
Q

________ is a strategy where an organization decides to accept the potential risks and associated outcomes of a particular security threat rather than avoiding or mitigating it

A

Risk acceptance

11
Q

What is a metric that indicates the degree to which your organization requires its information to be protected against confidentiality leaks or compromised data integrity?

A

Risk tolerance - how much risk you can tolerate

12
Q

What is it when an org completely avoids the activity that carries the potential risk?

A

Risk avoidance

13
Q

This is when you transfer the risk to another party when accepting or avoiding the risk yourself is not feasible

A

Risk transfer

14
Q

If the risk then happens, the responsibility or loss will not fall solely on one party.

A

Risk sharing

15
Q

What is the act of adding extra resources, time, or personnel to mitigate the potential impact of a risk?

A

Risk buffering

16
Q

Involves creating a contingency plan or “Plan B” for certain risks.

A

Risk strategizing

17
Q

This is the performance of tests (usually many tests) to verify that a project is secure and functions as intended.

A

Risk testing

18
Q

This allows an organization to determine the potential financial implications of a risk event.

A

Risk quantification

19
Q

This is the implementation of risk controls to mitigate potential hazards or bad outcomes that may arise during a project or with an enterprise.

A

Risk reduction

20
Q

This uses digital tools and technologies to transform how businesses recognize, evaluate, control, and reduce risks.

A

Risk digitization

21
Q

What function tests the effectiveness of controls?

A

Audit

22
Q

This is when you communicate a change in privacy practices to customers.

A

Notice

23
Q

This is when you offer customers an opportunity to opt out of use of their data.

A

Choice and consent

24
Q

This principle says individuals should be able to review and update their personal information.

A

Access

25
T/F: SOX is applicable to all companies.
False, only publicly traded companies
26
What protects your personal student information?
FERPA
27
What happens when an org decides that taking no action is the most beneficial route to managing a risk?
Risk acceptance
28
What standard applies only to financial institutions but regulates privacy of customers financial info?
GLBA
29
What's the proper course of action when records are not available?
Write a statement of scope limitation that describes issue and impact on the audit.
30
What prohibits entities w/in a country that has no nationwide privacy laws from gathering or processing privacy data belonging to EU citizens?
GDPR
31
1. Their country has no laws that comply w/ EU laws 2. Entity creates contractual language that complies w/ EU laws and has language approved by each EU country from which the entity wishes to gather citizen data. 3. Entity voluntarily subscribes to its own nation's privacy shield program
Conditions that allow gathering/processing privacy data for EU citizens for GDPR
32
What's used to capture the impact on intangible factors such as customer confidence, employee morale, and reputation in a BIA?
Qualitative tools
33
What are audit standards for service providers?
SAS 70 and SSAE 18
34
_________ are how SSAE 18 audits are conducted.
SOC reports
35
What's the way to verify that an organization is following some specific best practices before you outsource a business function to that organization?
SOC (service organization controls) report
36
What report is based on the Trust Services Criteria (formerly known as the Trust Service Principles) established by the AICPA and focuses on security, availability, processing integrity, confidentiality, and privacy?
SOC 2
37
What report evaluates the management's description of a service organization's system and the suitability of the design and operating effectiveness of controls over an extended period of time?
SOC2 Type2
38
What report evaluates the management's description of a service organization's system and the suitability of the design of controls at a specific point in time?
SOC2 Type1
39
What is the current AICPA audit standard?
SSAE 18
40
What law helps ensure public companies engage in non-deceptive business accounting practices?
SOX
41
What requires publicly traded companies doing business in the U.S. to establish financial reporting standards, including safeguarding data, tracking attempted breaches, logging electronic records for auditing, and proving compliance?
SOX compliance
42
Does digital forensics include creation of data?
No
43
This includes reviewing the organization's current position/performance as revealed by an audit against a given standard.
Gap analysis
44
This is a method of assessing the performance of a business unit to determine whether business requirements or objectives are being met
Gap analysis
45
What's a good tool for analyzing financial risk?
Quantitative risk assessment
46
What's a good tool for intangible risks?
Qualitative risk assessment
47
What describes privacy requirements for cloud providers, including annual audit mandate?
ISO 27018
48
What does NIST SP 800-37 describe?
Risk management framework
49
SSN, DL#, state ID#, credit/debit #, bank acct #, medical records, health insurance info are all covered by _____.
California's data breach notification law
50
What gives a customer better assurance of not being constrained to a given provider?
When the customer can ensure their data will not be ported to a proprietary data format or system
51
T/F: A platform-agnostic data set is less portable and more subject to vendor lock in.
False, it's more portable and less subject
52
The ease and speed at which a customer can access their own data can influence:
How readily the data might be moved to another provider.
53
What's the greatest motivating factor for a provider to meet SLAs?
financial penalties
54
What's the quantitative analysis of all risks facing an organization and their potential impact?
Org's risk profile
55
What's the amount of risk an org is willing to accept?
Risk appetite
56
T/F: Risk appetite is a conceptual target, whereas risk profile is an assessment of the actual situation.
True
57
What addresses the privacy aspect of cloud computing for consumers and was the first international set of privacy controls in the cloud?
ISO 27018
58
What documents a relationship b/w two orgs?
memorandum of agreement
59
What is required to prevent possible destruction of pertinent evidence?
litigation hold
60
PHI is a form of PII that includes _____.
health info
61
What's the risk that a vendor will not be able to continue operations and a shutdown will adversely impact customers?
Vendor viability
62
What is it called when a vendor prevents a customer from gaining access to their info?
vendor lockout
63
What lowers the probability or impact of a risk occurring?
Risk mitigation
64
What addresses issues of data confidentiality?
NDAs
65
Forbids the transfer of data to countries that lack adequate privacy protections
GDPR
66
Requires CSPs to hand over data to aid in investigation of serious crimes, even if stored in another country.
Clarifying Lawful Overseas Use of Data (CLOUD) Act
67
US companies can’t export to Cuba, Iran, North Korea, Sudan, and Syria.
Computer export controls
68
Dept of Commerce details limitations on export of encryption products outside the US.
Encryption export controls
69
The basis for privacy rights is in the Fourth Amendment to the U.S. Constitution.
Privacy US
70
Legal rules that are created by government entities, such as legislatures/congress.
Laws
71
Rules that are created by governmental agencies.
Regulations
72
Dictate a reasonable level of performance. They can be created by an organization for its own purposes (internal) or come from industry bodies or trade groups (external).
Standards
73
A set of guidelines helping organizations improve their security posture.
Frameworks
74
7 articles of constitution
I - legislative II - executive III - judicial IV - defines relationship b/w state/fed gov V - amending constitution VI - constitution is supreme law of land VII - establishes federal gov
75
Interpretations made by courts over time establish a body of law that other courts may refer to when making their own decisions.
case law
76
Is a set of judicial precedents passed down as case law through many generations.
common law
77
_____ means “responsible or answerable in law; legally obligated”.
Liable
78
Occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.
Civil liability
79
Civil cases are brought to court by one party, called the _____, who is accusing another party of a violation, called the _____.
claimant / respondent
80
Another form of civil violation that does not involve a contract but instead involves harm to one party caused by the actions of another party.
torts
81
A commonly occurring tort in which one party causes harm to another party by their action or lack of action.
negligence
82
The person accused of negligence must have an established responsibility to the accuser.
duty of care
83
The basis for privacy rights is in the _____ to the U.S. Constitution.
Fourth Amendment
84
Cuba, Iran, North Korea, Sudan, and Syria are all countries the ______.
US can't export to
85
_____ are the legal rules that are created by government entities, such as legislatures/congress.
Laws
86
_____ are the rules that are created by governmental agencies.
Regulations
87
_____ dictate a reasonable level of performance.
Standards - they can be internal or external
88
_____ are a set of guidelines helping organizations improve their security posture.
Frameworks
89
_____ is the body of policies, procedures, and regulations that govern the daily operations of government and government agencies.
Administrative law - HIPAA
90
Article I establishes the _____ branch.
legislative
91
Article II establishes the _____ branch.
executive
92
Article III establishes the _____ branch.
judicial
93
Article IV defines the relationship between the _____
federal government and state governments
94
Article V creates a process for _____
amending the Constitution
95
Article VI contains the supremacy clause, establishing that _____
the Constitution is the supreme law of the land.
96
Article VII sets forth the process for _____
the initial establishment of the federal government.
97
Treated as private disputes between parties and handled in civil court.
Contract law
98
_____ occurs when one person claims that another person has failed to carry out a legal duty that they were responsible for.
Civil liability
99
Civil cases are brought to court by one party, called the _____, who is accusing another party of a violation, called the _____.
claimant / respondent
100
Another form of civil violation that does not involve a contract but instead involves harm to one party caused by the actions of another party.
torts
101
A commonly occurring tort in which one party causes harm to another party by their action or lack of action.
negligence
102
The accuser must have suffered some type of harm, be it financial, physical, emotional, or reputational.
damages
103
A reasonable person must be able to conclude that the injury caused to the accuser must be a result of the breach of duty by the accused.
causation
104
All of the following rest with: responsibility for compliance with laws and regulations; researching and planning response in case of conflicting laws; ensuring necessary audit and incident response data is logged and retained; any additional due diligence and due care
the customer
105
An international organization comprised of 38 member states from around the world, publishes guidelines on data privacy.
OECD - org for economic co-operation and development
106
Comprised of 21 member economies in the Pacific Rim. Incorporates many standard privacy practices into their guidance, such as preventing harm, notice, consent, security, and accountability.
asia-pacific economic cooperation privacy framework
107
Mandates privacy for individuals, defines companies’ duties to protect personal data, and prescribes punishments for companies violating these laws. Includes mandatory notification timelines in the event of data breach.
GDPR
108
1996 U.S. law that regulates the privacy and control of health information data.
HIPAA
109
An industry standard for companies that accept, process, or receive payment card transactions.
PCI DSS
110
Exists to solve the lack of a US equivalent to GDPR, which impacts rights and obligations around data transfer.
Privacy Shield
111
Law was enacted in 2002 and sets requirements for U.S. public companies to protect financial data when stored and used.
SOX
112
____ are required by law.
statutory requirements
113
_____ may also be required by law but refer to rules issued by a regulatory body that is appointed by a government entity.
regulatory requirements
114
_____ are required by a legal contract between private parties. These agreements often specify a set of security controls or a compliance framework that must be implemented by a vendor.
contractual requirements
115
3 important considerations to include in maintaining ____ are 1) vendor selection, 2) architecture, 3) due care obligations
chain of custody
116
When considering a cloud vendor, eDiscovery should be considered as a ____ during the selection and contract negotiation phases.
security requirement
117
The burden of recording and preserving potential evidence is the responsibility of _____.
customer
118
_____ provide guidance on best practices for collecting digital evidence and conducting forensics investigations in the cloud.
ISO/IEC and CSA
119
Addresses common issues and solutions needed to address Digital Forensics and Incident Response (DFIR) in cloud environments.
NIST 8006
120
Guide for digital evidence analysis.
ISO 27042
121
Guide for incident investigation principles and processes
ISO 27043
122
In any cloud computing environment, the legal responsibility for data privacy and protection rests with _____
the cloud consumer
123
- Transferring entity (the data owner) must ensure that the receiver of the data holds and processes it in accordance with the principles of Australian privacy law. - Data owner (controller) is responsible for data privacy commonly achieved through contracts that require recipients to maintain or exceed the data owner’s privacy standards
Australian Privacy Act
124
The ____ remains responsible for any data breaches by or on behalf of the recipient entities in Australia.
entity transferring the data out
125
A national level law that restricts how commercial businesses may collect, use, and disclose personal information and covers information about an individual that is identifiable to that specific individual.
Personal Information Protection and Electronic Documents Act (PIPEDA)
126
The right to be informed; the right of access; the right to rectification; the right to erasure (the right to be forgotten); the right to restrict processing; the right to data portability; the right to object; rights in relation to automated decision making and profiling
GDPR
127
Deals with the handling of data while maintaining the privacy and rights of an individual. It is international as it was created by the EU, which has 27 different countries as members, and applies to ANY company with customers in the EU. Includes a 72-hour notification deadline in the case of a data breach.
GDPR
128
Focuses on services of banks, lenders, and insurance and severely limits services they can provide and the information they can share with each other
GLBA
129
- The Financial Privacy Rule, which regulates the collection and disclosure of private financial information - The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information - The Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false
3 main sections of GLBA
130
An international agreement between the United States (U.S.) and the European Union that allows the transfer of personal data from the European Economic Area (EEA) to the U.S. by U.S. based companies.
Privacy Shield
131
Notice; choice; security; access; accountability for onward transfer; data integrity and purpose limitation; recourse, enforcement, and liability
7 principles of privacy shield agreement
132
Created privacy protection for electronic communications like email or other digital communications stored on the Internet and extends the Fourth Amendment of the U.S. Constitution to the electronic realm
The Stored Communication Act (SCA) of 1986
133
Details the people’s “right to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”
4th amendment
134
Under HIPAA, PHI may be stored by cloud service providers as long as
the data is adequately protected
135
- Aids in evidence collection in investigation of serious crimes - Created in 2018 due to the problems that FBI faced in forcing Microsoft to hand over data stored in Ireland. - Requires U.S. based companies to respond to legal requests for data no matter where the data is physically located.
Clarifying Lawful Overseas Use of Data (CLOUD) Act
136
- Was published in July 2014 as a component of the ISO 27001 standard. - Adherence to these privacy requirements enables customer trust in the CSP. - Major CSPs such as Microsoft, Google, and Amazon all maintain
ISO 27018
137
Consent: Personal data obtained by a CSP may not be used for marketing purposes unless expressly permitted by the subject. A customer should be permitted to use a service without requiring this consent. Control: Customers shall have explicit control of their own data and how that data is used by the CSP. Transparency: CSPs must inform customers of where their data resides AND any subcontractors that may process personal data. Communication: Auditing should be in place, and any incidents should be communicated to customers. Audit: Companies (CSP, in this case) must subject themselves to an independent audit on an annual basis.
ISO 27018
138
Widely incorporated into the SOC 2 framework as an optional criterion. Organizations that pursue a SOC 2 audit can include these privacy controls if appropriate. Similar to ISO 27018, which is an optional extension of the controls defined in ISO 27002. An audit of these controls results in a report that can be shared with customers or potential customers, who can use it to assess a service provider’s ability to protect sensitive data.
Generally Accepted Privacy Principles (GAPP)
139
1. Management - The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures. 2. Notice - The organization provides notice of its privacy policies and procedures. The organization identifies the purposes for which personal information is collected, used, and retained. 3. Choice and consent - The organization describes the choices available to the individual, and secures implicit or explicit consent regarding the collection, use, and disclosure of the personal data. 4. Collection - Personal information is collected only for the purposes identified in the notice provided to the individual. 5. Use, retention, and disposal - The personal information is limited to the purposes identified in the notice the individual consented to. 6. Access - The organization provides individuals with access to their personal information for review or update. 7. Disclosure to third parties - Personal information is disclosed to third parties only for the identified purposes and with implicit or explicit consent of the individual. 8. Security for privacy - Personal information is protected against both physical and logical unauthorized access. 9. Quality - The organization maintains accurate, complete, and relevant personal information that is necessary for the purposes identified. 10. Monitoring and enforcement - The organization monitors compliance with its privacy policies and procedures. It also has procedures in place to address privacy related complaints and disputes.
Generally Accepted Privacy Principles (GAPP)
140
This is designed to identify the privacy data being collected, processed, or stored by a system, and assess the effects of a data breach
A privacy impact assessment (PIA)
141
assessment scope, data collection methods, and plan for data retention
Things you need to define to conduct a PIA
142
A methodical examination of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.
auditing
143
Auditing is a _____ control.
detective
144
Security audits and effectiveness reviews are key elements in displaying _____.
due care
145
Acts as a “trusted advisor” to the organization on risk, educating stakeholders, assessing compliance
internal auditor
146
Can provide more continuous monitoring of control effectiveness and policy compliance
internal audit
147
Audits of controls over the hypervisor will usually be the purview of the _____
CSP
148
VMs deployed on top of hardware are usually owned by the _____
customer
149
This is a set of standards defined by the AICPA (American Institute of CPAs). Designed to enhance the quality and usefulness of System and Organization Control (SOC) reports. Includes audit standards and suggested report formats to guide and assist auditors.
SSAE 18
150
Deals mainly with financial controls and are used primarily by CPAs auditing financial statements
SOC1
151
Report that assesses the design of security processes at a specific point in time
SOC2Type1
152
Assesses how effective those controls are over time by observing operations for at least six months. Often requires an NDA due to sensitive contents.
SOC2Type2
153
Contains only the auditor's general opinions and non-sensitive data; is publicly shareable
SOC3
154
Who issues ISAE?
International Auditing and Assurance Standards Board
155
The ISAE 3402 standard is roughly equivalent to the _____ reports in the SSAE
SOC 2
156
- Can be used by cloud service providers, cloud customers, or auditors and consultants - Designed to demonstrate compliance to a desired level of assurance - STAR consists of two levels of certification, which provide increasing levels of assurance
Security Trust Assurance and Risk (STAR) certification program comes from CSA
157
This is a complimentary offering that documents the security controls provided by the CSP
STAR Level 1 self-assessment
158
This requires the CSP to engage an independent auditor to evaluate the CSP’s controls against the CSA standard
STAR Level 2 third party audit
159
Determining the scope of an audit is usually a joint activity performed by
the organization being audited and their auditor.
160
Document and define audit program objectives; gap analysis or readiness assessment; define audit objectives and deliverables; identify auditors and qualifications
audit planning activities
161
Audit fieldwork; audit reporting; audit follow-up
audit phases
162
Quantify risk; develop and execute risk mitigation strategies; provide formal reporting on status of mitigation efforts
ISMS functions
163
A process of matching applicable controls with the organization’s specific circumstances to which they apply.
Tailoring
164
A set of standardized definitions for employees that describe how they are to make use of systems or data.
Functional policy
165
Acceptable use; email use; passwords and access management; incident response; data classification; network services; vulnerability scanning; patch management
Functional policies example
166
Policies related to proper use of company resources, like expense reimbursements and travel
Organizational policies
167
regulates organizations involved in power generation and distribution.
NERC/CIP - north american electric reliability corporation critical infrastructure protection
168
the act of picking a subset of the system’s physical infrastructure to inspect.
sampling
169
Whether a supplier has a risk management program in place, and if so whether the risks identified by that program are being adequately mitigated are primary focus areas in _____.
SCRM
170
T/F: Unlike traditional risk management activities, SCRM in a CSP scenario often requires customers to take an indirect approach, i.e., reviewing audit reports.
True
171
Describes the risk present in the organization based on all the identified risks and any associated mitigations in place.
Risk profile
172
Describes the amount of risk an organization is willing to accept without mitigating.
Risk appetite
173
Regulated industries will be more apt to use:
mitigation, transference, and avoidance
174
Smaller orgs and startups will be more apt to simply _____ risks to avoid cost of treatment.
accept
175
Anyone who processes personal data on behalf of the data controller.
data processor
176
The person or entity that controls processing of the data.
data controller
177
Ensures the organization complies with data regulations.
data protection officer (dpo)
178
The individual or entity that is the subject of the personal data.
data subject
179
Usually a member of senior mgmt. CAN delegate some day to day duties. CANNOT delegate total responsibility.
data owner
180
Usually someone in the IT dept. DOES implement controls for data owner. DOES NOT decide what controls are needed.
data custodian
181
It is a crime to destroy, change, or hide documents to prevent their use in official legal processes.
SOX Section 802
182
Companies must keep audit related records for a minimum of five years.
SOX Section 804
183
States that a data controller “must be able to demonstrate that personal data are processed in a manner transparent to the data subject.” The obligations for transparency begin at the data collection stage and apply “throughout the lifecycle of processing.” Stipulates that communication to data subjects must be “concise, transparent, intelligible and easily accessible, and use clear and plain language.”
GDPR Article 12
184
The practice of modifying risk, usually to lower it. Typically begins with identifying and assessing risks by measuring the likelihood and impact. Risks most likely to occur and impactful would be prioritized.
risk treatment
185
Deliberately choosing to take no other risk management strategy and to simply continue operations as normal in the face of the risk.
risk acceptance
186
Cyber insurance is an example of _____
risk transference
187
applying security controls is
risk mitigation
188
Where the organization changes business practices to completely eliminate the potential that a risk will materialize.
risk avoidance
189
Risk treatments for countering and minimizing loss or unavailability of services or apps due to vulnerabilities
security controls
190
safeguards are _____, countermeasures are ______
proactive / reactive
191
“Cloud Computing Synopsis and Recommendations”
NIST 800-146
192
____contains several standards related to building and running a risk management program.
ISO 31000
193
Produces useful resources related to cloud specific risks that organizations should be aware of and plan for when designing cloud computing systems. This guide identifies various categories of risks and recommendations for organizations to consider when evaluating cloud computing. These include research recommendations to advance the field of cloud computing, legal risks, and security risks.
ENISA
194
patching levels; time to deploy patches; intrusion attempts; mean time to detect (MTTD); mean time to contain (MTTC); mean time to resolve (MTTR)
metrics for cyber risk management
195
Metrics that deviate from expected parameters are _____ and should be reviewed
no longer effective
196
Designing a supply chain risk management (SCRM) program to assess CSP or vendor risks is a _____practice. Actually performing the assessment is an example of _____.
due diligence / due care
197
Enables an objective evaluation to validate that a particular product or system satisfies a defined set of security requirements. Assures customers that security products they purchase have been thoroughly tested by independent third-party testers and meet customer requirements. The certification of the product only certifies product capabilities.
ISO/IEC 15408-1
198
defines how robust the security capabilities are in the evaluated product
evaluation assurance level (EAL) - associated with ISO 15408-1
199
ENISA has published a standard for certifying the cybersecurity practices present in cloud environments. The framework, _____ defines a set of evaluation criteria for various cloud service and deployment models. The goal is producing security evaluation results that allow comparison of the security posture across different cloud providers.
EU Cybersecurity Certification Scheme on Cloud Services (EUCS)
200
supply chain; vendor management; system integration
third party risks
201
This is defined as any contract that two or more parties enter into as a service agreement that should address compliance and process requirements the customer is passing along to CSP
MSA
202
Stipulate performance expectations such as maximum downtimes and often include penalties if the vendor doesn’t meet expectations.
SLAs
203
Are SLAs legally binding?
Yes
204
Uptime guarantees; SLA violation penalties; SLA violation penalty exclusions and limitations; suspension of service clauses; provider liability; data protection and management; disaster recovery and recovery point objectives; security and privacy notifications and timeframes
SLA terms
205
Legal document usually created after an MSA has been executed and governs a specific unit of work. MSA may document services and prices, and this covers requirements, expectations, and deliverables for a project.
SoW
206
MSA focus is ___, SOW focus is ___.
overall and ongoing / limited and specific
207
In many cases, vendor management will include activities related to _____ risks.
operational
208
Does security team conduct vendor viability assessment?
No, b/c it's operational
209
A _____ is a specific article of related information that specifies the agreement between the contracting parties.
contract clause
210
This is an area where legal counsel must be consulted
litigation
211
Any customer compliance requirements that flow to the provider must be _____.
documented and agreed upon in the contract.
212
_____ is designed to help an organization reduce the financial impact of risk by transferring it to an insurance carrier.
Cyber risk insurance
213
Investigation; direct business losses; recovery costs; legal notifications; lawsuits; extortion; food and related expenses
things cyber risk insurance covers
214
Direct monetary losses associated with downtime or data recovery, overtime for employees, and, oftentimes, reputational damages to the organization.
Direct business losses
215
These may include costs associated with replacing hardware or provisioning temporary cloud environments during contingency operations.
Recovery costs
216
Provides a set of practices and guidance for managing cybersecurity risks in supplier relationships. This standard is particularly useful for organizations that use ISO 27001 for building an ISMS or ISO 31000 for risk management
ISO 27036:2021
217
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
NIST SP 800-161
218
An overview of the ICT supply chain risks and challenges, and vision for the way forward, published in 2015
ENISA publication “Supply Chain Integrity"
219
Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
NIST IR 8276