Domain 6 Flashcards
1
Q
Purpose of Security Audit and Assessment
A
- Security assessments, audits, tests, or other activities can be of two types
- Formal - evaluation against compliance standards, which may be a legal, regulatory, or contractual requirement; performed by people outside the organization
- Informal - provides insight into and observations about the system being evaluated; not for the direct purpose of meeting compliance, and typically done in house
2
Q
Assessments
A
- Evaluation of controls to meet management expectations
- Primarily related to risk management and compliance
- Sarbanes-Oxley Act
- HIPAA
- GDPR (if you are in the European Union)
- Often precede an audit to identify and address weaknesses in the environment
3
Q
Testing perspectives
A
- NIST SP 800-15 - describes testing as working from the internal network and assuming the identity of a trusted insider or an attacker who has penetrated the perimeter defenses
- 2012 - Carnegie Mellon conducted a study titled "Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Sector"
- Of 80 major cases of financial fraud, 67 involved internal actors and 13 involved external actors
4
Q
Standards and frameworks
A
- As of 2021, 133 nations have enacted laws regarding the protection of data pertaining to privacy and identity
- Organizations free from legal or marketplace requirements are considered low-hanging fruit or soft targets
5
Q
NIST risk management framework
A
- NIST RMF: SP 800-37
- NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems
6
Q
ISO 27000 information security management system
A
- Series of standards that can be used as an assessment or audit framework
- Primarily used outside of the United States
7
Q
Service organization control SOC reports
A
- American Institute of Certified Public Accountants (AICPA) framework for evaluating internal controls over financial reporting
- Used widely outside the US by orgs that deal directly or indirectly with orgs in the US
8
Q
SOC 1
A
- Internal controls over finances
- SOC 1 Type 1 audits the performance of a set of controls at a particular point in time
- Example: QuickBooks; the report would be useful during early-stage vendor evaluations to verify control readiness
- SOC 1 Type 2 reports on the performance of controls over a specified period
- Example: auditing a company that uses NetSuite for financial accounting; this report type is useful because it effectively measures controls over a specific time period, for things such as regulatory audits and ongoing trust
9
Q
SOC 2
A
- Trust services criteria
- Security
- Availability
- Confidentiality
- Processing integrity
- Privacy
- Also has two types
- Type 1 verifies the design of controls within the organization at the time of the assessment
- Type 2 goes further, assessing whether the controls are working effectively, usually over a specific period
- SOC 1 deals with financial accounting and reporting; SOC 2 deals with trust services
10
Q
SOC 3
A
- Designed to be a publicly releasable summary statement of how well these services meet the trust services criteria principles
11
Q
SAS 70: One Size was not supposed to fit all
A
- Was created for the specific purpose of helping users and their auditors rely on controls over a service provider in the context of the user's financial statements
- Replaced by SOC reports
12
Q
International adoption of SSAE
A
- Two types of reports can be issued for ISAE 3402/SSAE 16: Type 1 and Type 2
- Type 1 covers a point in time
- Type 2 interrogates the effectiveness of the controls by means of testing over a set time, generally not less than six months but not more than 12 months
- 5 sections
- Section 1 = service auditor's independent report, or opinion
- Section 2 = written attestation or assertion of controls by the service org
- Section 3 = description of internal controls
- Section 4 = service auditor's information, which includes the tests of operating effectiveness
- Section 5 = additional information that the service org needs to supply
13
Q
Log reviews
A
- Major control frameworks emphasize the importance of logs
- NIST SP 800-92: Guide to Computer Security Log Management
- Prominent regulations that drive the need for diligent log reviews:
- The Gramm-Leach-Bliley Act
- HIPAA
- SOX
- PCI DSS
14
Q
Compliance and substantive testing
A
- Tests are generally categorized as compliance or substantive
- Compliance - might compare a sample of the organization's employees entitled to access the system with the named users on it; the expected outcome is that the two lists are identical
- Substantive - evaluates the proper operation of the process; provides a higher degree of assurance that a process is performing as expected, but generally takes more time and resources to execute
15
Q
synthetic performance monitoring
A
- Sometimes called proactive monitoring
- External agents run scripted transactions against a web application
- Meant to follow the steps a typical user might take (search, view product, log in, check out) to assess the user's experience
- A variety of systems can benefit from synthetic performance monitoring:
- Website monitoring
- Database monitoring
- TCP port monitoring
- SLA validation