Domain 6 Flashcards

1
Q

Purpose of Security Audit and Assessment

A
  • Security assessments, audits, tests and other evaluation activities can be of two types
    - Formal: evaluation against compliance standards, which may be a legal, regulatory or contractual requirement
      performed by people outside the organization
    - Informal: provides insight into, and observations about, the system being evaluated
      not for the direct purpose of meeting compliance, and typically done in house
2
Q

Assessments

A
  • Evaluation of controls to determine whether they meet management expectations
  • Primarily related to risk management and compliance, for example
    - Sarbanes-Oxley Act (SOX)
    - HIPAA
    - GDPR, for organizations operating in the European Union
  • Often precede an audit, so that weaknesses in the environment can be identified and addressed before the auditors arrive
3
Q

Testing perspectives

A
  • NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) describes internal testing as working from the internal network, assuming the identity of a trusted insider or of an attacker who has already penetrated the perimeter defenses
  • In 2012 Carnegie Mellon's CERT published a study titled "Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector"
    - of the eighty major cases of financial fraud examined, 67 involved internal actors and 13 external actors
4
Q

Standards and frameworks

A
  • As of 2021, 133 nations had enacted laws regarding the protection of data pertaining to privacy and identity
  • Organizations free from legal or marketplace requirements to assess their security are considered low-hanging fruit, or soft targets
5
Q

NIST risk management framework

A
  • NIST RMF: SP 800-37, Risk Management Framework for Information Systems and Organizations
  • NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
6
Q

ISO 27000 information security management system (ISMS)

A
  • Series of standards that can be used as an assessment or audit framework; ISO/IEC 27001 specifies the ISMS requirements an organization can be certified against
  • Primarily used outside of the United States
7
Q

Service organization control SOC reports

A
  • American Institute of Certified Public Accountants (AICPA) framework for evaluating a service organization's internal controls, originally those over financial reporting
  • Used widely outside the US by organizations that deal directly or indirectly with organizations in the US
8
Q

SOC 1

A
  • Reports on a service organization's internal controls that are relevant to its customers' financial reporting
  • SOC 1 Type 1 reports on the design of a set of controls at a particular point in time
    - Example: a report on an accounting SaaS such as QuickBooks, useful during early-stage vendor evaluation to verify control readiness
  • SOC 1 Type 2 reports on the operating effectiveness of the controls over a specified period
    - Example: auditing a company that uses NetSuite for financial accounting; the Type 2 report is the useful one because it measures the controls over a period of time, which is what regulatory audits and ongoing trust require
9
Q

SOC 2

A
  • Trust services criteria
    - Security
    - Availability
    - confidentiality
    - processing integrity
    - privacy
  • also has two types
    - Type 1 verifies the design of controls within the organization at the time of the assessment
    - Type 2 goes further, assessing whether the controls are operating effectively over a specified period
  • Do not confuse the report number with the type: SOC 1 deals with financial accounting and reporting, SOC 2 deals with the trust services criteria, and either can be issued as a Type 1 or a Type 2 report
10
Q

SOC 3

A
  • Designed to be a publicly releasable summary statement of how well the organization's services meet the trust services criteria
11
Q

SAS 70: One Size was not supposed to fit all

A
  • Was created for the specific purpose of helping user organizations and their auditors rely on controls at a service provider in the context of the users' financial statements
  • Replaced by SOC reports (SSAE 16, effective 2011)
12
Q

International adoption of SSAE

A
  • Two types of report can be issued under ISAE 3402 / SSAE 16 (SSAE 16 has since been superseded by SSAE 18): Type 1 and Type 2
    - Type 1 covers a point in time
    - Type 2 tests the operating effectiveness of the controls over a set period, generally not less than six months and not more than twelve
  • 5 sections
    - Section 1 = service auditor's independent report (opinion)
    - Section 2 = written attestation or assertion about the controls by the service organization's management
    - Section 3 = description of the system and its internal controls
    - Section 4 = service auditor's information, including the tests of operating effectiveness and their results
    - Section 5 = additional information that the service organization chooses to supply
13
Q

Log reviews

A
  • Major control frameworks emphasize the importance of logs
  • NIST SP 800-92, Guide to Computer Security Log Management
  • Prominent regulations that drive the need for diligent log reviews
    - Gramm-Leach-Bliley Act (GLBA)
    - HIPAA
    - SOX
    - PCI DSS
14
Q

Compliance and substantive testing

A
  • Tests are generally categorized as compliance or substantive
    - Compliance: checks that a control exists and is applied as documented; for example, compare a sample of the employees entitled to access a system with the named users on that system, where the expected outcome is that the two lists are identical
    - Substantive: evaluates the proper operation of the process itself
      provides a higher degree of assurance that a process is performing as expected, but generally takes more time and resources to execute
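Added example (not from the original flashcards): the compliance test described above, written as a script. It reconciles an entitlement list against the named users present on a system. Both lists are constructed sample data, and the record fields (status, enabled) are assumptions.

```python
from dataclasses import dataclass

# Constructed sample: the access-management (HR) record of who is entitled to the system.
ENTITLED_USERS = {
    "asmith": {"role": "finance-clerk", "status": "active"},
    "bjones": {"role": "finance-manager", "status": "active"},
    "cwu": {"role": "auditor", "status": "active"},
    "dlee": {"role": "finance-clerk", "status": "terminated"},  # left the company
}

# Constructed sample: named accounts actually present on the system, as an
# administrator would export them from the application's user table or directory.
SYSTEM_ACCOUNTS = {
    "asmith": {"enabled": True},
    "bjones": {"enabled": True},
    "dlee": {"enabled": True},        # terminated in HR, still enabled here
    "svc_backup": {"enabled": True},  # no entitlement record at all
}


@dataclass(frozen=True)
class Reconciliation:
    missing_accounts: frozenset    # entitled and active, but no account exists
    orphan_accounts: frozenset     # account exists, but nobody is entitled to it
    terminated_enabled: frozenset  # entitlement ended, account still enabled

    @property
    def passed(self):
        """The compliance test passes only when the two lists match exactly."""
        return not (self.missing_accounts or self.orphan_accounts or self.terminated_enabled)

    def findings(self):
        """Human-readable findings for the test workpaper."""
        out = [f"no account for entitled user {u}" for u in sorted(self.missing_accounts)]
        out += [f"account {u} has no entitlement record" for u in sorted(self.orphan_accounts)]
        out += [f"account {u} enabled after entitlement ended" for u in sorted(self.terminated_enabled)]
        return out


def reconcile(entitled, accounts):
    """Compare the entitlement list with the named users on the system."""
    active = {u for u, rec in entitled.items() if rec["status"] == "active"}
    present = set(accounts)
    return Reconciliation(
        missing_accounts=frozenset(active - present),
        orphan_accounts=frozenset(present - set(entitled)),
        terminated_enabled=frozenset(
            u for u in present & set(entitled)
            if u not in active and accounts[u]["enabled"]
        ),
    )


if __name__ == "__main__":
    result = reconcile(ENTITLED_USERS, SYSTEM_ACCOUNTS)
    print("PASS" if result.passed else "FAIL")
    for line in result.findings():
        print(" -", line)
```

A matching pair of lists passes; the constructed sample fails with one entitled user who has no account, one account nobody is entitled to, and one terminated user still enabled. A real test would typically draw a random sample of entitled users rather than the whole list. A substantive test would go further and exercise the joiner/leaver process itself, for example terminating a test user and confirming the account is disabled within the documented time.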
15
Q

synthetic performance monitoring

A
  • Sometimes called proactive monitoring
  • External agents run scripted transactions against a web application
  • Meant to follow the steps a typical user would take (search, view product, log in, check out) in order to assess the user's experience from outside
  • A variety of systems can benefit from synthetic performance monitoring
    - website monitoring
    - database monitoring
    - TCP port monitoring
    - SLA validation
16
Q

Synthetic transactions in practice

A
  • A practical example is found in Microsoft's System Center Operations Manager (SCOM)
    o you can create a variety of synthetic transactions to monitor databases, websites and TCP port usage
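Added example (not from the original flashcards, and not SCOM's own code): a minimal synthetic-transaction probe for the search, view product, log in, check out journey described in cards 15 and 16. A tiny in-process HTTP server stands in for the web application so the script runs offline; its routes, the probe user and the SLA threshold are assumptions. Against a real site the agent would run on a schedule from outside the network.

```python
import json
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class FakeShop(BaseHTTPRequestHandler):
    """Constructed stand-in for the monitored web application (not a real product)."""

    def log_message(self, *args):
        pass  # keep the server quiet

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        path, _, query = self.path.partition("?")
        if path == "/search":
            term = urllib.parse.parse_qs(query).get("q", [""])[0]
            self._send(200, {"results": [{"id": 42, "name": term}]})
        elif path == "/product/42":
            self._send(200, {"id": 42, "price": 9.99})
        else:
            self._send(404, {"error": "not found"})

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path == "/login" and body.get("user") == "probe":
            self._send(200, {"token": "t-123"})
        elif self.path == "/checkout" and self.headers.get("Authorization") == "Bearer t-123":
            self._send(200, {"order": "o-1"})
        else:
            self._send(403, {"error": "forbidden"})


def start_server():
    """Start the stand-in app on a free localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeShop)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def _call(base, path, data=None, token=None):
    """One HTTP request; returns (status, parsed JSON body, latency in ms)."""
    payload = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(base + path, data=payload)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, body = resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        status, body = err.code, {}
    return status, body, (time.perf_counter() - start) * 1000


def run_transaction(base, user="probe", sla_ms=500.0):
    """Walk the scripted journey; a step passes only on 200, expected content and latency <= SLA.
    Stops at the first failure because later steps need earlier results. Returns (steps, passed)."""
    steps = []

    def record(name, status, body, ms, content_ok):
        ok = bool(content_ok) and status == 200 and ms <= sla_ms
        steps.append({"step": name, "status": status, "ms": round(ms, 1), "ok": ok})
        return ok

    status, body, ms = _call(base, "/search?q=widget")
    if not record("search", status, body, ms, body.get("results")):
        return steps, False
    product_id = body["results"][0]["id"]
    status, body, ms = _call(base, "/product/%s" % product_id)
    if not record("view_product", status, body, ms, "price" in body):
        return steps, False
    status, body, ms = _call(base, "/login", data={"user": user, "password": "x"})
    if not record("login", status, body, ms, "token" in body):
        return steps, False
    status, body, ms = _call(base, "/checkout", data={"items": [product_id]}, token=body["token"])
    if not record("checkout", status, body, ms, "order" in body):
        return steps, False
    return steps, True


if __name__ == "__main__":
    server, base_url = start_server()
    try:
        for step in run_transaction(base_url)[0]:
            print(step)
    finally:
        server.shutdown()
```

The same script serves as an SLA validation check: a step fails on a wrong status, on missing content, or on latency over the threshold, and the per-step latencies are what a monitoring system would graph over time.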
17
Q

Negative testing

A
  • Tests designed to provide evidence of the application's behavior when it receives unexpected or invalid data
  • Aimed at detecting possible application crashes in different situations
  • The line between negative testing and misuse-case testing can be blurred: the demand for ultra-high reliability and fail-safe operation (or controlled shutdown) forces requirements analysts and design engineers to build these systems with such out-of-limits conditions in mind
18
Q

Test coverage analysis

A
  • If the testing program has achieved statement coverage, it means that 100% of the statements in the software have been executed at least once as part of a test
  • Examples of structural coverage types
    o statement coverage
    o decision coverage
    o condition coverage
    o multiple condition coverage
    o loop coverage
    o path coverage
    o data flow coverage
  • Typical input-validation cases the tests should exercise (these describe what is fed to the software, not structural coverage)
    o populating required fields
    o correspondence between data and field types
    o allowed number of characters
    o allowed data bounds and limits
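Added example (not from the original flashcards) covering both card 17 and card 18: negative tests for a form-field validator that exercise the four input checks listed above, plus a statement-coverage tracer that reports which lines of the validator the tests never executed. The validator's rules are a constructed schema chosen for illustration.

```python
import dis
import sys

# Constructed schema: the rules the validator enforces (an assumption for this example).
FIELD_RULES = {
    "username": {"required": True, "type": str, "max_len": 16},
    "age":      {"required": True, "type": int, "min": 0, "max": 150},
    "nickname": {"required": False, "type": str, "max_len": 8},
}


def validate(record):
    """Return a list of error strings; an empty list means the record is valid."""
    errors = []
    for name, rule in FIELD_RULES.items():
        value = record.get(name)
        if value is None:
            if rule["required"]:
                errors.append(f"{name}: required field missing")
            continue
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: longer than {rule['max_len']} characters")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum {rule['min']}")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum {rule['max']}")
    return errors


# Negative test cases: (description, constructed invalid input, expected error fragment).
NEGATIVE_CASES = [
    ("required field not populated", {"age": 30}, "username: required"),
    ("data does not match field type", {"username": "bob", "age": "30"}, "age: expected int"),
    ("too many characters", {"username": "a" * 17, "age": 30}, "username: longer"),
    ("below lower bound", {"username": "bob", "age": -1}, "age: below"),
    ("above upper bound", {"username": "bob", "age": 151}, "age: above"),
    ("bool masquerading as int", {"username": "bob", "age": True}, "age: expected int"),
]


def run_negative_tests(cases=NEGATIVE_CASES):
    """Every case must be rejected with the expected error and must not crash the validator."""
    failures = []
    for desc, record, expected in cases:
        try:
            errs = validate(record)
        except Exception as exc:  # a crash on bad input is exactly what negative tests hunt for
            failures.append(f"{desc}: raised {exc!r}")
            continue
        if not any(expected in e for e in errs):
            failures.append(f"{desc}: expected {expected!r}, got {errs}")
    return failures


def statement_coverage(func, runner):
    """Run runner() under a line tracer and report which statements of func executed."""
    code = func.__code__
    first = code.co_firstlineno  # the 'def' line itself is not a statement of the body
    all_lines = {ln for _, ln in dis.findlinestarts(code) if ln is not None and ln > first}
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # trace nothing but the function under measurement
        if event == "line" and frame.f_lineno > first:
            executed.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        runner()
    finally:
        sys.settrace(previous)
    hit = executed & all_lines
    return {
        "executed": sorted(hit),
        "missed": sorted(all_lines - executed),
        "percent": round(100.0 * len(hit) / len(all_lines), 1),
    }


if __name__ == "__main__":
    print("negative-test failures:", run_negative_tests())
    print("coverage, all cases:", statement_coverage(validate, run_negative_tests))
    print("coverage, one case:", statement_coverage(validate, lambda: run_negative_tests(NEGATIVE_CASES[:1])))
```

Running the tracer with only the first case reports missed lines; with all six cases every statement of the validator executes. Even at 100% statement coverage the report says nothing about whether each if took both of its outcomes, which is what decision coverage measures.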