Exam1 Flashcards
A category of security control that gives oversight of the information system. Risk assessments, vulnerability assessments.
Managerial Control
Help ensure that the day-to-day operations of an organization comply with the security policy. Awareness and training, configuration management, media protection, physical and environmental protection.
Operational Control
Attempt to prevent an incident before it occurs. Hardening, training, security guards, change management, account disablement policy
Preventative Control
A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls. Encryption, antivirus software, IDSs, IPSs, Firewalls, Least privilege
Technical Control
Attempt to discover incidents after they have occurred. Log monitoring, SIEM systems, security audit, video surveillance, Motion detection, IDSs
Detective Control
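The log monitoring listed above as a detective control, shown as working code. This is an added example, not part of the original flashcards: the auth-log lines are constructed to look like OpenSSH entries (no real hosts or users), and the five-failures-in-one-minute threshold is an assumption chosen for illustration.

```python
"""Detective control as code: flag brute-force style SSH login failures.

Added example, not from the flashcards. The log lines are constructed in the
usual auth.log shape; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges, made-up usernames).
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 09:00:03 bastion sshd[1202]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 09:00:04 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 09:00:06 bastion sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 50214 ssh2
Mar 10 09:00:07 bastion sshd[1205]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar 10 09:00:09 bastion sshd[1206]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
Mar 10 09:15:00 bastion sshd[1300]: Failed password for bob from 198.51.100.20 port 40001 ssh2
Mar 10 09:15:30 bastion sshd[1301]: Accepted password for bob from 198.51.100.20 port 40002 ssh2
"""

# Matches only failed-password lines; "invalid user" is optional because sshd
# prefixes it when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not failures
        # syslog timestamps carry no year; assume one so they can be compared
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (max_count, distinct_users)} for every source IP
    that produced at least `threshold` failures inside one sliding `window`."""
    events = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        events[ip].append((ts, user))

    alerts = {}
    for ip, items in events.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # advance the window start until the span fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, (0, set()))[0]:
                users = {u for _, u in items[start:end + 1]}
                alerts[ip] = (count, users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failures in 1 minute, users tried: {sorted(users)}")
```

Against the sample, only 203.0.113.7 trips the rule (five failures in eight seconds, three different usernames); bob's single typo from 198.51.100.20 does not. A SIEM rule does the same thing at scale, and the window and threshold are exactly the knobs that get tuned to trade false positives against missed slow attacks.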
Attempt to reverse the impact of an incident that has already occurred. Backups and system recovery, incident handling processes, IPSs (which stop an attack that is already in progress).
Corrective Control
Attempt to discourage individuals from causing an incident. Cable locks, physical locks
Deterrent Control
Alternative controls used when a primary control is not feasible.
Compensating Control
Controls you can physically touch.
Physical Control
A legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU)
General Data Protection Regulation (GDPR)
*Gramm-Leach-Bliley Act (GLBA)
*Health Insurance Portability and Accountability Act (HIPAA)
*California Consumer Privacy Act (CCPA)
National, territory, or state laws
an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud.
Payment Card Industry Data Security Standard (PCI DSS)
Consensus-developed secure configuration guidelines for hardening systems (the CIS Benchmarks) and a prescriptive, prioritized, and simplified set of cybersecurity best practices (the CIS Controls)
Center for Internet Security (CIS)
An agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness.
National Institute of Standards and Technology (NIST)
A process that integrates security and risk management activities into the system development life cycle through an approach to security control selection and specification that considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations
Risk management framework (RMF)
A set of industry standards and best practices created by NIST to help organizations manage cybersecurity risks
Cybersecurity Framework (CSF)
An independent organization that establishes standards. They develop standards for a wide variety of industrial and commercial applications, and some directly address cybersecurity topics.
International Organization for Standardization (ISO)
Information security management: specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Organizations that implement the ISMS requirements can go through a three-stage certification process.
ISO 27001
Information technology security techniques; a complement to ISO 27001. While ISO 27001 sets out the requirements an organization must meet to become certified, this standard provides a best-practice guideline for the security controls themselves.
ISO 27002
An extension to ISO 27001 (and ISO 27002) that provides a framework for managing privacy controls, reducing the risk of a breach of individuals' privacy.
ISO 27701
An international standard for enterprise risk management. It provides a universally recognized paradigm for practitioners and companies employing risk management processes, intended to replace the myriad of existing standards, methodologies, and paradigms that differed between industries, subject matters, and regions.
ISO 31000
Type I assesses the design of the controls at a point in time; Type II assesses the ongoing operating effectiveness of the security architecture over a period of time, typically 3 to 12 months.
SSAE SOC 2 Type I/II
A nonprofit organization with a mission to promote best practices for using cloud computing securely.
Cloud Security Alliance (CSA)
A de facto standard for cloud security assurance and compliance, produced by the Cloud Security Alliance (CSA).
Cloud Controls Matrix (CCM)
A document or set of documents to which a project manager or other interested party can refer for best practices. It consists of lists and charts of functions, departments, products, and security practices that create a common vocabulary for IT and management to use when discussing current and future plans.
reference architecture
Offer guidance for setting up and operating computer systems to a secure level that is understood and documented.
Benchmarks/secure configuration guides
Hardening guides that are specific to a piece of software or a platform.
No system should be assumed secure in its default configuration.
Guidelines are needed to keep the whole system safe.
Sources include the manufacturer/vendor and Internet interest groups.
Platform/Vendor specific guides
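A benchmark or vendor hardening guide only helps if the running configuration is actually checked against it. The script below is an added example, not from the flashcards and not a CIS or vendor benchmark: it parses a constructed sshd_config and compares a handful of directives against an assumed baseline, reporting settings that fail and settings that are left unset (so the compiled-in default silently applies). The baseline values are assumptions chosen for illustration.

```python
"""Checking a configuration against a hardening baseline.

Added example, not from the flashcards or any published benchmark. The
baseline and the sshd_config text are both constructed for illustration.
"""

# Constructed sample sshd_config mixing compliant and non-compliant settings.
SAMPLE_SSHD_CONFIG = """\
# constructed example, not a real host
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 10
#LogLevel VERBOSE
"""

# Assumed baseline: keyword -> set of allowed values, or a predicate on the value.
BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
    "LogLevel": {"VERBOSE", "INFO"},
    "MaxAuthTries": lambda v: v.isdigit() and int(v) <= 4,
}


def parse_sshd_config(text):
    """Return {keyword_lowercased: value} for active (non-comment) directives.

    sshd keywords are case-insensitive, and sshd uses the first value it
    obtains for a keyword, so the first occurrence wins here as well.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a keyword with no value is not a usable directive
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text, baseline=BASELINE):
    """Return a list of (keyword, observed_value, status) findings.

    status is "pass", "fail", or "unset". Missing keywords are a finding in
    their own right: the default then applies, and the baseline wants every
    security-relevant value stated explicitly so it is documented.
    """
    settings = parse_sshd_config(text)
    findings = []
    for key, rule in baseline.items():
        observed = settings.get(key.lower())
        if observed is None:
            findings.append((key, None, "unset"))
            continue
        ok = rule(observed) if callable(rule) else observed in rule
        findings.append((key, observed, "pass" if ok else "fail"))
    return findings


def failing(text, baseline=BASELINE):
    """Only the findings an operator has to act on."""
    return [f for f in audit(text, baseline) if f[2] != "pass"]


if __name__ == "__main__":
    for key, observed, status in audit(SAMPLE_SSHD_CONFIG):
        print(f"{status:5}  {key} = {observed!r}")
```

Run against the sample, four of the six rules need attention: root login and password authentication are enabled, MaxAuthTries is too high, and LogLevel is commented out. Treating an absent directive as a finding rather than as "fine, the default applies" is the point of the "understood and documented" wording on the benchmark card.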
Devices that run behind the scenes to keep our networks running; users do not interact with them directly (switches, routers, firewalls, IPSs, etc.)
Network Infrastructure Devices
Requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet
Acceptable Use Policy (AUP)
Assesses the design of a company’s controls at a specific point in time. This type of report is often used as a short-term solution for companies that are trying to close a deal quickly, are new, or have recently made changes to their data security systems.
SOC 2 Type 1
Assesses how well a company’s controls function over a period of time, usually between three and twelve months. This type of report is more comprehensive than a Type 1 report and provides insights into how effective the controls are.
SOC 2 Type 2
What is the difference between SOC 2 Type 1 and Type 2?
SOC 2 Type 1 evaluates whether controls are designed properly at a point of time, whereas SOC 2 Type 2 evaluates whether controls are designed and functioning as intended over a specified period of time.
____ is an application that is managed and hosted by the cloud service provider (CSP). Cloud service customers (CSCs) access it using a web browser, mobile application, application programming interfaces (APIs), or a lightweight client application. In this model, the CSC only worries about the application's configuration, not the underlying resources.
Software as a Service (SaaS)
___ abstracts and provides platforms, such as application platforms (e.g., a place to develop and run code), databases, file storage, and collaborative environments. Other examples include application processing environments for machine learning, big data processing, or API access to SaaS functions. The key differentiator is that, with PaaS, the CSC does not manage the underlying infrastructure.
Platform as a Service (PaaS)
___ offers access to a resource pool of fundamental computing infrastructure, such as compute, network, or storage. In IaaS the CSC is responsible for managing the underlying virtual infrastructure, such as virtual machines, networking, storage, and the running applications.
Infrastructure as a Service (IaaS)
A practice that has employees rotate through different jobs to learn the processes and procedures in each job. Helps to prevent or expose dangerous shortcuts or even fraudulent activity.
job rotation
A requirement that all employees take time off from work, which allows the organization to audit the individual’s areas of responsibility.
Mandatory Vacation Policy
Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.
Separation of Duties
A principle that users are granted the privileges for an activity only if there is a justifiable need for that authorization
Least Privilege
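Separation of duties and least privilege are easy to state and easy to undermine in practice, so here they are enforced in code. This is an added example, not from the flashcards: the roles, permissions, users and the change-approval workflow are all assumptions made up for illustration. Least privilege shows up as deny-by-default role permissions; separation of duties shows up as checks on the person, not just the role, so that one user who has accumulated several roles still cannot request, approve and deploy the same change.

```python
"""Separation of duties and least privilege in a change-approval workflow.

Added example, not from the flashcards. Roles, permissions, users and the
workflow steps are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Least privilege: a role carries only what that job needs. Anything not
# listed is denied; there is no "admin" role that can do everything.
ROLE_PERMISSIONS = {
    "developer": {"change:request"},
    "release_manager": {"change:approve"},
    "operator": {"change:deploy"},
    "auditor": {"change:read"},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class ChangeRequest:
    id: str
    requester: str
    approver: Optional[str] = None
    deployer: Optional[str] = None
    history: list = field(default_factory=list)


def permissions(user):
    """Union of the permissions of the user's roles; unknown roles grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def require(user, perm):
    if perm not in permissions(user):
        raise PermissionError(f"{user.name} lacks {perm}")


def request_change(cr_id, user):
    require(user, "change:request")
    cr = ChangeRequest(id=cr_id, requester=user.name)
    cr.history.append(("request", user.name))
    return cr


def approve(cr, user):
    """Separation of duties: holding the approve permission is necessary but
    not sufficient; the approver must be a different person than the requester."""
    require(user, "change:approve")
    if user.name == cr.requester:
        raise PermissionError("separation of duties: requester cannot approve own change")
    cr.approver = user.name
    cr.history.append(("approve", user.name))
    return cr


def deploy(cr, user):
    """A third pair of hands deploys: neither requester nor approver may."""
    require(user, "change:deploy")
    if cr.approver is None:
        raise PermissionError("change has not been approved")
    if user.name in (cr.requester, cr.approver):
        raise PermissionError("separation of duties: requester/approver cannot deploy")
    cr.deployer = user.name
    cr.history.append(("deploy", user.name))
    return cr


def run_example():
    """Walk one change through three people and record the refused shortcuts."""
    alice = User("alice", frozenset({"developer", "release_manager"}))  # two roles
    bob = User("bob", frozenset({"release_manager"}))
    carol = User("carol", frozenset({"operator"}))
    dave = User("dave", frozenset({"auditor"}))

    cr = request_change("CR-1", alice)
    refused = []
    for who in (alice, dave, carol):  # own change, no permission, wrong role
        try:
            approve(cr, who)
        except PermissionError as err:
            refused.append((who.name, str(err)))
    approve(cr, bob)
    deploy(cr, carol)
    return cr, refused


if __name__ == "__main__":
    change, refusals = run_example()
    print(change.history)
    for name, reason in refusals:
        print(f"refused {name}: {reason}")
```

Alice is the interesting case: role accumulation gives her the approve permission, so a check on roles alone would let her approve her own change. Checking identity against the request record is what keeps the two duties separated; the same pattern applies to any dual-control step (key ceremonies, payment release, firewall changes).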
A policy designed to ensure that all confidential or sensitive materials, either in paper form or electronic, are removed from a user’s workspace and secured.
Clean Desk Space
Procedures used to verify the truthfulness and accuracy of information that applicants provide about themselves and to uncover negative, job-related background information not provided by applicants
Background checks
A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to or by third parties
Non-Disclosure Agreement (NDA)
The process of scouring the Internet to gather personal information and create a fuller profile of a candidate's or employee's attitudes, interests, and experiences
Social Media Analysis
Programs that help employees to integrate and transition to new jobs by making them familiar with corporate policies, procedures, culture, and politics by clarifying work-role expectations and responsibilities
Onboarding
Facilitates employee departure from the company by assisting the completion of exit tasks, including exit interviews, forms completion, the return of company property, and ensuring that employees receive the appropriate extended benefits.
Offboarding
Instructing employees as to the security reasons behind security restrictions.
User training
Selective use of game design and game mechanics to drive employee engagement in non-gaming business scenarios.
Gamification
Training event in which learners must find a token (the flag) within a live network environment.
Capture the Flag
Sending simulated phishing messages to users; users who respond to the messages can be targeted for follow-up training
Phishing Campaigns
Exercises to help employees recognize phishing emails.
Phishing Simulations