Foundations of Cybersecurity Module 3 Flashcards

1
Q

The purpose of security frameworks include…

A

protecting personally identifiable information, known as PII, securing financial information, identifying security weaknesses, managing organizational risks, and aligning security with business goals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Frameworks 1/4

The first core component is….

A

…identifying and documenting security goals. For example, an organization may have a goal to align with the E.U.’s General Data Protection Regulation, also known as GDPR. GDPR is a data protection law established to grant European citizens more control over their personal data. A security analyst may be asked to identify and document areas where an organization is out of compliance with GDPR.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Frameworks 2/4

The second core component is…

A

…setting guidelines to achieve security goals. For example, when implementing guidelines to achieve GDPR compliance, your organization may need to develop new policies for how to handle data requests from individual users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Frameworks 3/4

The third core component is…

A

…implementing strong security processes. In the case of GDPR, a security analyst working for a social media company may help design procedures to ensure the organization complies with verified user data requests. An example of this type of request is when a user attempts to update or delete their profile information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Frameworks 4/4

The fourth core component is…

A

…monitoring and communicating results. As an example, you may monitor your organization’s internal network and report a potential security issue affecting GDPR to your manager or regulatory compliance officer.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

CIA triad

A

a foundational model that helps inform how organizations consider risk when setting up systems and security policies. CIA stands for confidentiality, integrity, and availability.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

The National Institute of Standards and Technology (NIST)

A

a U.S.-based agency that develops multiple voluntary compliance frameworks that organizations worldwide can use to help manage risk. The more aligned an organization is with compliance, the lower the risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC.

A

FERC-NERC

The Federal Energy Regulatory Commission - North American Electric Reliability Corporation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.

A

FedRAMP - The Federal Risk and Authorization Management Program

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs.

A

CIS - Center for Internet Security

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.

A

GDPR - General Data Protection Regulation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.

A

PCI DSS - Payment Card Industry Data Security Standard

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

a U.S. federal law established in 1996 to protect patients’ health information. This law prohibits patient information from being shared without their consent. It is governed by three rules:

Privacy

Security

Breach notification

A

HIPAA -The Health Insurance Portability and Accountability Act

Organizations that store patient data have a legal obligation to inform patients of a breach because if patients’ Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services.

A

ISO - International Organization for Standardization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

he American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. The ______ and __________ are a series of reports that focus on an organization’s user access policies at different organizational levels such as:

Associate

Supervisor

Manager

Executive

Vendor

Others

They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.

Pro tip: There are a number of regulations that are frequently revised. You are encouraged to keep up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions to research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.

A

System and Organizations Controls (SOC type 1, SOC 2)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Information that relates to the past, present, or future physical or mental health or condition of an individual

A

Protected health information (PHI):

17
Q

A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats

A

Security architecture:

18
Q

Safeguards designed to reduce specific security risks

A

Security controls:

19
Q

Guidelines for making appropriate decisions as a security professional

A

Security ethics:

20
Q

Guidelines used for building plans to help mitigate risk and threats to data and privacy

A

Security frameworks:

21
Q

Practices that help support, define, and direct security efforts of an organization

A

Security governance:

22
Q

The idea that data is accessible to those who are authorized to access it

A

Availability: