Governance, Risk and Compliance Flashcards
Types of controls categories (3)
Managerial, technical, operational
Difference between managerial and operational controls
Managerial is high-level risk management, assessment and mitigation plans, usually at the policy, plan and procedure level.
Operational is targeted at employees' day-to-day operations, including physical security.
AUP
Acceptable Use Policy
Risk formula
Probability times impact
SLE
Single Loss Expectancy
EF
Exposure Factor
Define Exposure Factor
cost of threat event divided by value of asset
Define SLE
cost of a threat event (value * EF)
ARO
Average Rate of Occurrence
ALE
Average Loss Expectancy
Define ALE
The Average Loss Expectancy is the SLE * ARO
MTTF
Mean Time to Fail (one-time)
RTO
Recovery Time Objective
RPO
Recovery Point Objective
Ways to handle risk (3 + 2)
Mitigation, Acceptance and Transference + Avoidance and Deterrence
Change Management
Evaluating the impact of changes in the system as a whole
DLP
Data Loss Prevention
Two locking doors with a space between them
Mantrap
Cold vs Warm vs Hot Site
Cold is only backup space, with no IT infrastructure, needs equipment. Warm already has office space and critical IT equipment. Hot is ready to go with all infrastructure and systems needed.
Disaster Recovery Sites can be either ____ or _____
shared or exclusive
Incremental vs Differential Backup
Differential only saves files changed since the last full backup (restoring requires one delta); incremental backups require several deltas.
BCP
Business Continuity Plan
DRP
Disaster Recovery Plan
BIA
Business Impact Analysis
BCP uses ____ to determine impact of down or lost systems
BIA
RAID 0
Striping
RAID 1
Mirroring
RAID 5
Striping + Parity
RAID 6
Striping + Double Parity
RAID 10
Striping + Mirroring
RAID 5 requires at least _ disks
3 disks
RAID 10 requires at least _ disks
4 disks
CIA
Confidentiality, Integrity and Availability
Security posture
baseline
Threat assessment
Only identifies threats, part of risk assessment
Vulnerability assessment
Identifies vulnerabilities, and therefore threats and risks, part of risk assessment
Banner grabbing
Used for service recognition during port or vulnerability scans
Scan from an administrative account
Credentialed scan
Scan as an unauthorized user
Non-credentialed scan
XSRF/CSRF
Cross-site request forgery
AAA
Authentication, Authorization, and Accounting
Diversity
Having different vendors for resiliency
Windows specific security update
Hotfix
Security control types (6)
Compensating, Corrective, Detective, Deterrent, Physical and Preventative
There are _ control categories.
3
There are _ control types.
6
PCI DSS
Payment Card Information Data Security Standard
PCI DSS, unlike GDPR, is an example of industry __-_____.
self-governance
CCPA
California Consumer Privacy Act
CIS CSC
Center for Information Security (CIS) Critical Security Controls (CSC)
Top 20 controls are published by the
Center for Information Security (CIS)
NIST RMF has _ steps.
7 steps
NIST RMF
NIST Risk Management Framework
RMF vs NIST CSF
CSF was made for critical sectors, but it’s also used elsewhere.
NIST CSF Categories (5)
Identify, Protect, Detect, Respond, Recover
NIST CSF has _ categories.
5 categories
ISO/IEC 27701:2019
Requirements and guidance for implementing and maintaining a Privacy Information Management System (PIMS)
PIMS
Privacy Information Management System
PIMS guidelines are found on ISO
27701
ISO 31000:2018
Risk Management Guidelines
ISO 27000:2018
Overview of Information Security Management Systems and vocabulary
ISMSs
Information Security Management Systems
SOC 2 assessment
Service and Organizations Controls on Cybersecurity, under Statement on Standards for Attestation Engagements 18 (SSAE-18).
Cybersecurity assessment related to SSAE-18 from the AICPA
SOC 2
Two key artifacts of the Cloud Security Alliance (CSA) frameworks
Cloud Control Matrix (CCM) and Enterprise Architecture
Enterprise Architecture
CSA Cloud methodology for cloud service capabilities
Example of benchmarks and secure configuration guides
DoD Security Technical Implementation Guides (STIGs)
DoD STIGs
Security Technical Implementation Guides
RMF phases (7)
Prepare, Categorize systems, Select Controls, Implement, Assess controls, Systems Authorization by an authority, Continuous Monitoring
RMF phases are meant to be implemented in an _____ manner
iterative manner
Due Care vs Due Diligence vs Due Process
Due Care is ensuring day-to-day safe activities, due diligence is maintaining security procedures and evaluating them, due process regards employee rights and fairness when being investigated.
EOSL
Equipment end of service life
In the context of third-party risk management, MSA means
Measurement Systems Analysis
In the context of a BPA, a general partnership implies
equal sharing of profits and liabilities
A joint venture is a general partnership that has a
shorter time-frame
Risk Assessment Phases (4)
Asset ID, Risk Analysis, Determine Risk Likelihood and Impact, Identify Cost of Solutions
Inherent Risk vs Control Risk vs Residual Risk
Inherent is without controls, control is because of control failure or inadequacy, residual is what’s left after controls are implemented.
COOP
Continuity of Operations Plan
BCP is composed of
BIA, DRP, COOP
BCP is composed of (3 + 2)
Risks, Sites + BIA, DRP, COOP
MEFs
Mission Essential Functions
PIA
Privacy Impact Assessment (PIA)
A PIA starts with a…
PTA (Privacy Threshold Analysis)
In the context of testing a DRP, AAR is
After-action reporting
MTTR
Mean Time To Repair
In the context of PIA, PHI is
Protected Health Information
In the context of GDPR, SPI is
Sensitive Personal Information, including PII, PHI, beliefs, standpoints, genetic data, sexual orientation, etc.
At least in the US, the term “data owner” has been succeeded by
data steward, or data custodian
The __________ determines what data will be collected and how it will be used within an organization
Data controller
The overall program for the entire organization is called _____ management, while changes at the actual host or network level of baseline configurations are called ______ management.
change, configuration
In DLP, tokenization refers to
Replacing sensitive data with tokens that refer to the actual data stored elsewhere.
In the context of cloud storage, a CASB is
Cloud Access Security Broker, acting as an intermediary between users and cloud providers, enforcing enterprise security policy
DevOps is characterized by
Bringing together PMs, Developers and Operations to enable rapid software development
A mantrap is also called a…
Access Control Vestibule
In the context of electronic locks, fail safe vs fail secure
Fail safe disengages a lock in an emergency, fail secure engages it.
Perimeter lighting must be
turned on from dusk to dawn
Access control model that allows you to assign specific access policies depending on which network a user is on, and not necessarily on the actual identity of the specific user.
Rule based AC
In MAC, access is controlled by
The OS
In DAC, ___ ___ define which users can access data.
data owners