Governance, Risk, and Compliance Flashcards

1
Q

Security risks are out there
- Many different types to consider

Assets are also varied
- Data, physical property, computer systems

Prevent security events, minimize the impact, and limit the damage

A

Security controls

2
Q

Controls that address security design and implementation

Security policies, standard operating procedures

A

Managerial control

3
Q

Controls that are implemented by people

Security guards, awareness programs

A

Operational controls

4
Q

Controls implemented using systems

Operating system controls

Firewalls, anti-virus

A

Technical controls

5
Q

Physically control access

Door lock

Security guard

Firewall

A

Preventive (control type)

6
Q

May not prevent access

Identifies and records any intrusion attempt

Motion detector, IDS/IPS

A

Detective (control type)

7
Q

Designed to mitigate damage

IPS can block an attacker

Backups can mitigate a ransomware infection

A backup site can provide options when a storm hits

A

Corrective (control type)

8
Q

May not directly prevent access

Discourages an intrusion attempt

Warning signs, login banner

A

Deterrent (control type)

9
Q

Doesn’t prevent an attack

Restores using other means

Re-image or restore from backup

Hot-site

Backup power system

A

Compensating (control type)

10
Q

Fences, locks, mantraps

Real-world security

A

Physical (control type)

11
Q

Meeting the standards of law, policies, and regulations

A healthy catalog of regulations and laws
- Across many aspects of business and life
- Many are industry-specific or situational

Penalties
- Fines, incarceration, loss of employment

Scope
- Covers national territory, or state laws
- Domestic and international requirements

A

Compliance

12
Q

European Union regulation
- Data protection and privacy for individuals in the EU
- Name, address, photo, email address, bank details, posts on social networking websites, medical information, a computer’s IP address, etc

Controls export of personal data
- Users can decide where their data goes

Gives individuals control of their personal data
- A right to be forgotten

Site privacy policy
- Details all of the privacy rights for a user

European Union data protection and privacy

Personal data must be protected and managed for privacy

A

General Data Protection Regulation (GDPR)

13
Q

A standard for protecting credit cards

Six control objectives
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

A

Payment Card Industry Data Security Standard (PCI DSS)

14
Q

Secure your data
- Often a complex problem
- Unique organizational requirements
- Compliance and regulatory requirements
- Many different processes and tools are available

Documented process
- A guide for creating a security program
- Define tasks and prioritize projects

A

Security frameworks

15
Q

Critical Security Controls for Effective Cyber Defense

Improve cyber defenses
- Twenty key actions (the critical security controls)
- Categorized for different organizational sizes

Designed for implementation
- Written for IT professionals
- Includes practical and actionable tasks

A

Center for Internet Security (CIS)

16
Q

Mandatory for US federal agencies and organizations that handle federal data

Six-step process
- Step 1: Categorize - Define the environment
- Step 2: Select - Pick appropriate controls
- Step 3: Implement - Define proper implementation
- Step 4: Assess - Determine if controls are working
- Step 5: Authorize - Make a decision to authorize the system
- Step 6: Monitor - Check for ongoing compliance

A

National Institute of Standards and Technology - Risk Management Framework (NIST RMF)

17
Q

Framework Core
- Identify, Protect, Detect, Respond, and Recover

Framework Implementation Tiers
- An organization’s view of cybersecurity risk and processes to manage the risk

Framework Profile
- The alignment of standards, guidelines, and practices to the Framework Core

A

National Institute of Standards and Technology - Cybersecurity Framework (NIST CSF)

18
Q

Standard for Information Security Management System (ISMS)

A

ISO/IEC 27001

19
Q

Code of practice for information security controls

A

ISO/IEC 27002

20
Q

Privacy Information Management Systems (PIMS)

A

ISO/IEC 27701

21
Q

International standards for risk management practices

A

ISO 31000

22
Q

The American Institute of Certified Public Accountants auditing standard Statement on Standards for Attestation Engagements number 18

A

SSAE 18

23
Q

Trust Services Criteria (security controls)
- Firewalls, intrusion detection, and multi-factor authentication

A

SOC 2

24
Q

Tests controls in place at a particular point in time

A

Type I audit

25
Q

Tests controls over a period of at least six consecutive months

A

Type II audit

26
Q

Security in cloud computing
- Not-for-profit organization

Cloud Controls Matrix (CCM)
- Cloud-specific security controls
- Controls are mapped to standards, best practices, and regulations

Enterprise Architecture
- Methodology and tools
- Assess internal IT groups and cloud providers
- Determine security capabilities
- Build a roadmap

A

Cloud Security Alliance (CSA)

27
Q

No system is secure with the default configurations
- You need some guidelines to keep everything safe

Hardening guides are specific to the software or platform
- Get feedback from the manufacturer or Internet interest group
- They'll have the best details

Other general-purpose guides are available online

A

Secure configurations

28
Q

Access a server with your browser
- The fundamental server on the Internet
- Microsoft Internet Information Server, Apache HTTP Server, et al

Huge potential for access issues
- Data leaks, server access

Secure configuration
- Information leakage: Banner information, directory browsing
- Permissions: Run from a non-privileged account, configure file permissions
- Configure SSL: Manage and install certificates
- Log files: Monitor access and error logs

A

Web server hardening

29
Q

Many and varied
- Windows, Linux, iOS, Android, et al

Updates
- Operating system updates/service packs, security patches

User accounts
- Minimum password lengths and complexity
- Account limitations

Network access and security
- Limit network access

Monitor and secure
- Anti-virus, anti-malware

A

Operating system hardening

30
Q

Programming languages, runtime libraries, etc
- Usually between the web server and the database
- Middleware

Very specific functionality
- Disable all unnecessary services

Operating system updates
- Security patches

File permissions and access controls
- Limit rights to what's required
- Limit access from other devices

A

Application server

31
Q

Switches, routers, firewalls, IPS, etc
- You never see them, but they're always there

Purpose-built devices
- Embedded OS, limited OS access

Configure authentication
- Don't use the defaults

Check with the manufacturer
- Security updates
- Not usually updated frequently
- Updates are usually important

A

Network infrastructure devices

32
Q

What is an acceptable use of company assets?
- Detailed documentation
- May be documented in the Rules of Behavior

Covers many topics
- Internet use, telephones, computers, mobile devices, etc

Used by an organization to limit legal liability
- If someone is dismissed, these are the well-documented reasons why

A

Acceptable use policy (AUP)

33
Q

Keep people moving between responsibilities
- No one person maintains control for long periods of time

A

Job rotation

34
Q

Rotate others through the job
- The longer the vacation, the better chance to identify fraud
- Especially important in high-security environments

A

Mandatory vacations

35
Q

Split knowledge
- No one person has all of the details
- Half of the safe combination

A

Separation of duties

36
Q

Two people must be present to perform the business function
- Two keys open a safe (or launch a mission)

A

Dual control

37
Q

When you leave, nothing is left on your desk
- Limit the exposure of sensitive data to third-parties

A

Clean desk policy

38
Rights and permissions should be set to the bare minimum - You only get exactly what's needed to complete your objective All user accounts must be limited - Applications should run with minimal privileges Don't allow users to run with administrative privileges - Limits the scope of malicious behavior
Least privilege
39
Pre-employment screening Verify the applicant's claims Discover criminal history, workers compensation claims, etc Legalities vary by country Adverse actions - An action that denies employment based on this - May require extensive documentation - Can also include existing employees
Background checks
40
Confidentiality agreement/Legal contract - Prevents the use and dissemination of confidential information Confidentiality agreement between parties - Information in the agreement should not be disclosed Protects confidential information - Trade secrets - Business activities - Anything else listed Unilateral or bilateral (or multilateral) - One-way or mutual Foreign contract - Signatures are usually required
Non-disclosure agreement (NDA)
41
Gather data from social media Facebook, Twitter, Linkedin, Instagram Build a personal profile Another data point when making a hiring decision
Social media analysis
42
Bring a new person into the organization - New hires or transfers IT agreements need to be signed - May be part of the employee handbook or a separate AUP Create accounts - Associate the user with the proper groups and departments Provide required IT hardware - Laptops, tablets, etc
On-boarding
43
This process should be pre-planned - You don't want to decide how to do things at this point What happens to the hardware and the data? Account information is usually deactivated - But not always deleted
Off-boarding
44
Gamification - Score points, compete with others, collect badges Capture the flag (CTF) - Secure competition - Hack into a server to steal data (the flag) - Can involve highly technical simulations - A practical learning environment Phishing simulation - Send simulated phishing emails - Make vishing calls - See which users are susceptible to phishing attacks without being a victim of phishing Computer-based training (CBT) - Automated pre-built training - May include video, audio, and Q&A - Users all receive the same training experience
User training
45
Before providing access, train your users - Detailed security requirements Specialized training - Each user role has unique security responsibilities Also applies to third-parties - Contractors, partners, suppliers Detailed documentation and records - Problems later can be severe for everyone
Role-based security awareness training
46
Every organization works with vendors - Payroll, customer relationship management, email marketing, travel, raw materials Important company data is often shared - May be required for cloud-based services Perform a risk assessment - Categorize risk by vendor and manage the risk Use contracts for clear understanding - Make sure everyone understands the expectations - Use the contract to enforce a secure environment
Vendors
47
The system involved when creating a product - Involves organizations, people, activities, and resources Assessment - Get a product or service from supplier to customer - Evaluate coordination between groups - Identify areas of improvement - Assess the IT systems supporting the operation - Document the business process changes
Supply chain
48
Much closer to your data than a vendor - May require direct access - May be a larger security concern than an outside hacker Often involves communication over a trusted connection - More difficult to identify malicious activity Partner risk management should be included - Requirements for best practices, data handling, intellectual property Include additional security between partners - Firewalls and traffic filters
Business partners
49
Minimum terms for services provided Uptime, response time agreement, etc Commonly used between customers and service providers
Service Level Agreement (SLA)
50
Both sides agree on the contents Usually includes statements of confidentiality Informal letter of intent; not a signed contract
Memorandum of Understanding (MOU)
51
Don't make decisions based on incorrect data! Used with quality management systems Access the measurement process Calculate measurement uncertainty
Measurement system analysis (MSA)
52
Going into business together Owner stake Financial contract Decision-making agreements Prepare for contingencies
Business Partnership Agreement (BPA)
53
Manufacturer stops selling a product May continue supporting the product Important for security patches and updates
End of life (EOL)
54
Manufacturer stops selling a product Support is no longer available for the product No ongoing security patches or updates May have a premium-cost support option
End of service life (EOSL)
55
Rules, processes, and accountability associated with an organization's data - Data is used in the right ways Formal rules for data - Everyone must know and follow the processes
Data governance
56
Manages the governance process Responsible for data accuracy, privacy, and security Associates sensitivity labels to the data Ensures compliance with any applicable laws and standards
Data steward
57
Identify data types - Personal, public, restricted, etc - Use and protect data efficiently Associate governance controls to the classification levels - How the data class should be managed
Data classification
58
Laws and regulations regarding certain types of data GDPR - General Data Protection Regulation
Data compliance
59
Keep files that change frequently for version control - Files change often - Keep at least a week, perhaps more Recover from virus infection - Infection may be identified immediately - May need to retain 30 days of backups Often legal requirements for data retention - Email storage may be required over years - Some industries may legally store certain data types - Different data types have different storage requirements - Corporate tax information, customer PII, tap backups, etc
Data retention
60
All that stands between the outside world and all of the data - The data is everything Passwords must not be embedded in the application - Everything needs to reside on the server, not the client Communication across the network should be encrypted - Authentication traffic should be impossible to see
Credential management
61
An account on a computer associated with a specific person - The computer associates the user with a specific identification number Storage and files can be private to the user - Even if another person is using the same computer No privileged access to the operating system - Specifically not allowed on a user account This is the account type most people will see - Your user community
Personnel accounts
62
Access to external third-party systems - Cloud platforms for payroll, enterprise resource planning, etc Third-party access to corporate systems - Access can come from anywhere Add additional layers of security - 2FA (two factor authentication) - Audit the security posture of third-parties Don't allow account sharing - All users should have their own account
Third-party accounts
63
Access to devices - Mobile devices Local security - Device certificate - Require screen locks and unlocking standards - Mange through a Mobile Device Manager (MDM) Add additional security - Geography-based - Include additional authentication factors - Associate a device with a user
Device accounts
64
Used exclusively by services running on a computer - No interactive/user access - Web server, database server, etc Access can be defined for a specific service - Web server rights and permissions will be different than a database server Commonly use usernames and passwords - You'll need to determine the best policy for password updates
Service accounts
65
Elevated access to one or more systems - Super user access Complete access to the system - Often used to manage hardware, drivers, and software installation This account should not be used for normal administration - User accounts should be used Needs to be highly secured - Strong passwords, 2FA - Scheduled password changes
Administrator/root accounts
66
How to make a change - Upgrade software, change firewall configuration, modify switch ports One of the most common risks in the enterprise - Occurs very frequently Often overlooked or ignored - Did you feel that bite? Have clear policies - Frequency, duration, installation process, fallback procedures Sometimes extremely difficult to implement - It's hard to change corporate culture
Change management
67
A formal process for managing change - Avoid downtime, confusion, and mistakes Nothing changes without the process - Determine the scope of the change - Analyze the risk associated with the change - Create a plan - Get end-user approval - Present the proposal to the change control board - Have a backout plan if the change doesn't work - Document the changes
Change control
68
Identify and track computing assets - Usually an automated process Respond faster to security problem - you know who, what, and where Keep an eye on the most valuable assets - Both hardware and data Track licenses - You know exactly how many you'll need Verify that all devices are up to date - Security patches, anti-malware signature updates, etc
Asset management
69
Identify assets that could be affected by an attack - Define the risk associated with each asset - Hardware, customer data, intellectual property Identify threats - Loss of data, disruption of services, etc Determine the risk - High, medium, or low risk Assess the total risk to the organization - Make future security plans External threats - Outside the organization - Hacker groups, former employees Internal threats - Employees and partners - Disgruntled employees Legacy systems - Outdated, older technologies - May not be supported by the manufacturer - May not have security updates - Depending on the age, may not be easily accessible
Risk assessments
70
Breaches involving multiple parties - Often trusted business relationships - Events often involve many different parties
Multi-party risk
71
Theft of ideas, inventions, and creative expressions Human error, hacking, employees with access, etc Identify and protect IP Educate employees and increase security Stealing company secrets Can out an organization out of business
Intellectual Property (IP) theft
72
Operational risk with two few licenses Financial risk with budgeting and over-allocated licenses Legal risk if proper licensing is not followed
Software compliance/licensing
73
A business decision; we'll take the risk!
Risk Acceptance
74
Stop participating in a high-risk activity
Risk Avoidance
75
Buy some cybersecurity insurance
Risk Transference
76
Decrease the risk level Invest in security systems
Risk Mitigation
77
Every project has a plan, but also has risk - Identify and document the risk associated with each step - Apply possible solutions to the identified risks - Monitor the results
Risk register
78
View the results of the risk assessment - Visually identify risk based on color - Comes the likelihood of an event with the potential impact - Assists with making strategic decisions
Evaluating risk
79
Impact + Likelihood Risk that exists in the absence of controls Some models include the existing set of controls
Inherent risk
80
Inherent risk + control effectiveness Risk that exists after controls are considered Some models base it on including additional controls
Residual risk
81
The amount of risk an organization is willing to take
Risk appetite
82
Risk has been determined - Heat maps have been created Time to build cybersecurity requirements - Based on the identified risks Find the gap - Often requires a formal audit - Self-assessments may be an option Build and maintain security systems based on the requirements - The organizational risk determines the proper controls Determine if existing controls are compliant or non-compliant - Make plans to bring everything into compliance
Risk control assessment
83
A constantly changing battlefield - New risks, emerging risks - A nearly overwhelming amount of information - Difficult to manage a defense Knowledge is key - Part of every employee's daily job role - Part of the onboarding process for employees and partners Maintaining awareness - Ongoing group discussions - Presentations from law enforcement - Attend security conferences and programs
Risk awareness
84
Many of them - Regulations tend to regulate Regulations directly associated to cybersecurity - Protection of personal information, disclosure of information breaches Requires a minimum level of information security
Regulations that affect risk posture
85
Privacy of patient records New storage requirements, network security, protect against threats
Health Insurance Portability and Accountability Act (HIPAA)
86
Identify significant risk factors - Ask opinions about the significance - Display visually with traffic light grid or similar method
Qualitative risk assessment
87
Likelihood - Annualized Rate of Occurrence (ARO) SLE (Single Loss Expectancy) - What is the monetary loss if a single event occurs? - Laptop stolen (asset value or AV) = $1000 ALE (Annualized Loss Expectancy) - ARO * SLE - Seven laptops stolen a year (ARO) * $1000 (SLE) = $7000 The business impact can be more than monetary
Quantitative risk assessment
88
Environment threats - Tornado, hurricane, earthquake, severe weather Person-made threats - Human intent, negligence, or error - Arson, crime, civil order, fires, riots, etc Internal and external - Internal threats are from employees - External threats are from outside the organization
Disaster types
89
Get up and running quickly Get back to a particular service level
Recovery time objective (RTO)
90
How much data loss is acceptable? Bring the system back online; how far back does data go?
Recovery point objective (RPO)
91
Time required to fix the issue
Mean time to repair (MTTR)
92
Predict the time between outages
Mean time between failures (MTBF)
93
Recover from an outage - Step-by-step guide Contact information - Someone is on-call - Keep everyone up to date Technical process - Reference the knowledge base - Follow the internal processes Recover and test - Confirm normal operation
Functional recovery plan
94
A single event can ruin your day - Unless you make some plans Network configuration - Multiple devices Facility/Utilities - Backup power, multiple cooling devices People/Location - A good hurricane can disrupt personnel travel There's no practical way to remove all points of failure - Money drives redundancy
Removing single points of failure
95
Detailed plan for resuming operations after a disaster - Application, data center, building, campus, region, etc Extensive planning prior to the disaster - Backups - Off-site data replication - Cloud alternatives - Remote site Many third-party options - Physical locations - Recovery Services
Disaster Recovery Plan (DRP)
96
Life - The most important consideration Property - The risk to buildings and assets Safety - Some environments are too dangerous to work Finance - The resulting financial cost Reputation - An event can cause status or character problems
Impact of DRP
97
All locations are a bit different - Even those designed to be similar Recovery plans should consider unique environments - Applications - Personnel - Equipment - Work environment
Site risk assessment
98
Creation and receipt - Create data internally or receive data from a third-party Distribution - Records are sorted and stored Use - Make business decisions, create products and services Maintenance - Ongoing data retrieval and data transfers Disposition - Archiving or disposal of data
Information life cycle
99
Opinion of the organization becomes negative Can have an impact on products or services Can impact stock price
Reputation damage
100
Company and/or customers information becomes public May require public disclosure Credit monitoring costs
Identify theft
101
Breaches are often found by technicians Provide a process for making those findings known
Internal escalation process (Notification)
102
Know when to ask for assistance from external resources Security experts can find and stop an active breach
External escalation process (Notification)
103
Almost everything can affect privacy - New business relationships, product updates, website features, service offering Privacy risk needs to be identified in each initiative - How could the process compromise customer privacy?
Privacy impact assessment (PIA)
104
Fix privacy issues before they become a problem Provides evidence of a focus on privacy Avoid data breach Shows the importance of privacy to everyone
Advantages of Privacy impact assessment
105
Terms of use, terms and conditions Legal agreement between service provider and user User must agree to the terms to use the service
Terms of Service
106
May be required by law Documents the handling of personal data May provide additional data options and contact information
Privacy notice, privacy policy
107
Not all data has the same level of sensitivity - License tag numbers vs health records Different levels require different security and handling - Additional permissions - A different process to view - Restricted network access
Labeling sensitive data
108
Data that is the property of an organization May also include trade secrets Often data unique to an organization
Proprietary
109
Data that can be used to identify an individual Name, DOB, mother's maiden name, biometric information
Personally Identifiable Information (PII)
110
Health information associated with an individual Health status, health care records, payments for health care, and much more
Protected Health Information (PHI)
111
No restrictions on viewing the data
Public/Unclassified
112
Restricted access, may require a non-disclosure agreement (NDA)
Private/Classified
113
Intellectual property, PII, PHI
Sensitive
114
Very sensitive, must be approved to view
Confidential
115
Data should always be available
Critical
116
Internal company financial information Customer financial details
Financial Information
117
Open data Transfer between government entities May be protected by law
Government data
118
Data associated with customers May include user-specific details Legal handling requirements
Customer data
119
Replace sensitive data with a non-sensitive placeholder - SSN 266-12-1112 is now 691-61-8539 Common with credit card processing - Use a temporary token during payment - An attacker capturing the card numbers can't use them later This isn't encryption or hashing - The original data and token aren't mathematically related - No encryption overhead
Tokenization
120
Minimal data collection - Only collect and retain necessary data Included in many regulations - HIPAA has a "Minimum Necessary" rule Some information may not be required - Do you need a telephone number or address? Internal data use should be limited - Only access data required for the task
Data minimization
121
Make it impossible to identify individual data from a dataset - Allows for data use without privacy concerns Many different anonymization techniques - Hashing, masking, etc Convert from detailed customer purchase data - Remove name, address, change phone number to ### ### #### - Keep product name, quantity, total, and sale date Cannot be reversed - No way to associate the data to a user
Anonymization
122
High-level data relationships - Organizational responsibilities, not always technical
Data responsibility
122
Data obfuscation - Hide some of the original data Protects PII - And other sensitive data May only be hidden from view - The data may still be intact in storage - Control the view based on permissions Many different techniques - Substituting, shuffling, encrypting, masking out, etc
Data masking
122
Replace personal information with pseudonyms Often used to maintain statistical relationships May be reversible - Hide the personal data for daily use or in case of breach - Convert it back for other processes Random and consistent replacements
Pseudo-anonymization
123
Accountable for specific data, often a senior officer VP of Sales owns the customer relationship data Treasurer owns the financial information
Data owner
124
Manages the purposes and means by which personal data is processed
Data controller
125
Processes data on behalf of the data controller - Often a third-party of different group
Data processor
126
Payroll department (data controller) defines payroll amounts and timelines Payroll company (data processor) processes payroll and stores employee information
Payroll controller and processor
127
Responsible for data accuracy, privacy, and security Associates sensitive labels to the data Ensures compliance with any applicable laws and standards Manages the access rights to the data Implements security controls
Data custodian/steward
128
Responsible for the organization's data privacy Set policies, implements processes and procedures
Data protection officer