ICS1 Flashcards

Question 1

Q

Application of Information Technology is the systematic implementation of…

Answer

A

Hardware and software so data can be
-Transmitted
-Modified
-Accessed
-Stored securely and efficiently

Question 2

Q

Name three NIST Frameworks

Answer

A

-NIST Cybersecurity Framework
-NIST Privacy Framework
-NIST 800-53 Security and Privacy controls for informations systems and organizations

Question 3

Q

NIST Cybersecurity Framework primary components

1

Answer

A

Voluntary framework
1. Framework Core
2. Framework implementation tiers
3. Framework profile

Question 4

Q

Purpose of NIST CSF

Answer

A

To develop a set of plain language controls for protection of IT infrastructure

Question 5

Q

What are the NIST CSF Framework Core Areas of Focus

Answer

A

Identify
Protect
Detect
Respond
Recover

Question 6

Q

What is the purpose of the NIST CSF Framework Core Focus Areas?

Answer

A

Things to help develop a program to identify, assess, and manage cyber security risks in a cost effective and repeatable manner. Each core area represent points in the security risk management life cycle and are performed concurrently

Question 7

Q

NIST CSF - Core Area - IDENTIFY

1

Answer

A

Keep record of:
- Assets used to support information processing operations
- Users both internal and external
-Systems

Question 8

Q

NIST CSF - Core Area - PROTECT

1

Answer

A

Focuses on:
- Safegaurds and access controls to networks, applications, and other devices.
- Updates to security software
-Encryption of information
-Data backups
-Plans for disposing of files/devices
-User training

Question 9

Q

NIST CSF - Core Area - DETECT

1

Answer

A

Deploy tools to:
-Detect active attacks
-Monitor network access points, devices, unauthorized personal access, and high risk employee behavior or use of high risk devices

Question 10

Q

NIST CSF - Core Area - RESPOND

1

Answer

A

Develop response policies addressing how to:
-contain a cybersecurity event
-react using planned responses to mitigate losses

Question 11

Q

NIST CSF - Core Area - RECOVER
1

Answer

A

Restoration of network to normal operations through:
-repairing equiptment
-restoring back up files/env.
-positioning employees to rebound w/ right responses

Question 12

Q

1 NIST CFS - Categories/Sub categories of Functions or Core Areas

Answer

A

Core areas have categories that are tied to specific activities/company needs

and further into subcategories for mgmt and technical activities to help achieve outcomes.

Question 13

Q

NIST CFS - Implementation Tiers - purpose

1

Answer

A

Provides a measure of an organizations informaiton security infrastructure sophistication.

The 4 tiers act as a benchmark to identify the degree to which informaiton security practices are integrated throughout an organization.

Question 14

Q

How does an organization deteremine their implementation tier?

Answer

A

Based on perception of its own risk given the cybersecurity policies in place.

Question 15

Q

NIST CFS Implementation Tiers vs. Framework Profiles?

Answer

A

Profiles determine success or failure of information security implementation

Tiers inform the org as to the effectiveness of those profiles.

Question 16

Q

1 NIST CFS - Implementation Tiers - List Them

Answer

A

Divided into four levels:
1. Partial (Lowest)
2. Risk-Informed
3. Repeatable
4. Adaptive

Question 17

Q

Question 18

Q

NIST CFS - Implementation Tiers - division

Answer

A

Tiers are subdivided into
1. Risk Management process
2. Risk management program integration
3. External participation

Question 19

Q

NIST CFS Implementation Tier - Partil

Answer

A

incident mgmt is not incorporated into processes.

RM Process/Program Integration - RM is ad hoc/reactive
External Participation - corporate cybersecurity is isolated, does not evaluate external risks.

Question 20

Q

NIST CFS - Implementation Tier - Risk Informed

Answer

A

Involves cybersecurity awareness but not security managed

RM Process - cybersecurity prioritization is based on org. risk, and mgmt approves cybersecurity efforts - CS may be isolated from org processes.

Awareness of environmental security risks impact org, but inconsistent actions to respond to risk.

Question 21

Q

NIST CSF - Implementation Tier - Repeatable

Answer

A

Integrated into planning and regularly communicated.

RMP - Cybersecurity planning and in policies
RMPM - org risk approach
External participation - org collabs w/ and contributes to security community & governance structures to manage cyber risk.

Question 22

Q

NIST CFS Implementation Tier - Adaptive

Answer

A

RPP - Org. cybersecurity is based on iterative improvement based on incidents and is responsive to evolving threats
RMPM - org. wide affair - cyber risk is prioritized to other risks
External participation - robustly participates in external info sharing and frequency contributes to community.

Question 23

Q

1 NIST CFS - Framework profiles - purpose

Answer

A

Mechanism by which companies measure cybersecurity risk and how to minimize risk. - implementation guides w/ industry insights

should consider - org goals, industry goals, legal/reg requirements, best practices, RM priorities.

Question 24

Q

1 NIST CFS - Framework profiles - Categories

Answer

A

Current profile - current state of org. RM
Target profile - desired future state
Gap analysis - differences between 2

Question 25

Q

1 NIST Privacy Framework

Answer

A

To protect individuals data as used in data processing applications

any industry

Question 26

Q

What concepts are present in both NIST Cyber Security Framework and Privacy Frameworks

Answer

A

similar structures, RM approaches but applied to each subject matter differently.

Identify, Protect

Question 27

Q

1 NIST Privacy Framework - Core

Answer

A

Identify, Govern, Control, Communicate, Protect

Question 28

Q

1 NIST Privacy Framework - Core - Identify

Answer

A

What are the privacy risks related to data processing?

Inventory/mapping, business env., RA, data processing ecosystem RM.

Question 29

Q

1 NIST Privacy Framework - Core -Govern

Answer

A

What is the best governance structure ?

Governance P&P, RM strategy, awareness/trainings, monitoring review.

Question 30

Q

1 NIST Privacy Framework - Core - Control

Answer

A

What is the best management structure

data processing P&P, mgmt, and disassociated processing.

Question 31

Q

1 NIST Privacy Framework - Core - Communication

Answer

A

How to drive dialog around privacy risk related to data processing activities.

Question 32

Q

1 NIST Privacy Framework - Core - Protect

Answer

A

What safeguards should be in place, five categories

data protection p&p,
identity mgmt, authentication and
access control
, data security, maintenance, protective technology.

Question 33

Q

NIST Privacy Framework Core - subdivisions

Answer

A

Functions are subdivided into categories to address privacy program considerations, and further subdivided to sub-categories.

Question 34

Q

1 NIST Privacy Framework profile

Answer

A

Mirrors Cybersecurity framework (current, target, gap analysis)

Question 35

Q

1 NIST Privacy Framework Implementation Tiers

Answer

A

Mirrors cybersecurity framework (partial, risk informed, repeatable, adaptive)

Question 36

Q

1 NIST SP 800-53 - what is it

Answer

A

Set of security and privacy controls applicable to all Info systems and the standard for federal info security systems.

Question 37

Q

1 NIS SP 800-53 purpose

Answer

A

designed for protecting info systems against sophisticated threats

establishes controls for systems/orgs that can be implemented within org/system that process, store or transmit information.

Helps to identify security and privacy controls needed to manage risk and satisfy requirements by OMB A-130 and FISMA.

Question 38

Q

1 Office of Management Budget CircularA-130

Answer

A

requires controls for federal Info Systems

Question 39

Q

1 Federal IS Moderization Act (FISMA)

Answer

A

required implementation of minimum controls to protect federal info and IS.

Question 40

Q

1 Target Audience of NIST SP 800-53

Answer

A

System admins : individuals with system, info security, privacy, or RM and oversight responsibilities

-System developers: program managers, engineers, developers

-logistical personnel: procurement, system integrators property managers

security/privacy personnel and assessment and monitoring personnel

-Commerical entities (3rd party vendors) producing products/system/services that support security or privacy.

Question 41

Q

1 NIST SP 800-53 Organizational Responsibilities

Answer

A

Well defined security and privacy requirement for systems/orgs.
Use of trustworthy system components (
Rigorous security and privacy planning and system development life cycle mgmt.
Application of security and privacy practices for system integration of info systems.

-Documented practices

Continuous monitoring of info system to eval effectiveness of controls.

Question 42

Q

1 NIST SP 800-53 Control Families

Answer

A

They cover org. risk and are subdivided into controls and control enhancements. Controls are to be implemented for family conformance enhancements are best practices (some recommended, some required for baseline conformance)

Question 43

Q

1 NIST SP 800-53 Control Implementation approaches

Answer

A

3 approaches that are to be implemented on a per control basis:

Common - inheritable, implement controls at org. level, which are adopted by Info Systems.
System Specific - at info system level
Hybrid - org level where appropriate and remainder at system level.

Question 44

Q

2 Privacy laws

Answer

A

regulate how those entrusted w/ private information collect, process, maintain and disclose it.

Question 45

Q

2 General Data Protection Regulation

Answer

A

EU enacted one comprehensive data privacy law that applies and governs how all entrusted w/ personal data handle that info.

imposes steep penalties and fines

Question 46

Q

2 Where does GDPR apply?

Answer

A

Data processors based in EU, or those offering services to those in EU, or where public international law applies.

Question 47

Q

2 GDPR Princpals

Answer

A

Lawfulness, Fairness, Transparency
Purpose Limitation
Data minimization
Accuracy
5.Storage Limit
Integrity/Confidentiality

Question 48

Q

2 Safe Harbor Framework

Answer

A

support transatlantic commerce, EU/US, transmit data -

EU declarer invalid replaced with Privacy Shield, which also was invalid.

Question 49

Q

2 four categories of costs incurred for data breach

Answer

A

Detection/escalation
notification
Response
Loss of business/rev. (during downtime)”

Question 50

Q

2 HIPPA covered entities

Answer

A

Health care providers that transmit info electronically, health plans, health care clearing houses, business associates who are service providers who need access to PHI

Question 51

Q

2 Who can PHI be disclosed to w/o permission

Answer

A

individuals,
for treatment, payment, and health care operations
incident to otherwised permitted use and disclosure
With valid auth
Redacted for research, public health or health care ops
public interst and benefit activities provided by law

Question 52

Q

2 Under HIPPA for electornic PHI MUST

Answer

A

ENSURE - confidentiality, integrity and availability of electronic PHI
PROTECT against reasonably anticipated threats to security of info, impermissible use or disclosures
ENSURE compliance by workforce

Question 53

Q

2 HIPPA - Administrative Safeguards

Answer

A

Security mgmt processes
assigned security responsibilties, 3. workforce security
Info access mgmt
security awareness/training, 6. security incident procedures
contingency plans,
evaluation.

Question 54

Q

2 HIPPA - Physical Safegaurds

Answer

A

facility access, workstation use/security, device/media controls

Question 55

Q

2 HIPPA - Technical Safegaurds

Answer

A

access controls, audit controls, data integrity controls, person/entity authentication, transmission security

Question 56

Q

2 HITECH

Answer

A

Health Information Tech for Economic and Clinical Health Act

Amended HIPPA to increase penalties, patients option to obtain records electronically, and add business associates as covered entities, breach notification rule.

Question 57

Q

2 HITECH - Breech Notification Rule

Answer

A

w/in 60 days to impacted people

Question 58

Q

2 Payment Card Industry Data Security Standards (PCI DSS)

Answer

A

Data protected includes cardholder data, authentication data - Account data

Six goals and 12 requirements
1. Build/Maintain a secure network of system
2. Protect account data
3. vulnerability mgmt program
4. strong access control measures
5. Regular monitor/test
6. maintain info sec policy”

Question 59

Q

3 Center for Internet Security Controls (CIS) - define

Answer

A

recommended set of actions, processes and best practices to strengthen cybersecurity defenses.,
(Supported by SANS institute)

Controls are task focused and organized by activity (instead of who manages the device) a total of 18 controls and 153 subcategories of safeguards.

Question 60

Q

3 CIS Design Principles

Answer

A

Align - controls should map to other top CS standards
Measurable - simple, measurable and avoid vague language
Offense Informs Defense - controls drafted based on events
Focus - help prioritize most critical problems and avoid resolving every issue
Feasible -

Question 61

Q

3 CIS Implementation

Answer

A

Implementation of CIS can be tailored to org. size by using one of three implementation groups, these are self assessed categories that ID subset of the CIS controls which are critical to adopt given size.

Question 62

Q

3 CIS Implementation Groups - 1

Answer

A

Small or Medium sized org that have limited cybersecurity defense mechinism in place.

Main focus - keep operational since limited expertise, not sensitive data, cant sustain long periods of downtime.

Question 63

Q

CIS Implementation Group 2

Answer

A

Orgs that have IT staff who support departments that have various risk profiles.

Sensitive client data and can tolerate short term disruption.

Biggest concern - lost of trust

Question 64

Q

CIS Implementation Group 3

Answer

A

Orgs have security experts in all domains w/in CS.

Sensitive data assets subject to compliance or reg oversight.

Attacks cause significant damage to company/public.

Answer 64

A

helps organizations actively track/manage all IT assets
connect to IT infrastructure physically or virtually/cloud. Also focus on external devices connect via guest network

-Gives visibility on how data flows, which device contains sensitive data to help prioritize security/maintenance

Answer 65

A

portable end-user devices that periodically connect to network and then disappear - makes it hard to have a holistic view of inventory.

Answer 66

A

Track and actively manage all software applications so that only authorized software is installed on company devices

-Guidance on finding unmanaged and unauthorized software already installed so it can be removed and remediated.

Control lists and policies should be in place

(operating systems, programming software, business applications, drivers, open-source software, some firmware)

Answer 67

A

info on if software patches are installed, applications reaching end of life support are renewed or transitioned out, safeguards needed are in place

Answer 68

A

Develop ways to securely manage the entire life cycle of their data, from the initial identification and classification data to its disposal.

Must identify, archive, label, and classify their data to understand implications of data being lost or compromised

Answer 69

A

Labeled at discretion of the enterprise and should be assigned based on sensitivity (i.e. internal, public, sensitive, and confidential)

Answer 70

A

After sensitivity is defined, mapping should be developed to ID software that access, and allow consolidation of sensitive classification into one network.

Answer 71

A

Establish and maintain secure baseline configurations for enterprise assets (hardware/software - network devices, mobile/end user, IoT, operating systems).

Answer 72

A

Many are sold with preconfigured settings that can present vulnerabilities, therefore should have control activities to assess configurations and modify and move to continuous monitoring.

Answer 73

A

CIS Benchmark Program or NIST National Checklist Program Repository

Answer 74

A

process of making an organization less vulnerable to attacks, examples include removing unused software, closing network ports, changing default passwords, turning off non essential services.

Answer 75

A

best practices managing credentials and authorization for user accounts, privledge user accounts, and service accounts for hardware/software.

Answer 76

A

central account mgmt, acceptable use policy and account safety guidelines, credential are sensitive info, training for users, password requirements, controls for inactivity, and account lockouts.

Answer 77

A

Specifies the types of access that user accounts should have.

Answer 78

A

least privledge or “need to know”
only what is needed to do job

Answer 79

A

Protocols for granting access and revoking access, MFA or privledge account management for security, a comprehensive solution for provisioning and de-provisioning access

Answer 80

A

Assist in continuously identifying and tracking vulnerabilities within infrastructure so they can be remediated and eliminate weak points/widows of opportunity.

Answer 81

A

unknown vulnerabilities - no known solution to weak point

Answer 82

A

Classification schemes like Common Vulnerablity Scoring System or Common Vulnerabilites Exposure

Answer 83

A

Establishes and enterprise log management process so that organizations can be alert and recover for an attack in real time using log collection and analytic features.

Answer 84

A

How to detect and protect against cybercrime attempted through email or internet by engaging w/ EE.

Answer 85

A

policies and tools to enforce URL filtering, blocking certain file types, restrict users add-ons

URL filtering can be done by Domain Name System (DNS) filtering - which blocks users from accessing certain domains on a blacklist.

Answer 86

A

Prevent the installation and propagation of malware onto company assets and its network. Endpoint assets and devices can be leveraged as entry points and targets

Answer 87

A

viruses, worms, spyware, adware, keyloggers, ransomware

can cause damage by stealing intellectual property, log-ins, destroying data, or encryption for ransom.

Answer 88

A

solution should be centrally managed, maintained, and deployed to all potential entry points.

Autorun/auto play features should be disabled

Answer 89

A

Living off the land approach minimizes likelihood attacker will get caught by using organization’s existing tools against them - quick window

Answer 90

A

Establishes data backup, testing, restoration processes that allow organizations to effectively recover company assets to a pre-incident state.

backup and restorage methods will be based on data value, sensitivity, classification, and retention requirements.

Answer 91

A

automating back-up process, off site storage and encryption. These should be tested once per quarter - restore using test bed environment

Answer 92

A

procedures and tools for managing and securing a company’s network infrastructure (both physical/virtual devices - firewall, gateways routers, switches, wireless access points).

Answer 93

A

network architecture documenation/diagrams should be kept up to date to reflect network topology and layout

Should include critical vendor contract info to increase likelihood for upgrade/patches timely,

Monitor for end of life network components to make upgrades or mitigating controls

Continuously identify and remediate insecure default network config settings, misconfig network, insecure protocol usage, outdated network software

Answer 94

A

Processes for monitoring and defending network infrastructure against threats.

Answer 95

A

ways networks are attacked.

DoS - gain access to network and overloading it with traffic so it is rendered useless.

Answer 96

A

Establish event logging and alerting mechanisms tools such as security info and event management (SIEM) to help centralize and assist in log analysis.

Traffic flow monitoring, alerting and detection safeguards can also be implemented (network intrusion prevention system, next-gen firewall, data loss prevention end point detection systems)

Answer 97

A

guides in establishing security awareness and training program to reduce cybersecurity risk.

Answer 98

A

Develop processes to evaluate 3rd party service providers that have access to data or manage IT functions.

Answer 99

A

Processes to oversees service provider life cycle

Providers should be assessed and their performance and standards catalogued from initial engagement through decommissioning for adherence to security standards, protocols, and best practices. SOC audit reports can be used.

Answer 100

A

Safegaurds that manage the entire life cycle of software that is aquired, hosted or developed to detect, deter and resolve cybersecurity weaknesses before they are exploited.

Answer 101

A

Buffer overflows,
corss site scripting - xxs inject content and code into a website to take over
Sql injections - sql query to extract or corrupt data
race conditions - two apps share the same data, race to get data first

Answer 102

A

Consider if best practices/safegaurds are followed (secure design standards, secure code reviews, security testing tools)

introuce application security as early as possible

process in place to inventory 3rd party components, tools, and apps (ensuring software up to date, configurations are reviewed, compensating controls for attach mitigation) SAAS can be an weak spot

can implemenet bug bounty programs

Answer 103

A

Establish incident response management program to detect, respond, and prepare for cybersecurity attacks.

Answer 104

A

-Designation of key contact,
- establishment of incident response team
-development of communications plans for notifying impacted business units, stakeholders, and regulatory agencies.
-Exercises/test the incident response process

Answer 105

A

Test sophistication of cybersecurity defense system in place by simulating attacks in an effort to find and exploit weaknesses.

Begins with discovery or observation of env., followed by scans to find vulnerablities that can gain access, results are studied, revise controls - at least annually for large orgs w/ significant risks

Answer 106

A

-ISACA developed
-Most widely used IT governance standards
-Provides a roadmap to implement best practices for IT governance and management

Answer 107

A

-Governance - BOD

-Management - daily planning/admin of operations CEO, CFO, COO

-Internal Stakeholders - BOD/MGMT, managers, assurance providers, RM

External stakeholders - regulators, investors, business partners

Answer 108

A

Formed by princples, standards and regulations (Cobit 5, 6 principals for governance systems 3 principals of governance framework, community collabor, regs)

The core model can be customized through design factors and focus areas to arrive at a enterprise governance system.

There are Framework guides (Intro/Methodology and governance and mgmt objecgices) a Design guide and implemenation guide that can be refernced.

Answer 109

A

VHDDTE (very healthy diet do try everything)
1. Provide Stakeholder VALUE
2. HOLISTIC Approach
3. DYNAMIC Governance System
4. Governance DISTINCT From Management
5. TAILOR Enterprise Needs
6. END to END Governance System

Answer 110

A

governance system should create value for stakeholders by balancing benefits, risks, and resources through well designed governance system with actionable strategy.

Answer 111

A

governance systems for IT can comprise diverse components, collectively providing an holistic model (18 CIS controls)

Answer 112

A

When a change in one governance system occurs, the impact on all others should be considered so they system continues to meet demands - system that is dynamic enough that it can be relevant while adjusting

Answer 113

A

Management activites and governance systems should be clearly distinguished from each other as they have different functions

Answer 114

A

Customized to each company, using design factors to prioritize and tailor the system. No one size fits all.

Answer 115

A

More than just the IT function should be considered - all processes involving information and technology should be factored.

Answer 116

A

Should identify key components and relationships between those components to provide for greater automation and max consistency.

Answer 117

A

Ability to change adding relevant content and removing irrelevant content, while keeping consistency and integrity.

Answer 118

A

align with regulations, frameworks, and standards

Answer 119

A

Responsibility of BOD
Evaluate, direct, monitor - evaluate strategic objectives, direct management to achieve those objectives, and monitor if they are being met.
1. Ensuring benefits delivery
2. governance framework setting
3. risk optimizatoin
4. resource optimization
5. stakeholder engagement

Answer 120

A

Focus on aligning technology’s overall strategy, planning how to utilize technology in business operations, organizing resources for most efficient and effective usage.

Managed data is one of the most significant objectives

Things such as: IT infrastructure, budgeting, HR, vendors, quality, security, managing risk.

Answer 121

A

building, acquiring, and Implementation of IT solutions in business processes

11 objectives on requirements definitions, ID solutions, managing capacity, dealing with org and IT change, managing knowledge, administering assets, managing configuration

Answer 122

A

Address the delivery, service, and support of IT services. 6 objectives cover managed operations, service requests, managed problems, continuity, security services, business process controls.

Answer 123

A

address IT conformance with performance targets and control objectives w/ external requirements : managed performance,

Through continuous monitoring, evaluations and assessments
of IT systems, controls and components.

Answer 124

A

factors collectively or individually contribute to successful execution of governance system over IT and systems.

Answer 125

A

Process - activities to ach. overall tech goals
Org Structure - decision making entities in org
principals, policies, and frameworks - guidance to turn desired behavior into practice
information -
cultuer, ethics, behavior
people skills and competencies
service infrastructure and applications

Answer 126

A

Influence design of IT governance system, 11 factors

Answer 127

A

primary and secondary strategy like growth and acquisition, innovation/differentiation, cost leadership strategies, and client service/stability strategies

Answer 128

A

goals support the strategy and are structured based on the balance scorecard dimensions (which are financial, customer, interal, and growth)

Answer 129

A

addresses current risk exposure and maps which risks exceed appetite - risks include IT operational incidents, software adoption and usage problems, noncompliance, tech-based innovation, and geopolitical issues

Answer 130

A

regular IT audit findings of poor IT quality or controls, insufficient IT resources, frustration between IT and departments, hidden IT spending, problems with data quality, noncompliance w/ regs.

Answer 131

A

Environment in which company operates - classified as normal or high due to geopolitical issues, industry, or economic issues.

Answer 132

A

Compliance demands can be low (minimal demands), normal (typical for the industry), or high

Answer 133

A

system not critical for operating or maintain business

Answer 134

A

immediate impact on business ops and continuity if fails

Answer 135

A

drives innovation but not required for critical business ops

Answer 136

A

crucial for both innovation and business ops

Answer 137

A

type of IT procurement model from outsources to cloud to built in house or hybrid

Answer 138

A

methods to implement new IT projects - agile, DevOps, traditional waterfall or hybrid

Answer 139

A

emerging technologies adopted as soon as possible to gain edge

Answer 140

A

emerging technologies adopted after proven

Answer 141

A

very late to adopt new technologies

Answer 142

A

Large - FT count > 250 , small/medium with 50-250 FT.

Brainscape's Knowledge GenomeTM

ICS1 Flashcards

Regulations, Standards, Framework

Brainscape's Knowledge Genome^TM