ISC 1 Flashcards
NIST
National Institute of Standards and Technology Framework (1901) (1995 - Info Security). Here to protect us
Why do we need IT?
Organizations adopt technology to enhance or support business operations; protect digital records and assets; safeguards physical assets
NIST Cybersecurity Framework
Voluntary framework that includes three components to manage cybersecurity risk:
1. Framework
2. Framework Implementation
3. Framework Profile
CS Framework Core ComponentsDRRIP
Identify
Protect
Detect
Respond
Recover
Identify ID
Keep records of: assets of the organization, system users internal/external, information process operations and all system used
Protect
Focus on deploying safeguards and access controls to networks, applications, and devices.
Performing regular updates to security software
Performing data backups, developing plans for disposing of files or unused devices and user training
Detect
Deploy tools to: Detect cyber security attacks.
Monitor network access points, user devices, unauthorized personnel access.
Respond
Develop response polices addressing how to:
Contain a cybersecurity event
React using planned responses that mitigate losses
Notify
Recover
Focuses on:
Supporting the restoration of a company’s network to normal operations
Restoring backed up files or environments
Implementation Tiers
How sophisticated is a company’s security infrastructure?
Inform an organization as to the effectiveness of those profiles.
Tiers act as a benchmark, identifying the degree to which information security practices are integrated throughout an organization.
CSF Framework Profiles
Determine success or failure of information security implementation. Implementation guides with insight specific to a particular industry
Tier Levels
Tier 1 (partial)
Tier 2 (risk informed)
Tier 3 (Repeatable)
Tier 4 (Adaptive)
Tier Categories
Risk management process
Integrated risk management program
External participation
Tier 1 (partial)
Risk management Process: Ad hoc and reactive
Integrated Risk Management: Not integrated into organization processes
External Participation: does not evaluate external risks, cybersecurity is isolated
Tier 2 (Risk Informed)
Risk Management Process: CS prioritization is based on org risk, and management approves CS efforts
Integrated Risk Management: org is aware of CS but not managing securely
External Participation: there is awareness but inconsistent actions are taken to respond to those risks
Tier 3 (Repeatable)
Risk Management Process: org utilizes CS in planning and has enshrined CS practices in formal policies
Integrated Risk Management: a org risk approach to CS where CS is integrated into planning and regularly communicated
External Participation: org collabs w/ and contributes to security community at large. Has gov structures internally to manage cyber risk
Tier 4 (Adaptive)
Risk Management Process: org CS is based on iterative improvements based on internal/external cyber incidents
Integrated Risk Management: managing CS is a org wide affair, cyber risk is prioritized
External Participation: org robustly participates in external info sharing activities
Current Profile
Current state of the org risk managment
Target profile
Desired future state of org risk management
Gap Analysis
Identifies differences between the current and desired state
NIST Privacy Framework
Protect individuals data as used in data processing applications. Developed to be industry agnostic and to account for cultural and individual constructs around privacy
Privacy Framework Core Components (PICCG)
Identify
Govern
Control
Communicate
Protect
Govern
What is the best governance structure for privacy risks related to the company’s data processing activities?
Control
What is the best management structure for privacy risks related to data processing activities
Communicate
How should the org drive dialogue around privacy risks related to data processing activities
NIST SP 800-53 Framework
Set of security and privacy controls applicable to all info systems and now the standard for federal info security systems. Designed for protecting, care about effectiveness not cost
SP 800-53 Security and Privacy Requirements
OMB - requires the controls for federal information systems
FISMA - requires the implementation of minimum controls to protect federal info and info systems
Common (Inheritable) Control
Implement controls at the org level, which are adopted by info systems
System Specific Control
Implement controls at the information system level
Hybrid Control
Implement controls at the org level where appropriate and the rest at the info system level
Data Breach Costs
Detection and escalation: Cost to detect
Notification: costs to notify parties
Post-breach Response: Cost to rectify effects
Loss of Business and Revenue: temp lost do to down time
HIPAA
Health Insurance Portability and Accountability Act required the department of health and human services to adopt national standards promoting health care privacy and security
HIPPA Security Rule
Specifically governs electronic PHI. Under the security Rule all covered entities must:
ensure the confidentiality, integrity, and availability of all electronic PHI;
Protect against reasonably anticipated threats;
Ensure compliance
HITECH
Amended HIPPA:
Increased penalties for HIPPA violations
Required that patients receive the option to obtain records in electronic form
Breach rule to notify within 60 days of discovery
GDPR (Data Protection) Principals
European Unions general applicability law regulating the privacy of data
Lawfulness, Fairness, Transparency
GDPR
Data must be processed lawfully, fairly, and in a transparent manner
Purpose Limitation
GDPR
Data must be processed for specified, explicate, and legitimate purposes
Data Minimization
GDPR
Data processing must be adequate, relevant, and limited to what is necessary
Accuracy
GDPR
Data must be accurate and kept updated