ISC 1 Flashcards

1
Q

NIST

A

National Institute of Standards and Technology: a US federal agency founded in 1901 (as the National Bureau of Standards, renamed NIST in 1988) that publishes standards and guidance, including the information security frameworks and Special Publications covered in this deck.

2
Q

Why do we need IT?

A

Organizations adopt technology to enhance or support business operations, to protect digital records and assets, and to safeguard physical assets.

3
Q

NIST Cybersecurity Framework

A

Voluntary framework (CSF 1.1) with three components for managing cybersecurity risk:
1. Framework Core
2. Framework Implementation Tiers
3. Framework Profiles
(CSF 2.0, released in 2024, keeps these components but adds a sixth Core function, Govern.)

4
Q

CSF Core Functions (IPDRR)

A

Identify
Protect
Detect
Respond
Recover

5
Q

Identify ID

A

Keep records of the organization's assets, its internal and external system users, its information-processing operations, and all systems in use, so the organization understands what it must protect and the risks to it.

6
Q

Protect

A

Deploy safeguards and access controls on networks, applications, and devices.
Regularly update security software and patch systems.
Perform data backups, develop plans for disposing of files and unused devices, and train users.

7
Q

Detect

A

Deploy tools to detect cybersecurity events in a timely manner.
Monitor network access points, user devices, and physical access by unauthorized personnel.

8
Q

Respond

A

Develop response policies addressing how to:
Contain a cybersecurity event
React using planned responses that mitigate losses
Notify internal and external stakeholders (management, customers, regulators, law enforcement) as required

9
Q

Recover

A

Focuses on:
Supporting the restoration of a company’s network to normal operations
Restoring backed up files or environments

10
Q

Implementation Tiers

A

How mature and rigorous are the organization's cybersecurity risk management practices?
Tiers (1 to 4) describe how well cybersecurity risk management is integrated throughout the organization and inform the choice of Target Profile.
Tiers act as a benchmark, not a maturity level every organization must reach: the right tier is the one that matches the organization's risk appetite, threat environment, and resources.

11
Q

CSF Framework Profiles

A

Alignment of the Core functions, categories, and subcategories with the organization's business requirements, risk tolerance, and resources. Profiles describe the current and target state of cybersecurity activities and are used to measure progress; sector-specific profiles give guidance tailored to a particular industry.

12
Q

Tier Levels

A

Tier 1 (Partial)
Tier 2 (Risk Informed)
Tier 3 (Repeatable)
Tier 4 (Adaptive)

13
Q

Tier Categories

A

Risk management process
Integrated risk management program
External participation

14
Q

Tier 1 (partial)

A

Risk Management Process: ad hoc and reactive
Integrated Risk Management Program: cybersecurity risk management is not integrated into organizational processes
External Participation: the organization does not evaluate risks from external parties; cybersecurity is handled in isolation

15
Q

Tier 2 (Risk Informed)

A

Risk Management Process: cybersecurity prioritization is based on organizational risk and management approves cybersecurity efforts, but practices are not yet established as organization-wide policy
Integrated Risk Management Program: there is organization-level awareness of cybersecurity risk, but no organization-wide approach to managing it
External Participation: the organization is aware of external risks but responds to them inconsistently

16
Q

Tier 3 (Repeatable)

A

Risk Management Process: the organization uses cybersecurity in its planning and has enshrined its practices in formal, regularly updated policies
Integrated Risk Management Program: an organization-wide approach to cybersecurity risk, integrated into planning and regularly communicated, with internal governance structures to manage cyber risk
External Participation: the organization collaborates with and contributes to the security community at large

17
Q

Tier 4 (Adaptive)

A

Risk Management Process: cybersecurity practices are improved iteratively, based on lessons learned from internal and external cyber incidents
Integrated Risk Management Program: managing cybersecurity is an organization-wide affair, and cyber risk is prioritized alongside other business risks
External Participation: the organization robustly participates in external information-sharing activities

18
Q

Current Profile

A

Current state of the organization's cybersecurity risk management: which Core outcomes are being achieved today

19
Q

Target profile

A

Desired future state of the organization's cybersecurity risk management: which outcomes it wants to achieve, given its risk tolerance and resources

20
Q

Gap Analysis

A

Compares the Current Profile with the Target Profile to identify the differences, which are then prioritized into a risk-based action plan

21
Q

NIST Privacy Framework

A

Protects individuals' data as it is used in data-processing applications. Developed to be industry-agnostic, to align with the Cybersecurity Framework, and to account for cultural and individual constructs around privacy

22
Q

Privacy Framework Core Components (PICCG)

A

Identify
Govern
Control
Communicate
Protect

23
Q

Govern

A

Develop and implement the governance structure for privacy risks related to the company's data-processing activities (policies, roles, risk assessment, training).

24
Q

Control

A

Develop and implement the management structure for privacy risks related to data-processing activities, giving the organization and individuals control over how data is handled (e.g., data inventory, data minimization, handling of individuals' requests).

25
Q

Communicate

A

Establish dialogue and awareness with individuals and other organizations about privacy risks related to data-processing activities (e.g., privacy notices, transparency about how data is used).

26
Q

NIST SP 800-53 Framework

A

Catalog of security and privacy controls applicable to all information systems and organizations, and the standard for federal information systems. Controls are selected and tailored according to the protection a system needs (its impact level); the emphasis is on the effectiveness of protection rather than on cost.

27
Q

SP 800-53 Security and Privacy Requirements

A

OMB - Office of Management and Budget policy (Circular A-130) requires federal agencies to implement the controls for federal information systems
FISMA - Federal Information Security Modernization Act requires the implementation of minimum security controls to protect federal information and information systems

28
Q

Common (Inheritable) Control

A

Controls implemented once at the organization level (e.g., physical security, enterprise logging) and inherited by multiple information systems

29
Q

System Specific Control

A

Controls implemented and managed within a specific information system

30
Q

Hybrid Control

A

Controls with one part implemented at the organization level (the common part) and the remainder at the information system level

31
Q

Data Breach Costs

A

Detection and escalation: cost to detect the breach and escalate it
Notification: cost to notify affected parties and regulators
Post-breach response: cost to rectify the effects (legal fees, credit monitoring, remediation)
Loss of business and revenue: revenue lost temporarily due to downtime and reputational damage

32
Q

HIPAA

A

Health Insurance Portability and Accountability Act (1996): required the Department of Health and Human Services to adopt national standards promoting the privacy and security of health information

33
Q

HIPAA Security Rule

A

Specifically governs electronic protected health information (ePHI). Under the Security Rule all covered entities (and their business associates) must:
ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;
protect against reasonably anticipated threats to its security and against reasonably anticipated impermissible uses or disclosures;
ensure compliance by their workforce

34
Q

HITECH

A

Amended HIPAA (2009):
Increased penalties for HIPAA violations
Required that patients receive the option to obtain their records in electronic form
Breach Notification Rule: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach

35
Q

GDPR (Data Protection) Principles

A

The European Union's General Data Protection Regulation (Regulation (EU) 2016/679), a law of general applicability governing the processing of personal data. It sets out the principles on the following cards plus accountability: the controller must be able to demonstrate compliance with them.

36
Q

Lawfulness, Fairness, Transparency

GDPR

A

Data must be processed lawfully, fairly, and in a transparent manner

37
Q

Purpose Limitation

GDPR

A

Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes

38
Q

Data Minimization

GDPR

A

Data processing must be adequate, relevant, and limited to what is necessary

39
Q

Accuracy

GDPR

A

Data must be accurate and kept updated

40
Q

Storage Limitation

GDPR

A

Data must be stored in a form that identifies individuals only for as long as necessary for the purpose; longer storage is permitted for public-interest archiving, scientific or historical research, or statistical purposes, subject to appropriate safeguards.

41
Q

Integrity and Confidentiality

GDPR

A

Data must be processed securely and protected against unauthorized access, accidental loss, destruction, or damage

42
Q

Payment Card Industry Data Security Standard

A

A standard maintained by the PCI Security Standards Council for all entities that store, process, or transmit cardholder data. Its 12 requirements are grouped under 6 goals; the following cards cover five of them, the sixth being Maintain an Information Security Policy.

43
Q

Build and Maintain a Secure Network and System

PCI DSS

A
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
44
Q

Protect cardholder Data

PCI DSS

A
  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open networks
45
Q

Maintain a Vulnerability Management Program

PCI DSS

A
  1. Protect all systems against malware and regularly update anti-virus software or programs
  2. Develop and maintain secure systems and applications
46
Q

Implement Strong Access Control Measures

PCI DSS

A
  1. Restrict access to cardholder data by business need to know
  2. Identify and authenticate access to system components
  (Restricting physical access to cardholder data also falls under this goal)
47
Q

Regularly Monitor and Test Networks

PCI DSS

A
  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes
48
Q

CIS

A

The Center for Internet Security. The CIS Critical Security Controls are a prioritized set of actions, processes, and best practices that organizations can adopt and implement to strengthen their cybersecurity defenses.

49
Q

CIS Control Principles OFFAM

A

Offense Informs Defense
Focus
Feasible
Align
Measurable

50
Q

Align

CIS Principle

A

Controls should map to other major cybersecurity standards and frameworks such as the NIST CSF, COBIT, and HIPAA

51
Q

Measurable

CIS Principle

A

Controls should be simple and measurable, avoiding vague language

52
Q

Offense Informs Defense

CIS Principle

A

Controls are drafted based on data about actual attacker behavior and what has proven effective in defending against it

53
Q

Focus

CIS Principle

A

Controls should help prioritize the most critical problems rather than attempt to resolve every cybersecurity issue

54
Q

Feasible

CIS Principle

A

All recommendations should be practical and implementable

55
Q

IG1

A

Implementation Group 1 (essential cyber hygiene): for small or mid-sized organizations with limited IT and cybersecurity expertise and few defenses in place

56
Q

IG2 (includes IG1)

A

Implementation Group 2: for organizations with IT staff who support multiple departments with varying risk profiles and that typically handle sensitive client data

57
Q

IG3 (Includes IG1 and IG2)

A

Implementation Group 3: for organizations with security experts across the cybersecurity domains, such as penetration testing, risk management, and application security

58
Q

CIS Control 01

A

Inventory and Control of Enterprise Assets: actively track and manage all assets (end-user devices, network devices, IoT devices, servers) connected to the infrastructure physically, virtually, remotely, or within cloud environments, so that only authorized devices are given access

59
Q

CIS Control 2

A

Inventory and Control of Software Assets: actively track and manage all software (operating systems and applications) on the network so that only authorized software is installed and can execute

60
Q

CIS Control 3

A

Data Protection: Helps orgs develop ways to securely manage the entire life cycle of their data

61
Q

CIS Control 4

A

Secure Configuration of Enterprise Assets and Software: establish and maintain secure baseline configurations for enterprise assets and software, since vendor defaults are geared to ease of deployment rather than security

62
Q

CIS Control 5

A

Account Management: Outlines best practices for companies to manage credentials and authorization for user accounts, privileged user accounts, and service accounts for company hardware and software applications

63
Q

CIS Control 6

A

Access Control Management: expands on Control 5 by specifying the type of access each account should have (least privilege) and the processes for granting and revoking it

64
Q

CIS Control 7

A

Continuous Vulnerability Management: continuously identify and track vulnerabilities in the organization's infrastructure so that it can remediate weak points and close the windows of opportunity available to attackers

65
Q

CIS Control 8

A

Audit Log Management: collect, alert on, review, and retain audit logs of events that could help the organization detect, understand, or recover from an attack

66
Q

CIS Control 9

A

Email and Web Browser Protections: Provides recommendations on how to detect and protect against cybercrime attempted through email or the internet

66
Q

CIS Control 10

A

Malware Defense: assists companies in preventing the installation and propagation of malware onto company assets and its network

67
Q

CIS Control 11

A

Data Recovery: Establishes data backup, testing, and restoration processes that allow organizations to effectively recover company assets

68
Q

CIS Control 12

A

Network Infrastructure Management: This control establishes procedures and tools for managing and securing a company’s network infrastructure

69
Q

CIS Control 13

A

Network Monitoring and Defense: Establishes processes for monitoring and defending a company’s network infrastructure against internal and external security threats

70
Q

CIS Control 14

A

Security Awareness and Skill Training: Guides organizations in establishing a security awareness and training program to reduce cybersecurity risk

71
Q

CIS Control 15

A

Service Provider Management: helps organizations develop processes to evaluate third party service providers that have access to sensitive data or that are responsible for managing some or all of a company’s IT functions

72
Q

CIS Control 16

A

Application Software Security: establishes safeguards that manage the entire life cycle of software that is acquired, hosted, or developed in house to detect, deter and resolve CS weaknesses before they are exploited

73
Q

CIS Control 17

A

Incident Response Management: provides the recommendations necessary to establish an incident response program to prepare for, detect, and respond to cybersecurity attacks

73
Q

CIS Control 18

A

Penetration Testing: tests the effectiveness of the organization's defenses by simulating the objectives and actions of a real attacker in an effort to find and exploit weaknesses

74
Q

COBIT

A

Control Objectives for Information and Related Technologies (published by ISACA)
Provides a road map that organizations can use to implement best practices for IT governance and management.

75
Q

COBIT Principles for Governance System GETPHD

A

Governance Distinct from Management (Distinct)
End to end governance system (End to end)
Tailored to enterprise needs (Tailored)
Provide stakeholder Value (Value)
Holistic approach (Holistic)
Dynamic governance system (Dynamic)

76
Q

COBIT Principles for a Governance Framework BOA

A

Based on conceptual model
Open and flexible
Aligned to major standards

77
Q

Provide stakeholder Value (Value)

A

The governance system should create value for the company's stakeholders by balancing benefits, risks, and resources

78
Q

Holistic approach (Holistic)

A

A governance system for IT comprises diverse components (processes, structures, information, people, and so on) that work together to provide a holistic model

79
Q

Dynamic governance system (Dynamic)

A

When a change in one element of the governance system occurs, its impact on all the other elements should be considered so that the system continues to meet the demands of the organization and stays relevant as new challenges arise.

80
Q

Governance Distinct from Management (Distinct)

A

Management activities and governance systems should be clearly distinguished from each other because they have different functions

81
Q

Tailored to enterprise needs (Tailored)

A

Governance models should be customized to each individual company, using design factors to prioritize and tailor the system

82
Q

End to end governance system (End to end)

A

All processes in the organization involving information and technology, not just the IT function, should be factored into an end-to-end approach

83
Q

COBIT Governance Objectives

A

One domain: evaluate, direct, and monitor (EDM): those charged with governance evaluate strategic objectives, direct management to achieve those objectives, and monitor whether they are being met

84
Q

COBIT Management Objectives

A

Four domains
Align, plan and organize (APO)
Build, acquire, and implement (BAI)
Deliver, service, and support (DSS)
Monitor, evaluate, and assess (MEA)

85
Q

Objectives of EDM Domain

A

Ensuring benefits delivery
Governance framework setting
Risk optimization
Resource optimization
Stakeholder engagement

86
Q

APO Domain

A

Focuses on aligning the overall information technology strategy, planning how to use technology in the organization's business operations, and organizing resources for their most effective and efficient use. 14 objectives; Managed Data (APO14) is the most significant.

87
Q

BAI Domain

A

Addresses the building, acquiring, and implementing of information technology solutions in the organization's business processes. 11 objectives, offering guidance on requirements definition, identifying solutions, managing capacity, availability, organizational change, and more.

88
Q

DSS Domain

A

Addresses the delivery, service, and support of IT services. 6 objectives; Managed Service Requests and Incidents (DSS02) is the most important.

89
Q

MEA Domain

A

Addresses information technology's conformance with the company's performance targets and control objectives, as well as with external requirements. Accomplished through continuous monitoring, evaluation, and assessment of information technology systems. 4 objectives; Managed System of Internal Control (MEA02) is the most important.

90
Q

COBIT Components to Satisfy Objectives

A

Processes: the activities that achieve the governance and management objectives
Organizational Structures: the key decision-making entities
Principles, Policies, and Frameworks: translate desired behavior into practical guidance for day-to-day management
Information: the information needed for the governance system to work
Culture, Ethics, and Behavior: tone at the top; the behaviors that support the governance system
People, Skills, and Competencies: needed to make sound decisions and complete activities
Services, Infrastructure, and Applications: the tools and resources the governance system needs for information technology processing

91
Q

COBIT Design Factors

A

Enterprise Strategy
Enterprise Goals
Risk Profile
Information and Technology Issues
Threat Landscape
Compliance Requirements
Role of IT
Sourcing Model for IT
IT Implementation Methods
Technology Adoption Strategy
Size of Company

92
Q

COBIT Publications

A

Designed so that companies could adopt its recommendations in a way that is customized to their own needs

93
Q

COBIT 2019 Framework: Introduction and Methodology

A

Introduces the core concepts of the framework

94
Q

COBIT 2019 Framework: Governance and Management Objectives

A

Provides an outline of the 40 governance and management objectives, their components, and references

95
Q

COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

A

Covers design topics that influence governance as well as a guideline for designing a customized gov system

96
Q

COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution

A

Provides a road map for continuous improvement when implementing information technology governance systems; used in conjunction with the Design Guide