ISC S1 Flashcards
National Institute of Standards and Technology (NIST) Cybersecurity Framework components are?
Framework Core
Framework Implementation Tiers
Framework Profile
NIST CSF Core Components (Functions) are?
Identify - Develops an understanding of the assets the company holds and the risks to them. Includes processing operations, internal and external users, and systems.
Protect - Focuses on safeguards that limit or contain the impact of an event. Includes access controls, updates to security software, encryption of information, data backups, secure disposal of files or devices, and employee training.
Detect - Identifies tools and resources to discover cybersecurity events while they are happening. Includes monitoring network access points, user devices, unauthorized personnel access, and high-risk employee behavior or high-risk devices.
Respond - Outlines how to contain a cybersecurity event, react using planned responses, and notify all affected parties.
Recover - Restores capabilities and services impaired by the event. Includes repairing equipment, restoring backed-up files, and positioning employees to rebound with the right response.
Explain the NIST CSF Implementation Tiers
These tiers measure how rigorous and mature a company's cybersecurity risk management practices are. They are not a way to implement the five core functions; they act as a benchmark for the degree to which cybersecurity risk management is integrated throughout the company. The company selects a tier based on its risk tolerance and the state of its current cybersecurity practices.
Define the Implementation Tiers Levels
Tier 1 (Partial) - Risk management is ad hoc and reactive, and is not integrated into company processes.
Tier 2 (Risk-Informed) - There is awareness of security risks, but responses are inconsistent and practices are not established as company-wide policy.
Tier 3 (Repeatable) - Cybersecurity practices are formally approved as policy, integrated into planning, and regularly communicated among senior leaders.
Tier 4 (Adaptive) - Cyber risk is prioritized throughout the company; practices adapt based on lessons learned, and the company shares information with and contributes to the wider cybersecurity community.
Define the NIST CSF Framework Profiles.
A profile describes a company's cybersecurity posture and establishes a roadmap for reducing cybersecurity risk. Profiles can be tailored to a particular industry. A profile should factor in company goals, industry goals, legal and regulatory requirements, industry best practices, and risk management priorities. A company writes out its current profile and its target profile, then performs a gap analysis to see where to improve.
What are the different NIST CSF Profiles, and how are they compared?
Current Profile - The current state of the company's risk management.
Target Profile - The desired future state of the company's risk management.
Gap Analysis - Not a profile itself; it identifies the differences between the current and target profiles and is used to prioritize improvements.
What is the NIST Privacy Framework?
Released in 2020 to help organizations manage privacy risk arising from their data processing. Industry-agnostic and accounts for cultural and individual constructs around privacy. Its core is structured like the CSF core: Identify-P and Protect-P parallel the CSF functions, three new functions are added (Govern-P, Control-P, Communicate-P), and the CSF's Detect, Respond, and Recover functions can be used alongside it for privacy events.
What are the NIST Privacy Framework Components (Functions)
Identify-P - How does the company develop an understanding of the privacy risks related to its data processing activities?
Govern-P - What is the best governance structure for privacy risks related to the company's data processing activities?
Control-P - What is the best management structure for privacy risks related to data processing activities?
Communicate-P - How should the company drive dialogue around privacy risks related to data processing activities?
Protect-P - What safeguards should be in place around privacy risks related to data processing activities?
Detect (from the CSF) - How should the organization detect data privacy events?
Respond (from the CSF) - How should the company respond to data privacy events?
Recover (from the CSF) - How should the company continue business after data privacy events?
Difference in Implementation Tiers between the NIST CSF and the Privacy Framework.
The Privacy Framework adds a Workforce element to every tier (alongside risk management process, integrated risk management program, and data processing ecosystem relationships).
In the Privacy Framework, progression to a higher tier is recommended based on accomplishing the goals of the prior tiers.
Define NIST SP 800-53 (Security and Privacy Controls)
A catalog of security and privacy controls for information systems.
A stricter standard than the NIST CSF or Privacy Framework.
Designed for protecting information systems against sophisticated threats. Implementation is costly, and there are nearly 1,200 detailed controls and control enhancements.
Originally intended for federal agencies and the systems that support them.
What are the three NIST SP 800-53 control implementation approaches? (The approach is chosen on a per-control basis.)
Common (Inheritable) - The control is implemented once at the organizational level and inherited by multiple information systems.
System-Specific - The control is implemented at the individual information system level.
Hybrid - Part of the control is implemented at the organization level where appropriate, and the remainder at the information system level.
Define the General Data Protection Regulation (GDPR)
Unlike the US, the European Union has enacted one comprehensive data privacy law. It applies generally and governs how everyone entrusted with personal data must handle that information.
One of the strictest privacy laws in the world.
What are the four categories of expenditures related to data breaches?
Detection and Escalation - The cost to detect a breach, such as forensics and investigative efforts.
Notification - The cost to notify necessary parties, such as consumers and regulators.
Post-breach Response - The cost to rectify the effects of the breach, such as paying regulatory fines, implementing credit-monitoring services for consumers, and providing ongoing communication to consumers.
Loss of Business and Revenue - Revenue is temporarily lost during downtime caused by data breaches, and this can ultimately lead to loss of customers, which creates a more permanent loss of revenue.
What are the three safeguards required by HIPAA?
Administrative - Include security management processes, assigned security responsibility, workforce security, information access management, training, incident procedures, contingency plans, and evaluation.
Physical - Include facility access controls, workstation use, workstation security, and device and media controls.
Technical - Include access control, audit controls, data integrity controls, person or entity authentication, and transmission security.
Define Health Information Technology for Economic and Clinical Health (HITECH)
Enacted in 2009 to strengthen HIPAA.
Increased penalties for HIPAA violations.
Requires that patients be given the option to obtain their records in electronic form.
Made "business associates" directly liable for complying with HIPAA security and privacy requirements, not just the covered entities they serve.
*Significant change = Breach notification required without unreasonable delay and no later than 60 days after discovery of the breach.
When does the GDPR apply?
*Data controllers and processors established in the EU, even if the processing itself takes place outside the EU.
*Data controllers and processors not established in the EU if they offer goods or services to people in the EU or monitor the behavior of people in the EU.
*Data controllers not established in the EU but in a place where EU member state law applies by virtue of public international law (for example, a member state's embassy).
What are the six GDPR principles that must be followed when processing data?
Lawfulness, Fairness, Transparency - Data must be processed lawfully, fairly, and in a transparent manner.
Purpose Limitation - Collected only for specified, explicit, and legitimate purposes.
Data Minimization - Data must be adequate, relevant, and limited to what is necessary for the purpose.
Accuracy - Data must be accurate and kept up to date.
Storage Limitation - Data is kept in identifiable form only for as long as necessary. It may be stored longer for public-interest archiving, scientific or historical research, or statistical purposes.
Integrity and Confidentiality - Data must be processed securely and protected against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Define the Center for Internet Security (CIS) Controls.
A prioritized set of actions, processes, and best practices that organizations can adopt and implement to strengthen their cybersecurity defenses.
The controls are task-focused and organized by activity rather than by who manages the devices.
What are the five CIS Control design principles?
Align - Controls should map to other leading cybersecurity standards and frameworks.
Measurable - Controls should be simple and measurable, avoiding vague language.
Offense Informs Defense - Controls are drafted based on data about actual attacker behavior and how to defend against it.
Focus - Controls should help prioritize the most critical problems rather than trying to resolve every cybersecurity issue.
Feasible - All recommendations should be practical to implement.
Define the CIS Controls Implementation Groups.
*Allows companies to pick a tailored group of controls based on their size, risk profile, and available resources. The groups are cumulative.
IG1 - Small or medium-sized organizations with limited IT and cybersecurity expertise. Data handled is of low sensitivity.
IG2 (includes IG1) - Organizations with IT staff who support multiple departments with differing risk profiles. They store and process sensitive client or company data.
IG3 (includes IG2) - Organizations with security experts across the different domains of cybersecurity. They handle sensitive data and are likely subject to regulatory or compliance oversight.