Lessons 25-29 Flashcards
THIRD-PARTY RISK MANAGEMENT
Is a composite of activities used to research and source third parties, conduct due diligence investigations, negotiate contracts, manage relationships, evaluate performance, and make payments
THIRD-PARTY OVERSIGHT
The implementation of strategies to manage uncertainty, identify vulnerabilities, and ensure compliance and continuity.
RIGHT TO AUDIT
A “right to audit” contract provision (clause) grants the contract holder the right to conduct or oversee an audit of the service provider’s facilities and practices.
MOU
memorandum of understanding is a non-binding document that outlines the intentions and areas of cooperation between parties
MOA
memorandum of agreement is a legally enforceable document that establishes a contractual relationship between parties.
BPA
business partner agreement is a comprehensive legal document that outlines the terms and conditions of a relationship between two or more businesses or entities
SLA
a service-level agreement codifies service and support requirements and may include incentives and or penalties.
MSA
a master services agreement outlines general terms and conditions. It serves as a framework for future agreements or projects between the parties.
SOW
a statement of work that defines tasks, deliverables, timelines, and performance expectations for a particular project or engagement between a client and a service provider
WO
a work order is transactional and used for individual service requests, often within the context of ongoing business relationships.
Data minimization
approach limits data collection to only what is required to fulfill a specific purpose
RIGHT TO BE FORGOTTEN
Pertains to an individual’s right to have their personal information removed or deleted from online platforms, search engine results, or other publicly accessible sources.
Data controller
determines the purposes for which, and the means by which, personal data is processed
Data processor
processes personal data on behalf of the data controller
Data protection officer
ensures that an organization is in compliance with privacy regulations as defined in the GDPR; independence is required.
Data masking
a technique used to protect sensitive data by replacing it with fictional or de-identified data
Tokenization
a technique to secure and desensitize data by replacing the original data with an unrelated value of the same length and format
Anonymization
the process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual
Pseudo-anonymization
a method to substitute identifiable data with a reversible consistent value.
PRIVACY IMPACT ASSESSMENT (PIA)
is a process used to evaluate how an organization’s projects, systems, or practices affect the privacy of individuals’ personal data. It helps identify and mitigate privacy risks, ensuring that data handling complies with privacy laws and regulations.
PRIVACY STATEMENT
Describes how an organization collects, uses, shares, and protects personal information collected from individuals
INFORMATION SECURITY ASSESSMENT
Is the process of determining how effectively the entity being evaluated meets specific security criteria
Examination
the process of interviewing, reviewing, inspecting, studying, and observing to facilitate understanding, comparing to standards or baselines, or to obtain evidence (audit)
Testing
the process of exercising objects under specified conditions to compare actual and expected behavior (penetration testing)
Assurance
is the measure of confidence that intended controls, plans, and processes are effective in their application. An audit is to provide independent assurance based on evidence.
Audit evidence
all the information that is used by the auditor in arriving at the conclusions on which the auditor’s opinion is based.
AUDIT PLAN
A high-level description of audit work to be performed in a specific time frame
Evidence sampling
applying a procedure to less than 100% of the population
PENETRATION TESTING
To evaluate the security of a target by identifying and attempting to exploit vulnerabilities, improper configurations, and hidden points of entry (ethical hacking)
Known environment
the testers have extensive knowledge of the target system or network. With this level of knowledge, the testing team can do an in-depth analysis, targeted assessments, and explore potential attack vectors.
Partially known environment
the organization provides restricted or selective information to the testers. This approach can simulate scenarios where an attacker gains partial information through recon or social engineering.
Unknown environment
no information is provided to the testers. The testers need to discover vulnerabilities, conduct recon, identify potential entry points, and perform exploitation attempts.
RULES OF ENGAGEMENT
ROE agreement details the parameters and expected assessor conduct of the penetration test.
OFFENSIVE AND DEFENSIVE PENETRATION TESTING
It’s designed to simulate an attack and evaluate preventive and deterrent controls, detection, and response capability
Offensive team
offensive penetration testing teams emulate the behaviors and techniques of likely attackers.
Defensive team
teams are tasked with detective and defensive activities.
Integrated team
teams actively engage in monitoring, detection, and response activities during the testing process with a focus on information sharing and cooperation (feedback bridge)
Passive Recon
information gathering using publicly available resources. The target has no knowledge of the activity. Examples: IP addresses, external relationships, people/personnel info, content of interest, web, email, remote access portals
Active Recon
using technical tools to probe and discover information. Active recon may be intrusive and may be discovered by the target. Examples: network connections, open ports, enumeration, vulnerabilities.
Escalation of privilege
the act of exploiting a vulnerability to gain elevated access to a resource.
Pivoting
the act of using a weakness in one system to access a better-protected system
Proof-of-concept (POC) exploitation
is the process of providing evidence that the vulnerability is exploitable
Compromise exploitation
the process of fully exploiting the vulnerability without regard to potential damage
NIST SETA MODEL [SP800-50]
Security Education, Training, and Awareness (SETA)
This model is designed to enhance an organization’s information security by educating and training employees about security policies, procedures, and practices.
BRIEFING
Is insight and understanding for the long-term
SECURITY AWARENESS
Security awareness programs should be inclusive of all levels of the organization and extend to consultants and contractors. The objective is to influence behavior.
ad hoc
something created or done for a specific purpose as needed, without prior planning or a fixed structure.