Module 3 - 01-1 Flashcards
Frameworks and Controls
Define Security Frameworks
Guidelines used for building plans to help mitigate risks and threats to data and privacy
Define Security Lifecycle
A constantly evolving set of policies and standards that define how an organization manages risks, follows established guidelines, and meets regulatory compliance, or laws
What is the Purpose of Security Frameworks (5)?
- Protecting personally identifiable information (PII)
- Securing financial information
- Identifying security weaknesses
- Managing organizational risks
- Aligning security with business goals.
How many Core Components does the Security Framework have?
Four (4)
What are the Core Components of Security Frameworks (4)?
- Identifying and documentation security goals
- Setting guidelines to achieve security goals
- Implementing strong security processes
- Monitoring and communicating results
Frameworks allow ____
analysts to work alongside other members of the security team to document, implement, and use the policies and procedures that have been created.
It’s essential for an entry-level analyst to understand this process because it directly affects the work they do and how they collaborate with others.
Define Security Controls
Safeguards designed to reduce specific security risks
Security frameworks and controls are ___
vital to managing security for all types of organizations and ensuring that everyone is doing their part to maintain a low level of risk
Define the CIA Triad
A foundational cybersecurity model that helps inform how organizations consider risk when setting up systems and security policies
What does CIA stand for?
- Confidentiality
- Integrity
- Availability
Define Confidentiality
Only authorized users can access specific assets or data
Define Integrity
Data is correct, authentic, and reliable
Define Availability
Data is accessible to those who are authorized to access it
Define Asset
An item perceived as having value to an organization
Define Value
Determined by the cost associated with the asset in question
What does NIST stand for?
National Institute of Standards and Technology
(NIST)
(U.S. Based Agency)
Define NIST
A U.S.-based agency that develops multiple voluntary compliance frameworks that organizations worldwide can use to help manage risk
What does CSF stand for?
The Cybersecurity Framework
(CSF)
What does NIST CSF stand for?
National Institute of Standards and Technology:
the Cybersecurity Framework
(NIST CSF)
(U.S. Based Agency)
Define NIST CSF
A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
(security teams use it as a baseline to manage short & long-term risk)
Define Compliance
The process of adhering to internal standards and external regulations
What does RMF stand for?
The Risk Management Framework
(RMF)
What does NIST RMF stand for?
National Institute of Standards and Technology:
the Risk Management Framework
(NIST RMF)
What does FERC-NERC stand for?
The Federal Energy Regulatory Commission -
North American Electric Reliability Corporation
(FERC-NERC)
Define FERC-NERC
A regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid.
They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC.
What does CIP stand for?
Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC
What does FedRAMP® stand for?
The Federal Risk and Authorization Management Program
(FedRAMP®)
Define FedRAMP
A U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings
What does CIS stand for?
Center for Internet Security
(CIS®)
Define CIS
A nonprofit with multiple areas of emphasis.
It provides a set of controls that can be used to safeguard systems and networks against attacks.
What does GDPR stand for?
E.U.’s General Data Protection Regulation
(GDPR)
Define GDPR
A data protection law established to grant European citizens more control over their personal data.
A European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory
What does PCI DSS stand for?
Payment Card Industry Data Security Standard
(PCI DSS)
Define PCI DSS
An international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment
What does HIPAA stand for?
The Health Insurance Portability and Accountability Act
Define HIPAA
A U.S. federal law established in 1996 to protect patients’ health information. This law prohibits patient information from being shared without their consent.
What three rules govern HIPAA?
- Privacy
- Security
- Breach notification
What does PHI stand for?
Protected Health Information (PHI)
Also known as Patients’ Health Information
What does PHI relate to?
The past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care
What does HITRUST® stand for?
Health Information Trust Alliance (HITRUST®)
Define HITRUST
A security framework and assurance program that helps institutions meet HIPAA compliance
What does ISO stand for?
International Organization for Standardization (ISO)
Define ISO
To establish international standards related to technology, manufacturing, and management across borders
What does (Accounting) SOC stand for?
System and Organizations Controls (SOC)
(SOC type 1 ; SOC type 2)
What does AICPA stand for?
American Institute of Certified Public Accountants® (AICPA)
Who developed (Accounting) SOC?
The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard.
Define (Accounting) SOC
The SOC1 and SOC2 are a series of reports that focus on an organization’s user access policies at different organizational levels such as:
* Associate
* Supervisor
* Manager
* Executive
* Vendor
* Others
They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety.
Define United States Presidential Executive Order 14028
On May 12, 2021, President Joe Biden released an executive order related to improving the nation’s cybersecurity to remediate the increase in threat actor activity. Remediation efforts are directed toward federal agencies and third parties with ties to U.S. critical infrastructure.
A security _____ is a set of guidelines used for building plans to help mitigate risk and threats to data and privacy.
framework
Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and privacy.
An organization requires its employees to complete a new data privacy training program each year to reduce the risk of a data breach. What is this training requirement an example of?
Security control
Data confidentiality
Personally identifiable information (PII) Cybersecurity Framework (CSF)
Security Control
Security controls are safeguards designed to reduce specific security risks.
What is a foundational model that informs how organizations consider risk when setting up systems and security policies?
General Data Protection Regulation law (GDPR)
Sensitive personally identifiable information (SPII)
Cybersecurity Framework (CSF)
Confidentiality, integrity, and availability (CIA) triad
Confidentiality, integrity, and availability (CIA) triad
The CIA triad is a foundational model that helps inform how organizations consider risk when setting up systems and security policies.
True or False?
Security teams use the NIST Cybersecurity Framework (CSF) as a baseline to manage short and long-term risk.
True
Security teams use the NIST CSF as a baseline to manage short and long-term risk. The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.
