Module 3 Flashcards
What are Security Frameworks?
Guidelines used for building plans to help mitigate risk and threats to data and privacy
What is the name for guidelines used for building plans to help mitigate risk and threats to data and privacy?
Security Frameworks
What is a Security Life Cycle?
A constantly evolving set of policies and standards that define how an organisation manages risks, follows established guidelines, and meets regulatory compliance or laws.
What is the name for a constantly evolving set of policies and standards that define how an organisation manages risks, follows established guidelines, and meets regulatory compliance or laws?
Security Life Cycle
What are the purposes of Security Frameworks?
- Protecting PII
- Securing financial information
- Identifying security weaknesses
- Managing organisational risks
- Aligning security with business goals
What are the Four Core Components of Frameworks?
- Identifying and documenting security goals
- Setting guidelines to achieve security goals
- Implementing strong security processes
- Monitoring and communicating results
What are Security Controls?
Safeguards designed to reduce specific security risks
What is the CIA Triad?
A foundational model that helps inform how organisations consider risk when setting up systems and security policies
What does the “CIA” in “CIA Triad” stand for?
Confidentiality. Integrity. Availability.
What is meant by Confidentiality?
Only authorised users can access specific assets or data
What is meant by Integrity?
Data is correct, authentic, and reliable
What is meant by Availability?
Data is accessible to those who are authorised to access it
What is an “Asset”?
An item perceived as having value to an organisation
What is the NIST Cybersecurity Framework (CSF)?
A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
What does NIST stand for?
National Institute of Standards and Technology
Why are disgruntled employees some of the most dangerous threat actors?
They often have access to sensitive information and know where to find it
What is the NIST?
A U.S.-based agency that develops Compliance Frameworks that organisations worldwide can use to help manage risk.
What are two examples of NIST frameworks?
- NIST CSF (Cybersecurity Framework)
- NIST RMF (Risk Management Framework)
What is the Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)?
A regulation that applies to organisations that work with electricity or that are involved with the North American Power Grid.
What does “CIP” stand for?
Critical Infrastructure Protection
What does FERC stand for?
The Federal Energy Regulatory Commission
What does NERC stand for?
North American Electric Reliability Corporation
What does FedRAMP stand for?
The Federal Risk and Authorization Management Program
What is the Federal Risk and Authorization Management Program (FedRAMP)?
U.S. government program that standardises security assessment, authorisation, monitoring, and handling of cloud services and product offerings
What is the purpose of the Federal Risk and Authorization Management Program (FedRAMP)?
To provide consistency across the government sector and third-party cloud providers
What does CIS stand for?
Center for Internet Security
What is the Center for Internet Security (CIS)?
A nonprofit with multiple areas of emphasis that provides a set of controls that can be used to safeguard systems and networks against attacks
What is the purpose of the Center for Internet Security (CIS)?
- To help organisations establish a better plan of defence
- Provide actionable controls that security professionals may follow if a security incident occurs
What does GDPR stand for?
General Data Protection Regulation
What is the General Data Protection Regulation (GDPR)?
An E.U. general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory
Under GDPR, how long does an organisation have to alert an E.U. citizen if their data is compromised?
72 hours
What does PCI DSS stand for?
Payment Card Industry Data Security Standard
What is the Payment Card Industry Data Security Standard (PCI DSS)?
An international security standard meant to ensure that organisations storing, accepting, processing, and transmitting credit card information do so in a secure environment
What is the aim of the Payment Card Industry Data Security Standard (PCI DSS)?
To reduce credit card fraud
What does HIPAA stand for?
The Health Insurance Portability and Accountability Act
What is the Health Insurance Portability and Accountability Act (HIPAA)?
A U.S. federal law established to protect patients’ health information
When was HIPAA established?
1996
What three rules is HIPAA governed by?
- Privacy
- Security
- Breach notification
What does HITRUST stand for?
Health Information Trust Alliance
What is the Health Information Trust Alliance (HITRUST)?
A security framework and assurance program that helps institutions meet HIPAA compliance
What is the name of a security framework and assurance program that helps institutions meet HIPAA compliance?
Health Information Trust Alliance (HITRUST)
What does ISO stand for?
International Organization for Standardization
Why was the International Organization for Standardization (ISO) created?
- To establish international standards related to technology, manufacturing, and management across borders
- To help organisations improve their processes and procedures for staff retention, planning, waste, and services
Who developed the System and Organizations Controls (SOC type 1, SOC type 2)?
The American Institute of Certified Public Accountants (AICPA) auditing standards board.
What are the System and Organizations Controls (SOC type 1, SOC type 2)?
A series of reports that focus on an organisation’s user access policies at different organisational levels
What are the System and Organizations Controls (SOC type 1, SOC type 2) used for?
Used to assess an organisation’s financial compliance and levels of risk.
They also cover:
- Confidentiality
- Privacy
- Integrity
- Security
- Overall data safety
When was the United States Presidential Executive Order 14028 released?
May 12th, 2021, by President Joe Biden
What are Security Ethics?
Guidelines for making appropriate decisions as a security professional.
What is the name given to guidelines for making appropriate decisions as a security professional?
Security Ethics
What are ethical principles in security?
- Confidentiality
- Privacy protections
- Laws
What are Laws?
Rules that are recognised by a community and enforced by a governing entity.
What is the name given to rules that are recognised by a community and enforced by a governing entity?
Laws
What is the name given to a person who is not a member of law enforcement who decides to stop a crime on their own?
Vigilante
What is a Vigilante?
A person who is not a member of law enforcement who decides to stop a crime on their own.
According to the International Court of Justice (ICJ), a person or group can deploy a counterattack if:
The counterattack…
- Will only affect the party that attacked first
- Is a direct communication asking the initial attacker to stop
- Does not escalate the situation
- Effects can be reversed
What does ICJ stand for?
International Court of Justice
Explain “Confidentiality” in relation to ethics
Relating to ethics, confidentiality means that there needs to be a high level of respect for privacy to safeguard private assets and data.
What is Privacy Protection?
Safeguarding personal information from unauthorised use.
What is the name given to safeguarding personal information from unauthorised use?
Privacy Protection
Explain Privacy Protection in relation to ethics
Security professionals hold an ethical obligation to
- secure private information
- identify security vulnerabilities
- manage organisational risks
- align security with business goals
Explain Laws in relation to ethics
Security professionals have an ethical obligation to protect their organisation, its internal infrastructure, and the people within the organisation.
What must security professionals do to fulfil their ethical responsibilities in relation to Laws?
- Remain unbiased and conduct work honestly, responsibly, and with the highest respect for the law.
- Be transparent and just, and rely on evidence.
- Ensure they are consistently invested in the work they are doing in order to appropriately and ethically address issues that arise.
- Stay informed and strive to advance their skills so they can contribute to the betterment of the cyber landscape