Module 11 - Security Governance Concepts Flashcards
List: Key roles in security governance
- Owner
- Controller
- Processor
- Custodian
List: Governance guidelines
- Structure to support corporate objectives
- Leverage expertise
- Establish policies, processes, and standards
- Change management
- Use automation and orchestration tools
List: Examples of global and regional privacy laws
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Information Security Management Act (FISMA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Privacy Act 1988 (Australia)
List: Sectors and corresponding cybersecurity laws - Healthcare
HIPAA, GDPR
List: Sectors and corresponding cybersecurity laws - Financial Services
Gramm-Leach-Bliley Act, PCI DSS
List: Sectors and corresponding cybersecurity laws - Telecommunications
Communications Assistance for Law Enforcement Act (CALEA)
List: Sectors and corresponding cybersecurity laws - Energy
North American Electric Reliability Corporation (NERC)
List: Sectors and corresponding cybersecurity laws - Education & Children
FERPA, CIPA, COPPA
List: Sectors and corresponding cybersecurity laws - Government
FISMA, CJIS, GSC
List: Examples of cybersecurity frameworks and regulations
- GDPR
- CCPA
- NIST
- ISO 27K
- CMMC
Define: Security governance
Manages:
- Cybersecurity risks
- Policies, standards, and guidelines
in order to protect assets and align security with organizational objectives.
Define: Centralized governance
A governance model where decision-making authority resides with a core group or department, promoting consistency and standardization across the organization.
Define: Decentralized governance
A governance model that distributes decision-making authority to different groups or departments, allowing tailored security practices based on localized needs.
Define: Hybrid governance
A governance structure combining centralized oversight with decentralized implementation, balancing standardization with flexibility.
Define: Owner (security role)
A high-ranking employee responsible for classifying data, determining access levels, and ensuring security measures align with business objectives.
Define: Controller (security role)
Defines the purposes and means of processing personal data, ensuring compliance. Related term: DPO (Data Protection Officer).
Define: Processor (security role)
An entity, such as a cloud service provider, that processes personal data on behalf of the controller, ensuring secure handling and compliance.
Define: Custodian (security role)
An entity, often the IT department, responsible for the safe custody, storage, and implementation of security controls for data.
Acronym: GDPR
General Data Protection Regulation
Acronym: CCPA
California Consumer Privacy Act
Acronym: HIPAA
Health Insurance Portability and Accountability Act
Acronym: FISMA
Federal Information Security Management Act
Acronym: NIST
National Institute of Standards and Technology
Acronym: CMMC
Cybersecurity Maturity Model Certification
Define: Policies
High-level, authoritative documents outlining an organization’s security commitment and guiding decision-making, risk mitigation, and compliance.
Define: Standards
Specific methods and outcomes used to implement technical and procedural requirements, ensuring consistency and compliance.
Define: Procedures
Step-by-step instructions detailing how to perform specific tasks aligned with standards and policies.
Define: Playbooks
Centralized, standardized strategies and tactics guiding personnel in operational consistency, quality improvement, and incident response.
Define: Acceptable Use Policy (AUP)
A policy defining acceptable user behavior regarding network and computer systems, including browsing, content, and software usage.
List: Common organizational policies
- Acceptable Use Policy (AUP)
- Information Security Policies
- Business Continuity & COOP
- Disaster Recovery
- Incident Response
- Software Development Life Cycle (SDLC)
- Change Management
List: Industry standards
- ISO/IEC 27001 (ISMS framework)
- ISO/IEC 27002 (detailed guidance on ISMS controls)
- ISO/IEC 27017 (cloud-specific extension)
- ISO/IEC 27018 (PII in public clouds)
- NIST SP 800-63 (digital identity)
- PCI DSS (payment card data)
- FIPS (cryptographic standards)
List: Internal security standards examples
- Password standards
- Access control standards
- Physical security standards
- Encryption standards
List: Key components of encryption standards
- Encryption algorithms
- Key length
- Key management
List: Benefits of playbooks
- Consistency in operations
- Knowledge sharing and continuity
- Risk mitigation and quality assurance
- Incident response and crisis management
Acronym: ISMS
Information Security Management System
Acronym: PCI DSS
Payment Card Industry Data Security Standard
Acronym: FIPS
Federal Information Processing Standards
Acronym: SDLC
Software Development Life Cycle
Compare: Policies vs. Standards
Policies define high-level rules for security and compliance, while standards provide specific methods to implement those rules.
Compare: Standards vs. Procedures
Standards define expected outcomes and configurations, while procedures detail the step-by-step tasks to achieve those outcomes.
Compare: Centralized vs. Decentralized security governance
Centralized governance centralizes decision-making for consistency, while decentralized governance allows localized control for flexibility.
What is the role of guidelines in security governance?
Guidelines provide flexible recommendations to steer actions and help individuals align with policies and improve effectiveness.
Why are playbooks critical for incident response?
Playbooks detail emergency procedures and contingency plans, helping teams respond quickly and effectively to security incidents.
How do standards support compliance?
Standards provide a measurable framework for implementing controls, ensuring regulatory requirements and best practices are met.
What is Change Management?
Change management is a systematic approach to managing changes in IT infrastructure to minimize risks and disruptions while maximizing value.
Define: Allow List in Change Management
An allow list specifies approved changes, software, or individuals to streamline the change management process.
Define: Deny List in Change Management
A deny list blocks unauthorized or high-risk changes, software, or actions to prevent unintended impacts.
What is Version Control?
Version control tracks and manages changes to documents, code, or configurations, ensuring consistency and providing rollback capabilities.
What are the steps in a typical change management approval process?
- Submit Request for Change (RFC)
- Review by change manager or committee
- Formal approval by stakeholders
- Implementation with testing and rollback plans
- Post-implementation review and documentation
What should every change request include?
Details of the change, reasons, potential impacts, a rollback plan, and documentation.
What are the critical elements of a change implementation plan?
- Testing procedures
- Rollback or remediation plans
- Scheduling to minimize downtime
- Stakeholder communication
How can allow and deny lists impact change management?
Allow lists streamline trusted changes; deny lists prevent risky changes. Improperly configured lists can disrupt software updates or patching.
What is the risk of dependencies in change management?
Changes to one system may unintentionally disrupt dependent systems, causing broader outages or downtime.
Which documents are impacted by change management?
- Change requests
- Policies and procedures
- System/process documentation
- Configuration management
- Training materials
- Incident response and recovery plans
How often should documentation be updated in change management?
Documentation should be updated whenever significant changes occur, ensuring accuracy and alignment with current processes.
What steps should be taken for a legacy system update?
- Extensive testing for compatibility
- Detailed implementation and rollback plans
- Use of virtualization or custom solutions
- Update documentation and ensure training
What factors must be considered for changes requiring downtime?
- Scheduling during maintenance windows
- Notifying stakeholders
- Mitigating impacts on dependent services
- Implementing post-change performance monitoring
Compare: Allowed vs. Blocked changes
Allowed changes are pre-approved, routine, or low-risk. Blocked changes are high-risk, unauthorized, or incompatible with systems.
Compare: Scheduled vs. Unscheduled Downtime
Scheduled downtime is planned for maintenance, minimizing disruption. Unscheduled downtime occurs unexpectedly due to issues or failures.
What are examples of changes requiring service restarts?
- Software upgrades and patches
- Configuration changes
- Infrastructure updates
- Security feature implementations
What is the role of stakeholders in change management?
Stakeholders review, approve, and provide insights into proposed changes to minimize risks and ensure alignment with objectives.
What is Automation in IT operations?
Automation uses software to perform repetitive, rule-based tasks like monitoring threats, applying patches, and maintaining baselines to improve efficiency and reduce errors.
What is Orchestration in IT operations?
Orchestration coordinates and streamlines automated processes across systems to enable seamless, integrated workflows in complex environments.
What is a Standard Baseline in Configuration Management?
A standard baseline is a predefined set of approved configurations used as a reference to maintain the desired state of a system.
What is the role of automation in change management?
Automation reduces human error, speeds up implementation, and provides clear audit trails for tracking changes.
How does orchestration improve incident response?
Orchestration automates threat detection, isolation, reporting, and ticket generation, reducing reaction times and enabling faster resolutions.
What are the key benefits of automation in security operations?
- Reduces operator fatigue
- Improves efficiency and accuracy
- Frees staff for strategic tasks
- Enforces standardized baselines
- Enhances threat detection and response
How does automation benefit infrastructure management?
Automation ensures consistency, saves time, enhances scalability, strengthens security, and simplifies auditing and compliance.
How can automation improve staff retention?
By reducing repetitive tasks, automation allows staff to focus on more rewarding and creative work, increasing job satisfaction.
What are the key challenges of implementing automation and orchestration?
- Complexity in integration
- High initial cost
- Risk of single points of failure
- Accruing technical debt
- Need for ongoing support and updates
What is Technical Debt in the context of automation?
Technical debt arises when automation tools are implemented hastily, resulting in poor documentation, brittle systems, and increased maintenance costs.
How can automation handle newly added hardware in a network?
Automation enforces standard configurations, ensuring new hardware is up-to-date, secure, and consistent with organizational policies.
What happens if a critical automated system fails?
It creates a single point of failure that can disrupt multiple areas, causing widespread operational problems.
Compare: Automation vs. Orchestration
Automation handles repetitive tasks independently, while orchestration coordinates automated tasks across systems to create integrated workflows.
How can orchestration reduce response times to security threats?
Orchestration automatically isolates affected systems, generates reports, notifies teams, and documents incidents without human intervention.
What is the importance of audit trails in automation?
Audit trails track automated changes and processes, supporting compliance, investigation, and transparency.