new ISC S1 Flashcards
NIST Cybersecurity Framework core functions
- Identify
- Protect
- Detect
- Respond
- Recover
NIST Privacy Framework core functions
- Identify
- Govern
- Control
- Communicate
- Protect
- Detect
- Respond
- Recover
NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations
- the standard for federal information systems
- a stricter standard than the Privacy Framework and the Cybersecurity Framework
- designed to protect at all costs against sophisticated threats
NIST SP 800-53 helps organizations identify their needs and manage risk in order to satisfy the following requirements:
- Office of Management and Budget (OMB) Circular A-130: requires controls for federal information systems
- Federal Information Security Modernization Act (FISMA): requires minimum controls to protect federal information systems
NIST SP 800-53 is divided into 20 control families
- AC - Access control
- AT - Awareness and training
- AU - Audit and accountability
- CA - Assessment, authorization and monitoring
- CM - Configuration management
- CP - Contingency planning (how is the company prepared for downtime)
- IA - Identification and authentication (how are identification and authentication managed)
- IR - Incident response
- MA - Maintenance
- MP - Media protection
- PE - Physical and environmental protection
- PL - Planning
- PM - Program management
- PS - Personnel security
- PT - Personally identifiable information processing and transparency
- RA - Risk assessment
- SA - System and services acquisition
- SC - System and communications protection
- SI - System and information integrity
- SR - Supply chain management
SP 800-53 has three control implementation approaches
- common (inheritable) controls (at the overall organization level)
- system-specific controls (at the information system level)
- hybrid controls
Privacy and data security standards
- HIPAA - Health Insurance Portability and Accountability Act
(portability means the ease of transfer or adaptation; accountability means being responsible and answerable for actions)
- GDPR - General Data Protection Regulation
- PCI DSS - Payment Card Industry Data Security Standard
HIPAA - Health Insurance Portability and Accountability Act
- governs the privacy of electronic protected health information
GDPR - General Data Protection Regulation (EU)
- regulates the privacy of all personal data
- applies to data processors based in the EU or providing services to those in the EU
GDPR - General Data Protection Regulation: six principles
- Lawfulness, fairness, transparency: in accordance with laws.
- Purpose limitation: can't use data for things it wasn't intended for.
- Data minimization: can't store anything more than what is necessary. Ex. SSN
- Accuracy: data must be accurate and kept updated.
- Storage limitation: can only store data for a limited time or as long as needed.
- Integrity and confidentiality: data must be processed securely and be protected.
PCI DSS - Payment Card Industry Data Security Standard: six goals
- build and maintain a secure network and systems
- protect account data
- maintain a vulnerability management program
- implement storage access control measures
- regularly monitor and test networks
- maintain an information security policy
CIS - Center for Internet Security
- recommendations and best practices for organizations to adopt in order to strengthen cybersecurity defenses
CIS Controls: three implementation groups
- IG1 (most basic) - small/medium-sized company
  - cybersecurity expertise is limited
  - data is not super sensitive: no PII, no PHI, no bank/credit info
  - the company cannot sustain long periods of downtime
  - similar to Tier 1 and Tier 2 of the NIST CSF (partial/risk-informed)
- IG2 (includes IG1) - mid-sized companies with advanced capabilities
  - have sensitive client data
  - can tolerate a little bit of downtime
  - based on reputation, so could lose trust in the event of a data breach
  - similar to Tier 3 (repeatable) of the NIST CSF
- IG3 (includes IG1 and IG2) - have many security experts across all domains of cybersecurity
  - large companies with highly sensitive data subject to compliance with standards
  - attacks on this company could cause significant damage to the company and the public
  - similar to Tier 4 (adaptive) of the NIST CSF
CIS Controls 1-9
- Control 01: inventory and control of enterprise assets: controls to help manage IT assets connected to the infrastructure, physically or virtually
- Control 02: inventory and control of software assets (operating systems, applications): controls that give guidance on finding unmanaged and unauthorized software
- Control 03: data protection
- Control 04: secure configuration of enterprise assets and software: firewalls, data loss
- Control 05: account management
- Control 06: access control management
- Control 07: continuous vulnerability management
- Control 08: audit log management
- Control 09: email and web browser protections
CIS Control 01: inventory and control of enterprise assets
- controls to help manage IT assets connected to the infrastructure, physically or virtually (i.e. devices)
CIS Control 05: account management
- manage credentials/authorization for accounts
CIS Control 06: access control management
- granting and revoking access based on job duties
CIS Control 10: malware defenses
- assists companies in preventing the installation of malware on company assets
- anti-malware solutions
CIS Control 11: data recovery
- establish data backup, testing and restoration to recover assets to a pre-incident state
- automating the backup process, utilizing off-site storage
CIS Control 12: network infrastructure management
- establish procedures/tools for managing the company's network infrastructure (i.e. physical/virtual devices like firewalls, gateways, routers, switches, access points)
- ensure the network components are up to date
- continuously identify and remediate insecure default network configuration settings
- sanity check (a sanity check ensures hardware/software works flawlessly)
CIS Control 13: network monitoring and defense
- establishes processes for monitoring and defending a company's network infrastructure
- two ways a network can be attacked: Denial of Service (DoS) attacks (overloading it so that it becomes effectively useless) and ransomware
CIS Control 14: security awareness and skills training
- guides organizations in establishing security awareness/training programs to reduce cyber risk
CIS Control 15: service provider management (SOC)
- this control helps organizations develop processes to evaluate third-party service providers
CIS Control 16: application software security
- manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise
- bug bounty program (people are paid for finding flaws)
CIS Control 17: incident response management
- provides the recommendations necessary to establish an incident response management program to detect, respond to, and prepare for potential cyber attacks
- legal regulations: HIPAA, GDPR (EU)
CIS Control 18: penetration testing
- simulates a real-world cyberattack to identify vulnerabilities that could be exploited (exploitation refers to the act of taking advantage of a vulnerability, flaw, or weakness in a system, software, or network to gain unauthorized access or control)
- different from Control 07: vulnerability testing focuses on detecting potential flaws without exploiting them
Six principles for a governance system
- provide stakeholder value
- holistic approach
- dynamic governance system
- governance distinct from management
- tailored to enterprise needs
- end-to-end governance system
Three principles for a governance framework
- based on a conceptual model: governance frameworks should identify key components as well as the relationships between those components, to allow for greater automation and maximize consistency
- open and flexible
- aligned to major standards
COBIT core model
- Governance objectives
- Management objectives
Governance objectives:
- Evaluate, Direct and Monitor (EDM) - the only governance domain
- Ensured benefits delivery
- Ensured governance framework setting
- Ensured risk optimization (important)
- Ensured resource optimization
- Ensured stakeholder engagement (important)
Management objectives (four domains)
- Align, Plan and Organize (APO)
- Build, Acquire and Implement (BAI)
- Deliver, Service and Support (DSS)
- Monitor, Evaluate and Assess (MEA)
Management objective: Align, Plan and Organize
- focuses on aligning information technology's overall strategy, planning how to utilize technology in the business, and organizing the resources for their most effective usage
- managed data is one of the most significant objectives in this domain
Management objective: Build, Acquire and Implement (BAI)
- addresses the building, acquiring, and implementation of information technology solutions in the organization's business processes
Management objective: Deliver, Service and Support
- addresses the delivery, service and support of IT services
Management objective: Monitor, Evaluate and Assess
- addresses information technology's conformance to the company's performance targets and control objectives, along with external requirements