NOT Priority Flashcards
Domains of ISO/IEC 27001 (Annex A control areas, 2013 edition)
Information security policies
Organization of information security
Human resource security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development, and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance
NIST SP 800-53 Control Families (Rev. 4; Rev. 5 adds PT and SR)
AC: Access Control
AT: Awareness and Training
AU: Audit and Accountability
CA: Security Assessment and Authorization
CM: Configuration Management
CP: Contingency Planning
IA: Identification and Authentication
IR: Incident Response
MA: Maintenance
MP: Media Protection
PE: Physical and Environmental Protection
PL: Planning
PS: Personnel Security
RA: Risk Assessment
SA: System and Services Acquisition
SC: System and Communications Protection
SI: System and Information Integrity
PM: Program Management
List the primary set of regulations, standards, and guidelines that impact cloud computing
ISO/IEC 27001 (ISMS requirements)
ISO/IEC 27002 (code of practice for security controls)
ISO/IEC 27017 (cloud-specific security controls)
SOC 1, SOC 2, and SOC 3
PCI DSS
HIPAA
NIST SP 800-53 and FedRAMP
NIST SP 800-145 (definition of cloud computing)
ISO/IEC 17789 (cloud computing reference architecture)
ISO/IEC 17788 (cloud computing overview and vocabulary)
TCI Reference Model
Trusted Cloud Initiative (TCI) Reference Model
The TCI reference model, a Cloud Security Alliance initiative, is a guide for cloud providers that lets them build a holistic architecture (the physical facility of the data center, the logical layout of the network, and the processes needed to operate both) that cloud customers can purchase and use with confidence.
EU Privacy Principle - Collection Limitation Principle
There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
EU Privacy Principle - Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date.
EU Privacy Principle - Purpose Specification Principle
The purposes for which personal data are collected should be specified no later than at the time of data collection, and subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of a change of purpose.
EU Privacy Principle - Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except:
a. with the consent of the data subject
b. by the authority of the law
EU Privacy Principle - Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
EU Privacy Principle - Openness Principle
There should be a general policy of openness about developments, practices, and policies with respect to personal data.
Means should be readily available for establishing the existence and nature of personal data, the main purposes of their use, and the identity and usual residence of the data controller.
EU Privacy Principle - Individual Participation Principle
Individuals should have the right:
a. to obtain from the data controller, or otherwise, confirmation of whether or not the data controller has data relating to them;
b. to have communicated to them data relating to them, within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to them;
c. to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d. to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
EU Privacy Principle - Accountability Principle
A data controller should be accountable for complying with the measures that give effect to the principles stated above.
EU Privacy Principle - The Right to be Forgotten/Erased (GDPR Article 17)
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller is obliged to erase the personal data without undue delay if one of a number of conditions applies (for example, the data are no longer necessary for the purpose they were collected for, or consent is withdrawn).
"Without undue delay" means within one month of the request under GDPR Article 12, extendable by a further two months for complex or numerous requests, provided the data subject is told of the extension within the first month.
The controller must take reasonable steps to verify that the person requesting erasure is actually the data subject before acting on the request.
Privacy Maturity Model (PMM)
A maturity model for demonstrating an organization's capability maturity in protecting PII. It was created by the AICPA and CICA (the American and Canadian CPA standards organizations), uses their Generally Accepted Privacy Principles (GAPP) as its criteria, and borrows its maturity levels from the Capability Maturity Model (CMM) approach developed at the Carnegie Mellon University Software Engineering Institute (SEI).
HIPAA
The handling and protection of protected health information (PHI) in the US is governed by the Health Insurance Portability and Accountability Act.
HIPAA controls who can access PHI and under what circumstances they can do so. It also regulates data retention, archiving, and the administrative, physical, and technical safeguards covered entities and their business associates must maintain.
Cardholder data
Cardholder data is a specific subset of PII relating to holders of credit or debit cards. It includes the primary account number (PAN), cardholder name, expiration date, and any other information that can identify a particular cardholder. Security codes (CVV/CVC), full magnetic-stripe or chip track data, and PINs are classified by PCI DSS as sensitive authentication data, which may never be stored after authorization, even if encrypted.
Describe US Data Jurisdiction Requirements
Strong protections for intellectual property.
Privacy is handled through industry-specific legislation (GLBA for banking/insurance, HIPAA for medical care, and so forth) or through contractual obligations (PCI DSS), rather than one comprehensive federal privacy law.
Many strong, granular data breach notification laws, enacted at the state level (every state now has one), each with its own thresholds and timelines.
Describe Europe Data Jurisdiction Requirements
Europe provides good intellectual property protections. It has massive, exhaustive, comprehensive personal privacy protections, including the EU General Data Protection Regulation.
Describe Asia Data Jurisdiction Requirements
Disparate levels of intellectual property protection across the region.
Japan's Act on the Protection of Personal Information (APPI) follows the EU model, and Singapore's Personal Data Protection Act (PDPA) does the same.
In China, all IT traffic and communications must be accessible to the Chinese government, which affects any data stored or transmitted there.
Describe South/Central America Data Jurisdiction Requirements
Various intellectual property mechanisms, varying by country.
Argentina's Personal Data Protection Act correlates directly with EU legislation, and Argentina holds an EU adequacy decision allowing personal data transfers from the EU.
Describe Australia/New Zealand Data Jurisdiction Requirements
Strong intellectual property protections and very strong privacy protections, with the Australian Privacy Act (and its Australian Privacy Principles) closely aligned with the EU model.
Cloud Security Alliance 2019 “Egregious Eleven” Threats?
Data breaches
Misconfiguration and inadequate change control
Lack of cloud security architecture and strategy
Insufficient identity, credential, access, and key management
Account hijacking
Insider threat
Insecure interfaces and APIs
Weak control plane
Metastructure and applistructure failures
Limited cloud usage visibility
Abuse and nefarious use of cloud services
What should be known in order to decide how to handle risk within an organization?
What are these same steps also applied to?
An inventory of all assets (Inventory Assets)
A valuation of each asset (Valuation of Assets)
A determination of the critical paths, processes, and assets without which the organization could not operate (Determination of Criticality)
A clear understanding of the organization's risk appetite
The same inventory, valuation, and criticality steps are the inputs to a business impact analysis (BIA).
What should you expect about Cloud Provider services with respect to Single Points of Failure (SPOF)?
In a cloud environment, customers should expect that the provider has no SPOFs within their facilities and architecture; part of the benefit of moving to the cloud is the ability of cloud providers to offer a robust and resilient service that is not susceptible to failures due to SPOFs.
Are all SPOFs critical assets of an organization?
No. A single point of failure is only a critical asset if the process it supports is critical to the organization's operation; a SPOF in a non-essential system is a resilience weakness but not a critical asset.
How should cloud resources be treated that is comparable to traditional IT environments/architecture?
It is best to treat all resources in a cloud environment as if they are in the DMZ and harden them accordingly.
The cloud provider should ensure that all devices in the data center are secured such that which conditions are met?
All devices should be hardened:
All guest accounts are removed
All unused ports are closed.
No default passwords remain.
Strong password policies are in effect.
Any admin accounts are significantly secured and logged.
All unnecessary services are disabled.
Physical access is severely limited and controlled.
Systems are patched, maintained, and updated according to vendor guidance and industry best practices.
What risks should cloud customers focus on?
Customers must bear in mind the risks related to the way they access the cloud, which often takes the form of a bring your own device (BYOD) environment and always involves remote access.
What can be done by the CSP or customer to prevent data breaches?
- Understand the CSP's shared responsibility model and which data-protection duties fall to the customer
- Intrusion detection and incident response management
- CSPs should be transparent about what they do to prevent data breaches and what the customer must do
- Prevent misconfiguration and enforce adequate change control
Examples of misconfiguration
Default credentials and settings
Excessive permissions
Lack of basic security hygiene
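As an added example (not part of the original flashcards), the following Python audit turns the hardening checklist above (guest accounts removed, no default passwords, unnecessary services disabled) and the misconfiguration examples (default credentials, excessive permissions) into checks that run over constructed inputs. The default-credential list, the allowed-service baseline, the sample accounts, and the sample AWS-style IAM policy JSON are all constructed for illustration; the policy format is the real IAM document structure, but the policy itself is hypothetical.

```python
# Added example, not from the original notes: audit constructed host and
# cloud inputs against the hardening checklist and misconfiguration classes.
from typing import Dict, List, Union

# Constructed default-credential list (hypothetical pairs, not a vendor database).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "toor"),
    ("guest", "guest"),
}

# Constructed baseline: services a hardened host in this environment may expose.
ALLOWED_SERVICES = {"sshd", "chronyd"}


def find_default_credentials(accounts: List[Dict[str, str]]) -> List[str]:
    """Names of accounts still set to a (user, password) pair from the default list."""
    return [a["user"] for a in accounts
            if (a["user"], a.get("password", "")) in DEFAULT_CREDENTIALS]


def find_guest_accounts(accounts: List[Dict[str, str]]) -> List[str]:
    """Names of guest accounts, which the checklist says must be removed."""
    return [a["user"] for a in accounts if a["user"].lower().startswith("guest")]


def find_unnecessary_services(listening: List[str]) -> List[str]:
    """Listening services outside the allowed baseline (sorted for stable output)."""
    return sorted(set(listening) - ALLOWED_SERVICES)


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    # IAM-style policies allow a single string or a list; normalise to a list.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def find_excessive_permissions(policy: dict) -> List[str]:
    """Flag Allow statements that grant every action ("*"), every action of a
    service ("svc:*"), or apply to every resource; Deny statements are skipped."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad:
            findings.append(f"statement {idx}: wildcard action(s) {broad}")
        if "*" in resources:
            findings.append(f"statement {idx}: wildcard resource")
    return findings


def audit(accounts: List[Dict[str, str]], policy: dict,
          listening: List[str]) -> Dict[str, List[str]]:
    """Run every check and return findings keyed by checklist item."""
    return {
        "default_credentials": find_default_credentials(accounts),
        "guest_accounts": find_guest_accounts(accounts),
        "unnecessary_services": find_unnecessary_services(listening),
        "excessive_permissions": find_excessive_permissions(policy),
    }


# Constructed sample inputs: two bad accounts, one stray service, one broad policy.
SAMPLE_ACCOUNTS = [
    {"user": "admin", "password": "admin"},
    {"user": "guest", "password": "guest"},
    {"user": "deploy", "password": "correct-horse-battery-staple"},
]
SAMPLE_SERVICES = ["sshd", "chronyd", "telnet"]
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed sample and return the findings dict."""
    return audit(SAMPLE_ACCOUNTS, SAMPLE_POLICY, SAMPLE_SERVICES)


if __name__ == "__main__":
    for item, hits in run_sample().items():
        print(f"{item}: {hits or 'OK'}")
```

On the sample, the audit reports admin and guest as default credentials, guest as an account to remove, telnet as a service outside the baseline, and statement 1 of the policy for both its s3:* action and its "*" resource; the Deny statement with wildcards is not a finding because it restricts rather than grants. Real deployments would feed the same functions from the host's account database, a port scan or systemd listing, and the policies pulled from the cloud provider's IAM API.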