NOT Priority Flashcards

1
Q

Domains of ISO 27001

A
Information security policies 
Organization of information security 
Human resource security 
Asset management 
Access control 
Cryptography 
Physical and environmental security 
Operations security 
Communications security 
System acquisition, development, and maintenance 
Supplier relationships 
Information security incident management
Information security aspects of business continuity management 
Compliance
2
Q

NIST Control Families

A
AC: Access Control
AT: Awareness and Training 
AU: Audit and Accountability 
CA: Security Assessment and Authorization 
CM: Configuration Management 
CP: Contingency Planning 
IA: Identification and Authentication 
IR: Incident Response 
MA: Maintenance 
MP: Media Protection 
PE: Physical and Environmental Protection 
PL: Planning 
PS: Personnel Security 
RA: Risk Assessment 
SA: System and Services Acquisition
SC: System and Communications Protection 
SI: System and Information Integrity 
PM: Program Management
3
Q

List the primary set of regulations, standards, and guidelines that impact cloud computing

A
ISO/IEC 27001 
ISO/IEC 27002 
ISO/IEC 27017 
SOC 1, SOC 2, and SOC 3 
PCI DSS 
HIPAA 
NIST SP 800-53 and FedRAMP
NIST 800-145
ISO 17789
ISO 17788
4
Q

TCI Reference Model

A

Trusted Cloud Initiative (TCI) Reference Model

The TCI reference model is a guide for cloud providers, allowing them to create a holistic architecture (including the physical facility of the data center, the logical layout of the network, and the processes necessary to utilize both) that cloud customers can purchase and use with comfort and confidence.

5
Q

EU Privacy - Collection Limitation Principle

A

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and where appropriate with the knowledge or consent of the data subject

6
Q

EU Privacy - Data Quality Principle

A

Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date

7
Q

EU Privacy Principle - Purpose Specification

A

The purposes for which personal data are collected should be specified no later than at the time of data collection, and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of a change of purpose

8
Q

EU Privacy Principle - Use Limitation Principle

A

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except:

a. with the consent of the data subject
b. by the authority of the law

9
Q

EU Privacy Principle - Security Safeguard Principle

A

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data

10
Q

EU Privacy Principle - Openness Principle

A

There should be a general policy of openness about developments, practices, and policies with respect to personal data

Means should be readily available for establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

11
Q

EU Privacy Principle - Individual Participation Principle

A

Individuals should have the right to:

a. obtain from the data controller, or otherwise, confirmation of whether or not the data controller has data relating to them
b. have communicated to them data relating to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to them
c. be given reasons if a request made under subparagraphs a and b is denied, and be able to challenge such denial; and
d. challenge data relating to them and, if the challenge is successful, have the data erased, rectified, completed, or amended

12
Q

EU Privacy Principle - Accountability Principle

A

A data controller should be accountable for complying with measures which give effect to the principles stated above

13
Q

EU Privacy Principle - The Right to be Forgotten/Erased

A

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if one of a number of conditions applies

Undue delay is considered about a month

Reasonable steps must be taken to verify the person requesting erasure is the actual data subject

14
Q

Privacy Maturity Model (PMM)

A

A maturity model for demonstrating an organization's capability maturity around protecting PII, created by AICPA and CICA (the American and Canadian CPA standards organizations), based on the Capability Maturity Model standard (SSE-CMM) by Carnegie Mellon University's Software Engineering Institute (SEI)

15
Q

HIPAA

A

The handling and protection of PHI is governed by the Health Insurance Portability and Accountability Act

HIPAA controls who can access PHI and under what circumstances they can do so. HIPAA also regulates things like data retention, archiving, and other physical and technical safeguards

16
Q

Cardholder data

A

Cardholder data is a specific subset of PII that is related to holders of credit or debit cards. This data includes information such as the primary account number (PAN), security codes, expiration dates, and any other information that can be used to identify a particular individual cardholder.

17
Q

Describe US Data Jurisdiction Requirements

A

Strong protections for intellectual property.

Industry-specific legislation (GLBA for banking/insurance, HIPAA for medical care, and so forth) or contractual obligations (PCI).

Many strong, granular data breach notification laws.

18
Q

Describe Europe Data Jurisdiction Requirements

A

Europe provides good intellectual property protections. It has massive, exhaustive, comprehensive personal privacy protections, including the EU General Data Protection Regulation.

19
Q

Describe Asia Data Jurisdiction Requirements

A

Disparate levels of intellectual property protection.
With its Act on the Protection of Personal Information, Japan adheres to the EU model, and Singapore does the same.

All IT traffic and communications in China must be accessible by the Chinese government.

20
Q

Describe South/Central America Data Jurisdiction Requirements

A

Various intellectual property mechanisms.

Argentina, with its Personal Data Protection Act, is in direct correlation with the EU legislation.

21
Q

Describe Australia/New Zealand Data Jurisdiction Requirements

A

Strong intellectual property protections and very strong privacy protections, with the Australian Privacy Act mapping directly to the EU statutes.

22
Q

Cloud Security Alliance 2019 “Egregious Eleven” Threats?

A

Data breaches
Misconfiguration and inadequate change control
Lack of cloud security architecture and strategy
Insufficient identity, credential, access, and key management
Account hijacking
Insider threat
Insecure interfaces and APIs
Weak control plane
Metastructure and applistructure failures
Limited cloud usage visibility
Abuse and nefarious use of cloud services

23
Q

What should be known in order to decide how to handle risk within an organization?

What are these steps also applied to?

A

An inventory of all assets (Inventory Assets)
A valuation of each asset (Valuation Assets)
A determination of the critical paths, processes, and assets without which the organization could not operate (Determination of Criticality)
A clear understanding of risk appetite

BIA (Business Impact Analysis)

24
Q

What should you expect about Cloud Provider services with respect to Single Points of Failure (SPOF)?

A

In a cloud environment, customers should expect that the provider has no SPOFs within their facilities and architecture; part of the benefit of moving to the cloud is the ability of cloud providers to offer a robust and resilient service that is not susceptible to failures due to SPOFs.

25
Q

Are all SPOFs critical assets of an organization?

A

No.

26
Q

How should cloud resources be treated that is comparable to traditional IT environments/architecture?

A

It is best to treat all resources in a cloud environment as if they are in the DMZ and harden them accordingly.

27
Q

The cloud provider should ensure that all devices in the data center are secured such that what conditions are met?

A

All devices should be hardened:

All guest accounts are removed
All unused ports are closed.
No default passwords remain.
Strong password policies are in effect.
Any admin accounts are significantly secured and logged.
All unnecessary services are disabled.
Physical access is severely limited and controlled.
Systems are patched, maintained, and updated according to vendor guidance and industry best practices.

28
Q

What risks should cloud customers focus on?

A

Customers must bear in mind the risks related to the way they access the cloud, which often takes the form of a bring your own device (BYOD) environment and always involves remote access.

29
Q

What can be done by the CSP or customer to prevent data breaches?

A
  1. Understand the CSP's shared responsibility model for protecting data
  2. Intrusion detection and incident response management
  3. CSPs should be transparent about what they do to prevent data breaches and what the customer must do
  4. Prevent misconfiguration and inadequate change control
30
Q

Examples of misconfiguration

A

Default credentials and settings
Excessive permissions
Lack of basic security hygiene

31
Q

What should you consider when mitigating threats to IAM and key management?

A

Use strong passwords and multifactor authentication to protect access to sensitive data.

Understand your cloud provider’s IAM services and examine the tradeoffs between on-prem and cloud-native IAM solutions. Along these lines, you should understand your CSP’s ability to support federated identity and what that means for your organization.

Practice least privilege and allow only the minimal amount of access for cloud users.

Remove unused credentials to minimize exposure through unnecessary accounts.

Develop a robust key management plan that includes key rotation (automatic, where feasible)

32
Q

What can be used to combat/mitigate limited cloud usage visibility?

A

Cloud Access Security Brokers (CASBs) can play a role in controlling which applications are in use and analyzing the activities within a cloud environment.

Web Application Firewalls (WAFs) are also helpful in providing awareness of connections to cloud services, including analysis of activities and identification of malicious trends.

Training and awareness programs that inform employees how to properly use authorized cloud resources.

33
Q

Cloud based disaster recovery (DR) and business continuity (BC) planning considerations?

A

Understand how the shared responsibility model applies to BCP/DR.

Understand any supply chain risks that exist (for example, vendor or third-party factors that may impact your ability to conduct BCP/DR activities).

Consider the need to keep backups offsite or with another CSP.

Ensure that SLAs cover all aspects of BCP/DR that concern your organization, including RPOs, RTOs, points of contact, roles and responsibilities, and so on.

SLAs should clearly describe requirements for redundancy and failover, as well as address mitigating single points of failure in the cloud environment.

34
Q

What are considerations in a typical cost benefit analysis of migrating to the cloud?

A
  1. Demand Trends - Steady vs. cyclical demand
  2. Staffing - CapEx vs OpEx
  3. Losing or decreasing ownership and control
  4. Organizational focus
35
Q

Privacy Shared Concerns in the cloud?

A

A major challenge for cloud environments

There are currently no international directives, laws, or regulations; each country or group of countries might have its own specific directives or no directives at all

36
Q

IaaS Security Considerations/Concerns?

A
  1. Colocation and multitenancy - assume your systems and data are colocated with other tenants and protect them accordingly
  2. VM attacks - CSP is responsible for preventing, detecting, and responding to malicious activity between VMs
  3. Hypervisor attacks - expose the host and all VMs and their hosted apps - VM escape
  4. Network security - virtual networks, fewer physical endpoints, single point of access - limited NICs shared by all VMs
  5. Denial of Service attacks
  6. Loss of control - lack of control over where VMs are located or what data is running on them
37
Q

PaaS Security Considerations?

A
  1. Resource Isolation - if a customer is able to break out of isolation, other customers can be negatively impacted; CSP should NOT give shell access to CSC on host VM
  2. User Permissions - each tenant/service must be allowed to manage user level permissions
  3. User access management - balance quick provisioning vs proper and secure authentication and authorization; ensure good administration e.g. provisioning and deprovisioning; good intel - monitor, report based on policy, audit, analyze
  4. Malware, backdoors, and other malicious threats - Autoscaling can grow impacts and damages of malware
38
Q

SaaS Security Considerations?

A
  1. Data commingling - multitenancy means application vulnerabilities (e.g. XSS, SQL injection, etc.) can potentially expose all customers' data; ensure the SaaS has data segregation
  2. Data access policies - customer should compare SaaS solution vs org data access policies to ensure org data is protected in SaaS solution; ensure access is monitored, logged and reviewed
  3. Web Application security - SaaS is exposed to the internet so vulnerable to attack
39
Q

Why does cloud make compliance with laws more complex?

A

The cloud provider, a third-party processor, is introduced in the cloud
Questions arise around jurisdiction: where does the data physically reside, because that impacts the laws the customer must follow

40
Q

What can CSPs and customers do to mitigate the threat of Unauthorized access or usage?

A

CSP
Require multiple parties to approve access to customer data, where possible
Mechanism to detect access to customer data and processes to validate access was legitimate

Customers
Use Hardware Security Modules, where possible

41
Q

DLP considerations in cloud

A
  1. Highly distributed and replicated cloud data
  2. Performance will be negatively impacted
  3. DLP implementations in the cloud are expensive because of the pay-for-what-you-use model
42
Q

Data Controls

A

how to PROTECT/RESTRICT access to Actors by Function, if not authorized, to uphold confidentiality

e.g. use DRM/IRM to protect enterprise data when used or shared

43
Q

IRM Tool Traits

A

IRM uses data tags/labels or metadata

Rudimentary Reference Checks

Online Reference Checks

Local Agent Checks

Presence of Licensed Media

Support-Based Licensing

44
Q

Rudimentary Reference Checks of IRM tool

A

The content itself can automatically check for proper usage or ownership. e.g. authz granted for book tests based on contents of book

45
Q

Online Reference Checks

A

requires user to enter product key that is checked against online database to unlock the product

46
Q

Local Agent Checks

A

user installs reference tool that checks the protected content against the user’s license

47
Q

Presence of Licensed Media

A

Some IRM tools require the presence of licensed media, such as disks, in the system while the content is being used. The IRM engine is on the media, often installed with a cryptographic engine that identifies the unique disk and the licensed content and allows usage based on that relationship.

48
Q

Support-Based Licensing

A

IRM implementations predicated on the need for continual support for content; this is particularly true of production software. Licensed software might be allowed ready access to updates and patches, while the vendor could prevent unlicensed versions from getting this type of support.

49
Q

Data Processing

A

Processing is anything that can be done to data: copying it, printing it, destroying it, utilizing it.

50
Q

Cloud secure data lifecycle

A
  1. Create. Data is either generated from scratch or existing data is modified/updated.
  2. Store. Data is saved into a storage system or repository.
  3. Use. Data is processed by a user or application.
  4. Share. Data is made accessible by other users or systems.
  5. Archive. Data is transferred from readily accessible storage to a more long-term, static storage state.
  6. Destroy. Data is deleted and removed from storage, making it permanently inaccessible and unusable.
51
Q

CSP responsibilities in SaaS?

A
  1. Data segmentation using encryption and other tech
  2. Conducting vulnerability scans and pen testing to identify and fix findings before they are exploited

52
Q

CSA Enterprise Architecture - Description

A

Cloud Security Alliance Enterprise Architecture is both a methodology and a set of tools that enable security architects, EAs, and risk management professionals to leverage a common set of solutions to fulfill their common needs to be able to assess where their internal IT and cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of the business.

53
Q

CSA Enterprise Architecture - Components

A

Business Operations Support Services (BOSS)
Information Technology Operation and Support (ITOS)
Services (Presentation, Application, Information, and Infrastructure)
Security and Risk Management

54
Q

What type of disasters should you be concerned with as a security professional?

A

Malicious cyber attacks
Accidental disruptions
Natural disasters
Major system failures

55
Q

Incident Response Lifecycle

A

steps taken before, during and after an incident

56
Q

Tenant

A

One or more cloud service users sharing access to a set of cloud resources

57
Q

Sub-roles of the cloud service provider per ISO 17789?

A
Operations Manager
Deployment Manager
Cloud Service Manager
Business Manager
Customer Support
Intercloud Provider
Security & Risk Manager
Network Provider
58
Q

Regulators

A

The entities that ensure organizations are in compliance with the regulatory framework for which they’re responsible. These can be government agencies, certification bodies, or parties to a contract.

For example the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and auditors commissioned to review compliance with contracted or asserted standards (such as PCI DSS and ISO)

59
Q

Cloud service operations manager?

Standard role is defined in?

A

Oversees and manages the operation and performance of cloud services provided to customers.

Prepares systems, monitors services, provides audit data

ISO 17789 CSP Role

60
Q

Technical account manager

A

Provides account support and high-level technical guidance to cloud customers.

61
Q

Deployment manager?

Standard role is defined in?

A

Define environment and processes
Define and gather metrics
Define deployment steps

ISO 17789

62
Q

Cloud Service Manager?

Standard role is defined in?

A

Provide service
Deploy and provision service
Service Level Management

ISO 17789

63
Q

Business Manager?

Standard role is defined in?

A

Manage business plan, customer relations and financial processing

ISO 17789

64
Q

Customer Support?

Standard role is defined in?

A

Handles customer requests

ISO 17789

65
Q

Intercloud Provider?

Standard role is defined in?

A

Manage peer cloud services, perform peering, federation, intermediation, aggregation and arbitrage

ISO 17789

66
Q

Security & Risk Manager?

Standard role is defined in?

A

Manage security and risk
Design/Implement service continuity
Ensure compliance

ISO 17789

67
Q

Network Manager?

Standard role is defined in?

A

Provide Network connectivity
Deliver network services and network management services

ISO 17789

68
Q

List subroles of Cloud Service Customer (CSC) of ISO 17789

A

Cloud Service User
Cloud Service Administrator
Cloud Service Business Manager
Cloud Service Integrator

69
Q

Cloud Service Admin?

Standard and Type of subrole?

A

Monitor service,
Administer security, billing and usage

ISO 17789 CSC Role

70
Q

Cloud Service Business Manager

Standard and Type of subrole?

A

Purchase Service
Request audit reports

ISO 17789 CSC Role

71
Q

Cloud Service Integrator?

Standard and Type of subrole?

A

Connect systems to the cloud

ISO 17789 CSC Role

72
Q

List subroles of Cloud Service Partner (CSN) of ISO 17789

A

Cloud Service Developer
Cloud Auditor
Cloud Service Broker/Cloud Access Security Broker

73
Q

Cloud Service Developer

Standard and Type of subrole?

A

Design, create, maintain service components
Compose and test services

ISO 17789 CSN Role

74
Q

Cloud Service Backup Provider

Is this role part of a security standard? If so which one?

A

A third party that manages cloud-based backup responsibilities

ISO 17789 Role

75
Q

Cloud Computing Adoption Lifecycle

A
Cloud Proof of Concept
Cloud Strategy and Roadmap Adoption
Cloud Modeling and Architecture Adoption
Cloud Implementation Planning
Cloud Implementation
Cloud Expansion
Cloud Integration and Interoperability
Cloud Collaboration
Cloud Steady State
76
Q

What guidelines should be considered when implementing a cloud solution for the enterprise

A
  1. Involve all stakeholders in the process of aligning the business and legal requirements
  2. Establish common objectives for supporting and achieving cloud management practices
  3. Monitor, review, and update documented cloud management policies and procedures