Other Standards Flashcards

1
Q

SOC

A

Service Organization Controls

A reporting framework that gives organizations the flexibility to be audited based on the needs of the particular organization.

Audit reports are performed in accordance with the Statements on Standards for Attestation Engagements (SSAE).

Audits are performed by CPAs.

2
Q

AICPA

A

American Institute of Certified Public Accountants

Manages the SSAE (Statements on Standards for Attestation Engagements)

SOC reports align to SSAE 18

3
Q

SOC 1

A

SOC 1 is a control report that focuses strictly on an organization’s financial reporting controls.

Primarily used by auditors and controllers’ offices.

Extra info:
statements and a service organization’s controls that can impact a customer’s financial statements. A service organization that performs payroll or credit card processing would require a SOC 1 report.

4
Q

SOC 2

A

SOC 2 reports evaluate an organization based on AICPA’s five “Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality, and Privacy.” These reports are restricted to regulators and the company’s management team, and are usually only shared under an NDA and a provider engagement (no contract and NDA, no SOC 2).

SOC 2 reports are tightly controlled, due to the sensitivity of their contents.

5
Q

SOC 3

A

SOC 3 takes the same information contained in a SOC 2 report, but sensitive data about controls and tests is removed. In essence, a SOC 3 report will indicate whether an organization has demonstrated each of the five Trust Services Principles. SOC 3 reports are intended to be publicly available (usually for marketing).

6
Q

PCI DSS - Description, Why was it created, What does it contain?

A

Payment Card Industry Data Security Standard

An information security standard that governs all organizations that accept, store, or transmit branded cardholder (credit/debit) data and/or sensitive authentication data from the major credit card companies (VISA, MC, AMEX, Discover).

There are 6 goals broken down into 12 requirements that an organization must meet to fulfill PCI DSS.

Seeks to standardize controls around cardholder data to reduce credit card fraud.

7
Q

List Goals of PCI DSS aligned to requirements

A
  1. Build and maintain a secure network and systems
    1: Install and maintain a firewall configuration to protect cardholder data.
    2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  2. Protect cardholder data
    3: Protect stored cardholder data.
    4: Encrypt transmission of cardholder data across open, public networks.
  3. Maintain a vulnerability management program
    5: Protect all systems against malware and regularly update anti-virus software or programs.
    6: Develop and maintain secure systems and applications.
  4. Implement strong access control measures
    7: Restrict access to cardholder data by business need to know.
    8: Identify and authenticate access to system components.
    9: Restrict physical access to cardholder data.
  5. Regularly monitor and test networks
    10: Track and monitor all access to network resources and cardholder data.
    11: Regularly test security systems and processes.
  6. Maintain an information security policy
    12: Maintain a policy that addresses information security for all personnel.
8
Q

FedRAMP

A

Federal Risk and Authorization Management Program: a US government-wide program established to create a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services.

Enforces NIST guidelines for any CSP that provides services to the USG.

9
Q

NIST 800-145 Definition of Cloud Computing

A

Cloud computing is a MODEL for enabling ubiquitous, convenient, ON DEMAND NETWORK ACCESS to a SHARED POOL of configurable computing resources that can be rapidly PROVISIONED and released with MINIMAL management effort or SERVICE PROVIDER interaction.

10
Q

List the viewpoints of the ISO 17789 CCRA

A

User View
Functional View
Implementation View
Deployment View

11
Q

ISO 17789 CCRA User View

A

The system context, the parties, roles and sub-roles, and cloud computing activities.

12
Q

ISO 17789 CCRA Functional View

A

The functions necessary for the support of cloud computing activities.

13
Q

ISO 17789 CCRA Implementation View

A

The functions necessary for the implementation of a cloud service within service parts and/or infrastructure parts.

14
Q

ISO 17789 CCRA Deployment View

A

How the functions of a cloud service are technically implemented within already existing infrastructure or within new elements to be introduced into the infrastructure.

15
Q

List the 4 functional layers of the ISO 17789 CCRA

A

User Layer
Access Layer
Service Layer
Resource Layer

16
Q

Define ISO 17789 CCRA User Layer

A

Functional components supporting the activities of cloud service partners (CSN) and cloud service customers (CSC).

17
Q

Define the Access Layer of the ISO 17789 CCRA

A

Functional components that facilitate DISTRIBUTION and INTERCONNECTION.

18
Q

Define the Service Layer of the ISO 17789 CCRA

A

Functional components that provide the cloud service plus related administration and business capabilities, and the orchestration capability necessary to realize them.

19
Q

Define the Resource Layer of the ISO 17789 CCRA

A

Functional components that represent the resources needed to implement the cloud computing system.

20
Q

What are the ISO 17788 cloud service capability types?

A

Infrastructure Capabilities
Platform Capabilities
Software Capabilities

21
Q

Information Security Management System (ISMS)

A

An ISMS is a set of people, processes, and technologies that manages the overall security of a company’s systems and data.

Audited using the ISO 27001 and ISO 27002 standards.

22
Q

Key principles of ISO 27018, with a description of each

A
  1. Consent - The CSP cannot use personal data for advertising and marketing purposes unless the customer gives consent.
  2. Control - The customer is in control of how their information is used.
  3. Transparency - The CSP must notify the customer where their data resides, disclose the use of sub-contractors to process PII data, and make clear commitments about how PII data is handled.
  4. Communication - The CSP should notify customers of a data breach.
  5. Independent, yearly audit - The CSP must have a third-party audit conducted annually to remain compliant.
23
Q

Which SOC reports have Type I and Type II?

A

SOC 1 and SOC 2

24
Q

What is a Type I SOC report?

A

Evaluates the CONTROL’S DESIGN to ensure it meets the CONTROL OBJECTIVE.

The audit will determine if the control matches management’s description of the control at a single POINT in time.

The report will attest that the provider does what they say they do.

25
Q

What is a SOC Type II report?

A

Contains the same information as Type I and additionally adds the results of TESTING and MONITORING those controls to show how effective they are over a PERIOD of time.

HINT: Microsoft’s SOC Type II engagements last a year.

26
Q

Define and list the ‘Trust Service Principles’ or the ‘Trust Service Criteria’.

How and for what are they used?

A

SOC reports can evaluate up to 5 separate ‘Trust Service Principles’ or ‘Trust Service Criteria’:

  1. Confidentiality - Sensitive data the org owns
  2. Integrity - Data processing integrity: processing requests completely, timely, and accurately
  3. Availability - System, service, and data availability
  4. Privacy - Sensitive PII, which may be regulated by HIPAA, GDPR, etc.
  5. Security - Controls that don’t fall neatly into the other principles/criteria
27
Q

FIPS Level 1

A

The LOWEST level of security. The basic requirement is that at least ONE APPROVED ALGORITHM is in use by the cryptographic module.

FIPS Level 1 ALLOWS implementations of cryptographic modules that execute SOFTWARE and firmware on general purpose, UNEVALUATED operating systems.

28
Q

FIPS Level 2

A

Security Level 2 adds physical security considerations to those in Level 1 by REQUIRING the CRYPTOGRAPHIC MODULE to show EVIDENCE of TAMPERING (tamper-evident tape or pick-resistant locks, for example). The goal of this level is to provide visible assurance of a device’s INTEGRITY.

29
Q

FIPS Level 3

A

This FIPS Security Level adds even further physical security assurance by REQUIRING that modules take steps to DETECT TAMPERING and respond by PROTECTING the module and any data within. An example of this level would be detecting that the hardware has been breached and erasing all plaintext data within the module to prevent unauthorized access.

30
Q

FIPS Level 4

A

The highest level of security, which requires rigid testing and scrutiny. Devices certified at this level require that cryptographic modules are fully surrounded by protections that are able to detect any and all unauthorized access attempts. A successful penetration of the physical barrier requires immediate erasure of any sensitive plaintext data within the module. Additionally, Level 4 devices require that cryptographic modules are protected against environmental attacks.

31
Q

Common Criteria (CC)

A

CC establishes processes for PRODUCTS to be EVALUATED by INDEPENDENT LABORATORIES to determine their level of SECURITY. CC is an ISO standard (ISO 15408) and is internationally recognized as the gold standard for identifying secure IT products.

Can test CIA.

International base - test once, applied everywhere.

Results in a Pass/Fail

32
Q

Four components of CC?

A

Target of Evaluation (TOE)

Protection Profiles

Security Target (ST)

Evaluation Assurance Levels (EALs)

33
Q

What are the EAL ratings?

A

EAL 1: FUNCtionally tested
EAL 2: STRUCturally tested
EAL 3: METHODically tested and checked
EAL 4: METHodically DESIGN, tested, & REVIEWED
EAL 5: SEMI-formally DESIGN and tested
EAL 6: SEMI-formally VERIFIED design and tested
EAL 7: FORMALLY VERIFIED design and tested

All levels are tested; at the “verified” levels, the design is verified as well as tested.

34
Q

FIPS

A

Federal Information Processing Standard

35
Q

FIPS 140-2

A

A standard released by NIST of the US government related to the ASSESSMENT and VALIDATION of CRYPTOGRAPHIC MODULES/CRYPTOSYSTEMS for use by the federal government.

FIPS 140-2 assessment is completed by one of several independent THIRD PARTY LABS, who rates each product’s security between LEVELS 1 and 4.

36
Q

What is a Target of Evaluation in Common Criteria?

A

Target of Evaluation (TOE) - An IT product or system that is subject to evaluation.

The product that is being evaluated/tested.

37
Q

What is a Common Criteria - Protection Profile?

A

Protection Profiles: These profiles establish a set of security standards unique to a specific type of product, such as operating systems, firewalls, antivirus, and so on.

An implementation-independent, industry-specific set of security requirements for a category of Target of Evaluation (TOE) that meets specific consumer needs.

38
Q

What is a Common Criteria Security Target?

A

Security Target (ST) - Specific security attributes of the TOE, written by the vendor.

A document that specifies the security properties and the vendor’s desired rating for their product.

Testing verifies the validity of this document.

39
Q

Describe Common Criteria Evaluation Assurance Levels.

A

Evaluation Assurance Levels (EALs): An EAL is a numeric score that is assigned to a product to describe how thoroughly it was tested during the CC process. EALs range from 1 through 7, with the higher levels providing more assurance of the product’s security claims. This doesn’t mean the product is more secure if it has a higher EAL; it just means it was tested more thoroughly.

40
Q

What are the two parts of the Common Criteria Rating?

A

Functionality

Assurance

41
Q

ISO 22237-2 Protection Class 1

A

General office space.

Usually a public or semi-public space.

42
Q

ISO 22237-2 Protection Class 2

A
  1. Personnel entrance to data center
  2. Docking bay
  3. Storage space

(usually an area that is accessible to all authorized personnel - employees and visitors)

43
Q

ISO 22237-2 Protection Class 3

A
  1. Telecommunication space
  2. Electric space
  3. Mechanical space
  4. Holding space
  5. Testing space

(usually an area that is accessible to authorized personnel only - restricted to specific employees and visitors)

44
Q

ISO 22237-2 Protection Class 4

A
  1. Control room space
  2. Data center space
  3. Main distributor space
  4. Computer room space

(usually an area that is accessible only to specific employees with a need to know (NTK))

45
Q

ISO 22237-2 Availability Class 1

A

Single-path power (no resilience) - planned maintenance or unplanned outages can cause service outages in dependent systems.

46
Q

ISO 22237-2 Availability Class 2

A

Single-path power distribution (resilience is provided by redundancy of components) with no redundant environmental control or telecommunications cabling.

47
Q

ISO 22237-2 Availability Class 3

A

Multipath power distribution (resilience provided by redundancy of systems) with concurrent repair/operate solutions; environmental control contains redundant components, with multipath telecommunications cabling using fixed infrastructure.

48
Q

ISO 22237-2 Availability Class 4

A

Multipath power distribution (fault tolerant even during maintenance), along with multipath environmental control by redundant systems and multipath telecommunications cabling using fixed infrastructure with diverse pathways.

49
Q

List the Uptime Institute’s Data Center Site Infrastructure Tier Standard tiers

A

Tier I: Basic Site Infrastructure
Tier II: Redundant Site Infrastructure Capacity Components
Tier III: Concurrently Maintainable Site Infrastructure
Tier IV: Fault Tolerant Site Infrastructure