Other Standards Flashcards
SOC
System and Organization Controls (originally "Service Organization Control")
A reporting framework that lets a service organization be audited against the control objectives that matter to it and to its customers, rather than against one fixed checklist.
Audit reports are performed in accordance with the Statements on Standards for Attestation Engagements (SSAE)
Audits are performed by CPAs (licensed public accounting firms)
AICPA
American Institute of Certified Public Accountants
Manages the SSAE (Statements on Standards for Attestation Engagements)
SOC reports are issued under SSAE 18 (which superseded SSAE 16 in 2017)
SOC 1
SOC 1 is a control report that focuses strictly on a service organization's controls that are relevant to its customers' financial reporting (internal control over financial reporting)
Primarily used by the customer's financial auditors and controller's office
A service organization whose controls can affect a customer's financial statements, such as a payroll or credit card processor, would be asked for a SOC 1 report.
SOC 2
SOC 2 reports evaluate an organization against the AICPA's five Trust Services Criteria (formerly "Trust Services Principles"): Security, Availability, Processing Integrity, Confidentiality, and Privacy. They are restricted-use reports, shared with customers, their auditors and regulators only under NDA and an engagement with the provider (no contract and NDA, no SOC 2).
SOC 2 reports are tightly controlled because they describe the controls, and the tests performed on them, in detail.
SOC 3
SOC 3 takes the same information contained in a SOC 2 report but removes the detailed descriptions of the controls and the test results. In essence, a SOC 3 report states whether the organization met the Trust Services Criteria it was evaluated against. SOC 3 reports are general-use and intended to be publicly available (usually for marketing, e.g. a seal on the provider's website).
PCI DSS - Description, Why was it created, What does it contain?
Payment Card Industry Data Security Standard
An information security standard that governs all organizations that accept, process, store, or transmit branded cardholder (credit/debit) data and/or sensitive authentication data from the major payment brands (Visa, Mastercard, American Express, Discover, JCB)
There are 6 goals broken down into 12 requirements that an organization must meet to fulfill PCI DSS (the wording below follows PCI DSS v3.x; v4.0 keeps the 12 requirements but rewords several of them)
Seeks to standardize controls around cardholder data to reduce payment card fraud
List Goals of PCI DSS aligned to requirements
- Build and maintain a secure network and systems
  1: Install and maintain a firewall configuration to protect cardholder data.
  2: Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data
  3: Protect stored cardholder data.
  4: Encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management program
  5: Protect all systems against malware and regularly update anti-virus software or programs.
  6: Develop and maintain secure systems and applications.
- Implement strong access control measures
  7: Restrict access to cardholder data by business need to know.
  8: Identify and authenticate access to system components.
  9: Restrict physical access to cardholder data.
- Regularly monitor and test networks
  10: Track and monitor all access to network resources and cardholder data.
  11: Regularly test security systems and processes.
- Maintain an information security policy
  12: Maintain a policy that addresses information security for all personnel.
FedRAMP
Federal Risk and Authorization Management Program: a US government-wide program established to create a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services.
Requires any CSP serving US government agencies to meet control baselines (Low, Moderate, High) derived from NIST SP 800-53, assessed by an accredited third-party assessment organization (3PAO)
NIST 800-145 Definition of Cloud Computing
Cloud computing is a MODEL for enabling ubiquitous, convenient, ON DEMAND NETWORK ACCESS to a SHARED POOL of configurable computing resources that can be rapidly PROVISIONED and released with MINIMAL management effort or SERVICE PROVIDER interaction
List viewpoints of ISO 17789 CCRA
User View
Functional View
Implementation View
Deployment View
ISO 17789 CCRA User View
The system context, the parties, roles and sub-roles and cloud computing activities
ISO 17789 CCRA Functional View
The functions necessary for the support of cloud computing activities
ISO 17789 CCRA Implementation View
The functions necessary for the implementation of a cloud service within service parts and/or infrastructure parts
ISO 17789 CCRA Deployment View
How the functions of a cloud service are technically implemented within already existing infrastructure or within new elements to be introduced in the infrastructure
List 4 Functional Layers of ISO 17789 CCRA
User Layer
Access Layer
Service Layer
Resource Layer
Define ISO 17789 CCRA User Layer
Functional components supporting activities of the cloud service partners (CSN) and cloud service customers (CSC)
Define Access Layer of ISO 17789 CCRA
Functional components that facilitate DISTRIBUTION and INTERCONNECTION
Define Service Layer of ISO 17789 CCRA
Functional components that provide the cloud service plus related administration and business capabilities; and the orchestration capability necessary to realize them
Define Resource Layer of ISO 17789 CCRA
Functional components that represent the resources needed to implement the cloud computing system
What are ISO 17788 Cloud Service Capabilities?
Infrastructure capabilities type
Platform capabilities type
Application capabilities type (often summarized as "software capabilities")
Information Security Management System (ISMS)
An ISMS is the set of people, processes, and technologies that manages the overall security of an organization's systems and data
ISO/IEC 27001 specifies the ISMS requirements an organization is certified against; ISO/IEC 27002 is the companion guidance on implementing the controls (it is not itself certifiable)
Key principles of ISO 27018 (code of practice for protecting PII in public clouds, aimed at CSPs acting as PII processors) and descriptions for each
- Consent - the CSP cannot use customer PII for advertising and marketing purposes unless the customer gives express consent
- Control - the customer stays in control of how their PII is used and processed
- Transparency - the CSP must tell the customer where their data resides, disclose any sub-contractors used to process PII, and make clear commitments about how PII is handled
- Communication - the CSP must notify customers of a data breach involving their PII
- Independent, yearly audit - the CSP must have a third-party audit conducted annually to remain compliant
Which SOC reports have Type I and Type II
SOC 1 and SOC 2
What is a Type I SOC report?
Evaluates the CONTROLS' DESIGN: whether each control, as designed and implemented, meets its CONTROL OBJECTIVE
The auditor determines whether the control matches management's description of it at a single POINT in time
The report attests that the provider has the controls it says it has; it does not test whether they operated effectively
What is a SOC Type II report?
Contains the same information as Type I and additionally adds the results of TESTING the controls' OPERATING EFFECTIVENESS over a PERIOD of time (typically 6 to 12 months)
HINT: Microsoft's SOC 2 Type II engagements cover a one-year period
Define and List the ‘Trust Service Principles’ or the ‘Trust Service Criteria’?
How and for what are they used?
A SOC 2 report can evaluate up to 5 Trust Services Criteria (the AICPA's current name for what were called the Trust Services Principles)
- Security (the "Common Criteria") - mandatory in every SOC 2; protection of systems and data against unauthorized access, disclosure and damage
- Availability - systems, services and data are available as committed
- Processing Integrity - processing is complete, valid, accurate, timely and authorized
- Confidentiality - protection of information the organization has designated confidential
- Privacy - collection, use, retention, disclosure and disposal of personal information (which may also be regulated by HIPAA, GDPR, etc.)
The other four criteria are optional and are chosen based on the service and the commitments made to customers
FIPS Level 1
The LOWEST level of security. The basic requirement is that at least ONE APPROVED ALGORITHM or approved security function is used by the cryptographic module; there are no physical security requirements beyond production-grade components.
FIPS Level 1 ALLOWS cryptographic modules implemented in SOFTWARE and firmware that execute on general-purpose, UNEVALUATED operating systems; a validated software library is the typical Level 1 module.
FIPS Level 2
Security Level 2 adds physical security considerations to those in Level 1 by REQUIRING the CRYPTOGRAPHIC MODULE to show EVIDENCE of TAMPERING (tamper-evident seals or coatings, pick-resistant locks on enclosures, for example). It also requires role-based authentication of operators and, for software modules, an operating system evaluated under Common Criteria at EAL 2 or higher. The goal at this level is visible assurance of the device's INTEGRITY, not resistance to a determined attacker.
FIPS Level 3
This Security Level adds further physical security assurance by REQUIRING that modules DETECT TAMPERING and respond by PROTECTING the module and the data within it. An example is detecting that the enclosure has been opened and zeroizing all plaintext critical security parameters (keys and other secrets) in the module to prevent unauthorized access. Level 3 also requires identity-based (not just role-based) operator authentication, and plaintext keys may only enter or leave the module through ports or interfaces that are physically or logically separated from the others.
FIPS Level 4
The highest level of security, which requires rigid testing and scrutiny. Devices certified at this level require that the cryptographic module be fully enveloped by protection able to detect any unauthorized physical access attempt. A successful penetration of the envelope must trigger immediate zeroization of any sensitive plaintext data within the module. Additionally, Level 4 modules must be protected against environmental attacks: the module must either tolerate, or shut down safely under, voltage and temperature outside its normal operating range, so an attacker cannot induce faults by manipulating the environment.
Common Criteria (CC)
CC establishes a process for PRODUCTS to be EVALUATED by INDEPENDENT, accredited LABORATORIES against the SECURITY claims made for them. CC is an ISO/IEC standard (ISO/IEC 15408) and is the internationally recognized scheme for evaluating the security of IT products.
Evaluates both what the product does (security functional requirements, e.g. its confidentiality, integrity and availability protections) and how thoroughly those claims were verified (security assurance requirements)
International base - evaluate once, recognized by all signatories of the Common Criteria Recognition Arrangement (CCRA); note that mutual recognition covers evaluations against collaborative Protection Profiles and otherwise only up to EAL 2, so higher EALs are not automatically recognized across borders
Results in a Pass/Fail against the claims in the product's Security Target
Four components of CC?
Target of Evaluation - TOE
Protection profiles
Security Target (ST)
Evaluation Assurance Levels (EALs):
What are the EAL ratings?
EAL 1: FUNCtionally tested
EAL 2: STRUCturally tested
EAL 3: METHODically tested and checked
EAL 4: METHODically designed, tested, and REVIEWED
EAL 5: SEMI-formally designed and tested
EAL 6: SEMI-formally VERIFIED design and tested
EAL 7: FORMALLY VERIFIED design and tested
All levels are "tested"; EAL 4 adds a review of the design, and EAL 5 to 7 add (semi-)formal design and verification. EAL 4 is the highest level commonly reached by general-purpose commercial products; EAL 6 and 7 are reserved for small, high-assurance targets.
FIPS
Federal Information Processing Standard
FIPS 140-2
Standard released by NIST for the ASSESSMENT and VALIDATION of CRYPTOGRAPHIC MODULES for use by the US (and Canadian) federal governments. It has been superseded by FIPS 140-3: new FIPS 140-2 testing ended in September 2021, and existing 140-2 certificates remain on the active list only until September 2026.
FIPS 140-2 assessment is completed by one of several accredited independent THIRD PARTY LABS and validated by the Cryptographic Module Validation Program (CMVP, run jointly by NIST and Canada's CCCS), which rates each module at a security LEVEL between 1 and 4.
What is a Target of Evaluation in Common Criteria?
Target of Evaluation - TOE - An IT product or system that is subject to evaluation
The product that is being evaluated/tested
What is a Common Criteria - Protection Profile?
Protection profiles: These profiles establish a set of security standards unique to a specific type of product, such as operating systems, firewalls, antivirus, and so on.
An implementation-independent set of security requirements for a category of Target of Evaluation (TOE), such as "network devices" or "mobile devices", that meets specific consumer needs; a vendor claims conformance to a PP in its Security Target.
What is a Common Criteria Security Target?
Security Target (ST) - the specific security claims for a TOE, written by the vendor
A document that specifies the threats addressed, the security functions the product implements, any Protection Profiles it conforms to, and the assurance level (EAL) the vendor wants
Testing verifies that the TOE meets the claims in this document, not that the product is secure in general
Describe Common Criteria Evaluation Assurance Levels?
Evaluation Assurance Levels (EALs): An EAL is a numeric score assigned to a product to describe how thoroughly it was evaluated during the CC process. EALs range from 1 through 7, with higher levels providing more assurance that the product's security claims are true. A higher EAL does not mean the product is more secure; it means the claims in its Security Target were verified more rigorously.
What are the two parts of the Common Criteria Rating?
Functionality - the Security Functional Requirements (SFRs): what the TOE claims to do (authentication, audit, access control, cryptographic operations, etc.)
Assurance - the Security Assurance Requirements (SARs), summarized by the EAL: how rigorously those claims were evaluated
ISO 22237-2 Protection Class 1
General office space
Usually public or semi-public space
ISO 22237-2 Protection Class 2
- Personnel entrance to data center
- Docking bay
- Storage space
(usually an area accessible to all authorized personnel: employees and visitors)
ISO 22237-2 Protection Class 3
- Telecommunication space
- Electric space
- Mechanical space
- Holding space
- Testing space
(usually an area restricted to authorized personnel only: specific employees and accompanied visitors)
ISO 22237-2 Protection Class 4
- Control room space
- Data center space
- Main distributor space
- Computer room space
(usually an area accessible only to specific employees with a need to know)
ISO 22237-2 Availability Class 1
Single-path power distribution with no resilience: planned maintenance or an unplanned outage causes service outages in dependent systems
ISO 22237-2 Availability Class 2
Single-path power distribution (resilience provided by redundancy of components), with no redundant environmental control or telecommunication cabling
ISO 22237-2 Availability Class 3
Multipath power distribution (resilience provided by redundancy of systems) allowing concurrent repair and operation; environmental control contains redundant components; multipath telecommunication cabling using fixed infrastructure
ISO 22237-2 Availability Class 4
Multipath power distribution (fault tolerant, even during maintenance), multipath environmental control with redundant systems, and multipath telecommunication cabling using fixed infrastructure with diverse pathways
List the Uptime Institute's Data Center Site Infrastructure Tier Standard tiers
Tier I: Basic Site Infrastructure
Tier II: Redundant Site Infrastructure Capacity Components
Tier III: Concurrently Maintainable Site Infrastructure
Tier IV: Fault Tolerant Site Infrastructure