S1 Flashcards
CIS controls:
Control 1: Inventory and Control of Enterprise Assets – manage (inventory, track, and correct) all enterprise assets within the enterprise’s infrastructure to minimize the window of opportunity for attackers. Monitor public and private industry sources for new threats and vulnerabilities.
Control 2: active management of all software on the network.
Control 3: Data Protection – develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Control 4: Secure Configuration of Enterprise Assets and Software – establish and maintain secure configurations of enterprise assets (end-user devices, including portable and mobile devices; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and within cloud environments, in order to accurately know the totality of assets that need to be monitored and protected within the enterprise.
Control 5: Account Management — assign and manage authorization to credentials for user accounts, including administrator accounts as well as service accounts, to enterprise assets and software.
Control 6: Access control management: identify the type of access user accounts should have. Organizations should follow “need-to-know” and “least privilege” role assignments. The goal is for users to only have access to systems, services and data needed to perform their job.
Control 7: Continuous Vulnerability Management — covers the development of a plan to assess and track vulnerabilities on all enterprise assets within the infrastructure.
Control 8: Covers the collection, review and retention of audit logs or events that could help detect, understand, or recover from attacks.
Control 9: Email and Web Browser Protections – improve protections against, and detection of, threats from email and web vectors, which are opportunities for attackers to manipulate human behavior through direct engagement.
Control 18: Penetration Testing — test the effectiveness and resiliency of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker.
Control 13: Network Monitoring and Defense — operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
Control 16: Application Software Security — manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Control 17: 99-99
CIS controls:
Center for Internet Security (CIS) Controls: a recommended set of actions, processes, and best practices that organizations can adopt and implement to strengthen their cybersecurity defenses.
Continuous vulnerability management: regular review of the cyber environment to identify weak points.
Inventory and control of enterprise assets: actively track and manage all IT assets connected to a company’s IT infrastructure in order to remediate and eliminate weak points.
Access control management: identify the type of access user accounts should have. Organizations should follow “need-to-know” and “least privilege” role assignments. The goal is for users to only have access to systems, services and data needed to perform their job.
Account management: assign and manage authorization to credentials for user accounts, including administrator accounts as well as service accounts, to enterprise assets and software.
Controls vs. Control Enhancements
Controls are the objectives that must be implemented for conformance with a control family baseline; control enhancements are best practices.
Inheritance/common controls are controls implemented at the organization level and adopted (inherited) by information systems.
Baseline controls are required to be in conformance to the control family. Baseline controls do not enhance existing controls.
GDPR
For companies located in the EU, the GDPR applies in full to data processing organizations even when the processing itself takes place outside of the EU.
NIST Privacy Framework Core Functions
Communicate: helps the organization determine how it should drive dialogue around privacy risks related to data processing activities.
Govern: helps the org determine what the best governance structure is for privacy risks related to data processing activities.
Identify: helps the org determine what the company’s privacy risks related to data processing activities are.
Control: helps the org determine what the best management structure is for privacy risks related to data processing activities.
HIPAA Requirements
Covered entities are required to protect against reasonably anticipated threats to the security of information.
COBIT 2019:
Three principles:
- Based on a conceptual model
- Aligned to major standards
- Open and flexible
COBIT design factors:
Threat landscape: the environment in which the company operates.
Enterprise strategy: Strategies that generally include a primary and secondary strategy, such as growth/acquisition, innovation/differentiation, cost leadership, and client service strategies.
IT implementation methods: the methods that can be used to implement new IT projects, such as agile.
Risk profile: a profile addressing the organization’s current risk exposure, mapping out which risks exceed the organization’s risk appetite.