S1 - Regulation, Standards, and Frameworks Flashcards
NIST Privacy Framework Core Functions:
Protect Function
Has 5 categories:
> data protection policies, processes, and procedures
> identity management, authentication & access control
> data security
> maintenance
> protective technology
When incident management is not integrated into organizational processes and is often ad hoc (“for this situation”), the risk management program integration would fall under
Tier 1 (partial) implementation tier
Because it is not fully integrated, it is partial.
NIST CSF
Tiers:
> Tier 2 (risk informed) implementation involves cybersecurity awareness by the rest of the organization but does not involve being securely managed.
> Tier 3 (repeatable) implementation involves an organizational risk approach to cybersecurity where it is integrated into planning and regularly communicated among senior leadership.
> Tier 4 (adaptive) implementation involves the prioritization of managing cyber risks similar to other forms of organizational risks.
These are recognized framework profiles under NIST:
The current profile and the target profile
DON’T EXIST => historic profile and the industry profile
Which NIST Privacy Framework Core Function best describes how the organization should drive dialogue around privacy risks related to data processing activities?
Communicate Function
Controls are the objectives to be implemented for family baseline conformance, whereas control enhancements are best practices
Types of controls:
> Control Enhancements = best practices
> Control Baseline = required to be in conformance with the control family
> Control Inheritance = implemented at the organizational level and adopted/inherited by information systems
Redacted = permitted to disclose
No violation of HIPAA
Under the HIPAA Security Rule,
covered entities are required to protect against reasonably anticipated threats to the security of information. These requirements are in place to protect the security of protected health information (PHI) for patients.
General Data Protection Regulation (GDPR)
Even though the processing takes place outside of the EU, in the U.S., the scope of GDPR still fully applies.
protected health information (PHI)
CIS Critical Security Controls Version 8
Control 06: Access Control Management
(KEY: Access - has the CONTROL to create, assign & manage)
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
CIS Critical Security Controls Version 8
Control 05: Account Management
(KEY: Account does not create, but likewise assigns & manages)
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
CIS Critical Security Controls Version 8
Control 02: Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
CIS Critical Security Controls Version 8
Control 08: Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
CIS Critical Security Controls Version 8
Control 01: Inventory and Control of Enterprise Assets
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.