S1 - Regulation, Standards, and Frameworks Flashcards

1
Q

NIST Privacy Framework Core Functions:
Protect Function

A

Has 5 categories:
> data protection policies, processes, and procedures
> identity management, authentication & access control
> data security
> maintenance
> protective technology

2
Q

When incident management is not integrated into organizational processes and is often ad hoc (“for this situation”), this level of risk management program integration would fall under

A

Tier 1 (partial) implementation tier

Because it is not fully integrated, it is partial.

3
Q

NIST CSF
Tiers:

A

> Tier 2 (risk informed) implementation involves cybersecurity awareness by the rest of the organization but does not involve being securely managed.

> Tier 3 (repeatable) implementation involves an organizational risk approach to cybersecurity where it is integrated into planning and regularly communicated among senior leadership.

> Tier 4 (adaptive) implementation involves the prioritization of managing cyber risks similar to other forms of organizational risks.

4
Q

These are recognized framework profiles under NIST

A

The current profile and the target profile

DON’T EXIST => historic profile and industry profile

5
Q

Which NIST Privacy Framework Core Function best describes how the organization should drive dialogue around privacy risks related to data processing activities?

A

Communicate Function

6
Q

Controls are the objectives to be implemented for family baseline conformance, whereas control enhancements are best practices

A

Controls are the objectives to be implemented for family baseline conformance, whereas control enhancements are best practices

7
Q

Types of controls:

A

> Control Enhancements = best practices
> Control Baseline = required to be in conformance to the control family
> Control Inheritance = implemented at the organizational level and adopted/inherited by information systems

8
Q

Redacted = permitted to disclose

A

No violation of HIPAA

9
Q

Under the HIPAA Security Rule,

A

covered entities are required to protect against reasonably anticipated threats to the security of information. These requirements are in place to protect the security of protected health information (PHI) for patients.

10
Q

General Data Protection Regulation (GDPR)

A

Even though the processing takes place outside of the EU, in the U.S., the scope of GDPR still fully applies.

11
Q

protected health information (PHI)

A

protected health information (PHI)

12
Q

CIS Critical Security Controls Version 8
Control 06: Access Control Management
(KEY: Access - has the CONTROL to create, assign & manage)

A

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

13
Q

CIS Critical Security Controls Version 8
Control 05: Account Management
(KEY: Account does not create, but likewise assigns & manages)

A

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

14
Q

CIS Critical Security Controls Version 8
Control 02: Inventory and Control of Software Assets

A

Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

15
Q

CIS Critical Security Controls Version 8
Control 08: Audit Log Management

A

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

16
Q

CIS Critical Security Controls Version 8
Control 01: Inventory and Control of Enterprise Assets

A

Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

17
Q

CIS Critical Security Controls Version 8
Control 04: Secure Configuration of Enterprise Assets and Software
(KEY: configuration = establish + maintain)

A

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

18
Q

CIS Critical Security Controls Version 8
Control 03: Data Protection
(KEY: Data - Dispose)

A

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

19
Q

CIS Critical Security Controls Version 8
Control 07: Continuous Vulnerability Management
(KEY: develops a plan)

A

Develop a plan to continuously/periodically assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

i.e., it underscores the criticality of regular review of the cyber environment to identify weaknesses in order to help deter attackers.

20
Q

CIS Critical Security Controls Version 8
Control 09: Email and Web Browser Protections

A

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

21
Q

CIS Critical Security Controls Version 8
Control 18: Penetration Testing

A

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker.

22
Q

CIS Critical Security Controls Version 8
Control 13: Network Monitoring and Defense

A

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

23
Q

CIS Critical Security Controls Version 8
Control 16: Application Software Security

A

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

24
Q

CIS Critical Security Controls Version 8
Control 17: Incident Response Management

A

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

25
Q

CIS Critical Security Controls Version 8
Control 12: Network Infrastructure Management

A

Establish, implement, and actively manage (track, report, correct) network devices in order to prevent attackers from exploiting vulnerable network services and access points.

26
Q

CIS Critical Security Controls Version 8
Control 14: Security Awareness and Skills Training

A

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

27
Q

CIS Critical Security Controls Version 8
Control 10: Malware Defenses

A

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

28
Q

CIS Critical Security Controls Version 8
Control 11: Data Recovery

A

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

29
Q

principles for a governance framework under COBIT 2019

A

> based on a conceptual model
> open and flexible
> aligned to major standards

30
Q

COBIT core model
Build, Acquire, and Implement (BAI)
KEY: Manage org & programs

A

includes 11 objectives, such as managed programs, managed projects, managed requirements definition, managed IT changes, and managed assets.

Also: managed knowledge, managed organizational change, and managed availability and capacity.

31
Q

COBIT core model
Deliver, Service, and Support (DSS)
(KEY: DDS = Dentist = problems & CONTINUITY)

A

includes six objectives, such as managed operations, service requests and incidents, managed problems, managed continuity, managed security services, and managed business process controls.

32
Q

COBIT core model
Evaluate, Direct, and Monitor (EDM)
(KEY: EDM-STAKEHOLDER)

A

includes five objectives: Ensured governance framework setting and maintenance, ensured benefits delivery, ensured risk optimization, ensured resource optimization, and ensured stakeholder engagement.

33
Q

COBIT core model
Align, Plan, and Organize (APO)
KEY: Manage people, portfolio/budget

A

includes 14 objectives, such as managed strategy, managed innovation, managed portfolio, managed risk, and managed data

Also: managed security, managed human resources, and managed budget and costs.

34
Q

COBIT core model
Monitor, Evaluate, and Assess (MEA)

A

includes four objectives: managed assurance, managed performance and conformance monitoring, managed system of internal control, and managed compliance with external requirements.

35
Q

components of the governance system

A

Processes; organizational structures; principles, policies, and frameworks; information; culture, ethics, and behavior; people, skills, and competencies; and services, infrastructure, and applications.

36
Q

COBIT design factors
Threat landscape

A

described as the environment in which the company operates and may be classified as normal or high due to factors such as the industry sector or economic issues

37
Q

COBIT design factors
Enterprise strategy

A

defined as strategies that generally include a primary and secondary strategy, such as growth/acquisition, innovation/differentiation, cost leadership, and client service strategies.

38
Q

COBIT design factors
IT implementation methods

A

defined as the methods that can be used to implement new IT projects, such as Agile, DevOps, Waterfall, or a hybrid of such methods.

39
Q

COBIT design factors
Risk profile

A

described as a profile addressing current risk exposure for the organization and maps out which risks exceed the organization’s risk appetite

40
Q

IT system that is not a critical core operation but is INNOVATIVE =

A

TURNAROUND

KEY = it turns things around with innovation… and then it will give me “la media vuelta” (Luis Miguel is innovative)