S2-m1 Flashcards
The supporting IT architecture within most modern companies has…
multiple, interconnected technological components, with the core infrastructure involving a combination of:
- on-premises and outsourced hardware
- software
- specialized personnel
Who supports the infrastructure?
Some organizations manage this infrastructure themselves, but many rely on third-party providers to support their IT operations.
SOC 2 Engagements
Examinations in which a third party evaluates and reports on a service organization's system controls as they relate to the AICPA's five trust services criteria.
AICPA Five Trust Services Criteria
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
EUDs
End user devices are electronic machines, typically computers or mini computers, that directly interact with employees or consumers at the edge of a network, meaning they are the point in a chain of applications or an organization's IT architecture that interfaces with a human. Desktops, laptops…
Network Infrastructure
Refers to the hardware, software, layout, and topology of network resources that enable connectivity and communication between devices on a computer network.
Modem
Connects a network to an internet service provider's network, usually through a cable connection. It is the device that brings internet into a home or office. Each modem has a public IP address.
Routers
Manage network traffic by connecting devices to form a network. They read the source and destination fields in information packet headers to determine the most efficient path through the network for the packet to travel.
Switches
Similar to routers in that they connect and divide devices within a computer network. However, switches do not perform as many advanced functions as a router, such as assigning IP addresses. They connect devices by splitting the signal.
Gateways
Convert protocols. A gateway is a computer or device that acts as an intermediary between different networks. It transforms data from one protocol into another so that information can flow between networks.
Edge Enabled Devices
Devices that allow computing, storage, and networking functions to run closer to the devices where the data or system requests originate, rather than at a distant central location.
Servers
Physical or virtual machines that coordinate the computers, programs, and data that are part of the network. Most business networks use a client/server model, in which the client sends a request to the server and the server provides a response or executes some action.
Firewalls
Software applications or hardware devices that protect a person's or company's network traffic by filtering it through security protocols with predefined rules. Intended to prevent unauthorized access into the organization and to prevent employees from downloading malicious programs.
Basic Packet Filtering
Firewall
Works by analyzing network traffic transmitted in packets (the data communicated) and determining whether the firewall software is configured to accept the data.
Circuit level Gateways
Firewall
Verify the source of a packet and that it meets the rules and policies set by the security team.
Application level Gateways
Firewall
Gateways inspect the contents of the packet itself. Very resource intensive.
Network topology
Refers to the physical layout of equipment, or nodes, in a network, which is essential for understanding how to properly engineer the network for optimal performance.
What are the different requirements for components?
Topology
Length and type of connecting cables, data transmission rates, and physical position of each node in the network. These are based on the size of the network, the performance needs of the organization, and the environment in which the network is built.
Bus Topology
This layout is either in a linear or tree form, with each node connected to a single line or cable. Data can be transmitted by any node on the system at the same time, which can cause signal interference.
Mesh Topology
There are numerous connections between nodes, with all nodes being connected in a full mesh topology and only some connected in a partial mesh topology. Common in wireless networks; allows for high levels of traffic but is costly.
Ring Topology
Nodes are connected in a circular path in ring topologies. When data is transferred to a destination device, it must first go through every other device between the source and destination. There are unidirectional ring paths that allow data transmission to move in one direction only, and there are multidirectional paths that allow two-way data transmission. Data transmission collisions are minimized or eliminated, but the layout can result in slow network performance.
Star Topology
Data passes through a central hub that acts as a switch or server, which then transmits to peripheral devices that act as clients. With multiple hubs, if one fails, only the nodes connected to that hub stop functioning. Damaged cables are easier to identify.
How do devices in a network communicate with other devices?
Protocols; the type of protocol governs the way data is transmitted based on the method used, such as cable, port, or wireless.
Open System Interconnection Model
Helps explain how these protocols work and how networking devices communicate with each other.
Application Layer 7
OSI
Serves as the interface between the applications a person uses and the network protocol needed to transmit a message. Does not represent the actual application being used. Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP)
Presentation Layer 6
OSI
Transforms data received from the Application layer into a format that other devices using the OSI model can interpret, such as standard formats for videos, images, and web pages. Encryption occurs at this layer. American Standard Code for Information Interchange (ASCII), JPEG, MPEG
Session Layer 5
OSI
Allows sessions between communicating devices to be established and maintained. Sessions allow networking devices to have a dialogue with each other. Remote Procedure Call (RPC), Structured Query Language (SQL)
Transport Layer 4
OSI
Supports and controls the communication connections between devices. This involves setting the rules for how devices are referenced and the amount of data that can be transmitted, validating the data's integrity, and determining whether data has been lost. Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Secure Sockets Layer (SSL)
Network Layer 3
OSI
Adds routing and address headers or footers to data, such as source and destination IP addresses, so that the message reaches the correct devices. This layer also detects errors. Internet Protocol (IP), NAT, IPsec, IGMP
Data Link Layer 2
OSI
Data packets are formatted for transmission. This is determined by the hardware and networking technology, which is usually Ethernet. This layer also adds Media Access Control (MAC) addresses, which are device identifiers that act as source and destination reference numbers. ISDN, PPTP, L2TP
Physical Layer 1
OSI
Converts the message sent from the Data Link layer into bits so it can be transmitted to other physical devices. Also receives messages from other physical devices and converts those back from bits to a format that can be interpreted by the Data Link layer. HSSI, SONET
What does network infrastructure architecture refer to?
Refers to the way an organization structures its network from a holistic design standpoint, considering factors such as:
- geographical layout
- physical and logical layout
- network protocols used
Local Area Networks (LAN)
Provide network access to a limited geographic area, such as a home or single-location office.
Wide Area Networks (WAN)
Provide access to a larger geographic area, such as cities, regions, or countries. The largest example is the internet.
Software-defined Wide Area Networks (SD-WAN)
Monitors the performance of WAN connections and manages traffic to optimize connectivity. In a traditional WAN, the control and management of the network are integrated into the hardware.
Virtual Private Networks (VPN)
These are virtual connections through a secure channel or tunnel that provide remote and secure access to an existing network. Commonly referred to as remote desktop connections.
What is software?
Consists of the applications, procedures, or programs that provide instructions for a computer to execute.
Operating Systems
Software that orchestrates the global functioning of a group of applications and hardware, and their performance, by acting as an intermediary between these resources to allow a user to execute specific tasks. An OS defines the parameters for managing a system's memory, processes, records, devices, and user interface.
Firmware
Software that is embedded locally in hardware and instructs the hardware how to operate. Firmware operates like software but exists locally on the machine, directing the function of the physical components, such as the motherboard and microprocessor. It is not updated frequently, or at all.
What is Cloud Computing?
A computing model that uses shared resources over the internet. Cloud customers rent storage space, processing power, proprietary software, or a combination of the three on remote servers from another company.
What is infrastructure elasticity?
Cloud Computing
Renting only as much capacity as is needed, on a minute-to-minute basis.
Infrastructure as a Service (IaaS)
In an IaaS model, the CSP provides an entire virtual data center of resources, and organizations can outsource servers, storage, hardware, networking services, and networking components to third-party providers, generally billed on a per-use basis. The customer organization is responsible for keeping the environment in which it operates consistently up and running, managing its performance virtually.
The CSP is responsible for the physical management of that infrastructure.
What is a CSP?
A cloud service provider is a third party that provides cloud computing services such as application delivery, hosting, or monitoring to customers. The CSP performs all maintenance and technical support on the hardware.
Platform as a Service (PaaS)
The CSP provides proprietary tools or solutions remotely that are used to fulfill a specific business purpose. The tools facilitate the creation of programs and the delivery of services, such as building an online platform to sell merchandise, advertise products, or build other websites, all of which run on the CSP's hosted infrastructure.
Software as a Service (SaaS)
The CSP provides a business application or software that organizations use to perform specific functions or processes. Organizations generally purchase the service through licensing.
What are the 4 types of cloud computing deployment models?
- Public
- Private
- Hybrid
- Community
Public
Cloud Computing Deployment Model
Is owned and managed by a CSP that makes the cloud services available to people or organizations who want to use or purchase them.
Private
Cloud Computing Deployment Model
The cloud is created for a single organization and is managed by the organization or a CSP. The cloud infrastructure can exist on or off the organization's premises.
Hybrid
Cloud Computing Deployment Model
The cloud in a hybrid model is composed of two or more clouds, with at least one being a private cloud, that remain unique cloud entities but with technology in place that facilitates the portability of data and applications between each entity.
Community
Cloud Computing Deployment Model
An infrastructure shared by multiple organizations to support a common interest, such as companies banding together for regulatory compliance, a common mission, or collaboration with industry peers.
Do CSPs end up in a SOC 2 report?
Yes, if the CSP is considered critical to the service organization in question complying with certain rules.
Cloud Controls Matrix
A framework of best practices for cloud security, data protection, and compliance in a cloud environment.
COSO Enterprise Risk Management - Integrating With Strategy and Performance
This framework categorizes methods for addressing an organization's risk into five components with 20 supporting principles.
COSO components
- Governance and Culture
- Strategy and Objective Setting
- Performance
- Review and Revision
- Information, Communication, and Reporting
Governance and Culture
COSO Component
Sets the company's tone and reinforces the importance of having oversight of enterprise risk management. Culture relates to the company's target behaviors and values and involves understanding risk.
1. Exercises board risk oversight
2. Establishes operating structures
3. Defines desired culture
4. Demonstrates commitment to core values
5. Attracts, develops, and retains capable individuals
Strategy and Objective Setting
COSO Component
Considers enterprise risk management together with strategy during the strategic planning process. A company's risk appetite should be aligned with its strategy, and business objectives should be put in place to help achieve that level of appetite through identifying, assessing, and responding to risk.
6. Analyzes business context
7. Defines risk appetite
8. Evaluates alternative strategies
9. Formulates business objectives
Performance
COSO Component
Requires that organizations prioritize their risks based on risk appetite so that business objectives are assessed, met, and reported to key stakeholders.
10. Identifies risk
11. Assesses severity of risk
12. Prioritizes risks
13. Implements risk responses
14. Develops portfolio view
Review and Revision
COSO Component
Involves reviewing a company's performance over time and making revisions to functions when needed.
15. Assesses substantial change
16. Reviews risk and performance
17. Pursues improvement in enterprise risk management
Information, Communication, and Reporting
COSO Component
Recommends that a continual process be in place that supports sharing both internal and external information throughout the organization.
18. Leverages information and technology
19. Communicates risk information
20. Reports on risk, culture, and performance
Internal Environment
COSO Framework Component
Serves as the foundation for a company's risk appetite, helping a company understand the level at which it wants to outsource technology functions.
Applicability to Organizations' Considerations of Cloud Computing
Objective Setting
COSO Framework Component
Management should understand how outsourcing technology functions will help it reach, or potentially raise, its objectives.
Applicability to Organizations' Considerations of Cloud Computing
Event Identification
COSO Framework Component
Management must understand how adopting a CSP could make event identification more complex or easier.
Applicability to Organizations' Considerations of Cloud Computing
Risk Assessment
COSO Framework Component
Management should understand the risks of its cloud strategy, including the impact on its risk profile, its inherent and residual risks, and the likelihood and impact of all risks.
Applicability to Organizations' Considerations of Cloud Computing
Risk Response
COSO Framework Component
Management should determine whether its risk response will be to avoid a risk, reduce its likelihood, share the risk by transferring a portion of it to another entity, or accept the risk.
Applicability to Organizations' Considerations of Cloud Computing
Control Activities
COSO Framework Component
The organization should understand how traditional controls (detective, preventive, automated, and manual) as well as entity-level controls are modified in a cloud environment.
Applicability to Organizations' Considerations of Cloud Computing
Information and communication
COSO Framework Component
Management should understand how operating in the cloud will affect the timeliness, availability, and dissemination of information and communication.
Applicability to Organizations' Considerations of Cloud Computing
Monitoring
COSO Framework Component
Management should modify its monitoring mechanisms to accommodate the new complexities introduced by adopting a cloud solution.
Applicability to Organizations' Considerations of Cloud Computing
Cloud Risks
- The rate of competitor adoption
- Being in the same risk ecosystem
- Transparency
- Reliability and performance
- Lack of application portability
- Security and compliance
- Cyber attacks
- Data leakage
- IT organizational change
- CSP long term viability
What are some benefits of using a CSP?
Flexible pricing, reduction of on-site hardware, and processing data more efficiently by accessing advanced computing power. CSPs also make organizations more resilient by enhancing their disaster recovery capabilities and making them less vulnerable to system failures.
Business processes-as-a-service (BPaaS)
The provider delivers business process outsourcing services to a user, such as managing the revenue cycle for a company.
What risks should a company consider when evaluating a CSP?
- the rate at which other companies are adopting the cloud
- being in the same cloud as other tenants
- reliability of the provider
- security and compliance
- data leakage
- long-term viability of the CSP