Security Controls and stuff Flashcards
What is a security control?
Something designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation. Controls can be divided into three broad categories: technical, operational, and managerial.
What is a Technical Control?
The control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.
What is an Operational control?
The control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.
What is a Managerial Control?
The control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
What is a Preventive Control functional type?
The control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Access control lists (ACLs) configured on firewalls and file system objects are preventative-type controls. Anti-malware software also acts as a preventative control by blocking processes identified as malicious from executing. Directives and standard operating procedures (SOPs) can be thought of as administrative versions of preventative controls.
What is a Detective Control functional type?
The control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls.
What is a Corrective control?
The control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack.
What is a Physical control?
Controls such as alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises and hardware are often classed separately.
What is a deterrent function?
The control may not physically or logically prevent access, but it psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.
What is a Compensating function?
The control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
What is the Cloud Controls Matrix?
Lists specific controls and assessment guidelines that should be implemented by CSPs. The matrix acts as a starting point for cloud contracts and agreements, as it provides a baseline level of security competency that the CSP should meet.
What is security guidance?
A best-practice summary analyzing the unique challenges of cloud environments and how on-premises controls can be adapted to them.
What is enterprise reference architecture?
Best-practice methodology and tools for CSPs to use in architecting cloud solutions.
What are the Statements on Standards for Attestation Engagements (SSAE)?
Audit specifications developed by the American Institute of Certified Public Accountants.
What are Archives?
Sets of data. Since data retention is a high priority, the systems admin should establish and/or review an archive plan to ensure data sets are held for the appropriate length of time.
What is a workflow?
An onboarding process that involves identifying the roles and permissions users need. A workflow is often a visual representation of an organization, organized by permissions and account types.
What is Privilege bracketing?
An account management practice that involves giving users permission to a resource only for the duration of a specific project or a need-to-know situation.
What is User Account Control (UAC)?
A Windows-specific function that prevents users from invoking administrative privileges without specific authorization.
What is a Memorandum of Understanding (MOU)?
A preliminary or exploratory agreement to express an intent to work together. MOUs tend to be relatively informal and do not act as binding contracts.
What is a Memorandum of Agreement (MOA)?
A formal agreement or contract that contains specific obligations rather than a broad understanding.
What is a Business Partners Agreement (BPA)?
A type of partner agreement that large IT companies, such as Microsoft and Cisco, set up with resellers and solution providers.
What is Training Diversity?
A mix of training techniques in the form of workshops, seminars, gamification, etc., used to foster user engagement and retention.
What is Gamification?
A training technique that engages users by adding game-like elements to content to encourage participation.
What is Vendor diversity?
A "defense in depth" practice of implementing security controls from different vendors.