WK 3 Protect against threats, risks and vulnerabilities Flashcards

1
Q

What is a Security Framework?

A

They are guidelines used for building plans to help mitigate risks and threats to data and privacy.

Security frameworks provide a structured approach to implementing a security lifecycle. The security lifecycle is a constantly evolving set of policies and standards that define how an organization manages risks, follows established guidelines, and meets regulatory compliance, or laws.

2
Q

4 core components of Security Frameworks

A
  1. Identifying and documenting security goals
  2. Setting guidelines to achieve security goals
  3. Implementing security processes
  4. Monitoring and communicating results
3
Q

What is the purpose of having security frameworks?

A

The purpose of security frameworks includes protecting personally identifiable information, known as PII, securing financial information, identifying security weaknesses, managing organizational risks, and aligning security with business goals.

4
Q

Example of identifying and documenting security goals

A

For example, an organization may have a goal to align with the E.U.’s General Data Protection Regulation, also known as GDPR. GDPR is a data protection law established to grant European citizens more control over their personal data. A security analyst may be asked to identify and document areas where an organization is out of compliance with GDPR.

5
Q

Example of setting guidelines to achieve security goals

A

For example, when implementing guidelines to achieve GDPR compliance, your organization may need to develop new policies for how to handle data requests from individual users.

6
Q

Example of implementing security processes

A

In the case of GDPR, a security analyst working for a social media company may help design procedures to ensure the organization complies with verified user data requests. An example of this type of request is when a user attempts to update or delete their profile information.

7
Q

Example of monitoring and communicating results

A

As an example, you may monitor your organization’s internal network and report a potential security issue affecting GDPR to your manager or regulatory compliance officer.

8
Q

What are Security Controls?

A

Security controls are safeguards designed to reduce specific security risks.

For example, your company may have a guideline that requires all employees to complete a privacy training to reduce the risk of data breaches. As a security analyst, you may use a software tool to automatically assign and track which employees have completed this training.

9
Q

What does the CIA triad stand for?

A

CIA stands for confidentiality, integrity, and availability.

10
Q

What is the CIA triad?

A

The CIA (confidentiality, integrity, and availability) triad is a foundational cybersecurity model that helps inform how organizations consider risk when setting up systems and security policies.

11
Q

What is confidentiality?

A

Only authorized users can access specific assets or data.

For example, strict access controls that define who should and should not have access to data must be put in place to ensure confidential data remains safe.

12
Q

What is integrity?

A

The data is correct, authentic, and reliable.

To maintain integrity, security professionals can use a form of data protection like encryption to safeguard data from being tampered with.

13
Q

What is availability?

A

Data is accessible to those who are authorised to access it.

14
Q

What is an asset?

A

An asset is an item perceived as having value to an organisation.

Value is determined by the cost associated with the asset in question.

15
Q

What is the NIST CSF? (NIST: the U.S.-based National Institute of Standards and Technology)

A

The NIST Cybersecurity Framework is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

Security teams use this as a baseline to manage long- and short-term risk.

16
Q

What is compliance?

A

Compliance is the process of adhering to internal standards and external regulations.

17
Q

(Control, frameworks and compliance standards)

The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)

A

FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid.

These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC.

18
Q

(Control, frameworks and compliance standards)

The Federal Risk and Authorization Management Program (FedRAMP®)

A

FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.

19
Q

(Control, frameworks and compliance standards)

Center for Internet Security (CIS®)

A

CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs.

20
Q

(Control, frameworks and compliance standards)

General Data Protection Regulation (GDPR)

A

GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.

21
Q

(Control, frameworks and compliance standards)

Payment Card Industry Data Security Standard (PCI DSS)

A

PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.

22
Q

(Control, frameworks and compliance standards)

The Health Insurance Portability and Accountability Act (HIPAA)

A

HIPAA is a U.S. federal law established in 1996 to protect patients’ health information. This law prohibits patient information from being shared without their consent. It is governed by three rules:
  1. Privacy
  2. Security
  3. Breach notification

Organizations that store patient data have a legal obligation to inform patients of a breach because if patients’ Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance.

23
Q

(Control, frameworks and compliance standards)

International Organization for Standardization (ISO)

A

ISO was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services.

24
Q

(Control, frameworks and compliance standards)

System and Organizations Controls (SOC type 1, SOC type 2)

A

The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. The SOC1 and SOC2 are a series of reports that focus on an organization’s user access policies at different organizational levels such as:
  1. Associate
  2. Supervisor
  3. Manager
  4. Executive
  5. Vendor
  6. Others

They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.

25
Q

Hacktivist

A

A person who uses hacking to achieve a political goal

26
Q

Privacy protection

A

The act of safeguarding personal information from unauthorized use

27
Q

Protected health information (PHI)

A

Information that relates to the past, present, or future physical or mental health or condition of an individual

28
Q

Security architecture

A

A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats

29
Q

Security ethics

A

Guidelines for making appropriate decisions as a security professional

30
Q

Security frameworks

A

Guidelines used for building plans to help mitigate risk and threats to data and privacy

31
Q

Security governance

A

Practices that help support, define, and direct security efforts of an organization