1B: Security Control and Framework Types

Card 1: Security Control Implementation Categories
1. Technical - implemented as a system (hardware, software, firmware). Also described as logical controls.
2. Operational - implemented primarily by people rather than systems (security guards, training programs).
3. Managerial - gives oversight of the information system (risk identification, evaluation of other controls).

Card 2: Security Control Functional Types
1. Preventative - operates before an attack can take place to eliminate or reduce the likelihood that an attack succeeds. Examples: access control lists (ACLs), standard operating procedures (SOPs), anti-malware software.
2. Detective - used during an attack to identify and record any attempted or successful intrusion. Example: logs.
3. Corrective - used after an attack to eliminate or reduce the impact of an intrusion. Examples: backup system, patch management system.
4. Physical - alarms, locks, cameras, guards, etc. that deter and detect access to premises and hardware.
5. Deterrent - may not physically or logically prevent access, but psychologically discourages an attacker. Examples: signs and warnings of legal penalties.
6. Compensating - serves as a substitute for a principal control; provides the same or a better level of protection but uses a different methodology or technology.

Card 3: Cybersecurity Framework (CSF)
A list of activities and objectives undertaken to mitigate risks.

Card 4: NIST CSF
Distinct from other frameworks by focusing exclusively on IT security.

Card 5: International Organization for Standardization (ISO) Frameworks
ISO 27001 - information security management standard that contains more specific security standards such as 27002 (security controls), 27017/27018 (cloud security) and 27701 (personal data and privacy).
ISO 21k - cybersecurity framework.
ISO 31k - overall framework for enterprise risk management (ERM).

Card 6: Cloud Security Alliance (CSA)
Not-for-profit organization that produces various resources to assist cloud service providers (CSPs) in setting up and delivering secure cloud platforms.

Card 7: Center for Internet Security (CIS)
Not-for-profit organization that produces the well-known "20 CIS Controls" and benchmarks for different aspects of cybersecurity.

Card 8: Sarbanes-Oxley Act (SOX)
Mandates the implementation of risk assessments, internal controls, and audit procedures.

Card 9: Privacy
A concept distinct from security. Requires that the collection and processing of personal information be both secure and fair.

Card 10: General Data Protection Regulation (GDPR)
Personal data cannot be collected, processed, or retained without the individual's informed consent.