2. Information security governance and compliance


28 Terms

1

HIPAA

Health Insurance Portability and Accountability Act includes security and privacy rules that affect healthcare providers, insurers, health information and their business associates.

2

PCI DSS

Payment Card Industry Data Security Standard provides detailed rules about the storage, processing, and transmission of credit and debit card information. PCI DSS is not a law but rather a contractual obligation that applies to credit card merchants and service providers worldwide

3

GLBA

Gramm-Leach-Bliley Act covers the handling of personally identifiable information by U.S. financial institutions, such as colleges and universities that administer student loans, real estate appraisers, and debt collectors. GLBA requires that those institutions have a formal security program and designate an individual as having overall responsibility for that program

4

SOX

Sarbanes-Oxley Act applies to the financial records of U.S. publicly traded companies and requires that those companies have a strong degree of assurance for the IT systems that store and process those records

5

GDPR

General Data Protection Regulation implements security and privacy requirements for the personal information of European Union residents worldwide

6

FERPA

Family Educational Rights and Privacy Act requires that U.S. educational institutions implement security and privacy controls for student educational records

7

COBIT

  • Control Objectives for Information Technology

  • IT management and governance framework promoted by ISACA

  • Two sets of foundational principles, consisting of

    • Six principles for a governance system within an organization

    • Three principles for a governance framework covering many organizations

8

Six principles/concepts for governance system of COBIT

  • Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of information and technology

  • A governance system for enterprise information and technology is built from a number of components that can be of different types and work together in a holistic way

  • A governance system should be dynamic

  • A governance system should clearly distinguish between governance and management activities and structures

  • A governance system should be tailored to the enterprise’s needs

  • A governance system should cover the enterprise end-to-end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals

9

Three principles/concepts for governance framework of COBIT

  • A governance framework should be based upon a conceptual model

  • A governance framework should be open and flexible. It should allow the addition of new content and the ability to address new issues in the most flexible way, while maintaining integrity and consistency

  • A governance framework should align to relevant major related standards, frameworks and regulations

10

Five domains of COBIT

  • Evaluate, Direct and Monitor (EDM) objectives provide for effective IT governance and the selection and monitoring of strategic goals

  • Align, Plan and Organize (APO) objectives describe how the IT function should be organized and how it should structure its work

  • Build, Acquire and Implement (BAI) objectives describe how the IT organization should create and acquire new information systems and integrate them into the business

  • Deliver, Service and Support (DSS) objectives describe how the organization should manage the operational tasks of information technology

  • Monitor, Evaluate and Assess (MEA) objectives describe how the organization should measure its effectiveness against performance targets, control objectives and any external requirements it faces

11

Seven major components for a governance system

  • Processes

  • Services, infrastructure and applications

  • People, skills and competencies

  • Culture, ethics and behavior

  • Information

  • Principles, policies and procedures

  • Organization structures

12

NIST

  • National Institute of Standards and Technology

  • Responsible for developing security standards across the U.S. federal government

  • Documents and standards have wide applicability across the private sector

  • Commonly referred to by nongovernmental security analysts

13

NIST Cybersecurity Framework (CSF)

  • Provides a broad structure for cybersecurity controls

  • Designed to assist organizations attempting to meet one or more of the following objectives:

    • Describe their current cybersecurity posture

    • Describe their target state for cybersecurity

    • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process

    • Assess progress toward the target state

    • Communicate among internal and external stakeholders about cybersecurity risk

  • It includes three components:

    • The Framework Core is a set of five functions

      • Identify

      • Protect

      • Detect

      • Respond

      • Recover

      and divides these functions into

      • categories

      • subcategories

      • informative references

    • The Framework Implementation Tiers assess how an organization is positioned to meet cybersecurity objectives (maturity model)

    • Framework profiles describe how a specific organization might approach the security functions covered by the Framework Core. An organization might use a framework profile to describe its current state and then a separate profile to describe its desired future state.

14

NIST Cybersecurity Framework Tiers

  1. Partial

    This tier includes companies with on-demand or no security procedures. Businesses in Tier 1 are categorized as having very little awareness of cybersecurity risk. They frequently fail to prioritize cybersecurity measures properly. 

    Companies at this level must take steps to comprehend and effectively handle cybersecurity concerns. Tier 1 applies to your organization if you lack the time to commit to risk management processes, staff, or financial resources to implement a security program.

  2. Informed

    The majority of corporate executives are now aware of the main threats they face, including malware, state-sponsored attacks, and other bad actors. Additionally, they most likely have policies in place to protect against and mitigate such risks. Although tier 2 organizations have a fair amount of knowledge, they often lack a coordinated strategy and uniform departmental rules.

    Similarly, they could also be aware of the threats to their supply chains and assets, but they lack the authority to take effective governance measures to address such threats.

  3. Repeatable

    The third tier is for companies with risk management and cybersecurity best practices that have received executive approval. Businesses in this category are often more equipped to deal with vulnerabilities, cybersecurity risks, and threats.

    Businesses in tier 3 devote more effort to measuring themselves against their competitors and working together with other businesses in their sector to guarantee best practice alignment.

  4. Adaptive

    The topmost tier requires the greatest time and money to deploy, but it is essential in heavily regulated industries like banking, healthcare, and critical infrastructure. High-tech solutions are incorporated into adaptive information security, such as security information and event management (SIEM), adaptive policies and procedures, and machine learning-powered detection and response capabilities.

    These organizations contribute to the community’s broader awareness of risks by acknowledging their function, dependencies, and dependents within the larger ecosystem.

15

NIST Risk Management Framework (RMF)

  • Formal process for implementing security controls and authorizing system use

  • Mandatory standard for federal agencies

  • Provides a formalized process that federal agencies must follow to select, implement and assess risk-based security and privacy controls.

16

ISO Standards (ISO)

International Organization for Standardization publishes a series of standards that offer best practices for cybersecurity and privacy

17

ISO 27001

A standard titled “Information technology - Security techniques - Information security management systems - Requirements”

The standard includes control objectives covering

  • Information security policies

  • Organization of information security

  • Human resource security

  • Asset management

  • Access control

  • Cryptography

  • Physical and environmental security

  • Operations security

  • Communications security

  • System acquisition, development and maintenance

  • Supplier relationships

  • Information security incident management

  • Information security aspects of business continuity management

  • Compliance with internal requirements, such as policies, and with external requirements, such as laws

18

ISO 27002

Goes beyond control objectives and describes the actual controls that an organization may implement to meet cybersecurity objectives:

  • Select information security controls

  • Implement information security controls

  • Develop information security management guidelines

19

ISO 27004

Helps to implement a consistent process for monitoring, measurement, analysis and evaluation of security management functions

20

ISO 27701

Contains standard guidance for managing privacy controls. ISO views the document as an extension to ISO 27001 and 27002

21

ISO 31000

Provides guidelines for the risk management process and covers risk management in a general way (not specific to cybersecurity or privacy)

22

Audit

  • Formal review of an organization's security program

  • Requires rigorous formal testing of controls

  • Results in a formal statement from the auditor regarding the entity's compliance

  • May be conducted by internal audit groups or, at the request of management, by audit firms

  • Typically requested by an organization's governing body or a regulator

23

Service organization control 1 (SOC 1)

Assesses the organization's controls that might impact the accuracy of financial reporting

24

Service organization control 2 (SOC 2)

  • Assesses the organization’s controls that affect the security

    • Confidentiality

    • Integrity

    • Availability

    • Privacy

    of information stored in a system.

  • Results are confidential and normally only shared outside the organization under NDA

25

Service organization control 3 (SOC 3)

  • Also assesses the organization’s controls that affect the security

    • Confidentiality

    • Integrity

    • Availability

    • Privacy

    of information stored in a system.

  • Results are intended for public disclosure

26

SOC Report Type 1

Provides the auditor’s opinion on the description provided by management and the suitability of the design of the controls as of a specific date.

27

SOC Report Type 2

Also provides the auditor’s opinion on the operating effectiveness of the controls - that is, the auditor actually confirms that the controls are functioning properly over a period of time

28

Assessment

Less formal review of security controls

Typically requested by the security organization itself in an effort to engage in process improvement

The assessor typically gathers information by interviewing employees and taking them at their word rather than performing the rigorous independent testing associated with an audit