Managerial Control
Controls based on overall risk management, such as the use of cybersecurity audits.
Operational Control
Ensuring that the policies and procedures used are limited by security risk, such as instructions to a guard.
Technical Control
A control that uses some form of technology to address physical security issues, such as automated or machine-involved processes.
Preventive Control
A control that prevents specific actions from occurring; for example, a mantrap prevents a person from entering a facility.
Detective Control
A control designed to identify any threat that has reached the system, such as an IDS.
Corrective Control
A control used after an event to minimize the extent of damage; for example, load balancers and redundant systems that ease system overuse.
Deterrent Control
A control that attempts to discourage security violations before they occur, such as salt on password hashes.
Compensating Control
A control that provides an alternative to normal controls that for some reason cannot be used; fire suppression systems are an example.
Physical Control
A control that prevents specific physical actions from occurring; for example, mantraps prevent tailgating, and covers over critical buttons are another form of physical control.
General Data Protection Regulation (GDPR)
Mandates a baseline set of standards for companies that handle EU citizens' data, to better safeguard the processing and movement of citizens' personal data.
PCI DSS (Payment Card Industry Data Security Standard)
Protects customer credit card information and is designed to reduce fraud.
Center for Internet Security
A set of top 20 security controls that should be implemented as a baseline for cybersecurity risk management.
NIST (National Institute of Standards and Technology) Risk Management Framework (RMF)
Mandatory for agencies dealing with federal data; a six-step process:
1. categorize
2. select
3. implement
4. assess
5. authorize
6. monitor
Cybersecurity Framework CSF
A commercial framework defined by the functions identify, protect, detect, respond, and recover.
International Organization for Standardization (ISO)
SSAE SOC 2 reports focus on internal controls related to compliance and operations; SOC Type 1 reports evaluate whether proper controls are in place at a specific point in time, and SOC Type 2 reports are done over a period of time to evaluate the effectiveness of controls.
Cloud Security Alliance (CSA)
A nonprofit organization with a mission to promote best practices for using cloud computing securely.
Cloud Control matrix
A list of security controls for the cloud.
reference architecture
A broad framework that describes all aspects of cloud security.
Benchmarks/secure configuration guides
Guidelines to help set up and operate computer systems to a secure level that is understood and documented.
Platform/Vendor specific guides
Hardening guides that are specific to the software or platform.
Web server guides
The connection between the user and the public is always prone to attack; configuring an external-facing application securely is key to avoiding unnecessary risk.
OS guides
This is the interface between the user performing tasks and the hardware of the computer; configuration guides are available for each type of platform.
Application server
A part of the enterprise that handles the specific tasks we associate with IT systems; ensure that it gets proper configuration when building the servers.
Network Infrastructure Devices
Routers, switches, firewalls, and concentrators are all devices that need to be properly configured so that day-to-day processes are not tampered with.
Acceptable Use Policy
A policy that goes hand in hand with the internet usage policy, stating what is considered acceptable behavior for computer system users.
job rotation
This provides a better experience for workers, who gain knowledge of all departments of a company; it also helps ensure no fraudulent activity occurs, which improves security awareness.
Mandatory Vacations
When an organization requires that an employee take a certain number of vacation days consecutively, so that no one person controls a part of the company; having at least two people able to do the same job ensures higher security overall.
Separation of Duties
Dividing responsibilities between two or more people to limit fraud and promote accuracy of records; it also ensures that no one person has all the keys to the company.
Least Privilege
States that a user should have only the level of access permissions required to perform their job.
clean desk space
Sensitive information must not be left unsecured in the work area when the worker is not present to act as its custodian.
background check
The process of looking up and compiling the criminal, commercial, and financial records of an individual or organization before they are hired.
Non-Disclosure Agreement (NDA)
A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to by third parties.
social media analysis
An analytic method used by companies to ensure workers aren't browsing the web publicly, whether that be through AUPs, P2P, or even BitTorrent.
onboarding
Programs that help employees integrate and transition into new jobs by making them familiar with corporate policies, procedures, culture, and politics, and by clarifying work-role expectations and responsibilities.
Offboarding
Facilitates employee departure from the company by assisting the completion of exit tasks, including exit interviews, forms completion, the return of company property, and ensuring that employees receive the appropriate extended benefits.
user training
Ensures that users are aware of and follow appropriate policies and procedures as part of their workplace activities; this can include gamification, role-based training, phishing simulations, computer-based training, phishing campaigns, and capture the flag.
diversity of training techniques
Matching the material to the learners' method of learning, and then testing outcomes to ensure successful training has been achieved.
Service Level Agreement (SLA)
Part of a service contract in which the service expectations are formally defined between parties.
Memorandum of Understanding (MOU)
Legal documents describing bilateral agreements that express intended actions with respect to some common pursuit or goal.
measurement systems analysis
The analysis of the measurement system to determine the accuracy and precision of the data obtained from the measurement.
Business partner agreement
A legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between them.
end of life
Term used to describe a product that has reached the end of its useful life.
end of service
Term used to describe the end of a product's support from the manufacturer, with no further updates or services for the product.
data governance
The process of managing the availability, usability, integrity, and security of data in enterprise systems.
data retention
The management of the data lifecycle with an emphasis on when data reaches its end of useful life for an organization.
change management policies
Ensures proper procedures are followed when modifications to the IT infrastructure are made; this is about the main process of applying change.
change control policies
The process of how changes to anything are sourced, analyzed, and managed; more so the details of how change management occurs.
asset management policies
The policies and processes used to manage the elements of the system, including hardware, software, and the data that is contained within them.
Third-party Risk Management
Vendors, supply chains, and business partners all describe what needs to be accounted for when defining risk with...
Credential Policies
Policies that refer to the processes, services, and software used to store, manage, and log the use of user credentials.
Credential Policy Types:
Personnel, third party, devices, service accounts, admin/root accounts
Risk Types
External, Internal, Multiparty, IP theft, legacy systems, and software compliance/licensing
Acceptance
A business willing to take on a known risk to the company.
Avoidance
A business completely stopping a business operation so that it won't endure any risk.
Transference
Buying cybersecurity insurance allows another company to deal with the risk your business has acquired; this process is called...
Mitigation
A business lessens the impact of a risk by either updating the systems or looking for better systems to use.
Software compliance/licensing risk
Many copies of many software products can be made and used without licenses, and this creates...
risk analysis
Performed via a series of specific exercises that reveal the presence and level of risk across an enterprise.
Risk Register
A list of risks associated with a specific system; it also contains additional information associated with each risk.
Risk Matrix
A matrix that lists an organization's qualitative vulnerabilities, with ratings that assess each one in terms of likelihood and impact on business operations, reputation, and other areas.
Risk Control Assessment
Tool used by the Financial Industry Regulatory Authority (FINRA) to assess a series of risks associated with their member institutions.
Risk Control Self-Assessment
The technique that employs management and staff at all levels to identify and evaluate risks and associated controls.
Risk awareness
The knowledge of risks and their consequences; it is essential for a wide range of personnel to know the risks associated directly with their role.
Inherent Risk
The amount of risk that exists in the absence of controls.
Residual Risk
The risk that remains after known controls are accounted for.
Control Risk
Risk associated with the chance of a material misstatement in a company's financial statements.
Risk Appetite
Term used to describe a firm's tolerance for risk.
Regulations that affect risk posture
Sarbanes-Oxley - financial regulations on protecting data
PCI-DSS - credit card data
Qualitative Risk Assessment
Determines the risk of an environmental hazard based on human perception rather than data; an example is the matrix/heat map.
Quantitative Risk Assessment
Analysis of the numerical probabilities of a situation using metric models such as ALE and SLE.
Likelihood of occurrence
The chance that a particular risk will occur; the measure can be qualitative or quantitative. For qualitative, it's defined on an annual basis relative to other annualized measures; for quantitative, it's used to create a ranked order.
Impact
life - the most important consideration
property - risk to buildings and assets
safety - some environments are too dangerous to work in
finance - resulting financial cost
reputation - an event can damage the status or character of your company
Asset Value (AV)
The amount of money it would take to replace an asset
Single Loss Expectancy (SLE)
The expected monetary loss every time a risk occurs.
= AV * EF
Annualized Loss Expectancy (ALE)
How much of a single asset is stolen per year?
= SLE * ARO
Annualized Rate of Occurrence (ARO)
The probability that a risk will occur in a particular year.
Disaster
A major event that causes disruptions.
Disaster types
Person, Environment, Internal/External
Business Impact Analysis (BIA)
The process used to determine the sources and relative impact values of risk elements in a process.
Recovery Time Objective (RTO)
Used to describe the target time set for the resumption of operations after an incident: how long will it take to get back up and running to a particular service level? Relative to business continuity.
Recovery Point Objective (RPO)
The time period representing the maximum acceptable amount of data loss: when systems start up, how far back does the data go? Relative to backup frequency.
Mean Time to Repair (MTTR)
A common measure of how long it takes to repair a given failure.
= (total downtime) / (number of breakdowns)
Mean Time Between Failures (MTBF)
A common measure of the reliability of a system; an expression of the average time between system failures.
= (start of downtime - start of uptime) / number of failures
Functional Recovery Plans
Recover from an outage: contact information, technical process, recover and test.
Single point of Failure
A component or entity that, should it fail, would adversely affect the entire system; ensure proper backups or substitute options are available.
disaster recovery plan
A detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood.
Mission Essential Functions
Operations that are core to the success of the business; what are the critical systems that define company goals?
Site Risk Assessment
A risk assessment tailored to a specific location of the company.
Company Consequences of Privacy and data breaches
Reputation, Identity theft, IP theft, Fines
Escalation
Ensure a process or policy exists that states how breaches are reported to IT or related personnel so these issues can be solved.
Public Notification and Disclosure
Originally created from California SB 1386: the public has the right to know of any breaches or data-related incidents within companies; this law varies from state to state and between nations.
Data Classification
The measurement of data to ensure sensitivity labeling and handling, so that personnel know whether data is sensitive and understand the levels of protection required.
Data classification types:
Private, Sensitive, Confidential, Critical, and Proprietary
PHI (Protected Health Information)
Any information concerning a patient's health, medical condition, diagnosis, or treatment; it can include financial information
Data Types:
Classifications, PII, PHI, financial, government, and customer
Data minimization
Keeping only the data essential to a person or company; there is no need to keep additional information, given the risk of exposure.
Data Masking
A program that protects privacy by replacing personal information with fake values, for example *** ** *** 4567; it does not render the data unusable.
Tokenization
Replaces sensitive data with unique symbols; for example, SSN 456-78-8999 becomes 345-45-6789.
Anonymization
The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.
Pseudo-anonymization
Replaces personal information with pseudonyms; for example, Professor Messer becomes John Doe.