Flashcards: Security+ 601 Part 5 | Quizlet

108 Terms

1

Managerial Control

Controls that are based on overall risk management, such as the use of cybersecurity audits.

2

Operational Control

Ensuring that the policies and procedures used are limited by security risk; for example, instructions to a guard.

3

Technical Control

A control that uses some form of technology to address physical security issues; automated and machine-involved controls.

4

Preventive Control

A control that prevents specific actions from occurring; for example, a mantrap prevents a person from entering a facility.

5

Detective Control

A control designed to identify any threat that has reached the system, such as an IDS.

6

Corrective Control

A control used after an event to minimize the extent of damage; for example, load balancers and redundant systems act to ease system overuse.

7

Deterrent Control

A control that attempts to discourage security violations before they occur; for example, salt on password hashes.

8

Compensating Control

A control that provides an alternative to normal controls that for some reason cannot be used; fire suppression systems are an example of this.

9

Physical Control

A control that prevents specific physical actions from occurring; for example, mantraps prevent tailgating, and covers over critical buttons are another form of physical control.

10

General Data Protection Regulation (GDPR)

Mandates a baseline set of standards for companies that handle EU citizens' data, to better safeguard the processing and movement of citizens' personal data.

11

PCI DSS (Payment Card Industry Data Security Standard)

Protects customer credit card information and is designed to reduce fraud.

12

Center for Internet Security

A set of top 20 security controls that should be implemented as a baseline for cybersecurity risk management.

13

NIST (National Institute of Standards and Technology) Risk Management Framework (RMF)

Mandatory for agencies dealing with federal data; a six-step process:
1. categorize
2. select
3. implement
4. assess
5. authorize
6. monitor

14

Cybersecurity Framework CSF

A commercial framework defined by: identify, protect, detect, respond, and recover.

15

International Organization for Standardization (ISO)

An SSAE SOC 2 report focuses on internal controls related to compliance and operations; a SOC Type 1 report evaluates whether proper controls are in place at a specific point in time, and a SOC Type 2 report is done over a period of time to evaluate the effectiveness of controls.

16

Cloud Security Alliance (CSA)

A nonprofit organization with a mission to promote best practices for using cloud computing securely.

17

Cloud Control Matrix

A list of security controls for the cloud.

18

Reference architecture

A broad framework that describes all aspects of cloud security.

19

Benchmarks/secure configuration guides

Guidelines to help set up and operate computer systems to a secure level that is understood and documented.

20

Platform/Vendor specific guides

Hardening guides that are specific to the software or platform.

21

Web server guides

The connection between the user and the public is always prone to attacks; setting up an external-facing application securely is key to avoiding unnecessary risks.

22

OS guides

The interface between the user performing tasks and the hardware of the computer; configuration guides are available for each type of platform.

23

Application server

A part of the enterprise that handles specific tasks that we associate with IT systems; ensure that it gets proper configuration when building the servers.

24

Network Infrastructure Devices

Routers, switches, firewalls, and concentrators are all devices that need to be properly configured so that day-to-day processes are not tampered with.

25

Acceptable Use Policy

A policy that goes hand in hand with the internet usage policy, which states what is considered acceptable behavior for computer system users.

26

Job rotation

Provides a better experience for workers to gain knowledge of all departments of a company; it also helps ensure that no fraudulent activity occurs, which improves security awareness.

27

Mandatory Vacations

When an organization requires that an employee take a certain number of vacation days consecutively, so that no one person controls a part of the company; having at least two people able to do the same job ensures higher security overall.

28

Separation of Duties

Dividing responsibilities between two or more people to limit fraud and promote accuracy of records; it also ensures that no one person has all the keys to the company.

29

Least Privilege

States that a user should have only the level of access permissions required to perform their job.

30

Clean desk space

Sensitive information must not be left unsecured in the work area when the worker is not present to act as a custodian.

31

Background check

The process of looking up and compiling the criminal records, commercial records, and financial records of an individual or an organization before they're hired.

32

Non-Disclosure Agreement (NDA)

A legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to or by third parties.

33

Social media analysis

Analytic method used by companies to ensure workers aren't browsing the web publicly, whether that be through AUPs, P2P, or even BitTorrent.

34

Onboarding

Programs that help employees integrate and transition into new jobs by making them familiar with corporate policies, procedures, culture, and politics, and by clarifying work-role expectations and responsibilities.

35

Offboarding

Facilitates employee departure from the company by assisting the completion of exit tasks, including exit interviews, forms completion, the return of company property, and ensuring that employees receive the appropriate extended benefits.

36

User training

To ensure that users are aware of and are following appropriate policies and procedures as part of their workplace activities; this can include gamification, role-based training, phishing simulations, computer-based training, phishing campaigns, and capture the flag.

37

Diversity of training techniques

Matching the material to the learners' method of learning, and then testing outcomes to ensure successful training has been achieved.

38

Service Level Agreement (SLA)

Part of a service contract where the service expectations are formally defined between parties.

39

Memorandum of Understanding (MOU)

Legal documents describing bilateral agreements that express intended actions with respect to some common pursuit or goal.

40

measurement systems analysis

The analysis of the measurement system to determine the accuracy and precision of the data obtained from the measurement.

41

Business partner agreement

A legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners.

42

End of life

Term used to describe a product that has reached the end of its useful life.

43

End of service

Term used to describe a product's end of support from the manufacturer, with no further updates or services for the product.

44

Data governance

The process of managing the availability, usability, integrity, and security of data in enterprise systems.

45

data retention

The management of the data lifecycle with an emphasis on when data reaches its end of useful life for an organization.

46

Change management policies

Ensure proper procedures are followed when modifications to the IT infrastructure are made; this is about the main process of applying change.

47

Change control policies

The process of how changes to anything are sourced, analyzed, and managed; more specifically, the details of how change management occurs.

48

asset management policies

The policies and processes used to manage the elements of the system, including hardware, software, and the data that is contained within them.

49

Third-party Risk Management

Vendors, supply chains, and business partners all describe what needs to be accounted for when defining risk with...

50

Credential Policies

Policies that refer to the processes, services, and software used to store, manage, and log the use of user credentials.

51

Credential Policy Types:

Personnel, third party, devices, service accounts, admin/root accounts

52

Risk Types

External, Internal, Multiparty, IP theft, legacy systems, and software compliance/licensing

53

Acceptance

A business is willing to take on a known risk to the company.

54

Avoidance

A business completely stops a business operation so that it won't endure any risk.

55

Transference

Buying cybersecurity insurance allows another company to deal with the risk your business has acquired; this process is called...

56

Mitigation

A business lessens the impact from a risk by either updating the systems or looking for better systems to use.

57

Software compliance/licensing risk

Many copies of many software products can be made and used without licenses, and this creates...

58

Risk analysis

Performed via a series of specific exercises that reveal the presence and level of risk across an enterprise.

59

Risk Register

A list of risks associated with a specific system; it also contains additional information associated with each risk.

60

Risk Matrix

A matrix that lists an organization's qualitative vulnerabilities, with ratings that assess each one in terms of likelihood and impact on business operations, reputation, and other areas.

61

Risk Control Assessment

Tool used by the Financial Industry Regulatory Authority (FINRA) to assess a series of risks associated with their member institutions.

62

Risk Control Self-Assessment

The technique that employs management and staff at all levels to identify and evaluate risks and their associated controls.

63

Risk awareness

The knowledge of risk and the consequences that follow from it; essential for a wide range of personnel to know the risk associated directly with their role.

64

Inherent Risk

The amount of risk that exists in the absence of controls.

65

Residual Risk

The risk that remains after known controls are accounted for.

66

Control Risk

Risk associated with the chance of a material misstatement in a company's financial statements.

67

Risk Appetite

Term used to describe a firm's tolerance for risk.

68

Regulations that affect risk posture

Sarbanes-Oxley - financial regulations on protecting data
PCI-DSS - credit card data

69

Qualitative Risk Assessment

Determines the risk of an environmental hazard based on human perception rather than data; an example is the risk matrix/heat map.

70

Quantitative Risk Assessment

Analysis of the numerical probabilities of a situation, dealing with metric models such as ALE, SLE, etc.

71

Likelihood of occurrence

The chance that a particular risk will occur; the measure can be qualitative or quantitative. For qualitative, it's defined on an annual basis relative to other annualized measures; for quantitative, it's used to create a ranked order.

72

Impact

life - the most important consideration
property - risk to buildings and assets
safety - some environments are too dangerous to work in
finance - the resulting financial cost
reputation - an event can cause status or character problems for your company

73

Asset Value (AV)

The amount of money it would take to replace an asset.

74

Single Loss Expectancy (SLE)

The expected monetary loss every time a risk occurs.

AV * EF = SLE

75

Annualized Loss Expectancy (ALE)

How much of a single asset is stolen per year?

SLE * ARO = ALE

76

Annualized Rate of Occurrence (ARO)

The probability that a risk will occur in a particular year.

77

Disaster

A major event that causes disruptions.

78

Disaster types

Person, Environment, Internal/External

79

Business Impact Analysis (BIA)

The process used to determine the sources and relative impact values of risk elements in a process.

80

Recovery Time Objective (RTO)

Used to describe the target time that is set for the resumption of operations after an incident; how long will it take to get back up and running to a particular service level? Relative to business continuity.

81

Recovery Point Objective (RPO)

The time period representing the maximum acceptable amount of data loss; when systems start up, how far back does the data go? Relative to backup frequency.

82

Mean Time to Repair (MTTR)

A common measure of how long it takes to repair a given failure.

MTTR = (total downtime) / (number of breakdowns)

83

Mean Time Between Failures (MTBF)

A common measure of the reliability of a system; an expression of the average time between system failures.

MTBF = (start of downtime - start of uptime) / (number of failures)

84

Functional Recovery Plans

Recover from an outage: contact information, technical process, recover and test.

85

Single point of Failure

A component or entity that, should it fail, would adversely affect the entire system; ensure proper backups or substitute options are available.

86

disaster recovery plan

A detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood.

87

Mission Essential Functions

Operations that are core to the success of the business; what are the critical systems that define company goals?

88

Site Risk Assessment

A risk assessment tailored to a specific location of the company.

89

Company Consequences of Privacy and data breaches

Reputation, Identity theft, IP theft, Fines

90

Escalation

Ensure a process or policy is created that states how breaches reach IT or related personnel so that these issues can be solved.

91

Public Notification and Disclosure

Originally created from California SB 1386; the public has the right to know about any breaches or data-related incidents within companies. This law varies from state to state and between nations.

92

Data Classification

The measurement of data to ensure sensitivity labeling and handling, so that personnel know whether data is sensitive and understand the levels of protection required.

93

Data classification types:

Private, Sensitive, Confidential, Critical, and Proprietary

94

PHI (Protected Health Information)

Any information concerning a patient's health, medical condition, diagnosis, or treatment; it can include financial information

95

Data Types:

Classifications, PII, PHI, Financial, government, and customer

96

Data minimization

Keeping only the data essential to a person or company; there is no need to keep additional information, given the risk of exposure.

97

Data Masking

A program that protects privacy by replacing personal information with fake values, for example *** ** *** 4567; it does not render the data unusable.

98

Tokenization

Replaces sensitive data with unique symbols; for example, SSN 456-78-8999 is 345-45-6789.

99

Anonymization

The act of permanently and completely removing personal identifiers from data, such as converting personally identifiable information (PII) into aggregated data.

100

Pseudo-anonymization

Replaces personal information with pseudonyms; for example, Professor Messer is John Doe.