ICS1 Flashcards

Question

1 NIST Privacy Framework

Answer 1

To protect individuals data as used in data processing applications any industry

Answer 2

similar structures, RM approaches but applied to each subject matter differently. Identify, Protect

Answer 3

Identify, Govern, Control, Communicate, Protect

Answer 4

What are the privacy risks related to data processing? Inventory/mapping, business env., RA, data processing ecosystem RM.

Answer 5

What is the best governance structure ? Governance P&P, RM strategy, awareness/trainings, monitoring review.

Answer 6

What is the best management structure - data processing P&P, mgmt, and disassociated processing.

Answer 7

How to drive dialog around privacy risk related to data processing activities.

Answer 8

What safeguards should be in place, five categories 1. data protection p&p, 2. identity mgmt, authentication and access control 3. , data security, maintenance, protective technology.

Answer 9

Functions are subdivided into categories to address privacy program considerations, and further subdivided to sub-categories.

Answer 10

Mirrors Cybersecurity framework (current, target, gap analysis)

Answer 11

Mirrors cybersecurity framework (partial, risk informed, repeatable, adaptive)

Answer 12

Set of security and privacy controls applicable to all Info systems and the standard for federal info security systems.

Answer 13

designed for protecting info systems against sophisticated threats establishes controls for systems/orgs that can be implemented within org/system that process, store or transmit information. Helps to identify security and privacy controls needed to manage risk and satisfy requirements by OMB A-130 and FISMA.

Answer 14

requires controls for federal Info Systems

Answer 15

required implementation of minimum controls to protect federal info and IS.

Answer 16

- System admins : individuals with system, info security, privacy, or RM and oversight responsibilities -System developers: program managers, engineers, developers -logistical personnel: procurement, system integrators property managers - security/privacy personnel and assessment and monitoring personnel -Commerical entities (3rd party vendors) producing products/system/services that support security or privacy.

Answer 17

- Well defined security and privacy requirement for systems/orgs. - Use of trustworthy system components ( - Rigorous security and privacy planning and system development life cycle mgmt. - Application of security and privacy practices for system integration of info systems. -Documented practices - Continuous monitoring of info system to eval effectiveness of controls.

Answer 18

They cover org. risk and are subdivided into controls and control enhancements. Controls are to be implemented for family conformance enhancements are best practices (some recommended, some required for baseline conformance)

Answer 19

3 approaches that are to be implemented on a per control basis: 1. Common - inheritable, implement controls at org. level, which are adopted by Info Systems. 2. System Specific - at info system level 3. Hybrid - org level where appropriate and remainder at system level.

Answer 20

regulate how those entrusted w/ private information collect, process, maintain and disclose it.

Answer 21

EU enacted one comprehensive data privacy law that applies and governs how all entrusted w/ personal data handle that info. imposes steep penalties and fines

Answer 22

Data processors based in EU, or those offering services to those in EU, or where public international law applies.

Answer 23

1. Lawfulness, Fairness, Transparency 2. Purpose Limitation 3. Data minimization 4. Accuracy 5.Storage Limit 6. Integrity/Confidentiality

Answer 24

support transatlantic commerce, EU/US, transmit data - EU declarer invalid replaced with Privacy Shield, which also was invalid.

Answer 25

1. Detection/escalation 2. notification 3. Response 4. Loss of business/rev. (during downtime)"

Answer 26

Health care providers that transmit info electronically, health plans, health care clearing houses, business associates who are service providers who need access to PHI

Answer 27

1. individuals, 2. for treatment, payment, and health care operations 3. incident to otherwised permitted use and disclosure 4. With valid auth 5. Redacted for research, public health or health care ops 6. public interst and benefit activities provided by law

Answer 28

1. ENSURE - confidentiality, integrity and availability of electronic PHI 2. PROTECT against reasonably anticipated threats to security of info, impermissible use or disclosures 3. ENSURE compliance by workforce

Answer 29

1. Security mgmt processes 2. assigned security responsibilties, 3. workforce security 4. Info access mgmt 5. security awareness/training, 6. security incident procedures 7. contingency plans, 8. evaluation.

Answer 30

facility access, workstation use/security, device/media controls

Answer 31

access controls, audit controls, data integrity controls, person/entity authentication, transmission security

Answer 32

Health Information Tech for Economic and Clinical Health Act Amended HIPPA to increase penalties, patients option to obtain records electronically, and add business associates as covered entities, breach notification rule.

Answer 33

w/in 60 days to impacted people

Answer 34

Data protected includes cardholder data, authentication data - Account data Six goals and 12 requirements 1. Build/Maintain a secure network of system 2. Protect account data 3. vulnerability mgmt program 4. strong access control measures 5. Regular monitor/test 6. maintain info sec policy"

Answer 35

recommended set of actions, processes and best practices to strengthen cybersecurity defenses., (Supported by SANS institute) Controls are task focused and organized by activity (instead of who manages the device) a total of 18 controls and 153 subcategories of safeguards.

Answer 36

1. Align - controls should map to other top CS standards 2. Measurable - simple, measurable and avoid vague language 3. Offense Informs Defense - controls drafted based on events 4. Focus - help prioritize most critical problems and avoid resolving every issue 5. Feasible -

Answer 37

Implementation of CIS can be tailored to org. size by using one of three implementation groups, these are self assessed categories that ID subset of the CIS controls which are critical to adopt given size.

Answer 38

Small or Medium sized org that have limited cybersecurity defense mechinism in place. Main focus - keep operational since limited expertise, not sensitive data, cant sustain long periods of downtime.

Answer 39

Orgs that have IT staff who support departments that have various risk profiles. Sensitive client data and can tolerate short term disruption. Biggest concern - lost of trust

Answer 40

Orgs have security experts in all domains w/in CS. Sensitive data assets subject to compliance or reg oversight. Attacks cause significant damage to company/public.

Answer 41

- helps organizations actively track/manage all IT assets connect to IT infrastructure physically or virtually/cloud. Also focus on external devices connect via guest network -Gives visibility on how data flows, which device contains sensitive data to help prioritize security/maintenance

Answer 42

portable end-user devices that periodically connect to network and then disappear - makes it hard to have a holistic view of inventory.

Answer 43

Track and actively manage all software applications so that only authorized software is installed on company devices -Guidance on finding unmanaged and unauthorized software already installed so it can be removed and remediated. Control lists and policies should be in place (operating systems, programming software, business applications, drivers, open-source software, some firmware)

Answer 44

info on if software patches are installed, applications reaching end of life support are renewed or transitioned out, safeguards needed are in place

Answer 45

Develop ways to securely manage the entire life cycle of their data, from the initial identification and classification data to its disposal. Must identify, archive, label, and classify their data to understand implications of data being lost or compromised

Answer 46

Labeled at discretion of the enterprise and should be assigned based on sensitivity (i.e. internal, public, sensitive, and confidential)

Answer 47

After sensitivity is defined, mapping should be developed to ID software that access, and allow consolidation of sensitive classification into one network.

Answer 48

Establish and maintain secure baseline configurations for enterprise assets (hardware/software - network devices, mobile/end user, IoT, operating systems).

Answer 49

Many are sold with preconfigured settings that can present vulnerabilities, therefore should have control activities to assess configurations and modify and move to continuous monitoring.

Answer 50

CIS Benchmark Program or NIST National Checklist Program Repository

Answer 51

process of making an organization less vulnerable to attacks, examples include removing unused software, closing network ports, changing default passwords, turning off non essential services.

Answer 52

best practices managing credentials and authorization for user accounts, privledge user accounts, and service accounts for hardware/software.

Answer 53

- central account mgmt, acceptable use policy and account safety guidelines, credential are sensitive info, training for users, password requirements, controls for inactivity, and account lockouts.

Answer 54

Specifies the types of access that user accounts should have.

Answer 55

least privledge or "need to know" only what is needed to do job

Answer 56

Protocols for granting access and revoking access, MFA or privledge account management for security, a comprehensive solution for provisioning and de-provisioning access

Answer 57

Assist in continuously identifying and tracking vulnerabilities within infrastructure so they can be remediated and eliminate weak points/widows of opportunity.

Answer 58

unknown vulnerabilities - no known solution to weak point

Answer 59

Classification schemes like Common Vulnerablity Scoring System or Common Vulnerabilites Exposure

Answer 60

Establishes and enterprise log management process so that organizations can be alert and recover for an attack in real time using log collection and analytic features.

Answer 61

How to detect and protect against cybercrime attempted through email or internet by engaging w/ EE.

Answer 62

policies and tools to enforce URL filtering, blocking certain file types, restrict users add-ons URL filtering can be done by Domain Name System (DNS) filtering - which blocks users from accessing certain domains on a blacklist.

Answer 63

Prevent the installation and propagation of malware onto company assets and its network. Endpoint assets and devices can be leveraged as entry points and targets

Answer 64

viruses, worms, spyware, adware, keyloggers, ransomware can cause damage by stealing intellectual property, log-ins, destroying data, or encryption for ransom.

Answer 65

solution should be centrally managed, maintained, and deployed to all potential entry points. Autorun/auto play features should be disabled

Answer 66

Living off the land approach minimizes likelihood attacker will get caught by using organization's existing tools against them - quick window

Answer 67

Establishes data backup, testing, restoration processes that allow organizations to effectively recover company assets to a pre-incident state. backup and restorage methods will be based on data value, sensitivity, classification, and retention requirements.

Answer 68

automating back-up process, off site storage and encryption. These should be tested once per quarter - restore using test bed environment

Answer 69

procedures and tools for managing and securing a company's network infrastructure (both physical/virtual devices - firewall, gateways routers, switches, wireless access points).

Answer 70

network architecture documenation/diagrams should be kept up to date to reflect network topology and layout Should include critical vendor contract info to increase likelihood for upgrade/patches timely, Monitor for end of life network components to make upgrades or mitigating controls Continuously identify and remediate insecure default network config settings, misconfig network, insecure protocol usage, outdated network software

Answer 71

Processes for monitoring and defending network infrastructure against threats.

Answer 72

ways networks are attacked. DoS - gain access to network and overloading it with traffic so it is rendered useless.

Answer 73

Establish event logging and alerting mechanisms tools such as security info and event management (SIEM) to help centralize and assist in log analysis. Traffic flow monitoring, alerting and detection safeguards can also be implemented (network intrusion prevention system, next-gen firewall, data loss prevention end point detection systems)

Answer 74

guides in establishing security awareness and training program to reduce cybersecurity risk.

Answer 75

Develop processes to evaluate 3rd party service providers that have access to data or manage IT functions.

Answer 76

Processes to oversees service provider life cycle Providers should be assessed and their performance and standards catalogued from initial engagement through decommissioning for adherence to security standards, protocols, and best practices. SOC audit reports can be used.

Answer 77

Safegaurds that manage the entire life cycle of software that is aquired, hosted or developed to detect, deter and resolve cybersecurity weaknesses before they are exploited.

Answer 78

Buffer overflows, corss site scripting - xxs inject content and code into a website to take over Sql injections - sql query to extract or corrupt data race conditions - two apps share the same data, race to get data first

Answer 79

Consider if best practices/safegaurds are followed (secure design standards, secure code reviews, security testing tools) introuce application security as early as possible process in place to inventory 3rd party components, tools, and apps (ensuring software up to date, configurations are reviewed, compensating controls for attach mitigation) SAAS can be an weak spot can implemenet bug bounty programs

Answer 80

Establish incident response management program to detect, respond, and prepare for cybersecurity attacks.

Answer 81

-Designation of key contact, - establishment of incident response team -development of communications plans for notifying impacted business units, stakeholders, and regulatory agencies. -Exercises/test the incident response process

Answer 82

Test sophistication of cybersecurity defense system in place by simulating attacks in an effort to find and exploit weaknesses. Begins with discovery or observation of env., followed by scans to find vulnerablities that can gain access, results are studied, revise controls - at least annually for large orgs w/ significant risks

Answer 83

-ISACA developed -Most widely used IT governance standards -Provides a roadmap to implement best practices for IT governance and management

Answer 84

-Governance - BOD -Management - daily planning/admin of operations CEO, CFO, COO -Internal Stakeholders - BOD/MGMT, managers, assurance providers, RM - External stakeholders - regulators, investors, business partners

Answer 85

Formed by princples, standards and regulations (Cobit 5, 6 principals for governance systems 3 principals of governance framework, community collabor, regs) The core model can be customized through design factors and focus areas to arrive at a enterprise governance system. There are Framework guides (Intro/Methodology and governance and mgmt objecgices) a Design guide and implemenation guide that can be refernced.

Answer 86

VHDDTE (very healthy diet do try everything) 1. Provide Stakeholder VALUE 2. HOLISTIC Approach 3. DYNAMIC Governance System 4. Governance DISTINCT From Management 5. TAILOR Enterprise Needs 6. END to END Governance System

Answer 87

governance system should create value for stakeholders by balancing benefits, risks, and resources through well designed governance system with actionable strategy.

Answer 88

governance systems for IT can comprise diverse components, collectively providing an holistic model (18 CIS controls)

Answer 89

When a change in one governance system occurs, the impact on all others should be considered so they system continues to meet demands - system that is dynamic enough that it can be relevant while adjusting

Answer 90

Management activites and governance systems should be clearly distinguished from each other as they have different functions

Answer 91

Customized to each company, using design factors to prioritize and tailor the system. No one size fits all.

Answer 92

More than just the IT function should be considered - all processes involving information and technology should be factored.

Answer 93

Should identify key components and relationships between those components to provide for greater automation and max consistency.

Answer 94

Ability to change adding relevant content and removing irrelevant content, while keeping consistency and integrity.

Answer 95

align with regulations, frameworks, and standards

Answer 96

Responsibility of BOD Evaluate, direct, monitor - evaluate strategic objectives, direct management to achieve those objectives, and monitor if they are being met. 1. Ensuring benefits delivery 2. governance framework setting 3. risk optimizatoin 4. resource optimization 5. stakeholder engagement

Answer 97

Focus on aligning technology's overall strategy, planning how to utilize technology in business operations, organizing resources for most efficient and effective usage. Managed data is one of the most significant objectives Things such as: IT infrastructure, budgeting, HR, vendors, quality, security, managing risk.

Answer 98

building, acquiring, and Implementation of IT solutions in business processes 11 objectives on requirements definitions, ID solutions, managing capacity, dealing with org and IT change, managing knowledge, administering assets, managing configuration

Answer 99

Address the delivery, service, and support of IT services. 6 objectives cover managed operations, service requests, managed problems, continuity, security services, business process controls.

Answer 100

address IT conformance with performance targets and control objectives w/ external requirements : managed performance, Through continuous monitoring, evaluations and assessments of IT systems, controls and components.

Answer 101

factors collectively or individually contribute to successful execution of governance system over IT and systems.

Answer 102

1. Process - activities to ach. overall tech goals 2. Org Structure - decision making entities in org 3. principals, policies, and frameworks - guidance to turn desired behavior into practice 4. information - 5. cultuer, ethics, behavior 6. people skills and competencies 7. service infrastructure and applications

Answer 103

Influence design of IT governance system, 11 factors

Answer 104

primary and secondary strategy like growth and acquisition, innovation/differentiation, cost leadership strategies, and client service/stability strategies

Answer 105

goals support the strategy and are structured based on the balance scorecard dimensions (which are financial, customer, interal, and growth)

Answer 106

addresses current risk exposure and maps which risks exceed appetite - risks include IT operational incidents, software adoption and usage problems, noncompliance, tech-based innovation, and geopolitical issues

Answer 107

regular IT audit findings of poor IT quality or controls, insufficient IT resources, frustration between IT and departments, hidden IT spending, problems with data quality, noncompliance w/ regs.

Answer 108

Environment in which company operates - classified as normal or high due to geopolitical issues, industry, or economic issues.

Answer 109

Compliance demands can be low (minimal demands), normal (typical for the industry), or high

Answer 110

system not critical for operating or maintain business

Answer 111

immediate impact on business ops and continuity if fails

Answer 112

drives innovation but not required for critical business ops

Answer 113

crucial for both innovation and business ops

Answer 114

type of IT procurement model from outsources to cloud to built in house or hybrid

Answer 115

methods to implement new IT projects - agile, DevOps, traditional waterfall or hybrid

Answer 116

emerging technologies adopted as soon as possible to gain edge

Answer 117

emerging technologies adopted after proven

Answer 118

very late to adopt new technologies

Answer 119

Large - FT count > 250 , small/medium with 50-250 FT.

ICS1 Flashcards

Regulations, Standards, Framework (143 cards)