Module 3 Governance, Risk and Compliance Flashcards
(111 cards)
0
Q
Two Governance Components
A
- Separation of Duties
2. Policy Definition
1
Q
GRC
A
Governance
Risk
Compliance
2
Q
3 Characteristics of GRC
A
- Integrated and holistic
- Organization structures
- Process oriented
3
Q
Two Risk Management Components
A
- Change Management
2. Configuration Management
4
Q
Two Compliance Components
A
- Adherence to Regulations
2. Industry Aligned
5
Q
Integrated approach to organization-wide governance, risk management, and compliance.
A
GRC
6
Q
Helps ensure that an organization acts ethically correct and in accordance with its risk appetite, internal policies and external regulations.
A
GRC
7
Q
Integrated, holistic, and organization-wide
A
GRC
8
Q
Managed and supported through GRC
A
Operations
9
Q
Defines the guidelines and performance goals of an organization.
A
Governance
10
Q
Must include measurements of success to determine if the operation is performing to the company’s standard and, if not, what type of remediation is required.
A
Governance
11
Q
Four Consequences of Bad / Failed / No GRC
A
- Risk of fines for failed audits.
- Compliance concerns stall virtualization and Cloud.
- Audits - time consuming and costly.
- Concerns of identifying risk and proper valuation.
12
Q
Examples of external events that drive a company to have a GRC program
A
- A breach where information is lost and has to be reported due to regulations.
- A new Federal regulation
13
Q
Companies usually accept the risk of exposure until what?
A
Until they have an actual breach
14
Q
Why GRC is important
A
- Breach
- Regulation
- Other?
15
Q
Is security GRC?
A
No. Security is not GRC.
16
Q
- Related to information processing systems.
2. Mechanisms and techniques that control who may use or modify the computer or the information stored in it.
A
Security
17
Q
Three key security tenets
A
- Confidentiality
- Integrity
- Availability
CIA
18
Q
CIA
A
Confidentiality
Integrity
Availability
19
Q
Purpose of IT security
A
To mitigate risks
20
Q
IT risks are coupled with what?
A
Business risks
21
Q
A framework for decision making, accountability, and measuring success.
A
Governance
22
Q
Data protection and regulatory laws require what?
A
Security controls
23
Q
How does Compliance relate to Security?
A
- Data protection and regulatory laws require security controls.
- Access to information and enforcement.
24
Related to information processing systems
Security
25
Mechanisms and techniques that control who may use or modify the computer or the information stored in it.
Security
26
Key security rule regarding information
Always ensure that your company owns the information; retain ownership no matter who stores / maintains it.
27
Key security rule regarding the Cloud
Make your information Cloud ready - clearly understand:
1. Data you're putting in the Cloud.
2. Regulations and legislation surrounding that data.
3. Worst case outcomes related to a breach of this information.
28
Required for data
A creation-to-deletion plan
29
Layered Security Approach
Take a layered approach to protections with defense-in-depth, measuring against the CIA model, and keep roles segregated.
30
Term for End-to-end Data Lifecycle
Information Lifecycle Management
31
Key because most regulated data has data lifecycle requirements and should be how all data is handled.
The end-to-end data lifecycle (Information Lifecycle Management)
32
Four GRC Requirements for Virtualize Step
1. Visibility into virtual infrastructure
2. Privileged user monitoring
3. Access management
4. Network security
33
Four GRC Requirements for Operationalize Step
1. Security compliance
2. Information-centric
3. Risk-driven policies
4. IT & security operations alignment
34
Three GRC Requirements for IT-as-a-Service Step
1. Secure hyrbid Clouds
2. Secure multi-tenancy
3. Chain of trust
35
3 Infrastructure Characteristics for Virtualize Step
1. Automation
2. Efficiency
3. Integration of virtual OS and infrastructure
36
3 Infrastructure Characteristics for Operationalize Step
1. On-demand
2. Service Level Management
3. Increased range of capability
37
3 Infrastructure Characteristics for IT-as-a-Service Step
1. Metering and charge-back
2. Federation of resources
3. Geographically independent
38
Must be included when securing hybrid Clouds
Secure multi-tenancy and hardware root of trust
39
How do enterprises need to look at the Cloud?
As an extension of the data center
40
Looking at the Cloud as an extension of the data center means what?
That security and GRC controls should already be in place and be enforceable with measurable results.
41
Most large enterprises fall between what two stages?
Between the Virtualize and Operationalize stages
42
7 Top Threats - Cloud Security Alliance (CSA)
1. Abuse and nefarious use of Cloud computing
2. Insecure interface and APIs
3. Malicious insiders
4. Shared technology issues
5. Data loss or leakage
6. Account or service hijacking
7. Unknown risk profile
43
7 Top Threats - ENISA
1. Loss of governance
2. Lock-in
3. Isolation failure
4. Compliance risks
5. Data protection
6. Insecure or incomplete data deletion
7. Malicious insider
44
True or False: Currently, there are few tools, procedures, standard data formats, or services interfaces to guarantee data, application, and service portability.
True
45
Dependency on a particular hypervisor for service provisioning, especially if data portability is not enabled.
Lock-in
46
Includes the failure of mechanisms separating storage, memory, routing - and even reputation between different tenants (e.g., guest-hopping attacks).
Isolation Failure
47
True or False: Attacks on resource isolation mechanisms (e.g., against hypervisors) are less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.
True
48
Compliance risks of migration to the VDC
1. If the VDC cannot provide evidence of their own compliance with the relevant requirements.
2. If the VDC does not permit audit by the VDC customer.
3. If using a multi-tenant infrastructure implies that certain kinds of compliance cannot be achieved (e.g., Electronic Healthcare Records).
49
True or False: Management interface compromise is not a Cloud security risk.
False
50
Threat associated with requests to delete a Cloud resource
As with most OSs, may not result in true wiping of the data - insecure or incomplete data deletion
51
Definition of Enterprise Governance
The active distribution of decision-making rights and accountability among different stakeholders in an organization and the rules and procedures for making and monitoring those decisions to determine and achieve desired behaviors and results.
52
Questions related to Enterprise Governance
1. Who makes directing, controlling and executing decisions?
2. How will the decision be made?
3. What info is required to make the decisions?
4. What decision-making mechanisms should be required?
5. How will exceptions be handled?
6. How should governance results be reviewed and improved?
53
Directors should govern ICT through which three main tasks?
1. Evaluate the use of ICT.
2. Direct preparation and implementation of plans and policies.
3. Monitor conformance to policies, and performance against the plans.
54
Four applications that require GRC
1. Email
2. Accounts Payable
3. Accounts Receivable
4. Expense Management
55
Defines the rules of electronics discovery
U.S. Federal Rules of Civil Procedure (FRCP)
56
FRCP
Federal Rules of Civil Procedure
57
Requires improved transparency in financial services reporting methods, data collection, and aging standards.
Graham Leach Bliley Act (GLBA) - Financial Modernization Act of 1999
58
GLBA
Graham Leach Bliley Act - Financial Modernization Act of 1999
59
SOX
Sarbanes Oxley Act of 2002
60
Requires improved transparency in public company filings.
Sarbanes Oxley Act of 2002
61
Requires supporting information be kept in compliance with specifications around: ease of restore, length of data retention, types of data retained, and auditing processes.
Sarbanes Oxley Act of 2002 (SOX)
62
PII
Personally Identifiable Information
63
Usually includes Social Security Number (government ID), name, address, and credit card numbers
Personally Identifiable Information (PII)
64
PCI DSS
Payment Card Industry Data Security Standard
PCI DSS
65
Worldwide standard that specifies how cardholder information is collected, stored, processed, and shared with requirements for the processes (monitoring, audits) as well as the technology (encryption) used to manage PCI data.
Payment Card Industry Data Security Standard (PCI DSS)
66
US regulations which apply to email
FRCP
GLBA
SOX
HIPAA
67
US regulations which apply to accounts payable
GLBA
| SOX
68
US regulations which apply to accounts receivable
GLBA
| SOX
69
US regulations which apply to expense management
GLBA
SOX
PII
PCI
70
Typical security requirements for email, accounts payable, accounts receivable, and expense management applications.
2 factor authentication
| 45 day password expiration
71
The potential that a specific action or activity (including no action) will lead to an undesirable outcome
Risk
72
3 VDC Risk & Risk Assessment Considerations
1. What decision-making mechanisms should be required?
2. How will exceptions be handled?
3. How should governance results be reviewed and improved
73
3 Cloud Risk & Risk Assessment Considerations
1. Potential for data flow across boundaries in the public Cloud?
2. Third party controls need to be clearly documented.
3. Handoffs.
4. Clear process to manage information flow.
74
True or False: Traditional data centers have risk assessment considerations and they should be the foundation of any VDC and Cloud GRC implementation.
True
75
Tenancy GRC Consideration
When data is no longer kept on a system dedicated to just one business unit or application and is now in a multi-tenant shared resource pool - what are the implications from a risk perspective?
76
Auto-migration GRC Consideration
Does automatically migrating a VM and/or the data to another system or location have an impact on the risk level?
77
Auto-scaling GRC Considerations
As workloads scale up is there an availability risk or performance risk?
Can the environment automatically scale up to handle the workload and what happens when it scales down?
Are all the systems left "clean" of residual data that could be exposed?
78
Virtual provisioning GRC Considerations
Can it be considered a risk if it exhausts resources?
| Has that consideration been included in the risk assessments?
79
Cloud boundary GRC Considerations
With a public Cloud environment there are new risks such as the potential for data to be flowing across boundaries. Does the environment have adequate controls to assure that the data won't cross borders if it is not allowed to due to rules of law or regulation?
80
Cloud GRC considerations for trusted 3rd parties
Are there clearly understood controls for trusted 3rd parties, such as the Cloud SP?
Are they clearly documented to mitigate the risks as much as possible.
81
Cloud GRC Considerations for Incidents
When an incident occurs, is there a clear definition of where / when / who handoffs are done to facilitate efficient incident response escalation and post mortems?
82
Cloud GRC Consideration for Service Provider Information Flow
Do you as the customer have a clear process in place that manages the information flow and timing from the SP into your own organization and vice versa?
83
5 Steps in the Risk Assessment Process
1. Perform a quick, very high level risk check.
2. Based on the risk score, determine what mitigation needs to be applied to allow the asset to be placed in a VDC or Cloud environment.
3. Perform a full, detailed risk assessment. Understand all exposures; any further mitigations can be applied as necessary.
4. Deploy the asset within the shared environment. Security controls are in place with compliance requirements being met.
5. Re-evaluate the environment with another assessment and potentially an external audit.
84
3 levels of a risk scoring system
Low
Medium
High
85
5 Steps in Risk Assessment Process (Abbreviated Version)
1. Quick Risk (L/M/H)
2. Mitigation
3. Full Risk Assessment
4. Deploy
5. Evaluate
86
3 Quick Risk (L/M/H) Components
1. Asset Valuation
2. Pass / Fail
3. For VDC or Cloud
87
2 Mitigation Components
1. Apply Standards
| 2. Apply Internal Mitigation
88
3 Components of Full Risk Assessment
1. Perform Deeper Assessment
2. Determine Exposures
3. Apply Mitigations
89
2 Components of Deploy Stage in Risk Assessment Process
1. With Security Controls
| 2. With Compliance Controls
90
2 Components of Evaluate Stage of Risk Assessment Process
1. People, Process and Technology
| 2. Execute Full Audits Internal and External
91
Assessment usually applied to a whole business unit's IT infrastructure and processes - or even a whole company.
ISO 27002 Assessment
92
IRM
Information Rights Management
93
True or False: Risk determination must be asset-centric.
True
94
3 Risk Determination Quick Scoring Systems
1. Balanced Scorecard
2. Pre-Assessment
3. Blended Methor
95
What does a Balanced Scorecard risk determination evaluate?
Business and technology risk
96
Pre-assessment usually pertains to privacy assessments.
True
97
Pre-assessment IOS standard designed for financial services
ISO/IEC 22307
98
4 Primary Risk Determination Considerations
1. CIA - Confidentiality, Integrity, Availability
2. Management and organization
3. Value of application and data
4. Leverage standards for mitigation
99
Most important dimension to evaluate the risk
The value of the application and data to the company
100
3 Information Security Questions
1. Where is this application hosted?
2. How are support processes performed for the application?
3. Are there documented vulnerabilities in the application or associated infrastructure?
101
3 Business Considerations for Risk Scoring
1. Classify Data Sensitivity
2. Cost of Financial Damage
3. Value of Application Product and Data
102
ALE
Average Loss Expectancy
103
A state of being in accordance with established guidelines, specifications, or legislation
Compliance
104
Compliance Issues
1. Inventory applications
2. Pre-assessment for risk level for the VDC and Cloud
3. Deploy / apply rating system
4. Evaluate based on regulatory requirements
5. Evaluate compliance criteria for virtualization / Cloud
6. If data will handled by SP, evaluate them for transitive risks
7. Evaluate for vendor lock-in and future need to migrate to another provider.
105
Generally used before the asset is to be placed in a new environment
Privacy Assessments
106
Regulation which applies to financial data (personal and corporate)
PCI
107
Regulations which apply to healthcare data
HIPAA
| HITECH/HER
108
Regulation which applies to financial data (corporate)
SOX
109
Regulation which applies to personal information data
PII
110
Examples of 3rd party audit
SAS 70 Type II
