S3-m4/5

Question 1

Privacy

Answer 1

Protects the rights of an individual and gives the individual control over what information they are willing to share with others
-dictates the types of authorization granted to information

Question 2

Confidentiality

Answer 2

-Protects unauthorized access to information gathered by the company
-protecting personal privacy and proprietary information
-is required is that the information is only accessed by system or individuals with the appropriate authority

Question 3

Creating Policies and Procedures

Data Collection

Answer 3

Organizations should develop comprehensive policies and procedures for protecting the confidentiality of PII and proprietary information by defining:
-specific confidential data collected
-how data is collected, accessed, and retained
-incident response
-privacy in the development cycle
-sharing rules
-consequences of violation

Question 4

Conducting Training

Data Collection

Answer 4

Organizations should reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training to understand the relevant guidelines and the repercussions of violating these guidelines

Question 5

Personal Identifiable Information (PII)

Answer 5

All data that can be used to identify an individual:
-full name/ alias
-identification numbers
-addresses

Question 6

De-identifying Personal Information

Data Processing

Answer 6

Organizations should de-identify records by removing enough personal information such that the remaining information does not identify and individual

Question 7

Using Access Enforcement

Data Storage

Answer 7

Organizations should control access to personal info through access control policies and access enforcement mechanisms

Question 8

Implementing Access Control for Mobile Devices

Data Collection

Answer 8

Organizations should prohibit or strictly limit access to personal information from portable and mobile devices, such as laptops, and phones

Question 9

Auditing Events

Data Collection

Answer 9

Organizations can monitor events that affect confidentiality of personal information, such as inappropriate access to PII

Question 10

Data Transmission

Answer 10

Organizations should protect the confidentiality of information transmitted. This is commonly accomplished through encrypting the communication

Question 11

Data Deletion/Purging

Answer 11

Organizations should set up the policies to determine the data sets subject to be archived or purged

Question 12

Obfuscation

Answer 12

the process of replacing production data or sensitive information with data that is less valuable to unauthorized users

Question 13

Encryption

Obfuscation

Answer 13

Scrambles unencrypted data using cryptography so that it can generally only be deciphered with a key

Question 14

Tokenization

Obfuscation

Answer 14

Removes production data and replaces it with a surrogate value or token.

Question 15

Masking

Obfuscation

Answer 15

Swaps data with other like data so that the original identifying characteristics are disguised, or masked, while maintaining a similar structure to the unmodified data set

Question 16

Symmetric Encyption

Answer 16

Involves a single shared or private key for encryption and decryption of data within a group.
-drawback: does not facilitate a non repudiation bc any person with the shared key can encrypt and decrypt messages

Question 17

Asymmetric Encryption

Answer 17

Uses two keys, a public and private key. The public key is used to encrypt the message and the private key to decrypt it, or vice versa. Only the two opposite keys can be used in tandem.
-weakness is speed or operation: long keys/ complex

Question 18

Hashing

Answer 18

Converts a message with variable lengths to a fixed length message or code called a message digest or hash value

Question 19

Hashing vs Encryption

Answer 19

Difference is their intended use. Encryption is used fo secure data transfer to maintain confidentiality, whereas, hashing is used to maintain the integrity of the data, validating that the message is sent from the true sender

Question 20

Cipher

Answer 20

The result of applying encryption algorithms that encode encrypted messages into an encrypted form. Results in a combo of numbers and letters that are meaningless and illegible to those without a key

Question 21

Substitution Ciphers

Answer 21

Are algorithms that replace each character of a plaintext message with another character. Very basic ciphers imply replace one letter or number with another using a key, while more complex ciphers involve math to substitute.

Question 22

Transposing Ciphers

Answer 22

Are encryption techniques that rearrange the letter of a message to form unreadable ciphertext, often by using a matrix to perform columnar transposition

Question 23

Data Loss Prevention Systems (DLP)

Answer 23

Enables organizations to detect and prevent attempts by employees or unauthorized users to transfer sensitive information out of the organization electronically across multiple protocols, ports, and communication methods.
-pattern matching
-word recognition

Question 24

Objectives of a DLP

Answer 24

-implement a centralized DLP program, with collaboration from various departments, which oversee data for the entire organization
-define and create enterprise data usage policies
-evaluate the different forms of data, define levels of sensitivity
-monitor the use of sensitive data
-enforce security policies
-implement employee education programs

Question 25

Network Based DLP

Answer 25

Scan outgoing data that meet specific criteria and are transmitted using means such email, file transfer protocols, and direct messaging
-cloud based DLP apply same protection but to a cloud

Question 26

Endpoint based DLP

Answer 26

Scan files stored or sent to devices that might be outside of a network, such as a printer, USB drive, or any other device to which data can be transferred

Question 27

Physical Security

Answer 27

locked cabinet and closets, security cameras and badge entry

Question 28

Digital Security Controls

Answer 28

Encrypted hard drives, encrypted USB drives, or secure file systems that are encypted

Question 29

Authorization and User Access Controls

Answer 29

Control mechanisms, such as role based access controls, rule based access controls, discretionary access controls
-multifactor authentication

Question 30

Change Management Controls

Answer 30

require there to be processes in place for requesting changes to a system or data, review and approval, implementation, reversion, and documentation

Question 31

Backup and Recovery Mechanisms

Answer 31

these redundancy defenses protect data so it is not lost and can be restored in the event of a disaster, cyberattack, or accidental deletion or modification

Question 32

A read through

Answer 32

Involves distributing security, confidentiality, and privacy procedures to member of both the IT departments and no-IT departments supporting the walk-through for review
-inform personnel of tactical and strategic procedures

Question 33

Walk Throughs

Answer 33

occur in phases starting with a planning and preparation phase, followed by obtaining an understanding of the process being evaluated, performing the walk-through, creating documentation, performing tests, and finally evaluating the procedures
1. Plan and Prep
2. Obtain an Understanding
3. Perform Walk-through
4. Create Documentation
5. Test
6. Evaluate and report

Question 34

Finance and Accounting

Walk Through

Answer 34

-for confidentiality and privacy, focus on ensuring confidentiality and privacy policies are followed such that minimal PIIs are collected and each user has minimal level of PII and proprietary data to execute job function
-for security, focus on ensuring security policies are in place to only allow authorized employees access to systems that control any accounting functions that involve withdrawing or transferring cash

Question 35

Corporate Training and Education

Walk Through

Answer 35

-viewing security, confidentiality, and privacy content being delivered to employees
-employee acknowledgement of policies and procedures
-attending courses delivered by trainers
-reviewing materials an assessments given to trainees

Question 36

Human Resources

Walk Through

Answer 36

-for confidentiality and privacy, focus on how human resources follow the policies and procedures to identify an collect PII
-for security, focus on practices regarding background checks, defining security roles

Question 37

IT Risk Management

Walk Through

Answer 37

-for confidentiality and privacy, focus on identifying ways the department monitors the controls, identifying and communicating potential violations
-for security, focus on identifying ways the department tracks assets and systems that should be protected,

Question 38

Walk through procedures to be performed by SOC 2 engagement service auditor

Answer 38

-Following a transaction, event, or activity from origination until final disposition through the service organizations system using the same documents used by service organization personnel
-Inquiry, observation, inspection of relevant documentation, and flowcharts, questionnaires, or decision tables to facilitate understanding the design of the controls
-inquiry about instances during the period in which controls did not operate as described or designed
-questioning variations in the process for different types of events or transactions

Question 39

Factors when determining whether identified deviations may have a pervasive effect on other controls

Answer 39

-effect that entity level controls have on the operation of other controls
-the extent of the use of segmentation, a technique that enhances security by dividing networks or systems into multiple segments, across the service organization

Question 40

For potential fraud involving senior mangement

How should the service auditor respond?

Answer 40

communicating to those charged with governance and discussing with them the nature, extent, and timing of procedures necessary to complete the examination

Question 41

Incident response plan (IRP)

Answer 41

the documentation of a set of procedures, people, and information to detect, respond to, and limit the consequences of a cyberattack against an organization

Question 42

Key elements of a IRP outlined by NIST

Answer 42

-mission, strategies and goals, senior management approval and statement of commitment, organizational approach to incident response, purpose and objectives of the policy, scope of the policy, metrics for measuring the incident, roadmap, definition of computer security incidents and related terms

Question 43

Incident Response Timeline

Answer 43

Recovery timeline to be charted when an incident occurs, clearly delineating the point at which the incident starts, when its detected, contained, and eradicated and when normal operations are stored

Question 44

Method of detection

Answer 44

-vulnerability scanning software
-anomaly detection
-endpoint detection and response solutions
-file integrity monitoring
-log analysis
-intrusion detection
-intrusion prevention

Question 45

Centralized Incident Reponse Team

Answer 45

A single incident response team is tasked with managing incidents across the organization. This approach is effective for smaller organizations and those with computing environments that aren’t distributed geographically

Question 46

Distribute Incident Reponse Teams

Answer 46

Organizations in this model have multiple incident response teams that are responsible for specific logical or physical segments of a company’s network. Effective for orgs that have geographically widespread computing resources

Question 47

Coordinating Team

Answer 47

A secondary function of either a distributed or centralized incident response team is coordinating with other departments without having authority over those teams

Question 48

Employee Morale

Answer 48

Segregating roles may be one option to combat this fatigue and be a morale booster

Question 49

Event

Answer 49

An observable occurrence in a system or network. Examples include a user connecting to a shared file server, a server receiving a request for a web page, a user sending an email, and a firewall blocking a connection attempt

Question 50

Adverse Event

Answer 50

Any event with a negative consequence is defined as an adverse event, such as system crashes, packet floods, unauthorized use of system privilege’s, unauthorized access to sensitive data, and the execution of malware that destroys data

Question 51

Computer System Incident

Answer 51

A type of adverse event that is computer security related and caused by malicious human intent, not by environmental or indirect human factors such as power failures or natural disasters
-any violation or imminent threat of computer security policies

Question 52

Preparation

Answer 52

Initial phase of incident response planning involves assembling key personnel, tools, and processes so the organization will be prepared to handle many scenarios

Question 53

Detection and Analysis/Identification

Answer 53

The second phase concentrates on recognizing deviation from normal operations, evaluating deviations, and correctly classifying them as either an acceptable event or a problematic CS incident

Question 54

Containment

Answer 54

Once threat is correctly identified, the org must contain it so that further damage is not incurred.
-isolating a segment of network, removing infected servers
-nontechnical measures like informing employees so that certain routine operations might stop
step 3

Question 55

Eradication

Answer 55

Targets the extraction of the threat and restoration of affected systems, which may be as simple as restoring infected files with clean backup copies or as complex as using specialized software and forensic analysis to help decrypt or remove infected file.
step 4

Question 56

Reporting

Answer 56

Emphasizes communicating of the incident to management, IT personnel, and affected employees

Question 57

Recovery

Answer 57

Prioritizes returning an organizations normal IT operations to full functional state
-phased approach with early days focused on increasing overall security and implementing immediate high impact changes

Question 58

Post Incident Activity/Lessons Learned

Answer 58

Last step. Senior management and directly affected employees examine the incident, understand how it occurred, and develop ways to improve the response.

Question 59

SysAdmin, Audit, Network, and Security (SANS) institute

Incident response phases

Answer 59

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Question 60

NIST IRP

Incident response stages

Answer 60

1. Preparation
2. Detection
3. Containment, eradication, recovery
4. post incident activity

Question 61

International Organization for Standardization (ISO) IRP

Security Incident Management Activities

Answer 61

• evaluating event criteria and defining incident
• monitoring and detecting events
• managing incidents to the end of their lifecycle
• coordinating with authorities and handling evidence properly
• performing a root cause analysis
• reporting on all incident managment activities

Question 62

Mean Time to Detect

Answer 62

amount of minutes or hours that it takes an organization to detect a prior incident or one in progress

Question 63

Mean time to acknowledge

Answer 63

used to determine the amount of time an organization takes to acknowledge an incident once it has occurred
difference between the point in time when incident is reported and when it is recognized as an actual threat

Question 64

Mean time Between Failures

Answer 64

mean time between consecutive failures

Question 65

System Availability or Downtime

Answer 65

amount of time that a production system is completely or partially unusabel

Question 66

Service level agreement compliance

Answer 66

Involves evaluating whether qualitative or quantitively specified performance levels in a series level agreement with a IT provider were met

Question 67

Business Interruption Losses

Insurable Loss

Answer 67

Lost Revenue from operating delays that are due to the inability to access records, systems, or financial resources may be part of a cyber insurance policy

Question 68

Cyber Extortion Losses

Insurable Loss

Answer 68

Coverage may include funds for ransom payments and fees to attorneys or IT experts for the cost of negotiating with attackers

Question 69

Incident Reponse Costs

Insurable Loss

Answer 69

costs associated with recovery of lost or stolen data by external IT experts or managed services providers

Question 70

Replacement Costs for information systems

Insurable Loss

Answer 70

if an attack results in corrupted software or physically damaged hardware, insurance may cover a partial or complete replacement of IT assets

Question 71

Cyber Insurance Requirements for Applicants

Answer 71

• backround checks
• compliacne with regulations
• disaster recovery
• employee training
• company policies
• independent risk assessment
• incident response plans
• IT controls
• Mandatory PEN testing
• Loss history

Question 72

User Behavior Analytics Tools

Answer 72

UBA tools monitor, analyze, and interpret user activities to detect patterns and anomalies. Listed in an IRP

Question 73

Tabletop Excecises

Answer 73

also know as simulations