CompTIA Sec+ 3.1
Architecture and Design: Use Cases for Frameworks (Updated Dec 4, 2019)
28
Computer Science
Professional
11/12/2018

Cards

Term
AT-101 Attestation Standard
Definition
Created by the AICPA (American Institute of Certified Public Accountants), not the PCAOB (the PCAOB oversees audits of public companies)
-Applied to companies that provide "As a Service" products
-SOC 2 (and SOC 3) reports were based on it; superseded in 2017 by SSAE 18 (AT-C sections)
-Review reports from other companies (potential partners) to understand how partnering could introduce risk
Term
Administrative Controls
Definition
-Control type that focuses on people and process rather than technology
--risk assessments
--planning
--policies: separation of duties, mandatory vacations, security awareness training
Term
Control Diversity
Definition
-Use different kinds of controls (administrative, technical, physical) rather than more of one kind, so a single failure does not defeat them all
-Part of defense in depth
Term
FedRAMP - (Federal Risk and Authorization Management Program)
Definition
-Security assessment, authorization, and continuous monitoring for cloud products and services used by the US federal government
-Standard approach to provider assessments (a provider authorized once can be reused by many agencies)
-Government agencies use it to decide on the feasibility of cloud-based solutions
Term
Framework
Definition
Common policies, language, methods, and procedures designed to deliver an outcome or manage a process
Term
HIPAA/HITECH
Definition
-Protect PHI (protected health information)
-Controls must be in place to secure PHI while it is collected, stored, transmitted, or processed
-Applies to any organization collecting, storing, or processing PHI (covered entities and their business associates)
-HITECH (2009) strengthened HIPAA enforcement and added breach notification requirements
Term
ISO (International Organization for Standardization)
Definition
Used as a framework to establish, monitor, report on, and improve an ISMS (Information Security Management System)
-ISO/IEC 27001 is the certifiable ISMS standard; applies to any organization type of any size
-ISO/IEC 27002 is the companion reference catalogue of security controls
-Related standards in the 27000 family cover specific goals and industries (e.g. 27017 cloud services, 27018 PII in the cloud)
Term
NIST - National Institute of Standards and technology
Definition
-Control frameworks that span industries to manage cybersecurity risk (e.g. SP 800-53 control catalogue, Cybersecurity Framework)
-Voluntary for private industry; SP 800-53 is mandatory for US federal systems under FISMA
-Part of the US Department of Commerce (not the Chamber of Commerce)
-Depth of implementation varies with the required impact level (low, moderate, high)
-Used mostly by larger organizations and government agencies
Term
NIST Cyber-Security Framework CSF
Definition
-Framework Core
-Framework Profile
-Framework Implementation Tiers
Term
NIST Security Framework
Definition
-Presidential Executive Order 13636 (2013), "Improving Critical Infrastructure Cybersecurity", directed NIST to develop the Cybersecurity Framework
Term
PCI DSS (Payment Card Industry Data Security Standard)
Definition
Protects credit card data (cardholder data)
-Level of required validation depends on how the company interacts with card data and on transaction volume
-Self-assessment questionnaires, on-site audits by a Qualified Security Assessor, quarterly external network scans by an Approved Scanning Vendor
-Applies to merchants, banks, and card processors
-Contractual industry standard, not a law
Term
Privacy Shield
Definition
-Replaced the Safe Harbor framework in 2016
-Safeguards personal data transferred between the EU and the US
-Self-certification process with the US Department of Commerce
-Enabled US companies to more easily receive personal data from the EU and comply with EU privacy law
-Invalidated by the EU Court of Justice in July 2020 (Schrems II); this card predates that decision
Term
Regulatory and Compliance Frameworks
Definition
-Sarbanes Oxley
-FedRAMP
-PCI DSS
-NIST
-SSAE-16
-HIPAA/HITECH
-ISO
-Privacy Shield
-AT-101
Term
SOX - Sarbanes Oxley
Definition
Created in 2002 to address the accounting fraud scandals at major public companies:
-Famous for securities fraud: Enron, MCI WorldCom, Tyco
-Security requirements for any systems processing financial data (access management, IT general controls, entity-level controls)
Term
SSAE-16 (Statement on Standards for Attestation Engagements No 16)
Definition
-Standard under which SOC 1 reports were issued; superseded by SSAE 18 in 2017
-Applies to service companies that process financial information or whose services impact customers' financial statements
-Not part of SOX itself, but SOC 1 reports are used to support user entities' SOX compliance
-SOX compliance is mandatory for public companies
-SOC 1 reports are reviewed by stakeholders (user entities and their auditors)
Term
Systems Hardening
Definition
-Disable Unnecessary Services
-Use Secure Protocols
-Apply the principle of least privilege
-Set up monitoring / alerts
-Establish Baselines
-Periodically audit configuration
Term
Technical Controls
Definition
-Control type implemented with hardware or software
-NIDS/NIPS
-UTM
-Firewalls, encryption, access control lists
-(Training users to recognize threats is an administrative control, not a technical one)
Term
Types of Frameworks
Definition
-Regulatory
-National vs International
-Non-Regulatory
-Industry Specific
Term
Vendor Diversity
Definition
-Utilize more than one manufacturer (e.g. different firewall vendors at the perimeter and internally)
-Reduces the impact of a vulnerability or supply-chain compromise in any single vendor's product
Term
Vendor Specific Benchmarks and Configuration Guides
Definition
Guidelines for Secure Configurations for
-Webservers
-OS
-Application Servers
-Network infrastructure Devices
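The Systems Hardening and Vendor Specific Benchmarks cards above describe a procedure: establish a baseline, disable unnecessary services, require secure protocols, and audit the configuration periodically. The following Python script is an added example (not part of the flashcard set) showing how such an audit can be automated. It parses a captured sshd_config fragment, compares running services and listening ports against a baseline, and reports drift between two snapshots taken at different times. The BASELINE values, the HARDENED_SNAPSHOT and SAMPLE_SNAPSHOT data, and all function names are constructed assumptions for illustration, loosely modelled on common benchmark checks.

```python
"""Baseline audit for systems hardening.

Added example (not from the flashcard set).  BASELINE and the two snapshots
are constructed assumptions loosely modelled on common benchmark checks;
function and key names are the example's own.
"""
from dataclasses import dataclass

# Assumed hardening baseline: services to disable, services that must run
# (logging/monitoring), required sshd settings, and legacy cleartext ports.
BASELINE = {
    "forbidden_services": {"telnet", "rsh", "tftp", "vsftpd"},
    "required_services": {"sshd", "auditd", "rsyslog"},
    "sshd": {
        "Protocol": "2",
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "X11Forwarding": "no",
    },
    "forbidden_ports": {21, 23, 69, 512, 513, 514},
}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    check: str      # short check identifier
    detail: str     # human-readable explanation


def parse_sshd_config(text):
    """Return {keyword: value} from sshd_config text.

    Comments and blank lines are skipped.  Like sshd itself, the first
    occurrence of a keyword wins, so a later weaker line cannot override it.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0], parts[1].strip())
    return settings


def audit(snapshot, baseline=BASELINE):
    """Compare one host snapshot against the baseline; return a list of Findings."""
    findings = []
    running = set(snapshot["services"])
    for svc in sorted(running & baseline["forbidden_services"]):
        findings.append(Finding("high", "unnecessary-service",
                                f"{svc} is running; disable it"))
    for svc in sorted(baseline["required_services"] - running):
        findings.append(Finding("medium", "missing-service",
                                f"{svc} is not running (logging/monitoring gap)"))
    ssh = parse_sshd_config(snapshot["sshd_config"])
    for key, want in baseline["sshd"].items():
        got = ssh.get(key)
        if got is None:
            findings.append(Finding("medium", "sshd-default",
                                    f"{key} not set explicitly; expected {want}"))
        elif got.lower() != want.lower():
            findings.append(Finding("high", "sshd-weak",
                                    f"{key}={got}; expected {want}"))
    for port in sorted(set(snapshot["listening_ports"]) & baseline["forbidden_ports"]):
        findings.append(Finding("high", "insecure-protocol",
                                f"port {port} is listening (legacy/cleartext protocol)"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def drift(previous, current):
    """Periodic audit: what changed between an established baseline snapshot
    and a later one (new services, new listening ports, changed sshd settings)."""
    before = parse_sshd_config(previous["sshd_config"])
    after = parse_sshd_config(current["sshd_config"])
    return {
        "new_services": sorted(set(current["services"]) - set(previous["services"])),
        "new_ports": sorted(set(current["listening_ports"]) - set(previous["listening_ports"])),
        "sshd_changed": {k: (before.get(k), after.get(k))
                         for k in sorted(set(before) | set(after))
                         if before.get(k) != after.get(k)},
    }


# Constructed snapshots (not captured from real hosts).
HARDENED_SNAPSHOT = {
    "services": ["sshd", "auditd", "rsyslog", "cron"],
    "listening_ports": [22],
    "sshd_config": "Protocol 2\nPermitRootLogin no\n"
                   "PasswordAuthentication no\nX11Forwarding no\n",
}
SAMPLE_SNAPSHOT = {
    "services": ["sshd", "rsyslog", "telnet", "cron"],
    "listening_ports": [22, 23],
    "sshd_config": (
        "# constructed sample: root login re-enabled, password auth commented out\n"
        "Protocol 2\n"
        "PermitRootLogin yes\n"
        "#PasswordAuthentication no\n"
        "X11Forwarding no\n"
    ),
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.check}: {f.detail}")
    print(summarize(audit(SAMPLE_SNAPSHOT)))
    print(drift(HARDENED_SNAPSHOT, SAMPLE_SNAPSHOT))
```

On the constructed SAMPLE_SNAPSHOT the audit reports five findings (telnet running, auditd missing, PermitRootLogin weakened, PasswordAuthentication left at its default, port 23 listening), and the drift check against HARDENED_SNAPSHOT pinpoints exactly which service, port, and sshd keywords changed. In practice the snapshots would come from the host (systemctl, ss, the real sshd_config) and the baseline from the vendor benchmark the organization has adopted.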
Term
NIST Framework Components
Definition
-Implementation Tiers
-Framework Core
-Profiles
Term
NIST Framework Tiers
Definition
-Partial
-Risk Informed
-Repeatable
-Adaptive
Term
NIST Framework Implementation Tiers (definition)
Definition
-They describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework by progressive levels with an increasing degree of rigor.
Term
NIST Framework Core's Functions
Definition
-Identify
-Protect
-Detect
-Respond
-Recover
Term
NIST Framework Core
Definition
-A set of desired cybersecurity activities and outcomes organized by Functions, Categories, and Subcategories

-designed to be intuitive and to act as a translation layer that enables communication between multi-disciplinary teams by using simple, non-technical language
Term
NIST Framework Profiles
Definition
-An organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes

-used to identify opportunities for improving cybersecurity posture
Term
SOC1 Report
Definition
-Issued under SSAE 18, which replaced SSAE 16, which in turn replaced SAS 70
-An audit report whose distribution is restricted to the management of the service organization, its user entities, and the user entities' auditors
-A report on controls at a service organization that are relevant to user entities' internal control over financial reporting

Needed for service companies such as:
-Payroll processors
-Medical claims processors
-Loan servicing companies
-Data center companies
-Software-as-a-Service (SaaS) companies whose services may impact the financials of their user entities
Term
SOC 2 report
Definition
-An audit report that addresses a service organization's controls relating to operations and compliance, as measured against the AICPA's Trust Services Criteria:
1. security (required; the others are included as relevant to the service)
2. availability
3. processing integrity
4. confidentiality
5. privacy
-Type I reports on control design at a point in time; Type II also tests operating effectiveness over a period