CCSP Standards (ISO, NIST, Etc.)

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Life cycle process

"1. Plan and Organize

Audit Scope Statements

"An audit scope statement offers the required level of information for the client or organization

Audit Scope Restrictions

"Audit Scope Restrictions

COBIT 5.0:

"COBIT 5.0:

CSA Star

"Created to establish a "first step" in displaying transparency and assurance for cloud-based environments. In an effort to ensure adoption and use throughout the cloud-computing industry, the CSA made the STAR a publicly available and accessible registry that provides a mechanism for users to assess the security of the cloud security provider.

Define an ISMS policy.

"Define an ISMS policy.

"

"EU Data Protection Directive Features:

Health Insurance Portability and Accountability Act (HIPAA)

"HIPAA (U.S. Act) sets out the requirements of the Department of Health and Human

ISO 27002 includes:

"ISO 27002 includes:

ITIL Benefits:

"ITIL Benefits:

Important FISMA Features:

"Important FISMA Features:

Important HIPAA Features:

"Important HIPAA Features:

Important HITECH Features:

"Important HITECH Features:

Audit Scope

"It provides both an independent and an objective review of overall adherence or effectiveness of processes and controls.

Key SLA Elements

"Key SLA Elements

SOX (Sarbanes-Oxley Act)

"Requires companies to review internal control and take responsibility for the accuracy and completeness of their financial reports. SOX is U.S. legislation enacted to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. SOX is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be

SABSA

"SABSA

the Stored Communications Act (SCA)

"SCA was enacted in the United States in 1986 as part of the Electronic Communications

Sarbanes-Oxley Act (SOX).

"SOX is U.S. legislation enacted to protect shareholders and the general public from

FIPS Level One

"Security Level 1: The lowest level of security. To meet Level 1 requirements,

FIPS Level Two

"Security Level 2: Enhances the required physical security mechanisms listed

FIPS Level Three

"Security Level 3: Looks to develop the basis of Level 1 and Level 2 to include preventing

FIPS Level Four

"Security Level 4: Represents the highest rating. Security Level 4 provides the

SP 800-53

"Security and controls for federal systems. The primary goal and objective of the 800-5323 standard is to ensure that appropriate security requirements and security controls are applied to all U.S. federal government information and information management systems.

TOGAF

"TOGAF

the Gramm-Leach-Bliley Act (GLBA)

"The GLBA (aka the Financial Modernization Act of 1999) is a federal law enacted in the

ISO IEC 27001:2013

"The standard provides "established guidelines and general principles for initiating, implementing,

ENISA

"You could think of European Union Agency for Network and Information Security (ENISA) as a European counterpart to NIST. It is a standard and model developed in Europe. While it is international in nature within the confines of Europe, it is not as globally accepted in the way ISO standards are.

ISO 28000:2007

"a set of requirements for a supply chain security management system that includes aspects of financing, manufacturing, information systems, and the facilities for packing, storing, and transferring goods between modes of transportation and locations.

SOC 3 Report

- SOC 3 reports are very similar in approach and substance to SOC 2 reports, but they are designed for general use and do not contain any sensitive information.

SABSA

...is a framework and methodology for enterprise security architecture and service management. It provides a life-cycle model so that the architecture can be constantly monitored and improved upon over time.

Six Sigma

...is a process improvement methodology. It is the "new and improved"

Zachman framework

...is a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer, and Worker) to give a holistic understanding of the enterprise.

ITIL

...is the de facto standard of best practices for IT service management. It was created because of the increased dependence on information technology to meet business needs.

Capability Maturity Model Integration (CMMI)

...is to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes and security posture.

bottom-up approach

...refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction.

TOGAF

...which has its origins in the U.S. Department of Defense. It provides an approach to design, implement, and govern an enterprise information architecture. Can be used with Business, Data, Applications and Technology Architecture

Wassenaar Arrangement

41 countries, military

Checksum

A checksum is the output of an algorithm processing a cryptographic hashing function against a piece of data or a file. The same algorithm can be run against a file at another time and compared to the original, known, true value to determine if the file has been altered at all from its original and correct state. Using a checksum is an easy and quick way to determine if a file has been altered or tampered with in any way.

Cloud Controls Matrix (CCM)

A list of security controls and principles appropriate for the cloud environment, cross-referenced to other control frameworks such as COBIT, ISO standards, and NIST pubs. You can download a copy of the current CCM from CSA at

PaaS (Platform as a Service)

A method that enables infrastructure and tools from the service provider so that the client does not need to manage them. With PaaS offering a full platform and framework, and just needing application code and data to function, auto-scaling is a prominent feature of the service category, and it's typically the service category being discussed with the topic.

IaaS (Infrastructure as a Service)

A method that provides network resources such as for storage and allow the client can deploy software and add network components such as firewalls. Most expensive

PLA (Privacy level agreement)

A privacy level agreement, or PLA, would set out in contractual terms how a third party provider will ensure that the information it hosts will not be seen by the wrong sets of eyes.

Consensus Assessments Initiative Questionnaire (CAIQ

A self-assessment performed by cloud providers, detailing their evaluation of the practice areas and control groups they use in providing their services

ISO/IEC 27034

Application security

ITAR

Arms export restrictions state department

APEC

Asia pacific Economic Cooperation Council

APP 11

Austalian - PII security

APP8

Australian - cross border PII

BS7799

BS7799 was created in 1995, by the British Standards Institution (BSI), as a standard to guide the development and implementation of an Information Security Management System, commonly known as an ISMS.

NIST SP 800-14

Baseline to establish and review IT security programs

ISO/IEC 27031

Business continuity

Corporate Governance

COSO

NIST SP 800-53

Catalog of baseline security and privacy controls for RMF. (53A = assessment guidelines)

ISO/IEC 15408-1:2009

Certificate test for assurance framework

ISO/IEC 27006

Certification body requirements

CCSM

Cloud Certification Schemes Metaframework

CAMP

Cloud application management platforms (CAMPs) are a set of specifications designed to ease management of applications, including packaging and deployment across public and private cloud platforms.

Security Controls Development

CobiT (Control Objectives for Information and Related Technology)

ISO/IEC 27002

Code of practice for information security controls

ISO/IEC 27002

Code of practice for information security management (recommendation of security control)

Confidentiality

Confidentiality pertains to the protection of sensitive information from disclosure to unauthorized parties, either through accidental disclosure or by the actions of malicious actors. It has a second component that is related to ensuring that data is available to authorized parties and provisioned for appropriate access.

NIST 800-37 Step 4

Continuous Monitoring Phase - ongoing security of the system is verified.

8 step in risk analysis process

Control Recommendations

4 step in risk analysis process

Control analysis

ITIL Service Operation

Covers IT operations control.

ISO/IEC 27032

Cybersecurity

TOGAF

Defacto standard for enterprise architecture. Develops and maintains the togaf standard and publishes successive versions at regular intervals.

Jerico Forum

Defines security capabilities that arise from the reality of the traditional in the data center technology environments (Security & Risk management)

NIST SP 800-145

Definition of cloud computing

ITIL Service Transition

Describes taking new projects and making them operational.

OCTAVE

Describes three phase process for managing risk. 1. ID staff knowledge, assets and threats. 2. ID vulnerabilities and evaluate safeguards. 3. Conduct risk analysis and develop risk mitigation strategy.

ITIL Continual Service Improvement

Describes ways to improve existing IT services.

ITIL Service Design

Details the infrastructure and architecture required to deliver IT services.

ISO/IEC 27037

Digital evidence collection and preservation

ENISA

European 2009 RMF - (like US ) 35 org risks and Top8: loss govrn, lockin, isloate fail, complaince, mgmnt interface, data protect, incomplete delete, bad insider.

EAR

Exports department converse

FedRAMP

FedRAMP is a government-wide program that provides for a standardized approach to security assessments, authorization, and continuous monitoring of cloud products and services. FedRAMP certification can be quite costly and difficult to achieve but is required if you want to host a U.S. government agency or subcontractor.

NIST FIPS 140-2

Four levels of security based on crypto levels. Level 1 (lowest) though Level 4 (highest)

ISO/IEC 27001:2013

Framework of domains for formal risk assessment program that defines an ISMS. (It is widely used) infosec policy, organization, human, asset, access, crypto, physical/environmental, ops, comms, acquisition/dev/maint, supplier, incident management, BC, compliance.

ISO/IEC 27008

Guidance for auditors

NIST SP 800-37, Rev. 1

Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach. Large collection of security publications

NIST 800-37

Guide for Security Certification and Accreditation of Federal Information Systems.

NIST 800 122

Guide to protecting PII

NIST SP 800-125

Guide to security for full virtualization technologies, (and 125B is security virtual network configuratins for VMs)

ISO/IEC 27003

Guideline for ISMS implementation

ISO/IEC 27031

Guideline for information and communications technology readiness for business continuity

ISO 27799

Guideline for information security management in health organizations

ISO/IEC 27004

Guideline for information security management measurement and metrics framework

ISO/IEC 27005

Guideline for information security risk management

ISO/IEC 27033-1

Guideline for network security

ISO/IEC 27006

Guidelines for bodies providing audit and certification of information security management systems

ITIL Service Strategy

Helps IT provide services

ISO/IEC 27007

ISMS auditing

ISO/IEC 27003

ISMS implementation

ISO/IEC 27001

ISMS requirements

ISO/IEC 27001

ISMS requirements (systematic approach to managing and securing company information)

ISO 14443: Smart card standardizations

ISO 14443: Smart card standardizations

ISO 15408: Common Criteria

ISO 15408: Common Criteria

ISO 22301: BCM - Business continuity

ISO 22301: BCM - Business continuity

ISO 27000: ISMS-Overview and Vocabulary

ISO 27000: ISMS-Overview and Vocabulary

ISO 27001: ISMS-Requirement

ISO 27001: ISMS-Requirement

ISO 27002: Code of practice

ISO 27002: Code of practice

ISO 27003: ISMS implementation

ISO 27003: ISMS implementation

ISO 27004: Measurement and metrics framework

ISO 27004: Measurement and metrics framework

ISO 27005: Risk management

ISO 27005: Risk management

ISO 27006: Certification body requirements

ISO 27006: Certification body requirements

ISO 27007: ISMS-Auditing

ISO 27007: ISMS-Auditing

ISO 27008: Information Security Control

ISO 27008: Information Security Control

ISO 27011: ISMS guideline telecom organization

ISO 27011: ISMS guideline telecom organization

ISO 27014: Governance of information security

ISO 27014: Governance of information security

ISO 27017: Use of cloud services

ISO 27017: Use of cloud services

ISO 27018: Cloud privacy protection overview

ISO 27018: Cloud privacy protection overview

ISO 27031: Communications technology readiness for business continuity

ISO 27031: Communications technology readiness for business continuity

ISO 27032: Cyber Security Resilience

ISO 27032: Cyber Security Resilience

ISO 27034: Security applications

ISO 27034: Security applications

ISO 27035: Security incident management

ISO 27035: Security incident management

ISO 27037: Covers identifying, gathering, and preserving digital evidence.

ISO 27037: Covers identifying, gathering, and preserving digital evidence.

ISO 27799: Directives on protecting personal health information

ISO 27799: Directives on protecting personal health information

ISO 28000: Supply Chain Management

ISO 28000: Supply Chain Management

ISO 31000: Risk Management Framework

ISO 31000: Risk Management Framework

ISO 42010: Systems and Software Engineering Architecture description

ISO 42010: Systems and Software Engineering Architecture description

ISO 7498: OSI Model

ISO 7498: OSI Model

IT Infrastructure Library (ITIL)

IT Infrastructure Library (ITIL) - service strategy, service design, service transition, service operations, and continuous service improvement. Processes to allow for IT service management developed by the United Kingdom's Office of Government Commerce

Process Management

ITIL

6 step in risk analysis process

Impact Analysis

contract

In the event of any litigation, either against the cloud customer's systems or services or against the cloud provider, the contract should clearly document the responsibilities and duties of each party as far as communication and compliance.

ISO/IEC 27035

Incident management

ISO/IEC 27004

Information Security Measurements

ISO/IEC 27014

Information security governance

ISO/IEC 27011

Information security management guidelines for telecommunications organizations

NIST 800-37 Step 1

Initiation Phase - IS and risk mitigation plan is researched.

CobiT

It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

NIST SP 800-53

Its primary goal and objective is to ensure that appropriate security requirements and security controls are applied to all U.S. Federal Government information and information management systems.

CSA Star Level One:

Level One: Self-Assessment Requires the release and publication of due diligence assessments against the CSA's Consensus Assessment Initiative Questionnaire and/or Cloud Matrix (CCM)

CSA Star Level Three:

Level Three: CSA STAR Continuous Monitoring Requires the release and publication of results related to the security properties of monitoring based on the CloudTrust Protocol

CSA Star Level Two:

Level Two: CSA STAR Attestation Requires the release and publication of available results of an assessment carried out by an independent third party based on CSA CCM and ISO 27001:2013 or an AICPA SOC 3

5 step in risk analysis process

Likelihood Determination

ITIL (Information Technology Infrastructure Library)

Literally a library of open source issues that align to business processes

FIPS 200

Minimum security requirements

NIST 100 IS Handbook

NIST 100 IS Handbook

NIST 115 IS Security Testing and Assessment

NIST 115 IS Security Testing and Assessment

NIST 119 Guidelines for Secure Deployment of IPv6

NIST 119 Guidelines for Secure Deployment of IPv7

NIST 12 Handbook Intro to Computer Security

NIST 12 Handbook Intro to Computer Security

NIST 122 Protect PII

NIST 122 Protect PII

NIST 13 Telecomm Security Guidelines for Telecomm Mgmt. Network

NIST 13 Telecomm Security Guidelines for Telecomm Mgmt. Network

NIST 137 Information Security Continuous Monitoring (ISCM)

NIST 137 Information Security Continuous Monitoring (ISCM)

NIST 14 Generally Accepted Principles and Practices Securing Information

NIST 14 Generally Accepted Principles and Practices Securing Information

NIST 145 Cloud computing

NIST 145 Cloud computing

NIST 18 AUP / Rules of Behavior

NIST 18 AUP / Rules of Behavior

NIST 30 Risk Management/Assessments

NIST 30 Risk Management/Assessments

NIST 34 Contingency Planning

NIST 34 Contingency Planning

NIST 37 Risk Management Framework

NIST 37 Risk Management Framework

NIST 40 Creating a Patch and Vulnerability Management Program

NIST 40 Creating a Patch and Vulnerability Management Program

NIST 41 Guidelines on Firewalls and Firewall Policy

NIST 41 Guidelines on Firewalls and Firewall Policy

NIST 44 Guidelines on Securing Public Web Servers

NIST 44 Guidelines on Securing Public Web Servers

NIST 45 Guidelines on Electronic Mail Security

NIST 45 Guidelines on Electronic Mail Security

NIST 47 Security Guide for Interconnecting IT Systems

NIST 47 Security Guide for Interconnecting IT Systems

NIST 48 Guide to Securing Legacy IEEE 802.11 Wireless Networks

NIST 48 Guide to Securing Legacy IEEE 802.11 Wireless Networks

NIST 50 Building an IT Security Awareness and Training Program

NIST 50 Building an IT Security Awareness and Training Program

NIST 53 Security and Privacy Controls for Federal Information Systems

NIST 53 Security and Privacy Controls for Federal Information Systems

NIST 54 Border Gateway Protocol Security

NIST 54 Border Gateway Protocol Security

NIST 55 Security metrics IS

NIST 55 Security metrics IS

NIST 57 Recommendation for Key Management

NIST 57 Recommendation for Key Management

NIST 60 Guide for Mapping Types of Information and Information

NIST 60 Guide for Mapping Types of Information and Information

NIST 61 Computer Security Incident Handling

NIST 61 Computer Security Incident Handling

NIST 63 Electronic Authentication

NIST 63 Electronic Authentication

NIST 64 Security Considerations in SDLC

NIST 64 Security Considerations in SDLC

NIST 66 Healthcare privacy issues

NIST 66 Healthcare privacy issues

NIST 800-123

NIST 800-123, titled Guided to General Server Security, assists organizations in understanding the fundamental activities performed as part of securing and maintaining the servers that provide services over network communications as a main function.

NIST 800-53r4

NIST 800-53r4 describes ways to ensure the proper application of appropriate security requirements and security controls to all U.S. federal government information and information management. The others are legitimate NIST documents with different purposes.

NIST 82 Guide to Industrial Control Systems (ICS) Security

NIST 82 Guide to Industrial Control Systems (ICS) Security

NIST 83 Guide to Malware Incident Prevention and Handling

NIST 83 Guide to Malware Incident Prevention and Handling

NIST 86 Guide to Integrating Forensic Techniques into IR

NIST 86 Guide to Integrating Forensic Techniques into IR

NIST 86 Guide to Integrating Forensic Techniques into Incident Response

NIST 86 Guide to Integrating Forensic Techniques into Incident Response

NIST 88 Media Sanitization

NIST 88 Media Sanitization

NIST 94 IDS/1PS

NIST 94 IDS/1PS

SP 800-53

NIST Standard that controls that agencies need to put into place to be compliant with the Federal Information Security Management Act of 2002. The control categories (families) are the management, operational, and technical controls prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

ISO/IEC 27033

Network Security

ISO/IEC 27034-1

ONF, ANF. And APSM (app security)

ISO/IEC 27001:2005

Old - outlines steps to create an ISMS (information security management system)

SCA stored communication act

Old, part of the electronic communications privacy act of 1986, update wiretap and computer fraud and abuse act

ISO/IEC 27000

Overview and vocabulary

ISO/IEC 27018

Practices for protection of PII in public clouds

FIPS 140-2

Primary goal is to accredit and distinguish secure and well-architect-ed cryptographic modules produced by private sector vendors who seek to have their solutions and services certified for use in regulated industries that collect, store, transfer, or share data that is deemed to be "sensitive" but not classified.

Sabsa

Proven framework and methodology used successfully around the glob e to meet a wide variety of enterprise needs including risk management, information assurance, governance and continuity management. Makes sure security is first. Enableg other existing standards to be integrated.

ISO 31000:2009

Provides an international standard for risk management as well as a generic approach to risk management applicable within any industry sector.

NIST SP 800-39

RISK ASSESSMENT Managing risk from Information Systems. Structured but flexible guidelines and flagship for FISMA pubs. FARM=Frame Assess Respond Monitor. Three tiers of risk 1) Org/Govern [strategic] 2) Mission/BP 3) infosys/ops [tactical]

NIST SP 800-37

RISK MANAGEMENT FRAMEWORK. Management is consistent with objectives/strategy. Integrated into SDLC. STart with FIPS 199 and SP 800-60. SLC = Categorize, Select, Implement, Assess, Authorize, Monitor

ISO/IEC 17789 : 2014

ROLES! Cloud computing refrence architecture: roles, activities, functional components and relationships

NIST SP 800-146

Recommendations for cloud computing

9 step in risk analysis process

Results Documentation

7 step in risk analysis process

Risk Determination

NIST 800-30

Risk Management Guide for Information Technology

CSA Cloud Controls Matrix

Risk Management Rool. List of controls to get assurance from provider

ISO/IEC 31000:2009

Risk Management guide and framework (RMF) to design and implement a risk management program. 11 principles. Protect value, all aspects of organization, part of all org decisions, RM mitigates uncertainty, integrated efficiently with processes, uses accurate data, tailored to business needs, include human elements, transparent, flexible, continual improvements.

Security Enterprise Architecture Development

SABSA model (Sherwood Applied Business Security Architecture)

Secure KVM

Secure data port, tamper label, fixed firmware, Souder circuits, reduce buffers, airgap buttons

NIST 800-37 Step 3

Security Accreditation Phase - Decision to accept the risk is made and documented by the approving authority.

NIST 800-37 Step 2

Security Certification Phase - security of the system is assessed and documented.

SABSA (Sherwood business Security Architecture)

Security capabilities from a business perspective

SOC 2

Security is mandatory. SOC 2 reports are relevant to a user entity's internal controls over the five security principles of Security, Processing Integrity, Availability, Confidentiality, and Privacy.

Sherwood Applied Business Security Architecture (SABSA) Framework

Sherwood Applied Business Security Architecture (SABSA) Framework - Chain of traceability

Six Sigma

Six Sigma: Business management strategy that can be used to carry out process improvement

ISO/IEC 27001

Specifies requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system

Payment Card Industry Data Security Standard (PCI DSS)

Standard for Payment Card Industry (Not a US Law). PCI DSS allows for cardholder information at rest to be secured with either tokenization or encryption, but the use of one is mandatory.

FIPS 140-2

Standard for cryptography of hardware and software. (Cloud and non-cloud) Levels 1-4 (1-lowest, 4-Highest)

ISO/IEC 27050:2016

Standard for eDiscovery processes and best practices. Process = identification, preservation, collection, processing, reviwe, analysis, and production. Data is produced, stored, shared, and destroyed.

ISO/IEC Common Criteria standard 15408

Standard of EAL (evaluation assurance levels) for organizations to make PP (protection profile) claims for their SFRs (sec functional reqs) and SARs (sec assurance reqs). EAL1= function test EAL2= structurally EAL3= methodically ... EAL7 = Formally verified design and tested

ISO/IEC 27017 :2015

Standards for information security controls which influences other regulations

ISO/IEC 28000 :2007

Supply chain

1 step in risk analysis process

System Characterization

TOGAF

TOGAF: Model and methodology for the development of enterprise architectures developed by The Open Group

ISO/IEC 27011

Telecommunications organizations

ISO/IEC 17788:2014

Terms and definitions for cloud computing

MODAF

The British Ministry of Defence Architecture Framework (MODAF) is an architecture framework which defines a standardised way of conducting enterprise architecture, originally developed by the UK Ministry of Defence.

Capability Maturity Model Integration (CMMI)

The Capability Maturity Model Integration (CMMI) is a process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks in software, product and service development.

DoDAF

The Department of Defense Architecture Framework (DoDAF) is an architecture framework for the United States Department of Defense (DoD) that provides visualization infrastructure for specific stakeholders concerns through viewpoints organized by various views.

The European Union Data Protection Regulation of 2012 (EUGDP 2012)

The European Union Data Protection Regulation of 2012 (EUGDP 2012) introduced significant changes for data processors and controllers operating in and across the EU. Some of those changes included the concept of consent, transfers abroad, the right to be forgotten, establishment of the data protection officer, home state regulation, and increased sanctions.

FISMA

The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law part of the Electronic Government Act of 2002.

the Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States.

ISO 27001

The ISO 27001 defines the cycle of the information security management system ISMS as PCDA: Plan-Do-Check-Act.

ITIL

The Information Technology Infrastructure Library (ITIL) is a set of practices that focus on aligning IT services with business needs. Information Technology operation and support (ITOS)

SOC 2 Report

The SOC 2 reports are composed of five principles: confidentiality, processing integrity, availability, privacy, and security. If a principle other than security is desired, the security principle must also be included, as it is required for all reports.

DoDAF

The focus of the architecture framework is on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and processes. It is not only important that these different devices communicate using the same protocol types and interoperable software components, but also that they use the same data elements.

top-down approach

The initiation, support, and direction come from top management; work their way through middle management; and then reach staff members.

2 step in risk analysis process

Threat Identification

Total Quality Management (TQM)

Total Quality Management (TQM) that hit the business sector in the 1980s. Was was developed by Motorola with the goal of identifying and removing defects in its manufacturing processes.

COSO

Treadway Commission in 1985 to deal with fraudulent financial activities and reporting. Control environment, risk assessment, control activities, information, communication and monitoring

COBIT (Control Objectives for Information and related Technology)

Used to help management align business goals with info tech and better managed risk. Established common ways using common terminology and to adapt to support business needs

3 step in risk analysis process

Vulnerability Identification

certifications

With a cloud customer having very limited insight into the configuration and operational practices of a cloud provider, certifications are often used to provide assurances that standards are being met, as well as specifics in regard to minimum settings and protection standards. With certification programs publishing publicly available standards and frameworks, having an independently verified audit to show adherence can provide a cloud customer with confidence in the cloud provider's practices; this can also serve as a means of compliance with their own regulations.

SaaS (Software as a Service)

Within a Software as a Service (SaaS) implementation, cloud customers are acquiring and paying for services that are explicitly tied to the use of a fully operational application package that is completely designed, maintained, and implemented by the cloud provider. Billing is often measured based on the number of users or the number of transactions the organization does with the application, rather than traditional computing resources associated with other service categories.Software as a Service (SaaS) solution will typically have the highest startup and licensing costs, as the customer is buying a fully developed, integrated, secured, and production-ready software application.

Zachman Framework

Zachman Framework - not specific to security architecture

Enterprise Architecture Development

Zachman framework

gap analysis

a marketing research method that measures the difference between a customer's expectation of a service quality and what actually occurred

Elasticity

a measure of the responsiveness of quantity demanded or quantity supplied to a change in one of its determinants

Safe Harbor Program

a private self-regulating policy and enforcement mechanism that meets the objectives of government regulators and legislation but does not involve government regulation or enforcement

Advanced Persistent Threat (APT)

a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments

On-demand self-service

consumers can obtain computing capabilities such as server time or network storage as needed automatically on their own

COBIT 5 (2012)

control objectives for information and related technologies. Global. By ISACA (info systm audit and control assoc)

MODAF

crux of the framework is to be able to get data in the right format to the right people as soon as possible. Data needs to be captured and properly presented so that decision makers understand complex issues quickly, which allows for fast and hopefully accurate decisions.

Ediscovery

e Discovery is the process that requires searching, identifying, collecting, and securing electronic data or records, typically to be used for criminal or civil legal matters. It is similar to the discovery process typically used for evidence collection or document production in the course of a legal inquiry, just specifically focused on electronic records and the particular needs and processes required for them.

Plan - Do - Check - Act (PDCA)

establishing objectives and making plans implementation of the plans measuring results to understand if objectives are met direction on how to correct and improve plans to better achieve success

ISO/IEC 27015

financial sector

ISO/IEC 27799

health organizations

The Cloud Certification Schemes List (CCSL)

provides an overview of different existing certification schemes. It describes the main characteristics relevant to cloud computing and cloud computing customers. It also attempts to answer questions such as the following in an effort to provide the customer with adequate knowledge in order to make a well-informed decision about a cloud provider:

Common criteria assurance framework (ISO/IEC 15408-1:2009)

yet another international standard designed to provide assurances for security claims by vendors. It establishes a common criterion for evaluating those items.


Kaugnay na mga set ng pag-aaral

medical termonolgy midterm chp 2

View Set

CH10 Designing Adaptive Organizations

View Set

AWS Solutions Architect Associate

View Set

Vocabulary: Unit 1 Synonyms & Antonyms- 9th Grade

View Set

Module 2: Budgets, Financial Goals, & Student Loan Debt

View Set