Cysa Lesson 5 - Compliance and Assessment
"Data at rest"
"Data at rest" is a state describing data in storage, for example files on a hard disk drive or records in a database. Encrypting the disk, volume, or file protects the data while it is in this state.
"Data in use"
"Data in use" is a state describing data present in volatile memory, such as system RAM or CPU registers and cache. Data is usually decrypted as it moves from disk to memory.
A company determined that their data center is worth about $500,000 in assets and data from its customers. Every so often, they are hit with a security incident where the single loss expectancy (SLE) totals about $25,000. If management determines that these instances may occur once a month next year, what will be the calculated annual rate of occurrence when calculating the annual loss expectancy (ALE)?
*12*
An encrypted hard drive disk (HDD) in storage describes data _____.
*At Rest*
code of conduct
A code of conduct policy outlines user and administrator expectations. For example, administrators are expected to protect the confidentiality and integrity of personal account credentials.
Data Loss Prevention (DLP)
A data loss prevention (DLP) endpoint agent enforces policies on the client computers, even when they are not connected to the network. A DLP network agent scans communications at the network border and interfaces with web servers to monitor file access and use, and with messaging servers to monitor file sharing in messages.
non-disclosure agreement (NDA)
A non-disclosure agreement (NDA) is a non-technical security control representing the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies.
password policy
A password policy instructs users on best practices for creating and maintaining passwords. A password should be long enough, and complex enough, to resist brute-force and other commonly used password-guessing attacks.
A physical security control
A physical security control may include an alarm system, like one that alerts the local fire department of a building fire.
A social DRM
Social DRM involves encoding a watermark into the media file. If the file is posted to a file sharing site, search tools can track the media file and the company can take appropriate action.
GPS Location sharing to access data
An application that requires Global Positioning System (GPS) location sharing may refuse to process or download data to a smartphone that is located outside the jurisdiction of the service provider.
A systems assessment
An assessment identifies and prioritizes business processes or workflows. A systems assessment determines which IT assets and procedures support these workflows. Risk identification takes place within the assess component.
An audit policy
An audit policy, like ones provided by Microsoft, includes options to track account log-on and management events, object access, and changes to system security and integrity.
authorized *media* players
An authorized media player is a physical device, like a game console or television, that is permitted to play the media file.
A movie producer shares a sample clip of a movie trailer to a few users for review. The company has a custom application to review and provide feedback on the clip. Which type of protection does the company apply to the distribution of movie trailers?
An authorized viewer
Asset value (AV)
Asset value (AV) is the direct (monetary) cost of a product or solution. In a quantitative risk calculation, the asset value sets the magnitude of a potential loss; it is multiplied by the exposure factor (EF) to give the single loss expectancy (SLE).
An identity and access management tool reported an unknown local account on a Windows server. An administrator checked the local users and confirmed the existence of the account. How can the administrator find out if the local account was used previously?
Check the security logs. Verify data owners.
Classified
Classified documents are also known as private, internal-use-only, or official-use-only data. Viewing is restricted to authorized persons in the organization and to third parties under a non-disclosure agreement (NDA).
Which of the following are examples of data sovereignty?
Cloud application requires GPS location sharing; Local admins cannot process data overseas
Which company policy lists expectations for how IT admins should handle their elevated access?
Code of conduct
Traditional elements of a password policy not only make it secure, but also make it difficult for users to access resources locally or over the network. The National Institute of Standards and Technology (NIST) has updated their special publication (SP) 800 guidelines to balance security and user account manageability. Which element changes support this capability? Select all that apply.
Complexity rules should not be enforced; Aging policies should not be enforced
The IT team received the latest report from the identity and access management (IAM) application. An administrator is now reviewing the security logs of a Windows server. Analyze the scenario to determine why the admin is reviewing the logs.
Confirm last login attempts.
A U.S. manufacturing company is moving its IT infrastructure to the cloud. The cloud service provider (CSP) is touting 99% uptime and on-demand storage capacity. What can the manufacturing company require of the CSP in order to ensure the data is only accessible in the U.S.?
Constraint-based access; Choice of data center
Continuous security monitoring (CSM)
Continuous security monitoring (CSM) is a process of continual risk reassessment. Rather than an ad hoc process driven by incident response, CSM is an ongoing effort to obtain information vital in managing risk within the organization.
Watermarking
DLP solutions do not encode watermarks into files. Watermarking is a digital marking, visible or invisible, encoded into a file or video so that copies can be traced to their source, attempts to remove the file from official channels can be detected, and the file can be located if it is released on a file sharing site.
Data masking
Data masking is a technical security control. All or part of the contents of a field are redacted, for example by substituting each character with an "x" so that only the last few digits of an account number are displayed.
Which non-technical security control affects data retention policies?
Data minimization
Data minimization
Data minimization is the principle that data should only be processed and stored if it is necessary to perform the purpose for which it is collected.
Data retention standards
Data retention standards are a non-technical control. They include policies that state when and how to dispose of different types of data; for example, regulated data may require long-term retention.
Data sovereignty
Data sovereignty refers to a jurisdiction preventing, or restricting, processing and storage from taking place on systems that do not physically reside within the jurisdiction.
When caring for the quality of the data, identify the person who labels and stores data in a format applicable to laws and regulations.
Data steward
Deidentification
Deidentification is a technical security control. It is the process by which the Personally Identifiable Information (PII) in a dataset is removed or replaced so that records can no longer be linked to an individual.
When ensuring an application can protect the privacy of patient health information, as described in the Health Insurance Portability and Accountability Act (HIPAA), what process would prove its usefulness?
Evaluation process
Exposure factor (EF)
Exposure factor (EF) is the percentage of the asset's value that would be lost in a single incident. In a quantitative risk calculation it is multiplied by the asset value (AV) to give the single loss expectancy (SLE); how often the risk is expected to occur is a separate figure, the annual rate of occurrence (ARO).
A hospital runs proprietary software to automate patient health information and billing. Software developers also keep copies of each iteration of the code in case of a disaster. Determine which other reason would apply to keeping different copies of the code.
For version control
Select the components that make up the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Implementation tiers; Core; Profiles
authorized *viewer*
In a digital rights management (DRM) solution, an authorized viewer refers to a viewing application, like a specific media player that can play the clip. The company's custom application has the authorized viewing application built-in.
Which of the following statements about continuous security monitoring are true?
It is a process of continual risk assessment. It involves a routine audit of rights and privileges.
Jurisdiction (related to data)
Jurisdiction refers to data sovereignty where data processing may have storage and legal restrictions based on geographic location.
The organization is switching to a risk-based framework to better understand its current cybersecurity posture and improve it. Following the NIST Cybersecurity Framework as a template, how can framework profiles support the company's security goals?
List target cybersecurity outcomes.
According to National Institute of Standards and Technology Special Publication (NIST SP) 800-39, the risk identification process consists of which of the following? Select all that apply.
Mitigation through security controls; Prioritization of systems; Evaluation of any changes; Risk framework establishment
In the military, data confidentiality is divided into different levels, classified with different labels. The military often consults with third parties to understand which IT solutions can support their missions. Under which data classification would the military be able to provide electronic documents to third-parties under a non-disclosure agreement (NDA)?
Official use only; Restricted
When creating a risk assessment process, which of the following physical security controls must a company consider for a data center warehouse? Select all that apply.
Parking lights; Fire alarm
A central data loss prevention (DLP) application has been operating at the network edge. Administrators are now installing endpoint agents on the workstations. What protection does this action provide for the company?
Prevention of copying data to a USB flash drive
Which of the following is a non-technical security control?
Purpose limitation; Non-disclosure agreement; Retention standards
Purpose limitation
Purpose limitation is a non-technical control used in privacy regulations. Personal data may only be used for the purpose for which it was collected, which restricts an organization's ability to transfer the data to third parties or reuse it for a new purpose without consent. Consent statements must be tracked to keep data usage in compliance.
Recovery point objective (RPO)
Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time.
Recovery time objective (RTO)
Recovery time objective (RTO) is the period following a disaster that an individual IT system may remain offline. This is the amount of time it takes to identify that there is a problem and then perform recovery.
A military unit is working with a vendor to gather information about an IT security solution to monitor their network. The vendor is requesting documentation about the environment to make a proper assessment. Which types of data may the military allow a vendor to review under a non-disclosure agreement (NDA)?
Restricted; Official use only
Restricted
Restricted or confidential documents are highly sensitive. They are approved for viewing only by approved persons in the organization, and possibly by trusted third parties under an NDA.
There has been an increase in external intrusions, ranging from denial of service attacks to malicious software installation at a local company. Using a limited budget, management is trying to decide on deploying a network or host-based intrusion prevention solution. Which of the following will be the deciding factor if they make their decision solely based on cost of operations?
Return on security investment
Return on security investment (ROSI)
Return on security investment (ROSI) compares the cost of a control with the reduction in annual loss expectancy (ALE) it produces. The control's operational cost, and the operational cost of the incidents it prevents or shortens (including how quickly they are resolved), both feed into that comparison.
Secret
Secret documentation is too valuable to allow any risk of its capture. This is strictly for persons within the military.
A data retention policy may include which of the following types of factors?
Short term; Dates; Redundancy
Single loss expectancy (SLE)
Single loss expectancy (SLE) is the product of an AV and EF. This is the quantitative risk result.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance on a variety of governance-related topics including fraud, controls, finance, and ethics.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) requires federal organizations to adopt information assurance controls.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) institutes requirements that protect the privacy of individuals' financial information held by financial institutions and other groups, such as tax preparation companies.
The NIST guidelines for passwords
The NIST guidelines (SP 800-63B) suggest not enforcing aging (periodic change) policies or complexity rules, accepting lengthy passwords of at least 64 characters with a minimum of 8, screening new passwords against lists of known compromised or common passwords, and supporting smart cards or other multifactor authenticators.
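A password verifier that applies the rules summarized in the two NIST password cards above (minimum 8 characters, at least 64 accepted, no complexity or aging rules, screening against a blocklist), as an added example that is not part of the original card set. The blocklist entries, the `MIN_LEN`/`MAX_LEN` constants and the `check_password` function name are this example's own assumptions:

```python
"""Added example (not from the original card set): a password verifier that
applies the NIST SP 800-63B memorized-secret rules the cards summarize.

Rules implemented:
  * length: at least 8 characters; the verifier accepts up to 64
  * no composition (complexity) rules and no expiry/aging check
  * screen the candidate against a blocklist of known-compromised or
    context-specific values (the list below is constructed for the example)
  * count Unicode characters (after NFKC normalization), not bytes
"""
import unicodedata

MIN_LEN = 8
MAX_LEN = 64  # 800-63B requires accepting at least 64; this verifier stores exactly that

# Constructed blocklist: a few entries standing in for a breached-password feed
# plus context-specific words (the organization name, product names).
BLOCKLIST = {"password", "password1", "qwerty123", "letmein!", "acmecorp2024"}


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str, username: str = "") -> tuple[bool, str]:
    """Return (accepted, reason). Only length and blocklist rules apply;
    there are deliberately no complexity or aging rules."""
    secret = normalize(candidate)
    n = len(secret)  # characters, not bytes: "pässwörd" counts as 8
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN})"
    if n > MAX_LEN:
        return False, f"longer than the {MAX_LEN} characters this verifier accepts"
    lowered = secret.lower()
    if lowered in BLOCKLIST:
        return False, "appears on the compromised/common password blocklist"
    if username and username.lower() in lowered:
        return False, "contains the username"
    # 800-63B lists repetitive or sequential strings among blocklist candidates
    if len(set(secret)) == 1:
        return False, "single repeated character"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["short", "Password1", "correct horse battery staple", "pässwörd"]:
        print(f"{pw!r}: {check_password(pw)}")
```

Because the only rejections are length and blocklist hits, a long passphrase made of lowercase words passes while a short "complex" value that appears in a breach list does not, which is the behaviour change the cards describe.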
(NIST) Cybersecurity Framework
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is risk-based and includes the framework core, implementation tiers, and framework profiles. The framework core identifies five cybersecurity functions (Identify, Protect, Detect, Respond, and Recover).
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) dictates requirements for the storage and retention of documents relating to an organization's financial and business operations. This includes storage of specific documents types, and their retention periods.
Windows security logs
The Windows Security log records the date and time of each successful or failed logon attempt by a local or domain account (event IDs 4624 and 4625). Any use of the unknown account shown in the log should be reported.
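The check described in the two IAM/unknown-account questions and the Windows security log card above, as an added example that is not part of the original card set: summarize the logon history of one suspicious local account from exported Security log records. The event records below are constructed for the example (field names follow the Windows event XML: TargetUserName, SubjectUserName, LogonType, IpAddress); the `account_activity` and `findings` functions and the "internal addresses start with 10." heuristic are this example's own assumptions.

```python
"""Added example (not from the original card set): summarize logon activity
for a suspicious local account from exported Windows Security log records.

Event ID 4624 = successful logon, 4625 = failed logon, 4720 = account created.
The records are constructed; in practice they would come from Get-WinEvent
or a SIEM export in the same field layout.
"""
from collections import Counter

LOGON_TYPE = {2: "Interactive", 3: "Network", 5: "Service", 7: "Unlock",
              10: "RemoteInteractive"}

# Constructed sample: "svc_backup2" is the unknown local account.
EVENTS = [
    {"TimeCreated": "2024-05-01T08:02:11", "EventID": 4720, "TargetUserName": "svc_backup2",
     "SubjectUserName": "jsmith", "LogonType": None, "IpAddress": "-"},
    {"TimeCreated": "2024-05-01T08:05:40", "EventID": 4625, "TargetUserName": "svc_backup2",
     "SubjectUserName": "-", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2024-05-01T08:05:52", "EventID": 4624, "TargetUserName": "svc_backup2",
     "SubjectUserName": "-", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2024-05-03T22:14:09", "EventID": 4624, "TargetUserName": "svc_backup2",
     "SubjectUserName": "-", "LogonType": 10, "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-03T22:20:00", "EventID": 4624, "TargetUserName": "jsmith",
     "SubjectUserName": "-", "LogonType": 2, "IpAddress": "-"},
]


def account_activity(events, account):
    """Return a summary for `account`: who created it (if a 4720 is present),
    last successful logon, failed attempts, source addresses and logon types."""
    mine = sorted((e for e in events if e["TargetUserName"].lower() == account.lower()),
                  key=lambda e: e["TimeCreated"])  # ISO timestamps sort lexically
    created = next((e for e in mine if e["EventID"] == 4720), None)
    successes = [e for e in mine if e["EventID"] == 4624]
    failures = [e for e in mine if e["EventID"] == 4625]
    return {
        "created_by": created["SubjectUserName"] if created else None,
        "created_at": created["TimeCreated"] if created else None,
        "successful_logons": len(successes),
        "failed_logons": len(failures),
        "last_logon": successes[-1]["TimeCreated"] if successes else None,
        "sources": sorted({e["IpAddress"] for e in successes + failures} - {"-"}),
        "logon_types": Counter(LOGON_TYPE.get(e["LogonType"], "Other") for e in successes),
    }


def findings(summary, internal_prefix="10."):
    """Turn the summary into reportable observations. The internal-range
    prefix is an assumption of this example, not a Windows rule."""
    out = []
    if summary["successful_logons"]:
        out.append(f"account has been used: {summary['successful_logons']} successful "
                   f"logon(s), last at {summary['last_logon']}")
    for ip in summary["sources"]:
        if not ip.startswith(internal_prefix):
            out.append(f"logon activity from non-internal address {ip}")
    if summary["logon_types"].get("RemoteInteractive"):
        out.append("remote interactive (RDP) logon observed")
    if summary["created_by"]:
        out.append(f"created by {summary['created_by']} at {summary['created_at']}")
    return out


if __name__ == "__main__":
    for line in findings(account_activity(EVENTS, "svc_backup2")):
        print("-", line)
```

The creator recorded in the 4720 event is the person to verify with the data or system owner; the 4624 events answer the card's question of whether the account was used previously.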
The audit process
The audit process is more rigid than evaluation and assessment strategies. An auditor uses a pre-defined baseline that they compare the organization's current state to, which helps the auditor find any specific violations that require remediation.
A company has been using a prescriptive framework to implement security controls. They have matured to a tier 3 organization and have learned many lessons along the way. Review the following descriptions and select the most applicable statement to this company's situation.
The company has defined policies and procedures.
Data Custodian
The data custodian handles managing the system that stores data assets. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.
Data Owner
The data owner is a senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset.
Data steward
The data steward is responsible for data quality. This involves tasks like labeling and identifying data with appropriate metadata. The data is collected and stored in a format, and with values, that comply with applicable laws and regulations.
The evaluation process
The evaluation process is aimed at examining outcomes or literally "proving usefulness." It will answer questions like, "Were there security breaches?" and "What was the response to an incident?"
The formula for annual loss expectancy (ALE)
The formula for annual loss expectancy (ALE) = SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence).
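The quantitative risk formulas on these cards (AV, EF, SLE, ARO, ALE) and the ROSI comparison from the intrusion prevention question, chained into one calculation as an added example that is not part of the original card set. The asset value, SLE and ARO are the figures from the ALE question above; the exposure factors, control prices and residual rates for the two IPS options are constructed numbers, and the `Control` dataclass and `rosi`/`best_control` names are this example's own assumptions.

```python
"""Added example (not from the original card set): quantitative risk
formulas from the cards, chained together.

    SLE  = AV x EF                      (single loss expectancy)
    ALE  = SLE x ARO                    (annual loss expectancy)
    ROSI = (ALE_before - ALE_after - annual control cost) / annual control cost

AV, SLE and ARO below are the figures from the ALE question; the control
prices and residual rates are constructed for the example.
"""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: value lost in one incident. EF is a fraction 0..1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual loss expectancy. ARO may be fractional (once in 4 years = 0.25)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return single_loss * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # licence plus operations per year
    aro_after: float     # expected incident rate once the control is in place
    ef_after: float      # residual exposure factor per incident


def rosi(av: float, ef: float, aro: float, control: Control) -> float:
    """Return on security investment, as a multiple of the control's annual cost."""
    ale_before = ale(sle(av, ef), aro)
    ale_after = ale(sle(av, control.ef_after), control.aro_after)
    return (ale_before - ale_after - control.annual_cost) / control.annual_cost


def best_control(av, ef, aro, controls):
    """Pick the control with the highest ROSI (ties resolved by list order)."""
    return max(controls, key=lambda c: rosi(av, ef, aro, c))


# Figures from the card: AV $500,000, SLE $25,000 (so EF = 0.05), ARO 12/year.
AV, EF, ARO = 500_000.0, 0.05, 12.0

# Constructed options for the IPS question: network IPS is cheaper to run,
# host-based IPS costs more per year but also trims the loss per incident.
CONTROLS = [
    Control("network IPS", annual_cost=60_000.0, aro_after=3.0, ef_after=0.05),
    Control("host-based IPS", annual_cost=90_000.0, aro_after=2.0, ef_after=0.04),
]

if __name__ == "__main__":
    print(f"SLE = {sle(AV, EF):,.0f}  ALE = {ale(sle(AV, EF), ARO):,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: ROSI = {rosi(AV, EF, ARO, c):.2f}")
    print("choose:", best_control(AV, EF, ARO, CONTROLS).name)
```

With these inputs the baseline ALE is 300,000; the network IPS leaves an ALE of 75,000 for a ROSI of 2.75, while the host-based IPS leaves 40,000 but costs more to operate, for a ROSI of about 1.89, so cost of operations alone favours the network option, as the card's answer states.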
frame (Risk Management)
The frame component establishes a strategic risk management framework, supported by decision-makers at the top tier of the organization. The risk frame sets an overall goal for the degree of risk tolerated and demarcates responsibilities.
The framework core
The framework core identifies five cybersecurity functions (Identify, Protect, Detect, Respond, and Recover). Each function can be divided into categories and subcategories.
Privacy Officer
The privacy officer is responsible for oversight of Personally Identifiable Information (PII), including company-managed Protected Health Information (PHI) assets. This ensures compliance in matters like data sovereignty and data retention.
Risk Frame
The risk frame sets an overall goal for the degree of risk that can be tolerated and demarcates responsibilities. The risk frame directs and receives inputs from all other processes.
The validation process
The validation process, during software development for example, determines whether the security system is fit-for-purpose (its design goals meet the requirements for a secure system).
The verification process
The verification process, during software development for example, is a compliance-testing process to ensure that the security system meets the requirements of a framework or regulatory environment.
Tier 1 in the prescriptive framework
Tier 1 (Partial) in the prescriptive framework represents an organization that has a reactive approach to security: something bad happens and they scramble to fix it.
Tier 2 in the prescriptive framework
Tier 2 (Risk Informed) in the prescriptive framework represents an organization that prepares to mitigate cybersecurity risks by performing risk assessments.
Tier 3 in the prescriptive framework
Tier 3 (Repeatable) in the prescriptive framework represents an organization with defined policies and procedures driven by the IT department.
Tier 4 in the prescriptive framework
Tier 4 (Adaptive) in the prescriptive framework represents an organization that demonstrates management oversight of risks. They have risk-driven business policies and processes, and procedures for optimizing and continuously monitoring controls.
A data loss prevention (DLP) solution is being researched. If using an enterprise solution, the DLP architecture may include a policy server, endpoint agents, and network agents. How can DLP endpoint agents support data privacy and protection?
To enforce client policies
Research is being conducted for a data loss prevention (DLP) solution. If using an enterprise solution, the DLP architecture may include a policy server, endpoint agents, and network agents. How can DLP network agents support data privacy and protection?
To scan web communication; To scan messaging servers
Unclassified
Unclassified or public documents have no restrictions. No NDA is required for this type of information.
Verification
Verification is a compliance-testing process to ensure that the security system meets the requirements of a framework or regulatory environment, or more generally, that a product or system meets its design goals.
Version Control
Version control helps when files and records change frequently, such as software code. This would apply to short term data retention policies created by an organization.
Which of the following might a company include in an acceptable use policy (AUP) for general users?
Voice over IP use; Appropriate use of Internet services; Prohibit sharing accounts
Watermarking
Watermarking is a technical security control. It encodes data with a visible or invisible marking.
Work recovery time (WRT)
Work recovery time (WRT) represents that time following systems recovery, where there may be additional work to reintegrate different systems, test overall functionality, and brief system users on any changes.