NIST Privacy Framework Core Functions
control
data processing policies, processes, and procedures; data processing management; and disassociated processing
Protect
data protection policies, processes, and procedures; identity management, authentication, and access control; and data security, maintenance, and protective technology
Evaluate, Direct, and Monitor (EDM)
1. ensure governance framework setting and maintenance2. ensured benefits delivery3. ensured risk optimization4. ensured resource optimization5. ensured stakeholder engagement
five components of framework core
1. identify 2. protect 3. detect 4. respond 5. recover
Deliver, Service, and Support (DSS)
1. managed operations2. service requests and incidents3. managed problems4. managed continuity5. managed security services6. managed business process controls
When complementary user entity controls are identified, the scope section of the service auditor's SOC 1® Type 2 report will be amended to include which of the following?
A statement that the service auditor did not evaluate the suitability of the design or operating effectiveness of the complementary user entity controls.
What is the primary disadvantage of using a cold site as a disaster recovery site?
Delivery of equipment and software may be delayed.
CIS Control 15: Service Provider Management
Develop a process to evaluate relevant third parties who hold sensitive data or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Network address translation firewalls
Devices that have a primary function of enabling other machines in a network to share an IP address so that identities may be hidden,
Which of the following descriptions best summarizes the holistic approach governance system principle under COBIT 2019?
Governance systems for IT can comprise diverse components.
Under what circumstances would a service auditor be required to be independent from a subservice organization used by a service organization in an engagement to report on controls at a service organization?
Independence is required when a subservice organization is used and management elects to use the inclusive method to present its system description.
switch
It simply needs to connect the router to other machines on the network without providing any advanced routing capabilities
A system outage that would allow an organization to partially function temporarily for days or a week but still potentially reach its objectives describes an
M category
Build, Acquire, and Implement (BAI)
Managed knowledge, managed organizational change, and managed availability and capacity
Align, Plan, and Organize (APO)
Managed security, managed human resources, and managed budget and costs
General controls in an information system include
Software acquisition, Security management,Information technology infrastructure.
Event logs
are a form of logging that catalogs various types of events that occur on a system, such as activity at the device level recorded in endpoint logs; access to files, which is documented in security logs; and authenticating users, which is tracked in directory logs
system commitments
are declarations made by service organization management to user entities and others about the system used to provide the service.
To prevent interrupted information systems operation, which of the following controls are typically included in an organization's disaster recovery plan?
are designed to ensure that the processing of data is accurate and complete. An example control includes matching two or more items or transactions before action is taken on the item or transaction.
processing controls
are designed to ensure that the processing of data is accurate and complete. An example control includes matching two or more items or transactions before action is taken on the item or transaction.
public cloud models
are owned by third-party cloud service providers, are located off-site, and are shared with one or more organizations. However, their purpose is not to share resources with industry peers.
system requirements
are specifications regarding how the system should function to meet the service organization's service commitments to user entities and others, to meet the service organization's commitments to vendors and business partners, to comply with relevant laws and regulations and guidelines of industry groups, and to achieve other objectives of the service organization that are relevant to the trust services category or categories addressed by the description.
Control 08: Audit Log Management
establishes a process for managing logs so that companies will be alerted and recover from system disruptions or attacks rapidly. System logs contain a list of events, such as when a person entered a command into a command-line prompt or when a DNS query was triggered after a person entered a specific domain into a browser on a company device. Such logs facilitate pulling records for legal matters and requests in eDiscovery.
identify framework core
framework functions in the Privacy Framework Core best describes how the organization answers what the company's privacy risks related to data processing activities are
Additional Privacy Framework Functions
govern control communicate
Govern
governance policies, process, and procedures; risk management strategy; awareness and training; and monitoring review
In all SOC engagements, risk assessment primarily focuses on:
inherent risk
identify
inventory and mapping, business environment, risk assessment, data proessing ecosystem risk management
replication
involves copying and transferring data between different databases located in different sites, such as a geographically different data center or the cloud. Replication allows operations to resume quickly using data in the secondary site after a system failure.
Virus quarantining (corrective)
involves isolating actual or suspected viruses to remove the threat from the rest of a company's network and is usually accomplished in an automated manner via antivirus software or manually after suspicious activity has been flagged from the review of system logs.
NIST 800-53
is designed for protecting information systems against sophisticated threats
star schema
is the most common schema for dimensional modeling, and it is also the simplest schema used for dimensional modeling. It is organized into a central fact table with associated dimension tables surrounding it, where the diagram of the schema looks like a star with the fact table at the center and the dimension tables arranged around it.
2NF
it's essential that each non-key attribute (such as Category in this case) depend on the entire primary key (ProductID). This ensures that the data is organized efficiently and eliminates partial dependencies.
size checks
limit the number of characters input into a field.
router
more sophisticated piece of equipment that can interpret data packets and route them according to how they are encoded,
principles for a governance framework under COBIT
open and flexible based on a conceptual model aligned to major standards
business as a process
organizations that use SaaS to perform a specific business function for clients, such as billing, payroll, or distribution. It provides more than just the software and hardware needed to perform a business function. This model also performs that function.
implementation tiers
provide a measure of an organization's information security infrastructure sophistication.
platform as a service
provides proprietary tools or solutions to allow customers to build or operate their applications on the CSP's infrastructure. CSPs are responsible for keeping the customer applications' uptime at an acceptable level by maintaining all of the back-end infrastructure (e.g., hardware, network, operating systems, etc.) required to build/test/run those applications.
infrastructure as a service
provides users with a virtual data center with outsourced servers, storage, hardware, and networking resources. It does not also provide applications to perform business functions like processing payments and performing marketing campaigns.
System testing through independent verification of transaction processing
results represents one of the most effective methods to reduce the risk of incorrect processing of transactions in a newly installed accounting system.
Community cloud computing deployment models
share resources with multiple organizations that have the same mission or a common interest, such as banding together for regulatory compliance or for collaborating with others in the same industry.
software as a service
the cloud service provider (CSP) provides a business application (e.g., a web-based application to sell any kind of product) that organizations use to perform specific functions or processes (e.g., selling products to customers). Customers can use the application for their specific purposes while still having some level of customization (e.g., adding its own logo, pictures, product descriptions, etc.) and configuration options (e.g., adding extensions).
RTO
the maximum amount of time it should take to restore IT operations after a system failure.
framework profiles
the mechanisms by which NIST recommends companies measure cybersecurity risk and establish a roadmap to ensure the organization can minimize such risk. implementation guides. 3 tiers: current, target, gap analysis.
NIST Privacy Framework's purpose
to help organizations manage privacy risk by considering privacy best practices as they design and deploy systems, products, and services that affect individuals, communicating privacy practices to the rest of the organization, and encouraging cross-organizational workforce collaboration relating to user privacy and IT security.
data minimization
under GDPR, is the principle that requires that data processing must be relevant, adequate, and limited to what is necessary for the purpose. The other five principles include purpose limitation, accuracy, integrity and confidentiality, storage limitations, and lawfulness, fairness, and transparency.
Framework Core
was a legislative imperative for NIST to develop a set of plain language controls for the protection of critical IT infrastructure. The focus is to develop a program to identify, assess, and manage cybersecurity risks in a cost-effective and repeatable manner.
