Objective 5
Center for Internet Security (CIS)
A non-profit organization that publishes information on cybersecurity best practices and threats, including the CIS Benchmarks (hardening guides) and the CIS Controls. It also provides tools to help harden your environment and manage risk.
Cloud Security Alliance (CSA)
A nonprofit organization with a mission to promote best practices for using cloud computing securely.
Mean Time Between Failures (MTBF)
A statistical value that is the average time between failures of a repairable component or system (operating time divided by the number of failures). Contrast with Mean Time To Failure (MTTF), which is the average time until a non-repairable component fails and must be replaced.
Service Level Agreement (SLA)
Agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels.
Annualized Rate of Occurrence (ARO)
An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year.
Data Processor
An individual or organization, often a third-party outsourcing service, that processes personal data on behalf of, and under the instructions of, a data controller.
ISO 27701
An international standard that acts as a privacy extension to ISO 27001, enhancing the existing ISMS with additional requirements in order to establish, implement, maintain, and continually improve the protection of PII and data privacy.
NIST RMF Step 5:
Assess security controls
NIST RMF Step 6:
Authorize information systems
NIST RMF Step 2:
Categorize information systems
ISO 27002
Code of practice for information security with hundreds of potential controls and control mechanisms. The standard is intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".
SOC Type 2
Describes an organization's systems and covers the operational effectiveness of its security controls over a range of dates, such as 12 months. Refers to how well the security controls actually worked when mitigating risks during that period. Provides a higher level of assurance than a Type 1 report.
SOC Type 1
Describes an organization's systems and covers the design effectiveness of security controls on a specific date. Refers to how well the security controls address the risks, but not necessarily how well they work when mitigating risks.
Acceptable Use Policy (AUP)
Describes the purpose of computer systems and networks, how users can access them, and the responsibilities of users when they access the systems.
Data Owner
Ensures that the data is classified correctly and labeled to match its classification, and is responsible for ensuring that adequate security controls are implemented to protect the data. Data owners often delegate day-to-day tasks (for example, to a data custodian), but they cannot delegate their accountability.
Data Controller
Entity that determines why and how personal data should be processed. For example, an employer controls its employees' personal data and decides which of it to release to a payroll company (the data processor).
Measurement Systems Analysis (MSA)
Evaluates the processes and tools used to make measurements.
Single-Loss Expectancy (SLE)
Expected monetary loss every time a risk occurs; calculated by multiplying asset value by exposure factor.
Annualized Loss Expectancy (ALE)
Expected monetary loss for an asset due to a risk over a one-year period; calculated by multiplying single loss expectancy by annualized rate of occurrence.
Memorandum of Understanding (MOU)
Expresses an understanding between two or more parties indicating their intention to work together toward a common goal.
End of Life (EOL)
Generally refers to the date when a product will no longer be offered for sale.
NIST RMF Step 4:
Implement security controls
End of Service Life (EOSL)
Indicates the date when you expect a lack of vendor support because vendors no longer create patches or upgrades to resolve vulnerabilities for the product.
Payment Card Industry Data Security Standard (PCI DSS)
Information security standard created to enhance cardholder data security for organizations that store, process, or transmit credit card data. Compliance is mandatory, as a contractual condition set by the card brands, for all organizations that store, process, or transmit cardholder data.
NIST Cybersecurity Framework
Integrates industry standards and best practices to help organizations manage their cybersecurity risks. Developed by NIST with input from private-sector and government experts, it helps organizations understand their cybersecurity risks (threats, vulnerabilities, and impacts) and how to reduce those risks with measures tailored to the organization.
ISO 31000
International standard for enterprise risk management that provides a universally recognized set of principles and a process for practitioners and companies employing risk management, intended to replace the many existing standards, methodologies, and paradigms that differed between industries, subject matters, and regions.
Gamification
Intertwines game-design elements within user training methods to increase participation and interaction.
Non-Disclosure Agreement (NDA)
Legal basis for protecting information assets. Used between two companies, an employee and a company, or a contractor and a company. Deters violating trust with legal consequences.
Cloud Controls Matrix (CCM)
Published by the CSA, it lists and categorizes cloud security control domains and controls, along with which elements and components are relevant to each control. This framework enables cooperation between cloud consumers and cloud providers in demonstrating adequate risk management.
Anonymization
Modifies data to protect the privacy of individuals by removing all PII within a data set. The goal is to remove any data that can be traced back to an individual while maintaining other data within the data set. Permanent.
Data Masking
Modifying data to hide the original content. The primary reason for doing so is to protect sensitive information such as PII. The process retains usable data but converts it to inauthentic data. Data typically comes from substitution files, such as a file of first names, a file of last names, and so on. May go through several rounds of substitution.
NIST RMF Step 7:
Monitor security controls
Clean Desk Space
A policy that directs users to keep their work areas organized and free of papers and other materials. The primary security goal is to reduce the likelihood of security incidents by protecting sensitive data; specifically, it helps prevent data theft and the inadvertent disclosure of information left on a desk.
NIST RMF Step 1:
Prepare
Data Minimization
Principle requiring organizations to limit the information they collect and use.
NIST Risk Management Framework (RMF)
Provides federal agencies and other organizations with structure and guidance for managing information security and risk by assembling standards, guidelines, and practices that are working effectively in industry today.
Terms of Agreement
Refers to the period that an agreement shall be in effect.
General Data Protection Regulation (GDPR)
Regulatory requirements to protect the personal data of individuals in the EU, regardless of where the processing organization is located. Includes the right to be forgotten (erasure) and requires organizations to report personal data breaches to the appropriate supervisory authority within 72 hours of becoming aware of the breach, and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them.
Pseudonymization
Replaces PII and other data with pseudonyms or artificial identifiers. A separate data set matches the pseudonyms with the original data. Reversible.
Tokenization
Replaces sensitive data elements with a substitution value. The token is a substitute value used in place of the sensitive data. A tokenization system can convert the token back into its original form.
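Added example (Python), not part of the original flashcards, showing the Anonymization, Data Masking, Pseudonymization, and Tokenization entries side by side on the same records so the reversibility property of each technique is visible: anonymization drops and generalizes with no way back, masking substitutes inauthentic values with no mapping kept, pseudonymization yields a stable keyed pseudonym that a separately held lookup table can reverse, and tokenization issues a random surrogate that only the vault can map back. The sample records, substitution lists, key, and vault are all constructed for illustration.

```python
import hashlib
import hmac
import random
import secrets

# Constructed sample records; the people and addresses are made up.
# Alice appears twice so the join behaviour of each technique can be compared.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "zip": "94110", "dob": "1984-03-09", "spend": 120.50},
    {"name": "Bob Sample", "email": "bob@example.org",
     "zip": "10001", "dob": "1979-11-30", "spend": 42.00},
    {"name": "Alice Example", "email": "alice@example.com",
     "zip": "94110", "dob": "1984-03-09", "spend": 17.25},
]

DIRECT_IDENTIFIERS = ("name", "email")

# Assumed secret for pseudonymization. In a real deployment it lives in a
# KMS/HSM, separate from the pseudonymized data set, because whoever holds
# it (plus the lookup table) can re-link records to people.
PSEUDONYM_KEY = b"demo-key-replace-with-kms-managed-secret"

# Constructed substitution files for masking (first names / last names).
FIRST_NAMES = ["Jordan", "Casey", "Riley", "Morgan"]
LAST_NAMES = ["Rivera", "Okafor", "Nguyen", "Schmidt"]


def anonymize(record):
    """Anonymization: irreversible. Direct identifiers are dropped and the
    quasi-identifiers (ZIP, date of birth) are generalized so that the
    remaining row cannot be traced back to one person."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["zip"] = record["zip"][:3] + "**"   # keep only the 3-digit ZIP prefix
    out["dob"] = record["dob"][:3] + "0s"   # keep only the decade of birth
    return out


def mask(record, rng=None):
    """Data masking: replace the original content with realistic-looking but
    inauthentic values drawn from the substitution lists. No mapping is kept,
    so it is not reversible. Masked values are not secrets, so a seeded PRNG
    is fine and makes test data repeatable."""
    rng = rng or random.Random()
    first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
    out = dict(record)
    out["name"] = f"{first} {last}"
    out["email"] = f"{first.lower()}.{last.lower()}@example.invalid"
    return out


def pseudonymize(record, key, lookup):
    """Pseudonymization: replace the identifiers with a keyed pseudonym
    (HMAC-SHA256 of the e-mail, truncated). The same input always gives the
    same pseudonym, so records can still be joined; `lookup` is the separate
    data set that matches pseudonyms to the originals and makes it reversible."""
    pseudonym = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()[:16]
    lookup[pseudonym] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym
    return out


def reidentify(pseudonymized, lookup):
    """Reverse pseudonymization using the separately held lookup table."""
    return {**pseudonymized, **lookup[pseudonymized["subject_id"]]}


class TokenVault:
    """Tokenization: the token is a random surrogate with no mathematical
    relationship to the original value; only the vault can map it back."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = value
        return token

    def detokenize(self, token):
        return self._vault[token]


def tokenize_record(record, vault):
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = vault.tokenize(record[field])
    return out


def detokenize_record(record, vault):
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        out[field] = vault.detokenize(record[field])
    return out


def leaks_pii(record):
    """Sanity check: does any field still hold one of the original identifiers?"""
    originals = {r[k] for r in RECORDS for k in DIRECT_IDENTIFIERS}
    return any(v in originals for v in record.values())


if __name__ == "__main__":
    lookup, vault = {}, TokenVault()
    for r in RECORDS:
        p = pseudonymize(r, PSEUDONYM_KEY, lookup)
        t = tokenize_record(r, vault)
        print("anonymized:", anonymize(r))
        print("masked:    ", mask(r, random.Random(0)))
        print("pseudonym: ", p["subject_id"], "->", reidentify(p, lookup)["email"])
        print("token:     ", t["email"], "->", detokenize_record(t, vault)["email"])
```

Note the contrast the output makes visible: both Alice rows get the same pseudonym (useful for analytics, but a linkage risk if the key leaks), while tokenization hands out a different token each time and reveals nothing without vault access; the anonymized rows can no longer be joined at all.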
System and Organization Controls (SOC) Report
A report covering an organization's cybersecurity controls, prepared by an independent auditor after evaluating those controls. It indicates that the organization meets the audited criteria and gives customers a level of assurance that adequate security controls are in place. A SOC 2 report is assessed against the five trust services criteria: security, availability, processing integrity, confidentiality, and privacy. Not to be confused with a Security Operations Center, which shares the acronym.
Data Custodian
Responsible for routine daily tasks such as backing up data, storage of the data, and implementation of business rules.
NIST RMF Step 3:
Select security controls
ISO 27001
Specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). An accredited auditor evaluates evidence that your controls and ISMS are effective and meet the standard's requirements before certification is granted.
Mean Time to Repair (MTTR)
The average amount of time needed to resolve the cause of a failure through repair or replacement of the faulty unit, measured from the failure until the system is back in service.
Recovery Time Objective (RTO)
The maximum amount of time that a process or service is allowed to be down and the consequences still to be considered acceptable.
Recovery Point Objective (RPO)
The point in time to which data must be restored in order to successfully resume processing. The amount of data that can acceptably be lost.
Data Protection Officer (DPO)
This person is responsible for ensuring the organization complies with relevant data protection laws, such as the GDPR, which requires a DPO for certain organizations. The person in this role also needs to act as an independent advocate for the data subjects (customers and employees) whose data is processed.
Computer-based Training (CBT)
Training where an individual interacts with an application on a computer. It can be courseware installed on a single computer or web-based training available over the Internet or an intranet.
Business Partnership Agreement (BPA)
Written agreement that details the relationship between business partners, including their obligations toward the partnership. It typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership.