Cysa Lesson 5 - Compliance and Assessment

"Data at rest"

"Data at rest" is a state describing data in storage. This is used to describe encrypted data on a hard disk drive.

"Data in use"

"Data in use" is a state describing data present in volatile memory, such as system RAM or CPU registers and cache. Data is usually decrypted as it moves from disk to memory.

A company determined that their data center is worth about $500,000 in assets and data from its customers. Every so often, they are hit with a security incident where the single loss expectancy (SLE) totals about $25,000. If management determines that these instances may occur once a month next year, what will be the calculated annual rate of occurrence when calculating the annual loss expectancy (ALE)?

*12*

An encrypted hard drive disk (HDD) in storage describes data _____.

*At Rest*

code of conduct

A code of conduct policy outlines user and administrator expectations. For example, administrators are expected to protect the confidentiality and integrity of personal account credentials.

Data Loss Prevention (DLP)

A data loss prevention (DLP) endpoint agent enforces policies on the client computers, even when they are not connected on the network. A DLP network agent scans communications at the network borders and interface with web servers to monitor file access and use. A DLP network agent scans communications at the network borders and interface with messaging servers to monitor file sharing in messages.

non-disclosure agreement (NDA)

A non-disclosure agreement (NDA) is non-technical security control representing the legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies.

password policy

A password policy instructs users on best practices for creating and maintaining passwords. A password should long enough, and complex enough to prevent brute force or other typically executed password guessing methods hackers use.

A physical security control

A physical security control may include an alarm system, like one that alerts the local fire department of a building fire.

A social DRM

A social DRM involves encoding a watermark into the media file. If the file is posted to a file sharing site, search tools can track the media file and the company can enforce appropriate action.

GPS Location sharing to access data

An application that requires Global Positioning System (GPS) location sharing may restrict the use of processing or downloading data to a smartphone that exists outside the jurisdiction of the service provider.

A systems assessment

An assessment identifies and prioritizes business processes or workflows. A systems assessment determines which IT assets and procedures support these workflows. Risk identification takes place within the assess component.

An audit policy

An audit policy, like ones provided by Microsoft, includes options to track account log-on and management events, object access, and changes to system security and integrity.

authorized *media* players

An authorized media players describes a physical device like a game console or television that can play the media file.

A movie producer shares a sample clip of a movie trailer to a few users for review. The company has a custom application to review and provide feedback on the clip. Which type of protection does the company apply to the distribution of movie trailers?

An authorized viewer

Asset value (AV)

Asset value (AV) is the direct cost (monetary) of a product or solution. When calculating quantitative risk, the asset value represents the magnitude of the risk.

An identity and access management tool reported an unknown local account on a Windows server. An administrator checked the local users and confirmed the existence of the account. How can the administrator find out if the local account was used previously?

Check the security logs. Verify data owners.

Classified

Classified documentations are also known as private, internal use only, and office use only data. Viewing is restricted to authorized persons in the organization and third parties under a non-disclosure agreement (NDA).

Which of the following are examples of data sovereignty?

Cloud application requires GPS location sharing Local Admins cannot process data overseas

Which company policy lists expectations for how IT admins should handle their elevated access?

Code of conduct

Traditional elements of a password policy not only make it secure, but also make it difficult for users to access resources locally or over the network. The National Institute of Standards and Technology (NIST) has updated their special publication (SP) 800 guidelines to balance security and user account manageability. Which element changes support this capability? Select all that apply.

Complexity rules should not be enforced. Aging policies should not be enforced

The IT team received the latest report from the identity and access management (IAM) application. An administrator is now reviewing the security logs of a Windows server. Analyze the scenario to determine why the admin is reviewing the logs.

Confirm last login attempts.

A U.S. manufacturing company is moving its IT infrastructure to the cloud. The cloud service provider (CSP) is touting 99% uptime and on-demand storage capacity. What can the manufacturing company require of the CSP in order to ensure the data is only accessible in the U.S.?

Constraint-Bases Access Choice of Data Center

Continuous security monitoring (CSM)

Continuous security monitoring (CSM) is a process of continual risk reassessment. Rather than an ad hoc process driven by incident response, CSM is an ongoing effort to obtain information vital in managing risk within the organization.

Watermarking

DLP solutions do not encode watermarks into files. Watermarking is a digital and most times visible marking encoded into the file or video to defeat attempts of removal from official channels, or so the file can be located if released on a file sharing site.

Data masking

Data masking is a technical security control. It is when all or part of the contents of a field are redacted, by substituting all character strings with an "x."

Which non-technical security control affects data retention policies?

Data minimization

Data minimization

Data minimization is the principle that data should only be processed and stored if it is necessary to perform the purpose for which it is collected.

Data retention standards

Data retention standards are a non-technical control. It includes policies that manage and show when and how to dispose of distinct types of data. An example includes regulated data that require long-term retention.

Data sovereignty

Data sovereignty refers to a jurisdiction preventing, or restricting, processing and storage from taking place on systems that do not physically reside within the jurisdiction.

When caring for the quality of the data, identify the person who labels and stores data in a format applicable to laws and regulations.

Data steward

Deidentification

Deidentification is a technical security control. It is the process by which datasets that contain Personally Identifiable Information (PII) remove the associated PII.

When ensuring an application can protect the privacy of patient health information, as described in the Health Insurance Portability and Accountability Act (HIPAA), what process would prove its usefulness?

Evaluation process

Exposure factor (EF)

Exposure factor (EF) is how often a risk will occur. This is the probability represented in a quantitative risk calculation.

A hospital runs proprietary software to automate patient health information and billing. Software developers also keeps copies of each iteration of the code in case of a disaster. Determine which other reason would apply to keeping different copies of the code?

For version control

Select the components that make up the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Implementation tiers Core Profiles

authorized *viewer*

In a digital rights management (DRM) solution, an authorized viewer refers to a viewing application, like a specific media player that can play the clip. The company's custom application has the authorized viewing application built-in.

Which of the following statements about continuous security monitoring are true?

It is a process of continual risk assessment. It involves a routine audit of rights and privileges.

Jurisdiction (related to data)

Jurisdiction refers to data sovereignty where data processing may have storage and legal restrictions based on geographic location.

The organization is switching to a risk-based framework to better understand its current cybersecurity posture and improve it. Following the NIST Cybersecurity Framework as a template, how can framework profiles support the company's security goals?

List target cybersecurity outcomes.

According to National Institute of Standards and Technology Special Publication (NIST SP) 800-39, the risk identification process consists of which of the following? Select all that apply.

Mitigation through security controls Prioritization of systems Evaluation of any changes Risk framework establishment

In the military, data confidentiality is divided into different levels, classified with different labels. The military often consults with third parties to understand which IT solutions can support their missions. Under which data classification would the military be able to provide electronic documents to third-parties under a non-disclosure agreement (NDA)?

Official use only Restricted

When creating a risk assessment process, which of the following physical security controls must a company consider for a data center warehouse? Select all that apply.

Parking lights Fire alarm

A central data loss prevention (DLP) application has been operating at the network edge. Administrators are now installing endpoint agents on the workstations. What protection does this action provide for the company?

Prevention of copying data to a USB flash drive

Which of the following is a non-technical security control?

Purpose limitation Non-disclosure agreement Retention standards

Purpose limitation

Purpose limitation is a non-technical control used in privacy regulations. It restricts an organization's ability to transfer data to third parties. Consent statements must be tracked to keep data usage in compliance.

Recovery point objective (RPO)

Recovery point objective (RPO) is the amount of data loss that a system can sustain, measured in time.

Recovery time objective (RTO)

Recovery time objective (RTO) is the period following a disaster that an individual IT system may remain offline. This is the amount of time it takes to identify that there is a problem and then perform recovery.

A military unit is working with a vendor to gather information about an IT security solution to monitor their network. The vendor is requesting documentation about the environment to make a proper assessment. Which types of data may the military allow a vendor to review under a non-disclosure agreement (NDA)?

Restricted Official Use Only

Restricted

Restricted or confidential documents are highly sensitive. It is approved for viewing only by approved persons in the organization, and possibly by trusted third parties under a NDA.

There has been an increase in external intrusions, ranging from denial of service attacks to malicious software installation at a local company. Using a limited budget, management is trying to decide on deploying a network or host-based intrusion prevention solution. Which of the following will be the deciding factor if they make their decision solely based on cost of operations?

Return on security investment

Return on security investment (ROSI)

Return on security investment (ROSI) includes multiple factors such as the cost of the solution, and the reduction of the annual loss expectancy (ALE). ALE can depend a little on operational costs due to an incident happening or not, or even how quickly it is resolved.

Secret

Secret documentation is too valuable to allow any risk of its capture. This is strictly for persons within the military.

A data retention policy may include which of the following types of factors?

Short term Dates Redundancy

Single loss expectancy (SLE)

Single loss expectancy (SLE) is the product of an AV and EF. This is the quantitative risk result.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidance on a variety of governance-related topics including fraud, controls, finance, and ethics.

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act (FISMA) requires federal organizations to adopt information assurance controls.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) institutes requirements that help protect the individual's financial informational privacy held by financial institutions and other groups, such as tax preparation companies.

The NIST guidelines for passwords

The NIST guidelines suggest not enforcing aging policies. NIST guidelines suggest smart card use The NIST guidelines suggest users to use lengthy passwords up to 64 characters. Min of 8.

(NIST) Cybersecurity Framework

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is risk-based and includes the framework core, implementation tiers, and framework profiles. The framework core identifies five cybersecurity functions (Identify, Protect, Detect, Respond, and Recover).

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) dictates requirements for the storage and retention of documents relating to an organization's financial and business operations. This includes storage of specific documents types, and their retention periods.

Windows security logs

The Windows security logs will provide the date and times a local account, or domain, was successful or unsuccessful in accessing the logs. Any attempts of using the account per the logs should be reported.

The audit process

The audit process is more rigid than evaluation and assessment strategies. An auditor uses a pre-defined baseline that they compare the organization's current state to, which helps the auditor find any specific violations that require remediation.

A company has been using a prescriptive framework to implement security controls. They have matured to a tier 3 organization and have learned many lessons along the way. Review the following descriptions and select the most applicable statement to this company's situation.

The company has defined policies and procedures.

Data Custodian

The data custodian handles managing the system that stores data assets. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.

Data Owner

The data owner is a senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset.

Data steward

The data steward is responsible for data quality. This involves tasks like labeling and identifying data with appropriate metadata. The data is collected and stored in a format, and with values, that comply with applicable laws and regulations.

The evaluation process

The evaluation process is aimed at examining outcomes or literally "proving usefulness." It will answer questions like, "Were there security breaches?" and "What was the response to an incident?"

The formula for annual loss expectancy (ALE)

The formula for annual loss expectancy (ALE) = SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence).

frame (Risk Management)

The frame component establishes a strategic risk management framework, supported by decision-makers at the top tier of the organization. The risk frame sets an overall goal for the degree of risk tolerated and demarcates responsibilities.

The framework core

The framework core identifies five cybersecurity functions (Identify, Protect, Detect, Respond, and Recover). Each function can be divided into categories and subcategories.

Privacy Officer

The privacy officer is responsible for oversight of Personally Identifiable Information (PII), including company managed Person Health Information (PHI) assets. This ensures compliance in matters like data sovereignty and data retention.

Risk Frame

The risk frame sets an overall goal for the degree of risk that can be tolerated and demarcates responsibilities. The risk frame directs and receives inputs from all other processes.

The validation process

The validation process, during software development for example, determines whether the security system is fit-for-purpose (its design goals meet the requirements for a secure system).

The verification process

The verification process, during software development for example, is a compliance-testing process to ensure that the security system meets the requirements of a framework or regulatory environment.

Tier 1 in the prescriptive framework

Tier 1 in the prescriptive framework represents an organization that has a reactive approach to security. This means something bad happens and they scramble to fix it.

Tier 2 in the prescriptive framework

Tier 2 in the prescriptive framework represents an organization that prepares to mitigate cybersecurity risks by performing risk assessments.

Tier 3 in the prescriptive framework

Tier 3 in the prescriptive framework represents an organization with defined policies and procedures driven by the IT department.

Tier 4 in the prescriptive framework

Tier 4 in the prescriptive framework represents an organization that demonstrates management oversight of risks. They have risk-driven business policies and processes, and procedures for optimizing and continuously monitoring controls.

A data loss prevention (DLP) solution is being researched. If using an enterprise solution, the DLP architecture may include a policy server, endpoint agents, and network agents. How can DLP endpoint agents support data privacy and protection?

To enforce client policies

Research is being conducted for a data loss prevention (DLP) solution. If using an enterprise solution, the DLP architecture may include a policy server, endpoint agents, and network agents. How can DLP network agents support data privacy and protection?

To scan web communication To scan messaging servers

Unclassified

Unclassified or public documents have no restrictions. No NDA is required for this type of information.

Verification

Verification is a compliance-testing process to ensure that the security system meets the requirements of a framework or regulatory environment, or more generally, that a product or system meets its design goals.

Version Control

Version control helps when files and records change frequently, such as software code. This would apply to short term data retention policies created by an organization.

Which of the following might a company include in an acceptable user policy (AUP) for general users?

Voice over IP use Appropriate use of Internet services Prohibit sharing accounts

Watermarking

Watermarking is a technical security control. It encodes data with a visible or invisible marking.

Work recovery time (WRT)

Work recovery time (WRT) represents that time following systems recovery, where there may be additional work to reintegrate different systems, test overall functionality, and brief system users on any changes.