Lesson 1: Security Controls, CIA triad,
Cybersecurity Framework (CSF)
A list of activities and objectives undertaken to mitigate risks, the use of which allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target.
Cloud controls matrix (CSA resource)
Lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements, as it provides a baseline level of security competency that the CSP should meet.
Informed consent
Means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese.
Detect Cybersecurity task
Perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
Protect Cybersecurity task
Procure/develop, install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of this operations life cycle.
The National Checklist Program (NCP)
Produced by NIST; provides checklists and benchmarks for a variety of operating systems and applications.
Security Technical Implementation Guides (STIGs)
Hardening guidelines for a variety of software and hardware solutions, provided by the Department of Defense Cyber Exchange.
SOC3 report
A less detailed report, provided for general consumption, certifying compliance with SOC2. It can be freely distributed.
PCI DSS
Industry-mandated regulation that defines the safe handling and storage of financial information.
Benchmark
Settings for services and policy configuration for a server operating in a particular application role (web server, mail server, file/print server, and so on).
Open Web Application Security Project (OWASP)
A charity and not-for-profit online community that publishes several secure application development resources, such as the Top 10 list of the most critical application security risks. It has also developed resources, such as the Zed Attack Proxy and Juice Shop (a deliberately insecure web application), to help investigate and understand penetration testing and application security issues.
Managerial Control
A category of security control that gives oversight of the information system. Examples: risk identification, a tool allowing the evaluation and selection of other security controls, and security policies.
Technical control
A category of security control that is implemented as a system (hardware, software, or firmware). May also be described as logical controls. Examples: firewalls, antivirus software, and OS access control models.
Operational control
A category of security control that is implemented by people. Examples: Security guards, training program, and SOPs
Access Control List (ACL)
A collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read only, read/write, and so on).
Development and operations (DevOps)
A combination of software development and systems operations; refers to the practice of integrating one discipline with the other.
ISO 31K
A comprehensive set of standards for enterprise risk management
ISO 27001
A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.
Gramm-Leach-Bliley Act
A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual's financial information that is held by financial institutions.
Center for Internet Security (CIS)
A not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).
Compensating Control
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations. Examples: unknown
What is a security control?
A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.
Corrective Control
A type of security control that acts after an incident to eliminate or minimize its impact. Examples: a backup/restore system and patch management.
Physical control
A type of security control that acts against in-person intrusion attempts. Examples: alarms, gateways, locks, lighting, security cameras, and guards
Detective Control
A type of security control that acts during an incident to identify or record that it is happening. Examples: Logs
Preventive Control
A type of security control that physically or logically restricts unauthorized access; it acts to eliminate or reduce the likelihood that an attack can succeed, operating before an attack can take place. Examples: anti-malware software, SOPs.
Deterrent Control
A type of security control that psychologically discourages intrusion attempts. Examples: signs and warnings of legal penalties against trespass or intrusion.
SSAE (Statements on Standards for Attestation Engagements)
Audit specifications, developed by the American Institute of Certified Public Accountants (AICPA), designed to ensure that cloud/hosting providers meet professional standards. A , while s are .
ISO 27002
Classifies security controls
ISO 27701
Focuses on personal data and privacy
Cloud Security Alliance (CSA)
Industry body providing security guidance to cloud service providers (CSPs), including an enterprise reference architecture and a security controls matrix. It produces various resources to assist CSPs in setting up and delivering secure cloud platforms; these resources can also be useful for cloud consumers in evaluating and selecting cloud services.
GDPR (General Data Protection Regulation)
Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.
ISO 27017, 27018
Reference cloud security
Availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
Confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
Integrity
The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.
System operations center (SOC)
The location where security professionals monitor and protect critical information assets in an organization.
Non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
Security Guidance (CSA resource)
A best practice summary analyzing the unique challenges of cloud environments and how on-premises controls can be adapted to them.
SOC2 Type I report
Assesses the system design.
Enterprise reference architecture (CSA resource)
Best practice methodology and tools for CSPs to use in architecting cloud solutions. The solutions are divided across a number of domains, such as risk management and infrastructure, application, and presentation services.
Identify Cybersecurity task
Develop security policies and capabilities. Evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them.
SOC2 Type II report
Evaluates the internal controls implemented by the service provider to ensure compliance with Trust Services Criteria (TSC) when storing and processing customer data. Assesses the ongoing effectiveness of the security architecture over a period of 6-12 months. Highly detailed and designed to be restricted; it should only be shared with the auditor and regulators, and with important partners under non-disclosure agreement (NDA) terms.
What rights does the GDPR give to data subjects?
Gives data subjects the rights to withdraw consent, and to inspect, amend, or erase data held about them.
Respond Cybersecurity task
Identify, analyze, contain, and eradicate threats to systems and data security.
Recover Cybersecurity task
Implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.
