Term
|
Definition
| Sherwood Applied Business Security Architecture |
|
|
Term
What architecture is this pertaining to?
Business Operation Support Services; IT Operations and Support; Presentation; Information; Infrastructure; Security and Risk Management |
|
Definition
| CSA Enterprise Architecture |
|
|
Term
|
Definition
| The Open Group Architecture Framework |
|
|
Term
What categories do these relate to? Interoperability; Availability; Security; Privacy; Resiliency; Performance; Governance; SLAs; Auditability; Regulatory Compliance |
|
Definition
|
|
Term
| What type of management deals with encryption and permissions |
|
Definition
|
|
Term
| What step is provisioning regarding IAM? |
|
Definition
|
|
Term
| What term refers to tracking, securing, and auditing privileged credentials used by administrators, computer services, and applications when accessing sensitive information and computing resources |
|
Definition
| Privileged Identity Management |
|
|
Term
| temporarily change a user’s privileges so that he can perform tasks that require elevated permissions, providing auditing and fine-grained control of the process. |
|
Definition
| Privileged User Management |
|
|
Term
| user access management - key components |
|
Definition
|
|
Term
|
Definition
DN - distinguished name; RDN - relative distinguished name |
|
|
Term
| Mitigate Account or Service Hijacking |
|
Definition
MFA; prohibit sharing of accounts |
|
|
Term
What do these controls relate to?
1. authentication 2. access control 3. encryption 4. activity monitoring |
|
Definition
|
|
Term
| *How to mitigate shared technology vulnerabilities? |
|
Definition
|
|
Term
| What are the problems with using components with known vulnerabilities |
|
Definition
| libraries, frameworks and software modules have full privileges |
|
|
Term
What is the purpose of these components? 1. No undocumented single points of weaknesses 2. Migration to alt provider within agreed upon timeframe 3. client should be able to verify data integrity 4. user selects backup settings 5. all components are available for DR |
|
Definition
|
|
Term
These domains pertain to which ISO?
IS Policies; Org and Info Security; HR Security; Asset Management; Access Control; Cryptographic; Physical and Environmental; Operations; System Acq, Dev and Maint; Supplier Relationship; IS Incident Management; IS Business Continuity Management; Compliance |
|
Definition
|
|
Term
What ISO is this relating to?
Takes into account the company's security risk environment. Used to select controls within the process of implementing an IS management system (ISMS) based on ISO 27001, and helps them create their own IS management guidelines |
|
Definition
|
|
Term
What ISO are these controls relating to?
1. Shared roles and responsibilities within a cloud computing environment 2. Removal and return of cloud service customer assets upon contract termination 3. Protection and separation of a customer’s virtual environment from that of other customers 4. Virtual machine hardening requirements to meet business needs 5. Procedures for administrative operations of a cloud computing environment 6. Enabling customers to monitor relevant activities within a cloud computing environment 7. Alignment of security management for virtual and physical networks |
|
Definition
| ISO 27017:2015 (Code of practice for information security controls based on ISO/IEC 27002 for cloud services) |
|
|
Term
| PC encryption is what FIPS level? |
|
Definition
|
|
Term
FIPS level: evidence of tamper proofing and prevention of physical access to encryption keys |
|
Definition
|
|
Term
FIPS level
Preventing the intruder from gaining access to info and data held within the cryptographic module; detecting physical access attempts and responding appropriately to protect the cryptographic module |
|
Definition
|
|
Term
FIPS level: complete protection around the cryptographic module to detect and respond to all unauthorized physical attempts; zeroization of all plaintext upon detection. |
|
Definition
|
|
Term
| FIPS applies to what industries |
|
Definition
| government and regulated industries |
|
|
Term
| What level of data classification is FIPS? |
|
Definition
| sensitive but not classified |
|
|
Term
What step for CC Evaluation is this? Vendor must complete a security target description that provides an overview of the security product's features. |
|
Definition
|
|
Term
What step for CC Evaluation is this?
certified lab tests the product |
|
Definition
|
|
Term
What step for CC Evaluation is this? successful evaluation leads to certification |
|
Definition
|
|
Term
| What is a defined standard set of security requirements for a specific product such as a firewall. |
|
Definition
|
|
Term
| What defines how thoroughly the product has been tested? |
|
Definition
| Evaluation Assurance Level |
|
|
Term
| What are guidelines and specifications developed for evaluating security products for the government. |
|
Definition
|
|
Term
What components are these for? 1. Document any single points of failure 2. migration to alternate providers 3. All components need to be supported by alternate CSP in the event of a failover 4. automated controls should be enabled to allow customer to verify data 5. Customer allowed to determine incremental backup frequency, coverage and ease of use of recovery point restoration options 6. regular assessment of SLA |
|
Definition
|
|
Term
What principles are these regarding for SOC 2?
Security, CIA and Privacy |
|
Definition
| 5 Trust Services principles for a SOC 2 |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
| 20,000 - 1 million credit card |
|
|
Term
|
Definition
less than 20,000 e-commerce, up to 1 mil transactions |
|
|
Term
| What is the Security issue with creating data? |
|
Definition
|
|
Term
| What are the two Security considerations for storing data? |
|
Definition
| Access control lists and encryption |
|
|
Term
| What 2 Security issues for use and shared data |
|
Definition
|
|
Term
| Security issues with destroy |
|
Definition
| Cryptoshredding and overwriting |
|
|
Term
| Two Additional considerations that affect data lifecycle |
|
Definition
|
|
Term
| What are the three factors that influence necessary controls for data? |
|
Definition
| actors, functions and locations |
|
|
Term
|
Definition
Damage; Reproducibility; Exploitability; Affected Users; Discoverability |
|
|
Term
What type of Threats are these to data? 1. unauthorized usage, access, theft, tampering and destruction 2. regulatory noncompliance 3. DOS 4. leakage 5. malware 6. improper sanitization after end of use. |
|
Definition
|
|
Term
What do these threats relate to?
1. DLP 2. Encryption 3. Obfuscation, anonymization, tokenization and masking |
|
Definition
|
|
Term
Cloud Based challenges for what security service?
1. data in cloud tends to replicate (between locations, backups) 2. Admin access - hard to perform discovery and classification 3. can affect performance |
|
Definition
|
|
Term
What type of architecture deals with these items? Data objects; encryption engine; encryption keys |
|
Definition
|
|
Term
Encryption techniques Volume/Object/Data - Instance based |
|
Definition
|
|
Term
Encryption techniques Volume/Object/Data - File Level based |
|
Definition
|
|
Term
|
Definition
| Key Management Interoperability Protocol |
|
|
Term
| Is it Internally / Externally used? Managed Key Storage - database, backup, application |
|
Definition
|
|
Term
| Internally / Externally Managed Key Storage - hardware security module |
|
Definition
|
|
Term
| Data Masking approaches - Uses null data |
|
Definition
|
|
Term
| What type of masking makes a new copy of the data with masked values for non-production |
|
Definition
|
|
Term
What architecture is this referring to?
1. generate PII 2. data is sent to token server 3. token server generates token (both token and data are stored on server) 4. token server returns the token to the application 5. The application replaces the data with token 6. the authorized app/user can request sensitive data |
|
Definition
| Tokenization Architecture |
|
|
Term
Which bit-splitting process is this?
SSMS or AONT-RS?
Three phased process 1. encryption 2. use of information dispersal algorithm (IDA) 3. the fragments of data and keys are distributed to different cloud storage services. |
|
Definition
Secret Sharing Made Short
All-or-nothing provides low computation and storage costs |
|
|
Term
What approaches are these items referring regarding data?
Big data; Realtime analytics; Agile analytics and agile business intelligence |
|
Definition
| Data Discovery Approaches |
|
|
Term
What methods are these used for? 1. Metadata: most common technique 2. Labels: marking data elements being grouped with a tag 3. Content analysis: pattern matching, hashing, statistical and probability analysis |
|
Definition
|
|
Term
| *What is a file management system that allows records to be accessed sequentially or randomly? |
|
Definition
| Indexed Sequential Access Method |
|
|
Term
What issues are these related to?
Poor data quality; Dashboards; Hidden costs |
|
Definition
|
|
Term
| How to prevent poor data quality with EDiscovery? |
|
Definition
| create corporate data governance policy |
|
|
Term
| How to fix dashboard issues for EDiscovery? |
|
Definition
| have an audit trail. Data needs to be encrypted. |
|
|
Term
| How to fix hidden costs due to RAM issues for EDiscovery? |
|
Definition
| Hire skilled techs or purchase prebuilt appliances. |
|
|
Term
What area are these challenges for?
Identifying where the data is; accessing the data; performing preservation and maintenance |
|
Definition
|
|
Term
What are these categories related to? data type; jurisdiction; context; ownership; contractual constraints; trust levels; value, sensitivity and criticality; obligation for retention and preservation |
|
Definition
| Data classification categories |
|
|
Term
What challenges are these related to data? data creation; classification controls: administrative, preventative or compensating; metadata classification; data transformation; reclassification consideration |
|
Definition
|
|
Term
What controls are these related to?
administrative (as guidelines for users); preventative; compensating |
|
Definition
|
|
Term
| *This determines the legal standing of a case |
|
Definition
|
|
Term
| This usually determines the ability of a national court to decide a case or enforce a judgement |
|
Definition
|
|
Term
| What role can be defined as being identified, directly or indirectly, by an ID number |
|
Definition
|
|
Term
| Who oversees access requests and ensures that policies and procedures are enforced |
|
Definition
| definition of cloud steward |
|
|
Term
| Who is a public authority that determines the purpose and means of the processing of personal data |
|
Definition
| definition of cloud controller/owner |
|
|
Term
What do these categories relate to? P&DP law; scope and purpose of the processing; categories of the personal data; categories of the processing to be performed |
|
Definition
| Primary main input entities for data classification for P&DP purposes |
|
|
Term
What do these categories relate to?
Data locations allowed; categories of users allowed; data retention constraints; security measures to be ensured; data breach constraints; status |
|
Definition
| Secondary main input entities for data classification for P&DP purposes |
|
|
Term
*What are these questions related to?
Is the data valuable for additional BCDR methods? Required RPO, RTO; what kind of disasters are included; what is the necessary Recovery Service Level (RSL)? |
|
Definition
|
|
Term
What does this refer to?
Scope; gather requirements and context (risk, threats, and identifying critical business processes and their dependence on specific data); analysis of the plan (translate requirements into input for plan design); risk assessment; plan design |
|
Definition
|
|
Term
*What does this refer to
1. encryption 2. access control 3. agnostic to the location of the data 4. can protect all data objects 5. base for the default Information Protection Policy |
|
Definition
|
|
Term
What does this refer to?
1. Each resource be provisioned with an access policy 2. Access to resources is granted via RBAC 3. Identify infrastructure 4. Force end users to install IRM agent for key storage or authentication 5. Reader software should be IRM aware. |
|
Definition
|
|
Term
*What does this refer to?
1. Persistent protection: documents are always protected 2. Dynamic policy control: Allows owners to define and change user permissions 3. Audit trails 4. Automatic expirations 5. maps to repository ACLs 6. integrates with auth, email filtering |
|
Definition
|
|
Term
What area do these policies relate to? retention periods; data formats; data security; data-retrieval procedures for the company |
|
Definition
|
|
Term
What are these referring to?
legislation requirements; data mapping; data classification; data retention procedure; monitoring and maintenance |
|
Definition
| Data retention Challenges |
|
|
Term
| *What is data based on location, compliance, ownership or business usage - its value |
|
Definition
|
|
Term
What do these procedures relate to? 1. data-encryption 2. data-monitoring (maintain data governance) 3. ability to perform e-discovery and granular retrieval 4. backup and DR options 5. data format and media type 6. data restoration procedures |
|
Definition
| data archiving procedures |
|
|
Term
What capabilities do these relate to?
1. Data aggregation 2. correlation 3. alerting 4. dashboards 5. compliance 6. retention 7. forensics |
|
Definition
|
|
Term
| Software Defined Network Layer / Plane- configuring the control plane |
|
Definition
| application layer / management plane |
|
|
Term
Main file system deals with these issues?
Data consistency is achieved eventually. Used for data that doesn't change that often. |
|
Definition
|
|
Term
*What risks are these items related to?
1. Management plane breach 2. resource exhaustion 3. Isolation control failure 4. Insecure data deletion 5. control conflict risk 6. software related risks 7. single points of failure |
|
Definition
| Cloud-specific risks related to cloud infrastructure |
|
|
Term
What area of cloud risk are these referring to? 1. Guest breakout 2. snapshot and image security 3. Sprawl - lose control of amount of content |
|
Definition
|
|
Term
What are these referring to?
1. Tabletop 2. Walk-through drill/ simulation 3. functional drill / parallel 4. full interruption / full-scale |
|
Definition
|
|
Term
What do these situations deal with?
The data became public; an employee accessed the app; process or data was tampered; process failing; app was inaccessible |
|
Definition
| Potential situations with CSP applications |
|
|
Term
| What defines the start and the end of the message for SOAP? |
|
Definition
|
|
Term
Challenges of what area of security?
1. on premises performance vs. cloud 2. new training and awareness 3. lack of documentation ISO 12207 4. complexities of integration 5. overarching challenges (multi-tenancy and third party admins) |
|
Definition
|
|
Term
What steps are these referring to?
1. requirement gathering 2. requirement analysis 3. designing overall system architecture (threat modeling and secure design) 4. developing code (review and testing) 5. testing |
|
Definition
|
|
Term
| What tech uses a config mgmt system and automatically enforces the correct state. |
|
Definition
|
|
Term
| What tech is used to automate build, deploy and manage infrastructure |
|
Definition
|
|
Term
| What goals are related to configs being updated and consistency in versioning? |
|
Definition
| Goals of Software configuration mgmt |
|
|
Term
What activities do these refer to?
1. dynamic analysis 2. vulnerability assessments 3. activity monitoring 4. layer-7 firewalls |
|
Definition
| secure operations phase activities |
|
|
Term
What are these items referring to as related to NIST?
1. describe their current cybersecurity posture 2. target state 3. identify and prioritize opportunities for improvement 4. assess progress toward target 5. communicate among stakeholders |
|
Definition
|
|
Term
What do these benefits relate to? 1. Programmatic control and access 2. automation 3. integration with third party tools |
|
Definition
|
|
Term
What components do these refer to?
Self-service; Registration; password mgmt; provisioning |
|
Definition
| Identity management components |
|
|
Term
What do these components refer to?
1. authentication 2. authorization 3. federation 4. policy management 5. Identity repository |
|
Definition
| access management components |
|
|
Term
What do these refer to? SAML; WS-Federation - uses realms; OpenID Connect - web developers; OAuth - web and mobile apps |
|
Definition
|
|
Term
| *What is the term to define credential synchronization? |
|
Definition
|
|
Term
What are these devices classified as?
1. WAF 2. Database activity monitoring Agent-DAM or network-(NDAM) 3. XML gateways - secures APIs, DLP and antivirus services 4. Firewalls 5. API Gateway - filters API traffic |
|
Definition
| supplemental security devices |
|
|
Term
| *What allow for the generation of tokens (authentication) in one domain and the consumption (authorization) in another domain? |
|
Definition
|
|
Term
| *What service allows business entities to make assertions regarding the identity, attributes and entitlements of a subject to other entities |
|
Definition
| SAML (security assertion markup language) |
|
|
Term
What are these providers related to?
Identity provider holds identities and generates tokens; the relying party is the service provider that consumes the tokens |
|
Definition
| Federated identity providers |
|
|
Term
*What framework are these referring to?
1. business context (all policies and standards) 2. regulatory context 3. technical context 4. specifications 5. roles, responsibilities and qualifications 6. processes 7. application security control library |
|
Definition
| organizational normative framework (ONF) |
|
|
Term
| What framework's purpose is to achieve a required level of security or trust for an app? |
|
Definition
|
|
Term
*What process are these items referring to? 1. specifying the application requirements 2. assessing application risks 3. creating and maintaining the ANF 4. provisioning and operating the application 5. auditing |
|
Definition
ASMP (application security management process) |
|
|
Term
| Static Application Security Testing (SAST) |
|
Definition
| white box testing performed while the code is under development |
|
|
Term
| Dynamic Application Security Testing (DAST) |
|
Definition
| black box testing. Analyze code in running state. Tests exposed HTTP and HTML interfaces of web applications |
|
|
Term
| Runtime Application Self-Protection (RASP) |
|
Definition
| self-protecting and reconfiguring automatically without human intervention |
|
|
Term
What primary area do these cover for cloud computing? communication access; secure communications; secure storage; backup and DR |
|
Definition
| Cloud Data Center Key Areas |
|
|
Term
What secondary area do these cover for cloud computing?
1. segregation of duties 2. monitor network traffic 3. use of APIs 4. Logical design decisions can be enforced and monitored 5. use of SDN |
|
Definition
| Cloud Data Center Secondary Areas |
|
|
Term
What levels do these refer to?
1. compute nodes 2. management plane 3. storage nodes 4. control plane 5. network |
|
Definition
|
|
Term
What are these key areas related?
communications access; user access profiles; secure communication within and across the management plane; secure storage; DR |
|
Definition
| key areas for logical design of a data center |
|
|
Term
What are these key areas related?
segregation of duties; design for monitoring of network traffic; automation and the use of APIs; logical design decisions that are enforced and monitored; SDN tools |
|
Definition
| other logical design considerations |
|
|
Term
logical design levels of separation
Compute nodes; Management plane; Storage nodes; control plane; network |
|
Definition
|
|
Term
| Environmental Design Considerations |
|
Definition
Temp and Humidity; HVAC Considerations; Air Management for Data Centers; Cable Management; Aisle Separation and Consideration; HVAC design consideration |
|
|
Term
| Secure Config of Hardware - Best Practices |
|
Definition
Servers; Storage Controllers; Network Controllers; Virtual Switches |
|
|
Term
Best practices for Servers
secure build; secure initial config; host hardening, patching and lockdown; ongoing maintenance |
|
Definition
|
|
Term
| iSCSI authentication types |
|
Definition
Kerberos; Secure Remote Password; Simple Public-key mechanism; CHAP |
|
|
Term
| *What is a secure communication method that uses hashes? |
|
Definition
|
|
Term
*What technology uses this level security?
1. lock down switches so servers can't be moved. 2. networks with live migrations can be sniffed 3. don't mix external and internal traffic |
|
Definition
|
|
Term
| Tier Level for Basic site infrastructure |
|
Definition
|
|
Term
| Tier Level for Redundant Site Infrastructure Capacity Components |
|
Definition
|
|
Term
| Tier Level for Concurrently maintainable site infrastructure |
|
Definition
|
|
Term
| Tier Level for fault-tolerant site |
|
Definition
|
|
Term
Techniques for securing data
defense in depth; access control; auditing and monitoring; maintenance |
|
Definition
|
|
Term
|
Definition
1. TLS record protocol - provides connection security and ensures that the connection is private and reliable 2. TLS handshake protocol: Allows the client and the server to authenticate each other. |
|
|
Term
What threats are these towards
1. Footprinting 2. DOS 3. Data modification 4. Redirection 5. Spoofing |
|
Definition
|
|
Term
What type of management do these refer to?
no service standardization; change management tools need to be used; patch tools need to be scalable; testing of patches; multiple time zones; VM suspension and snapshot |
|
Definition
|
|
Term
What factors do these refer to? volume; bandwidth; online/offline; data storage; security; time to analyze |
|
Definition
|
|
Term
| *2 types of clustered storage |
|
Definition
tightly coupled: fixed size, max performance; loosely coupled: cost effective, grow as needed |
|
|
Term
What type of management do these refer to?
The development of new configs; quality evaluation of config changes; changing systems, testing; prevention of unauthorized changes |
|
Definition
|
|
Term
What type of management do these refer to?
respond to customer's changing business requirements; respond to requests that align services with business needs; ensure that changes are recorded and evaluated; ensure that changes are prioritized, planned, tested, implemented and documented; ensure that all changes to CIs are recorded; optimize business risk |
|
Definition
|
|
Term
What type of management do these refer to?
definitions of an incident; roles and responsibilities of incident response; requirements; media coordination; legal and regulatory requirements |
|
Definition
|
|
Term
|
Definition
|
|
Term
What type of management do these refer to?
1. define and agree upon deployment plan 2. create and test release packages 3. ensure the integrity of release packages 4. record and track all packages 5. manage stakeholders 6. check delivery of utility and warranty (SLA) 7. manage risks 8. ensure knowledge transfer |
|
Definition
| release and deployment management |
|
|
Term
| *Three steps for quantitative risk assessment |
|
Definition
1. Initial mgmt approval 2. Construction of team 3. Review of information |
|
|
Term
|
Definition
| Single Loss Expectancy - provide estimate of loss |
|
|
Term
|
Definition
| SLE = asset value x exposure factor (loss due to successful threat exploit as a percent) |
|
|
Term
|
Definition
| Annualized Loss Expectancy |
|
|
Term
|
Definition
| Annualized rate of occurrence. How often a threat will be successful |
|
|
Term
|
Definition
|
|
Term
What do these factors relate to?
Skill; Ease of access; Incentive; Resource |
|
Definition
|
|
Term
| What is it called when you Provision the remaining resources when there is contention? |
|
Definition
|
|
Term
| Items that are disabled in Maintenance mode |
|
Definition
|
|
Term
What security group are these challenges for?
control over data; multitenancy; data volatility - no persistent storage; evidence acquisition |
|
Definition
|
|
Term
What do these factors relate to? (for readiness)
Auditing; database of file hashes; backups; data retention policies |
|
Definition
|
|
Term
| How is the data access managed within SAAS? |
|
Definition
|
|
Term
network forensic use cases
uncovering proof of attack; troubleshooting performance issues; monitoring activity for compliance; sourcing data leaks; creating audit trails for business transactions |
|
Definition
|
|
Term
What steps do these relate to?
1. gather evidence - recorded in evidence log 2. storing evidence 3. removed 4. transported 5. any action, test, process that will be done 6. any action that is done |
|
Definition
|
|
Term
|
Definition
| BCM is a holistic approach to identify potential threats and business impacts. BC is defined by the capabilities to keep availability high |
|
|
Term
| continual service improvement management |
|
Definition
release and deploy and change mgmt; release and deploy and config mgmt; release and deploy and avail mgmt; release and deploy and helpdesk; config and availability mgmt; config and change mgmt; service-level and change mgmt |
|
|
Term
| What ISO refers to Security Techniques for IS Controls for Cloud Services? |
|
Definition
|
|
Term
|
Definition
Org for Economic Cooperation and Development: national privacy standards; privacy mgmt programs; data security breach notification |
|
|
Term
|
Definition
| Asia-Pacific Economic Cooperation |
|
|
Term
|
Definition
Privacy Framework: privacy as international; electronic trading environment and the effects of cross-border |
|
|
Term
What privacy guideline are these for? quality of data - lawfully collected; legitimacy of data processing - consent; special categories of processing - no racial or ethnic origin; info given to subject - confirmation, erasure; exemptions and restrictions; right to object processing; notification of processing to superior; scope - right to court for any breach |
|
Definition
| EU Data Protection Directive guidelines |
|
|
Term
| What is a set of rights, obligations and remedies for relief of persons suffering from harm from wrongful acts of others |
|
Definition
|
|
Term
What law do these objectives meet? compensation; shifts cost to people responsible; discourages bad behavior; vindicate legal rights |
|
Definition
|
|
Term
What Law does this refer to?
human rights to privacy, protection of individuals with regard to the processing of personal data and on the free movement of data |
|
Definition
|
|
Term
What law does this refer to?
1. concept of consent 2. transfers abroad 3. right to be forgotten 4. establishment of the role of the data protection officer 5. access requests 6. home state regulation 7. increased sanctions |
|
Definition
|
|
Term
|
Definition
|
|
Term
SOC level and type?
report on management's description of the service org's system and the suitability of the design of the controls |
|
Definition
|
|
Term
What challenges do these relate to?
define audit requirements; verify that all regulatory and legal obligations will be satisfied as part of NDA; establish report and communication lines between CSP and client; ensure operational procedures BC |
|
Definition
| Cloud Governance Challenges |
|
|
Term
What components do these deal with?
uptime guarantees; penalties; penalty exclusions; suspension of service; provider liability; data protection requirements; disaster recovery; security recommendations |
|
Definition
|
|
Term
What do these elements deal with?
Assessment of risk environment; risk profile; risk appetite; responsibilities; regulatory requirements; risk mitigation; risk framework |
|
Definition
|
|
Term
| CSA STAR - Self Assessment, What Level? |
|
Definition
|
|
Term
|
Definition
|
|
Term
What risk do these factors relate to?
listing of all dependencies on third parties coupled with the key suppliers; single points of failure; prioritize contracts based on potential risk |
|
Definition
|
|
Term
| independent cert by third party reviews these elements |
|
Definition
security mgmt policy; org objectives; risk-mgmt programs; documented practices and records; supplier relationships; roles and responsibilities; use of PDCA; organizational procedures |
|
|
Term
| *Five basic principles of governance |
|
Definition
auditing supply chain; board and management structure and process; corporate responsibility and compliance; financial transparency and info disclosure; ownership structure and exercise control rights |
|
|
Term
|
Definition
| raw, object and volume storage and CDN |
|
|
Term
| PAAS provides the following storage options |
|
Definition
| Database as a service, Big Data and Application Storage |
|
|
Term
|
Definition
| databases, object/file storage, volume storage |
|
|
Term
|
Definition
information storage and management file / content storage |
|
|
Term
|
Definition
| Information and Communication Technology & Supply Chain Risk Management |
|
|
Term
| *What are the four Pillars of Supply Chain? |
|
Definition
Integrity Security Resilience Quality |
|
|
Term
| *What are the two steps to manage unapproved data moving? |
|
Definition
1. Monitor data migrations with DAM and FAM 2. Monitor data moving with URL filtering and DLP |
|
|
Term
| Data Controls restrict potential / allowed actions from what three categories? |
|
Definition
| Location (where), Actor (who), Function (What) |
|
|
Term
What type of encryption is this related to?
prevents snapshot cloning; prevents cloud admins from viewing data; prevents data exposure from physical loss of drives |
|
Definition
| Purpose of volume storage encryption |
|
|
Term
| *content discovery and its policies are based on three aspects (used for DLP) |
|
Definition
data classification; info type; data structure |
|
|
Term
| *Instance managed encryption |
|
Definition
| Protected by passphrase or keypair, and key is stored in volume |
|
|
Term
| *3 types of object storage encryption |
|
Definition
1. Client / Application 2. Proxy 3. File / Folder and DRM |
|
|
Term
| *Attribute based credentials are used to protect privacy by doing what? |
|
Definition
| by using a digital secret key and allowing their holder to transform them into a new credential that contains only a subset of the attributes in the original credential. |
|
|
Term
| *What two things should be done before migrating it to the cloud |
|
Definition
| encrypt data and remove metadata |
|
|
Term
| Essential Characteristics of cloud computing |
|
Definition
Rapid elasticity; on-demand service; measured service; broad network access; resource pooling |
|
|
Term
| Allows management and other forms of interaction with the infrastructure by consumers. |
|
Definition
|
|
Term
| * 4 dimensions of Jericho cloud cube model |
|
Definition
1. outsourced / insourced 2. perimeterized / de-perimeterized 3. open / proprietary 4. external / internal |
|
|
Term
| Jericho model - Securing De-perimeterization |
|
Definition
| data would be encapsulated with meta-data |
|
|
Term
| Jericho model - optimum flexibility and collaboration |
|
Definition
De-perimeterization; Open; External; Outsourced |
|
|
Term
| 5 basic principles of corporate governance |
|
Definition
1. auditing supply chains 2. board and mgmt structure and process 3. corporate responsibility and compliance 4. financial transparency and info disclosure 5. ownership structure and exercise of control rights |
|
|
Term
| 4 risk response strategy categories |
|
Definition
avoidance; reduction; share or insure; accept |
|
|
Term
| *2 mechanisms to automate monitoring and testing of cloud supply chains |
|
Definition
Cloud Audit; Cloud Trust Protocol |
|
|
Term
| *2 ways to access object storage |
|
Definition
|
|
Term
| What term is used for distributed object storage? |
|
Definition
|
|
Term
| *proxy based encryption is used for |
|
Definition
|
|
Term
| link/network encryption examples |
|
Definition
|
|
Term
| client/application encryption |
|
Definition
| data is encrypted before sending out. agent based |
|
|
Term
| Three ediscovery categories |
|
Definition
Possession Control Custody |
|
|
Term
|
Definition
| between application and data layer to protect the production environment. |
|
|
Term
|
Definition
| handshake (communication) and record (encrypt) |
|
|
Term
| *WS-security standards use the following programming standards |
|
Definition
|
|
Term
| What protocol does the REST API rely on |
|
Definition
|
|
Term
| What feature does REST have that SOAP doesn't? |
|
Definition
|
|
Term
| Difference between IDCA - International Data Center Authority and Uptime Institute |
|
Definition
IDCA: viewed on a macro level
Uptime Institute: developed the four tiers for data centers |
|
|
Term
| SIEM performs 5 functions |
|
Definition
1. searching 2. alerting 3. reporting 4. correlation 5. aggregation |
|
|
Term
| Dynamic resource scheduling vs. dynamic optimization |
|
Definition
dynamic optimization: constantly maintaining that resources are available
dynamic resource scheduling: balancing compute loads between hosts to stay within thresholds |
|
|
Term
|
Definition
| EDiscovery international standard |
|
|
Term
|
Definition
| Standard for Privacy with Cloud Computing |
|
|
Term
|
Definition
| Contains any optional attributes of the message used in processing the message, either at an intermediary point or at the ultimate end-point |
|
|
Term
| What protocol and language does SOAP when making a POST |
|
Definition
|
|
Term
| EAL - Functionally Tested |
|
Definition
|
|
Term
| EAL - Structurally tested |
|
Definition
|
|
Term
| EAL - Methodology tested and checked |
|
Definition
|
|
Term
| EAL - Methodology designed, tested and reviewed |
|
Definition
|
|
Term
| EAL - Semi-formally designed and tested |
|
Definition
|
|
Term
| EAL - Semi-formally verified design and tested |
|
Definition
|
|
Term
| EAL - Formally verified design and tested |
|
Definition
|
|
Term
| *Five main service aspects of ITIL |
|
Definition
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement |
|
|
Term
| Model for enterprise architecture and service management and for delivering security infrastructure |
|
Definition
|
|
Term
| Model that offer high-end design approach to avoid lock-in, comm problems throughout lifecycle |
|
Definition
|
|
Term
| *Regarding IAM, what is the Step after provisioning IAM |
|
Definition
| 2. centralized directory services |
|
|
Term
| *Regarding IAM, what is the Step after centralized directory services |
|
Definition
| 3. Privileged user management |
|
|
Term
| *Regarding IAM, what is the Step after privileged user mgmt |
|
Definition
| 4. authentication and access management |
|
|
Term
Security concerns for IAAS, PAAS or SAAS Multitenancy |
|
Definition
|
|
Term
Security concerns for IAAS, PAAS or SAAS Co-location |
|
Definition
|
|
Term
Security concerns for IAAS, PAAS or SAAS Hypervisor security |
|
Definition
|
|
Term
Security concerns for IAAS, PAAS or SAAS Network security |
|
Definition
|
|
Term
Security concerns for IAAS, PAAS or SAAS Virtual Machine Attacks |
|
Definition
|
|
Term
Security concerns for IAAS, PAAS or SAAS Virtual switch |
|
Definition
|
|
Term
Security concerns for IAAS, PAAS or SAAS DOS |
|
Definition
|
|
Term
*Security concerns for IAAS, PAAS or SAAS System Isolation |
|
Definition
|
|
Term
*Security concerns for IAAS, PAAS or SAAS User Permission |
|
Definition
|
|
Term
*Security concerns for IAAS, PAAS or SAAS User Access |
|
Definition
|
|
Term
*Security concerns for IAAS, PAAS or SAAS Web Application Security |
|
Definition
|
|
Term
*Security concerns for IAAS, PAAS or SAAS Malware and admin nightmares |
|
Definition
|
|
Term
*Security concerns for IAAS, PAAS or SAAS data policies |
|
Definition
|
|
Term
*Security concerns for IAAS, PAAS or SAAS Data protection and confidentiality |
|
Definition
|
|
Term
|
Definition
| Extensible Access Control Markup Language |
|
|
Term
|
Definition
Data breaches
DoS
Abuse of cloud services
Data loss
Account hijacking
Insecure APIs
Malicious insiders
Insufficient due diligence
Shared technology issues |
|
|
Term
| 5 Basic principles of governance |
|
Definition
Auditing supply chains
Board and management structures and process
Corporate responsibility and compliance
Financial transparency and information disclosure
Ownership structure and exercise of control rights |
|
|
Term
What issues are these for: Possession, control and custody |
|
Definition
|
|
Term
| Process data function uses what data lifecycle |
|
Definition
|
|
Term
| Store data function uses what data lifecycle |
|
Definition
|
|
Term
| Access data function uses what data lifecycle? |
|
Definition
|
|
Term
|
Definition
Least privilege
Segregation of duties
Defense in depth
Fail safe – keep integrity if the cloud is down
Economy of mechanism – prevents unintended access paths
Complete mediation
Open design
Least common mechanism
Weakest link |
|
|
Term
|
Definition
| Identity Entitlement and Access |
|
|
Term
| IDEA capabilities affect governance, integration and user experience |
|
Definition
|
|
Term
| How to defend against spoofing |
|
Definition
| authentication and DNSSEC |
|
|
Term
| *How to defend against tampering |
|
Definition
|
|
Term
| *How to defend against repudiation |
|
Definition
|
|
Term
| How to defend against information disclosure |
|
Definition
|
|
Term
| *How to defend against DOS |
|
Definition
|
|
Term
| *How to defend against elevation of privileges |
|
Definition
|
|
Term
What is the purpose of these categories? Config mgmt. Business logic Auth Authorization Session mgmt Data validation dOS web services AJAX |
|
Definition
| OWASP SDLC testing categories |
|
|
Term
|
Definition
| representational state transfer |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Simple Object Access Protocol |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
*Programmatic control and access Automation Integration with 3rd party tools |
|
Definition
|
|
Term
SAML 2.0 WS-Federation - not widely used OpenID Connect - web developers Oauth - web and mobile apps Shibboleth - schools |
|
Definition
|
|
Term
|
Definition
| dynamic application security testing |
|
|
Term
| DAST used to test what protocol and programming language? |
|
Definition
|
|
Term
|
Definition
| Runtime application self-protection |
|
|
Term
|
Definition
| Cloud Application Management for Platforms |
|
|
Term
| *used in a PaaS framework for managing platform services over the REST protocol, and documents them |
|
Definition
|
|
Term
|
Definition
| directory information base |
|
|
Term
|
Definition
| directory information tree |
|
|
Term
| namespace is hierarchical with what protocol? |
|
Definition
|
|
Term
Security Requirements for what? 1. authentication 2. access control 3. encryption 4. activity monitoring |
|
Definition
|
|
Term
|
Definition
| Information security management systems – requirements |
|
|
Term
|
Definition
| Application Security Management Process |
|
|
Term
*Specifying the application requirements and environment
Assessing application security risks
Creating and maintaining the application normative framework
Provisioning and operating the application
Auditing the security of the application |
|
Definition
Application Security Management Process ISO 27034-1 |
|
|
Term
*What framework has these processes?
1. Business context
2. Regulatory context
3. Specifications
4. Roles and responsibilities
5. Processes
6. Application security control library |
|
Definition
|
|
Term
|
Definition
| Organizational Normative Framework |
|
|
Term
|
Definition
| Application Security Management Process |
|
|
Term
*Purpose of the following steps?
Establish the ONF
Application security risk management
Establish the ANF
Implement security in the ANF
Verify the application |
|
Definition
|
|
Term
|
Definition
| Application Normative Framework |
|
|
Term
| What Identifies the relevant elements from the ONF which are applicable to the target business project. |
|
Definition
|
|
Term
|
Definition
| It will contain regulations, laws, best practices, roles & responsibilities accepted by the organization. |
|
|
Term
|
Definition
Development standard for software applications
Application project management standard
Software Development Lifecycle (SDLC) standard |
|
|
Term
|
Definition
| Cloud service security controls for CSP and cloud customers (Code of practice) |
|
|
Term
*What ISO is this related to?
1. Shared roles and responsibilities within a cloud computing environment
2. Removal and return of cloud service customer assets upon contract termination
3. Protection and separation of a customer's virtual environment from that of other customers
4. Virtual machine hardening requirements to meet business needs
5. Procedures for administrative operations of a cloud computing environment
6. Enabling customers to monitor relevant activities within a cloud computing environment
7. Alignment of security management for virtual and physical networks |
|
Definition
|
|
Term
|
Definition
| Create an internal information security management system |
|
|
Term
|
Definition
| Cloud Computing Security and Privacy Management System-Security Controls |
|
|
Term
|
Definition
Cloud Computing Privacy techniques
Address the privacy aspects of cloud computing for consumers and is the first international set of privacy controls in the cloud. |
|
|
Term
|
Definition
|
|
Term
|
Definition
| Risk management guidelines not for certification (for design and implementation) |
|
|
Term
|
Definition
| Cloud Computing reference architecture |
|
|
Term
|
Definition
| Cloud Computing - overview and vocabulary |
|
|
Term
|
Definition
| implementing ISO 27001 controls |
|
|
Term
|
Definition
| Supplier chain management |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
What is this?
Enacted in the United States in 1986 as part of the Electronic Communications Privacy Act. It provides privacy protections for certain electronic communication and computing services from unauthorized access or interception |
|
Definition
|
|
Term
|
Definition
1. data in cloud tends to replicate (between locations, backups) 2. Admin access - hard to perform discovery and classification 3. DLP tech can affect performance |
|
|
Term
| *Encryption Challenge - Integrity |
|
Definition
|
|
Term
| *Encryption Challenge - Portability |
|
Definition
|
|
Term
| *Encryption Challenge - Multitenant |
|
Definition
|
|
Term
| *Encryption Challenge - Availability |
|
Definition
| keys may be compromised or lost |
|
|
Term
| patch management challenges |
|
Definition
• no service standardization
• change management tools need to be used
• patch tools need to be scalable
• testing of patches
• multiple time zones
• VM suspension and snapshots (a suspended or snapshotted VM misses the patch window) |
|
|
Term
| An open source cloud computing and Infrastructure as a Service (IaaS) platform for enabling private clouds. |
|
Definition
|
|
Term
| *Four Pillars of Supply Chain |
|
Definition
Integrity
Security
Resilience
Quality |
|
|
Term
| static vs dynamic masking |
|
Definition
Static: makes a masked copy of the data (e.g. for test or development)
Dynamic: applied to production data on the fly, between the application and data layers |
|
|
Term
|
Definition
1. concept of consent 2. transfers abroad 3. right to be forgotten 4. establishment of the role of the data protection officer 5. access requests 6. home state regulation 7. increased sanctions |
|
|
Term
|
Definition
| Asia-Pacific Economic Cooperation Privacy Framework |
|
|
Term
|
Definition
- privacy as an international issue
- the electronic trading environment and the effects of cross-border data flows |
|
|
Term
|
Definition
| Org for Economic Cooperation and Development |
|
|
Term
What ITIL management is this?
The development of new configurations
Quality evaluation of configuration changes
Changing systems, testing
Prevention of unauthorized changes |
|
Definition
|
|
Term
What ITIL management is this?
respond to the customer's changing business requirements
respond to requests that align services with business needs
ensure that changes are recorded and evaluated
ensure that changes are prioritized, planned, tested, implemented and documented
ensure that all changes to CIs are recorded
optimize business risk |
|
Definition
|
|
Term
What management is this?
1. define and agree upon a deployment plan
2. create and test release packages
3. ensure the integrity of release packages
4. record and track all packages
5. manage stakeholders
6. check delivery of utility and warranty (SLA)
7. manage risks
8. ensure knowledge transfer |
|
Definition
|
|
Term
scope and purpose of the processing
categories of the personal data
categories of the processing to be performed |
|
Definition
|
|
Term
| What is config mgmt system and automatically enforces the correct state. |
|
Definition
|
|
Term
| Managing Threats - data breaches |
|
Definition
proper segmentation and isolation
encryption and offsite backups |
|
|
Term
| Managing Threats - insufficient identity credentials |
|
Definition
|
|
Term
| *Managing Threats - insecure APIs |
|
Definition
| proper encryption and authorization |
|
|
Term
| Managing Threats - account hijacking |
|
Definition
|
|
Term
| Managing Threats - malicious insiders |
|
Definition
Client-side key management
Monitoring and logging |
|
|
Term
|
Definition
|
|
Term
| Managing Threats - data loss |
|
Definition
|
|
Term
| Mitigate Injection threat |
|
Definition
validate and sanitize inputs
use safe (parameterized) APIs |
|
|
Term
| mitigate broken authentication |
|
Definition
| secure authentication and session tokens |
|
|
Term
|
Definition
| validation and sanitation of data input |
|
|
Term
| mitigate insecure direct object reference |
|
Definition
| Use per user or session indirect object references and access control check |
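As an added example (not from the original deck), the per-session indirect reference pattern beside the vulnerable direct lookup it replaces. The invoice table, user names and reference format are constructed for illustration. The point the card makes is that both halves are needed: the indirect map stops ID guessing, and the ownership check on the resolved object still has to run.

```python
import secrets
from typing import Dict, Optional

# Constructed sample data: two users, one invoice each (hypothetical IDs).
INVOICES = {
    1001: {"owner": "alice", "total": 120.0},
    1002: {"owner": "bob", "total": 75.5},
}


class Session:
    """Per-session indirect reference map: opaque token <-> real object ID."""

    def __init__(self, user: str) -> None:
        self.user = user
        self._ref_to_id: Dict[str, int] = {}
        self._id_to_ref: Dict[int, str] = {}

    def reference_for(self, real_id: int) -> str:
        # Create the opaque reference on first use. Only objects that passed
        # the ownership check are ever put in the map, so the map is also an
        # allow-list of what this session may later dereference.
        if real_id not in self._id_to_ref:
            ref = secrets.token_urlsafe(8)
            self._ref_to_id[ref] = real_id
            self._id_to_ref[real_id] = ref
        return self._id_to_ref[real_id]

    def resolve(self, ref: str) -> Optional[int]:
        return self._ref_to_id.get(ref)


def list_invoices(session: Session) -> Dict[str, float]:
    """Render the session user's invoices keyed by opaque reference, so the
    database ID never reaches the client."""
    return {
        session.reference_for(inv_id): inv["total"]
        for inv_id, inv in INVOICES.items()
        if inv["owner"] == session.user
    }


def get_invoice_insecure(user: str, invoice_id: int) -> Optional[dict]:
    """The vulnerable pattern: the client supplies the real ID and `user` is
    never consulted, so any authenticated user can read any invoice."""
    return INVOICES.get(invoice_id)


def get_invoice(session: Session, ref: str) -> Optional[dict]:
    """Hardened lookup: dereference through the session map, then still run
    the access-control check on the resolved object. Deny by default."""
    real_id = session.resolve(ref)
    if real_id is None:
        return None  # reference was never issued to this session
    inv = INVOICES.get(real_id)
    if inv is None or inv["owner"] != session.user:
        return None  # ownership check failed (e.g. object reassigned since listing)
    return inv
```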
|
|
Term
| Managing Threats - security misconfiguration |
|
Definition
| change and config management |
|
|
Term
| Managing Threats - sensitive data |
|
Definition
| encryption and secure communications |
|
|
Term
| *Managing Threats - multi-function access controls |
|
Definition
|
|
Term
|
Definition
verify standard headers (Origin, Referer) to confirm the request's source origin matches the target origin
check the CSRF token
double-submit cookies
CSRF tokens (unique per session, random value)
encrypted token pattern
custom request header
CAPTCHA
re-authentication
one-time token |
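Two of the defenses on this card, the origin-header check and the per-session synchronizer token, implemented together as an added example (not code from the original deck). The application origin, session IDs and request dictionaries are constructed; a real framework would pull the same values from the HTTP request object.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # hypothetical origin of the protected application


class CsrfGuard:
    """Synchronizer-token pattern combined with an Origin/Referer check.

    The token is random and unique per session; it is embedded in forms as a
    hidden field and compared on every state-changing request."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # session id -> token

    def issue_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    @staticmethod
    def source_origin(headers: Dict[str, str]) -> Optional[str]:
        """Where did the request come from? Prefer Origin, fall back to the
        Referer's scheme and host. A browser sets these on a cross-site form
        post and a page on another site cannot forge them."""
        origin = headers.get("Origin")
        if origin:
            return origin
        referer = headers.get("Referer")
        if referer:
            parts = urlsplit(referer)
            return f"{parts.scheme}://{parts.netloc}"
        return None

    def check(self, session_id: str, headers: Dict[str, str],
              form: Dict[str, str]) -> Tuple[bool, str]:
        # Step 1: source origin must equal the target origin.
        if self.source_origin(headers) != SITE_ORIGIN:
            return False, "origin mismatch"
        # Step 2: the token in the body must match the one tied to the session.
        expected = self._tokens.get(session_id)
        supplied = form.get("csrf_token", "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return False, "bad csrf token"
        return True, "ok"
```

A request that is missing both headers is rejected as well; that is deliberate, since a browser-initiated cross-site request should never be accepted only because its source is unknown.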
|
|
Term
| Managing Threats - forwards and redirects |
|
Definition
| prevent injection into the redirect target (validate destinations against an allow-list) |
|
|
Term
What are these?
Self-service registration
Password management
Provisioning |
|
Definition
| Identity management components |
|
|
Term
|
Definition
|
|
Term
|
Definition
1. after the link is established, the authenticator sends a challenge message to the peer
2. the peer responds with a value computed with a one-way hash over the challenge and the shared secret
3. if the hashes match, the authentication is acknowledged
4. the authenticator repeats the challenge at random intervals |
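The four-step exchange above, written out with both sides' messages as an added example (not from the original deck). The hash construction follows RFC 1994 (MD5 over the identifier octet, the secret and the challenge); the authenticator, peer and secret database are constructed for illustration. The secret never crosses the link, and each challenge is consumed once so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    def __init__(self, secrets_db: Dict[str, bytes]) -> None:
        self._db = secrets_db
        self._pending: Dict[int, bytes] = {}  # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1 (and step 4 when called again): send a fresh random challenge."""
        self._next_id = (self._next_id + 1) % 256
        chal = secrets.token_bytes(16)
        self._pending[self._next_id] = chal
        return self._next_id, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash from the stored secret and compare.
        The challenge is popped so the same response cannot be replayed."""
        chal = self._pending.pop(identifier, None)
        secret = self._db.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


class Peer:
    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        """Step 2: answer with the hash; only name and digest go on the wire."""
        return self.name, chap_response(identifier, self._secret, challenge)


def run_chap(auth: Authenticator, peer: Peer) -> bool:
    """One full challenge/response round; call repeatedly for step 4."""
    ident, chal = auth.challenge()
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)
```

MD5 is kept here because that is what the protocol specifies; the security of CHAP rests on the challenge being fresh and random, not on the strength of the digest, and the shared secret has to be stored in recoverable form on the authenticator.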
|
|
Term
Encryption techniques Volume/Object/Data - Application Level based |
|
Definition
|
|
Term
Encryption techniques Volume/Object/Data - Transparent based |
|
Definition
| Data (Keys reside within the instance or with a KMS) |
|
|
Term
| Data Masking approaches - Shuffle |
|
Definition
| values from the same column |
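The static-versus-dynamic distinction from the masking card above and the shuffle approach on this card, shown together in one added example (not from the original deck). The customer table, the role names and the partial card-number format are constructed; real masking products implement the same two placements, a masked copy for non-production use and an in-line proxy that rewrites production results on the fly.

```python
import random
from copy import deepcopy
from typing import Dict, List, Optional

# Constructed production table (hypothetical customer records, test card numbers).
PRODUCTION: List[Dict[str, object]] = [
    {"id": 1, "name": "Alice Adams", "email": "alice@example.org", "card": "4111111111111111"},
    {"id": 2, "name": "Bob Brown",   "email": "bob@example.org",   "card": "5500000000000004"},
    {"id": 3, "name": "Cara Cole",   "email": "cara@example.org",  "card": "340000000000009"},
]


def shuffle_column(rows: List[Dict[str, object]], column: str, rng: random.Random) -> None:
    """Shuffle masking: every row keeps a real value for `column`, but one
    taken from a different row of the same column, so the value is
    realistic yet no longer tied to the right person."""
    values = [r[column] for r in rows]
    rng.shuffle(values)
    for row, v in zip(rows, values):
        row[column] = v


def partial_mask_card(card: str) -> str:
    return "*" * (len(card) - 4) + card[-4:]


def static_mask(rows: List[Dict[str, object]], seed: int = 0) -> List[Dict[str, object]]:
    """Static masking: build a masked COPY for a test or development
    environment. The production rows are never modified."""
    copy = deepcopy(rows)
    shuffle_column(copy, "name", random.Random(seed))
    for r in copy:
        r["email"] = f"user{r['id']}@masked.invalid"
        r["card"] = partial_mask_card(str(r["card"]))
    return copy


class DynamicMaskingProxy:
    """Dynamic masking: sits between the application and the data layer and
    rewrites results on the fly, per caller role, leaving stored data intact."""

    def __init__(self, table: List[Dict[str, object]], masked_roles=frozenset({"support"})):
        self._table = table
        self._masked_roles = masked_roles

    def select(self, role: str, row_id: int) -> Optional[Dict[str, object]]:
        row = next((r for r in self._table if r["id"] == row_id), None)
        if row is None:
            return None
        if role not in self._masked_roles:
            return dict(row)  # privileged role sees production values
        out = dict(row)
        out["card"] = partial_mask_card(str(row["card"]))
        out["email"] = "***@" + str(row["email"]).split("@", 1)[1]
        return out
```

Shuffling preserves the column's value distribution (useful for realistic test data) but, on a small table, a shuffled value can land back on its own row; static masking of sensitive columns therefore usually combines shuffle with substitution or partial masking, as the card field does here.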
|
|
Term
Which bit-splitting process is this?
1. encrypts and transforms the information and the encryption key into blocks in a way that the information cannot be recovered without using all the blocks, 2. it uses the IDA to split the blocks into m shares that are distributed to different cloud storage services (the same as in SSMS). |
|
Definition
| All or Nothing with Reed Solomon |
|
|
Term
What do these relate to?
Poor data quality Dashboards Hidden costs |
|
Definition
|
|
Term
| Software Defined Network Layers - configure how the packets get moved |
|
Definition
|
|
Term
Software Defined Network Layers - moves packets from one to another |
|
Definition
| Infrastructure Layer (Forwarding Plane) |
|
|
Term
|
Definition
Application layer
Control layer
Infrastructure layer |
|
|
Term
|
Definition
Management plane
Control plane
Forwarding (data) plane |
|
|
Term
| *This determines the legal standing of a case or issue |
|
Definition
|
|
Term
Primary or secondary P&DP law
Scope and purpose of processing
Categories of data
Categories of the processing |
|
Definition
|
|
Term
Primary/secondary data classification
Data location
Categories of users allowed
Data retention
Security measures
Data breach constraints
Status |
|
Definition
|
|
Term
| Three things to understand before determining necessary controls for data protection |
|
Definition
|
|
Term
| people are responsible for data content, context and associated business rules |
|
Definition
|
|
Term
| people responsible for the safe custody, transport and storage of data and the implementation of business rules |
|
Definition
|
|
Term
| people who define distribution and associated policies. legal rights |
|
Definition
|
|
Term
| people who determine the purpose for which the personal data is processed |
|
Definition
|
|
Term
| person who processes data on behalf of the controller |
|
Definition
|
|
Term
What are these protocols used for?
CHAP
SRP
SPKM-1/2
Kerberos |
|
Definition
|
|
Term
| a software architecture style consisting of guidelines and best practices for creating scalable web services. Also an API. |
|
Definition
|
|
Term
| a protocol specification for exchanging structured information in the implementation of web services in computer networks |
|
Definition
|
|
Term
What are these?
directly programmable
agile
centrally managed
programmatically configured
open standards |
|
Definition
| SDN architecture characteristics |
|
|
Term
| Where data elements are grouped with a tag that describes the data. used in google search |
|
Definition
|
|
Term
most useful aspect of data to Ediscovery
|
|
Definition
|
|
Term
| you investigate the data itself by employing pattern matching, hashing, statistical or other analysis |
|
Definition
|
|
Term
| *encrypting entire database or portions |
|
Definition
| transparent encryption. Keys reside within the instance |
|
|
Term
| encryption resides at the application that is utilizing the database |
|
Definition
| application-level encryption (makes indexing, searching and metadata collection challenging) |
|
|
Term
| a framework - a detailed method and a set of supporting tools - for developing an enterprise architecture. It may be used freely by any organization wishing to develop an enterprise architecture for use within that organization |
|
Definition
|
|
Term
SOC 2 Type 1 or 2?
These reports are focused on the systems of a service organization, coupled with the design of the security controls for it and an evaluation on design and intent standpoint |
|
Definition
|
|
Term
SOC 2 Type 1 or 2?
These reports are based on the design and application of the security controls of the service organization's and evaluate the effectiveness |
|
Definition
|
|
Term
| IASE SOC 1 reports are performed how often? |
|
Definition
|
|
Term
| IASE SOC 2 reports are performed how often? |
|
Definition
|
|
Term
What security categories are these from?
communications
logical and physical access controls
monitoring of controls
organization and management
risk management and design
system operations
change management |
|
Definition
| SOC 2 security principles |
|
|
Term
What principles are these from CIA security and privacy |
|
Definition
|
|
Term
What plan are these steps for?
Define objectives
Define scope
Conduct audit
Lessons learned |
|
Definition
|
|
Term
What ISO standard are these principles for?
communication
consent
control
transparency
independent audit |
|
Definition
|
|
Term
*What definition is this for?
designed to assist management in creating an effective privacy program that addresses their privacy obligations, risks, and business opportunities. |
|
Definition
|
|
Term
|
Definition
| Generally Accepted Privacy Principles |
|
|
Term
|
Definition
| Internal Information Security Management System |
|
|
Term
|
Definition
| European Network and Information Security Agency |
|
|
Term
|
Definition
| Risk management for cloud computing |
|
|
Term
What are these the processes of?
searching
identifying
collecting
securing |
|
Definition
|
|
Term
What framework is this referring to? holistic controls and serves a broader purpose. Has requirements for privacy acts |
|
Definition
|
|
Term
|
Definition
|
|
Term
| Purpose of Common Criteria |
|
Definition
| to make claims that their products are secure |
|
|
Term
Features for what security controls?
auditing
expiration
policy control
protection
support for applications and formats |
|
Definition
|
|
Term
| attributes and event types are determined and categories to allow what to occur? |
|
Definition
|
|
Term
What SDN plane is this
hypervisor
storage
computing
network |
|
Definition
|
|
Term
| *Use of automation for tasks such as provisioning, scaling and allocating resources |
|
Definition
|
|
Term
| What is the maintenance of resources to ensure they are available when needed? |
|
Definition
|
|
Term
| What is the automatic and programmatic mechanisms for scaling up based on load? |
|
Definition
|
|
Term
| *What is ability for an environment to provision/deprovision resources to meet demands automatically? |
|
Definition
|
|
Term
| What is the overall sharing of the aggregate resources available between individual tenants? |
|
Definition
|
|
Term
| What phase of risk management is involved when deciding on how to mitigate a risk during an audit? |
|
Definition
|
|
Term
| What risk management level deals with evaluating potential vulnerabilities coupled with likeliness? |
|
Definition
|
|
Term
| What is the part of the risk assessment where the assessment is defined and scoped? |
|
Definition
|
|
Term
| *What control does OAUTH deal with? |
|
Definition
|
|
Term
| What control does OPenID deal with? |
|
Definition
|
|
Term
| *What stage of SDLC deals with decisions about programming languages and technologies that will be used? |
|
Definition
|
|
Term
| A DREAD level 0 is high or low level of knowledge to exploit a weakness? |
|
Definition
|
|
Term
| Isolating systems and applications from one another. Primarily for prod and dev |
|
Definition
|
|
Term
| What is a Tool for maintaining config deployments and enforcing config rules? |
|
Definition
|
|
Term
| What infrastructure config tool works with Github? |
|
Definition
|
|
Term
| What is placed around load balancers and added as systems grow programmatically? |
|
Definition
XML accelerators, used to offload validation and processing |
|
|
Term
| Where are WAFs implemented? |
|
Definition
| Between load balancers and servers |
|
|
Term
| What security component relies on standardized tools and non proprietary APIs to avoid vendor lock in? |
|
Definition
|
|
Term
| What security component allows an org to reuse components from previous versions and other apps and uses standard data structures and formats |
|
Definition
|
|
Term
| What are Web portal or utility for managing hypervisors |
|
Definition
|
|
Term
| What stage of SDLC deals with decisions about platforms and form a project plan? |
|
Definition
| Design (where security and risk management are merged) |
|
|
Term
| Guide produced by CSA to evaluate a prospective cloud provider |
|
Definition
|
|
Term
| What is an international guidelines and specs for evaluating IT security resources? |
|
Definition
|
|
Term
| *Set of rules and procedures that govern civil legal proceedings and provide uniformity and efficiency in resolving legal matters |
|
Definition
| Federal rules of civil procedures |
|
|
Term
| Subset of DRM focused on sensitive data |
|
Definition
| INFORMATION RIGHTS MANAGEMENT (IRM) |
|
|
Term
| *System of providing IT apps and data service to other components through communication protocols |
|
Definition
| Service oriented architectural SOA |
|
|
Term
| What ISO is Code of practice for information security controls based on ISO/IEC 27002 for cloud services? |
|
Definition
|
|
Term
| What type of masking is between application and database on the fly? |
|
Definition
|
|
Term
| How is the data access managed within PAAS? |
|
Definition
|
|
Term
| CSA STAR - attestation - (SOC2) - what Level? |
|
Definition
|
|
Term
| CSA STAR - continuous monitoring certification) - what Level? |
|
Definition
|
|
Term
What is this?
encompasses key principles of transparency, rigorous auditing, harmonization of standards, with continuous monitoring |
|
Definition
|
|
Term
|
Definition
| Security, Trust & Assurance Registry |
|
|
Term
| Keys are maintained and controlled by customer - most secure |
|
Definition
|
|
Term
| Keys are provided by CSP but hosted, maintained and controlled by customer - most common |
|
Definition
|
|
Term
XSS or CSRF?
sending untrusted data to a user's browser to be executed with their own credentials and access? |
|
Definition
|
|
Term
XSS or CSRF?
sending invalid requests through a user's client to execute commands on an application under a user's own credentials |
|
Definition
|
|
Term
| 2 Major challenges for EDiscovery in the cloud |
|
Definition
| ownership and quality of data |
|
|
Term
| What is the definition of: This promotes simple and comprehensible design and implementation of protection mechanisms, so that unintended access paths do not exist or can be readily identified and eliminated. |
|
Definition
|
|
Term
| What is the definition of: If a cloud system fails it should fail to a state in which the security of the system and its data are not compromised |
|
Definition
|
|
Term
| What is the IdEA acronym? |
|
Definition
| Identity, Entitlement, and Access Management |
|
|
Term
What type of management are these components used by
Authentication
Authorization
Administration
Audit & Compliance
Policy |
|
Definition
|
|
Term
| *The standard defines a declarative fine-grained, attribute-based access control (ABAC) policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies. |
|
Definition
|
|
Term
| *What are two mechanisms to automate monitoring and testing of cloud supply chains? |
|
Definition
| Cloud Audit and Cloud Trust Protocol |
|
|
Term
Storage options for IAAS/PAAS or SAAS?
Raw
Volume
Object
CDN |
|
Definition
|
|
Term
| Encryption Service level and storage type for instance? |
|
Definition
|
|
Term
| Encryption Service level and storage type that is externally managed? |
|
Definition
|
|
Term
| Encryption Service level and storage type that is File / Folder? |
|
Definition
|
|
Term
| Encryption Service level and storage type that is DRM? |
|
Definition
|
|
Term
| Encryption Service level and storage type that is client/application? |
|
Definition
|
|
Term
| Encryption Service level and storage type that is database? |
|
Definition
|
|
Term
| *Encryption Service level and storage type that is provider managed? |
|
Definition
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
| When there is a conflict of jurisdiction |
|
Definition
| Doctrine of the proper law |
|
|
Term
| Nist dealing with virtualization |
|
Definition
|
|
Term
Risk management process Farm |
|
Definition
Framing
Assessing
Responding
Monitoring |
|
|
Term
|
Definition
|
|
Term
|
Definition
|
|
Term
SABSA, TOGAF, CSA STAR or ITIL, CCM OR JERICHO? a framework for developing risk-driven enterprise information security and information assurance architectures and for delivering security infrastructure solutions that support critical business initiatives |
|
Definition
|
|
Term
SABSA, TOGAF, CSA STAR or ITIL, CCM OR JERICHO? the Enterprise Architecture standard used by the world’s leading organizations to improve business efficiency. |
|
Definition
|
|
Term
SABSA, TOGAF, CSA STAR or ITIL, CCM OR JERICHO? advocates that IT services must be aligned with the needs of the business and underpin the core business processes. It provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth. |
|
Definition
|
|
Term
SABSA, TOGAF, CSA STAR or ITIL, CCM OR JERICHO? encompasses key principles of transparency, rigorous auditing, harmonization of standards, with continuous monitoring |
|
Definition
|
|
Term
SABSA, TOGAF, CSA STAR or ITIL, CCM OR JERICHO? is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. |
|
Definition
|
|
Term
SABSA, TOGAF, CSA STAR or ITIL, CCM OR JERICHO? describes the multidimensional elements of cloud computing, framing not only cloud use cases, but also how they are deployed and used. |
|
Definition
|
|
Term
| is a comprehensive guide for U.S. government agencies concerning their use of and migration to cloud computing platforms. It is not a rigid set of requirements for federal agencies or contractors but rather a solid framework to guide IT departments across the government in evaluating cloud technologies, the suitability of these technologies for their IT operations, and security models within a cloud framework to meet federal IT security standards. |
|
Definition
|
|
Term
| *a specification for managing applications in a PAAS |
|
Definition
|
|
Term
| Bit splitting SSMS is an acronym for |
|
Definition
| Secret sharing made short |
|
|
Term
SSMS or AONT? Three-phase process:
1. Encryption
2. Information dispersal algorithm to split the data
3. Secret sharing algorithm to split the keys |
|
Definition
|
|
Term
SSMS or AONT?
1. Encryption transforms the information and the key into blocks
2. Uses an information dispersal algorithm to split the blocks |
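The three SSMS phases from the card above, run end to end as an added example (not from the original deck or from any product). Two simplifications are labelled in the code: the cipher is a toy SHA-256 keystream standing in for a real authenticated cipher, and the dispersal step is plain striping, which needs every fragment back, where a real IDA adds erasure-coding redundancy. The key-splitting phase is a full Shamir threshold scheme over a prime field, which is the part that carries the security property: any k shares recover the key and k-1 shares reveal nothing about it.

```python
import hashlib
import secrets
from typing import List, Tuple

# Prime field for the Shamir shares; large enough to hold a 256-bit key.
PRIME = 2 ** 521 - 1


def _keystream(key: bytes, length: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode) standing in for a real cipher
    # such as AES-GCM; used here only to keep the example dependency-free.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Phase 1: symmetric encryption (the same call encrypts and decrypts)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def stripe(data: bytes, m: int) -> List[bytes]:
    """Phase 2, simplified: disperse the ciphertext over m fragments. A real
    IDA adds redundancy so fewer than m fragments suffice; striping needs all m."""
    return [data[i::m] for i in range(m)]


def unstripe(fragments: List[bytes]) -> bytes:
    m = len(fragments)
    out = bytearray(sum(len(f) for f in fragments))
    for i, frag in enumerate(fragments):
        out[i::m] = frag
    return bytes(out)


def _eval_poly(coeffs: List[int], x: int) -> int:
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int) -> List[Tuple[int, int]]:
    """Phase 3: Shamir secret sharing of the key as points on a random
    degree-(k-1) polynomial whose constant term is the secret."""
    if not (0 <= secret < PRIME and 1 <= k <= n):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def ssms_split(plaintext: bytes, m: int, k: int, n: int):
    """Run the three phases; returns m data fragments (one per storage
    service) and n key shares (distributed separately, k needed to recover)."""
    key = secrets.token_bytes(32)
    fragments = stripe(xor_crypt(key, plaintext), m)
    key_shares = split_secret(int.from_bytes(key, "big"), k, n)
    return fragments, key_shares


def ssms_recover(fragments: List[bytes], key_shares: List[Tuple[int, int]]) -> bytes:
    key = recover_secret(key_shares).to_bytes(32, "big")
    return xor_crypt(key, unstripe(fragments))
```

The contrast with AONT-RS on the next card is where the key lives: in SSMS the key is shared separately from the data, so a provider holding all data fragments but fewer than k key shares still cannot decrypt.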
|
Definition
|
|