Term
AT-101 Attestation Standard

Definition
- Created by the PCAOB (Public Company Accounting Oversight Board)
- Applies to companies that provide "as a Service" products
- SOC 2 reports are based on it
- Review the reports of other companies (potential partners) to understand how partnering could introduce risk

Term


Definition
- Control type that focuses on people
  - risk assessments
  - planning
  - policies: separation of duties and mandatory vacations

Term


Definition
- More security controls
- Part of defense in depth

Term
FedRAMP (Federal Risk and Authorization Management Program)

Definition
- Security assessment, authorization, and continuous monitoring for cloud products and services
- Standard approach to provider assessments
- Government agencies use it to decide on the feasibility of cloud-based solutions

Term


Definition
Common policies, language, methods, and procedures designed to deliver an outcome or manage a process

Term


Definition
- Protects PHI (protected health information)
- Controls in place to secure PHI during collection, storage, or processing of data
- Applies to any organization collecting, storing, or processing PHI

Term
ISO (International Organization for Standardization)

Definition
- Used as a framework to monitor, report on, and improve an ISMS (Information Security Management System)
- For any organization type of any size
- Provides IT security reference controls
- Sub-frameworks depending on goals and industry

Term
NIST (National Institute of Standards and Technology)

Definition
- Control frameworks that span industries to manage cybersecurity risk
- Voluntary
- Part of the US Department of Commerce
- Impact varies by compliance level
- Used by larger organizations and government agencies

Term
NIST Cybersecurity Framework (CSF)

Definition
- Framework Core
- Framework Profile
- Framework Implementation Tiers

Term


Definition
- Presidential Executive Order 13636
- Improving Critical Infrastructure Cybersecurity

Term
PCI DSS (Payment Card Industry Data Security Standard)

Definition
- Protects credit card data
- Various levels of controls depending on how the company interacts with credit card data
- Self-assessments, onsite audits, quarterly network scans
- Applies to merchants, banks, and credit card processors

Term


Definition
- Replaced the Safe Harbor standard
- Safeguards data being transferred between the EU and US
- Self-certification process
- Enables US companies to more easily receive personal data from the EU and comply with EU privacy laws

Term
Regulatory and Compliance Frameworks

Definition
- Sarbanes-Oxley
- FedRAMP
- PCI DSS
- NIST
- SSAE-16
- HIPAA/HITECH
- ISO
- Privacy Shield
- AT-101

Term


Definition
Created in 2002 to address the accounting fraud scandals associated with major companies:
- Famous cases of securities fraud: Enron, MCI WorldCom, Tyco
- Security requirements for any systems processing financial data (access management, IT controls, entity-level controls)

Term
SSAE-16 (Statement on Standards for Attestation Engagements No. 16)

Definition
- Companies that receive SOC 1 reports
- Companies that process financial information or impact financial statements
- Part of SOX
- Mandatory compliance (public companies)
- SOC 1 reports are reviewed by stakeholders

Term


Definition
- Disable unnecessary services
- Use secure protocols
- Apply the principle of least privilege
- Set up monitoring and alerts
- Establish baselines
- Periodically audit configuration

Term


Definition
- NIDS/NIPS
- UTM
- Training users to recognize threats

Term


Definition
- Regulatory
- National vs. international
- Non-regulatory
- Industry-specific

Term


Definition
- Utilize more than one manufacturer
- Reduces the impact of vulnerabilities

Term
Vendor-Specific Benchmarks and Configuration Guides

Definition
Guidelines for secure configurations of:
- Web servers
- Operating systems
- Application servers
- Network infrastructure devices

Term
NIST Framework Components

Definition
- Implementation Tiers
- Framework Core
- Profiles

Term


Definition
- Partial
- Risk Informed
- Repeatable
- Adaptive

Term
NIST Framework Implementation Tiers (definition)

Definition
They describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework, in progressive levels with an increasing degree of rigor.

Term
NIST Framework Core's Functions

Definition
- Identify
- Protect
- Detect
- Respond
- Recover

Term


Definition
- A set of desired cybersecurity activities and outcomes organized by Functions, Categories, and Subcategories
- Designed to be intuitive and to act as a translation layer that enables communication between multi-disciplinary teams by using simple, non-technical language

Term


Definition
- An organization's unique alignment of its organizational requirements and objectives, risk appetite, and resources against the desired outcomes
- Used to identify opportunities for improving cybersecurity posture

Term


Definition
- SSAE-18 superseded the earlier standards SAS 70 and SSAE 16
- It is an audit report restricted to the management of the service organization, user entities, and user auditors
- A report on controls at a service organization that are relevant to user entities' internal control over financial reporting

Needed for these service companies:
- Payroll processors
- Medical claims processors
- Loan servicing companies
- Data center companies
- Software-as-a-Service (SaaS) companies that may impact the financials of their user entities

Term


Definition
An audit report that addresses a service organization's controls relating to operations and compliance, as outlined by the AICPA's Trust Services Criteria, in relation to:
1. availability
2. security
3. processing integrity
4. confidentiality
5. privacy