Certified Security Compliance Specialist

Flashcards by jnkdmls, updated more than 1 year ago
Created by jnkdmls about 4 years ago


CSCS Certification Dalia Flashcards on Certified Security Compliance Specialist, created by jnkdmls on 12/04/2015.

Resource summary

Question: Points of Vulnerability
Answer: Man-in-the-Middle; Rogue Access Points; Session Hijacking; Denial of Service (DoS)

Question: Wireless Challenges
Answer: Lack of user authentication; Weak encryption; Poor network management

Question: Intrusions
Answer: Known vulnerabilities; Configuration errors. Fix: patch in a timely manner (effective cyber security strategy)

Question: Japan - PIP (Personal Information Protection Act)
Answer: Effective: May 2003. Compliance: May 2005. Applies to: national & local gov't, private companies. Protects against: loss of personal data, unauthorized access, unauthorized disclosure

Question: Canada - PIPEDA (Personal Information Protection & Electronic Document Act)
Answer: Effective: April 2000. Compliance: January 2004. Rules for: collection, use, disclosure. 10 FIPs

Question: 10 FIPs (Fair Information Principles)
Answer: 1. Accountability 2. Identifying Purposes 3. Consent 4. Limiting Collection 5. Limiting Use, Disclosure, Retention 6. Accuracy 7. Safeguards 8. Openness 9. Individual Access 10. Challenging Compliance

Question: Australia - FPA (Federal Privacy Act)
Answer: Effective: December 2001. Protect the privacy of individuals; regulate credit providers & credit reporting agencies. 11 IPPs; 10 NPPs

Question: 11 IPPs (Information Privacy Principles)
Answer: 1. Manner & purpose of collection 2. Collecting directly from individuals 3. Collecting information generally 4. Storage & security 5-7. Access & amendment 8-10. Information use 11. Disclosure

Question: 10 NPPs (National Privacy Principles)
Answer: 1. Collection 2. Use & Disclosure 3. Info Quality 4. Info Security 5. Openness 6. Access & Correction 7. Identifiers 8. Anonymity 9. Transborder Data Flow 10. Sensitive Information

Question: European Union - DPD (Data Protection Directive)
Answer: Effective: October 1995. Covers processing of personal data, automatically processed, & manual data in a filing system. Directive 95/46

Question: United Kingdom - The Turnbull Guidance (Internal Control: Guidance for Directors on the Combined Code)
Answer: Effective: December 2000. Companies to manage identified internal & external risk within the organization

Question: United Kingdom - DPA (Data Protection Act)
Answer: Effective: 1998. Prevent: unauthorized or unlawful processing; accidental loss or damage to data

Question: United Kingdom - F of IA (Freedom of Information Act)
Answer: Compliance: January 2005. Prevent: altering or corruption of public authority information. Ensure: uptime

Question: United States - GLB Act (Gramm-Leach-Bliley Act)
Answer: Effective: November 1999. Provisions for: confidentiality, integrity, availability in the areas of administrative, physical, & technical safeguards. Applies to: banks, securities firms, insurance companies, & sellers of financial products

Question: United States - 21 CFR Part 11 (Title 21 of the US Code of Federal Regulations, Part 11)
Answer: Published: August 2003. Ensure authenticity, integrity, confidentiality, & non-repudiation of electronic records (part of the FDA)

Question: NERC's CSS (North American Electric Reliability Council Cyber Security Standards)
Answer: Requires power utilities to assess and enhance their security environments (Critical Infrastructure Protection - CIP)

Question: Critical Infrastructure Protection (CIP)
Answer: CIP-002: Critical Cyber Assets; CIP-003: Security Management Controls; CIP-004: Personnel & Training; CIP-005: Electronic Security; CIP-006: Physical Security; CIP-007: Systems Security Management

Question: Deter and Detect Attacks
Answer: Firewalls; Intrusion Detection Systems (IDS); Intrusion Prevention Systems (IPS)

Question: SOX Penalties (for knowingly signing a false financial report)
Answer: A corporate officer: $1 million and up to 10 years in prison

Question: SOX Titles and Sections
Answer: 11 Titles; 4 Sections

Question: Title I
Answer: Public Company Accounting Oversight Board

Question: Title II
Answer: Auditor Independence

Question: Title III
Answer: Corporate Responsibility. Section 302: Corporate Responsibility for Financial Reports

Question: Title IV
Answer: Enhanced Financial Disclosures. Section 404: Mgmt Assessment of Internal Controls; Section 409: Real Time Issuer Disclosures

Question: Title V
Answer: Analyst Conflicts of Interest

Question: Title VI
Answer: Commission Resources and Authority

Question: Title VII
Answer: Studies and Reports

Question: Title VIII
Answer: Corporate and Criminal Fraud Accountability. Section 802: Criminal Penalties for Altering Documents

Question: Title IX
Answer: White-Collar Crime Penalty Enhancements

Question: Title X
Answer: Corporate Tax Returns

Question: Title XI
Answer: Corporate Fraud and Accountability

Question: Section 302 (Corporate Responsibility for Financial Reports)
Answer: Company's mgmt must ensure & demonstrate that financial data is accurate and complete, quarterly and annually. Effective: July 2002

Question: Section 404 (Mgmt Assessment of Internal Controls)
Answer: Corporate mgmt, executives, and financial officers implement controls to protect, and annually monitor and report on the effectiveness of the controls

Question: Section 409 (Real Time Disclosure of Issues)
Answer: Real-time reporting of material events that could impact a company's financial performance

Question: Public Company Accounting Oversight Board (PCAOB)
Answer: An audit of internal control over financial reporting performed in conjunction with an audit of financial statements

Question: The Securities and Exchange Commission (SEC)
Answer: Indicated that the Committee of Sponsoring Organizations Internal Control (COSO) is acceptable to define internal controls for financial reporting systems

Question: COSO 5 Aspects of Effective Internal Controls
Answer: 1. The Control Environment 2. Risk Assessment 3. Control Activities 4. Information & Communications 5. Monitoring

Question: Complementary to COSO
Answer: Control Objectives for Information and Related Technology (COBIT), established by the IT Governance Institute (ITGI); ISO 27000 for Information Security Mgmt Systems

Question: COBIT 5 Domains
Answer: 1. Align, Plan, & Organize (APO) 2. Build, Acquire, & Implement (BAI) 3. Deliver, Service, & Support (DSS) 4. Monitor, Evaluate, & Assess (MEA) 5. Evaluate, Direct, & Monitor (EDM)

Question: COBIT (1) Align, Plan, & Organize (APO)
Answer: 1. Mng IT Mgmt Framework 2. Mng Strategy 3. Mng Enterprise Architecture 4. Mng Innovation 5. Mng Portfolio 6. Mng Budget & Costs 7. Mng HR 8. Mng Relationships 9. Mng Service Agreements 10. Mng Suppliers 11. Mng Quality 12. Mng Risk 13. Mng Security

Question: COBIT (2) Build, Acquire, & Implement (BAI)
Answer: 1. Mng Programs & Projects 2. Mng Requirements Definition 3. Mng Solutions Identification & Build 4. Mng Availability & Capacity 5. Mng Organizational Change Enablement 6. Mng Changes 7. Mng Change Acceptance & Transitioning 8. Mng Knowledge 9. Mng Assets 10. Mng Configurations

Question: COBIT (3) Deliver, Service, & Support (DSS)
Answer: 1. Mng Operations 2. Mng Service Requests & Incidents 3. Mng Problems 4. Mng Continuity 5. Mng Security Services 6. Mng Business Process Controls

Question: COBIT (4) Monitor, Evaluate, & Assess (MEA)
Answer: 1. MEA Performance and Conformance 2. MEA System of Internal Controls 3. MEA Compliance with External Req'ts

Question: COBIT (5) Evaluate, Direct, & Monitor (EDM)
Answer: 1. Ensure Governance Framework Setting & Maintenance 2. Ensure Benefits Delivery 3. Ensure Risk Optimization 4. Ensure Resource Optimization 5. Ensure Stakeholder Transparency

Question: COBIT Security Objectives
Answer: 37 Steps. Read Chapter 2, Slides 27 to 41

Question: Payment Card Industry (PCI) Data Security Standard (DSS)
Answer: Applies to all who store, process, or transmit cardholder data

Question: PCI Penalties
Answer: 2006: over $5Mil. $5K/mth increasing to $25K/mth. Compromised cards: $25 per card, up to $500K

Question: 12 PCI DSS Requirements, 6 Control Objectives
Answer: 1. Build & Maintain a Secure Network 2. Protect Cardholder Data 3. Maintain a Vulnerability Mgmt Program 4. Implement Strong Access Control Measures 5. Regularly Monitor & Test Networks 6. Maintain an Information Security Policy

Question: (1) Build & Maintain a Secure Network
Answer: A. Firewall Configuration B. No Vendor Defaults

Question: (2) Protect Cardholder Data
Answer: A. Protect Stored Cardholder Data (mask Primary Account Number, PAN) B. Encrypt Transmission (SSL/TLS and IPsec)

Question: (3) Maintain a Vulnerability Mgmt Program
Answer: A. Update Anti-Virus Software B. Maintain Secure Systems & Applications (patches, separate environments)

Question: (4) Implement Strong Access Control Measures
Answer: A. Restrict Access (need to know) B. Assign Unique IDs C. Restrict Physical Access

Question: (5) Regularly Monitor & Test Networks
Answer: A. Track & Monitor All Access B. Regularly Test Security Processes (pen tests; network-layer and application-layer)

Question: (6) Maintain an Information Security Policy
Answer: A. Maintain Policy (awareness program)

Question: PCI Next Steps
Answer: Pre-Assessment & Gap Analysis

Question: HITECH Meaningful Use (Health Information Technology for Economic and Clinical Health)
Answer: Effective: February 17, 2009. Ensure adequate privacy and security protections for PHI through use of policies, procedures, & technologies over EHR

Question: Meaningful Use Penalties
Answer: CMS will withhold payment until violations are resolved

Question: HIPAA Mandate 164.308(a)(1)(ii)(A)
Answer: Organizations need to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, & availability of EPHI held by the organization

Question: HIPAA Audit Evidence
Answer: 1. Entity-wide Security Plan 2. Risk Analysis & Mgmt Plan 3. Security Violation Monitoring Rpts 4. Vulnerability Scanning Plans 5. Network Pen Testing Policy and Procs 6. Access Control Lists 7. Patch Mgmt Plans 8. Encryption Measures

Question: Personal Identifiable Information (PII)