Detective Controls → Attempt to detect when vulnerabilities have been exploited, resulting in a security incident
Ex. Log monitoring, SIEM systems, Security Audits, Video Surveillance, Motion Detection, Intrusion Detection System (IDS)
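Log monitoring and SIEM correlation are the detective controls above that can be shown in code. The following added example (written for these notes, not taken from any vendor or product) runs simple detection logic over a few constructed OpenSSH-style log lines: it raises a brute-force alert once one source IP produces a threshold of failed logins inside a time window, and a higher-severity alert if a login from that IP then succeeds, which is the "vulnerability exploited, incident occurred" case a detective control exists to catch. Hostnames, IPs and the threshold/window values are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format; not real traffic.
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 09:12:03 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Mar 10 09:12:05 web01 sshd[4102]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar 10 09:12:08 web01 sshd[4103]: Failed password for root from 203.0.113.7 port 50217 ssh2
Mar 10 09:12:10 web01 sshd[4104]: Failed password for root from 203.0.113.7 port 50219 ssh2
Mar 10 09:12:14 web01 sshd[4105]: Accepted password for root from 203.0.113.7 port 50221 ssh2
Mar 10 09:30:44 web01 sshd[4190]: Failed password for alice from 198.51.100.22 port 40100 ssh2
Mar 10 09:30:50 web01 sshd[4191]: Accepted publickey for alice from 198.51.100.22 port 40102 ssh2
"""

# Matches both "Failed password for [invalid user] X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Parse one sshd line into a dict; syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(log_text, threshold=5, window_s=120):
    """Return a list of (alert_type, src_ip, user, timestamp).

    brute_force: the threshold-th failed login from one IP inside window_s seconds.
    success_after_brute_force: a successful login from an IP that already crossed
    the threshold inside the window, i.e. the attack probably worked.
    """
    failures = defaultdict(list)  # src ip -> timestamps of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # Sliding window: drop failures older than window_s relative to this event.
        failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
        if ev["result"] == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:
                alerts.append(("brute_force", ip, ev["user"], ts))
        elif len(failures[ip]) >= threshold:
            alerts.append(("success_after_brute_force", ip, ev["user"], ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures alone is background noise on any Internet-facing host, but a success from the same source inside the window is a likely compromise and moves the event from "attempt" to "incident", which is where corrective controls take over.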
Corrective & Recovery Controls → Attempt to reverse or limit the impact of an incident after it has occurred and return systems to a known-good state
Ex. Backups & System Recovery, Incident handling processes, Antivirus
Physical Controls → Controls that you can physically touch
Ex. Barricades, Access Control Vestibules (Mantraps), Fences, Guards
Deterrent Controls → Attempt to discourage a threat: make potential attackers less willing to attack and insiders less willing to violate security policy
Ex. Cable locks, Physical locks
Compensating Controls → Alternate controls used when the primary (required) control cannot be implemented
Organizations adopt compensating controls to address a temporary exception to a security requirement, for example a legacy system that cannot be patched and is instead isolated on its own network segment and monitored closely.
A compensating control does not have to work the same way as the primary control; it has to satisfy the same requirement by other means.
Ex. Re-image or Restore from backup, Hot Site, Backup Power System (each can stand in for a control the organization cannot put in place directly)
PCI DSS conditions for accepting a compensating control:
The control must meet the intent & rigor of the original requirement
The control must provide similar level of defense as the original requirement
The control must be “above & beyond” other PCI DSS requirements
Response Controls → Incident Response Controls → Controls designed to prepare for security incidents and to respond to them when they occur
General Data Protection Regulation (GDPR) → Mandates the protection of personal data of individuals in the EU, regardless of where the processing organization is located.
Requires organizations that meet certain criteria (public authorities, or organizations whose core activities involve large-scale monitoring or large-scale processing of special categories of data) to appoint a data protection officer (DPO) who oversees the organization's data protection strategy and implementation and makes sure that the organization complies with the GDPR.
Payment Card Industry Data Security Standard (PCI DSS) → Any company that stores, processes or transmits credit card data should comply with PCI DSS
An organization that processes credit cards normally works with its payment processor (acquirer) rather than directly with the card brands (Visa, Mastercard) → In a suspected breach, send notification to your credit card processor, which handles escalation to the brands
Center for Internet Security (CIS) → Identifies, develops, validates, promotes and sustains best-practice solutions for cyber defense (e.g. the CIS Controls and CIS Benchmarks) and builds and leads communities to enable an environment of trust in cyberspace
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF) → Used to identify and mitigate risks
The NIST RMF's seven steps, in order:
Prepare
Categorize system
Select controls
Implement controls
Assess controls
Authorize system
Monitor controls
Cloud Security Alliance (CSA) → A non-profit organization that promotes best practices related to the cloud
CSA's Cloud Controls Matrix (CCM) → Maps existing standards (COBIT, HIPAA, FedRAMP) to common control descriptions, allowing control requirements to be compared and validated across many standards and regulations
Reference architecture → A document or set of documents that provides a standard, vendor-neutral design (components, their relationships, and the standards they must meet) that organizations use as a template for their own implementations
Acceptable Use Policy (AUP) → Describes the purpose of computer systems & networks, how users may access them, and the responsibilities of users when they access the systems
Job rotation → A concept that has employees rotate through different jobs to learn the processes & procedures in each job.
Helps to prevent or expose dangerous shortcuts or even fraudulent activity
Mandatory Vacation → Helps to detect when employees are involved in malicious activity such as fraud
These policies help to deter fraud and discover malicious activities while the employee is away.
Separation of Duties → A principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process
Two people perform separate actions to prevent inventory fraud
This helps prevent potential fraud, such as if a single person prints and signs checks.
Least Privilege → Specifies that individuals and processes are granted only the privileges needed to perform assigned tasks or functions, but no more
Dual Control → A security mechanism that requires two individuals to simultaneously verify and approve an action or access to a system
Job Rotation vs Separation of Duties vs Dual Control
Job Rotation → Periodic movement of employees between roles; detects problems over time
Separation of Duties → A critical process is split so that no single person can complete it alone; the actions can happen at different times (one person prints checks, another signs them)
Dual Control → Two individuals must act together, at the same time, to complete a single action (two-person rule); stricter than separation of duties because neither can proceed without the other being present
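The difference between least privilege, separation of duties and dual control is easiest to see as enforcement logic. The following added example (written for these notes, not from any real payment system) models a payment release workflow: least privilege as a permission check per action, separation of duties as "the initiator cannot approve their own request", and dual control as "two distinct approvers, acting within a short window of each other". The users, permission names and the five-minute window are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical role assignments (least privilege: each user gets only the
# permission their task needs). Assumed for the example, not from the page.
ROLES = {
    "alice": {"payments.create"},
    "bob":   {"payments.approve"},
    "carol": {"payments.approve"},
    "dave":  {"payments.create", "payments.approve"},  # holds both roles
}

DUAL_CONTROL_WINDOW = timedelta(minutes=5)  # assumed "simultaneous" tolerance


@dataclass
class PaymentRequest:
    request_id: str
    initiator: str
    amount: int
    approvals: list = field(default_factory=list)  # (user, timestamp) pairs


def require(user, perm):
    """Least privilege: refuse any action the user's role does not grant."""
    if perm not in ROLES.get(user, set()):
        raise PermissionError(f"{user} lacks {perm}")


def create_request(user, request_id, amount):
    require(user, "payments.create")
    return PaymentRequest(request_id, user, amount)


def approve(req, user, when):
    require(user, "payments.approve")
    # Separation of duties: even a user who holds both roles (dave) may not
    # approve a request they initiated.
    if user == req.initiator:
        raise PermissionError("separation of duties: initiator cannot approve own request")
    # Dual control needs two *different* people; one person approving twice is not it.
    if any(u == user for u, _ in req.approvals):
        raise PermissionError("dual control: same person cannot approve twice")
    req.approvals.append((user, when))


def can_release(req, window=DUAL_CONTROL_WINDOW):
    """Dual control: the last two approvals come from distinct users and are
    close enough in time to count as acting together."""
    if len(req.approvals) < 2:
        return False
    (u1, t1), (u2, t2) = req.approvals[-2:]
    return u1 != u2 and abs(t2 - t1) <= window


def rejected(fn, *args):
    """True when the action is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo():
    """Run the scenarios and return the outcomes as a dict."""
    t0 = datetime(2024, 3, 10, 9, 0)
    ok = create_request("alice", "PAY-1", 50_000)
    approve(ok, "bob", t0)
    approve(ok, "carol", t0 + timedelta(minutes=1))
    own = create_request("dave", "PAY-2", 10)
    slow = create_request("alice", "PAY-3", 10)
    approve(slow, "bob", t0)
    approve(slow, "carol", t0 + timedelta(minutes=10))  # too late for dual control
    return {
        "two_approvers_in_window": can_release(ok),
        "self_approval_rejected": rejected(approve, own, "dave", t0),
        "double_approval_rejected": rejected(approve, ok, "bob", t0),
        "unprivileged_create_rejected": rejected(create_request, "bob", "PAY-4", 1),
        "approvals_too_far_apart": can_release(slow),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the third check (approvals too far apart) is what distinguishes dual control from plain separation of duties: both approvals are valid individually, but the control requires them to happen together.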
Vendors → Implement vendor diversity to provide cybersecurity resilience
end of life (EOL) → Refers to the date when a product will no longer be offered for sale.
end of service life (EOSL) → Indicates the date when you expect a lack of vendor support because vendors no longer create patches or upgrades to resolve vulnerabilities for the product.
Service level agreement (SLA) → An agreement between a company & vendor that stipulates performance expectations, such as minimum uptime & maximum downtime levels
Memorandum of understanding (MOU) → Expresses an understanding between two or more parties indicating their intention to work together toward a common goal.
Business partners agreement (BPA) → A written agreement that details the relationship between business partners, including their obligations toward the partnership.
Measurement Systems Analysis (MSA) → Evaluates the processes & tools used to make measurements, so that decisions based on those measurements (e.g. vendor performance against an SLA) rest on reliable data
Interconnection Security Agreement(ISA) → A formal agreement between organizations that governs the security requirements and responsibilities when connecting their information systems or networks.
Non-Disclosure Agreement (NDA) → A legally binding agreement to keep specified information confidential; the legal basis for protecting information assets shared with employees, contractors and partners
If the employee or contractor breaks this agreement and shares such information, they may face legal consequences.
Risk management is the practice of identifying, monitoring, and limiting risks to a manageable level
Risk Awareness → Acknowledgement that risk exists & must be addressed to mitigate them
Inherent Risk → Refers to the risk that already exists before the controls are in place to manage the risk
Residual Risk → It is the amount of risk that remains after managing or mitigating risk to an acceptable level
Control Risk → Refers to the risk that exists if in-place controls do not adequately manage risks
Control risks specifically apply to financial information, where they may impact the integrity or availability of the financial information.
Risk Appetite → Refers to amount of risk an organization is willing to accept
Risk Avoidance → The organization avoids the risk by not providing a service or not participating in a risky activity
Risk Mitigation → The organization implements controls to reduce risks. These controls reduce the vulnerabilities or reduce the impact of threat
Ex. Patching systems immediately after the release of patches, which helps to mitigate the risk of known security vulnerabilities being exploited by malicious actors
Risk Acceptance → The organization decides to accept a risk as-is, typically because the cost of further controls would exceed the expected loss; the accepted risk must stay within the risk appetite and be documented
Risk Transference → The organization transfers the risk to another entity, or at least shares the risk with another entity (insurance, outsourcing)
Cybersecurity Insurance → Helps to protect businesses & individuals from losses related to cybersecurity incidents such as data breaches & network damage
Business Impact Analysis (BIA) → An important part of the Business Continuity Plan (BCP)
It helps the organization identify critical systems & components that are essential to the organization's success
It helps identify vulnerable business processes, i.e. the mission-essential functions
It identifies maximum downtime limits for these systems & components, the scenarios that can impact them, and the potential losses from an incident
Recovery Time Objective (RTO) → Identifies the maximum amount of time it can take to restore a system after an outage
Recovery Point Objective (RPO) → Identifies a point in time where the data loss is acceptable
It is the period of time a company can tolerate lost data being unrecoverable between backups
Mean time between failures (MTBF) → A measure of a repairable system's reliability, usually expressed in hours: the average operating time between one failure and the next, i.e. a prediction of how often the system will fail
Mean Time to Failure (MTTF) → MTTF is the average time to failure for a non-repairable system or component. It measures the expected operational lifetime before failure.
Helps in predicting the lifespan and planning replacements.
Mean time to repair (MTTR) → The average time it takes to restore a failed system
Also called mean time to recover
Used to assess and improve maintenance efficiency; compared against the RTO to see whether recovery is fast enough
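RTO, RPO, MTBF, MTTR and availability are defined above as words; the following added example (written for these notes, not from any tool) computes them from a constructed outage log for one system and checks the result against an assumed RTO, RPO and backup interval. The outage timestamps, the observation period and the target values are all assumptions made for the example; availability is derived as MTBF / (MTBF + MTTR).

```python
from datetime import datetime, timedelta

# Constructed outage records for one system, not real data: (failed_at, restored_at)
OUTAGES = [
    (datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 5, 0)),      # 3 h outage
    (datetime(2024, 1, 20, 14, 0), datetime(2024, 1, 20, 15, 0)),  # 1 h outage
    (datetime(2024, 2, 11, 23, 0), datetime(2024, 2, 12, 1, 0)),   # 2 h outage
]
OBSERVATION_START = datetime(2024, 1, 1)   # 60-day window (2024 is a leap year)
OBSERVATION_END = datetime(2024, 3, 1)

HOUR = 3600.0


def mttr_hours(outages):
    """MTTR: mean time from failure to restoration, in hours."""
    return sum((up - down).total_seconds() for down, up in outages) / len(outages) / HOUR


def mtbf_hours(outages, start, end):
    """MTBF: total operating (up) time in the period divided by the number of failures."""
    total = (end - start).total_seconds()
    downtime = sum((up - down).total_seconds() for down, up in outages)
    return (total - downtime) / len(outages) / HOUR


def availability(mtbf, mttr):
    """Fraction of time the system is expected to be up."""
    return mtbf / (mtbf + mttr)


def assess(outages, start, end, rto, rpo, backup_interval):
    """Compare observed behaviour with the BIA targets.

    rto: maximum tolerable restore time (worst observed outage must not exceed it)
    rpo: maximum tolerable data loss; with periodic backups the worst-case loss is
         one full backup interval, so the interval must not exceed the RPO
    """
    worst_restore = max(up - down for down, up in outages)
    mtbf = mtbf_hours(outages, start, end)
    mttr = mttr_hours(outages)
    return {
        "mtbf_h": mtbf,
        "mttr_h": mttr,
        "availability": availability(mtbf, mttr),
        "worst_restore_h": worst_restore.total_seconds() / HOUR,
        "meets_rto": worst_restore <= rto,
        "worst_case_data_loss_h": backup_interval.total_seconds() / HOUR,
        "meets_rpo": backup_interval <= rpo,
    }


if __name__ == "__main__":
    report = assess(
        OUTAGES, OBSERVATION_START, OBSERVATION_END,
        rto=timedelta(hours=2),            # assumed target from the BIA
        rpo=timedelta(hours=4),            # assumed target from the BIA
        backup_interval=timedelta(hours=24),  # assumed current backup schedule
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

With these inputs the average restore (2 h) sits exactly at the RTO, but the worst outage (3 h) breaches it, which is why the check uses the maximum rather than MTTR. Daily backups against a 4 h RPO fail for the same reason: the RPO bounds the worst case, so the backup interval must be no longer than the RPO.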
Disaster recovery plan (DRP) → Identifies how to recover critical systems after a disaster and often prioritizes services to restore after an outage.
The first step to developing an effective disaster recovery plan is to identify the assets.
Functional Recovery Plan → A recovery plan focused on a specific technical and business function