In this course, a student looks into security frameworks and controls and gains a thorough understanding of every element of the confidentiality, integrity, and availability (CIA) triad. The Open Web Application Security Project (OWASP) key principles show industry best practices for protecting applications and systems.
Participants also gain audit skills in security areas that show how proactive one can be in securing one's digital environments. This article reviews the course against critical security principles and builds an excellent foundation for students in the current cybersecurity landscape.
Learning objectives:
Define and describe the purpose of security frameworks and controls
Describe the CIA triad
Explain the National Institute of Standards and Technology (NIST) frameworks
Identify security principles
Examine how businesses use security frameworks and controls to protect their operations
Define security audits
Explore common elements of internal security audits
TEST YOUR KNOWLEDGE: MORE ABOUT FRAMEWORKS AND CONTROLS
1. How do security frameworks enable security professionals to help mitigate risk?
They are used to establish laws that reduce a specific security risk.
They are used to refine elements of a core security model known as the CIA triad.
They are used to create unique physical characteristics to verify a person’s identity.
They are used to establish guidelines for building security plans. (CORRECT)
Security frameworks provide guidelines for building security plans that help security professionals mitigate risk. They comprise best practices, standards, and processes for recognizing, managing, and reducing security threats.
2. Competitor organizations are the biggest threat to a company’s security.
True
False (CORRECT)
Because people, not competitors, are the major threat to an organization, it is necessary to educate workers about security threats and the most effective practices for minimizing the chance of a breach. Awareness and training help employees detect threats, follow proper protocols, and become a line of defense against attacks.
3. Fill in the blank: Security controls are safeguards designed to reduce _____ security risks.
broadscale
public
specific (CORRECT)
general
Security controls are the measures taken to safeguard against specific risks and vulnerabilities, with the aim of keeping the organization's data and assets confidential, preserving their integrity, and keeping them fully available to the organization.
4. A security analyst works on a project designed to reduce the risk of vishing. They developed a plan to protect their organization from attackers who could exploit biometrics. Which type of security control does this scenario describe?
Encryption
Ciphertext
Classification
Authentication (CORRECT)
This scenario describes an authentication control. Authentication is carried out before a user or entity engaging in a transaction is allowed to access specific resources in a system. The process applies control policies that reserve access to sensitive material, or the performance of certain actions, for those who are authorized.
TEST YOUR KNOWLEDGE: THE CIA TRIAD
1. What is the CIA triad?
A foundational security model used to set up security policies and systems (CORRECT)
A set of security controls used to update systems and networks
Ongoing validation processes involving all employees in an organization
A mandatory security framework involving the selection of appropriate controls
It is the bedrock security model for formulating the security policy and system which constitutes confidentiality, integrity, and availability.
2. Which element of the CIA triad specifies that only authorized users can access specific information?
Integrity
Access
Confidentiality (CORRECT)
Confirmation
Confidentiality limits access to information to precisely those who are authorized to see it, while safeguarding it from unauthorized eyes.
3. A security analyst discovers that certain data is inaccessible to authorized users, which is preventing these employees from doing their jobs efficiently. The analyst works to fix the application involved in order to allow for timely and reliable access. Which element of the CIA triad does this scenario describe?
Capacity
Integrity
Availability (CORRECT)
Applicability
Correct!
4. Fill in the blank: According to the CIA triad, _____ refers to ensuring that an organization’s data is verifiably correct, authentic, and reliable.
Availability
Credibility
Accuracy
Integrity (CORRECT)
Integrity, in the CIA triad, covers keeping an organization's data accurate, authentic, and reliable, and protected from unauthorized modification or tampering.
5. Fill in the blank: The CIA triad is a model that helps inform how organizations consider _____ when setting up systems and security policies.
risk (CORRECT)
access
data
assets
The confidentiality, integrity, and availability (CIA) triad is a model that guides organizations in evaluating and managing risk while developing systems and security policies. Within the CIA framework, confidentiality is the protection of sensitive information; integrity requires data to be kept accurate; and availability requires systems and data to remain accessible to authorized users.
TEST YOUR KNOWLEDGE: NIST FRAMEWORKS
1. What is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)?
A collection of security principles focused on maintaining confidentiality, integrity, and availability
A set of security controls that help analysts determine what to do if a data breach occurs
A required business framework for ensuring security updates and repairs are successful
Standards, guidelines, and best practices that organizations follow voluntarily in order to manage cybersecurity risk (CORRECT)
The NIST Cybersecurity Framework (CSF) is a voluntary set of standards, guidelines, and best practices meant to aid organizations in managing and mitigating cybersecurity risk.
2. Fill in the blank: The five core functions that make up the CSF are: identify, protect, detect, _____, and recover.
respond (CORRECT)
reflect
reevaluate
regulate
Identify, Protect, Detect, Respond, and Recover are the five key core functions of the NIST Cybersecurity Framework (also known as the CSF). With such core functions, it is possible to have a well-rounded approach to manage and improve the cybersecurity practices of any organization.
3. Fill in the blank: The CSF _____ function relates to monitoring systems and devices in an organization’s internal network to help security teams manage potential cybersecurity risks and their effects.
respond
identify (CORRECT)
protect
recover
The identify function of the NIST Cybersecurity Framework (CSF) covers understanding and managing cybersecurity risk to an organization's assets, people, and resources. This includes discovering the systems and devices in the internal network, assessing their vulnerabilities, and establishing processes that let security teams manage the possible impact of threats.
4. What does a security analyst’s work involve during the CSF recover function?
Contain, neutralize, and analyze security incidents
Protect an organization through the implementation of employee training
Pinpoint threats and improve monitoring capabilities
Return affected systems back to normal operation (CORRECT)
A security analyst’s role during recovery is to restore normal functions in affected systems. This will involve the execution of recovery plans, ensuring integrity of data, and coordinating efforts to minimize downtime and prevent similar incidents in the future.
TEST YOUR KNOWLEDGE: OWASP PRINCIPLES AND SECURITY AUDITS
1. A security analyst disables certain software features to reduce the potential vulnerabilities that an attacker could exploit at their organization. Which OWASP security principle does this scenario describe?
Minimize the attack surface (CORRECT)
Fix security issues correctly
Defense in depth
Separation of duties
Minimizing the attack surface means reducing the number of entry points or vulnerabilities that an attacker could exploit. Limiting the attack surface makes a breach or successful attack less likely.
2. Fill in the blank: A security _____ is a review of an organization’s security controls, policies, and procedures against a set of expectations.
audit (CORRECT)
survey
examination
classification
A security audit is an evaluation of an organization's security controls, policies, and procedures to verify that they conform with established standards, regulations, and best practices. Its goal is to identify vulnerabilities, gaps, and areas for improvement in the organization's security posture.
3. A security professional closely examines their organization’s network, then evaluates potential risks to the network. Their goal is to ensure internal safeguards and processes are effective. What security concept does this scenario describe?
Controls assessment (CORRECT)
Security recommendations
Compliance regulations
Communicating results
This scenario describes a controls assessment: an exercise that involves taking an inventory of an organization's existing assets and assessing the risks that may threaten them. Its purpose is to establish whether internal controls and processes are effective enough to reduce those risks and protect the organization's resources.
4. A security professional is asked to communicate the results of an internal security audit to stakeholders. What should be included in that communication? Select three answers.
A list of risks and compliance requirements that need to be addressed (CORRECT)
A summary of the audit’s scope and goals (CORRECT)
A recommendation about how to improve the organization’s security posture (CORRECT)
A list of questions for stakeholders to answer
Communicating internal audit results to stakeholders should summarize the audit's scope and goals, detail the identified risks and compliance requirements, give clear recommendations for improving the organization's security posture, and close with an appropriate conclusion. This gives stakeholders a complete picture of what the auditors found and the steps needed to close the gaps the findings reveal.
PORTFOLIO ACTIVITY: CONDUCT A SECURITY AUDIT
1. You reviewed the scope, goals, and risk assessment report.
Yes (CORRECT)
No
Correct!
2. You considered risks to Botium Toys’ customers, employees, and/or assets, based on controls and compliance best practices that are or are not currently implemented.
Yes (CORRECT)
No
Correct
3. You reviewed the control categories document.
Yes (CORRECT)
No
Correct
4. You selected “yes” or “no” for each control listed.
Yes (CORRECT)
No
Correct
5. You selected “yes” or “no” for each compliance best practice.
Yes (CORRECT)
No
Correct
MODULE 2 CHALLENGE
1. What is the purpose of a security framework?
Create security controls to protect marketing campaigns
Establish policies to expand business relationships
Build plans to help mitigate risks and threats to data and privacy (CORRECT)
Develop procedures to help identify productivity goals
Correct
2. Which of the following characteristics are examples of biometrics? Select all that apply.
Eye scan (CORRECT)
Fingerprint (CORRECT)
Palm scan (CORRECT)
Password
Correct
3. Which of the following statements accurately describe the CSF? Select all that apply.
The protect function of the CSF involves returning affected systems back to normal operation.
The identify function of the CSF involves managing cybersecurity risk and its effects on an organization’s people and assets. (CORRECT)
Implementing improvements to a security process is part of the respond function of the CSF. (CORRECT)
The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. (CORRECT)
Correct
4. A security team establishes controls, including permission settings that will be used to create multiple security points that a threat actor must get through to breach their organization. Which OWASP principle does this scenario describe?
Defense in depth (CORRECT)
Separation of duties
Principle of least privilege
Keep security simple
Correct
5. What are some of the primary objectives of an internal security audit? Select all that apply.
Help security teams identify organizational risk (CORRECT)
Avoid fines due to a lack of compliance (CORRECT)
Reduce the amount of data on a network
Determine what needs to be improved in order to achieve the desired security posture (CORRECT)
Correct
6. Fill in the blank: In an internal security audit, _____ involves identifying potential threats, risks, and vulnerabilities in order to decide what security measures should be implemented.
establishing the scope and goals
conducting a risk assessment (CORRECT)
communicating to stakeholders
assessing compliance
Correct
7. A security analyst performs an internal security audit. They determine that the organization needs to install surveillance cameras at various store locations. What are they working to establish?
Physical controls (CORRECT)
Technical controls
Administrative controls
Communication controls
Correct
8. What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.
Comprehensive details about each part of the process
Compliance regulations to be adhered to (CORRECT)
Strategies for improving security posture (CORRECT)
Results and recommendations (CORRECT)
Correct
9. How do organizations use security frameworks to develop an effective security posture?
As a guide to identify threat actor strategies
As a policy to protect against phishing campaigns
As a policy to support employee training initiatives
As a guide to reduce risk and protect data and privacy (CORRECT)
Correct
10. Fill in the blank: A security professional uses _____ to convert data from a readable format to an encoded format.
authentication
encryption (CORRECT)
authorization
confidentiality
Correct
11. You work as a security analyst for a community organization that has large amounts of private data. Which core principle of the CIA triad do you use to ensure private information is kept safe?
Consistency
Integrity
Availability
Confidentiality (CORRECT)
Correct
12. A security team considers how to avoid unnecessarily complicated solutions when implementing security controls. Which OWASP principle does this scenario describe?
Principle of least privilege
Keep security simple (CORRECT)
Defense in depth
Fix security issues correctly
Correct
13. Fill in the blank: The planning elements of an internal security audit include establishing scope and _____, then conducting a risk assessment.
goals (CORRECT)
limitations
controls
compliance
Correct
14. What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.
Strategies for improving security posture (CORRECT)
Existing risks that need to be addressed now or in the future (CORRECT)
Detailed data about past cybersecurity incidents
A summary of the goals (CORRECT)
Correct
15. What does a security professional use to create guidelines and plans that educate employees about how they can help protect the organization?
Security hardening
Security posture
Security framework (CORRECT)
Security audit
Correct
16. Fill in the blank: An employee using multi-factor authentication to verify their identity is an example of the _____ process.
encryption
integrity
confidentiality
authentication (CORRECT)
Correct
17. What are some of the primary objectives of an internal security audit? Select all that apply.
Limit traffic on an organization’s firewall
Enable security teams to assess controls (CORRECT)
Identify any security gaps or weaknesses within an organization (CORRECT)
Help security teams correct compliance issues (CORRECT)
Correct
18. You work as a security analyst at a bank and need to ensure that customers can access their account information. Which core principle of the CIA triad are you using to confirm their data is accessible to them?
Integrity
Accuracy
Availability (CORRECT)
Confidentiality
Correct
19. Which of the following statements accurately describe the CSF? Select all that apply.
The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. (CORRECT)
Restoring affected files or data is part of the recover function of the CSF. (CORRECT)
The identify function of the CSF involves returning affected systems back to normal operation.
The detect function of the CSF involves improving monitoring capabilities to increase the speed and efficiency of detections. (CORRECT)
Correct
20. A security team has just finished addressing a recent security incident. They now conduct tests to ensure that all of their repairs were successful. Which OWASP principle does this scenario describe?
Fix security issues correctly (CORRECT)
Minimize attack surface area
Principle of least privilege
Separation of duties
Correct
21. A security analyst performs an internal security audit. They focus on the human component of cybersecurity, such as the policies and procedures that define how their company manages data. What are they working to establish?
Ownership (CORRECT)
Accounting
Characteristic (CORRECT)
Knowledge (CORRECT)
22. What information is typically communicated to stakeholders after completion of an internal security audit? Select three answers.
Questions about specific controls
Results and recommendations (CORRECT)
A summary of the scope (CORRECT)
A list of existing risks (CORRECT)
Correct
23. Fill in the blank: A security professional uses _____ to verify that an employee has permission to access a resource.
integrity
authorization (CORRECT)
admission
encryption
Correct
24. Fill in the blank: In an internal security audit, _____ refers to identifying people, assets, policies, procedures, and technologies that might impact an organization’s security posture.