# The Official (ISC)2 CCSP CBK Reference

![rw-book-cover](https://m.media-amazon.com/images/I/414OBLXNk5S._SY160.jpg)

## Metadata

- Author: [[Leslie Fife, Aaron Kraus, and Bryan Lewis]]
- Full Title: The Official (ISC)2 CCSP CBK Reference
- Category: #books

## Highlights

- In a very real sense, the customer is the individual the particular service model was created to support. ([Location 596](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=596))
- Note: User, dev, admin for SaaS, PaaS, IaaS
- The customer has ultimate responsibility for the security of their customer and other sensitive data and how they use the cloud and cloud components. ([Location 608](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=608))
- A broker adds value through aggregation of services from multiple parties, integration of services with a company's existing infrastructure, and customization of services that a CSP cannot or will not make. ([Location 628](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=628))
- Security of systems and data is a shared responsibility between the customer and service provider. ([Location 843](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=843))
- There are three cloud deployment models and one hybrid model. The hybrid model is a combination of any two or more other deployment models. ([Location 875](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=875))
- The primary advantage to a private cloud is security. With more control over the environment and only one customer, it is easier to avoid the security issues of multitenancy. And when the cloud is internal to the organization, a secure wipe of hardware becomes a possibility. ([Location 899](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=899))
- With the concern over vendor lock-in, interoperability is a primary consideration.
  Interoperability creates the ability to communicate with and share data across multiple platforms and between traditional and cloud services provided by different vendors. ([Location 930](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=930))
- Data portability is focused on the ability to move data between traditional and cloud services or between different cloud services without having to port the data under challenging and lossy methods or significant changes to either service or the loss of metadata. ([Location 936](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=936))
- Architecture portability is concerned with the ability to access and run a cloud service from a wide variety of devices, running different operating systems. ([Location 942](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=942))
- Reversibility is a measure of the extent your cloud services can be moved from one cloud environment to another. ([Location 945](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=945))
- Resilience is the ability to continue operating under adverse or unexpected conditions. This ([Location 979](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=979))
- The major performance concerns are network availability and bandwidth. ([Location 990](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=990))
- A CSP will rarely allow a customer to perform an audit on their controls. Instead, independent third parties will perform assessments that are provided to the customer. ([Location 1035](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1035))
- These are physical access control, technical access control, and administrative access control. ([Location 1172](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1172))
- Create: This is the creation of new content or the modification of existing content.
  Store: This generally happens at creation time. This involves storing the new content in some data repository, such as a database or file system. Use: This includes all the typical data activities such as viewing, processing, and changing. Share: This is the exchange of data between two entities or systems. Archive: Data is no longer used but is being stored. Destroy: Data has reached the end of its life, as defined in a data retention policy or similar guidance. It is permanently destroyed. ([Location 1293](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1293))
- The BCP may focus on critical business processes necessary to keep the business going while disaster recovery takes place. A disaster recovery plan (DRP) is focused on returning to normal business operations. This can be a lengthy process. The two plans work together. ([Location 1305](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1305))
- Cloud computing is not always the correct solution. Which is the correct solution is a business decision guided by a cost-benefit analysis. Cloud computing benefits include reduced capital costs ([Location 1327](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1327))
- Operational expenses, such as the cost of cloud computing, can usually be written off as a business expense in the year the expense is incurred. ([Location 1332](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1332))
- Portability means that the movement between environments is possible. Portable movement will move services and data seamlessly and may be automated. ([Location 1352](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1352))
- With customers using a variety of cloud services, often from different vendors, interoperability is an important consideration. ([Location 1357](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1357))
- vendor lock-in.
  This occurs when a customer is tied to a specific CSP and moving would incur significant costs including financial, technical, and legal. ([Location 1368](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1368))
- In the Shared Responsibility Model, the customer is responsible for their data and may have some responsibility for the APIs. All other layers are the responsibility of the CSP. ([Location 1400](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1400))
- PCI is contractual compliance between the major credit card companies and the vendor. ([Location 1454](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1454))
- Common Criteria (CC) is an international set of guidelines and specifications to evaluate information security products. There are two parts to CC: ([Location 1465](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1465))
- Protection profile: Defines a standard set of security requirements for a specific product type, such as a network firewall. This creates a consistent set of standards for comparing like products. Evaluation assurance level: Scored from level 1 to 7, with 7 being the highest. This measures the amount of testing conducted on a product. ([Location 1467](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1467))
- Being considered FIPS-validated requires testing by one of a few specified labs through four levels of testing. Sometimes a product is referred to as FIPS-compliant, which is a much lower bar, indicating some components of the product have been tested, but perhaps not the entire product. It is important to read the fine print. Validated and compliant are not the same thing. A CCSP should also become familiar with the new FIPS 140-3, which will be replacing FIPS 140-2 over the next several years.
  ([Location 1486](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1486))
- the CSP is always responsible for the physical security of the infrastructure, while the consumer retains control over the identity and access management concerns of their applications and services. When it comes to securing data stored in the cloud, the most important thing to remember is that the consumer is always ultimately accountable, ([Location 1503](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1503))
- Data dispersion refers to a technique used in cloud computing environments of breaking data into smaller chunks and storing them across different physical storage devices. ([Location 1587](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1587))
- the data stored in it is lost when the virtual machine (VM) is powered down. Ephemeral storage ([Location 1626](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1626))
- Raw device mapping (RDM) is a form of virtualization that allows a particular cloud VM to access a storage logical unit number (LUN). ([Location 1628](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1628))
- Object storage is similar to accessing a Unix sharepoint or Windows file server on a network. Data is stored and retrieved as objects, often in the form of files, and users are able to interact with the data objects using file browsers. ([Location 1637](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1637))
- Blobs are unstructured data; that is to say, data that does not adhere to a particular data model like the columns in a database. ([Location 1650](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1650))
- Blob storage services such as AWS Simple Storage Service (S3) and Azure Blob Storage apply these concepts to large volumes of blob data and typically make it available to applications or users via a URL.
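
The data-dispersion highlight above only gives the definition. The following added example (my code, not the book's or any CSP's) shows the mechanics: an object is split into k chunks plus one XOR parity chunk, each meant for a different storage device, and any k of the k+1 chunks rebuild the original. The payload, the in-memory "devices" and the 4-byte length header are constructed for illustration; real object stores use Reed-Solomon erasure codes that survive several simultaneous losses, of which single XOR parity is the simplest case. Chunks here are plaintext: dispersion gives availability, not confidentiality, so encrypt before dispersing.

```python
import hashlib
from typing import Dict


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def disperse(data: bytes, k: int) -> Dict[int, bytes]:
    """Split `data` into k equal data chunks (ids 0..k-1) plus one XOR
    parity chunk (id k). Each id is meant to land on a different device.
    A 4-byte length header lets reassembly strip the zero padding."""
    if k < 2:
        raise ValueError("k must be at least 2")
    framed = len(data).to_bytes(4, "big") + data
    size = -(-len(framed) // k)                      # ceil(len / k)
    framed += b"\x00" * (size * k - len(framed))     # pad to k equal chunks
    chunks = {i: framed[i * size:(i + 1) * size] for i in range(k)}
    parity = bytes(size)
    for chunk in chunks.values():
        parity = _xor(parity, chunk)
    chunks[k] = parity
    return chunks


def reassemble(available: Dict[int, bytes], k: int) -> bytes:
    """Rebuild the original from any k of the k+1 chunks. A missing data
    chunk is the XOR of the parity chunk with the surviving data chunks."""
    if len(available) < k:
        raise ValueError("need at least %d chunks, have %d" % (k, len(available)))
    present = {i: c for i, c in available.items() if i < k}
    missing = [i for i in range(k) if i not in present]
    if missing:                     # at most one, since len(available) >= k
        rebuilt = available[k]      # the parity chunk must then be present
        for chunk in present.values():
            rebuilt = _xor(rebuilt, chunk)
        present[missing[0]] = rebuilt
    framed = b"".join(present[i] for i in range(k))
    length = int.from_bytes(framed[:4], "big")
    return framed[4:4 + length]


def fingerprint(data: bytes) -> str:
    """SHA-256 of the object, recorded at dispersal time so a reassembled
    copy can be checked for integrity after a device is lost or replaced."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed payload standing in for a customer record.
    payload = b"customer=acme;region=eu-west;balance=1024.50"
    chunks = disperse(payload, k=4)
    original = fingerprint(payload)
    # Simulate losing device 2 (a data chunk), then device 4 (the parity).
    for lost in (2, 4):
        survivors = {i: c for i, c in chunks.items() if i != lost}
        assert fingerprint(reassemble(survivors, k=4)) == original
    print("recovered after single-device loss; chunk size", len(chunks[0]))
```

Losing two devices at once defeats single parity (`reassemble` raises), which is exactly why production erasure coding uses more parity chunks; the trade-off is the extra storage each parity chunk costs.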
  ([Location 1653](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1653))
- Information storage and management: This storage type allows users to enter data and manipulate it via a web GUI. The data is stored in a database managed by the CSP and often exists in a multitenant environment, with all details abstracted from the users. Content and file storage: Data is stored in the SaaS app in the form of files that users can create and manipulate. Examples include filesharing and collaboration apps, as well as custom apps that allow users to upload or attach documents such as ticketing systems. Content delivery network (CDN): ([Location 1662](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1662))
- Note: SaaS storage
- According to the shared responsibility model published by the major CSPs, consumers are responsible for securing their own data. Under most privacy legislation, the data owner, who is usually the cloud consumer, is ultimately accountable and legally liable for data breaches. ([Location 1719](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1719))
- a cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Known as Kerckhoffs's principle, ([Location 1734](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1734))
- Hashing, sometimes known as one-way encryption, is a tool primarily associated with the integrity principle of the CIA triad. ([Location 1785](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1785))
- The signing party calculates a hash and encrypts the hash value with their private key. ([Location 1791](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1791))
- FIPS 180-4, Secure Hash Standard (SHS), provides guidance on the Secure Hash Algorithm (SHA-3).
  ([Location 1805](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1805))
- Data masking can be useful in preventing unintended disclosures by limiting the amount of data displayed. ([Location 1814](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1814))
- Unstructured data can present problems for masking, as well as tokenization, obfuscation, and de-identification. When data is structured in a database, it is easy to identify and apply these techniques. Unstructured data can be stored in files, free-form text or comment fields in databases, or in applications that store data objects without structure. ([Location 1817](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1817))
- Tokenization is a process whereby a nonsensitive representation of sensitive data, otherwise known as a token, is created and used. The token is a substitute to be used in place of more sensitive data like a credit card number, ([Location 1825](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1825))
- The token is returned to the original application, which stores it instead of the original sensitive data. Any time the sensitive data is required, the token and appropriate credentials can be used to access it. Otherwise, the sensitive data is never revealed, as the tokenization service should be tightly access controlled. ([Location 1843](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1843))
- Obfuscation is similar to data masking but is more often implemented when sensitive data needs to be used in a different situation. For example, obfuscation can remove or replace sensitive data elements when data from a live production system is copied for testing purposes. ([Location 1904](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1904))
- null values. A similar practice is redaction, where a document's sensitive contents are simply blacked out.
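
The masking, tokenization and obfuscation highlights above describe three distinct controls that are easy to blur together. The following added example (my code, not the book's or any tokenization vendor's) puts all three side by side on one constructed card record: masking limits what is displayed and is irreversible; the token vault hands out random tokens and releases the real number only to a caller presenting a detokenization credential, with every attempt audited; obfuscation scrubs a production copy for a test environment while keeping joins workable. The vault, the credential, the test card number and the salt are all assumptions for illustration; a production vault sits in its own PCI-scoped system and the token format follows the provider's scheme.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample record: a test card number, not a real customer.
SAMPLE_RECORD = {
    "name": "Ada Lovelace",
    "email": "ada@example.com",
    "pan": "4111111111111111",
    "address": "1 Analytical Engine Way",
}


def mask_pan(pan: str, visible: int = 4) -> str:
    """Masking: limit what is displayed. Only the last `visible` digits
    survive; everything else becomes '*'. Not reversible, so safe for
    screens, receipts and logs."""
    if not pan.isdigit() or len(pan) <= visible:
        raise ValueError("PAN must be numeric and longer than %d digits" % visible)
    return "*" * (len(pan) - visible) + pan[-visible:]


class TokenVault:
    """Tokenization: callers store the token, the vault keeps the PAN.
    Tokens are random (not derived from the PAN), so a leaked token table
    reveals nothing; only the vault maps token -> PAN, and only for callers
    presenting the detokenization credential."""

    def __init__(self, detokenize_secret: bytes):
        self._secret = detokenize_secret
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}   # reuse one token per PAN
        self.audit: List[str] = []                 # who asked for what

    def tokenize(self, pan: str) -> str:
        mask_pan(pan)                              # validates the format
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Format-preserving: 12 random digits + real last 4, so apps can
            # show "ending in 1111" without a vault round-trip.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token not in self._pan_by_token and token != pan:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, credential: bytes) -> str:
        """Only the payment-processing path should hold `credential`.
        compare_digest keeps the check constant-time; every attempt is audited."""
        if not hmac.compare_digest(credential, self._secret):
            self.audit.append("DENY detokenize ...%s" % token[-4:])
            raise PermissionError("caller not authorized to detokenize")
        self.audit.append("ALLOW detokenize ...%s" % token[-4:])
        return self._pan_by_token[token]


def obfuscate_for_test(record: dict, salt: bytes) -> dict:
    """Obfuscation: scrub a production copy before it goes to a test
    environment. Name and email become salted-hash stand-ins (the same input
    always maps to the same stand-in, so joins across tables still work),
    the PAN is masked and the address is nulled."""
    def stand_in(value: str, prefix: str) -> str:
        digest = hashlib.sha256(salt + value.encode("utf-8")).hexdigest()[:10]
        return "%s_%s" % (prefix, digest)

    scrubbed = dict(record)
    scrubbed["name"] = stand_in(record["name"], "user")
    scrubbed["email"] = stand_in(record["email"], "mail") + "@example.invalid"
    scrubbed["pan"] = mask_pan(record["pan"])
    scrubbed["address"] = None
    return scrubbed


if __name__ == "__main__":
    vault = TokenVault(detokenize_secret=secrets.token_bytes(32))
    token = vault.tokenize(SAMPLE_RECORD["pan"])
    print("stored in app DB:", token, "displayed:", mask_pan(SAMPLE_RECORD["pan"]))
    print("test copy:", obfuscate_for_test(SAMPLE_RECORD, salt=b"per-environment-salt"))
```

The salted stand-ins in `obfuscate_for_test` are the unstructured-data caveat in practice: the scrub only works because the record has known fields; a free-text notes column could still carry the name or number and would need a separate redaction pass.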
  ([Location 1920](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1920))
- (often pseudonymisation due to its presence in the EU GDPR and use of British English spellings by European translators) is a process of obfuscating data with the specific goal of reversing the obfuscation later. ([Location 1933](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1933))
- eDiscovery, which deals with collecting evidence in legal situations, ([Location 1961](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1961))
- A lake is an unstructured data storage mechanism with data often stored in files or blobs, while a warehouse is structured storage in which data has been normalized to fit a defined data model. ([Location 1977](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1977))
- Normalization is the process of taking data with different formats—for example one system that stores MM-DD-YYYY and another that uses YYYY-MM-DD—and converting it to a common format. This is often known as extract, transform, load (ETL), as the data is extracted from sources like databases or apps, transformed to meet the warehouse's data model, and loaded into warehouse storage. Normalizing data improves searchability. ([Location 1979](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=1979))
- Structured data refers to data that has been formatted in a consistent way. This often takes the form of a database where all records conform to a known structure: data is separated into columns, and each row contains the same type of information in the same place. ([Location 2009](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2009))
- Each classification level should have an associated set of control expectations, ([Location 2074](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2074))
- PII.
  Examples include the EU GDPR and Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) laws, which broadly cover PII, and the U.S. Gramm-Leach-Bliley Act (GLBA), which covers banking uses of PII. ([Location 2148](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2148))
- (PHI): Defined and governed primarily by the U.S. HIPAA, though personal health records are considered PII by most global privacy laws such as GDPR. ([Location 2150](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2150))
- referred to as a cardholder data environment, or CDE): Defined and regulated by PCI DSS, it provides guidance on the handling, processing, and limited allowable storage of information related to credit and debit cards and transactions. ([Location 2151](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2151))
- Most IRM solutions are designed to function using an access control list (ACL) for digital files, which specifies users and authorized actions such as reading, modifying, printing, or even onward sharing. ([Location 2193](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2193))
- IRM systems should ideally possess a number of attributes, including the following: ([Location 2196](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2196))
- Data archiving is a subset of retention typically focused on long-term storage of data not required for active processing or that has historical value and may therefore have high integrity requirements. ([Location 2247](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2247))
- The costs associated with this storage can be significant, so CSPs offer a variety of storage services that balance cost and retrieval speeds; typically the solutions offer a combination of either low price/retrieval speed or higher price and quick retrieval.
  As an example, Amazon Simple Storage Service (S3) offers higher-priced S3 Standard, where retrieval is in real time, or lower-priced S3 Glacier, where retrieval time ranges from 1 minute to 12 hours. Similarly, Microsoft's Azure Blob Storage offers Hot, Cool, and Archive tiers, in order of higher cost/retrieval speed to lower cost/speed. ([Location 2274](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2274))
- HIPAA: Affects all U.S. residents and specifies a six-year retention period for documents, such as policies and procedures, relevant to the HIPAA compliance program. Retention of patient medical data is not directly mentioned in HIPAA but is specified by many state-level laws that require medical records be retained for as long as a patient is active and then for a set period of time thereafter. ([Location 2295](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2295))
- EU GDPR: Affects data of EU citizens; it does not set a specific retention period but rather provides for indefinite retention so long as a data subject has given consent and the organization has a legitimate need for the data. If consent is revoked or the organization must act on the revocation by deleting, destroying, or anonymizing the data. ([Location 2298](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2298))
- defines three categories of deletion actions for various types of media to achieve defensible destruction—the steps required to prove that adequate care was given to prevent a breach of data confidentiality. ([Location 2337](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2337))
- secure destruction of the cryptographic key to render data unreadable.
  This is effectively a positive denial-of-service attack and is often the only option available for cloud-based environments due to loss of physical control over storage media, the use of SSDs for storage that cannot be reliably overwritten, and the dispersion of data in cloud environments. ([Location 2350](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2350))
- Note: Clear, purge, destroy; clear is straight delete, purge is crypto-shredding
- The primary concern regarding information event sources in cloud services is the accessibility of the data, which will vary by the cloud service model in use. ([Location 2424](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2424))
- is vital to establish a chain of custody, or a defensible record of how evidence was handled and by whom, from its collection to its presentation as evidence. ([Location 2485](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2485))
- Chain of custody and evidence integrity do not imply that data has not changed since collection, but instead they provide convincing proof that it was not tampered with in a way that damages its reliability. ([Location 2488](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2488))
- To provide security to the software-defined network, you will need to manage both certificates and communication between the VM management plane and the data plane. This includes authentication, authorization, and encryption. ([Location 2638](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2638))
- You retain responsibility for this data and cannot rely on the CSP to securely wipe the physical storage areas. Compensating controls for the lack of physical control of the storage medium include only storing data in an encrypted fashion and employing crypto shredding when the data is no longer needed.
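
The two crypto-shredding highlights above (key destruction as the "purge" action, and encrypt-then-shred as the compensating control for media you cannot wipe) describe a pattern that is clearer in code. The following added example is mine, not the book's or any CSP's: an object store in which nothing is ever written in plaintext, each object has its own data-encryption key (DEK), every DEK is stored wrapped under a key-encryption key (KEK) held outside the storage layer, and deleting a DEK or the KEK makes the ciphertext unrecoverable wherever copies of it remain. The cipher is a toy authenticated construction built from HMAC-SHA256 so the example runs on the Python standard library alone; in production use AES-GCM with the KEK in a KMS or HSM, and the shredding logic stays the same. The store, the key sizes and the customer record are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag), used
    only so this runs without third-party libraries. Output: nonce|ct|tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class EncryptedObjectStore:
    """Envelope encryption: each object gets its own DEK; every DEK is stored
    wrapped under the KEK, which lives outside the storage system (KMS/HSM
    in practice). The CSP only ever holds `blobs` and `wrapped_deks`,
    never plaintext or a bare key."""

    def __init__(self, kek: bytes):
        self._kek: Optional[bytes] = kek
        self.blobs: Dict[str, bytes] = {}          # what the CSP stores
        self.wrapped_deks: Dict[str, bytes] = {}   # DEKs encrypted under KEK

    def put(self, name: str, data: bytes) -> None:
        if self._kek is None:
            raise RuntimeError("KEK destroyed; store is shredded")
        dek = secrets.token_bytes(32)
        self.blobs[name] = seal(dek, data)
        self.wrapped_deks[name] = seal(self._kek, dek)

    def get(self, name: str) -> bytes:
        if self._kek is None:
            raise RuntimeError("KEK destroyed; store is shredded")
        if name not in self.wrapped_deks:
            raise KeyError("no key for %r: object was crypto-shredded" % name)
        dek = open_sealed(self._kek, self.wrapped_deks[name])
        return open_sealed(dek, self.blobs[name])

    def shred_object(self, name: str) -> None:
        """Destroy one object by destroying its DEK. Replicas, snapshots and
        backups of the ciphertext can stay exactly where they are."""
        del self.wrapped_deks[name]

    def shred_all(self) -> None:
        """Destroy the KEK: every wrapped DEK, and so every object, becomes
        unrecoverable in one step (end of contract, region exit, breach)."""
        self._kek = None


if __name__ == "__main__":
    store = EncryptedObjectStore(kek=secrets.token_bytes(32))
    store.put("customers.csv", b"alice,4111111111111111\n")   # constructed record
    backup_copy = store.blobs["customers.csv"]                  # a snapshot the CSP keeps
    store.shred_object("customers.csv")
    assert store.blobs["customers.csv"] == backup_copy          # ciphertext untouched
    print("object shredded; ciphertext still present but unreadable")
```

What makes this defensible destruction rather than a mere delete is the audit trail around it: the KMS log showing the key-destroy call, plus the inventory proving every copy of the object was written under that key and never in the clear.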
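
The hashing highlight earlier (integrity) and the two chain-of-custody highlights above come together in one small structure. The following added example is mine, not the book's or any forensic tool's: the evidence is hashed once at acquisition, every custody event (hand-off, imaging, storage) re-hashes the evidence as received and commits to the previous entry's digest, so the log is a hash chain. Editing an entry, dropping one, or handing over modified evidence all show up on verification, which is the "convincing proof it was not tampered with" the book asks for. The case and evidence identifiers, handler names, timestamps and the evidence bytes are constructed; a real workflow would also sign the log or keep it on a write-once store so the chain itself cannot be silently regenerated.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def evidence_hash(data: bytes) -> str:
    """Acquisition hash: computed once, at collection, ideally from behind a
    write blocker, and carried in every custody entry from then on."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record. Each entry commits to the previous entry's
    digest, so editing, reordering or dropping an entry breaks verification
    of everything after it."""

    GENESIS = "0" * 64

    def __init__(self, case_id: str, evidence_id: str, acquired_hash: str,
                 collector: str, when: Optional[str] = None):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.entries: List[dict] = []
        self._append(collector, "acquired", acquired_hash, when)

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "digest"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def _append(self, handler: str, action: str, current_hash: str,
                when: Optional[str]) -> None:
        entry = {
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "case": self.case_id,
            "evidence": self.evidence_id,
            "handler": handler,
            "action": action,
            "evidence_hash": current_hash,
            "prev": self.entries[-1]["digest"] if self.entries else self.GENESIS,
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)

    def record(self, handler: str, action: str, evidence: bytes,
               when: Optional[str] = None) -> None:
        """Every hand-off re-hashes the evidence as received, so a change
        shows up as a mismatch at the entry where it was introduced."""
        self._append(handler, action, evidence_hash(evidence), when)

    def verify(self) -> Tuple[bool, str]:
        """Check the chain links, each entry's digest, and that the evidence
        hash never drifted from the acquisition hash."""
        acquired = self.entries[0]["evidence_hash"]
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False, "chain broken at entry %d" % i
            if self._digest(entry) != entry["digest"]:
                return False, "entry %d was altered after it was written" % i
            if entry["evidence_hash"] != acquired:
                return False, "evidence hash mismatch at entry %d (%s by %s)" % (
                    i, entry["action"], entry["handler"])
            prev = entry["digest"]
        return True, "chain intact over %d entries" % len(self.entries)


if __name__ == "__main__":
    image = b"constructed disk image bytes 0001"        # stands in for a .E01/.dd
    log = CustodyLog("CASE-42", "EV-1", evidence_hash(image), collector="alice")
    log.record("bob", "transferred to lab", image)
    log.record("carol", "imaged for analysis", image)
    print(log.verify())
```

Storing the log as JSON lines with the digests lets a reviewer re-run `verify` independently of whoever produced it; the comparison that matters in court is the acquisition hash against the hash of what is presented.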
  ([Location 2661](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2661))
- Secure baseline configurations can provide a more secure environment for the data center. ([Location 2723](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2723))
- Note: standard patterns
- The preferred report is a SOC-2 Type-2 report. ([Location 2836](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2836))
- Other useful attestations are ISO 27017 (Cloud Security) and ISO 27018 (Privacy) ([Location 2837](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2837))
- If the hypervisor is compromised, all VMs on the hypervisor may be compromised. ([Location 2857](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2857))
- VM sprawl is also a risk. Members of the workforce may create VMs for projects and forget to close them down when done. VM sprawl increases the attack surface as these unused VMs may not be actively monitored, so malicious use may go unnoticed. The increase in the overall number of VMs can also balloon costs to the organization unexpectedly. ([Location 2859](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2859))
- Azure provides a similar tool in Microsoft Cloud Monitoring (MCM). This tool will monitor Azure applications, analyze log files, and alert customers to potential threats. ([Location 2943](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2943))
- packet capture on a cloud vendor or CSP using traditional tools like Wireshark is not generally possible. ([Location 2982](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2982))
- what is essentially a virtual tap. ([Location 2992](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=2992))
- Computing becomes an operational expense (OPEX) rather than a capital expense (CAPEX).
  ([Location 3007](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3007))
- Three ways we measure the business capabilities are RTO or how long are you down, RPO or how much data may you lose, and recovery service level (RSL), which measures how much computing power (0 to 100 percent) is needed for production systems during a disaster. ([Location 3043](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3043))
- A BCP may be executed following an event that falls short of being a disaster. ([Location 3084](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3084))
- Tests should be both scheduled and a surprise. ([Location 3181](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3181))
- While developing a plan, regular tabletops and walk-throughs can help flesh out a more robust plan. ([Location 3191](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3191))
- A more substantial test is a simulation. Like a fire drill ([Location 3193](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3193))
- The next level of testing is a parallel test. ([Location 3196](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3196))
- The most robust level of testing is a full cutover test. In this test, the disaster is simulated in full. ([Location 3201](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3201))
- the CSA (cloudsecurityalliance.org) has published the top threats to cloud computing. The ([Location 3268](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3268))
- OWASP Top 10 (owasp.org) ([Location 3279](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3279))
- The SDLC has several phases. These steps are Requirements, Design, Development, Testing, Deployment, and Operations and Maintenance (O&M).
  ([Location 3293](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3293))
- Similar to the popular NIST Cybersecurity Framework (CSF), the NIST Secure Software Development Framework (SSDF) defines and describes secure software development practices (nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04232020.pdf ([Location 3299](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3299))
- SSDLC is a collection of best practices focused on adding security to the standard SDLC. ([Location 3356](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3356))
- QA occurs at each phase, ensuring continuous improvement and quality tracking. Testing (often automated testing) is tied to both functional and security requirements developed in the requirements phase and specified by the security architecture and strategy. For QA to be effective, further functional and requirements testing should be performed. QA should be involved in load testing, performance testing, stress testing, and vulnerability management. ([Location 3460](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3460))
- The ability to quickly and accurately perform audits is an important role of SCM. Configuration management and versioning ([Location 3513](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3513))
- The primary categories of testing that lead up to functional testing are unit testing, integration testing, and usability testing. ([Location 3536](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3536))
- Unit testing: This is testing by a developer on modules being developed as part of a larger system. All paths through the module need to be tested. Integration testing: As modules are combined, integration testing ensures that the modules work together. As additional modules are added, we get ever closer to functional testing.
  Usability testing: This testing uses customers in a production-like environment to get feedback on the interaction between the user and the system. ([Location 3537](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3537))
- Regression testing is done during the maintenance phase of software development to ensure that modifications to the software application (for example, to fix bugs or enhance the software) do not reduce current functionality, add new vulnerabilities, or reintroduce previous bugs and vulnerabilities that have been fixed. ([Location 3559](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3559))
- White-box testing: Tests the internal structures of the software. This requires access to the software. Static application security testing (SAST) is a form of white-box testing. Gray-box testing: Tests a system with limited information about the application. The tester does not have access to the code but will have knowledge of things such as algorithms and architectures. It is primarily used in integration and penetration testing. Black-box testing: Tests a system with no knowledge of the code, algorithms, or architecture. Dynamic Application Security Testing (DAST) is a form of black-box testing. ([Location 3569](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3569))
- Another tool often discussed with SAST, DAST, and IAST is Runtime Application Self-Protection (RASP). RASP is less a test and more of a security tool. RASP runs on a server and works whenever the application is running. ([Location 3588](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3588))
- Fourth party refers to a third party's third party, such as if your vendor uses a separate, independent vendor to provide you a service. ([Location 3643](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3643))
- The traditional application architecture is a three-tier client-server model.
  In cloud computing, we have some additional choices. These include microservices, cloud native, serverless, and cloud-based architectures. ([Location 3670](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3670))
- By filtering HTTP/HTTPS traffic, a WAF helps protect against SQL injection, cross-site scripting (XSS) and cross-site forgery, and other attacks. ([Location 3696](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3696))
- In addition to application monitoring and protecting from web attacks, DAM also provides privileged user monitoring. ([Location 3706](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3706))
- These tools do more than monitor database usage. They can monitor privileged use, data discovery, data classification, and other database needs. Some DAM toolsets also provide assistance in compliance to contractual and regulatory requirements such as PCI DSS, HIPAA, and GDPR. ([Location 3708](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3708))
- Sandboxes provide two primary security benefits. These include sandboxes for developers and sandboxes for secure execution of code. ([Location 3757](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3757))
- OAuth2 was developed to provide authorization with web applications and mobile devices. SAML is an XML-based authentication service well-suited for authentication between the identity provider and a service provider. LDAP is designed to work well with directory services, like Active Directory (AD). ([Location 3799](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3799))
- A definition of TPM is provided in ISO/IEC 11889, ([Location 3934](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=3934))
- Clusters are a grouping of resources with some coordinating element, often a software agent that facilitates communication, resource sharing, and routing of tasks among the cluster.
  Clustered hosts can offer a number of advantages, including high availability via redundancy, optimized performance via distributed workloads, and the ability to scale resources without disrupting processing via addition or removal of hosts to the cluster. ([Location 4279](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=4279))
- 27050: ISO 27050 is a four-part standard within the broader ISO 27000 family of information security standards. Part 1, Overview and concepts, defines terms and requirements for organizations to consider when planning for and implementing digital forensics to support e-discovery. Part 2, Guidance for governance and management of electronic discovery, offers a framework for directing and maintaining e-discovery programs, with correlation to other elements of the 27000 framework for managing information security. Part 3, Code of practice for electronic discovery, provides detailed requirements for achieving e-discovery objectives in alignment with the standard, including evidence management and analysis. Part 4, Technical readiness, is under development as of 2020 and is designed to provide more discrete guidance on enabling various systems and architectures to support digital forensics. ([Location 5111](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5111))
- tools such as write blockers should be used; these devices allow for read-only access to devices and prevent writing to them. Even the simple act of connecting a drive to a modern OS causes files such as a search index to be written, ([Location 5257](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5257))
- The first step in establishing communications with vendors is an inventory of critical third parties on which the organization depends.
([Location 5289](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5289)) - The CISO Mind Map published by security author Rafeeq Rehman, found at rafeeqrehman.com/?s=mindmap, provides a more information-security-centric view of security operations than ISO 18788. Updated each year, the Mind Map details the items that a CISO's role should cover; the largest element of the job responsibilities is security operations, which is broken down into three main categories. ([Location 5427](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5427)) - Two particular threats stand out for extra attention in this category. The first is data breach preparation, which encompasses the majority of incident response planning activities, business continuity planning, logging and monitoring functions, and the recently included cyber risk insurance. Insurance represents a form of risk transfer, which helps to shift the impact of a risk from the organization to another party, in ([Location 5460](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5460)) - Preventative steps can include file integrity monitoring, designed to detect unwanted changes such as ransomware encrypting files or even the malware being installed. ([Location 5467](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5467)) - newer concept is known as continuous monitoring, which is described in the NIST SP 800-37 Risk Management Framework (RMF) as “Maintaining ongoing awareness to support organizational risk decisions.” Information that comes from an audit conducted more than a year ago is not ongoing awareness. Instead, the RMF specifies the creation of a continuous monitoring strategy for getting near real-time risk information. 
([Location 5520](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5520)) - for example, responding to a ransomware attack by isolating any affected machines and working to establish how the malware was installed. Once this is ascertained, deploying techniques for preventing other machines from being affected may be more important than recovering data on machines that have already been compromised. ([Location 5702](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5702)) - In these cases, the incident may need to be upgraded to an interruption, which is an event whose impact is significant enough to disrupt the organization's ability to achieve its goals or mission. A few users with malware infections on their workstations is an incident that can likely be handled by normal IT resources, but an outbreak affecting all critical systems and a large percentage of users is likely to require more resources. ([Location 5727](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5727)) - Challenges of conflicting law, such as EU GDPR and the U.S. CLOUD Act, one of which requires privacy and the other that mandates disclosure. ([Location 5837](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5837)) - Payment Card Industry Data Security Standard (PCI DSS): The current standard version 3.2 affects companies that accept, process, or receive electronic payments. ([Location 5948](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5948)) - Sarbanes–Oxley Act (SOX): This law was enacted in 2002 and sets requirements for U.S. public companies to protect financial data when stored and used. It is intended to protect shareholders of the company as well as the general public from accounting errors or fraud within enterprises. ([Location 5952](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5952)) - Gramm–Leach–Bliley Act (GBLA): U.S. 
federal law that requires financial institutions to explain how they share and protect their customers' private information. ([Location 5957](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5957)) - Statutory requirements are required by law. U.S. federal laws, such as HIPAA, GLBA, and SOX outlined in the previous section Additional federal laws such as the Family Education Rights and Privacy Act (FERPA), which deals with privacy rights for students, and the Federal Information Security Management Act (FISMA), which protects federal data privacy State data privacy laws, which now exist in all 50 states as well as U.S. territories International laws, which we will discuss in a later section covering country-specific laws ([Location 5968](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5968)) - Regulatory requirements may also be required by law, but refer to rules issued by a regulatory body that is appointed by a government entity. In the United States, many regulatory examples exist, mostly dealing with contractor compliance to do business with the government. An example would be security requirements outlined by NIST that are necessary to handle government data (such as NIST 800-171). At the state level, several states use regulatory bodies to implement their cybersecurity requirements. One example is the New York State Department of Financial Services (NY DFS) cybersecurity framework for the financial industry (23 NYCRR 500). There are numerous international requirements dealing with cloud legal requirements (including APEC and GDPR). ([Location 5973](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=5973)) - Tags: [[pink]] - Cloud Security Alliance: The CSA Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery highlights some of the legal aspects raised by cloud computing. 
Of particular importance to CCSPs are the guidance provided on negotiating contracts with cloud service providers in regard to eDiscovery, searchability, and preservation of data. ([Location 6045](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6045)) - Tags: [[pink]] - ISO/IEC 27037:2012: This provides guidelines for the handling of digital evidence, which include the identification, collection, acquisition, and preservation of data related to a specific case. ([Location 6048](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6048)) - Tags: [[blue]] - ISO/IEC 27041:2014-01: This provides guidance on mechanisms for ensuring that methods and processes used in the investigation of information security incidents are “fit for purpose.” CCSPs should pay close attention to sections on how vendor and third-party testing can be used to assist with assurance processes. ([Location 6050](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6050)) - ISO-IEC 27042:2014-01: This standard is a guideline for the analysis and interpretation of digital evidence. A CCSP can use these methods to demonstrate proficiency and competence with an investigative team. ([Location 6052](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6052)) - Tags: [[orange]] - ISO/IEC 27043: The security techniques document covers incident investigation principles and processes. This can help a CCSP as a “playbook” for many types of incidents, including unauthorized access, data corruption, system crashes, information security breaches, and other digital investigations. ([Location 6054](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6054)) - Tags: [[pink]] - ISO/IEC 27050-1: This standard covers electronic discovery, the process of discovering pertinent electronically stored information involved in an investigation. 
([Location 6057](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6057)) - Tags: [[blue]] - recognized classification of data that is almost universally regulated. PII is defined by the NIST standard 800-122 as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” ([Location 6078](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6078)) - Protected health information (PHI) was codified under the HIPAA statutes in 1996. Any data that might relate to a patient's health, treatment, or billing that could identify a patient is PHI. ([Location 6084](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6084)) - The Gramm–Leach–Bliley Act (GLBA) of 1999 This U.S. federal law requires financial institutions ([Location 6245](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6245)) - The Stored Communication Act (SCA), as enacted as Title II of the Electronic Communication Privacy Act, created privacy protection for electronic communications (such as email or other digital communications) stored on the Internet. In many ways, this act extends the Fourth Amendment of the U.S. Constitution—the people's right, to be “secure in their persons, houses, papers, and effects, against unreasonable searches and seizures”— ([Location 6255](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6255)) - One key resource for navigating the challenges of cloud compliance that all CCSPs should be familiar with is the Cloud Controls Matrix (CCM) provided by the Cloud Security Alliance (CSA). 
As of this writing, version 4.0 of the CCM (updated August 2019) provides some of the latest guidance in the form of a “Rosetta Stone” mapping control domains to dozens of relevant compliance specifications, including HIPAA, GAPP, FERPA, FedRAMP, ISO 27001, ITAR, NIST, and many others. ([Location 6348](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6348)) - An external auditor is focused on ensuring compliance and therefore does not take on the role of a “trusted advisor” but rather more of regulator with punitive capability. ([Location 6372](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6372)) - A common mnemonic used to remember the NIST CSF control areas is “In Public, Drink Reasonably Responsibly.” See the following site for complete details: www.nist.gov/cyberframework/online-learning/five-functions. ([Location 6586](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6586)) - cloud security professional should be familiar with the ISO 31000:2018 guidance standard, the European Network and Information Security Agency (ENISA)'s cloud computing risk assessment tool, and NIST standards such as 800-146 (cloud computing synopsis and recommendation) and 800-37 (risk management framework for information systems). ([Location 6830](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6830)) - ISO 15408-1:2009: The Common Criteria ([Location 6913](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=6913)) - (www.omg.org/cloud/deliverables/CSCC-Practical-Guide-to-Cloud-Service-Agreements.pdf): ([Location 7022](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=7022)) - ISO 27036: Information Security for Supplier Relationships ([Location 7073](https://readwise.io/to_kindle?action=open&asin=B097NHTQBK&location=7073))
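The file integrity monitoring that the ransomware highlight above recommends, and the evidence-integrity concern behind the write-blocker highlight, both reduce to the same mechanism: record a cryptographic digest of each file at a known-good moment, then re-hash later and compare. The block below is an added example of that baseline-and-compare loop, written for this note; it is not code from the CCSP CBK or from any product the book names. The directory tree it scans is constructed in a temporary folder, and the "bulk change" threshold that flags a scan in which half or more of the baselined files changed at once (the pattern an encryptor leaves) is an assumed value, not a figure from the book.

```python
"""Minimal file integrity monitoring (FIM): baseline, rescan, diff.

Added example, not code from the CCSP CBK. Builds a SHA-256 baseline
for every regular file under a root, compares a later scan against it,
and reports added / removed / modified files. BULK_CHANGE_RATIO is an
assumed threshold for escalating a scan that looks like mass encryption.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024
# Assumption: if this fraction of baselined files changed or vanished in
# one scan, treat it as a bulk-modification event rather than routine edits.
BULK_CHANGE_RATIO = 0.5


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its hex digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # only hash real file content, never link targets
            baseline[str(p.relative_to(root))] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans into sorted added / removed / modified lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current) if baseline[k] != current[k]
    )
    changed = len(modified) + len(removed)
    bulk = bool(baseline) and changed / len(baseline) >= BULK_CHANGE_RATIO
    return {"added": added, "removed": removed,
            "modified": modified, "bulk_change": bulk}


def demo() -> dict:
    """Constructed scenario: baseline a three-file tree, then mutate it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "a.txt").write_text("alpha")
        (root / "docs" / "b.txt").write_text("bravo")
        (root / "c.txt").write_text("charlie")
        baseline = build_baseline(root)

        # Constructed change set in the shape FIM is meant to catch: two
        # files overwritten with opaque bytes, one deleted, one new file.
        (root / "docs" / "a.txt").write_bytes(b"\x00garbled")
        (root / "c.txt").write_bytes(b"\x00garbled")
        (root / "docs" / "b.txt").unlink()
        (root / "dropped.bin").write_bytes(b"\x90\x90")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must live somewhere the monitored host cannot rewrite (a separate store or a signed file), otherwise an attacker who can change files can change the baseline too; the same point is why a forensic image's digest is recorded at acquisition behind a write blocker and checked again before analysis.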