
K201673

70 questions (HIPAA):

Training

1. **Robust and Frequent End-User Cybersecurity Awareness Training:**
   - Yes, comprehensive and regular cybersecurity awareness training sessions are conducted for all employees, covering various threats, safe practices, and reporting procedures.

2. **Teaching Secure Password/Passphrase Storage:**
   - Yes, everyone is educated on securely storing passwords/passphrases, emphasizing the use of password managers and strong passphrase creation.

3. **Quarterly Anti-Phishing, Smishing, and Vishing Campaigns:**
   - Yes, quarterly simulated campaigns are carried out to assess and improve employee resilience against phishing, smishing, and vishing attacks.

4. **Understanding Cybersecurity Risks and Reporting Suspicious Activities:**
   - Yes, all employees are well-informed about cybersecurity risks, common threat tactics, and the process for reporting suspicious activities, which are promptly investigated.

Access Control

1. **Changing or Disabling Vendor Default Accounts:**
   - Yes, vendor default accounts are either changed or disabled before deployment within the network.

2. **Enabling Only Necessary Services, Protocols, and Functions:**
   - Yes, unnecessary services, protocols, and functionalities are regularly reviewed and disabled to minimize potential vulnerabilities.

3. **Removing or Disabling Unnecessary Functionality:**
   - Yes, unnecessary functionalities are removed or disabled to reduce attack surfaces.

4. **Disabling or Deleting Accounts Upon Termination:**
   - Yes, a strict policy is in place to immediately disable or delete accounts upon an employee's termination.

5. **Setting Screen Idle Times and Reauthentication:**
   - Yes, screen idle times are set to 15 minutes, requiring reauthentication to unlock devices.

6. **Providing Password Management Tools:**
   - Yes, end users are provided with a secure password manager, preferably cloud-based, for both home and work use.

7. **Implementing Password/Passphrase Policies:**
   - Yes, strict password/passphrase policies are enforced, eliminating the use of common or easily guessable passwords.

Endpoints

1. **Ingesting Endpoint Logs with Smart Technology:**
   - Yes, endpoint logs are ingested by advanced technologies utilizing threat intelligence and AI for threat detection.

2. **Hardening Endpoints:**
   - Yes, all endpoints undergo hardening processes to remove unnecessary components, enhancing security.

3. **Next Generation Anti-Malware Protection:**
   - Yes, all endpoints are equipped with next-generation anti-malware protection utilizing threat intelligence-based security analytics platforms.

4. **Preventing Non-Enterprise Devices from Network Access:**
   - Yes, non-enterprise devices are prevented from connecting to any part of the network without proper authorization and security measures.

5. **Personal Firewalls for Endpoints:**
   - Yes, all endpoints are equipped with personal firewalls for secure internet access when not connected to the enterprise network.

6. **Ensuring Antivirus Software Installation and Updates:**
   - Yes, all endpoints have antivirus software that cannot be disabled and is automatically updated when new updates are available.

7. **Implementing Next Generation Anti-Malware Applications:**
   - Yes, endpoints are equipped with next-generation anti-malware applications for enhanced protection against evolving threats.

Event Management

1. **Storage of Logs for at Least 2 Years:**
   - Yes, logs are stored for a minimum of two years to meet compliance and investigative requirements.

2. **Logging Devices:**
   - Yes, all devices within the network infrastructure generate logs that are aggregated and stored for analysis.

3. **Daily Log Reviews by Internal/External Sources:**
   - Yes, logs are reviewed daily by internal and/or external sources to identify potential security incidents.

4. **Mature Cybersecurity Incident Response:**
   - Yes, there is a well-organized cybersecurity incident response plan, either in-house or in collaboration with third parties, that thoroughly investigates all incidents following established protocols.

Security Architecture

1. **Tool and Access Allocation:**
   - Yes, employees are provided only the necessary tools and access required for their job functions, following the principle of least privilege.

2. **Principle of Least Privilege (PoLP):**
   - Yes, the PoLP is implemented to restrict access rights for users to the bare minimum permissions required to perform their duties.

3. **Zero Trust Model:**
   - Yes, a zero trust security model is deployed to ensure strict access controls and continuous authentication throughout the network.

4. **MFA for External Connections:**
   - Yes, multifactor authentication (MFA) is mandated for all connections outside of the network for enhanced security.

5. **MFA for Internal Users Accessing Critical Infrastructure:**
   - Yes, internal authenticated network users require MFA to access critical infrastructure and sensitive data within the network.

6. **Credential Management for Quick Reset:**
   - Yes, credential management practices allow for rapid password resets for all accounts, including service accounts.

7. **Assessment of Active Directory:**
   - Yes, Active Directory is regularly assessed to ensure proper configuration and security measures are in place.

8. **Active Monitoring of Active Directory Security:**
   - Yes, continuous monitoring is conducted to ensure the ongoing security of the Active Directory infrastructure.

9. **Deny-All Rule on Perimeter Firewalls:**
   - Yes, perimeter firewalls are configured with a default deny-all rule, only allowing authorized traffic.

10. **Secured Demilitarized Zone (DMZ):**
    - Yes, the DMZ is properly secured with appropriate access controls and security measures.

11. **No Data or Accounts in DMZ:**
    - Yes, there are no data, databases, or stored accounts present in the DMZ to minimize security risks.

12. **Anti-Spoofing Technology Deployment:**
    - Yes, anti-spoofing technology is utilized to prevent forged IP addresses from entering the network.

13. **Prevention of Internal IP Address Disclosure:**
    - Yes, measures are in place to prevent the disclosure of internal IP addresses and routing information on the Internet.

14. **Segmentation of Key Infrastructure:**
    - Yes, key infrastructure is segmented from other parts of the network using restrictive firewalls to enhance security.

Cryptography

1. **Protection of Cryptographic Keys:**
   - Yes, procedures are in place to protect cryptographic keys used for stored data against disclosure and misuse.

2. **Custodian and Storage of Cryptographic Keys:**
   - Yes, cryptographic keys are stored in a minimal number of locations with dual custodianship for added security.

3. **Full Disk Encryption:**
   - Yes, full disk encryption is implemented on all appropriate drives to safeguard data at rest.

4. **Use of Secure Encryption in Motion:**
   - Yes, secure encryption (at least TLS 1.1 or higher) is employed for data in transit.

5. **Encryption for Non-Console Administrative Access:**
   - Yes, strong cryptography is used for all non-console administrative access.

Threat Management

1. **Periodic Targeted Threat Hunts:**
   - Yes, periodic targeted threat hunts are performed to proactively identify potential threats.

2. **Ingestion of Threat Intelligence:**
   - Yes, current threat intelligence from multiple sources is ingested and used to implement rapid countermeasures against threats.

3. **Dark Web Reconnaissance:**
   - Yes, routine reconnaissance on the dark web is conducted to monitor any information related to the brand or enterprise structures.

4. **Monitoring Vendor and Third-Party Supply-Chain Connections:**
   - Yes, all vendor and third-party connections are closely monitored for compliance and any untoward issues.

Testing

1. **Annual Penetration Tests by Third Party:**
   - Yes, at least one penetration test is conducted annually by a third party to identify and rectify security vulnerabilities.

2. **Routine Vulnerability Scans and Remediation:**
   - Yes, routine vulnerability scans are performed, and vulnerabilities with a CVSS score of 4 or more are remediated within 30 days; other vulnerabilities are addressed within 90 days.

3. **Scanning of Internet-Facing Infrastructure:**
   - Yes, regular scanning of internet-facing infrastructure is carried out to detect vulnerabilities and potential penetration points.

4. **Annual Business Impact Analysis/Risk Analysis Report:**
   - Yes, an annual business impact analysis/risk analysis report is generated in collaboration with inside and outside auditors.
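The remediation rule in item 2 above (CVSS 4 or more within 30 days, everything else within 90 days) is easy to state but only useful if it is actually tracked per finding. The following is an added example, not part of the questionnaire or any scanner's own tooling: it takes constructed scan findings, computes each one's due date from the page's rule, and classifies it as closed on time, closed late, open but within its window, or overdue as of a chosen date. The `Finding` fields and the sample data are assumptions for illustration.

```python
"""SLA tracker for vulnerability-scan findings using the rule from the questionnaire:
CVSS >= 4.0 must be remediated within 30 days, anything lower within 90 days."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Finding:
    finding_id: str
    host: str
    cvss: float
    first_seen: date                    # date the scanner first reported it
    remediated: Optional[date] = None   # None while the finding is still open


def sla_days(cvss: float) -> int:
    """Remediation window in days for a CVSS base score (4.0 is the boundary)."""
    return 30 if cvss >= 4.0 else 90


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=sla_days(f.cvss))


def sla_status(f: Finding, as_of: date) -> str:
    """Classify one finding relative to its deadline as of a given date."""
    due = due_date(f)
    if f.remediated is not None:
        return "closed_in_sla" if f.remediated <= due else "closed_late"
    return "open_in_sla" if as_of <= due else "open_overdue"


def sla_report(findings: List[Finding], as_of: date) -> Dict[str, List[str]]:
    """Group finding ids by SLA status; open_overdue is the list to escalate."""
    report: Dict[str, List[str]] = {
        "closed_in_sla": [], "closed_late": [], "open_in_sla": [], "open_overdue": []
    }
    for f in findings:
        report[sla_status(f, as_of)].append(f.finding_id)
    return report


# Constructed sample findings (hypothetical hosts, not from any real scan)
SAMPLE = [
    Finding("F-1", "web01", 9.8, date(2024, 1, 1), date(2024, 1, 20)),  # due Jan 31, closed on time
    Finding("F-2", "web01", 7.5, date(2024, 1, 1), date(2024, 2, 15)),  # due Jan 31, closed late
    Finding("F-3", "db01", 4.0, date(2024, 1, 10)),                     # boundary score: 30 days, due Feb 9
    Finding("F-4", "db01", 3.9, date(2024, 1, 10)),                     # just below: 90 days, due Apr 9
    Finding("F-5", "file01", 2.0, date(2023, 10, 1)),                   # low score but due Dec 30, 2023
]
AS_OF = date(2024, 2, 1)   # the reporting date used in the usage below

if __name__ == "__main__":
    for status, ids in sla_report(SAMPLE, AS_OF).items():
        print(f"{status}: {ids}")
```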

Policy

1. **Enterprise Security Policy:**
   - Yes, there's an enterprise security policy that is updated at least annually and comprehensively understood by all applicable parties within the organization.

2. **Formal Change Control Policy:**
   - Yes, there is a formal change control policy in place governing alterations to systems, infrastructure, or processes.

Physical Security

1. **Restriction of Physical Access:**
   - Yes, processes and mechanisms are implemented to restrict physical access to critical infrastructure components such as servers, consoles, backup, and network equipment. These areas are properly safeguarded.

2. **Controls for Publicly Accessible Network Jacks:**
   - Yes, physical and/or logical controls are implemented to restrict the use of publicly accessible network jacks within the facilities to authorized personnel.

Plans

1. **Cyber Incident Response Plan (CIRP):**
   - Yes, there is a robust cyber incident response plan that is reviewed, practiced annually, and updated regularly. Incident response teams participate in exercises to test their response capabilities.

2. **Technical Playbooks for Handling Incidents:**
   - Yes, there are playbooks containing technical instructions for handling common cybersecurity incidents, facilitating swift and effective responses.

Inventory

1. **Network Diagrams:**
   - Yes, comprehensive network diagrams, including WiFi infrastructure, are maintained to provide an overview of the entire network.

2. **Asset Inventory:**
   - Yes, there's a complete inventory of all assets including their criticality levels, ownership details, restoration instructions, and recovery time objectives.

3. **Data Flow Diagrams:**
   - Yes, there are thorough data flow diagrams that illustrate how data moves through the network.

Data Management

1. **File Integrity Monitoring (FIM):**
   - Yes, FIM is implemented to monitor the integrity of critical organizational data, particularly the crown jewels.

2. **Data Storage and Deletion:**
   - Yes, storage of confidential data is minimized, and secure deletion procedures are in place for data that is no longer required.

3. **Data Classification:**
   - Yes, data classification policies are enforced throughout the network to ensure sensitive information is appropriately handled and protected.

4. **Data Loss Prevention (DLP):**
   - Yes, network and cloud-based DLP programs are deployed to safeguard confidential data wherever it resides.

5. **Prevention of Data Copying and External Device Usage:**
   - Yes, measures are in place to prevent copying confidential data to external devices and restrict the attachment of external devices to endpoints.

Software Development

1. **Secure Systems and Software Development Processes:**
   - Yes, processes and mechanisms for developing and maintaining secure systems and software are defined and understood by development personnel.

2. **Use of Software Engineering Techniques for Vulnerability Mitigation:**
   - Yes, software engineering techniques are utilized to prevent or mitigate common software attacks and vulnerabilities in all software.

3. **Ongoing Addressing of Web Application Threats:**
   - Yes, new threats and vulnerabilities concerning public-facing web applications are addressed on an ongoing basis.

4. **Protection of Web Applications Against Attacks:**
   - Yes, protective measures are implemented to secure public-facing web applications against various attacks.

5. **Separation of Preproduction and Production Environments:**
   - Yes, preproduction environments are separated from production environments with enforced access controls.

Mobile Devices

1. **Effective Mobile Device Management (MDM) Policies:**
   - Yes, all mobile devices are governed by effective MDM policies ensuring secure usage and management.

2. **Disallowance of Uncontrolled Mobile Device Connectivity:**
   - Yes, connectivity of mobile devices not controlled by enterprise security mechanisms is disallowed to prevent security risks.

Video Task:
- The speaker is Ashley, a Customer Engineering Enablement Lead for Security Operations
Sales at Google
- She is the instructor for a security course
- The course covers security definitions, job responsibilities, core skills, and key events
- It also covers frameworks, controls, and the CIA triad for risk reduction
- The course focuses on CISSP's eight security domains, NIST's Risk Management
Framework, security audits, and basic security tools
- The goal is to help students navigate the vast world of security and manage risks and
threats
- The first four security domains are security and risk management, asset security, security
architecture and engineering, and communication and network security
- The security and risk management domain includes defining security goals and objectives,
risk mitigation, compliance, business continuity, and legal regulations. The asset security
domain focuses on securing digital and physical assets, including PII and SPII.

The course instructor, Ashley, introduces the course by summarizing the topics covered in
the previous sessions. The course focuses on Certified Information Systems Security
Professional's eight security domains, security frameworks, controls, security audits, and
basic security tools. The course aims to provide knowledge, skills, and tools to navigate the
vast world of security and cybersecurity successfully. Ashley shares her experience as a
security analyst and emphasizes the importance of securing an organization and its assets
from threats, risks, and vulnerabilities. She then discusses the focus of the first four
security domains: security and risk management, asset security, security architecture and
engineering, and communication and network security. The security and risk management
domain includes defining security goals and objectives, risk mitigation, compliance,
business continuity, and legal regulations. The asset security domain focuses on securing
digital and physical assets, including data storage, maintenance, retention, and destruction.
The security architecture and engineering domain covers designing, implementing, and
maintaining security solutions. Finally, the communication and network security domain
involves securing communication channels, including networks, devices, and protocols.

- RMF is a risk management framework primarily used by the Department of Defense and
the U.S. Government
- It has six main steps: categorize the information system, select controls, implement
controls, assess controls effectiveness, make a decision to accept risk and authorize the
system, and continuously monitor
- There is also a seventh step of preparation
- Categorization is based on the three tenets of information security: confidentiality,
integrity, and availability
- Impact values are rated low, moderate, or high, and a security category is assigned for
each information type or system
- Different organizations may use RMF differently since it is a framework, not a regulation
- Security controls are selected based on NIST 800-53, and an initial set of baseline controls
is chosen
- Implementation, assessment, and continuous monitoring of controls follow the selection
step

The Risk Management Framework (RMF) is a risk management framework used mainly by
the Department of Defense and the US Government, defined by NIST 800-37. The process
has six main steps: categorizing the information system, selecting controls, implementing
those controls, assessing their effectiveness, accepting the risk, and continuously
monitoring the controls to ensure their effectiveness. It is important to understand that the
RMF is a framework, not a regulation, and different bodies of the government or defense
organizations use it differently. The first step is categorizing the information system, which
is to categorize the system and the information on that system that's processed, stored, or
transmitted, based on the CIA triad (confidentiality, integrity, and availability) and impact
values rated low, moderate, or high. The security category is then assigned per information
type or per information system, and this helps determine how to best implement controls
to protect that data. The next step is selecting the security controls, which is defined by
NIST 800-53, where an initial set of baseline controls is selected. RMF is a continuous
process that requires preparation, and it is important to realize that the processes may
vary across different organizations.
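
The categorize step described above (rate confidentiality, integrity, and availability impact as low, moderate, or high per information type, then assign a security category to the system and pick a NIST 800-53 baseline) can be made concrete in a few lines. The example below is added here and is not from the course or the video; it assumes the FIPS 199 rule that a system's per-objective level is the maximum across its information types and the FIPS 200 "high water mark" rule that the overall level is the highest of the three, neither of which the notes above spell out. The patient-portal information types and their ratings are constructed for illustration.

```python
"""RMF step 1 (categorize) and the start of step 2 (select controls), as outlined
in the course notes. Assumptions: per-objective maximum across information types
(FIPS 199) and the overall 'high water mark' (FIPS 200) decide the baseline."""
from dataclasses import dataclass
from typing import Dict, List

IMPACT_LEVELS = ("low", "moderate", "high")   # ordered from least to most severe
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    name: str
    impact: Dict[str, str]   # objective -> "low" | "moderate" | "high"


def _check(level: str) -> str:
    if level not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def higher(a: str, b: str) -> str:
    """Return the more severe of two impact levels."""
    return max(_check(a), _check(b), key=IMPACT_LEVELS.index)


def system_category(types: List[InformationType]) -> Dict[str, str]:
    """Per-objective maximum over every information type the system handles."""
    if not types:
        raise ValueError("a system must process at least one information type")
    sc = {obj: "low" for obj in OBJECTIVES}
    for t in types:
        for obj in OBJECTIVES:
            sc[obj] = higher(sc[obj], t.impact[obj])
    return sc


def overall_impact(sc: Dict[str, str]) -> str:
    """High water mark: the system's overall level is its highest objective level."""
    level = "low"
    for obj in OBJECTIVES:
        level = higher(level, sc[obj])
    return level


def baseline_for(level: str) -> str:
    """Initial NIST SP 800-53 control baseline matching the overall impact level."""
    return f"SP 800-53 {_check(level)} baseline"


def format_category(sc: Dict[str, str]) -> str:
    """FIPS 199 style notation, e.g. SC = {(confidentiality, HIGH), ...}."""
    return "SC = {" + ", ".join(f"({o}, {sc[o].upper()})" for o in OBJECTIVES) + "}"


# Constructed example: a clinic's patient portal handling two information types
PORTAL = [
    InformationType("patient health records",
                    {"confidentiality": "high", "integrity": "moderate", "availability": "low"}),
    InformationType("appointment scheduling",
                    {"confidentiality": "low", "integrity": "low", "availability": "moderate"}),
]

if __name__ == "__main__":
    sc = system_category(PORTAL)
    print(format_category(sc))
    print("overall:", overall_impact(sc), "->", baseline_for(overall_impact(sc)))
```

Note that the scheduling type alone would be a low/low/moderate system; combining it with health records on one system drags the whole system to the high baseline, which is the usual argument for keeping information types of very different sensitivity on separate systems.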

The video, featuring Ashley, a seasoned professional serving as the Customer Engineering
Enablement Lead for Security Operations Sales at Google, unveils a robust and extensive
security course designed to equip students with an in-depth understanding of
cybersecurity. Ashley, who assumes the role of the course instructor, meticulously outlines
the diverse array of topics covered, ranging from fundamental security definitions and job
responsibilities to core skills, key events, frameworks, controls, and strategies for risk
reduction based on the fundamental principles of the CIA triad.

The overarching objective of the course is explicitly laid out: to empower students with the
knowledge and skills necessary to navigate the intricacies of the cybersecurity landscape
adeptly. Ashley underscores the importance of cultivating the ability to manage risks
effectively and comprehend the myriad threats that organizations face in today's digital
era. The curriculum encompasses critical elements such as the eight security domains
stipulated by the Certified Information Systems Security Professional (CISSP), the Risk
Management Framework (RMF) crafted by the National Institute of Standards and
Technology (NIST), security audits, and a fundamental understanding of essential security
tools.

Diving into the specifics, Ashley takes the time to break down the initial four security
domains covered in the course. These domains, namely security and risk management,
asset security, security architecture and engineering, and communication and network
security, serve as foundational pillars for comprehending the multifaceted aspects of
cybersecurity. In the security and risk management domain, Ashley elaborates on key
facets such as defining security goals, implementing risk mitigation strategies, ensuring
compliance, addressing business continuity, and navigating the complex web of legal
regulations.

The focus then shifts to asset security, a domain that delves into the meticulous
safeguarding of both digital and physical assets. This includes a keen emphasis on
protecting sensitive information such as Personally Identifiable Information (PII) and
Sensitive Personal Identifiable Information (SPII). The depth of coverage in these early
domains underscores the course's commitment to providing a holistic understanding of
cybersecurity, addressing not only theoretical concepts but also practical applications in
securing assets and managing risks effectively.

Building on this foundation, the video transitions to an exploration of the Risk Management
Framework (RMF), a comprehensive and widely utilized framework primarily adopted by
the Department of Defense and the U.S. Government. Ashley walks through the six main
steps integral to the RMF process: categorizing the information system, selecting controls,
implementing controls, assessing control effectiveness, accepting risk, and continuous
monitoring. It's highlighted that RMF, contrary to being a rigid regulation, is a flexible
framework, allowing organizations to tailor its implementation to their specific needs.

Augmenting the video content, additional information is introduced, shedding light on the
criticality of security risk assessments. This supplementary insight outlines the myriad
reasons for undertaking security risk assessments, encompassing elements such as cost
justification, productivity enhancement, organizational barrier-breaking, self-analysis, and
improved communication. The document underscores the pivotal role of security risk
assessments in identifying, quantifying, and mitigating risks, ultimately ensuring the
preservation of an organization's mission.

In summary, the video, enriched by Ashley's expertise and external insights, provides a
comprehensive and detailed overview of the security course. It meticulously covers
fundamental concepts, industry frameworks, and practical applications, presenting an
educational journey that goes beyond theoretical understanding to encompass the
practicalities of securing assets and navigating the evolving landscape of cybersecurity
threats.
