1: Risk management Flashcards

1
Q

CIA triad

A

Security goals: confidentiality, integrity (permissions) and availability + Auditing & Accountability, Non-Repudiation (user cannot deny communication).

2
Q

Risk

A

Threats x Vulnerabilities = Risk (SP 800-30)

3
Q

Threat Actors

A
(Internal/External):
Script kiddies - amateur
Hacktivist - intent & motivation
Organized crime
Nation states/advanced persistent threat (APT)
Insiders
Competitors
4
Q

Risk Assessment

A

List of assets->value->vulnerabilities
cve.mitre.org - common vulnerabilities
Nessus, Penetration testing - vulnerability assessment tool

5
Q

Threat Types

A

Adversarial
Accidental
Structural
Environmental

6
Q

Risk Response

A

Mitigation
Risk transference
Risk acceptance
Risk avoidance

7
Q

Frameworks

A

NIST Risk Management Framework 800-37

ISACA Risk IT Infrastructure

8
Q

Guides for Risk Assessment

A
Benchmarks
Thresholds
Secure configurations
Network infrastructure devices - info by CISCO, etc.
General Purpose guides
9
Q

Security Controls

A

(Protect IT infrastructure and remediate problems)
Administrative Control
Technical Control
Physical Control

10
Q

Security Control Functions

A
Deterrent
Preventative
Detective
Corrective
Compensating
11
Q

Security Control Examples

A
Mandatory Vacation
Job Rotation
Multi-person Control
Separation of Duties (Administrative).
Principle of least privilege
12
Q

Sources of Security Controls

A
  • Laws and regulations - for ex. HIPAA
  • Standards (government and industry, PCI-DSS - for credit cards)
  • Best Practices
  • Common Sense
13
Q

Security Controls

A
  • Policies
  • Organizational Standards - higher level of detail than policies
  • Procedures - how to
  • Guidelines (optional)

14
Q

Security Policies

A

Acceptable Use Policy - what a person can and cannot do on company assets
Data Sensitivity and Classification - confidential, etc.
Access Control Policies - what and how access data, etc.
Password policy
Care and Use of Equipment
Privacy Policies - in house or customers
Personnel policy

15
Q

Framework

A

regulatory, non-regulatory, national standards, international standards, industry-specific. (NIST SP800-37 - regulatory, ISACA IT Infrastructure - non-regulatory, ISO 27000 - international)
NIST: Categorize Systems -> Select Security Controls -> Implement Security Controls -> Assess Security Controls (Sandbox) -> Authorize Information Systems -> Monitor Security Controls

16
Q

Quantitative Risk Calculations

A

Exposure factor - percentage of an asset that is lost as a result of an incident
Asset Value x Exposure Factor = Single Loss Expectancy (SLE)
ARO - annualized rate of occurrence
SLE x ARO = ALE - annualized loss expectancy

MTTR - mean time to repair
MTTF - mean time to failure

MTBF - mean time between failures = MTTR + MTTF

17
Q

Business Impact Analysis

A
Determine mission process
Identify critical systems
Single point-of-failure - avoid with redundancy, backups
Identify resource requirements
Identify recovery priorities
18
Q

Business Impact

A

Finance - credit, cash flows and accounts receivable
Property
People - safety and life
Reputation

Privacy Impact Assessment (PIA) - what would the impact be in case of a problem
Privacy Threshold Assessment (PTA) - how we store, consume and transmit the data

RTO - recovery time objective, minimal time to repair a system, maximum time the system can be down without substantial impact
RPO - recovery point objective, maximum amount of data that can be lost without substantial impact

19
Q

Data Types

A

Public - no restrictions
Confidential - Limited to authorized party
Private - personally identifiable information (PII), etc.
Proprietary - private at corporate level - proprietary information
Protected Health Information - PHI

20
Q

Data Roles

A

Owner - has legal responsibility
Steward/custodian - maintains the accuracy and integrity of data
Privacy Officer - ensures that data adheres to policies

Data Users:
Users - standard amount of permissions
Privileged Users - increased access and control for a user (most of the time cannot delete all of the data).
Executive Users - make strategic decisions - verify backups are being done, etc.
System Administrator - complete control of system and data. In charge of day to day manipulation.
Data owner/System owner - have legal ownership of dataset or system.

21
Q

Security Training

A

Onboarding (background check, non-disclosure agreement NDA, Standard operating procedures, rules of behavior, general security policies).
Offboarding (disable accounts, return credentials, exit interview, knowledge transfer)

22
Q

PII

A

PII - personally identifiable information - NIST 800-122
full name, home address, email address, NI number, passport, license plate, digital identity, date of birth, driver's license number, face, fingerprint, credit card

23
Q

Role Based Controls

A

Personnel Management Controls - mandatory vacations, 2 weeks. Job rotation. Separation of Duties.

Role-based Data Controls:
System Owner
System Administrator
Data Owner - defines access
User - accesses and uses data, monitors and reports security breaches
Privileged user - has special access
Executive user - read only access
24
Q

Third Party Agreements

A

BPA - business partnership agreement (primary entities, time frame, financial issues, management)
SLA - service level agreement, service provided, minimum up-time, response time and contacts, start and end date
ISA - interconnection security agreement - statement of requirements, system security considerations, topological drawing, Signature authority (time frame for interconnection and scheduling for reviews). Technical document.
MOU/ MOA - Memorandum of Understanding/Agreement - purpose of interconnection, authorities, responsibilities of both organizations, terms of the agreement, termination/reauthorisation.