1. Security And Risk Management Flashcards
What is the CIA triad?
Confidentiality, Integrity, and Availability
Define Confidentiality
Only people who need to know, know.
Define Integrity
Data and systems are not altered in an unauthorized or undetected way, whether by accident or on purpose; what you read is what was written. (Controlling who may access something is confidentiality and authorization, not integrity.)
Define Availability
Systems and data are accessible to authorized users whenever they need them; outages, denial of service and lost backups all attack availability.
What does AAA stand for?
Authentication, Authorization, and Accountability
Define Authentication
Proves who you are. Factors: something you know (password, PIN), something you have (token, smart card), something you are (biometrics); somewhere you are and something you do are sometimes added as extra factors.
Define Authorization
Actions you can perform after you authenticate your ID.
Define Accountability
Hold users accountable for their actions
Who is ultimately responsible for security?
Senior management.
Define risk assessment
Identify assets, the threats to them and the vulnerabilities those threats could exploit, and write the resulting risks down; the qualitative inventory that risk analysis later puts numbers on.
Define risk analysis
Assigning values (asset cost, likelihood, impact) to the risks identified in the assessment so they can be quantified, compared and prioritized.
What is OCTAVE?
Operationally Critical Threat, Asset and Vulnerability Evaluation.
A risk methodology in which you identify assets and their criticality, the vulnerabilities and threats affecting them, and base a protection strategy on that.
What is FRAP?
Facilitated Risk Analysis Process. A qualitative risk methodology used to decide whether a risk warrants a full quantitative analysis; if the likelihood or impact is too low, further analysis is forgone.
What is NIST 800-30?
NIST Special Publication 800-30, a risk management methodology written for information technology systems. The original 2002 edition describes a 9-step risk assessment; Revision 1 (2012) restructures it into four steps (prepare, conduct, communicate, maintain).
Define Qualitative Risk Analysis
Subjective analysis (high/medium/low, expert judgement) used to rank the probability and impact of risk events and so prioritize them.
Define Quantitative Risk Analysis
Putting a dollar amount on a single risk event and on its expected annual loss.
More rigorous than qualitative analysis and usually performed after a qualitative pass has shown which risks are worth the effort, but much harder to do well: it needs reliable loss and frequency data and a specialized skill set.
Define AV
Asset value
Define EF
Exposure factor
Define TCO
Total cost of ownership
Define SLE
Single loss expectancy
SLE = AV x EF
Define ALE
Annual loss expectancy.
ALE = SLE x ARO
Define ARO
Annual rate of occurrence.
Define total risk
The risk that exists before any control is implemented (also called inherent risk).
Total Risk = Threats x vulnerability x Asset Value
Define residual risk
Leftover risk after applying a control.
Residual Risk = Total Risk x Controls Gap
Define Secondary risk
When one risk response triggers another risk event.
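The SLE, ALE and residual-risk cards above are usually tested together as a safeguard cost/benefit question: a control is worth buying only if the ALE it removes exceeds what it costs per year. The Python below is an added worked example, not from the original flashcards; the three risk scenarios and their asset values, exposure factors, ARO figures and control costs are constructed for illustration and are not real assessment data.

```python
"""Quantitative risk analysis worked example (added illustration; all figures
are constructed, not taken from any real assessment).

Formulas from the cards:
    SLE = AV x EF
    ALE = SLE x ARO
    residual ALE = ALE recomputed with the EF and/or ARO the control leaves behind
Safeguard cost/benefit test:
    value of control = ALE_before - ALE_after - annual cost of control
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per event (0.0 to 1.0)
    aro: float              # ARO, expected events per year (0.1 = once a decade)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                      # amortised purchase + yearly operating cost
    new_exposure_factor: Optional[float] = None  # None = control does not change EF
    new_aro: Optional[float] = None              # None = control does not change ARO


def sle(risk: Risk) -> float:
    """Single loss expectancy: how much one occurrence costs."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annual loss expectancy: expected cost of this risk per year."""
    return sle(risk) * risk.aro


def apply_control(risk: Risk, control: Control) -> Risk:
    """Residual risk: same asset, with the EF and/or ARO the control leaves."""
    ef = control.new_exposure_factor if control.new_exposure_factor is not None else risk.exposure_factor
    aro = control.new_aro if control.new_aro is not None else risk.aro
    return Risk(name=risk.name, asset_value=risk.asset_value, exposure_factor=ef, aro=aro)


def control_value(risk: Risk, control: Control) -> float:
    """Annual net benefit of a control.

    Positive: the safeguard prevents more loss than it costs each year.
    Negative: it costs more than the loss it prevents (on pure ALE grounds).
    """
    return ale(risk) - ale(apply_control(risk, control)) - control.annual_cost


def rank_by_ale(risks: Iterable[Risk]) -> List[Risk]:
    """Order risks so the most expensive expected loss comes first."""
    return sorted(risks, key=ale, reverse=True)


# Constructed scenarios (hypothetical figures).
WEB_SERVER = Risk("web server compromise", asset_value=500_000, exposure_factor=0.30, aro=0.5)
LAPTOPS = Risk("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0)
DC_FIRE = Risk("data center fire", asset_value=2_000_000, exposure_factor=0.50, aro=0.02)

# Constructed controls: a WAF cuts how often the server is compromised, full-disk
# encryption limits what is lost when a laptop goes missing (hardware still gone,
# data not), better suppression limits how much of the data center a fire takes.
WAF = Control("web application firewall", annual_cost=20_000, new_aro=0.1)
FDE = Control("full-disk encryption", annual_cost=2_000, new_exposure_factor=0.2)
SUPPRESSION = Control("fire suppression upgrade", annual_cost=30_000, new_exposure_factor=0.1)


if __name__ == "__main__":
    for risk in rank_by_ale([WEB_SERVER, LAPTOPS, DC_FIRE]):
        print(f"{risk.name:24s} SLE={sle(risk):>12,.0f}  ALE={ale(risk):>10,.0f}")
    for risk, control in ((WEB_SERVER, WAF), (LAPTOPS, FDE), (DC_FIRE, SUPPRESSION)):
        print(f"{control.name:26s} net annual value = {control_value(risk, control):>+10,.0f}")
```

With these numbers the WAF (net +40,000 a year) and disk encryption (net +7,600) pay for themselves, while the suppression upgrade (net -14,000) does not on ALE alone. That last result is why the cost/benefit figure is an input to the decision rather than the decision itself: controls that protect human life are justified regardless of ALE.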
Define Governance
Ensures that stakeholder needs, conditions and options are evaluated to determine the organization's risk appetite, sets direction through prioritization and decision making, and monitors performance against that direction.
Define Risk Management
Plans, builds, runs and monitors activities in alignment with the direction set by the governance body.
What does COBIT stand for?
Control Objectives for Information and Related Technologies.
An IT governance and management framework published by ISACA; it defines goals (control objectives) for IT processes and how to measure them.
What does COSO stand for?
Committee of Sponsoring Organizations of the Treadway Commission. Its framework covers enterprise-level internal control and risk management; COBIT is often used to meet COSO's IT-related goals.
What does ITIL stand for?
Information Technology Infrastructure Library. The de facto standard of best practices for IT Service Management.
What is due diligence?
Research. Investigating and continually monitoring an organization's practices and risks to ensure they meet or exceed the security requirements (knowing what should be done).
What is due care?
Action. Ensuring that "best practices" are actually implemented and followed (doing what due diligence showed should be done). Due care follows due diligence.
What is the prudent man rule?
Acting responsibly and cautiously as a prudent man would.
What is culpable negligence?
Essentially: is this your fault?
Decided on the basis of due care. Did you do what a reasonable organization would have done to prevent this? Failing to exercise due care is what makes the negligence culpable.
What is the difference between procedures, baselines, standards and guidelines?
Policies, procedures, baselines and standards are MANDATORY; guidelines are recommendations and are not mandatory.
Baselines are the bare minimum level of security a system must meet.
What is knowledge transfer?
A fancy term for teaching employees about security policies.
What is the main international organization, run by the UN, that protects intellectual property?
The World Intellectual Property Organization (WIPO).
How long do copyrights last?
Under US law, the lifetime of the author plus 70 years. For corporate works (works made for hire and anonymous works) it is 95 years from first publication or 120 years from creation, whichever is shorter (older study guides give 75 years).
How long are patents valid?
20 years
What is Business Continuity Planning?
The long-term, overall plan for keeping the organization running in case of a disruption.
What is a disaster recovery plan?
A mostly IT-focused plan for minimizing a disaster's effects and getting the business back up and running; a subset of the BCP.
Who can declare an event a disaster?
Only the BCP coordinator. Anyone, however, can declare an emergency.
What are the three BCP teams?
Rescue, recovery and salvage.
What are the seven phases of BCP?
- Project initiation
- Business impact analysis
- Recovery strategy
- Plan design and development
- Implementation
- Testing
- Maintenance
What is always the #1 priority?
Safety and human life
What are the phases of BCP step Implementation?
- Notification/activation: getting word out that something bad has happened and activating the recovery teams.
- Recovery/fail-over: actions taken by the recovery teams to restore IT services at an alternate site.
- Reconstitution/fail-back: actions taken to return systems to normal operations at the original or a new permanent site.
What is a checklist test?
Copies of the plan are distributed to each department and functional managers review the checklist of their responsibilities; nothing is executed.
What is a structured walkthrough (tabletop) test?
All parties sit down at a table and talk through a simulated disaster, step by step, to find gaps in the plan.
What is a simulation test?
Physically going through a disaster scenario with the people who would respond. It continues up to, but stops short of, actual relocation to the offsite facility.
What is a parallel test?
Some systems are moved to the alternate site and processing takes place there, while the primary site keeps running normally in parallel.
What is a full implementation test?
Also called a full-interruption test. The original site is shut down and all processing is moved to the offsite facility; the riskiest and most expensive test.
What is a post incident review?
A lessons-learned meeting focused on how to improve: go over what happened and what should have happened.
It does not focus on whose fault it was.
What is BIA?
Business impact analysis. It identifies all business processes and prioritizes them based on criticality.
What are the BIA metrics to establish?
- Service level objectives
- RPO - recovery point objective: how much data (measured in time) can be lost
- RTO - recovery time objective: how quickly a system must be restored
- MTD - maximum tolerable downtime: how long the business can survive without the process
- MTBF - mean time between failures
What is STRIDE?
A threat model.
It is used to assess threats against applications or operating systems. Developed by Microsoft.
What does STRIDE stand for?
- Spoofing
- Tampering
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege
What is data ownership?
The formal assignment of responsibility to an individual or group.
Often this grants full capabilities and privileges over the object they own.
What is the most important and distinctive concept in relation to layered security?
Security in series: controls are layered one behind another so that if one fails, the next one still stops an intruder (defense in depth). Controls in parallel give no such backstop.
What is data hiding?
Preventing data from being discovered or accessed by a subject. Often a key element in security controls as well as in programming.
What are the three types of military classified information levels?
Confidential
Secret
Top secret
What data classification of private sector is used to protect information about individuals?
Private