2 - Personnel Security and Risk Management Flashcards

1
Q

What is the weakest link of any security solution?

A

Humans

2
Q

What is the difference between a job description and a role description?

A

Roles typically align with a rank or level of privilege. Job descriptions map to specifically assigned responsibilities and tasks.

3
Q

What is Separation of Duties?

A

Where critical tasks are divided among several individual administrators. This prevents any one person from having the ability to undermine security mechanisms.

4
Q

What are Job Responsibilities?

A

The specific work tasks an employee is required to perform on a regular basis.

5
Q

What is Job Rotation?

A

Rotating employees among multiple positions. Provides knowledge redundancy and reduces the risk of fraud, misuse of data, etc.

6
Q

What is Privilege creep?

A

The continued accumulation of privileges, permissions, etc. without the removal of unnecessary rights along the way.

7
Q

What is a Background Check?

A

Obtaining a candidate’s work and educational history, checking references, interviewing people in their lives, checking for a criminal record, etc.

8
Q

What is an NDA?

A

A document used to protect the confidential information within an organization from being disclosed by a former employee. Violations are met with strict penalties.

9
Q

Why are Mandatory Vacations necessary/important?

A

They allow an audit of the work tasks and privileges of employees.

10
Q

What is Onboarding?

A

The process of adding new employees to the identity and access management (IAM) system. Also used when an employee’s role changes.

11
Q

What is Offboarding?

A

The removal of an employee’s identity from an IAM system once they leave the organization.

12
Q

What is the proper procedure for Terminations?

A

They should take place with at least one witness (a manager or security), the terminated person must be escorted off the premises immediately, and all access-related materials must be collected and revoked.

13
Q

What is an Exit Interview?

A

A review of the liabilities and restrictions placed on the former employee based on the employment agreement, NDA, and other security-related documents.

14
Q

What is a Service Level Agreement?

A

The levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization.

15
Q

What are the commonly addressed issues in SLAs?

A
  • System Uptime
  • Maximum Consecutive Downtime
  • Peak Load
  • Average Load
  • Responsibility for Diagnostics
  • Failover Time
  • Financial and/or contractual remedies that kick in if agreement is not maintained.
16
Q

What is Compliance?

A

The act of conforming to or adhering to rules, policies, regulations, standards, or requirements.

17
Q

What is Privacy?

A
  • Active prevention of unauthorized access to information that is personally identifiable.
  • Freedom from unauthorized access to information deemed personal or confidential.
  • Freedom from being observed, monitored, or examined without consent or knowledge.
18
Q

What is PII?

A

Personally Identifiable Information (PII) is any data that can be easily and/or obviously traced back to the person of origin or concern, for example:

  • Phone number
  • Email address
  • Mailing address
  • Social Security Number
  • Name

What counts as PII can vary by country.
19
Q

What is Security Governance?

A

The collection of practices related to supporting, defining, and directing the security efforts of an organization.

20
Q

What is Third-Party Governance?

A

The system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. Generally involves an outside investigator or auditor.

21
Q

What is Documentation Review?

A

The process of reading the exchanged materials and verifying them against standards and expectations.

22
Q

What is Risk Management?

A

A detailed process of identifying factors that could damage or disclose data and implementing cost-effective solutions for mitigating or reducing risk.

23
Q

What is Risk Analysis?

A

Examining an environment for risks, evaluating each threat event as to its likelihood of occurring and the cost of the damage, assessing the cost of countermeasures, and creating a cost/benefit report on safeguards to present to upper management.

24
Q

What are some common terms for Risk?

A
  • Asset: Anything within an environment that should be protected.
  • Asset Valuation: A dollar value assigned to an asset based on actual cost and nonmonetary expenses.
  • Threats: Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset.
  • Vulnerability: The weakness in an asset or the absence or the weakness of a safeguard or countermeasure.
  • Exposure: Being susceptible to asset loss because of a threat; the possibility that a vulnerability will be exploited by a threat agent.
  • Risk: The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
  • Safeguards: (security control, Countermeasure) Anything that removes or reduces a vulnerability or protects against one or more specific threats.
  • Attack: The exploitation of a vulnerability by a threat agent.
  • Breach: The occurrence of a security mechanism being bypassed or thwarted by a threat agent.
25
Q

What is the formula for Risk?

A

risk = threat * vulnerability

26
Q

What are the different models of Risk Analysis?

A
  • Quantitative Risk Analysis: The results have concrete probability percentages and/or dollar figures.
  • Qualitative Risk Analysis: More scenario-based than calculator-based; threats are ranked on a scale.
27
Q

What is the formula for ALE?

A
  • Calculate Single Loss Expectancy (SLE):
    • SLE = Asset Value (AV) * Exposure Factor (EF)
  • Calculate Annualized Loss Expectancy (ALE):
    • ALE = SLE * ARO
    • ARO = Annualized Rate of Occurrence (number of occurrences per year)
28
Q

What is the Delphi Technique?

A

An anonymous feedback-and-response process used to enable a group to reach an anonymous consensus.

29
Q

What are some actions you can take on risks found in the environment?

A
  • Risk Mitigation: (Reducing risk) The implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats.
  • Risk Assignment: (Assigning risk, transferring risk) The placement of the cost of loss a risk represents onto another entity or organization.
  • Risk Acceptance: The result after cost/benefit analysis shows countermeasure cost would outweigh the possible cost of loss due to a risk.
  • Risk Deterrence: The process of implementing deterrents to would-be violators of security and policy.
  • Risk Avoidance: The process of selecting alternate options or activities that have less associated risk than the default, common, or cheap option.
  • Risk Rejection: Denying that a risk exists and hoping that it will never be realized; this is not a valid or prudent due-care response to risk.
  • Residual Risk: Comprises threats to specific assets against which upper management chooses not to implement a safeguard.
  • Total Risk: The amount of risk an organization would face if no safeguards were implemented.
    • threats * vulnerabilities * asset value = total risk
30
Q

What are the 3 categories of Security Mechanisms?

A
  • Technical/Logical: The hardware or software mechanisms used to manage access and to provide protection for resources and systems.
  • Administrative: The policies and procedures defined by an organization’s security policy and other regulations or requirements.
  • Physical: Items you can physically touch.
31
Q

What are the different types of security controls?

A
  • Deterrent: Deployed to discourage violation of security policies (locks, fences, security badges).
  • Preventive: Deployed to thwart or stop unwanted or unauthorized activity from occurring (fences, locks, biometrics).
  • Detective: Deployed to discover or detect unwanted or unauthorized activity (security guards, motion detectors).
  • Compensating: Deployed to provide various options to other existing controls to aid in the enforcement and support of security policies.
  • Corrective: Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred (anti-virus, backup restore).
  • Recovery: An extension of corrective controls, but with more advanced or complex abilities (hot sites, warm sites, cold sites).
  • Directive: Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies (security policy requirements, posted notifications, escape route exit signs).
32
Q

What is a Security Control Assessment?

A

The formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation.

33
Q

What is Risk Reporting?

A

A key task to perform at the conclusion of a risk analysis. The production of a risk report and a presentation of that report to the interested/relevant parties.

34
Q

What is a Risk Framework?

A

A guideline or recipe for how risk is to be assessed, resolved, and monitored.

35
Q

What are the steps of the Risk Management Framework?

A
  • Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.
  • Select an initial set of baseline controls and describe how the controls are employed within the information system and its environment of operation.
  • Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
  • Assess the security controls using appropriate assessment procedures.
  • Authorize information system operation based on a determination of the risk.
  • Monitor the security controls in the information system on an ongoing basis.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

36
Q

What is Awareness, Training, and Education?

A
  • Awareness: Establishes a common baseline or foundation of security understanding across the entire organization and focuses on key or basic topics.
  • Training: Teaching employees to perform their work tasks and comply with the security policy.
  • Education: A more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks.