2.1_The Security Organization - GRC Flashcards
What are the 5 areas of Security Team Alignment?
- Linux and Windows
- Networking
- Defense Security
- Web and Web Vulnerabilities
- Offensive Security
Security operations will interact with other non-security team departments within the organization. Give an example.
An organization’s Marketing and Communications teams use the networks and accounts that IT and Networking manage.
Security Concerns vs. Business Concerns
Security Team’s Main Goal: Protect the business’s data
Business Goal: To make profit
An organization’s engineering team proposes an innovative but insecure new feature for their flagship product. What would the security team say vs the suits?
Security Team:
The security team would probably advise against the new feature due to its poor security.
Business-At-Large:
The business might decide to develop it anyway, believing the potential profit is worth the risk.
An organization’s engineering team proposes an innovative but insecure new feature for their flagship product. What could the security team do?
- Put in place more aggressive monitoring on data servers likely to be exposed by the new feature.
- Advise IT and Networking to put in place more sophisticated access controls on important servers and proxies.
True or False:
100% security is not the business’s goal
True
To limit spending and increase profit, businesses often provide only adequate protection for their most important assets.
What is the GRC framework and the three components?
GRC is a framework for answering the questions "What assets are most important?" and "What is adequate protection?"
Creating management processes for implementing security practices across the organization is what component of the GRC framework?
Governance
Making sure the business follows internal security policies and adheres to relevant security laws is what component of the GRC framework?
Compliance
Identifying an organization’s most important assets and determining how they might be compromised is what component of the GRC framework?
Risk Management
"The more significant the loss, the more important the asset" is a part of what concept?
GRC Framework
Security vs. Business Objective:
The organization performs a risk assessment and concludes that the feature could lead to a 25% increase in quarterly profits. The feature would also risk exposing an isolated data server containing customer names, usernames, and email addresses, but no other PII (personally identifiable information). What wins?
Business Wins!
The security team objects to the feature on the grounds of insecurity. But the business decides that the cost of the potential breach (of an isolated server with no sensitive PII) would be less than the potential profit of the feature.
The director of Engineering suggested giving all developers access to all data. What’s the recommendation?
Reject on the grounds of privacy?
The director of IT suggested exposing administration servers to the public internet. What’s the recommendation?
Reject this request. A VPN would be a better solution to this problem.
An SOC analyst recommended merging all of the company’s mail servers into a single server, in order to cut costs and improve efficiency. What’s the recommendation?
If the company has so many emails that it needs to maintain multiple servers, this suggestion is not possible. Otherwise, hosting all of the data on a single server makes sense.
Strong organizational security begins with what?
Strong organizational security begins with making sure employees both consider security important and understand the security implications of their decisions.
A healthy _______________ requires motivating employees to value security, and training them on how to avoid insecure behavior.
A healthy security culture requires motivating employees to value security, and training them on how to avoid insecure behavior.
Employees are receiving emails to their work accounts from external sources. What should you do and what is your first step?
Measure and Set Goals
Hire a pentester to run a phishing campaign against your organization. They will send malicious files to everyone in the organization and keep track of who downloads them.
Set a click rate goal of 5%. Measure this data to determine (1) what percentage of employees download the files and (2) which employees download them.
Involving the right people is what step of the security culture framework?
Step 2
What is the security culture framework? How many steps are there?
- Measure and Set Goals
- Involve the Right People
- Create an Action Plan
- Execute the Plan
- Measure Change
Chief Information Security Officer (CISO) reports to whom?
CEO
What is a typical reporting structure for the VP of Networking?
VP of Networking:
- Director of IT > Director of Network Security
- Performance Manager
- Network Engineer
CISO is responsible for protecting what?
Company’s data
Explain the responsibilities of a security department.
- Network Security - Director of Network Security is in charge of networks.
- Incident Response - The IR Manager or SOC Manager manages an Incident Response unit.
- Application Security - Security Architect is in charge of application security.
What are the 5 security controls?
- Preventative controls prevent access with physical or technical barriers. (Key-card access is an example of a preventive control.)
- Deterrent controls discourage attackers from attempting to access a resource.
- Detective controls identify and alert attempts at access to a resource.
- Corrective controls attempt to fix an incident, and possibly stop it from happening again.
- Compensating controls restore the function of compromised systems.
A system with multiple layers of protection is said to have ____________ because it is protected in multiple ways.
Control Diversity
A system with multiple layers of protection is said to have control diversity, because it is protected in multiple ways.
Discouraging attackers from attempting to access a resource is what security control?
Deterrent
Controls that identify and alert attempts at access to a resource is what security control?
Detective
Controls that attempt to fix an incident, and possibly stop it from happening again is what security control?
Corrective
Controls that restore the function of compromised systems is what security control?
Compensating
Controls that prevent access with physical or technical barriers is what security control?
Preventative
Key-card access is an example of a preventive control.