3. Information Security Program Development & Management Flashcards
Name the two common Enterprise Architecture Frameworks
The Open Group Architecture Framework (TOGAF) and the Zachman Framework
What are the key elements of TOGAF?
Business-driven, life-cycle management framework for enterprise architecture
Multiple phases, starting with Preliminary, then Architecture Vision, Business Architecture, Information Systems Architecture, Technology Architecture, Opportunities and Solutions, Migration Planning, Implementation Governance, and Architecture Change Management
What is unique about the Zachman Framework?
Similar to office building architecture: starts with a high-level view and then adds increasing detail at each lower layer.
Does not convey the relationships between IT systems; data flow diagrams are used for that instead.
What are the components of ISACA's Risk IT Framework?
Risk Governance - includes integrating with the organization's ERM
Risk Evaluation
Risk Response
T or F: a vulnerability ranking is influenced by the probability that the threat will be realized and by the asset value
False - a vulnerability ranking should depend on whether the threat would actually bring about harm to the asset, not on likelihood or asset value.
T or F: asset value is always the replacement value
False - usually, but not always
What is the financial loss that results from the realization of a threat, expressed as a percentage of the asset's total value?
Exposure Factor (EF)
Most threats do not completely eliminate the asset value but instead reduce it.
What does SLE represent?
Single Loss Expectancy is the loss incurred when the threat is realized one time.
AV × EF = SLE
What is the term for the estimate of the number of times that a threat will occur per year?
Annual Rate of Occurrence (ARO)
1 in 10 years is 10% (ARO = 0.10)
1 in 50 years is 2% (ARO = 0.02)
What is ALE?
Annualized Loss Expectancy
SLE × ARO = ALE
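The EF, SLE, ARO and ALE cards above describe a small calculation chain; the following is an added worked example (not from the original flashcards) that carries the chain through for several constructed threats against a hypothetical organization, converts "1 in N years" intervals to ARO the way the cards do, ranks threats by ALE, and goes one step beyond the cards by comparing the ALE reduction a control achieves against the control's annual cost, which is the standard quantitative basis for a risk treatment decision. All asset values, exposure factors, rates and control costs are invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat/asset pairing in a quantitative risk analysis."""
    name: str
    asset_value: float      # AV: value of the asset (not always replacement value)
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 .. 1.0
    aro: float              # ARO: expected occurrences per year


def aro_from_interval(years_between_occurrences: float) -> float:
    """ARO for a threat expected once every N years ("1 in 10" -> 0.10)."""
    if years_between_occurrences <= 0:
        raise ValueError("interval must be a positive number of years")
    return 1.0 / years_between_occurrences


def sle(t: Threat) -> float:
    """Single Loss Expectancy: loss from one realization of the threat (AV x EF)."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError(f"{t.name}: EF must be between 0 and 1")
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized Loss Expectancy: SLE x ARO."""
    return sle(t) * t.aro


def rank_by_ale(threats: list[Threat]) -> list[str]:
    """Threat names ordered from largest to smallest annualized loss."""
    return [t.name for t in sorted(threats, key=ale, reverse=True)]


def control_net_benefit(t: Threat, aro_after_control: float,
                        annual_control_cost: float) -> float:
    """Value of a control = ALE before - ALE after - annual cost of the control.

    Positive means the control is worth the spend on a purely quantitative
    basis; this extends the flashcards, which stop at computing ALE.
    """
    after = Threat(t.name, t.asset_value, t.exposure_factor, aro_after_control)
    return ale(t) - ale(after) - annual_control_cost


# Constructed sample inventory for a hypothetical e-commerce server and laptops.
SAMPLE_THREATS = [
    # Fire destroys a quarter of the server's value, expected once in 50 years.
    Threat("server fire", asset_value=500_000, exposure_factor=0.25,
           aro=aro_from_interval(50)),
    # Ransomware: 60% loss, expected once every two years.
    Threat("server ransomware", asset_value=500_000, exposure_factor=0.60,
           aro=0.5),
    # Laptop theft: total loss of a 3,000 unit, four incidents a year.
    Threat("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=4.0),
]


if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        print(f"{t.name:18s} SLE={sle(t):>12,.2f}  ALE={ale(t):>12,.2f}")
    print("ranked:", rank_by_ale(SAMPLE_THREATS))
    # Hypothetical control: EDR plus offline backups cuts ransomware ARO to 0.1
    # for 50,000 a year.
    print("ransomware control net benefit:",
          control_net_benefit(SAMPLE_THREATS[1], 0.1, 50_000))
```

The ranking, not any single ALE figure, is what the steering committee should see: it shows where treatment spend belongs. The net-benefit check is a first filter only; ALE says nothing about a single catastrophic loss the organization could not survive, which is why qualitative judgement still sits on top of these numbers.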
What are some risk analysis standards?
NIST 800-30
ISO/IEC 27005
Who is the best person (or body) to make a decision on risk treatment?
Security steering committee
T or F: being compliant is the same as being secure
False
Compliance is a checkbox starting point, not the end state
What is another name for a SPAN port?
Mirror port (Switched Port Analyzer). It copies traffic to a monitoring port; a network tap is the separate inline hardware device that serves the same monitoring purpose.
What are the 3 types of controls
Physical
Technical
Administrative
What are some examples of preventive controls?
Login screens
Keycard readers
Encryption
What are some examples of detective controls?
Video Surveillance
Event Logs
What are some examples of deterrent controls?
Guard dogs
Warning signs
Visible video surveillance
Note: deterrent controls only work if they are known to the potential violator
What are some examples of corrective controls?
Any act of improving a process when it is found to be defective
What is an example of a compensating control?
A guest sign-in register used when there is no stronger detective control such as surveillance
What is an example of a recovery control?
Use of a tool to remove malware, or backup software to recover lost or corrupted files
What is the purpose of security governance?
Provide management with visibility into, and control of, the security program
What is a key difference between an IPS and a firewall from an inspection standpoint?
An IPS inspects the full packet (including payload), while a traditional firewall inspects only headers
What should be developed first:
Procedures
Standards
Processes
or Policies?
Policies, since they govern behavior in an organization and should be developed first. Then processes and procedures that align with the policies can be developed. Standards, which specify how policies are to be implemented, can be developed in conjunction.
What is the CISA certification recognized for?
Certified Information Systems Auditor
Experience in information systems audit and information systems protection
What is CGEIT?
Certified in the Governance of Enterprise IT
What is CRISC?
Certified in Risk and Information Systems Control; focused on risk management
What is CISSP?
Certified Information Systems Security Professional; a well-known general-purpose security certification
What is the most effective way to confirm overall compliance with security policies?
Interview process owners and examine business records
What is the primary reason why one-time passwords sent via SMS do not prove physical possession of a trusted device?
SMS is not as secure as it used to be: messages can be read through the cellular carrier's website or through services such as Google Voice, so receiving the code does not prove the user holds the phone.
What is a CASB specifically designed for?
Providing visibility and control into the use of cloud-based services
Is the ideal vulnerability management program (VMP) based on scanning first and then patching?
No. The best VMP is one where system and device patching and hardening are proactively performed according to established SLAs, and security scanning acts as a QA function that confirms the work was done
What would be an important security-related consideration to include in advance planning for an SSO portal?
SAML integration with applications
The point of SSO is to centralize authentication to a large number of applications, and SAML will be required for that
How often does an organization have to verify the status of a service provider for PCI DSS?
Annually
Status only; there is no need to audit or verify the provider's compliance itself
How many personnel are needed to cover a 24x7x365 shop with vacation and sick time factored in?
12
Is it acceptable to allow users to "test out" of security awareness training (SAT)?
Yes
What is the best method for keeping a program aligned with long-term strategy?
Track and report on milestones
A controls gap analysis or risk analysis is too narrow
The IT steering committee is not the body the security leader is accountable to
Is it an option for a third party with deficient log storage and visibility to send its logs to the larger client?
Yes. This is known as intrusive monitoring and is an acceptable business practice
For PCI DSS, in relation to POS systems, do you need to examine all systems for hardening to be compliant?
No. You can examine a reasonable sample
What is adaptive MFA?
Requiring MFA based on context: for example, enforcing it for specific critical business applications, or not requiring it from known locations
If an organization is considering the acquisition of a security tool such as a SIEM, which parties will provide functional requirements?
Security governance, to ensure it meets objectives
Security operations
IT operations
Internal audit
Does a SIEM provide any remediation of events?
No. It correlates events and produces alerts for personnel to investigate and act on
What does the term "identity is the new perimeter" mean?
Due to IaaS, SaaS, PaaS, etc., firewalls are no longer able to protect resources on their own, so technologies such as MFA and biometrics are essential
What is the best way for a CISO to estimate the resources required to support security operations?
Consult with industry analysts and experts to get the best initial estimate