5.0 - Risk Management Flashcards
This is a legal agreement between partners that establishes the terms of the relationship, including sharing of profits and losses and responsibilities.
BPA (Business Partnership Agreement)
This document details the expectations between a customer and a service provider. It can define specific services, level of expectation, issue management and resolution, etc. This is a legally binding document.
SLA (Service Level Agreement)
This is a specialized agreement between organizations that have interconnected IT systems. It can be part of an MOU.
ISA (Interconnection Security Agreement)
These documents describe the relationship between two parties in pursuit of a common goal.
MOU (Memorandum of Understanding)
MOA (Memorandum of Agreement)
They are not typically legally binding. MOUs tend to be more high-level, but the lines are blurry.
Why are mandatory vacations a security measure?
Employees who never take time off may be hiding something, such as embezzlement. Mandatory vacations are a tool to detect fraud, and they create the need for cross-training.
How is Job Rotation useful?
Job Rotation through security helps other IT employees understand the security needs of the organization.
It is also a form of cross-training.
Why is separation of duties important?
Separation of duties:
- Makes it difficult for one bad actor to cause damage.
- Keeps individuals from being indispensable, since no single person has the keys to the kingdom.
What is a clean desk policy?
A clean desk policy states that sensitive information is not to be left unattended.
What is Role-Based Awareness Training?
Role-Based Awareness Training is security training attuned to the job role of the user. This is important even for non-IT users, such as managers.
Re-training over time is also important, as is re-assessment of training curriculum as job roles change.
Who owns the data?
Data Ownership should be defined. Data ownership is a business function.
Should a system admin set policy?
A System Admin has nearly complete control over a system, but the system owner (usually the business unit) should be setting policy on how the system is used and configured.
Define types of users.
Types of users:
- User - minimal access
- Privileged user - extra access, tailored to their job role
- Executive user - access is granted for their job role, but the principle of least privilege still applies. Even the CIO should not have full access, as she will not need it on a daily basis.
How should onboarding work from a security perspective?
Onboarding should make personnel aware of their responsibilities regarding security. Onboarding and offboarding procedures should be well-documented.
This document defines how an employee should use resources, including computers, email, internet, network access. It should also state how the organization will monitor the employee’s use of these resources.
AUP (Acceptable Use Policy)
This often goes hand in hand with the Internet Use Policy.
What are the two common policies for violation of company policy?
Common Adverse Action responses are:
- Zero-tolerance - always terminate the employee.
- Discretionary Action - “violations will be punished via a range of HR actions, up to and including termination.”
This high-level document defines the overall security attitude of the organization.
Security Policy or General Security Policy.
What are the challenges presented by social media networks and applications?
A social media network could be considered a third party when it is used for marketing or communication; however, no SLA or MOA will exist with it.
Social media is a possible conduit for malware.
Social media contributes to employee inefficiency.
What risks does personal email represent?
A litigation hold on an employee’s personal email residing on a company system is problematic.
It is a channel for malware.
What is a defense against the issues brought by social media, web use and personal email?
Users should be trained to be cognizant of the risks to the organization when using these services.
What is a BIA document?
A BIA (Business Impact Analysis) document addresses sources of risk and steps taken to mitigate it. It will also outline how the loss of critical functions will impact the organization.
What is RTO?
RTO (Recovery Time Objective) is the amount of time before normal operations resume after an incident. Shorter RTO translates to greater recovery costs.
What is RPO?
RPO (Recovery Point Objective) is the maximum time of acceptable data loss. RPO defines the cadence of data backup operations.
What is MTBF?
MTBF is Mean Time Between Failures: how often a system fails.
MTBF = time in service / number of failures
10 years of service with 2 failures = MTBF of 5 years.
What is MTTR?
MTTR (Mean Time To Recovery) is how long it will take to get a failed system back online. This may account for repairs and hardware sourcing.
MTTR = Total Downtime / Number of breakdowns
It failed 5 times for a total of 2.5 hours downtime. 2.5 hours / 5 = MTTR of 30 minutes
How do you calculate availability?
Availability = MTBF / (MTBF + MTTR)
MTBF of 6 months
MTTR of 30 minutes
6 months / (6 months + 30 minutes) = 99.9884% availability
Risk vs. Impact?
Risk is the chance of something happening.
Impact is the cost of it happening.
What is a PIA?
A PIA (Privacy Impact Assessment) looks at how personally identifiable information (PII) is handled, and assesses how secure and compliant the business practices around PII are.
What is a Privacy Threshold Assessment?
A Privacy Threshold Assessment analyzes whether PII is collected and maintained by a system. This step must be performed before a PIA (Privacy Impact Assessment).
What does a Threat Assessment encompass?
A Threat Assessment is a structured analysis of the threats that confront an enterprise. Each is given a likelihood. They may include:
- Environmental
- Manmade
- Internal or external
What is SLE?
SLE (Single Loss Expectancy) is the value of a single loss event. It is the asset value times the exposure factor (the percentage of the company's capability that the asset represents).
SLE = asset value x exposure factor
$2 million building that houses 1/4 of the company business = SLE of $500,000
What is ARO?
ARO (Annualized Rate of Occurrence) is the frequency of an event per year. If you get hit by lightning every 20 years, then your lightning strike ARO is 1/20.
What is ALE?
ALE (Annual Loss Expectancy) is the SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence).
SLE = $1 million ($4m building housing 1/4 of ops)
ARO = 1/10 (once every 10 years)
ALE = $100,000. Expect to spend that much every year for this loss.