Business Requirements Flashcards

1
Q

In the asset inventory, give examples of tangible and intangible assets.

A

Assets can be tangible items such as IT hardware, retail inventory and buildings, but they can also be intangible assets such as public perception, goodwill and intellectual property.

2
Q

Why do we need an asset inventory?

A

In order to protect assets you need to know what and where they are.

3
Q

What process covers the valuation of the assets?

A

Business Impact Analysis

4
Q

Who is responsible for assigning valuations to assets?

A

Data Owners

5
Q

What is the danger of allowing data owners to value assets?

A

They tend to overvalue the assets.

6
Q

Name two common methods of attributing value to assets.

A

Insured value or replacement cost.

7
Q

What is the determination of criticality?

A

Determination of Criticality is a part of the BIA effort to determine those assets without which the organisation could not operate or exist.

8
Q

Who determines the criticality of assets?

A

Senior Management

9
Q

What process is responsible for identifying single points of failure?

A

Business Impact Analysis

10
Q

Are single points of failure limited solely to tangible assets?

A

No, they can also be present in business processes.

11
Q

Give some examples of remediations for single points of failure.

A

Adding redundancy for replacement
Creating alternative processes
Cross-training personnel to fill many roles
Consistent backing up of data
Load sharing and balancing of IT assets

12
Q

What is risk appetite?

A

The level, amount or type of risk that an organisation finds acceptable.

13
Q

What is the definition of a risk?

A

Likelihood that an impact will be realised.

14
Q

Can a risk be eliminated?

A

No, only reduced.

15
Q

Which risks are not allowed to be accepted by an organisation?

A

Regulatory risks, risks to human safety, and industry standards.

16
Q

What are the four ways to manage risks?

A

Avoidance
Acceptance
Transference
Mitigation

17
Q

What is risk avoidance?

A

It is the leaving of a business opportunity because the risk is too high.

18
Q

What is risk acceptance?

A

The risk falls within the risk appetite of the organisation.

19
Q

What is risk transference?

A

The organisation pays someone else to accept the risk. This is often the type of risk that has a low probability of occurring but a high impact if it does.

20
Q

What is risk mitigation?

A

The organisation takes steps to decrease the likelihood or the impact of the risk.

21
Q

What is a residual risk?

A

The amount of risk that is left after the risk has been reduced.

22
Q

Under the IaaS model, what is a challenge for the customer?

A

Auditing. It is difficult when you don't have access to the underlying hardware, although application logs can still be downloaded.

23
Q

What happens when the customer moves up from IaaS to SaaS?

A

The customer loses control until ultimately they control only their data.

24
Q

What are the three main security measures for protecting sensitive data?

A

Hardening Devices
Encryption
Layered Defences

25
Q

What is involved in hardening devices?

A

Guest accounts removed
Unused ports closed
No default passwords
Strong password policies
Unnecessary services disabled
Physical access controlled
Systems are patched

26
Q

For BYOD, what are the main considerations?

A

Antivirus
Remote wipe
Encryption
Strong access controls
VPN

27
Q

What are the considerations for encryption?

A

Encryption in transit
Encryption at rest
Secure sessions
Secure sanitisation

28
Q

What are some typical layered defences?

A

Strong password controls
Governance mechanisms
Training programs
Strong remote access
Physical controls

29
Q

What piece of legislation is a financial and security audit of a target organisation?

A

SOC

30
Q

What type of SOC control covers financial aspects of the organisation only?

A

Type 1

31
Q

What part of the SOC controls only discusses the security controls of an organisation?

A

2 Type 1

32
Q

What part of the SOC controls covers the security controls of the organisation and how well they function?

A

2 Type 2

33
Q

What level of SOC control is a summary with no detail, outlining whether the organisation has passed the audit or not?

A

3

34
Q

What level of customer control exists for a SaaS solution?

A

Solely the data and the processes; no access to logs at OS or software level.

35
Q

What is risk appetite?

A

Risk appetite is the level, amount or type of risk that the organisation finds acceptable.

36
Q

What is risk tolerance?

A

Variance around objectives.

37
Q

What is risk profile?

A

The risk an organisation can tolerate.

38
Q

What is RAID 0?

A

Data is written across all drives; no protection.

39
Q

What is RAID 1?

A

Data is copied to a redundant drive; protection through an exact duplicate.

40
Q

What is RAID 10?

A

Drives holding a parity value for the other drive; protection via the use of parity, so drive A would hold the parity information for drive B, etc.

41
Q

What is erasure coding?

A

RAID 5 for the cloud: it stores parity on drives but gets round the fact that the drive holding one piece of data can be on a completely different server from where that data is used.

42
Q

What is cloud posture management?

A

A remediation/alerting tool that tackles the situation where users gain privileges by accessing resources that have high-privilege roles attached to them.

43
Q

What is micro segmentation?

A

Networks that contain only one element. Not useful for the whole business, but good for regulated items such as a database containing PHI.

44
Q

What is hyper segmentation?

A

Hyper segmentation is the segmenting of networks via physical and data travel paths for particular app sources and destinations.