Business Requirements

Question 1

In the asset inventory give examples of tangible and intangible assets.

Answer 1

Assets can be tangible items such as IT Hardware, retail inventory and buildings but they can also be intangible assets such as public perception, goodwill intellectual property.

Question 2

Why do we need an asset inventory ?

Answer 2

In order to protect assets you need to know what and where they are.

Question 3

What process covers the valuation of the assets ?

Answer 3

Business Impact Analysis

Question 4

Who is responsible for assigning valuations to assets ?

Answer 4

Data Owners

Question 5

What is the danger of allowing data owners to value assets ?

Answer 5

They tend to overvalue the assets

Question 6

Name two common methods in attributing value to assets ?

Answer 6

Insured value or replacement cost

Question 7

What is the determination of criticality ?

Answer 7

Determination of Criticality is a part of the BIA effort to determine those assets without which the organisation could not operate or exist.

Question 8

Who determines the criticality of assets ?

Answer 8

Senior Management

Question 9

What process is responsible for identifying single points of failure ?

Answer 9

Business Impact Analysis

Question 10

Are single points of failure limited to solely tangible assets ?

Answer 10

No they can also be present in business processes

Question 11

Give some examples of remediations of single points of failure?

Answer 11

Adding redundancy for replacement
Creating alternative processes
Cross Training personnel to fill many roles
Consistent backing up of data
Load sharing and balancing of IT assets

Question 12

What is risk appetite ?

Answer 12

The level amount or type of risk that an organisation finds acceptable.

Question 13

What is the definition of a risk ?

Answer 13

Liklihood an impact will be realised

Question 14

Can a risk be eliminated ?

Answer 14

No only reduced

Question 15

Which risks are not allowed to be accepted by an organisation ?

Answer 15

regulatory risks, risks to do with human safety and industry standards

Question 16

What are the four ways to manage risks

Answer 16

Avoidance
Acceptance
Transference
Mitigation

Question 17

What is risk avoidance ?

Answer 17

It is the leaving of a business opportunity because the risk is to high

Question 18

What is risk acceptance?

Answer 18

The risk falls within the risk appetite of the organisation

Question 19

What is risk trasference ?

Answer 19

Organisation pays someone else to accept the risk. This is often the type of risk that has a low probability of occuring but a high impact if it dowe.

Question 20

What is risk mitigation ?

Answer 20

The organisation takes steps to decrease the liklihood or the impact of the risk

Question 21

What is a residual risk ?

Answer 21

The amount of risk that is left after the risk has been reduced.

Question 22

Under the IAAS model what is a challenge for the Customer ?

Answer 22

Auditing - It is difficult when you dont have access to the underlying hardware although application logs can still be downloaded

Question 23

What happens when the customer moves up from IAAS to SAAS ?

Answer 23

The customer loses control to ultimately they only data

Question 24

What are the are the three main security measures for protecting sensitive data ?

Answer 24

Hardening Devices
Encryption
Layered Defences

Question 25

What is involved with hardening devices ?

Answer 25

Guest accounts removed

Unused Ports closed

No default passwords

Strong password policies

Unnecessary services disabled

Physical Access Controlled

Systems are patched

Question 26

For BYOD what are the main considerations

Answer 26

Antivirus

Remote Wipe

Encryption

Strong Access Controls

VPN

Question 27

What are the considerations for encryption ?

Answer 27

Encryption in transit

Encryption at rest

Secure Sessions

Secure Sanitization

Question 28

What are some typical layered defences

Answer 28

Strong Password Controls

Governance Mechanisms

Training Programs

Strong Remote Access

Physical Controls

Question 29

What piece of legislation is a financial and security audit of target organisation ?

Answer 29

SOC

Question 30

What type of SOC control cover financial aspects of the Organisation only ?

Answer 30

Type 1

Question 31

What part of the SOC controls only discuss the security controls of an organisation ?

Answer 31

2 Type 1

Question 32

What part of the SOC controls cover the security control of the Organisation and how well they function ?

Answer 32

2 Type 2

Question 33

What level of SOC control is a summary with no detail outling if the Organisation has passed the audit or not ?

Answer 33

3

Question 34

What level of customer control exists for a SaaS solution ?

Answer 34

Solely the data and the processes - no access to logs at OS or software level

Question 35

What is risk appetite ?

Answer 35

Risk appetite is the level, amount or type of risk that the organisation finds acceptable

Question 36

What is risk tolerance ?

Answer 36

variance around objectives

Question 37

What is risk profile ?

Answer 37

the risk an organisation can tolerate

Question 38

What is RAID 0 ?

Answer 38

Data is written to all drives - no protection

Question 39

What is RAID 1 ?

Answer 39

Data is copied to redundant drive - protection through exact duplicate

Question 40

What is RAID 10 ?

Answer 40

Drives holding a parity value for the other drive - protection via the use of parity so drive a would hold the parity information for drive b etc

Question 41

What is erasure coding ?

Answer 41

RAID 5 for cloud - stores parity on drives but gets round that the drive for one piece of data can be stored on a completely different server from where it is used

Question 42

What is cloud psoture management ?

Answer 42

A remediation/alerting tool that tackles the situation where users gain priveleges by accessing resources that have high privilege roles attached to them.

Question 43

What is micro segmentation ?

Answer 43

Networks that contain only one element - Not useful for whole business but good for regulated items such as a database containing PHI

Question 44

What is hyper sementation ?

Answer 44

Hyper segmentation is the segmenting of networks via physical and data travel for particular app sources and destinations,