Business Requirements Flashcards
In the asset inventory give examples of tangible and intangible assets.
Assets can be tangible items such as IT hardware, retail inventory and buildings, but they can also be intangible, such as public perception, goodwill and intellectual property.
Why do we need an asset inventory ?
In order to protect assets you need to know what and where they are.
What process covers the valuation of the assets ?
Business Impact Analysis
Who is responsible for assigning valuations to assets ?
Data Owners
What is the danger of allowing data owners to value assets ?
They tend to overvalue the assets
Name two common methods in attributing value to assets ?
Insured value or replacement cost
What is the determination of criticality ?
Determination of Criticality is a part of the BIA effort to determine those assets without which the organisation could not operate or exist.
Who determines the criticality of assets ?
Senior Management
What process is responsible for identifying single points of failure ?
Business Impact Analysis
Are single points of failure limited to solely tangible assets ?
No they can also be present in business processes
Give some examples of remediations of single points of failure?
Adding redundancy for replacement
Creating alternative processes
Cross Training personnel to fill many roles
Consistent backing up of data
Load sharing and balancing of IT assets
What is risk appetite ?
The level, amount or type of risk that an organisation finds acceptable.
What is the definition of a risk ?
The likelihood that a harmful impact will be realised.
Can a risk be eliminated ?
No, it can only be reduced.
Which risks are not allowed to be accepted by an organisation ?
Regulatory risks, risks to human safety, and risks of breaching industry standards.
What are the four ways to manage risks ?
Avoidance
Acceptance
Transference
Mitigation
What is risk avoidance ?
Walking away from a business opportunity because the risk is too high.
What is risk acceptance?
The risk falls within the risk appetite of the organisation
What is risk transference ?
The organisation pays someone else (for example an insurer) to accept the risk. This is typically used for risks that have a low probability of occurring but a high impact if they do.
What is risk mitigation ?
The organisation takes steps to decrease the likelihood or the impact of the risk.
What is a residual risk ?
The amount of risk that is left after the risk has been reduced.
Under the IAAS model what is a challenge for the Customer ?
Auditing - it is difficult when you don't have access to the underlying hardware, although application logs can still be collected.
What happens when the customer moves up from IAAS to SAAS ?
The customer progressively loses control, until ultimately they control only their data.
What are the three main security measures for protecting sensitive data ?
Hardening Devices
Encryption
Layered Defences
What is involved with hardening devices ?
Guest accounts removed
Unused Ports closed
No default passwords
Strong password policies
Unnecessary services disabled
Physical Access Controlled
Systems are patched
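The hardening checklist above is usually verified by hand; as an added example (not part of the original flashcards), the script below turns four of the checks into detection logic that runs over constructed samples of `/etc/passwd`, `/etc/shadow`, `ss -lnt` output and `sshd_config`. The sample inputs, the allowed-port list and the finding messages are all assumed for illustration, not taken from any real host.

```python
"""Hardening audit over constructed host output (guest accounts, empty
passwords, unexpected listeners, weak sshd settings).  Example code only."""

# Constructed sample inputs standing in for real host output.
PASSWD = """root:x:0:0:root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
svc_backup:x:1002:1002::/var/backup:/usr/sbin/nologin
"""
SHADOW = """root:$6$salt$hash:19700:0:99999:7:::
guest::19700:0:99999:7:::
svc_backup:!:19700:0:99999:7:::
"""
SS_LNT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
"""
SSHD_CONFIG = """PermitRootLogin yes
PasswordAuthentication yes
"""

ALLOWED_PORTS = {22, 443}            # assumed baseline for this host
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}


def audit_accounts(passwd, shadow):
    """Flag an enabled guest account and any account with an empty password."""
    findings = []
    for line in passwd.splitlines():
        user, _, uid, gid, gecos, home, shell = line.split(":")
        if user == "guest" and shell in LOGIN_SHELLS:
            findings.append(f"guest account enabled with login shell {shell}")
    for line in shadow.splitlines():
        user, pw = line.split(":")[:2]
        if pw == "":                  # empty hash field means no password at all
            findings.append(f"account {user} has an empty password")
    return findings


def audit_ports(ss_output, allowed=ALLOWED_PORTS):
    """Flag every listening TCP port that is not on the allow list."""
    findings = []
    for line in ss_output.splitlines()[1:]:      # skip the header row
        local = line.split()[3]                  # e.g. 0.0.0.0:23
        port = int(local.rsplit(":", 1)[1])
        if port not in allowed:
            findings.append(f"unexpected listener on port {port}")
    return findings


def audit_sshd(config):
    """Flag root login and password authentication in sshd_config.
    Defaults mirror OpenSSH: PermitRootLogin prohibit-password,
    PasswordAuthentication yes."""
    settings = dict(
        line.split(None, 1)
        for line in config.splitlines()
        if line.strip() and not line.startswith("#")
    )
    findings = []
    if settings.get("PermitRootLogin", "prohibit-password").lower() == "yes":
        findings.append("sshd permits direct root login")
    if settings.get("PasswordAuthentication", "yes").lower() == "yes":
        findings.append("sshd accepts password authentication")
    return findings


def audit_host(passwd=PASSWD, shadow=SHADOW, ss_output=SS_LNT,
               sshd_config=SSHD_CONFIG):
    """Run all checks and return the combined list of findings."""
    return (audit_accounts(passwd, shadow)
            + audit_ports(ss_output)
            + audit_sshd(sshd_config))


if __name__ == "__main__":
    for finding in audit_host():
        print("FAIL:", finding)
```

On the constructed input the audit reports five findings: the guest account with a shell, its empty password, the telnet listener on port 23, root login over SSH, and password authentication. Patching and physical access are not covered here, since they cannot be judged from text files alone.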
For BYOD what are the main considerations ?
Antivirus
Remote Wipe
Encryption
Strong Access Controls
VPN
What are the considerations for encryption ?
Encryption in transit
Encryption at rest
Secure Sessions
Secure Sanitization
What are some typical layered defences ?
Strong Password Controls
Governance Mechanisms
Training Programs
Strong Remote Access
Physical Controls
What family of audit reports covers a financial and security audit of a target organisation ?
SOC (System and Organization Controls) reports
Which SOC report covers the financial reporting controls of the organisation only ?
SOC 1
Which SOC report describes the design of an organisation's security controls at a single point in time ?
SOC 2 Type 1
Which SOC report covers the security controls of the organisation and how well they operated over a period of time ?
SOC 2 Type 2
Which SOC report is a summary with no detail, stating only whether the organisation passed the audit, and intended for general distribution ?
SOC 3
What level of customer control exists for a SaaS solution ?
Solely the data and the business processes that use it - no access to logs at the OS or application level.
What is risk appetite ?
Risk appetite is the level, amount or type of risk that the organisation finds acceptable
What is risk tolerance ?
The acceptable variance around the organisation's objectives.
What is risk profile ?
The overall picture of the risks the organisation is currently exposed to, set against the risk it is willing to tolerate.
What is RAID 0 ?
Data is striped across all drives - no protection; losing any one drive loses everything.
What is RAID 1 ?
Data is mirrored to a redundant drive - protection through an exact duplicate.
What is RAID 5 ?
Data and parity blocks are striped across all drives, with the parity position rotating between drives - protection via parity, so if one drive fails its contents can be recalculated from the remaining drives and the parity.
What is erasure coding ?
RAID 5 for the cloud - data and parity fragments are stored across drives, but the fragments for one piece of data can live on completely different servers from where the data is used, and extra parity fragments can be kept so more than one loss is survivable.
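To make the parity idea behind the RAID 5 and erasure coding cards concrete, here is an added example (not from the original flashcards or any storage product) in Python. It stripes a constructed record across four simulated drives with rotating XOR parity, rebuilds any one failed drive from the survivors, and shows that a second simultaneous failure cannot be recovered with a single parity block, which is the gap that erasure coding closes by storing additional parity fragments. Drive count, block size and the sample record are assumptions for illustration.

```python
"""RAID 5-style XOR parity: striping, rebuild of one failed drive, and the
single-parity limit.  Illustrative code, not a storage implementation."""


def xor_blocks(blocks):
    """XOR a list of equal-length byte blocks together (the parity operation)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_drives=4, block_size=8):
    """Stripe `data` across n_drives: each stripe holds n_drives-1 data blocks
    plus one parity block, and the parity position rotates per stripe so no
    single drive becomes the parity bottleneck (the RAID 5 layout)."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    stripe_bytes = (n_drives - 1) * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)   # fill last stripe
    drives = [[] for _ in range(n_drives)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size]
                       for i in range(n_drives - 1)]
        parity_drive = s % n_drives
        parity = xor_blocks(data_blocks)
        remaining = iter(data_blocks)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(remaining))
    return drives


def raid5_read(drives, n_bytes):
    """Reassemble the original bytes, skipping the parity block of each stripe."""
    n = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        for d in range(n):
            if d != s % n:
                out += drives[d][s]
    return bytes(out[:n_bytes])


def rebuild(drives):
    """Rebuild the one failed drive (marked None) from the survivors.
    In every stripe, parity XOR all data blocks == 0, so XORing the surviving
    blocks of a stripe yields the missing block whether it held data or parity.
    Returns a repaired drive list, or None when more than one drive is gone:
    single parity cannot cover a second failure, which is why erasure coding
    keeps extra parity fragments."""
    failed = [i for i, d in enumerate(drives) if d is None]
    if len(failed) != 1:
        return None
    survivors = [d for d in drives if d is not None]
    rebuilt = [xor_blocks([d[s] for d in survivors])
               for s in range(len(survivors[0]))]
    repaired = list(drives)
    repaired[failed[0]] = rebuilt
    return repaired


if __name__ == "__main__":
    # Constructed sample payload, not real patient data.
    record = b"PHI: patient 0042, blood type O-, admitted 2024-03-01"
    drives = raid5_write(record)
    drives[1] = None                                 # simulate losing drive 1
    repaired = rebuild(drives)
    print(raid5_read(repaired, len(record)) == record)   # True
    drives[3] = None                                 # a second concurrent failure
    print(rebuild(drives))                           # None: data is lost
```

The rebuild works the same way whichever drive fails, because the parity block is just another member of the stripe's XOR relation. Real arrays use the same principle per stripe; erasure-coded object stores generalise it with Reed-Solomon style codes so that k data fragments plus m parity fragments survive any m losses, and the fragments can be spread across servers or sites.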
What is cloud posture management ?
A monitoring, alerting and remediation tool (CSPM) that finds cloud misconfigurations, including the situation where users gain privileges by accessing resources that have high-privilege roles attached to them.
What is micro-segmentation ?
Network segments that contain only one element - not practical for the whole business, but good for regulated items such as a database containing PHI.
What is hyper-segmentation ?
Hyper-segmentation is the segmenting of networks by physical path and data flow for particular application sources and destinations.