Ch 01 - Security and Risk Management Flashcards
Which of the following best describes the relationship between COBIT and ITIL?
a. COBIT is a model for IT governance, whereas ITIL is a model for corporate governance.
b. COBIT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
c. COBIT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
d. COBIT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.
C the Control Objectives for Information and related Technology (COBIT) is a framework developed by ISACA (formerly the Information Systems Audit and Control Association) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure IT maps to business needs, not specifically just security needs. The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. A customizable framework, ITIL provides the goals, the general activities necessary to achieve these goals, and the input and output values for each process required to meet these determined goals. In essence, COBIT addresses “what is to be achieved,” and ITIL addresses “how to achieve it.”
A is incorrect because, although COBIT can be used as a model for IT governance, ITIL is not a model for corporate governance. Actually, Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a model for corporate governance. COBIT is derived from the COSO framework. You can think of COBIT as a way to meet many of the COSO objectives, but only from the IT perspective. In order to achieve many of the objectives addressed in COBIT, an organization can use ITIL, which provides process-level steps for achieving IT service management objectives.
B is incorrect because, as previously stated, COBIT can be used as a model for IT governance, not corporate governance. COSO is a model for corporate governance. The second half of the answer is correct. ITIL is a customizable framework that is available either as a series of books or online for IT service management.
D is incorrect because COBIT defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs, not just IT security needs. ITIL provides steps for achieving IT service management goals as they relate to business needs. ITIL was created because of the increased dependence on information technology to meet business needs.
Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
a. Committee of Sponsoring Organizations of the Treadway Commission
b. The Organization for Economic Co-operation and Development
c. COBIT
d. International Organization for Standardization
B. Almost every country has its own rules pertaining to what constitutes private data and how it should be protected. As the digital and information age came upon us, these different laws started to negatively affect business and international trade. Thus, the Organization for Economic Co-operation and Development (OECD) developed guidelines for various countries so that data is properly protected and everyone follows the same rules.
A is incorrect because the Committee of Sponsoring Organizations of the Tredway Commission (COSO) was formed in 1985 to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them. The acronym COSO refers to a model for corporate governance that addresses IT at a strategic level, company culture, financial accounting principles, and more.
C is incorrect because the Control Objectives for Information and related Technology (COBIT) is a framework that defines goals for the controls that should be used to properly manage IT and ensure that IT maps to business needs. It is an international open standard that provides requirements for the control and security of sensitive data and a reference framework.
D is incorrect because the International Organization for Standardization (ISO) is an international standard-setting body consisting of representatives from national standards organizations. Its objective is to establish global standardizations. However, its standardizations go beyond the privacy of data as it travels across international borders. For example, some standards address quality control, and others address assurance and security.
Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
a. Security policy committee
b. Audit committee
c. Risk management committee
d. Security steering committee
D. Steve is joining a security steering committee, which is responsible for making decisions on tactical and strategic security issues within the enterprise. The committee should consist of individuals from throughout the organization and meet at least quarterly. In addition to the responsibilities listed in the question, the security steering committee is responsible for establishing a clearly defined vision statement that works with and supports the organizational intent of the business. It should provide support for the goals of availability, integrity, and confidentiality as they pertain to the organization’s business objectives. This vision statement should, in turn, be supported by a mission statement that provides support and definition to the processes that will apply to the organization and allow it to reach its business goals.
A is incorrect because a security policy committee is a committee chosen by senior management to produce security policies. Usually senior management has this responsibility unless they delegate it to a board or committee. Security policies dictate the role that security plays within the organization. They can be organizational, issue specific, or system specific. The steering committee does not directly create policies, but reviews and approves them if acceptable.
B is incorrect because the audit committee’s goal is to provide independent and open communication among the board of directors, management, internal auditors, and external auditors. Its responsibilities include the company’s system of internal controls, the engagement and performance of independent auditors, and the performance of the internal audit function. The audit committee would report its findings to the steering committee, but not be responsible for overseeing and approving any part of a security program.
C is incorrect because the purpose of a risk management committee is to understand the risks that the organization faces as a whole and work with senior management to reduce these risks to acceptable levels. This committee does not oversee the security program. The security steering committee usually reports its findings to the risk management committee as it relates to information security. A risk management committee must look at overall business risks, not just IT security risks.
Which of the following is not included in a risk assessment?
a. Discontinuing activities that introduce risk
b. Identifying assets
c. Identifying threats
d. Analyzing risk in order of cost or criticality
A. Discontinuing activities that introduce risk is a way of responding to risk through avoidance. For example, there are many risks surrounding the use of instant messaging (IM) in the enterprise. If a company decides not to allow IM activity because there is not enough business need for its use, then prohibiting this service is an example of risk avoidance. Risk assessment does not include the implementation of countermeasures such as this.
B is incorrect because identifying assets is part of a risk assessment, and the question asks to identify what is not included in a risk assessment. In order to determine the value of assets, those assets must first be identified. Asset identification and valuation are also important tasks of risk management.
C is incorrect because identifying threats is part of a risk assessment, and the question asks to identify what is not included in a risk assessment. Risk is present because of the possibility of a threat exploiting a vulnerability. If there were no threats, there would be no risk. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.
D is incorrect because analyzing risk in order of cost or criticality is part of the risk assessment process, and the question asks to identify what is not included in a risk assessment. A risk assessment researches and quantifies the risk a company faces. Dealing with risk must be done in a cost-effective manner. Knowing the severity of the risk allows the organization to determine how to address it effectively.
The integrity of data is not related to which of the following?
a. Unauthorized manipulation or changes to data
b. The modification of data without authorization
c. The intentional or accidental substitution of data
d. The extraction of data to share with unauthorized entities
D. The extraction of data to share with unauthorized entities is a confidentiality issue, not an integrity issue. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of secrecy should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Integrity, on the other hand, is the principle that signifies the data has not been changed or manipulated in an unauthorized manner.
A is incorrect because integrity is related to the unauthorized manipulation or changes to data. Integrity is upheld when any unauthorized modification is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and process data correctly and move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination.
B is incorrect because the modification of data without authorization is related to integrity. Integrity is about protecting data so that it cannot be changed either by users or other systems that do not have the rights to do so.
C is incorrect because the intentional or accidental substitution of data is related to integrity. Along with the assurance that data is not modified by unauthorized entities, integrity is upheld when the assurance of the accuracy and reliability of the information and systems is provided. An environment that enforces integrity prevents attackers, for example, from inserting a virus, logic bomb, or back door into a system that could corrupt or replace data. Users usually affect a system or its data’s integrity by mistake (although internal users may also commit malicious deeds). For example, a user may insert incorrect values into a data processing application that ends up charging a customer $3,000 instead of $300.
As his company’s CISO, George needs to demonstrate to the board of directors the necessity of a strong risk management program. Which of the following should George use to calculate the company’s residual risk?
a. threats × vulnerability × asset value = residual risk
b. SLE × frequency = ALE, which is equal to residual risk
c. (threats × vulnerability × asset value) × controls gap = residual risk
d. (total risk – asset value) × countermeasures = residual risk
C. Countermeasures are implemented to reduce overall risk to an acceptable level. However, no system or environment is 100 percent secure, and with every countermeasure some risk remains. The leftover risk after countermeasures are implemented is called residual risk. Residual risk differs from total risk, which is the risk companies face when they choose not to implement any countermeasures. While the total risk can be determined by calculating threats × vulnerability × asset value = total risk, residual risk can be determined by calculating (threats × vulnerability × asset value) × controls gap = residual risk. The controls gap is the amount of protection the control cannot provide.
A is incorrect because threats × vulnerability × asset value does not equal residual risk. It is the equation to calculate total risk. Total risk is the risk a company faces in the absence of any security safeguards or actions to reduce the overall risk exposure. The total risk is reduced by implementing safeguards and countermeasures, leaving the company with residual risk—or the risk left over after safeguards are implemented.
B is incorrect because SLE × frequency is the equation to calculate the annualized loss expectancy (ALE) as a result of a threat exploiting a vulnerability and the business impact. The frequency is the threat’s annual rate of occurrence (ARO). The ALE is not equal to residual risk. ALE indicates how much money a specific type of threat is likely to cost the company over the course of a year. Knowing the real possibility of a threat and how much damage in monetary terms the threat can cause is important in determining how much should be spent to try and protect against that threat in the first place.
D is incorrect and is a distracter answer. There is no such formula like this used in risk assessments. The actual equations are threats × vulnerability × asset value = total risk and (threats × vulnerability × asset value) × controls gap = residual risk.
Capability Maturity Model Integration (CMMI) came from the software engineering world and is used within organizations to help lay out a pathway of how incremental improvement can take place. This model is used by organizations in self-assessment and to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes. In the CMMI model graphic shown, what is the proper sequence of the levels?
a. Initial, Defined, Managed, Quantitatively Managed, Optimizing
b. Initial, Defined, Quantitatively Managed, Optimizing, Managed
c. Defined, Managed, Quantitatively Managed, Optimizing
d. Initial, Repeatable, Defined, Quantitatively Managed, Optimizing
D. Capability Maturity Model Integration (CMMI) is an organizational development model for process improvement developed by Carnegie Mellon. While organizations know that they need to constantly make their security programs better, it is not always easy to accomplish because “better” is a vague and no quantifiable concept. The only way we can really improve is to know where we are starting from, where we need to go, and the steps we need to take in between. This is how the security industry uses the CMMI model. A security program starts at Level 1 and is chaotic in nature. Processes are not predictable, and the security team is reactive to issues that arise—not proactive. The model uses the following maturity levels: Initial, Repeatable, Defined, Managed, Optimizing.
A is incorrect because it has the Defined level as the second level in the model. The actual second level is referred to as Managed. The developer of CMMI is Carnegie Mellon University, and they have modified this model to be used in three main categories: product and service development (CMMI-DEV), service establishment management (CMMI-SVC), and product and service acquisition (CMMI-ACQ). You do not need to know this level of detail for the exam, but you should understand that this is a flexible model that can be used for different situations. The Managed level will be defined slightly differently based upon how the model is being used. Different entities have modified the basic CMMI model to map to organizational security programs. For example, ISACA has laid out a CMMI model showing how ISO 27000 standards can be accomplished and IT security governance can be practiced. The latest version of CMMI has included these security topics:
OPSD Organizational Preparedness for Secure Development
SMP Security Management in Projects
SRTS Security Requirements and Technical Solution
SVV Security Verification and Validation
B is incorrect because the Defined and Managed levels are out of order. It might be confusing at first as to why Managed (Level 2) comes before Defined (Level 3). Level 2 basically means that the organization is not just practicing security by the seat of its pants. It is managing the processes—the processes are not managing the organization. An organization can only be considered to be at Level 3 if it has defined many things that will be tracked. This is the first part of creating a meaningful metric system for process improvement and optimization. Defining things means putting useful data about the security program into formats that can be used in quantitative analysis.
C is incorrect because the order of levels is wrong. The correct order is Initial, Managed, Defined, Quantitatively Managed, Optimizing. Organizations can only be assessed and assigned a level starting at Level 2. Level 1 basically means that there is no coherent structure. Level 2 means the program is being managed, Level 3 means things that can be counted are created, Level 4 means the organization is counting things and using quantitative measures to grade their improvement, and Level 5 means that the organization has control over the security program as a whole and is now focused on just making things more optimized. This is a process improvement model, and these levels are considered maturity levels—as the security program improves, it can be evaluated and achieve a higher maturity level.
Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
a. FAP
b. OCTAVE
c. AS/NZS 4360
d. NIST SP 800-30
C. Although AS/NZS 4360 can be used to analyze security risks, it was not created for that purpose. It takes a much broader approach to risk management than other risk assessment methodologies, such as NIST and OCTAVE, which focus on IT threats and information security risks. AS/NZS 4360 can be used to understand a company’s financial, capital, human safety, and business decisions risks.
A is incorrect because there is no formal FAP risk analysis approach. It is a distracter answer.
B is incorrect because OCTAVE focuses on IT threats and information security risks. OCTAVE is meant to be used in situations where people manage and direct the risk evaluation for information security within their organization. The organization’s employees are given the power to determine the best approach for evaluating security.
D is incorrect because NIST SP 800-30 is specific to IT threats and how they relate to information security risks. It focuses mainly on systems. Data is collected from network and security practice assessments and from people within the organization. The data is then used as input values for the risk analysis steps outlined in the 800-30 document.
Which of the following is not a characteristic of a company with a security governance program in place?
a. Board members are updated quarterly on the company’s state of security.
b. All security activity takes place within the security department.
c. Security products, services, and consultants are deployed in an informed manner.
d. The organization has established metrics and goals for improving security.
B. If all security activity takes place within the security department, then security is working within a silo and is not integrated throughout the organization. In a company with a security governance program, security responsibilities permeate the entire organization, from executive management down the chain of command. A common scenario would be executive management holding business unit managers responsible for carrying out risk management activities for their specific business units. In addition, employees are held accountable for any security breaches they participate in, either maliciously or accidentally.
A is incorrect because security governance is a set of responsibilities and practices exercised by the board and executive management of an organization with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the organization’s resources are used responsibly. An organization with a security governance program in place has a board of directors that understands the importance of security and is aware of the organization’s security performance and breaches.
C is incorrect because security governance is a coherent system of integrated security components that includes products, personnel, training, processes, etc. Thus, an organization with a security governance program in place is likely to purchase and deploy security products, managed services, and consultants in an informed manner. They are also constantly reviewed to ensure they are cost effective.
D is incorrect because security governance requires performance measurement and oversight mechanisms. An organization with a security governance program in place continually reviews its processes, including security, with the goal of continued improvement. On the other hand, an organization that lacks a security governance program is likely to march forward without analyzing its performance and therefore repeatedly makes similar mistakes.
There are four ways of dealing with risk. In the graphic that follows, which method is missing and what is the purpose of this method?
a. Risk transference. Share the risk with other entities.
b. Risk reduction. Reduce the risk to an acceptable level.
c. Risk rejection. Accept the current risk.
d. Risk assignment. Assign risk to a specific owner.
A. Once a company knows the amount of total and residual risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. Many types of insurance are available to companies to protect their assets. If a company decides the total or residual risk is too high to gamble with, it can purchase insurance, which would transfer the risk to the insurance company.
B is incorrect because another approach is risk mitigation, where the risk is reduced to a level considered acceptable enough to continue conducting business. The implementation of firewalls, training, and intrusion/detection protection systems represent types of risk mitigation. Risk reduction is the same as risk mitigation, which is already listed in the graphic.
C is incorrect because companies should never reject risk, which basically means that they refuse to deal with it. Risk commonly has a negative business impact, and if risk is not dealt with properly, the company could have to deal with things such as the loss of production resources, legal liability issues, or a negative effect on its reputation. It is important that identified risk be dealt with properly through transferring it, avoiding it, reducing it, or accepting it.
D is incorrect because although someone could be delegated to deal with a specific risk, this is not one of the methods that is used to deal with risk. Even if risk was assigned to a specific entity to deal with it, she would still need to transfer, avoid, reduce, or accept the risk.
The following graphic contains a commonly used risk management scorecard. Identify the proper quadrant and its description.
a. Top-right quadrant is high impact, low probability.
b. Top-left quadrant is high impact, medium probability.
c. Bottom-left quadrant is low impact, high probability.
d. Bottom-right quadrant is low impact, high probability.
D. The bottom-right quadrant contains low-impact, high-probability risks. This means that there is a high chance that specific threats will exploit specific vulnerabilities. Although these risks are commonly frequent, their business impact is low. Out of the four quadrants, the risks that reside in this quadrant should be dealt with after the risks that reside in the two higher quadrants. An example of a risk that could reside in this quadrant is a virus that infects a user workstation. Since viruses are so common, this would mean that this risk has a high probability of taking place. But since this is only a user workstation and not a production system, the impact would be low.
A is incorrect because the top-right quadrant contains high-impact, high-probability risks. This means that there is a high chance that specific threats will exploit specific vulnerabilities. These risks are commonly frequent and their business impact is high. Out of the four quadrants, the risks that reside in this quadrant should be dealt with first. An example of a risk that would reside in this quadrant is an attacker compromising an internal mail server. If the proper countermeasures are not in place, there is a high probability that this would occur. Since this is a resource that the whole company depends upon, it would have a high business impact.
B is incorrect because the top-left quadrant contains high-impact, low-probability risks. This means that there is a low chance that specific threats will exploit specific vulnerabilities. These risks are commonly infrequent and their overall business impact is low. Out of the four quadrants, the risks that reside in this quadrant should be dealt with after the risks that reside in the top-right quadrant. An example of this type of risk is an attacker compromising an internal DNS server. If there is an external-facing DNS server and a DMZ is in place, the chances that an attacker being able to access an internal DNS server is low. But if this does happen, this would have a high business impact since all systems depend upon this resource.
C is incorrect because the bottom-left quadrant contains low-impact, low-probability risks. This means that there is a low chance that specific threats will exploit specific vulnerabilities. These risks are commonly infrequent and their business impact is low. Out of the four quadrants, the risks that reside in this quadrant should be dealt with after the risks in all of the other three quadrants. An example of this type of risk would be a legacy file server that is hardly used failing and going offline. Since it is not commonly used by users, it would have a low business impact, and if the correct countermeasures are in place, there would be a low probability of this occurring.
What are the three types of policies that are missing from the following graphic?
a. Regulatory, Informative, Advisory
b. Regulatory, Mandatory, Advisory
c. Regulatory, Informative, Public
d. Regulatory, Informative, Internal Use
A. A Regulatory type of policy ensures that the organization is following standards set by specific industry regulations. It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries. An Informative type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, indicate the company’s goals and mission, and provide a general reporting structure in different situations. An Advisory type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, how to handle financial transactions, or how to process confidential information.
B is incorrect because Mandatory is not one of the categories of a type of policy; thus, this answer is a distracter.
C is incorrect because Public is not one of the categories of a type of policy; thus, this answer is a distracter.
D is incorrect because Internal Use is not one of the categories of a type of policy; thus, this answer is a distracter.
List in the proper order from the table shown the learning objectives that are missing and their proper definitions.
a. Understanding, recognition and retention, skill
b. Skill, recognition and retention, skill
c. Recognition and retention, skill, understanding
d. Skill, recognition and retention, understanding
C. Awareness training and materials remind employees of their responsibilities pertaining to protecting company assets. Training provides skills needed to carry out specific tasks and functions. Education provides management skills and decision-making capabilities.
A is incorrect because the different types of training and education do not map to the listed results. Companies today spend a lot of money on security devices and technologies, but they commonly overlook the fact that individuals must be trained to use these devices and technologies. Without such training, the money invested toward reducing threats can be wasted, and the company is still insecure.
B is incorrect because the different types of training and education do not map to the listed results. Different roles require different types of training or education. A skilled staff is one of the most critical components to the security of a company.
D is incorrect because the different types of training and education do not map to the listed results. A security awareness program is typically created for at least three types of audiences: management, staff, and technical employees. Each type of awareness training must be geared toward the individual audience to ensure each group understands its particular responsibilities, liabilities, and expectations.
What type of risk analysis approach does the following graphic provide?
a. Quantitative
b. Qualitative
c. Operationally Correct
d. Operationally Critical
B. A qualitative risk analysis approach does not assign monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. Qualitative analysis techniques include judgment, best practices, intuition, and experience. This graphic shows a rating system, which qualitative risk analysis uses instead of percentages and monetary numbers.
A is incorrect because a quantitative risk analysis attempts to assign percentages and monetary values to all elements of the risk analysis process. These elements may include safeguard costs, asset value, business impact, threat frequency, safeguard effectiveness, exploit probabilities, and so on. When all of these are quantified, the process is said to be quantitative. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks.
C is incorrect because there is no Operationally Correct formal risk analysis approach. This is a distracter answer.
D is incorrect because there is no formal Operationally Critical risk analysis approach. This is a distracter answer.
ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
a. ISO/IEC 27002: Code of practice for information security management
b. ISO/IEC 27003: Guideline for ISMS implementation
c. ISO/IEC 27004: Guideline for information security management measurement and metrics framework
d. ISO/IEC 27005: Guideline for bodies providing audit and certification of information security management systems
D. The ISO/IEC 27005 standard is the guideline for information security risk management. ISO/IEC 27005 is an international standard for how risk management should be carried out in the framework of an ISMS.
A is incorrect because ISO/IEC 27002 is the code of practice for information security management; thus, it has a correct mapping. ISO/IEC 27002 provides best practice recommendations and guidelines as they pertain to initiating, implementing, or maintaining an ISMS.
B is incorrect because ISO/IEC 27003 is the guideline for ISMS implementation; thus, it has a correct mapping. It focuses on the critical aspects needed for successful design and implementation of an ISMS in accordance with ISO/IEC 27001:2013. It describes the process of ISMS specification and design from inception to the production of implementation plans.
C is incorrect because ISO/IEC 27004 is the guideline for information security management measurement and metrics framework; thus, it has a correct mapping. It provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an ISMS and controls or groups of controls, as specified in ISO/IEC 27001.
