Chapter 1

Question 1

Name 5 architecture frameworks

Answer 1

1. Zachmann (what/where/when/who in columns and system archtectes, business managers etc in rows)
2. TOGAF - views of business , application, technology, data
3. DoDAF - systems, processes, personnel in concerted manner
4. MoDAF - data in right format to right people
5. SABSA - Assets, motivation, people, process, location and time in columns (similar to zachmann)

Question 2

For an enterprise security architecture to be successful in development and implementation

Answer 2

1. Strategic alignment
2. Business enablment
3. Process enhancement
4. Security effectiveness

Question 3

What are the principles that COBIT is based on

Answer 3

1. End to end enterprise coverage
2. Single integrated framework
3. Holistic approach
4. Separating governance from management

Question 4

How many goals does COBIT have

Answer 4

17 enterprise goals

17 IT related goals

Question 5

What does COBIT ask?

Answer 5

Simple question – “Why are we doing this”. This should lead to an IT Goal that is tied to an enterprise goal that is tied to a stakeholder need

Question 6

What is the misconception with COBIT

Answer 6

It is a misconception that COBIT is purely security focussed

Question 7

What does NIST 800-53 provide

Answer 7

Security and Privacy controls for federal information systems and organisation

Question 8

How many control categories does NIST have

Answer 8

18 control categories, categorised into (MOT)

Management,

Operational and

Technical

Question 9

How is COSO - IC Integrated Framework majorly different?

Answer 9

It works at strategic level instead of IT

Deals with fraud through corporate governance

Question 10

How many and what are the control principles in COSO IC Integrated Framework?

Answer 10

17 internal control principles, grouped into 5 components

1. Control environment
2. Risk Assesment
3. Control Activities
4. Information and communication
5. Monitoring activities

Question 11

SOX is based on which security controls framework

Answer 11

COSO IC Integrated framework

Question 12

What is the difference between NIST 800-53/COBIT etc and Zachmann/SABSA

Answer 12

former are security controls, later are enterprise architectures

Question 13

CMMI Level 0

Answer 13

Non existent management

Question 14

CMMI Level 1

Answer 14

Unpredictable processes

Question 15

CMMI Level 2

Answer 15

Repeatable processes

Question 16

CMMI Level 3

Answer 16

Defined processes

Question 17

CMMI Level 4

Answer 17

Managed Processes

Question 18

CMMI Level 5

Answer 18

Optimised processes

Question 19

ISO 27001

Answer 19

ISMS requirements

Question 20

27002

Answer 20

Code of practice for information security management

Question 21

27003

Answer 21

ISMS implementation

Question 22

27004

Answer 22

ISMS measurement

Question 23

27005

Answer 23

Risk Management

Question 24

27006

Answer 24

Certification body requirements

Question 25

27007

Answer 25

ISMS auditing

Question 26

27008

Answer 26

Guidance for auditors

Question 27

27011

Answer 27

Telecommunications organization

Question 28

27014

Answer 28

Information security governance

Question 29

27015

Answer 29

Financial sector

Question 30

27031

Answer 30

Business continuity

Question 31

ISO 27016 to 27030

Answer 31

No Standard

Question 32

ISO 27032

Answer 32

Cybersecurity

Question 33

ISO 27033

Answer 33

Network security

Question 34

ISO 27034

Answer 34

Application Security

Question 35

ISO 27035

Answer 35

Incident management

Question 36

ISO 27037

Answer 36

Digital evidence collection and preservation

Question 37

ISO 27099

Answer 37

Health organizations

Question 38

What is the Difference between ISO 27001 and Enterprise security frameworks:

Answer 38

ISO 27001 is general in nature - Can be difficult to know how to implement in a specific environment of a company - That is where the enterprise security architecture comes into play

Question 39

How are security controls categorised in enterprises

Answer 39

APT Administrative Physical Technical

Question 40

How are security controls categorised in government

Answer 40

MOT Management Operational Technial

Question 41

Describe the frameworks, controls standards in the analogy of a house

Answer 41

ISO/IEC 27001 - policy level (description of house) Security Enterprise Framework - architecture level (arch of house) Blueprints - detailed descriptions e.g window types Control Objectives - building specification codes

Question 42

Define Risk

Answer 42

Likelihood of threat source exploiting vulnerability and its business impact

Question 43

What are the 6 functionalities that Controls provide

Answer 43

Detective Preventive Corrective Deterrent Recovery Compensating

Question 44

Which is better between detective, corrective, preventive

Answer 44

Most productive to use a preventive model followed by detective, correcitve and recovery ( stop any troble before it starts but be able to react and combat it if it does happen) If detective control identifies that means preventive failed Hence corrective is necessary to ensure next time it is prevented

Question 45

How to map functionality to a control ?

Answer 45

try to think of the MAIN reason why the control was put in place Eg. A firewall was put in place to prevent an intruder Auditing of logs is post facto so it is detective Backup helps to restore data hene it is recovery Computer images can be reloaded in case of corruption hence corrective

Question 46

Why is compensating control required

Answer 46

it is either Affordable Allows specifically required business functionality

Question 47

What are the 8 OECD principles for privacy protection and transborder flow of data (**Q**uality **C**leaning of **P**ersonal **U**nderwear using **SOAP**)

Answer 47

1. ****_C_**ollection limitation principle**: limited collection, in lawful means, with knowledge of user 2. **Data **_Q_**uality principle**: data is complete, current and relevant 3. **_P_urpose specification**: users notified during collection, data used only for that purpose 4. ****_U_**se limitation**: use other than stated only by explicit agreement of user 5. ****_S_**ecurity safeguards**: put safeguards to protect loss, modification, damage 6. **_O_penness**: communicate standards, practices etc openly 7. **Individual **_p_**articipation**: user should know about data held by org and correct erroneous data 8. ****_A_**ccountability**: organizations should be accountable for complying

Question 48

What are the 7 Safe Harbor principles

Question 49

What is the Wassenar arrangement

Answer 49

implements export control for “conventional arms and dual use goods and technologies” . Cryptography falls under dual-use

Question 50

What are the main types of legal systems

Answer 50

1. Civil (code) Law System 2. Common Law System 3. Customary Law 4. Religious Law 5. Intellectual property law

Question 51

What are the major features of CIVIL (Code) LAW system

Answer 51

1. Most widespread 2. Based on rules instead of precedent 3. Used in continental Europe 4. Lower courts not compelled to follow higher courts decision

Question 52

What is common law system based on?

Answer 52

1. Precedent 2. Hierarchy of courts

Question 53

What are the subcomponents of common law system?

Answer 53

1. Criminal Law 2. Civil/Tort Law 3. Administrative (Regulatory Law)

Question 54

What is the difference between Criminal Law and Civil/Tort Law

Answer 54

1. guilty/not guilty :: liable/not liable 2. By government :: By private parties 3: for harm to society :: for damage to individual/frm

Question 55

What is the role of administrative law within the common law system

Answer 55

1. Address international trade / manufacturing 2. Deal with regulatory standards that regulate performance and conduct

Question 56

what are the components of intellectual property law?

Answer 56

**Trade Secret** o Proprietary to a company and important for its survival and profitability **Copyright** o Protects the form of expression than the subject itself o Computer programs can be protected as literary works **Trademark** o Used to protect a word, name, symbol, sound, shape, colour or combination **Patent** o Is the strongest form of intellectual property protection

Question 57

What is the use of Digital Millenium Copyright act?

Answer 57

criminalises production and dissemination of technology , devices or services that circumvent access control measures that are put into place to protect copyright material

Question 58

What are the drivers for privacy laws

Answer 58

- Data aggregation and retrieval happening more often - Cross border movement of data - convergent technologies

Question 59

Name well known privay laws

Answer 59

1. Federal Privacy Act 1974 2. FISMA 2002 3. Department of veterans affairs, infomration security protection 4. Health insurance portability and accountability 5. Health information technology for economic and clinical health (HITECH) 6. USA Patriot Act (eases restrictions of law enforcement to access privacy data)

Question 60

Name well known laws for financial protection

Answer 60

1. GLBA (financial services modernisation) 2. Personal information protection and electronic documents 3. PCI DSS 4. Economics espionage act 1996

Question 61

What does the Financial Services Modernisation Act (GLBA) include

Answer 61

1. **Financial Privacy Rule** (consumers should be informed about what is collected, who is it shared with, how is it protected and option to opt out of sharing it) 2. **Safeguards Rule** (should have written information security rule) 3. P**retexting protection** (Requires notification only if institution breached determines that the breached data has been or will be misused)

Question 62

What are the main requirements of PCI DSS

Answer 62

(12 main requirements broken into 6 categories) § Build and maintain a secure network and systems § Protect cardholder data § Maintain a vulnerability management program § Implement strong access control measures § Regularly monitor and test networks § Maintain an information security policy

Question 63

What is the use of Economics Espionage Act 1996

Answer 63

Protects corporations IP (rather than consumer privacy)

Question 64

What is US definition of PII

Answer 64

Combination of first and last name with any of the following ## Footnote - Social security number - Drivers license number - Credit or debit card number with security code or PIN

Question 65

Differentiate the role of Security Policy, Standards/guidlnes and Controls

Answer 65

**Security policy** – provides the foundation **Security procedures/standards/guidelines/baselines** – provides the framework **Security controls** (admin/physical/technical or Mgmt/opetations/technical) – used to fill in the framework to provide a full security program

Question 66

What are the Important characteristics of good security policy

Answer 66

Easy to understand Driven by business objectives Integrates security into all functions and processes Supports legislation Is a live document, reviewed, changed as needed Is forward looking Should be technology and solution independent

Question 67

Give examples of issue specific and system specific policies

Answer 67

Ex of issue specific policy could be email usage Ex of system specific policy is how a DB containing sensitive information should be protected

Question 68

What are the features of advisory policies?

Answer 68

1. Advises of acceptable behaviour 2. informs ramifications of non compliance

Question 69

Why is ISO 27001 considered a standard?

Answer 69

Because it was setup by a standards body

Question 70

Identify the 4 phases of risk management process

Answer 70

1. Identify the risk 2. Assess the risk 3. Reduce risk to acceptable level 4. Maintain risk at that level

Question 71

What are the three tiers of risk management defined by NIST SP 800-39

Answer 71

Organisation Tier Business Process Tier Information systems Tier

Question 72

List common and important concepts in risk management

Answer 72

Acceptable risk should be defined by senior management - Risk assessment procedures should be documented - Procedure for identifying risk - Procedure for mitigating risk - Financial support from senior management - Mapping of legal and regulations to controls - Metrics and performance indicators development

Question 73

What is threat modelling

Answer 73

process of describing feasible adverse effects on our assets caused by threat sources

Question 74

What is the difference between threat modelling and Risk assesment

Answer 74

Threat Modelling allows an organization to understand what is in the realm of probable not just possible

Question 75

What is the triad of threat model

Answer 75

The heart of a threat model is the triad of vulnerability, feasible attack, capable threat actor.

Question 76

What is the tool used in Threat modelling

Answer 76

Attack Tree Kill-chain/Attack-chain (specialised form of attack tree)

Question 77

What is the relationship between risk assesment and risk management

Answer 77

Risk assesment is a tool to perform risk management (it is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls)

Question 78

What is done after risk assement

Answer 78

Analysis of the results

Question 79

Why is risk analysis used?

Answer 79

To ensure that security is 1. cost effective 2. timely 3. relevant 4. responsive

Question 80

What are the 4 main goals of risk analysis

Answer 80

1. Identify assets and their value to the organization 2. Identify vulnerabilities and threats 3. Quantify the probability and business impact of these potential threats 4. Provide an economic balance between the threat and cost of countermeasure

Question 81

Put the following three in perspective Risk management Risk assesment Risk analysis

Answer 81

Risk management is overall thought/concept/process Risk assesment is a tool used for risk management (identify, threats , vulnerabilities and their impacts) Risk analysis is done after risk assesment and used to ensure that security is cost effective, timely, relevant and responsive

Question 82

List the common Risk Assesment guides/ methodologies

Answer 82

1. NIST SP 800-30 Rev 1 2. FRAP 3. OCTAVE 4. AS/NZS 4360 5. ISO/IEC 27005 6. FMEA 7. FAULT TREE ANALYSIS 8. CRAMM

Question 83

What are the steps in NIST SP 800-30 rev 1

Answer 83

a. Identify threat sources and events b. Identify vulnerabilities and predisposing conditions c. Determine likelihood of occurrence d. Determine magnitude of impact e. Determine risk f. Communicate results g. Maintain assesment

Question 84

What are the key elements of FRAP

Answer 84

FRAP = Facilitated Risk Analysis Process - is a qualitative process (not quantitative) - is dependent on experience of assesor - generally focussed on one service or application at a time

Question 85

What is OCTAVE

Answer 85

Operationally Critical Threat, Asset and Vulnerability evaluation

Question 86

what are the key features of OCTAVE

Answer 86

- self directed team approach through workshop - scope encompasses multiple systems and applications

Question 87

What are the key features of AS/NZS 4360

Answer 87

- Not focussed on security - focussed on health of company from business viewpoint - includes financial, human safety etc

Question 88

What is ISO/IEC 27005

Answer 88

- Carrying out risk management in the framework of overall ISMS - Deals with IT and other softer security issues (documentation/personnel/training etc)

Question 89

How does FMEA work

Answer 89

Failure - how things fail (not what) Effect analysis - (impact of failure) Most useful as a survey method to identify major failure modes in a system **NOT useful** for complex failure nodes across systems and subsystems

Question 90

What is CRAMM in reference to risk assesment

Answer 90

(Central computing and telecommunications agency risk analsyis and management method) Has questionnaires, formulas, dependency modeling etc all in automated format

Question 91

What tools to use when integrate risk assessment with overall ISO 27001 security program

Answer 91

ISO IEC 27005 OCTAVE

Question 92

What assesment tool is best for focussing on IT Security risks

Answer 92

NIST SP 800-30

Question 93

What risk assement tool to use if time and budget are limited

Answer 93

FRAP

Question 94

What risk assesment tools if detailed analysis is required

Answer 94

FMEA Faul-tree

Question 95

What is the formula used for quantitative risk analysis

Answer 95

EF = exposure factor (% off loss a **realised** threat can have) SLE = single loss expectancy AV = asset value ARO = annualised rate of occurence SLE = AV X EF ALE = SLE X ARO

Question 96

What is the formula for Cost/benefit calculation for a control

Answer 96

(ALE before implementing safeguard) – ( ALE after implementing safeguard) – (Annual cost of safeguard) = value of safeguard to the company

Question 97

What are the common **_Risk Management_** Frameworks?

Answer 97

NIST 800-37r1 (Specific to IT risks) ISO 31000-2009 (focus on uncertainty, is generic) ISACA Risk IT (bridge gap between IT and generic. also integrates with COBIT) COSO Enterprise Risk Management - Integrated framework (generic framework, superset of COSO IC Integrated framework)

Question 98

what are the 6 steps of NIST risk management framework

Answer 98

NIST Risk **_Management_** includes ## Footnote 1. Categorise information systems (identify systems, sub-systems and boundaries) 2. Select security controls _(**assessment, analysis**_, selection) 3. Implement security controls (documentation is a key part) 4. Assess security controls (determines whether controls are effective) 5. Authorise information systems (get approval to integrate IS into broader architecture) 6. Monitor security controls (ongoing effectiveness, changes to environment etc)

Question 99

formulat for total risk

Answer 99

total risk = threats X vulnerability X Asset value

Question 100

formulas for residual risk

Answer 100

total risk X control gaps = residual risk OR Total risk - countermeasures = residual risk these are not mathematical formulas , only representative

Question 101

Disaster recovery vs business continuity management

Answer 101

DR - minimise effects of disaster , more IT focusssed BC - longer outage, broader coverage

Question 102

What are the different standards addressing BCP

Answer 102

NIST SP 800-34 ISO IEC 27031:2011 (focussed on IT) ISO 22301:2012 , broader includes business (against which organisations seek certification) Business continuity institute Good practice guidelines (GPG)

Question 103

What are the 7 steps of NIST SP 800-34

Answer 103

1. Develop BCP policy 2. Conduct BIA (vuln,threat,impact,risk) 3. Identify _preventive_ controls 4. Create contingency strategies 5. Develop IT contingency plan 6. Plan testing, training and exercises 7. Plan maintenance

Question 104

Why is BCP required

Answer 104

to reduce financial loss by improving the companys ability to recover and restore operations. In case of NGOs/military/govt etc BCP is to ensure they can still carry out their critical tasks

Question 105

In BCP, what should be the risk mitigation measures be geared towards

Answer 105

It should be geared towards those things that might **_most rapidly_** disrupt critical business processes and commercial activities.

Question 106

what is the main goal of business continuity

Answer 106

Restore normal operations by spending least amount of money and resources

Question 107

What are the BCP project components?

Answer 107

BCP Coordinator BCP Committee (Biz, cxo, IT, security, PR, Legal) Contents of BCP Policy (scope, mission, statement, principles, guidelines, standards)

Question 108

What is Business Impact Analysis

Answer 108

It is a functional analysis that starts with collection of data across the organisation Upon completion of data collection phase, the BCP committee needs to conduct BIA to establish which processes , devices or operational activities are critical

Question 109

To what factors should the BCP committee map the identified threats?

Answer 109

a. Maximum tolerable downtime and disruption for services b. Operational disruption and productivity c. Financial considerations d. Regulatory responsibilities e. Reputation

Question 110

What should BCP related risk assesmente typically include

Answer 110

- Vulnerabilities for all of the organizations most time sensitive resources and activities - Threats and hazards to the organizations most urgent resources and activities - Single points of failure - Outsourced vendors - Skills related risks

Question 111

What is the formula for Risk in BCP

Answer 111

Risk = Threat X Impact X Probability

Question 112

What is a key factor in BIA

Answer 112

Time risk mitigation measures should be geared toward those things that might most rapidly disrupt critical business processes and commercial activities

Question 113

What are the steps involved in BIA in relation to BCP (**P**ost **G**raduate **C**ourse **R**equires **L**otof **V**ery **R**igorous **D**ocumentation)

Answer 113

1. Select individuals/**p**eople for interview 2. Create data **g**athering techniques 3. Identify company's **c**ritical business functions 4. Identify **r**esources these functions depend on 5. Calculate how **L**ong these functions can survive without these resources 6. Identify **v**ulnerabilities and threats to these functions 7. Calculate the **r**isk for each different business function 8. **D**ocument findings and report them to management

Question 114

What is the standard for business continuity management

Answer 114

ISO/IEC 22301

Question 115

NFPA business planning framework

Answer 115

1. Project Initiation and management (always first step is to do project management) 2. Risk evaluation and control (since this is Business planning framework, first risk needs to be evaluated) 3. Business impact analysis (once risk is evaluated, its business impact is to be analysed) 4. Develop Business continuity strategies (once business impact is known, Biz continuity strategy is to be developed) 5. Emergency response and operations 6. Business continuity plan development and implementation (actual implementation) 7. Awareness and Training programs (BCP wont work unless users are aware) 8. Maintaining and exercising BCP (document control, drills etc ie operations phase of BCP) 9. Public relations and crisis communications 10. Coordination with public authorities

Question 116

What is the NIST Cybersecurity framework split into

Answer 116

Functions Categories Sub Categories

Question 117

What is the difference betwneen NIST SP 800 37r1 NIST SP 800 30 NIST SP 800 53

Answer 117

NIST SP 800 37r1 : Risk Management framework NIST SP 800 30: Risk assement framework NIST SP 800 53 : Controls for IT Security

Question 118

What are the 5 functions in NIST Cybersecurity framework

Answer 118

Identify Protect Detect Respond Recover

Question 119

What are the categories within the Identify function of NIST CSF

Answer 119

Asset management Business environment Governance Risk assesment Risk management Supply chain risk management

Question 120

What are the categories within the Protect function of NIST CSF

Answer 120

Identity management and Access control Data security Protective technology Information protection processes and procedures Awareness training

Question 121

What are the categories within the DETECT function of NIST CSF

Answer 121

Detection Processes Anomalies and Events Security continuos monitoring

Question 122

What are the categories within the RESPOND function of NIST CSF

Answer 122

Analysis Mitigation Communication Improvement

Question 123

What are the categories within the RECOVER function of NIST CSF

Answer 123

Recovery planning Improvements Communications