Chapter 1 Flashcards

1
Q

Name 5 architecture frameworks

A
  1. Zachman (what/where/when/who in columns and system architects, business managers etc. in rows)
  2. TOGAF - views of business, application, technology, data
  3. DoDAF - systems, processes, personnel in a concerted manner
  4. MoDAF - data in the right format to the right people
  5. SABSA - assets, motivation, people, process, location and time in columns (similar to Zachman)
2
Q

For an enterprise security architecture to be successful in development and implementation, what is required?

A
  1. Strategic alignment
  2. Business enablement
  3. Process enhancement
  4. Security effectiveness
3
Q

What are the principles that COBIT is based on

A
  1. End to end enterprise coverage
  2. Single integrated framework
  3. Holistic approach
  4. Separating governance from management
4
Q

How many goals does COBIT have

A

17 enterprise goals

17 IT related goals

5
Q

What does COBIT ask?

A

Simple question – “Why are we doing this”. This should lead to an IT Goal that is tied to an enterprise goal that is tied to a stakeholder need

6
Q

What is the misconception with COBIT

A

It is a misconception that COBIT is purely security focussed

7
Q

What does NIST 800-53 provide

A

Security and Privacy controls for federal information systems and organisation

8
Q

How many control categories does NIST have

A

18 control categories, categorised into (MOT): Management, Operational and Technical

9
Q

How is COSO - IC Integrated Framework majorly different?

A

It works at strategic level instead of IT

Deals with fraud through corporate governance

10
Q

How many and what are the control principles in COSO IC Integrated Framework?

A

17 internal control principles, grouped into 5 components

  1. Control environment
  2. Risk Assessment
  3. Control Activities
  4. Information and communication
  5. Monitoring activities
11
Q

SOX is based on which security controls framework

A

COSO IC Integrated framework

12
Q

What is the difference between NIST 800-53/COBIT etc and Zachmann/SABSA

A

The former are security controls, the latter are enterprise architectures

13
Q

CMMI Level 0

A

Non-existent management

14
Q

CMMI Level 1

A

Unpredictable processes

15
Q

CMMI Level 2

A

Repeatable processes

16
Q

CMMI Level 3

A

Defined processes

17
Q

CMMI Level 4

A

Managed Processes

18
Q

CMMI Level 5

A

Optimised processes

19
Q

ISO 27001

A

ISMS requirements

20
Q

27002

A

Code of practice for information security management

21
Q

27003

A

ISMS implementation

22
Q

27004

A

ISMS measurement

23
Q

27005

A

Risk Management

24
Q

27006

A

Certification body requirements

25
27007
ISMS auditing
26
27008
Guidance for auditors
27
27011
Telecommunications organization
28
27014
Information security governance
29
27015
Financial sector
30
27031
Business continuity
31
ISO 27016 to 27030
No Standard
32
ISO 27032
Cybersecurity
33
ISO 27033
Network security
34
ISO 27034
Application Security
35
ISO 27035
Incident management
36
ISO 27037
Digital evidence collection and preservation
37
ISO 27099
Health organizations
38
What is the difference between ISO 27001 and enterprise security frameworks?
ISO 27001 is general in nature. It can be difficult to know how to implement it in the specific environment of a company; that is where the enterprise security architecture comes into play.
39
How are security controls categorised in enterprises
APT: Administrative, Physical, Technical
40
How are security controls categorised in government
MOT: Management, Operational, Technical
41
Describe the frameworks, controls standards in the analogy of a house
  1. ISO/IEC 27001 - policy level (description of the house)
  2. Security enterprise framework - architecture level (architecture of the house)
  3. Blueprints - detailed descriptions, e.g. window types
  4. Control objectives - building specification codes
42
Define Risk
Likelihood of threat source exploiting vulnerability and its business impact
43
What are the 6 functionalities that Controls provide
Detective, Preventive, Corrective, Deterrent, Recovery, Compensating
44
Which is better between detective, corrective and preventive?
Most productive to use a preventive model followed by detective, corrective and recovery (stop any trouble before it starts, but be able to react and combat it if it does happen). If a detective control identifies something, that means the preventive control failed; hence a corrective control is necessary to ensure that next time it is prevented.
45
How to map functionality to a control?
Try to think of the MAIN reason why the control was put in place. E.g. a firewall was put in place to prevent an intruder; auditing of logs is post facto, so it is detective; backup helps to restore data, hence it is recovery; computer images can be reloaded in case of corruption, hence corrective.
46
Why is a compensating control required
It is either affordable or allows specifically required business functionality.
47
What are the 8 OECD principles for privacy protection and transborder flow of data (**Q**uality **C**leaning of **P**ersonal **U**nderwear using **SOAP**)
  1. **Collection limitation principle**: limited collection, by lawful means, with the knowledge of the user
  2. **Data quality principle**: data is complete, current and relevant
  3. **Purpose specification**: users notified during collection; data used only for that purpose
  4. **Use limitation**: use other than stated only by explicit agreement of the user
  5. **Security safeguards**: put safeguards in place to protect against loss, modification, damage
  6. **Openness**: communicate standards, practices etc. openly
  7. **Individual participation**: the user should know about data held by the organisation and be able to correct erroneous data
  8. **Accountability**: organisations should be accountable for complying
48
What are the 7 Safe Harbor principles
49
What is the Wassenaar Arrangement
Implements export control for “conventional arms and dual-use goods and technologies”. Cryptography falls under dual-use.
50
What are the main types of legal systems
  1. Civil (code) law system
  2. Common law system
  3. Customary law
  4. Religious law
  5. Intellectual property law
51
What are the major features of CIVIL (Code) LAW system
  1. Most widespread
  2. Based on rules instead of precedent
  3. Used in continental Europe
  4. Lower courts not compelled to follow higher courts' decisions
52
What is common law system based on?
  1. Precedent
  2. Hierarchy of courts
53
What are the subcomponents of common law system?
  1. Criminal law
  2. Civil/tort law
  3. Administrative (regulatory) law
54
What is the difference between Criminal Law and Civil/Tort Law
  1. Guilty/not guilty :: liable/not liable
  2. By government :: by private parties
  3. For harm to society :: for damage to an individual/firm
55
What is the role of administrative law within the common law system
  1. Addresses international trade / manufacturing
  2. Deals with regulatory standards that regulate performance and conduct
56
what are the components of intellectual property law?
**Trade secret**
- Proprietary to a company and important for its survival and profitability
**Copyright**
- Protects the form of expression rather than the subject itself
- Computer programs can be protected as literary works
**Trademark**
- Used to protect a word, name, symbol, sound, shape, colour or combination
**Patent**
- Is the strongest form of intellectual property protection
57
What is the use of the Digital Millennium Copyright Act?
Criminalises the production and dissemination of technology, devices or services that circumvent access control measures put in place to protect copyrighted material
58
What are the drivers for privacy laws
- Data aggregation and retrieval happening more often
- Cross-border movement of data
- Convergent technologies
59
Name well-known privacy laws
  1. Federal Privacy Act 1974
  2. FISMA 2002
  3. Department of Veterans Affairs Information Security Protection
  4. Health Insurance Portability and Accountability
  5. Health Information Technology for Economic and Clinical Health (HITECH)
  6. USA PATRIOT Act (eases restrictions on law enforcement to access private data)
60
Name well known laws for financial protection
  1. GLBA (Financial Services Modernisation)
  2. Personal Information Protection and Electronic Documents
  3. PCI DSS
  4. Economic Espionage Act 1996
61
What does the Financial Services Modernisation Act (GLBA) include
  1. **Financial Privacy Rule** (consumers should be informed about what is collected, who it is shared with, how it is protected, and given the option to opt out of sharing it)
  2. **Safeguards Rule** (should have a written information security rule)
  3. **Pretexting protection** (requires notification only if the breached institution determines that the breached data has been or will be misused)
62
What are the main requirements of PCI DSS
(12 main requirements broken into 6 categories)
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
63
What is the use of the Economic Espionage Act 1996
Protects corporations' IP (rather than consumer privacy)
64
What is the US definition of PII
A combination of first and last name with any of the following:
- Social security number
- Driver's license number
- Credit or debit card number with security code or PIN
65
Differentiate the roles of security policy, standards/guidelines and controls
- **Security policy** – provides the foundation
- **Security procedures/standards/guidelines/baselines** – provide the framework
- **Security controls** (admin/physical/technical or management/operations/technical) – used to fill in the framework to provide a full security program
66
What are the Important characteristics of good security policy
- Easy to understand
- Driven by business objectives
- Integrates security into all functions and processes
- Supports legislation
- Is a live document, reviewed and changed as needed
- Is forward looking
- Should be technology and solution independent
67
Give examples of issue specific and system specific policies
An example of an issue-specific policy could be email usage. An example of a system-specific policy is how a DB containing sensitive information should be protected.
68
What are the features of advisory policies?
  1. Advises of acceptable behaviour
  2. Informs of the ramifications of non-compliance
69
Why is ISO 27001 considered a standard?
Because it was set up by a standards body
70
Identify the 4 phases of risk management process
  1. Identify the risk
  2. Assess the risk
  3. Reduce risk to an acceptable level
  4. Maintain risk at that level
71
What are the three tiers of risk management defined by NIST SP 800-39
Organisation tier, Business process tier, Information systems tier
72
List common and important concepts in risk management
- Acceptable risk should be defined by senior management
- Risk assessment procedures should be documented
- Procedure for identifying risk
- Procedure for mitigating risk
- Financial support from senior management
- Mapping of laws and regulations to controls
- Metrics and performance indicators development
73
What is threat modelling
process of describing feasible adverse effects on our assets caused by threat sources
74
What is the difference between threat modelling and risk assessment
Threat modelling allows an organization to understand what is in the realm of the probable, not just the possible
75
What is the triad of threat model
The heart of a threat model is the triad of vulnerability, feasible attack, capable threat actor.
76
What is the tool used in Threat modelling
Attack tree; Kill-chain/Attack-chain (a specialised form of attack tree)
77
What is the relationship between risk assessment and risk management
Risk assessment is a tool to perform risk management (it is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls)
78
What is done after risk assessment
Analysis of the results
79
Why is risk analysis used?
To ensure that security is:
  1. Cost effective
  2. Timely
  3. Relevant
  4. Responsive
80
What are the 4 main goals of risk analysis
  1. Identify assets and their value to the organization
  2. Identify vulnerabilities and threats
  3. Quantify the probability and business impact of these potential threats
  4. Provide an economic balance between the threat and the cost of the countermeasure
81
Put the following three in perspective: Risk management, Risk assessment, Risk analysis
- Risk management is the overall thought/concept/process
- Risk assessment is a tool used for risk management (identify threats, vulnerabilities and their impacts)
- Risk analysis is done after risk assessment and is used to ensure that security is cost effective, timely, relevant and responsive
82
List the common risk assessment guides/methodologies
  1. NIST SP 800-30 Rev 1
  2. FRAP
  3. OCTAVE
  4. AS/NZS 4360
  5. ISO/IEC 27005
  6. FMEA
  7. Fault tree analysis
  8. CRAMM
83
What are the steps in NIST SP 800-30 Rev 1
  a. Identify threat sources and events
  b. Identify vulnerabilities and predisposing conditions
  c. Determine likelihood of occurrence
  d. Determine magnitude of impact
  e. Determine risk
  f. Communicate results
  g. Maintain assessment
84
What are the key elements of FRAP
FRAP = Facilitated Risk Analysis Process
- Is a qualitative process (not quantitative)
- Is dependent on the experience of the assessor
- Generally focussed on one service or application at a time
85
What is OCTAVE
Operationally Critical Threat, Asset and Vulnerability evaluation
86
what are the key features of OCTAVE
- Self-directed team approach through workshops
- Scope encompasses multiple systems and applications
87
What are the key features of AS/NZS 4360
- Not focussed on security
- Focussed on the health of the company from a business viewpoint
- Includes financial, human safety etc.
88
What is ISO/IEC 27005
- Carrying out risk management in the framework of the overall ISMS
- Deals with IT and other softer security issues (documentation/personnel/training etc.)
89
How does FMEA work
Failure - how things fail (not what)
Effect analysis - the impact of the failure
Most useful as a survey method to identify major failure modes in a system. **NOT useful** for complex failure modes across systems and subsystems.
90
What is CRAMM in reference to risk assessment
(Central Computing and Telecommunications Agency Risk Analysis and Management Method) Has questionnaires, formulas, dependency modelling etc., all in automated format
91
What tools to use when integrating risk assessment with an overall ISO 27001 security program
ISO/IEC 27005, OCTAVE
92
What assessment tool is best for focussing on IT security risks
NIST SP 800-30
93
What risk assessment tool to use if time and budget are limited
FRAP
94
What risk assessment tools to use if detailed analysis is required
FMEA, Fault tree
95
What are the formulas used for quantitative risk analysis
EF = exposure factor (% of loss a **realised** threat can have)
SLE = single loss expectancy
AV = asset value
ARO = annualised rate of occurrence
SLE = AV x EF
ALE = SLE x ARO
96
What is the formula for Cost/benefit calculation for a control
(ALE before implementing safeguard) – ( ALE after implementing safeguard) – (Annual cost of safeguard) = value of safeguard to the company
97
What are the common **_Risk Management_** Frameworks?
- NIST 800-37r1 (specific to IT risks)
- ISO 31000:2009 (focus on uncertainty; is generic)
- ISACA Risk IT (bridges the gap between IT and generic; also integrates with COBIT)
- COSO Enterprise Risk Management - Integrated Framework (generic framework, superset of the COSO IC Integrated Framework)
98
what are the 6 steps of NIST risk management framework
NIST Risk **_Management_** includes:
  1. Categorise information systems (identify systems, sub-systems and boundaries)
  2. Select security controls (**_assessment, analysis_**, selection)
  3. Implement security controls (documentation is a key part)
  4. Assess security controls (determines whether controls are effective)
  5. Authorise information systems (get approval to integrate the IS into the broader architecture)
  6. Monitor security controls (ongoing effectiveness, changes to the environment etc.)
99
Formula for total risk
Total risk = Threats x Vulnerability x Asset value
100
Formulas for residual risk
Total risk x Control gaps = Residual risk
OR
Total risk - Countermeasures = Residual risk
(These are not mathematical formulas, only representative.)
101
Disaster recovery vs business continuity management
DR - minimise the effects of a disaster; more IT focussed. BC - longer outages, broader coverage.
102
What are the different standards addressing BCP
- NIST SP 800-34
- ISO/IEC 27031:2011 (focussed on IT)
- ISO 22301:2012 (broader, includes business; the standard against which organisations seek certification)
- Business Continuity Institute Good Practice Guidelines (GPG)
103
What are the 7 steps of NIST SP 800-34
  1. Develop BCP policy
  2. Conduct BIA (vulnerability, threat, impact, risk)
  3. Identify _preventive_ controls
  4. Create contingency strategies
  5. Develop IT contingency plan
  6. Plan testing, training and exercises
  7. Plan maintenance
104
Why is BCP required
To reduce financial loss by improving the company's ability to recover and restore operations. In the case of NGOs/military/government etc., BCP is to ensure they can still carry out their critical tasks.
105
In BCP, what should the risk mitigation measures be geared towards?
It should be geared towards those things that might **_most rapidly_** disrupt critical business processes and commercial activities.
106
what is the main goal of business continuity
Restore normal operations by spending least amount of money and resources
107
What are the BCP project components?
- BCP coordinator
- BCP committee (business, CxO, IT, security, PR, legal)
- Contents of BCP policy (scope, mission statement, principles, guidelines, standards)
108
What is Business Impact Analysis
It is a functional analysis that starts with the collection of data across the organisation. Upon completion of the data collection phase, the BCP committee needs to conduct the BIA to establish which processes, devices or operational activities are critical.
109
To what factors should the BCP committee map the identified threats?
  a. Maximum tolerable downtime and disruption for services
  b. Operational disruption and productivity
  c. Financial considerations
  d. Regulatory responsibilities
  e. Reputation
110
What should a BCP-related risk assessment typically include
- Vulnerabilities for all of the organization's most time-sensitive resources and activities
- Threats and hazards to the organization's most urgent resources and activities
- Single points of failure
- Outsourced vendors
- Skills-related risks
111
What is the formula for Risk in BCP
Risk = Threat X Impact X Probability
112
What is a key factor in BIA
Time. Risk mitigation measures should be geared toward those things that might most rapidly disrupt critical business processes and commercial activities.
113
What are the steps involved in BIA in relation to BCP (**P**ost **G**raduate **C**ourse **R**equires **L**ot of **V**ery **R**igorous **D**ocumentation)
  1. Select individuals/**p**eople for interview
  2. Create data **g**athering techniques
  3. Identify the company's **c**ritical business functions
  4. Identify the **r**esources these functions depend on
  5. Calculate how **l**ong these functions can survive without these resources
  6. Identify **v**ulnerabilities and threats to these functions
  7. Calculate the **r**isk for each different business function
  8. **D**ocument findings and report them to management
114
What is the standard for business continuity management
ISO/IEC 22301
115
NFPA business planning framework
  1. Project initiation and management (the first step is always to do project management)
  2. Risk evaluation and control (since this is a business planning framework, risk needs to be evaluated first)
  3. Business impact analysis (once risk is evaluated, its business impact is to be analysed)
  4. Develop business continuity strategies (once business impact is known, the business continuity strategy is to be developed)
  5. Emergency response and operations
  6. Business continuity plan development and implementation (actual implementation)
  7. Awareness and training programs (BCP won't work unless users are aware)
  8. Maintaining and exercising BCP (document control, drills etc., i.e. the operations phase of BCP)
  9. Public relations and crisis communications
  10. Coordination with public authorities
116
What is the NIST Cybersecurity framework split into
Functions, Categories, Subcategories
117
What is the difference between NIST SP 800-37r1, NIST SP 800-30 and NIST SP 800-53
NIST SP 800-37r1: Risk management framework
NIST SP 800-30: Risk assessment framework
NIST SP 800-53: Controls for IT security
118
What are the 5 functions in NIST Cybersecurity framework
Identify, Protect, Detect, Respond, Recover
119
What are the categories within the Identify function of NIST CSF
Asset management, Business environment, Governance, Risk assessment, Risk management, Supply chain risk management
120
What are the categories within the Protect function of NIST CSF
Identity management and access control, Data security, Protective technology, Information protection processes and procedures, Awareness training
121
What are the categories within the DETECT function of NIST CSF
Detection processes, Anomalies and events, Security continuous monitoring
122
What are the categories within the RESPOND function of NIST CSF
Analysis, Mitigation, Communication, Improvement
123
What are the categories within the RECOVER function of NIST CSF
Recovery planning, Improvements, Communications