Chapter 1: Managing Risk Flashcards
Three types of threats
Environmental
Manmade
Internal vs external
Environmental threat
Describe!
Threats caused by the environment (e.g. fire, flood, lightning)
Manmade threats
Threats caused by people (e.g. hackers, viruses)
Internal threat
Threat by personnel within the company
External threat
Threat by personnel outside the company
Risk register
Scatter plot of possible problem areas
Vulnerability
Weakness that could be exploited by a threat
Risk assessment process
Risks to the organization
Risks worth addressing
Coordination with business impact analysis
ALE
Annual loss expectancy: monetary measure of expected loss per year
BIA
Business impact analysis
SLE
Single loss expectancy: monetary measure of expected loss from a single occurrence of an event
AV
Asset value
EF
Exposure factor: percentage of item threatened
Single loss expectancy can be broken down into:
Asset value and exposure factor (SLE = AV x EF)
ARO
Annualized rate of occurrence: likelihood of an event occurring within a year
Risk assessment formula
SLE x ARO = ALE
NIST
National Institute of Standards and Technology
Appendix G of NIST pub 800-30
Assessment scale for likelihood of threat event initiation
NIST pub 800-30 assessment scale (qualitative value, semi-quantitative value, and description)
Very high (10): adversary is almost certain to initiate threat event
High (8): adversary is highly likely to initiate threat event
Moderate (5): adversary is somewhat likely to initiate threat event
Low (2): adversary is unlikely to initiate threat event
Very low (0): adversary is highly unlikely to initiate threat event
Supply chain assessment
Used to look at vendors your organization works with strategically and the potential risks they introduce
Threat vectors
The way in which an attacker poses a threat
MTBF
Mean time between failures
The measure of the anticipated incidence of failure for a system or component
MTTF
Mean time to failure
The average amount of time to failure for a non-repairable system
MTTR
Mean time to restore
The measurement of how long it takes to repair a system or component once failure occurs
RTO
Recovery time objective
Maximum amount of time that a process or service is allowed to be down while the consequences are still considered acceptable
RPO
Recovery point objective
Defines the point at which the system needs to be restored
PIA
Privacy impact assessment
Identifies the adverse impacts that can be associated with the destruction, corruption, or loss of accountability of data for the organization; used in conjunction with a business impact analysis
PTA
Privacy threshold assessment
The compliance tool used in conjunction with the privacy impact assessment
Types of testing that can help identify risks
Penetration testing
Vulnerability testing
7 Key measures to prevent unanticipated threats
Likelihood
Threat vector
Mean time between failures
Mean time to failure
Mean time to restore
Recovery time objective
Recovery point objective
Four possible responses to a risk once identified
Risk avoidance
Risk transference
Risk mitigation
Risk acceptance
Risk avoidance
Identifying a risk and making the decision not to engage any longer in the actions associated with that risk
Risk transference
Share some of the burden of the risk with someone else
Risk mitigation
Taking steps to reduce the risk
Risk acceptance
The choice that you make when the cost of implementing any of the other responses exceeds the value of the harm that would occur if the risk came to fruition
DLP
Data loss prevention
Monitors the contents of systems to make sure that key content is not deleted or removed; also monitors the usage and transmission of data
Three ways to implement cloud computing
Platform as a service
Software as a service
Infrastructure as a service
PaaS
Platform as a service or cloud platform services
Vendors allow apps to be created and run on their infrastructure
SaaS
Software as a service
Applications are run remotely over the web
IaaS
Infrastructure as a service
Utilizes virtualization and clients pay a cloud service provider for resources used
3 Risk related issues associated with cloud computing
Regulatory compliance
User privileges
Data integration/segregation
2 risks associated with virtualization
Breaking out of the virtual machine
Intermingling network and security controls
Policies
Provide the people in the organization with guidance about their expected behavior
5 key areas of a good policy
Scope statement
Policy overview statement
Policy statement
Accountability statement
Exception statement
Scope statement
Outlines what the policy intends to accomplish and which documents, laws, and practices the policy addresses
Policy overview statement
Provides the goal of the policy, why it is important, and why to comply with it
Policy statement
Substance of the policy
Accountability statement
Should address who is responsible for ensuring that the policy is enforced
Exception statement
Provides specific guidance about the procedure or process that must be followed in order to deviate from the policy
Standard
Deals with the specific issues or aspects of the business
Five key aspects of standards documents
Scope and purpose
Roles and responsibilities
Reference documents
Performance criteria
Maintenance and administrative requirements
Scope and purpose
Should explain or describe the intention
Roles and responsibilities
Outlines who is responsible for implementing, monitoring, and maintaining the standard
Reference documents
Explains how the standard relates to the organization's different policies, thereby connecting the standard to the underlying policies that have been put in place
Performance criteria
Outlines how to accomplish the task
Maintenance and administrative requirements
Outlines what is required to manage and administer the systems or networks
Audit
Evaluation of requirements
Guidelines
Help an organization implement or maintain standards by providing information on how to accomplish the policies and standards
Four minimum contents of a good guideline document
Scope and purpose
Roles and responsibilities
Guideline statement
Operational considerations
Scope and purpose of the guideline document
Provides an overview and statement of the guideline's intent
Roles and responsibilities
Identifies which individuals or departments are responsible for accomplishing specific tasks
Guidelines statement
Provides the step-by-step instructions or procedures for accomplishing a task in a specific manner
Operational considerations
Specifies and identifies which duties are required and at what intervals
BPAs
Business partner agreement
Outline responsibilities and obligations between business partners
MOU and MOA
Memorandum of understanding and memorandum of agreement
Define the terms and conditions for securely sharing data and information resources
ISA
Interconnection security agreement
Documents the technical and security requirements for establishing, operating, and maintaining the interconnection
Personnel policies
Mandatory vacations
Job rotation
Separation of duties
Clean desk
Background checks
Nondisclosure agreements
Onboarding
Continuing education
Exit interviews
Role-based training
Acceptable use policies (AUP)
Adverse actions
General security policies
Three control types
Management
Operational
Technical
Management controls
Risk assessment
Planning
System and services acquisition
Certification, accreditation, and security assessment
Operational controls
Personnel security
Physical and environmental protection
Contingency planning
Configuration management
Maintenance
System and information integrity
Media protection
Incident response
Awareness and training
Technical controls
Identification and authentication
Access control
Audit and accountability
System and communication protection
BIA
Business impact analysis
The process of evaluating all of the critical systems in an organization to define impact and recovery plans
Four key components of a business impact analysis
Identifying critical functions
Prioritizing critical functions
Calculating a timeframe for critical systems loss
Estimating the tangible and intangible impact
Possible plans to prepare for emergency
Automation/scripting
Frameworks and templates
Master image
Non-persistence
Elasticity
Scalability
Distributive allocation
High availability
Planning for resiliency
Redundancy
Fault tolerance
RAID
Non-persistent image
Image that exists only in random access memory, or whose changes are overwritten on a reboot by a persistent or frozen image
Elasticity
The ability to scale up resources as needed
Distributive allocation
Load balancing
HA
High availability
The measures, such as redundancy, failover, and mirroring, used to keep services and systems operational during an outage