Chapter 1: Security and Risk Management Flashcards
What is the CIA triad?
It’s an acronym that means confidentiality, integrity, and availability.
What does HVAC stand for?
Heating, ventilation, and air conditioning
What does availability protection ensure?
Availability protection ensures reliability and timely access to data and resources to authorized individuals.
What does integrity guarantee from a security point of view?
Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented.
What does confidentiality protection ensure?
Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.
Six examples of integrity protection
Hashing (data integrity)
Configuration management (system integrity)
Change control (process integrity)
Access control (physical and technical)
Software digital signing
Transmission cyclic redundancy check (CRC) functions
What is a Vulnerability?
A vulnerability is a weakness in a system that allows a threat source to compromise its security.
What is a Threat?
A threat is any potential danger that is associated with the exploitation of a vulnerability.
What is a Risk?
A risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact.
What is an Exposure?
An exposure is an instance of being exposed to losses.
What is an Administrative Control?
Commonly referred to as “soft controls”, like security documentation, risk management, personnel security, and training.
What is a Technical Control?
Also called logical controls, they are software or hardware components, as in firewalls, IDS, encryption, and identification and authentication mechanisms.
What is a Physical Control?
Items put into place to protect facilities, personnel, and resources, like security guards, locks, fencing, and lighting.
What is the functionality of a Preventive Control?
Intended to avoid an incident from occurring
What is the functionality of a Detective Control?
Helps identify an incident’s activities and potentially an intruder
What is the functionality of a Corrective Control?
Fixes components or systems after an incident has occurred
What is the functionality of a Deterrent Control?
Intended to discourage a potential attacker
What is the functionality of a Recovery Control?
Intended to bring the environment back to regular operations
What is the functionality of a Compensating Control?
Controls that provide an alternative measure of control
What type of control are administrative, physical, and technical controls?
They are preventive in nature.
Security Program Development
ISO/IEC 27000 series
Enterprise Architecture Development
Zachman Framework, TOGAF, DoDAF, MODAF and SABSA model
Security Controls Development
COBIT 5, NIST SP 800-53, and the COSO Internal Control—Integrated Framework
Process Management Development
ITIL, Six Sigma and Capability Maturity Model Integration (CMMI)
What did BS7799 Part 1 outline?
Control objectives and a range of controls that can be used to meet those objectives
What did BS7799 Part 2 outline?
How a security program (ISMS) can be set up and maintained
Why do companies seek ISO/IEC 27001?
It checks Information Security Management System (ISMS) requirements and attests to the organization’s compliance level.
What are the four architecture types that the TOGAF framework can develop?
Business architecture, Data architecture, Applications architecture and Technology architecture
What is the difference between an ISMS and an enterprise security architecture?
An ISMS outlines the controls that need to be put into place (risk management, vulnerability management, business continuity planning, data protection, auditing, configuration management, physical security, etc.) and provides direction on how those controls should be managed throughout their life cycle.
The enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment.
What does business enablement mean?
Business enablement means the core business processes are integrated into the security operating model: they are standards based and follow risk tolerance criteria.
It helps the business achieve its goals by adding the security controls needed to make them work securely.
What does process enhancement mean?
While business enablement means “we can do new stuff,” process enhancement means “we can do stuff better.”
What does security effectiveness mean?
It is a way to determine how well the current security solutions and the architecture as a whole are performing (using SLAs, metrics, ROI, etc.).
What is the difference between enterprise and system architectures?
An enterprise architecture addresses the structure of an organization. A system architecture addresses the structure of software and computing components.
What are COBIT’s five key principles?
Meeting stakeholder needs
Covering the enterprise end to end
Applying a single integrated framework
Enabling a holistic approach
Separating governance from management
What is the difference between COSO IC and COBIT?
COSO IC deals more at the strategic level, while COBIT focuses more at the operational level
What is the difference between polymorphic and metamorphic malware?
A polymorphic virus decrypts its code, runs that code, and then, when propagating itself, encrypts the decrypted code with a different key. A metamorphic virus simply runs its code and then, when propagating itself, mutates its code into different but functionally identical code.
What is a data subject?
The individual to whom the data pertains.
What is a data controller?
Any organization that collects data on EU residents.
What is a data processor?
Any organization that processes data for a data controller.
When is criminal law used?
Criminal law is used when an individual’s conduct violates government laws, which have been developed to protect the public.
Jail sentences are commonly the punishment.
What do administrative/regulatory laws deal with?
Administrative/regulatory law deals with regulatory standards that regulate performance and conduct.
What are the two types of Intellectual Property?
Industrial property—such as inventions (patents), industrial designs, and trademarks—and copyrighted property, which covers things like literary and artistic works.
What does trade secret law protect?
Trade secret law protects certain types of information or resources from unauthorized use or disclosure.
A trade secret is something that is proprietary to a company and important for its survival and profitability.
What does copyright law protect?
Copyright law protects the right of the creator of an original work to control the public distribution, reproduction, display, and adaptation of that original work.
What does trademark law protect?
A trademark is used to protect a word, name, symbol, sound, shape, color, or combination of these.
What is a patent?
Patents are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent.
What is a privacy horizontal approach?
Rules that stretch across all industry boundaries
What is a privacy vertical approach?
Defines requirements for specific verticals, such as the financial sector and health care
What is PII?
Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
What is privacy?
Privacy is an individual’s right to determine what data they would like others to know about themselves, which people are permitted to know that data, and when those people can access it.
Federal Privacy Act of 1974
Agencies can gather information about individuals, but it must be relevant and necessary to the agency’s official functions. In addition, an agency cannot share people’s private information. If it does, private citizens have the right to sue that agency to protect their privacy.
The Federal Information Security Management Act (FISMA)
FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency’s information security program and report the results to the Office of Management and Budget (OMB).
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA outlines how security should be managed for any facility that creates, accesses, shares, or destroys medical information.
What does REP stand for?
Reasonable Expectation of Privacy
Ways to deal with privacy
- Laws on government: FPA, VA ISA, USA PATRIOT
- Laws on corporations: HIPAA, HITECH, GLBA, PIPEDA
- Self-regulation: PCI DSS
- Individual user: passwords, encryption, awareness
What are the three policy types?
The organizational security policy provides scope and direction for all future security activities within the organization
An issue-specific policy, also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, and applications.
What is the difference between strategic and tactical goals?
A strategic goal can be viewed as the ultimate endpoint, while tactical goals are the steps necessary to achieve it.
What is the difference between security policies, standards, procedures, baselines, and guidelines?
Security policy - An overall general statement produced by senior management that dictates what role security plays within the organization.
Standard - Refers to mandatory activities, actions, or rules.
Procedure - Detailed step-by-step tasks that should be performed to achieve a certain goal.
Baseline - Refers to a point in time that is used as a comparison for future changes.
Guideline - Recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply.
What is risk?
Risk is the probability of a threat agent exploiting a vulnerability to cause harm to an asset resulting in a business impact.
Types of risk (mnemonic: PHEIMiLoA)
- Physical damage
- Human interaction
- Equipment malfunction
- Inside and outside attacks
- Misuse of data
- Loss of data
- Application error
What is the purpose of NIST 800-53?
Security and Privacy
What is the purpose of NIST 800-39?
Risk
- Organizational tier
- Business process tier
- Information systems tier
What is a Threat?
Potential cause of an unwanted incident, which may result in harm to a system or organization.
What is the difference between risk assessment and risk analysis?
Risk assessment is a broader effort, which is reinforced by specific risk analysis tasks as needed.
Questions to evaluate a risk
What event could occur (threat event)?
What could be the potential impact (risk)?
How often could it happen (frequency)?
What level of confidence do we have in the answers to the first three questions (certainty)?
What is the focus area of NIST SP 800-30?
Risk assessments
What is FRAP?
Facilitated Risk Analysis Process is a qualitative methodology focused only on the systems that really need assessing, to reduce costs and time obligations.
What is OCTAVE?
Operationally Critical Threat, Asset, and Vulnerability Evaluation is a methodology that is intended to be used in situations where people manage and direct the risk evaluation for information security within their company
What is the focus of AS/NZS ISO 31000?
This risk methodology is more focused on the health of a company from a business point of view, not security.
What is FMEA?
Failure Modes and Effect Analysis is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
What is the difference between Risk Assessment and Risk Analysis?
Risk assessment is used to gather data. A risk analysis examines the gathered data to produce results that can be acted upon.
What does SLE stand for?
Single loss expectancy (SLE)
Asset Value × Exposure Factor (EF) = SLE
What does ALE stand for?
Annual loss expectancy (ALE)
SLE × Annualized Rate of Occurrence (ARO) = ALE
What is the goal of NIST SP 800-161?
Supply Chain Risk Management Practices for Federal Information Systems and Organizations
What does RMF stand for?
Risk Management Framework
What does TTP stand for?
Tactics, techniques, and procedures
What is the difference between Disaster Recovery, Business Continuity Plan and Business Continuity Management?
Disaster recovery aims to minimize the effects of a disaster or disruption.
Business continuity plan provides methods and procedures for dealing with longer-term outages and disasters.
Business continuity management is the holistic management process that should cover both of them.
What are the three pillars of BCM?
Availability, Reliability and Recoverability
What does NIST SP 800-34 cover?
Contingency Planning Guide for Federal Information Systems
What does MDT stand for?
Maximum Downtime Tolerable
Who should be part of the BCP committee?
Business units, Senior management, IT department, Security department, Communications department, Legal department
What does SWOT stand for?
Strengths/Weaknesses (internal)
Opportunities/Threats (external)
What is due diligence?
Do everything in our power to prevent something bad from happening.
What is due care?
Taking the precautions that a reasonable and competent person would take in the same situation.
Which threats should the BCP identify?
Maximum tolerable downtime and disruption for activities
Operational disruption and productivity
Financial considerations
Regulatory responsibilities
Reputation
What is the equation of Risk?
Risk = Threat × Impact × Probability
Time can also be added as a factor.
What can be a threat?
Threats can be manmade, natural, or technical
What does MPTD stand for?
Maximum Period Time of Disruption
What is RFC 1087 called?
Ethics and the Internet
This RFC outlines the concepts pertaining to what the IAB considers unethical and unacceptable behavior.