Chapter 1 Security Governance Through Principles and Policies Flashcards

1
Q

What are the six goals for COBIT?

A

Provide stakeholder value

Have a holistic approach

Have a dynamic governance system

Governance distinct from management

Tailored to enterprise needs

An end-to-end governance system.

2
Q

What is ITIL?

A

A British government-crafted set of best practices for optimizing business growth, transformation, and change; often used as a starting point to craft a custom solution.

3
Q

What is a security policy?

A

A policy is a document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection. “Why do we do something?”

Organizational security policies focus on issues relevant to every aspect of an organization. Issue-specific security policies focus on a specific network service, department, function, or other aspect that does not apply to the whole organization. System-specific policies focus on individual systems.

4
Q

What is a security standard?

A

A standard defines compulsory requirements for the homogeneous use of hardware, software, technology, and security controls. In other words, “What should we be doing?”

5
Q

What is a security baseline?

A

Defines a minimum level of security that every system throughout the organization must meet. More operationally focused than a standard.

6
Q

What is a security guideline?

A

Recommendations for how standards and baselines are implemented. They are flexible, outline methodologies, and are not compulsory.

7
Q

What is a SOP?

A

A standard operating procedure should be a detailed, step-by-step how-to document that describes the exact actions necessary to implement a security mechanism. SOPs ensure the integrity of business processes. “How do we do something?”

8
Q

What is the STRIDE model?

A

Microsoft acronym for a threat model: Spoofing (an attack with the goal of gaining access through the use of a false identity), Tampering (any action resulting in unauthorized changes to data), Repudiation (the ability of an attacker to deny having performed an action), Information disclosure (revelation of private, confidential, or controlled information), DoS, and Elevation of privilege.

9
Q

What is the PASTA model?

A

Process for Attack Simulation and Threat Analysis.

–Stage 1: Definition of the Objectives (DO) for the analysis of risk
–Stage 2: Definition of the Technical Scope (DTS)
–Stage 3: Application Decomposition and Analysis (ADA)
–Stage 4: Threat Analysis (TA)
–Stage 5: Weakness and Vulnerability Analysis (WVA)
–Stage 6: Attack Modeling and Simulation (AMS)
–Stage 7: Risk Analysis and Management (RAM)

10
Q

What is the VAST model?

A

Visual, Agile, and Simple Threat. It integrates threat and risk management into an Agile environment.

11
Q

What are the elements of reduction analysis?

A

Also known as decomposing the application, system, or environment in order to gain a greater understanding of the product. Priority areas:

–Identify trust boundaries
–Data flows
–Input points
–Privileged operations
–Details about security stance and approach

You need to understand the system so you can figure out its vulnerabilities.

12
Q

What is the DREAD model?

A

Disaster, Reproducibility, Exploitability, Affected Users, and Discoverability rating.

–Damage potential: how severe would the damage be?
–Reproducibility: how complicated is it for attackers to reproduce the exploit?
–Exploitability: how hard is it to perform the attack?
–Affected users: what percentage of your users would be affected?
–Discoverability: how hard is it for an attacker to discover the weakness?
