Chapter 1 Security Governance Through Principles and Policies Flashcards
What are the six goals for COBIT?
Provide stakeholder value
Have a holistic approach
Have a dynamic governance system
Governance distinct from management
Tailored to enterprise needs
An end-to-end governance system.
What is ITIL?
Originally crafted by the British government, now an international standard: a set of recommended best practices for optimizing IT services so they support business growth, transformation, and change. Often used as a starting point for crafting a custom solution.
What is a security policy?
A policy is a document that defines the scope of security needed by the organization, discusses the assets that require protection, and states the extent to which security solutions should go to provide the necessary protection. It answers "Why do we do something?"
Organizational security policies focus on issues relevant to every aspect of an organization. Issue-specific security policies focus on a specific network service, department, function, or other aspect that does not apply to the whole organization. System-specific policies focus on individual systems.
What is a security standard?
A standard defines compulsory requirements for the homogeneous use of hardware, software, technology, and security controls. It answers "What should we be doing?"
What is a security baseline?
Defines a minimum level of security that every system throughout the organization must meet. More operationally focused than a standard.
What is a security guideline?
Recommendations for how standards and baselines are implemented. They are flexible, outline methodologies, and are not compulsory.
What is a SOP?
A standard operating procedure is a detailed, step-by-step how-to document that describes the exact actions necessary to implement a security mechanism. Procedures ensure the integrity of business processes. They answer "How do we do something?"
What is the STRIDE model?
A Microsoft threat-categorization model; the acronym names six threat categories:
–Spoofing: an attack with the goal of gaining access through the use of a false identity
–Tampering: any action resulting in unauthorized changes to data
–Repudiation: the ability of an attacker to deny having performed an action
–Information disclosure: the revelation of private, confidential, or controlled information
–Denial of service (DoS): preventing authorized use of a resource
–Elevation of privilege: an attack gaining a higher level of access than it was granted
What is the PASTA model?
Process for Attack Simulation and Threat Analysis, a seven-stage risk-centric threat model:
–Stage 1: Definition of the Objectives (DO) for the analysis of risk
–Stage 2: Definition of the Technical Scope (DTS)
–Stage 3: Application Decomposition and Analysis (ADA)
–Stage 4: Threat Analysis (TA)
–Stage 5: Weakness and Vulnerability Analysis (WVA)
–Stage 6: Attack Modeling and Simulation (AMS)
–Stage 7: Risk Analysis and Management (RAM)
What is the VAST model?
Visual, Agile, and Simple Threat. A threat modeling concept that integrates threat and risk management into an Agile development environment on a scalable basis.
What are the elements of reduction analysis?
Reduction analysis is also known as decomposing the application, system, or environment in order to gain a greater understanding of the product. Priority areas:
–ID trust boundaries
–dataflows
–input points
–privileged operations
–details about security stance and approach.
You need to understand the system so you can figure out its vulnerabilities.
What is the DREAD model?
Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability: a rating system used to prioritize the threats found during threat modeling.
–Damage potential: how severe would the damage be?
–Reproducibility: how complicated is it for attackers to reproduce the exploit?
–Exploitability: how hard is it to perform the attack?
–Affected users: what percentage of your users would be affected?
–Discoverability: how hard is it for an attacker to discover the weakness?
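The three threat-modeling cards above (STRIDE, reduction analysis, DREAD) fit together as one workflow: decompose the system into elements and dataflows, note which flows cross a trust boundary, enumerate STRIDE threats for each part, then rank the candidates with DREAD. The script below is an added example written for this page, not code from the flashcards or from Microsoft; it assumes Microsoft's STRIDE-per-element chart (which STRIDE categories apply to each element type), a 0-10 scale with a simple average for DREAD, and a constructed three-element web system with made-up ratings.

```python
from dataclasses import dataclass

# Assumption (not in the flashcards): Microsoft's STRIDE-per-element chart,
# listing the threat categories that apply to each type of diagram element.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # external_entity | process | data_store
    trust_zone: str  # label of the trust boundary the element sits inside


@dataclass(frozen=True)
class Flow:
    name: str
    src: str  # Element.name
    dst: str  # Element.name


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool  # reduction analysis: flows over a trust boundary get attention first


def crosses_trust_boundary(flow, elements):
    """True when a dataflow leaves one trust zone for another."""
    return elements[flow.src].trust_zone != elements[flow.dst].trust_zone


def enumerate_threats(elements, flows):
    """Decompose the system and apply STRIDE-per-element to every part of it."""
    threats = []
    for e in elements.values():
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, STRIDE_NAMES[letter], False))
    for f in flows:
        crossing = crosses_trust_boundary(f, elements)
        for letter in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(f.name, STRIDE_NAMES[letter], crossing))
    return threats


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """Average of the five DREAD ratings, each on a 0-10 scale (assumed convention)."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= r <= 10 for r in ratings):
        raise ValueError("each DREAD rating must be between 0 and 10")
    return sum(ratings) / len(ratings)


def rank(scored):
    """Order (threat, score) pairs: highest DREAD first, boundary-crossing flows win ties."""
    return sorted(scored, key=lambda ts: (ts[1], ts[0].crosses_boundary), reverse=True)


# Constructed sample system: browser -> web app in a DMZ -> user database in the internal zone.
SAMPLE_ELEMENTS = {e.name: e for e in (
    Element("browser", "external_entity", "internet"),
    Element("web_app", "process", "dmz"),
    Element("users_db", "data_store", "internal"),
)}
SAMPLE_FLOWS = [
    Flow("login_request", "browser", "web_app"),
    Flow("user_lookup", "web_app", "users_db"),
]

# Constructed DREAD ratings for two of the enumerated threats, keyed by (target, category).
SAMPLE_RATINGS = {
    ("login_request", "Information disclosure"): (8, 10, 6, 10, 7),  # averages to 8.2
    ("web_app", "Elevation of privilege"): (10, 4, 3, 10, 3),         # averages to 6.0
}


def rank_sample():
    """Enumerate threats for the sample system and rank the ones that have ratings."""
    threats = enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)
    scored = [(t, dread_score(*SAMPLE_RATINGS[(t.target, t.category)]))
              for t in threats if (t.target, t.category) in SAMPLE_RATINGS]
    return rank(scored)


if __name__ == "__main__":
    for threat, score in rank_sample():
        flag = "  [crosses trust boundary]" if threat.crosses_boundary else ""
        print(f"{score:4.1f}  {threat.target:15} {threat.category}{flag}")
```

Running it lists the rated threats highest score first; every flow in the sample crosses a trust boundary, which is exactly the set reduction analysis tells you to examine before anything else. In a real model the unrated threats that `enumerate_threats` returns are the backlog still waiting for DREAD ratings.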