Chapter 1 - Security Governance Through Principles And Policies Flashcards

1
Q

Seclusion

A

Seclusion involves storing something in an out-of-the-way location. That location can also be placed under strict access controls. Seclusion helps enforce confidentiality protections.

2
Q

Levels of government/military classifications

A
Top Secret
Secret
Confidential
Sensitive but unclassified
Unclassified

Mnemonic: U.S. Can Stop Terrorism (the uppercase letters U, S, C, S, T give the levels in reverse order, from Unclassified up to Top Secret)

3
Q

Confidential vs Private data in commercial business/private sector classification

A

Confidential data is company data whereas private data is data related to individuals.

4
Q

The next step in threat modeling is to perform reduction analysis. What are the five key concepts in the decomposition process?

A

Trust Boundaries: Any location where the level of trust or security changes
Data Flow Paths: The movement of data between locations
Input Points: Locations where external input is received
Privileged Operations: Any activity that requires greater privileges than those of a standard user account or process, typically required to make system changes or alter security
Details about Security Stance and Approach: The declaration of the security policy, security foundations, and security assumptions.

5
Q

Basics of Threat Modeling

A

Threat modeling is the security process where potential threats are identified, categorized, and analyzed. Threat modeling can be performed as a proactive measure during design and development or as a reactive measure once a product has been deployed. Key concepts include assets/attackers/software, STRIDE, diagramming, reduction/decomposing, and DREAD.

6
Q

Microsoft developed a threat categorization scheme known as STRIDE. What components does STRIDE include, and what is it used for?

A
Spoofing
Tampering
Repudiation
Information disclosure
Denial of Service
Elevation of privilege

STRIDE is most often used to assess threats against applications or operating systems, usually by applying each category to every element of the decomposed system (external entities, processes, data stores and data flows).
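
The decomposition from cards 4 to 6 (trust boundaries, data-flow paths, input points, then STRIDE applied per element) can be run as a script over a small data-flow diagram. The following is an added example, not from the flashcards: the web-shop topology, the zone names and their trust ordering are assumptions chosen for illustration, while the STRIDE-per-element mapping is Microsoft's standard chart (external entities get S and R, processes get all six, plain stores get T, I and D, audit stores add R, and data flows get T, I and D).

```python
"""Reduction analysis + STRIDE-per-element over a constructed sample system.

Added example, not from the flashcards: the web-shop topology, zone names and
trust levels below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Microsoft's STRIDE-per-element chart: which categories apply to each
# kind of DFD element. Stores get R only when they hold audit records.
APPLICABLE = {
    "external": "SR",
    "process": "STRIDE",
    "store": "TID",
    "audit_store": "TRID",
    "flow": "TID",
}

# Higher number = more trusted. A flow whose source is less trusted than its
# destination is an input point that crosses a trust boundary.
TRUST = {"internet": 0, "dmz": 1, "internal": 2}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store | audit_store
    zone: str   # key into TRUST


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass
class Model:
    elements: Dict[str, Element] = field(default_factory=dict)
    flows: List[Flow] = field(default_factory=list)

    def add(self, name: str, kind: str, zone: str) -> None:
        if kind not in APPLICABLE or zone not in TRUST:
            raise ValueError(f"unknown kind/zone for {name}")
        self.elements[name] = Element(name, kind, zone)

    def connect(self, name: str, src: str, dst: str) -> None:
        if src not in self.elements or dst not in self.elements:
            raise ValueError(f"flow {name} references unknown element")
        self.flows.append(Flow(name, src, dst))

    def crosses_boundary(self, f: Flow) -> bool:
        return self.elements[f.src].zone != self.elements[f.dst].zone

    def input_points(self) -> List[Flow]:
        """Flows carrying data from a less trusted zone into a more trusted one."""
        return [f for f in self.flows
                if TRUST[self.elements[f.src].zone] < TRUST[self.elements[f.dst].zone]]

    def threats(self) -> List[dict]:
        """STRIDE-per-element enumeration; boundary-crossing flows are flagged
        so they can be reviewed first."""
        out = []
        for e in self.elements.values():
            for letter in APPLICABLE[e.kind]:
                out.append({"element": e.name, "category": STRIDE[letter],
                            "crosses_boundary": False})
        for f in self.flows:
            for letter in APPLICABLE["flow"]:
                out.append({"element": f.name, "category": STRIDE[letter],
                            "crosses_boundary": self.crosses_boundary(f)})
        return out

    def prioritized(self) -> List[dict]:
        """Threats on boundary-crossing flows first, then everything else."""
        return sorted(self.threats(), key=lambda t: not t["crosses_boundary"])


def sample_model() -> Model:
    """Constructed web shop: browser -> web front end -> order API -> DB."""
    m = Model()
    m.add("browser", "external", "internet")
    m.add("web_frontend", "process", "dmz")
    m.add("order_api", "process", "internal")
    m.add("orders_db", "store", "internal")
    m.add("audit_log", "audit_store", "internal")
    m.connect("https_request", "browser", "web_frontend")
    m.connect("api_call", "web_frontend", "order_api")
    m.connect("sql_query", "order_api", "orders_db")
    m.connect("audit_write", "order_api", "audit_log")
    return m


if __name__ == "__main__":
    model = sample_model()
    print("Input points:", [f.name for f in model.input_points()])
    for t in model.prioritized():
        flag = "*" if t["crosses_boundary"] else " "
        print(f"{flag} {t['element']:<14} {t['category']}")
```

The two input points it reports (the HTTPS request from the Internet into the DMZ, and the DMZ-to-internal API call) are exactly the flows where untrusted input first reaches more trusted code, which is why their Tampering, Information disclosure and Denial of service entries are listed ahead of the rest.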

7
Q

Compare serial configuration protection to parallel configuration protection.

A

Layering, also known as defense in depth, is simply the use of multiple controls in series, so that an attacker must defeat every layer to reach the asset.

Serial configurations are very narrow but very deep, whereas parallel configurations are very wide but very shallow.

8
Q

Three sub-dimensions of quality in COBIT 5

A

Three sub-dimensions of quality in COBIT 5 are as follows:

  1. Intrinsic quality – The extent to which data values are in conformance with the actual or true values. It includes
    Accuracy – The extent to which information is correct or accurate and reliable
    Objectivity – The extent to which information is unbiased, unprejudiced and impartial.
    Believability – The extent to which information is regarded as true and credible.
    Reputation – The extent to which information is highly regarded in terms of its source or content.
  2. Contextual and Representational Quality – The extent to which information is applicable to the task of the information user and is presented in an intelligible and clear manner, recognizing that information quality depends on the context of use. It includes
    Relevancy – The extent to which information is applicable and helpful for the task at hand.
    Completeness – The extent to which information is not missing and is of sufficient depth and breadth for the task at hand
    Currency – The extent to which information is sufficiently up to date for task at hand.
    Appropriate amount of information – The extent to which the volume of information is appropriate for the task at hand
    Consistent Representation – The extent to which information is presented in the same format.
    Interpretability – The extent to which information is in appropriate languages, symbols and units, with clear definitions.
    Understandability - The extent to which information is easily comprehended.
    Ease of manipulation – The extent to which information is easy to manipulate and apply to different tasks.
  3. Security/accessibility quality – The extent to which information is available or obtainable. It includes:
    Availability/timeliness – The extent to which information is available when required, or easily available when required, or easily and quickly retrievable.
    Restricted Access – The extent to which access to information is restricted appropriately to authorized parties.
9
Q

COSO’s main objectives and purpose

A

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities and Exchange Commission, and other regulators.

COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives.
These include:
(1) control environment,
(2) risk assessment,
(3) control activities,
(4) information and communication, and
(5) monitoring.

The COSO internal control model has been adopted as a framework by some organizations working toward Sarbanes–Oxley Section 404 compliance.

COSO deals more at the strategic level, while CobiT focuses more at the operational level. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective.

COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures.

Its main purpose is to help prevent fraudulent financial reporting within an organization.

10
Q

Acceptable Use Policy

A

Unless you specifically define how users interact with your information technology assets you cannot legally punish them when they damage, steal or otherwise abuse the systems and their information.

Access to critical systems is a serious responsibility, and it is vital as a manager to strictly define how employees are to interact with the information.

If you do not define their responsibilities with your organization’s data you cannot legally hold them responsible when they abuse, damage or steal it.

There are canned AUPs you can download from various websites; they are reasonable starting points that you then customize to meet the needs of your organization.

11
Q

Who is responsible for restricting and monitoring access of a data user?

A

Security Administrator

For your exam you should know below roles in an organization

Data Owners - These people are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing the access rules for the data for which they are responsible.

Data Custodian or Data Steward - These people are responsible for storing and safeguarding the data, and include IS personnel such as systems analysts and computer operators.

Security Administrator - Security administrators are responsible for providing adequate physical and logical security for IS programs, data and equipment.

Data Users - Data users, including the internal and external user community, are the actual users of computerized data. Their level of access to the computer should be authorized by the data owners, and restricted and monitored by the security administrator.

12
Q

Effective security policy

A

An effective information security policy should be designed with a long-term focus.

13
Q

The five key principles that form the core of the COBIT 5 framework

A

Meeting Stakeholder Needs It is critical to define and link enterprise goals and IT-related goals to best support stakeholder needs.
Covering the Enterprise End to End Companies must shift from managing IT as a cost to managing IT as an asset, and business managers must take on the accountability for governing and managing IT-related assets within their own functions.
Applying a Single Integrated Framework Using a single, integrated governance framework can help organizations deliver optimum value from their IT assets and resources.
Enabling a Holistic Approach Governance of enterprise IT (GEIT) requires a holistic approach that takes into account many components, known as enablers; enablers influence whether something will work. COBIT 5 defines seven enablers for improving GEIT: principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information; services, infrastructure and applications; and people, skills and competencies.
Separating Governance From Management Governance processes ensure goals are achieved by evaluating stakeholder needs, setting direction through prioritization and decision making; and monitoring performance, compliance and progress. Based on the results from governance activities, business and IT management then plan, build, run and monitor activities to ensure alignment with the direction that was set.

14
Q

Due care vs due diligence

A

Due diligence is performing reasonable examination and research before committing to a course of action. Basically, “look before you leap.” In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be “haphazard” or “not doing your homework.”

Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is “negligence.”

Due care - Employees should exercise due care within office environments and especially during travel. Any loss or theft of a mobile device must be treated as a security breach and reported immediately in accordance with security management policies and procedures.
In summary, due diligence is identifying threats and risks, while due care is acting upon the findings to mitigate risks.
EXAM TIP:
Due diligence refers to the steps taken to identify the risks that exist within the environment. This is based on best practices, standards such as ISO 27001 and ISO 17799, and other consensus guidance. The first letters of the words Due and Diligence should remind you of this: DD = Do Detect.
In the case of due care, it is the actions you have taken (implementing, designing, enforcing, updating) to reduce the risks identified and keep them at an acceptable level. The same applies here: the first letters of the words Due and Care are DC, which should remind you that DC = Do Correct.

15
Q

Different focus between TCSEC and ITSEC?

A

TCSEC focused on confidentiality while ITSEC added integrity and availability as security goals.

16
Q

COBIT

A

COBIT (Control Objectives for Information and related Technology) is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA (Information Systems Audit and Control Association).

COBIT provides control objectives, control practices, goal indicators, performance indicators, success factors, and maturity models.

COBIT 4.1 has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. There are 34 Information Technology processes across the four domains. (COBIT 5 restructured these into five domains; see the card on its five principles.)

17
Q

Scoping and Tailoring

A

Scoping is the process of determining which portions of a standard will be employed by an organization. For example: an organization that does not employ wireless equipment may declare the wireless provisions of a standard are out of scope, and therefore do not apply.
Tailoring is the process of customizing a standard for an organization. It begins with controls selection, continues with scoping, and finishes with the application of compensating controls.

18
Q

Successor of ISO 17799

A

ISO/IEC 17799 (2005 edition) was renumbered ISO/IEC 27002 in 2007, to make it consistent with the 27000 series of ISO security standards.

19
Q

Informative Policy

A

To educate employees about events, new developments, or changes within a company. The messages are purely one way, meaning employees are not responsible for doing anything after reading the document. An example would be a company-wide email that details a recent reorganization of the board of directors.

20
Q

Fault Tree Analysis

A

Fault tree analysis usually proves to be a useful approach for identifying failures that can take place within more complex environments and systems. It follows this general process. First, an undesired effect is taken as the root or top event of a tree of logic. Then, each situation that has the potential to cause that effect is added to the tree as a series of logic expressions (AND and OR gates). Finally, the leaves of the tree are labeled with actual failure probabilities, so that the probability of the top event can be computed and the combinations of basic failures that lead to it (cut sets) can be read off.
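
The fault-tree procedure above and the serial-versus-parallel comparison in card 7 share the same arithmetic: seen from the attacker's side, a serial layered defence is an AND gate (every layer must be bypassed), and a parallel configuration is an OR gate (defeating any one path suffices). The following added example is not from the flashcards; the tree, the event names and the per-event probabilities are constructed for illustration, and the gate formulas assume the basic events are independent.

```python
"""Fault tree with AND/OR gates: top-event probability and minimal cut sets.

Added example, not from the flashcards. The tree, the event names and the
per-event probabilities are constructed for illustration; the gate maths
assumes basic events are independent.
"""
from dataclasses import dataclass
from itertools import product
from math import prod
from typing import FrozenSet, List, Set, Union


@dataclass(frozen=True)
class Basic:
    name: str
    p: float          # probability the basic event occurs (e.g. a control is bypassed)


@dataclass(frozen=True)
class And:
    label: str
    children: tuple   # every child must occur


@dataclass(frozen=True)
class Or:
    label: str
    children: tuple   # any one child suffices


Node = Union[Basic, And, Or]


def probability(node: Node) -> float:
    """Probability of the event at this node, assuming independence."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(c) for c in node.children]
    if isinstance(node, And):
        return prod(ps)                          # all children occur
    return 1.0 - prod(1.0 - p for p in ps)       # Or: at least one occurs


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """All cut sets: combinations of basic events that cause this node."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [cut_sets(c) for c in node.children]
    if isinstance(node, Or):
        return set().union(*child_sets)
    # And: pick one cut set from each child and merge them
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Drop any cut set that is a strict superset of another."""
    sets = cut_sets(node)
    return {s for s in sets if not any(o < s for o in sets)}


def layered(name: str, bypass: List[float], serial: bool) -> Node:
    """Attacker's view of a layered defence.

    Serial layers must all be defeated (AND gate); parallel layers each offer
    an independent path, so defeating any one suffices (OR gate).
    """
    leaves = tuple(Basic(f"{name}_layer{i}", p) for i, p in enumerate(bypass, 1))
    return And(name, leaves) if serial else Or(name, leaves)


def sample_tree() -> Or:
    """Constructed top event: attacker exfiltrates customer records."""
    via_app = And("exploit_app_path", (
        Basic("bypass_waf", 0.20),
        Basic("exploit_injection", 0.10),
        Basic("bypass_db_auth", 0.05),
    ))
    via_phish = Basic("phish_dba_credentials", 0.02)
    return Or("exfiltrate_customer_records", (via_app, via_phish))


if __name__ == "__main__":
    top = sample_tree()
    print(f"P(top) = {probability(top):.5f}")
    for cs in sorted(minimal_cut_sets(top), key=len):
        print("  minimal cut set:", sorted(cs))
    for serial in (True, False):
        t = layered("defence", [0.1, 0.1, 0.1], serial)
        kind = "serial" if serial else "parallel"
        print(f"{kind} three layers: P(bypass) = {probability(t):.3f}")
```

The minimal cut sets are the practical output: in the constructed tree the single-event set (phishing a DBA) dominates the three-event application path even before the probabilities are compared, which is the kind of finding the "narrow but deep" serial configuration is meant to avoid.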

21
Q

SABSA

A

The Sherwood Applied Business Security Architecture (SABSA) is an enterprise security framework which slices an enterprise into different layers so that security can be more focused and precise. The model is made up of six layers. Each layer represents a different view of the organization and the types of security controls that need to be put into place.

22
Q

Differences between COBIT and COSO

A

COSO deals more at the strategic level, and COBIT focuses more at the operational level.

23
Q

Different ISO 27000 series

A
  • ISO 27001: based on BS 7799 part 2, which is establishment, implementation, control, and improvement of the Information Security Management System.
  • ISO 27002: Code of practice providing best-practice advice on ISMS controls, which is based on BS 7799 part 1.
  • ISO 27004: A standard for information security management measurements
  • ISO 27005: designed to assist in the satisfactory implementation of information security based on risk management approach.
  • ISO 27006: guide to the certification/registration process
  • ISO 27799: a guide to illustrate how to protect personal health information
24
Q

Advisory vs Informative Policy

A

An advisory policy is written to strongly suggest that certain types of behaviors and activities should take place within the organization. It also outlines possible ramifications for noncompliance. This is used for handling medical information, financial transactions, and processing confidential information.

An informative policy is written to inform employees on certain topics. It is not an enforceable policy, but one intended to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, about the company’s goals and mission, or give a general reporting structure in different situations.

25
Q

ITIL

A

ITIL is the de facto standard of best practices for IT service management. ITIL was created because of the increased dependence on information technology to meet business needs.

26
Q

Six Sigma

A

Six Sigma is a process improvement methodology. It is the "new and improved" Total Quality Management (TQM) that hit the business sector in the 1980s. Its goal is to improve process quality by using statistical methods to measure operational efficiency and reduce variation, defects, and waste.

27
Q

Baseline

A

A baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

28
Q

Security through obscurity

A

Security through obscurity is not implementing true security controls, but rather attempting to hide the fact that an asset is vulnerable in the hope that an attacker will not notice. Security through obscurity is an approach to try and fool a potential attacker which is a poor way of practicing security.

29
Q

NIST SP 800-30

A

NIST Special Publication 800-30 is the Risk Management Guide for Information Technology Systems.