Chapter 2 - Governance and Risk Flashcards
Availability?
Uptime and timeliness
What is AIC or CIA?
Availability Integrity Confidentiality
Used to define security platform and threat surfaces
Integrity?
Unaltered information accuracy
Confidentiality?
Authorized disclosure
Shoulder surfing
Looking over the shoulder to view screen data or passwords
Social engineering
Tricking someone into divulging information
Vulnerability?
Lack of or weakness in a countermeasure that is exploitable
Threat?
The potential danger if a vulnerability is exploited
Threat Agent?
The entity that takes action on the threat and vulnerability
Risk?
The likelihood a threat agent will exploit a vulnerability and the impact that could cause to the business
Exposure?
This is the damage caused by a successful attack
Control?
Countermeasure to reduce risk a vulnerability may cause
Also known as safeguard
Deterrent control?
Discourage attacker
What three categories make for defense in depth?
Administrative
Technical
Physical controls
Preventive control?
Avoid an incident entirely
Corrective control?
Fixes after an incident
Recovery control?
Intended to bring the environment back
Detective control?
Detect what occurred and who did it
Compensating control?
Alternative controls (a proxy server instead of a port block)
What three controls commonly make up a security policy?
Preventative, detective, and recovery
Why is security by obscurity a bad thing?
It assumes you are smarter than the attacker and in most cases lowers productivity
What cycle does the ISO standards follow?
Plan-Do-Check-Act (PDCA)
What is the BS7799? What did it become?
BS7799 was a British de facto security standard that was adopted by ISO 27000; it also goes by the name ISO 17799
What is the difference between framework and architecture?
Framework is an outline blueprint and architecture is the blueprint that fits the specific need
Define a view in terms of an enterprise architecture.
A view is how an individual element of a business supports the architectural integrity of a business
What is the benefit of having an architecture?
It shows the company as an organism and how each part has a role
An architecture is to a human body as views are to what?
A circulatory system
A bone structure
A digestive tract
Etc.
What is the Zachman framework best at illustrating?
A two dimensional view of each view in an architecture asking the 5 w’s for each
TOGAF is comprised of what views of architecture?
In order:
Business
Data
Applications
Technology
What framework uses ADM as part of its definition?
TOGAF
What is the primary benefit of the complex DoD architectures like DODAF and MODAF?
Synchronous data types and standard communication channel so everyone is quickly on the same page
When do stakeholders become important?
When choosing an architecture that fits the business model. Their concerns will help guide that decision.
What does tactical, strategic, and operational mean?
Strategic - the long term goals (a retirement)
Tactical - the medium goals (a security plan in place)
Operational - short term (lock down that port)
ISMS
Information security management system
SABSA
It is a 2 dimension model like Zachman, using the 5 w’s to define security in increasing detail
What is a methodology?
A step-by-step process to implement an architecture
Strategic alignment?
The alignment of the business within an enterprise architecture
Business enablement?
Business needs and productivity come before security
Process enhancement?
Architecture planning will force diagnostics of business process and give a rich opportunity to fine tune the business process
Security effectiveness?
Use of tools like ROI, SLA, or baselines to see security efficiency
CobiT?
Controls-oriented private business framework with 32 domains and a complete checklist of IT governance policies
NIST 800-53
Government version of a COBIT-like framework with specific steps
What is unique about the NIST categories?
Management
Technical
Operational
Instead of the standard:
Administrative
Technical
Physical
COSO
Architecture model focused on corporate governance instead of IT governance
What common law is built on COSO?
SOX
What is the primary focus of ITIL?
SLA
Six Sigma?
Process methodology architecture
CMMI?
Capability Maturity Model Integration
Used to help define the maturity level of a process, similar to the COBIT maturity model
Top-Down approach vs bottom-up approach
Top down is starting from senior management and working down. Bottom up is the other way around starting from the janitor up
What are the 4 domains of a security program life cycle?
Plan and organize
Implement
Operate and maintain
Monitor and evaluate
What is a blueprint?
Specific roles, outlines, responsibilities, or guidelines within the architecture
What is the first thing you do when securing an environment?
Find out how the business works, down to the user and client experiences and up to the board members' day to day
What is IRM?
Information Risk Management
What are the types of risk?
Physical damage (fire)
Human interaction (disruptive interaction)
Equipment failure
Attacks (hacking)
Misuse of data (sharing trade secrets)
Loss of data (format /s /f)
Application error (bad loops)
What allows a company to pick and choose vulnerabilities?
Risk management
What does risk affect in a company?
Everything in an organization.
What is the key thing for management to contribute to risk management?
A definition of what is considered an acceptable level of risk
What are the goals of a risk assessment?
Identify assets and value
Identify vulnerabilities and threats
Quantify the probability and business impact of threats
Provide an economic balance between impact and cost of control
Cost/Benefit
Finally got that risk assessment done? Now what?
React to it and make adjustments to reduce risk
What level of a department should be working with the risk assessment team?
The top level; far too often it is delegated to the lower people due to time, but they don't know the answers
What 4 questions should be asked in a risk assessment?
Threat event?
Risk?
Frequency?
Certainty of the last 3 questions?
How does the value of an object or piece of information dictate risk assessment?
More value, more risk
What is an intangible risk assessment?
Something not physical.
Reputation
Data
Intellectual property
It is critical to be able to assign a cost to these
Loss potential?
What the company would lose if the threat agent exploited the vulnerability
Delayed loss?
Damaged reputation
Loss of market share
Late penalties
Civil suits
Etc.
This happens long after the exploit took place.
What is SP 800-30?
NIST methodology guide focused only on IT security
What is FRAP?
This is a to-the-point risk methodology that focuses only on the most critical risks for cost and time efficiency
OCTAVE?
This is a high-level IT security methodology focused on allowing the upper people within each department to make the risk assessment
AS/NZS 4360
This is a methodology focused on business health, particularly financially and economically
FMEA?
Failure modes and effect analysis
Used in development and operations to find flaws and potential failures before they happen
Failure mode?
How a system can break
Effect analysis
Impact of a failure
Fault Tree Analysis
Used for complex failure modes with multiple dependencies.
This model starts from what can go wrong and diagrams everything that can cause that to happen
Logic diagrams are used in what methodology?
Fault tree analysis
CRAMM
A UK methodology that is fully automated with Siemens products
Risk assessment vs risk analysis?
Assessment is gathering information
Analysis is using and acting on the assessment
What 4 things can be done with a risk?
Accept
Mitigate
Transfer
Avoid
Qualitative analysis?
Financial estimate of a risk
Quantitative analysis?
Assigning rating to risk like red, yellow, green.
Single loss expectancy?
Dollar amount assigned to a single event if a threat took place
Asset value * exposure factor
Exposure factor
% of an asset lost
Annual loss expectancy
SLE * ARO = ALE
ARO?
Annualized rate of occurrence
Uncertainty?
This is the amount of guessing put into a risk analysis. This should be tracked.
Delphi?
A group discussion technique designed to anonymously give opinions
Cost/benefit analysis?
Prevent spending more money than the threat would cost annually (ALE)
Safeguard considerations?
Must be visible to the evildoer but non-discoverable
Residual risk?
No countermeasure is fully effective. The remainder is the residual risk.
Mitigation not prevention
Total risk?
The entire risk quotient. Companies will accept this only if the cost/benefit supports that action
How can one deal with risk?
Accept it
Avoid it
Mitigate it
Transfer it
Transfer risk?
“It’s not my risk anymore, it’s his”
Risk avoidance
We will discontinue using that product due to the risk
Mitigated risk
I implemented a new security device to reduce risk
Acceptable risk
I’m okay with that!
Security policy
General statement of security by senior management that dictates the role of security
Organizational security policy
Shows the tactical and strategic value of a security policy and a defined acceptable level of risk
Issue specific policies or functional policies
Specific security policy to one segment of the master organizational policy
System specific policy
This is an IT-specific acceptable use policy defining roles, access, and system security
Regulatory policy
Very detailed and specific standards used by industry, medical, and government
E.g. HIPAA, SOX
Advisory policy
Strongly shows exactly what is acceptable and unacceptable with consequences
Informative policy
Non-enforceable policy telling people relevant information
What is a baseline?
Clean data at a point in time to reference against
Guidelines
Recommended actions and operational guides
Procedure
Very detailed step-by-step task list
Data classification
Level of confidentiality of stored data
Board of directors?
Shareholder-elected individuals in a publicly traded company used for steering the company from the shareholder side
CPO
Chief privacy officer - business legal advisor
Privacy impact analysis
Risk assessment specifically for the protection of sensitive data
Privacy
Controlled and expected release of sensitive data
PII
Personally identifiable information
Convergence
The combination of all security realms
Security steering committee
Everyone who is personally responsible or in charge of directing security in an organization
Audit committee
Independent auditing among the board of directors
Data owner
The person responsible for a subset of data and its business access and defined sensitivity
Data custodian
This is the person who manages where the data is stored. Typically the IT person
System owner
The person to call when application xyz has a problem
Security administrator
Controls network security devices like IDS, IPS, firewalls, anti-malware, etc.
Security analyst
Works at a higher level and analyzes the environment for security flaws. Works with risk analysis
Application owner
The person directly responsible for the security of an application
Supervisor
This is someone who is responsible for the users themselves
Change control analyst
Ensure change control happens and stays secure
Data analyst
Ensures data is placed where it needs to be and is secured correctly
Solution provider
An external provider of a solution to a business ailment
Product line manager
Similar to a systems analyst, more specifically targeting products and licensing
Separation of duties
When multiple people are necessary to enable a control or process
Collusion
This means working together.
Separation of duties implies collusion occurred if the process became fraudulent
Split-knowledge
Two people required for a task, each knowing how to do half the task
Dual control
Both people understand the entire process but no one person can accomplish the task
Rotation of duties
Changing roles and shifts and handing them to others in order to encourage employee auditing
Mandatory vacation
Forcing people to take vacation and relinquish their role to someone else who could potentially find fraud
Non-disclosure agreements
Used to bind employees to a policy stating you cannot share sensitive data
Security Governance
This is how well the security is integrated into the organization as a whole
ISO 27004:2009 / NIST 800-55
Tells how to measure a security program