Chapter 2 - Personnel Security And Risk Management Concepts Flashcards

1
Q

Define Personally Identifiable Information (PII)

A

PII is any data item that can be easily and/or obviously traced back to the person of origin or concern. For example, a phone number, email address, mailing address, social security number, and name are all PII.

2
Q

Calculating Safeguard Cost/Benefit Formula

A

Pre-countermeasure ALE - post-countermeasure ALE - ACS (annual cost of safeguard)

3
Q

The importance of Job Descriptions

A

Job descriptions are important to the design and support of a security solution.

4
Q

Documentation Review

A

Documentation review is the process of reading exchanged materials and verifying them against standards and expectations. The documentation review is typically performed before any on-site inspection takes place. If the exchanged documentation is sufficient and meets expectations, then an on-site review will be able to focus on compliance with the stated documentation. However, if the documentation is incomplete, inaccurate, or otherwise insufficient, the on-site review is postponed until the documentation can be updated and corrected. This step is important because if the documentation is not in compliance, chances are the location will not be in compliance either.

5
Q

Threat Events

A

Threat events are accidental and intentional exploitations of vulnerabilities. They can also be natural or man-made. Threat events include fire, earthquake, flood, system failure, human error, and power outage.

6
Q

When a safeguard or a countermeasure is not present or is not sufficient, what remains?

A

Vulnerability. A vulnerability is the absence or weakness of a safeguard or countermeasure.

7
Q

When evaluating safeguards, what is the rule that should be followed in most cases?

A

The annual costs of safeguards should not exceed the expected annual cost of asset loss.

8
Q

To determine whether a safeguard is financially equitable, what formula should be used?

A

ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company

9
Q

Security Training

A

Training is teaching employees to perform their work tasks and to comply with the security policy. Training is typically hosted by an organization and is targeted to groups of employees with similar job functions.

10
Q

Components of managing the security function

A

Assessment of budgets, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.

11
Q

Effects of countermeasure

A

A countermeasure directly affects the annualized rate of occurrence (ARO), primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.

12
Q

Which answer is the term used to describe the processes used to plan, allocate and control information security resources?

A

ESA Framework is the processes used to plan, allocate and control information security resources.

Whichever architecture you implement, the purpose is to support the business goals of the organization through the use of effective security investment.

Some metrics used to determine if you are successful are:

  • Strategic alignment
  • Effective risk management
  • Resource Management
  • Performance measurement
13
Q

Which formula can be used to calculate financial risk?

A

The correct answer is: P * M = C

Financial risks can be quantified in many cases and are generally used to help determine how much should be spent on the recovery program. One of the ways financial risk can be calculated is using the formula P * M = C

Probability of harm (P) : the chance that a damaging event will occur

Magnitude of Harm (M): the amount of financial damage that would occur should a disaster happen

Cost of the prevention (C): the price of putting in place a countermeasure preventing the disaster’s effects. The cost of countermeasures should not be more than the cost of the event

A tip to remember this: “A Project Manager (PM) cries many times when he thinks of the cost” (P * M = C)
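Worked example (added here; it is not part of the original flashcard deck): the ALE-based safeguard-value formula from cards 2, 7, 8 and 11 and the P * M expected-loss check from card 13, carried through in Python. The asset value, exposure factor, occurrence rates and safeguard costs are constructed for illustration and the class and function names are the example's own.

```python
"""Quantitative risk arithmetic from the safeguard cost/benefit cards.

All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair expressed in annualized-loss terms."""
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # ARO, expected occurrences per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE * ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure and the ARO that remains once it is deployed.

    Card 11: the countermeasure acts on the ARO, so the 'after' picture is
    the same asset and exposure factor with a lower occurrence rate.
    """
    name: str
    annual_cost: float   # ACS: purchase, maintenance and operation per year
    residual_aro: float  # ARO after the safeguard is in place


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Cards 2 and 8: ALE(before) - ALE(after) - ACS.

    A positive result means the safeguard saves more than it costs.
    """
    after = Risk(risk.asset_value, risk.exposure_factor, sg.residual_aro)
    return risk.ale - after.ale - sg.annual_cost


def within_budget_rule(risk: Risk, sg: Safeguard) -> bool:
    """Card 7: the annual cost of a safeguard should not exceed the
    expected annual cost of asset loss it addresses."""
    return sg.annual_cost <= risk.ale


def expected_loss(probability: float, magnitude: float) -> float:
    """Card 13: P * M, probability of harm times magnitude of harm."""
    return probability * magnitude


def prevention_is_justified(probability: float, magnitude: float,
                            cost_of_prevention: float) -> bool:
    """Card 13's rule: the cost of the countermeasure (C) should not be
    more than the expected cost of the event (P * M)."""
    return cost_of_prevention <= expected_loss(probability, magnitude)


def rank_safeguards(risk: Risk, candidates: list) -> list:
    """Order candidate safeguards by their value to the company, best first."""
    return sorted(candidates, key=lambda sg: safeguard_value(risk, sg),
                  reverse=True)


if __name__ == "__main__":
    # Constructed scenario: a public web server worth 200,000, where a
    # successful compromise destroys 25% of its value and is expected
    # twice every four years.
    web = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.5)
    print(f"SLE={web.sle:,.0f}  ALE={web.ale:,.0f}")

    # Two hypothetical safeguards: a modest control that cuts the ARO to
    # 0.1, and an expensive one that eliminates the event entirely.
    modest = Safeguard("modest control", annual_cost=8_000, residual_aro=0.1)
    gold = Safeguard("gold-plated control", annual_cost=30_000, residual_aro=0.0)

    for sg in rank_safeguards(web, [gold, modest]):
        print(f"{sg.name:20s} value={safeguard_value(web, sg):>9,.0f} "
              f"within card-7 rule={within_budget_rule(web, sg)}")
```

The gold-plated control removes the risk completely yet has negative value: its 30,000 annual cost exceeds the 25,000 ALE it protects against, which is exactly the situation card 7's rule is meant to catch.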

14
Q

Risk Avoidance

A

When we deploy publicly accessible information systems there is a level of risk we must be willing to accept simply to operate the system.

If a service is not necessary to business functions, hosting it is a risk to be avoided. In other words, don't host a service (like a web server, mail server, or any other software system accessible by the public) if it is not absolutely necessary to the business model.

By NOT hosting the service we are avoiding the risk altogether.

15
Q

Risk Assessment

A

The risk assessment is critical because it enables the person responsible for contingency planning to focus risk management efforts and resources in a prioritized manner only on the identified risks. The risk management process includes the risk assessment and determination of suitable technical, management, and operational security controls based on the level of threat the risk imposes. Business units should be included in this process.

16
Q

An advantage of a qualitative over a quantitative risk analysis

A

The main advantage of the qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. It does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost analysis of any recommended controls difficult. Since it involves a consensus of experts and some guesswork based on the experience of Subject Matter Experts (SMEs), it cannot be easily automated.

17
Q

Nonrepudiation is what type of control?

A

Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control.

18
Q

Delphi methods

A
  1. The Consensus Delphi method, used in risk analysis, helps identify the highest-priority security issues and corresponding countermeasures.
  2. The Modified Delphi method is a silent form of brainstorming. Participants develop ideas individually and silently with no group interaction. The ideas are submitted to a group of decision makers for consideration and action.
19
Q

Facilitated Risk Analysis Process (FRAP)

A

FRAP is designed with the intention of exploring a qualitative risk assessment process in a manner that allows for tests to be conducted on different aspects and variations of the methodology. The intent of this methodology is to provide an organization with the means of deciding what course of action must be taken in specific circumstances to deal with various issues.

20
Q

Enterprise Security Architecture

A

An Enterprise Security Architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS).