CHAPTER 2_Information Security Governance and Risk Management Flashcards

Question

Explanations: Security Analyst

Answer 1

I have analyzed your security and you have it all wrong.Response: What a surprise.

Answer 2

Guideline for information security management measurement and metrics framework

Answer 3

Guideline for IT network security, a multipart standard based on ISO/IEC 18028:2006

Answer 4

Another method of risk analysis is qualitative, which does not assign numbers and monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. (A wide sweeping analysis can include hundreds of scenarios.) Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed, as well as the culture of the company and individuals involved with the analysis.

Answer 5

A focused, qualitative approach that carries out prescreening to save time and money.

Answer 6

Intended to discourage a potential attacker

Answer 7

* The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources. * A vulnerability is the absence of or weakness in a control. * A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset. * A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action. * A countermeasure, also called a safeguard or control, mitigates the risk. * A control can be administrative, technical, or physical and can provide deterrent, preventive, detective, corrective, or recovery protection. * A compensating control is an alternate control that is put into place because of financial or business functionality reasons. * CobiT is a framework of control objectives and allows for IT governance. * ISO/IEC 27001 is the standard for the establishment, implementation, control, and improvement of the information security management system. * The ISO/IEC 27000 series were derived from BS 7799 and are international best practices on how to develop and maintain a security program. * Enterprise architecture frameworks are used to develop architectures for specific stakeholders and present information in views. * An information security management system (ISMS) is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO\IEC 27001. * Enterprise security architecture is a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment. * Blueprints are functional definitions for the integration of technology into business processes. * Enterprise architecture frameworks are used to build individual architectures that best map to individual organizational needs and business drivers. * Zachman is an enterprise architecture framework, and SABSA is a security enterprise architecture framework. * COSO is a governance model used to help prevent fraud within a corporate environment. * ITIL is a set of best practices for IT service management. * Six Sigma is used to identify defects in processes so that the processes can be improved upon. * CMMI is a maturity model that allows for processes to improve in an incremented and standard approach. * Security enterprise architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness. * NIST 800-53 uses the following control categories: technical, management, and operational. * OCTAVE is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector. * Security management should work from the top down (from senior management down to the staff). * Risk can be transferred, avoided, reduced, or accepted. * Threats × vulnerability × asset value = total risk. * (Threats × vulnerability × asset value) × controls gap = residual risk. * The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards. * Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. * A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems. * A quantitative risk analysis attempts to assign monetary values to components within the analysis. * A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision. * Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures. * Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures. * Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE). * Qualitative risk analysis uses judgment and intuition instead of numbers. * Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience. * The Delphi technique is a group decision method where each group member can communicate anonymously. * When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed. * A security policy is a statement by management dictating the role security plays in the organization. * Procedures are detailed step-by-step actions that should be followed to achieve a certain task. * Standards are documents that outline rules that are compulsory in nature and support the organization’s security policies. * A baseline is a minimum level of security. * Guidelines are recommendations and general approaches that provide advice and flexibility. * Job rotation is a detective administrative control to detect fraud. * Mandatory vacations are a detective administrative control type that can help detect fraudulent activities. * Separation of duties ensures no single person has total control over a critical activity or task. It is a preventative administrative control. * Split knowledge and dual control are two aspects of separation of duties. * Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels. * Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall. * Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team’s findings. * The risk management team should include individuals from different departments within the organization, not just technical personnel. * Social engineering is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual. * Personal identification information (PII) is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected. * Security governance is a framework that provides oversight, accountability, and compliance. * ISO/IEC 27004:2009 is an international standard for information security measurement management. * NIST 800-55 is a standard for performance measurement for information security.

Answer 8

Code of practice for information security management

Answer 9

• What are you trying to do at this layer? The assets to be protected by your security architecture.

Answer 10

I am sure that company, based in another company that we have never met or ever heard of, will protect our most sensitive secrets just fine.Response: Yeah, they seem real nice.

Answer 11

A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.

Answer 12

Security AdministratorThe security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. These controls commonly include firewalls, IDS, IPS, antimalware, security proxies, data loss prevention, etc. It is common for there to be delineation between the security administrator and the network administrator. The security administrator has the main focus of keeping the network secure, and the network administrator has the focus of keeping things up and running.

Answer 13

The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.

Answer 14

* Define the acceptable risk level for the organization. * Develop security objectives and strategies. * Determine priorities of security initiatives based on business needs. * Review risk assessment and auditing reports. * Monitor the business impact of security risks. * Review major security breaches and incidents. * Approve any major change to the security policy and program.

Answer 15

CobiT contains control objectives used within the private sector; the U.S. government has its own set of requirements when it comes to controls for federal information systems and organizations.

Answer 16

An issue-specific policy, also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes, that specifies which e-mail functionality employees can or cannot use, and that addresses specific privacy issues.

Answer 17

Annual expected loss if a specific vulnerability is exploited and how it affects a single asset.

Answer 18

Computation errors, input errors, and buffer overflows

Answer 19

High-level document that outlines senior management’s security directives.

Answer 20

* Control environment * Management’s philosophy and operating style * Company culture as it pertains to ethics and fraud * Risk assessment * Establishment of risk objectives * Ability to manage internal and external change * Control activities * Policies, procedures, and practices put in place to mitigate risk * Information and communication * Structure that ensures that the right people get the right information at the right time * Monitoring * Detecting and responding to control deficiencies

Answer 21

Viewing information in an unauthorized manner by looking over the shoulder of someone else.

Answer 22

CSO vs. CISOThe CSO and chief information security officer (CISO) may have similar or very different responsibilities. How is that for clarification? It is up to the individual organization to define the responsibilities of these two roles and whether they will use both, either, or neither. By and large, the CSO role usually has a farther-reaching list of responsibilities compared to the CISO role. The CISO is usually focused more on technology and has an IT background. The CSO usually is required to understand a wider range of business risks, including physical security, not just technological risks.

Answer 23

The janitor said we should wrap our computers in tin foil to meet our information security needs.

Answer 24

Implement security in all phases of a system’s lifetime through development of security requirements, cryptography, integrity protection, and software development procedures.

Answer 25

International standards on how to develop and maintain an ISMS developed by ISO and IEC

Answer 26

* Top secret * Secret * Confidential * Sensitive but unclassified * Unclassified

Answer 27

I only want to get better, and better, and better.Response: I only want you to go away.

Answer 28

Who Really Understands Risk Management?Unfortunately, the answer to this question is that not enough people inside or outside of the security profession really understand risk management. Even though information security is big business today, the focus is more on applications, devices, viruses, and hacking. Although these items all must be considered and weighed in risk management processes, they should be considered small pieces of the overall security puzzle, not the main focus of risk management.

Answer 29

Compulsory rules that support the security policies.

Answer 30

Now that we know about the risk, what do we do with it?Response: Hide it behind that plant.

Answer 31

Intended to avoid an incident from occurring

Answer 32

Assigning monetary and numeric values to all the data elements of a risk assessment.

Answer 33

Enterprise Security ArchitectureAn enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS). The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease-of-use, standardization, and governance.

Answer 34

Nondisclosure agreements must be developed and signed by new employees to protect the company and its sensitive information. Any conflicts of interest must be addressed, and there should be different agreements and precautions taken with temporary and contract employees.

Answer 35

This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical or financial information.

Answer 36

Privacy is different from security. Privacy indicates the amount of control an individual should be able to have and expect as it relates to the release of their own sensitive information. Security is the mechanisms that can be put into place to provide this level of control.

Answer 37

Two or more people working together to carry out fraudulent activities.

Answer 38

A U.S. federal standard that is focused on IT risks.

Answer 39

Reliable and timely access to data and resources is provided to authorized individuals.

Answer 40

* Confidential * Private * Sensitive * Public

Answer 41

Risk that remains after implementing a control. Threats × vulnerabilities × assets × (control gap) = residual risk.

Answer 42

The former Chief Executive Officer of HealthSouth Corp. was sentenced to five years in prison for his part in the $2.7 billion scandal.

Answer 43

* Using unique user IDs to enable users to be linked to and held accountable for their actions * Checking that the user has authorization from the system owner for the use of the information system or service, and the level of access granted is appropriate to the business purpose and consistent with the organizational security policy * A procedure to require users to understand and acknowledge their access rights and the conditions of such access * Ensuring that internal and external service providers do not provide access until authorization procedures have been completed * Maintaining a formal record, including access levels, of all persons registered to use the service * A timely and regular review of user IDs and access rights

Answer 44

Guideline for information security management systems auditing

Answer 45

Information security management guidelines for telecommunications organizations

Answer 46

Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how useful the current security solutions and architecture as a whole are performing.

Answer 47

Model and methodology for the development of enterprise architectures developed by The Open Group

Answer 48

The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. For example, if a data warehouse has the asset value of $150,000, it can be estimated that if a fire were to occur, 25 percent of the warehouse would be damaged, in which case the SLE would be $37,500:

Answer 49

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.

Answer 50

The last approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.

Answer 51

So the different categories of controls that can be used are administrative, technical, and physical. But what do these controls actually do for us? We need to understand the different functionality that each control type can provide us in our quest to secure our environments.

Answer 52

COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them.

Answer 53

Assigning confidence level values to data elements.

Answer 54

* The integrity of the company’s financial statements and other financial information provided to stockholders and others * The company’s system of internal controls * The engagement and performance of the independent auditors * The performance of the internal audit function * Compliance with legal requirements, regulations, and company policies regarding ethical conduct

Answer 55

Guideline for information security governance

Answer 56

The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.

Answer 57

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relative laws, regulations, and liability issues, and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.

Answer 58

Risk-driven enterprise security architecture that maps to business initiatives, similar to the Zachman framework.

Answer 59

A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, and applications. An organization may have a system-specific policy outlining how a database containing sensitive information should be protected, who can have access, and how auditing should take place. It may also have a system-specific policy outlining how laptops should be locked down and managed. This policy type is directed to one or a group of similar systems and outlines how they should be protected.

Answer 60

Information security management guidelines for the finance and insurance sectors

Answer 61

Organizational development for process improvement developed by Carnegie Mellon

Answer 62

Helps identify an incident’s activities and potentially an intruder

Answer 63

Along with ensuring that we have the proper controls in place, we also want to have ways to construct and improve our business, IT, and security processes in a structured and controlled manner. The security controls can be considered the “things,” and processes are how we use these things. We want to use them properly, effectively, and efficiently.

Answer 64

I am very important, but I am missing a “C” in my title.Response: Then you are not so important.

Answer 65

Architecture framework used mainly in military support missions developed by the British Ministry of Defence

Answer 66

* An established risk acceptance level provided by senior management * Documented risk assessment processes and procedures * Procedures for identifying and mitigating risks * Appropriate resource and fund allocation from senior management * Security-awareness training for all staff members associated with information assets * The ability to establish improvement (or risk mitigation) teams in specific areas when necessary * The mapping of legal and regulation compliancy requirements to control and implement requirements * The development of metrics and performance indicators so as to measure and manage various types of risks * The ability to identify and assess new risks as the environment and company change * The integration of IRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities

Answer 67

Hey, we need a sacrificial lamb in case things go bad.Response: We already have one. He’s called the chief security officer.

Answer 68

Guideline for information security risk management

Answer 69

• The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.

Answer 70

Steps of a Quantitative Risk AnalysisIf we follow along with our previous sections in this chapter, we have already carried out our risk assessment, which is the process of gathering data for a risk analysis. We have identified the assets that are to be assessed, associated a value to each asset, and identified the vulnerabilities and threats that could affect these assets. Now we need to carry out the risk analysis portion, which means that we need to figure out how to interpret all the data that was gathered during the assessment.

Answer 71

Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.

Answer 72

Controls that provide an alternative measure of control

Answer 73

The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, the Acquire and Implement category contains the following subcategories:

Answer 74

Our operating systems follow strict and hierarchical structures, but our company is a mess.

Answer 75

Intended to bring the environment back to regular operations

Answer 76

I have determined that our greatest risk is this paperclip.Response: Nice work.

Answer 77

Team-oriented approach that assesses organizational and IT risks through facilitated workshops.

Answer 78

An enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS). The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease-of-use, standardization, and governance.

Answer 79

A control, or countermeasure, is put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability. Examples of countermeasures include strong password management, firewalls, a security guard, access control mechanisms, encryption, and security-awareness training.

Answer 80

British Standard 7799 (BS7799) was developed in 1995 by the United Kingdom government’s Department of Trade and Industry and published by the British Standards Institution. The standard outlines how an information security management system (ISMS) (aka security program) should be built and maintained. The goal was to provide guidance to organizations on how to design, implement, and maintain policies, processes, and technologies to manage risks to its sensitive information assets.

Answer 81

Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction. Organizational security standards may specify how hardware and software products are to be used. They can also be used to indicate expected user behavior. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform (standardized) manner across the organization. An organizational standard may require that all employees wear their company identification badges at all times, that they challenge unknown individuals about their identity and purpose for being in a specific area, or that they encrypt confidential information. These rules are compulsory within a company, and if they are going to be effective, they must be enforced.

Answer 82

* Plan and Organize * Establish management commitment. * Establish oversight steering committee. * Assess business drivers. * Develop a threat profile on the organization. * Carry out a risk assessment. * Develop security architectures at business, data, application, and infrastructure levels. * Identify solutions per architecture level. * Obtain management approval to move forward. * Implement * Assign roles and responsibilities. * Develop and implement security policies, procedures, standards, baselines, and guidelines. * Identify sensitive data at rest and in transit. * Implement the following blueprints: * Asset identification and management * Risk management * Vulnerability management * Compliance * Identity management and access control * Change control * Software development life cycle * Business continuity planning * Awareness and training * Physical security * Incident response * Implement solutions (administrative, technical, physical) per blueprint. * Develop auditing and monitoring solutions per blueprint. * Establish goals, service level agreements (SLAs), and metrics per blueprint. * Operate and Maintain * Follow procedures to ensure all baselines are met in each implemented blueprint. * Carry out internal and external audits. * Carry out tasks outlined per blueprint. * Manage SLAs per blueprint. * Monitor and Evaluate * Review logs, audit results, collected metric values, and SLAs per blueprint. * Assess goal accomplishments per blueprint. * Carry out quarterly meetings with steering committees. * Develop improvement steps and integrate into the Plan and Organize phase.

Answer 83

Our reconnaissance mission gathered important intelligence on our enemy, but a software glitch resulted in us bombing the wrong country.Response: Let’s blame it on NATO.

Answer 84

Organizational (master), issue-specific, system-specific.

Answer 85

Fundamental Principles of SecurityWe need to understand the core goals of security, which are to provide availability, integrity, and confidentiality (AIC triad) protection for critical assets. Each asset will require different levels of these types of protection, as we will see in the following sections. All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.

Answer 86

I am vulnerable and see you as a threat.Response: Good.

Answer 87

Risk analysis provides a cost/benefit comparison, which compares the annualized cost of controls to the potential cost of loss. A control, in most cases, should not be implemented unless the annualized cost of loss exceeds the annualized cost of the control itself. This means that if a facility is worth $100,000, it does not make sense to spend $150,000 trying to protect it.

Answer 88

The danger of a threat agent exploiting a vulnerability.

Answer 89

* The employee must leave the facility immediately under the supervision of a manager or security guard. * The employee must surrender any identification badges or keys, complete an exit interview, and return company supplies. * That user’s accounts and passwords should be disabled or changed immediately.

Answer 90

Safeguard that is put in place to reduce a risk, also called a countermeasure.

Answer 91

The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

Answer 92

Functionality is what a control does, and its effectiveness is how well the control does it.

Answer 93

The oracle Delphi told me that everyone agrees with me.Response: Okay, let’s do this again—anonymously.

Answer 94

Set of control objectives for IT management developed by Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

Answer 95

The probability of a threat agent exploiting a vulnerability and the associated impact.

Answer 96

Security Program DevelopmentNo organization is going to put all the previously listed items (ISO/IEC 27000, COSO, Zachman, SABSA, CobiT, NIST 800-53, ITIL, Six Sigma, CMMI) in place. But it is a good toolbox of things you can pull from, and you will find some fit the organization you work in better than others. You will also find that as your organization’s security program matures, you will see more clearly where these various standards, frameworks, and management components come into play. While these items are separate and distinct, there are basic things that need to be built in for any security program and its corresponding controls. This is because the basic tenets of security are universal no matter if they are being deployed in a corporation, government agency, business, school, or nonprofit organization. Each entity is made up of people, processes, data, and technology and each of these things needs to be protected.

Answer 97

Former WorldCom Chief Financial Officer Scott Sullivan was sentenced to five years in prison for his role in engineering the $ 11 billion accounting fraud that led to the bankruptcy of the telecommunications powerhouse.

Answer 98

I have a feeling that we are secure.Response: Great! Let’s all go home.

Answer 99

* Calculations can be complex. Can management understand how these values were derived? * Without automated tools, this process is extremely laborious. * More preliminary work is needed to gather detailed information about the environment. * Standards are not available. Each vendor has its own way of interpreting the processes and their results.

Answer 100

Hey, we need a sacrificial lamb in case things go bad.Response: We already have one. He’s called the chief security officer.

Answer 101

A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

Answer 102

The process enhancement piece can be quite beneficial to an organization if it takes advantage of this capability when it is presented to them. When an organization is serious about securing their environment, it means they will have to take a close look at many of the business processes that take place on an ongoing process. Many times these processes are viewed through the eyeglasses of security, because that’s the reason for the activity, but this is a perfect chance to enhance and improve upon the same processes to increase productivity. When you look at many business processes taking place in all types of organizations, you commonly find a duplication of efforts, manual steps that can be easily automated, or ways to streamline and reduce time and effort that are involved in certain tasks. This is commonly referred to as process reengineering.

Answer 103

My love letter to my dog is top secret.Response: As it should be.

Answer 104

The countermeasure doesn’t work, but it has a fun interface.Response: Good enough.

Answer 105

Fixes components or systems after an incident has occurred

Answer 106

* Monetary values assigned to assets * Comprehensive list of all possible and significant threats * Probability of the occurrence rate of each threat * Loss potential the company can endure per threat in a 12-month time span * Recommended controls

Answer 107

Individual responsible for implementing and maintaining security controls to meet security requirements outlined by data owner.

Answer 108

* The assessments and results are subjective and opinion-based. * Eliminates the opportunity to create a dollar value for cost/benefit discussions. * Hard to develop a security budget from the results because monetary values are not used. * Standards are not available. Each vendor has its own way of interpreting the processes and their results.

Answer 109

The CSO is commonly responsible for the convergence, which is the formal cooperation between previously disjointed security functions. This mainly pertains to physical and IT security working in a more concerted manner instead of working in silos within the organization. Issues such as loss prevention, fraud prevention, business continuity planning, legal/regulatory compliance, and insurance all have physical security and IT security aspects and requirements. So one individual (CSO) overseeing and intertwining these different security disciplines allows for a more holistic and comprehensive security program.

Answer 110

Ever heard the popular mantra, “Security is not a product, it’s a process”? The statement is very true. Security should be considered and treated like any another business process—not as its own island, nor like a redheaded stepchild with cooties. (The author is a redheaded stepchild, but currently has no cooties.)

Answer 111

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security. Life is full of gray areas, and guidelines can be used as a reference during those times. Whereas standards are specific mandatory rules, guidelines are general approaches that provide the necessary flexibility for unforeseen circumstances.

Answer 112

Opinion-based method of analyzing risk with the use of scenarios and ratings.

Answer 113

* A Social Security number trace * A county/state criminal check * A federal criminal check * A sexual offender registry check * Employment verification * Education verification * Professional reference verification * An immigration check * Professional license/certification verification * Credit report * Drug screening

Answer 114

Central Computing and Telecommunications Agency Risk Analysis and Management Method.

Answer 115

The board of directors is a group of individuals who are elected by the shareholders of a corporation to oversee the fulfillment of the corporation’s charter. The goal of the board is to ensure the shareholders’ interests are being protected and that the corporation is being run properly. They are supposed to be unbiased and independent individuals who oversee the executive staff’s performance in running the company.

Answer 116

* The usefulness of data * The value of data * The age of data * The level of damage that could be caused if the data were disclosed * The level of damage that could be caused if the data were modified or corrupted * Legal, regulatory, or contractual responsibility to protect the data * Effects the data has on security * Who should be able to access the data * Who should maintain the data * Who should be able to reproduce the data * Lost opportunity costs that could be incurred if the data were not available or were corrupted

Answer 117

In risk analysis, uncertainty refers to the degree to which you lack confidence in an estimate. This is expressed as a percentage, from 0 to 100 percent. If you have a 30 percent confidence level in something, then it could be said you have a 70 percent uncertainty level. Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.

Answer 118

Many facets of the responsibilities of personnel fall under management’s umbrella, and several facets have a direct correlation to the overall security of the environment.

Answer 119

Balanced SecurityIn reality, when information security is dealt with, it is commonly only through the lens of keeping secrets secret (confidentiality). The integrity and availability threats can be overlooked and only dealt with after they are properly compromised. Some assets have a critical confidentiality requirement (company trade secrets), some have critical integrity requirements (financial transaction values), and some have critical availability requirements (e-commerce web servers). Many people understand the concepts of the AIC triad, but may not fully appreciate the complexity of implementing the necessary controls to provide all the protection these concepts cover. The following provides a short list of some of these controls and how they map to the components of the AIC triad:

Answer 120

The chief financial officer (CFO) is responsible for the corporation’s account and financial activities and the overall financial structure of the organization. This person is responsible for determining what the company’s financial needs will be and how to finance those needs. The CFO must create and maintain the company’s capital structure, which is the proper mix of equity, credit, cash, and debt financing. This person oversees forecasting and budgeting and the processes of submitting quarterly and annual financial statements to the SEC and stakeholders.

Answer 121

Business management strategy that can be used to carry out process improvement

Answer 122

Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.

Answer 123

Guideline for information security management in health organizations

Answer 124

Control access to assets based on business requirements, user management, authentication methods, and monitoring.

Answer 125

Set of internal corporate controls to help reduce the risk of financial fraud developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission

Answer 126

Detective administrative control used to uncover potential fraudulent activities.

Answer 127

Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.

Answer 128

The user is any individual who routinely uses the data for work-related tasks. The user must have the necessary level of access to the data to perform the duties within their position and is responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others.

Answer 129

It is important to figure out what you are supposed to be doing before you dig right in and start working. Anyone who has worked on a project without a properly defined scope can attest to the truth of this statement. Before an assessment and analysis is started, the team must carry out project sizing to understand what assets and threats should be evaluated. Most assessments are focused on physical security, technology security, or personnel security. Trying to assess all of them at the same time can be quite an undertaking.

Answer 130

Automated Risk Analysis MethodsCollecting all the necessary data that needs to be plugged into risk analysis equations and properly interpreting the results can be overwhelming if done manually. Several automated risk analysis tools on the market can make this task much less painful and, hopefully, more accurate. The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. The risk analysis team can also print reports and comprehensive graphs to present to management.

Answer 131

I just made all these numbers up.Response: Well, they look impressive.

Answer 132

* Identify assets and their value to the organization. * Identify vulnerabilities and threats. * Quantify the probability and business impact of these potential threats. * Provide an economic balance between the impact of the threat and the cost of the countermeasure.

Answer 133

The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.

Answer 134

Hey, custodian, clean up my mess!Response: I’m not that type of custodian.

Answer 135

The chief privacy officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties. The CPO often reports to the chief security officer.

Answer 136

Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. It is commonly used in product development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. For example, you might choose to carry out an FMEA on your organization’s network to identify single points of failure. These single points of failure represent vulnerabilities that could directly affect the productivity of the network as a whole. You would use this structured approach to identify these issues (vulnerabilities), assess their criticality (risk), and identify the necessary controls that should be put into place (reduce risk).

Answer 137

Preventive administrative control used to ensure one person cannot carry out a critical task alone.

Answer 138

Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.

Answer 139

* Confidential * Private * Sensitive * Public

Answer 140

Oh look, this paper tells us what we need to do. I am going to put smiley-face stickers all over it.

Answer 141

Costs That Make Up the ValueAn asset can have both quantitative and qualitative measurements assigned to it, but these measurements need to be derived. The actual value of an asset is determined by the importance it has to the organization as a whole. The value of an asset should reflect all identifiable costs that would arise if the asset were actually impaired. If a server cost $4,000 to purchase, this value should not be input as the value of the asset in a risk assessment. Rather, the cost of replacing or repairing it, the loss of productivity, and the value of any data that may be corrupted or lost must be accounted for to properly capture the amount the organization would lose if the server were to fail for one reason or another.

Answer 142

Our business processes, data flows, software programs, and network devices are strung together like spaghetti.

Answer 143

The British Ministry of Defence Architecture Framework (MODAF) is another recognized enterprise architecture framework based upon the DoDAF. The crux of the framework is to be able to get data in the right format to the right people as soon as possible. Modern warfare is complex, and activities happen fast, which requires personnel and systems to be more adaptable than ever before. Data needs to be captured and properly presented so that decision makers understand complex issues quickly, which allows for fast and hopefully accurate decisions.

Answer 144

Putting It TogetherTo perform a risk analysis, a company first decides what assets must be protected and to what extent. It also indicates the amount of money that can go toward protecting specific assets. Next, it must evaluate the functionality of the available safeguards and determine which ones would be most beneficial for the environment. Finally, the company needs to appraise and compare the costs of the safeguards. These steps and the resulting information enable management to make the most intelligent and informed decisions about selecting and purchasing countermeasures.

Answer 145

Map of business objectives to security, management’s support, security goals, and responsibilities.

Answer 146

Data collection method that happens in an anonymous fashion.

Answer 147

* To perform effective cost/benefit analyses * To select specific countermeasures and safeguards * To determine the level of insurance coverage to purchase * To understand what exactly is at risk * To comply with legal and regulatory requirements

Answer 148

Another approach is risk mitigation, where the risk is reduced to a level considered acceptable enough to continue conducting business. The implementation of firewalls, training, and intrusion/detection protection systems or other control types represent types of risk mitigation efforts.

Answer 149

Each business unit should have a data owner who protects the unit’s most critical information. The company’s policies must give the data owners the necessary authority to carry out their tasks.

Answer 150

Fire, water, vandalism, power loss, and natural disasters

Answer 151

The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to greater than 1 (several times a year) and anywhere in between. For example, if the probability of a fire taking place and damaging our data warehouse is once every ten years, the ARO value is 0.1.

Answer 152

Approach to map specific flaws to root causes in complex systems.

Answer 153

Presence of a vulnerability, which exposes the organization to a threat.

Answer 154

Application OwnerSome applications are specific to individual business units—for example, the accounting department has accounting software, R&D has software for testing and development, and quality assurance uses some type of automated system. The application owners, usually the business unit managers, are responsible for dictating who can and cannot access their applications (subject to staying in compliance with the company’s security policies, of course).

Answer 155

Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard. A company may choose to take on total risk if the cost/benefit analysis results indicate this is the best course of action. For example, if there is a small likelihood that a company’s web servers can be compromised, and the necessary safeguards to provide a higher level of protection cost more than the potential loss in the first place, the company will choose not to implement the safeguard, choosing to deal with the total risk.

Answer 156

16. A. It is referred to as the health informatics, and its purpose is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.

Answer 157

Full risk amount before a control is put into place. Threats × vulnerabilities × assets = total risk.

Answer 158

An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users’ passwords captured and used in an unauthorized manner. If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.

Answer 159

Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.

Answer 160

Guideline for information and communications technology readiness for business continuity

Answer 161

One consultant said this threat could cost us $150,000, another consultant said it was red, and the audit team assigned it a four. Should we be concerned or not?

Answer 162

Chief Privacy OfficerThe chief privacy officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties. The CPO often reports to the chief security officer.

Answer 163

I came up with the solution to world peace, but then I forgot it.Response: Write it down on this napkin next time.

Answer 164

The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others’ thought processes and enables them to participate in an independent and anonymous way. Each member of the group provides his or her opinion of a certain threat and turns it in to the team that is performing the analysis. The results are compiled and distributed to the group members, who then write down their comments anonymously and return them to the analysis group. The comments are compiled and redistributed for more comments until a consensus is formed. This method is used to obtain an agreement on cost, loss values, and probabilities of occurrence without individuals having to agree verbally.

Answer 165

We have our architecture. Now what do we put inside it?Response: Marshmallows.

Answer 166

As you will see in the following sections, various profit and nonprofit organizations have developed their own approaches to security management, security control objectives, process management, and enterprise development. We will examine their similarities and differences and illustrate where each is used within the industry.

Answer 167

The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional it is your responsibility to know which is the best approach for your organization and its needs.

Answer 168

The reason a company implements countermeasures is to reduce its overall risk to an acceptable level. As stated earlier, no system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk.

Answer 169

* Strict and granular access control for all levels of sensitive data and programs (see Chapter 3 for coverage of access controls, along with file system permissions that should be understood) * Encryption of data while stored and while in transmission (see Chapter 7 for coverage of all types of encryption technologies) * Auditing and monitoring (determine what level of auditing is required and how long logs are to be retained) * Separation of duties (determine whether two or more people must be involved in accessing sensitive information to protect against fraudulent activities; if so, define and document procedures) * Periodic reviews (review classification levels, and the data and programs that adhere to them, to ensure they are still in alignment with business needs; data or applications may also need to be reclassified or declassified, depending upon the situation) * Backup and recovery procedures (define and document) * Change control procedures (define and document) * Physical security protection (define and document) * Information flow channels (where does the sensitive data reside and how does it transverse the network) * Proper disposal actions, such as shredding, degaussing, and so on (define and document) * Marking, labeling, and handling procedures

Answer 170

We have this ladder, some rubber bands, and this Band-Aid.Response: Okay, we are covered.

Answer 171

A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the company’s assets (senior management) are driving the program. Senior management are not only ultimately responsible for the protection of the organization, but also hold the purse strings for the necessary funding, have the authority to assign needed resources, and are the only ones who can ensure true enforcement of the stated security rules and policies. Management’s support is one of the most important pieces of a security program. A simple nod and a wink will not provide the amount of support required.

Answer 172

Product Line ManagerWho’s responsible for explaining business requirements to vendors and wading through their rhetoric to see if the product is right for the company? Who is responsible for ensuring compliance to license agreements? Who translates business requirements into objectives and specifications for the developer of a product or solution? Who decides if the company really needs to upgrade their operating system version every time Microsoft wants to make more money? That would be the product line manager.

Answer 173

This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.

Answer 174

* Firewalls * Intrusion detection system * Intrusion prevention systems * Antimalware * Access control * Encryption

Answer 175

Chief Information OfficerOn a lower rung of the food chain is the chief information officer (CIO). This individual can report to the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in many organizations. CIOs oversee and are responsible for the day-in-day-out technology operations of a company, but because organizations are so dependent upon technology, CIOs are being asked to sit at the big boys’ corporate table more and more.

Answer 176

This type of policy ensures that the organization is following standards set by specific industry regulations (HIPAA, GLBA, SOX, PCI-DSS, etc.). It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries.

Answer 177

Model for the development of enterprise architectures developed by John Zachman

Answer 178

Our policies are very informative and look very professional.Response: Doesn’t matter. Nobody cares.

Answer 179

U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals

Answer 180

Accidental or intentional action or inaction that can disrupt productivity

Answer 181

Data AnalystHaving proper data structures, definitions, and organization is very important to a company. The data analyst is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it. For example, payroll information should not be mixed with inventory information, the purchasing department needs to have a lot of its values in monetary terms, and the inventory system must follow a standardized naming scheme. The data analyst may be responsible for architecting a new system that will hold company information, or advise in the purchase of a product that will do so.

Answer 182

Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices.

Answer 183

Guidelines for bodies providing audit and certification of information security management systems

Answer 184

* Fence * Locked external doors * Closed-circuit TV * Security guard * Locked internal doors * Locked server room * Physically secured computers (cable locks)

Answer 185

Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.

Answer 186

John Rigas, the CEO of Adelphia Communications Corp., was sentenced to 15 years in prison for his role in the looting and debt-hiding scandal that pummeled the company into bankruptcy. His son, who also held an executive position, was sentenced to 20 years.

Answer 187

* Business Architecture * Data Architecture * Applications Architecture * Technology Architecture

Answer 188

The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

Answer 189

The risk analysis team should have clearly defined goals. The following is a short list of what generally is expected from the results of a risk analysis:

Answer 190

One instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset. Asset Value × Exposure Factor = SLE.

Answer 191

Approach that dissects a component into its basic functions to identify flaws and those flaws’ effects.

Answer 192

Create and maintain an organizational security structure through the use of a security forum, a security officer, defining security responsibilities, authorization processes, outsourcing, and independent reviews.

Answer 193

The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.

Answer 194

* Does security take place in silos throughout the organization? * Is there a continual disconnect between senior management and the security staff? * Are redundant products purchased for different departments for overlapping security needs? * Is the security program made up of mainly policies without actual implementation and enforcement? * When user access requirements increase because of business needs, does the network administrator just modify the access controls without the user manager’s documented approval? * When a new product is being rolled out, do unexpected interoperability issues pop up that require more time and money to fix? * Do many “one-off” efforts take place instead of following standardized procedures when security issues arise? * Are the business unit managers unaware of their security responsibilities and how their responsibilities map to legal and regulatory requirements? * Is “sensitive data” defined in a policy, but the necessary controls are not fully implemented and monitored? * Are stovepipe (point) solutions implemented instead of enterprise-wide solutions? * Are the same expensive mistakes continuing to take place? * Is security governance currently unavailable because the enterprise is not viewed or monitored in a standardized and holistic manner? * Are business decisions being made without taking security into account? * Are security personnel usually putting out fires with no real time to look at and develop strategic approaches? * Are security efforts taking place in business units that other business units know nothing about? * Are more and more security personnel seeking out shrinks and going on antidepressant or anti-anxiety medication?

Answer 195

Sharing trade secrets, fraud, espionage, and theft

Answer 196

Individual responsible for the protection and classification of a specific data set.

Answer 197

Now that we built this thing, how do we manage it?Response: Try kicking it.

Answer 198

Enterprise Architectures: Scary BeastsIf these enterprise architecture models are new to you and a bit confusing, do not worry; you are not alone. While enterprise architecture frameworks are great tools to understand and help control all the complex pieces within an organization, the security industry is still maturing in its use of these types of architectures. Most companies develop policies and then focus on the technologies to enforce those policies, which skips the whole step of security enterprise development. This is mainly because the information security field is still learning how to grow up and out of the IT department and into established corporate environments. As security and business truly become more intertwined, these enterprise frameworks won’t seem as abstract and foreign, but useful tools that are properly leveraged.

Answer 199

When looking at the business enablement requirement of the security enterprise architecture, we need to remind ourselves that companies are in business to make money. Companies and organizations do not exist for the sole purpose of being secure. Security cannot stand in the way of business processes, but should be implemented to better enable them.

Answer 200

On a lower rung of the food chain is the chief information officer (CIO). This individual can report to the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in many organizations. CIOs oversee and are responsible for the day-in-day-out technology operations of a company, but because organizations are so dependent upon technology, CIOs are being asked to sit at the big boys’ corporate table more and more.

Answer 201

Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce

Answer 202

A security steering committee is responsible for making decisions on tactical and strategic security issues within the enterprise as a whole and should not be tied to one or more business units. The group should be made up of people from all over the organization so they can view risks and the effects of security decisions on individual departments and the organization as a whole. The CEO should head this committee, and the CFO, CIO, department managers, and chief internal auditor should all be on it.

Answer 203

* Cost to acquire or develop the asset * Cost to maintain and protect the asset * Value of the asset to owners and users * Value of the asset to adversaries * Price others are willing to pay for the asset * Cost to replace the asset if lost * Operational and production activities affected if the asset is unavailable * Liability issues if the asset is compromised * Usefulness and role of the asset in the organization

Answer 204

Only by reassessing the risks on a periodic basis can a statement of safeguard performance be trusted. If the risk has not changed, and the safeguards implemented are functioning in good order, then it can be said that the risk is being properly mitigated. Regular IRM monitoring will support the information security risk ratings.

Answer 205

Calculating the value of a control. (ALE before implementing a control) – (ALE after implementing a control) – (annual cost of control) = value of control.

Answer 206

The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. And the data owner will deal with security violations pertaining to the data she is responsible for protecting. The data owner, who obviously has enough on her plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.

Answer 207

The classifications listed in the table are commonly used in the industry, but there is a lot of variance. An organization first must decide the number of data classifications that best fit its security needs, then choose the classification naming scheme, and then define what the names in those schemes represent. Company A might use the classification level “confidential,” which represents its most sensitive information. Company B might use “top secret,” “secret,” and “confidential,” where confidential represents its least sensitive information. Each organization must develop an information classification scheme that best fits its business and security needs.

Answer 208

A security control must make good business sense, meaning it is cost-effective (its benefit outweighs its cost). This requires another type of analysis: a cost/benefit analysis. A commonly used cost/benefit calculation for a given safeguard (control) is:

Answer 209

Should we map and integrate all of our security efforts with our business efforts?Response: No, we are more comfortable with chaos and wasting money.

Answer 210

Australia and New Zealand business risk management assessment approach.

Brainscape's Knowledge GenomeTM

CHAPTER 2_Information Security Governance and Risk Management Flashcards

Brainscape's Knowledge Genome^TM