CHAPTER 2_Information Security Governance and Risk Management Flashcards
Bullets: SABSA model
Model and methodology for the development of information security enterprise architectures
Explanations: Change Control Analyst
I have analyzed your change request and it will destroy this company. Response: I am okay with that.
Explanation Bullets: A common hierarchy of security policies is outlined here, which illustrates the relationship between the master policy and the issue-specific policies that support it:
- Organizational policy
- Acceptable use policy
- Risk management policy
- Vulnerability management policy
- Data protection policy
- Access control policy
- Business continuity policy
- Log aggregation and auditing policy
- Personnel security policy
- Physical security policy
- Secure application development policy
- Change control policy
- E-mail policy
- Incident response policy
Bullets: Defense-in-depth
Implementation of multiple controls so that successful penetration and compromise is more difficult to attain
Bullets: July 2005
WorldCom ex-Chief Executive Officer Bernard Ebbers was sentenced to 25 years in prison for his role in orchestrating the biggest corporate fraud in the nation’s history.
Bullets: Confidentiality
Necessary level of secrecy is enforced and unauthorized disclosure is prevented.
Bullets: ISO/IEC 27013
Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
Explanation Bullets: The organizational security policy has several important characteristics that must be understood and implemented:
- Business objectives should drive the policy’s creation, implementation, and enforcement. The policy should not dictate business objectives.
- It should be an easily understood document that is used as a reference point for all employees and management.
- It should be developed and used to integrate security into all business functions and processes.
- It should be derived from and support all legislation and regulations applicable to the company.
- It should be reviewed and modified as a company changes, such as through adoption of a new business model, a merger with another company, or change of ownership.
- Each iteration of the policy should be dated and under version control.
- The units and individuals who are governed by the policy must have easy access to it. Policies are commonly posted on portals on an intranet.
- It should be created with the intention of having the policies in place for several years at a time. This will help ensure policies are forward-thinking enough to deal with potential changes that may arise.
- The level of professionalism in the presentation of the policies reinforces their importance as well as the need to adhere to them.
- It should not contain language that isn’t readily understood by everyone. Use clear and declarative statements that are easy to understand and adopt.
- It should be reviewed on a regular basis and adapted to correct incidents that have occurred since the last review and revision of the policies.
Bullets: SP 800-53
Set of controls to protect U.S. federal systems developed by the National Institute of Standards and Technology (NIST)
Emphasis: Response: No, we are more comfortable with chaos and wasting money
Should we map and integrate all of our security efforts with our business efforts? Response: No, we are more comfortable with chaos and wasting money.
Explanations: Information Risk Management Policy
How do I put all of these risk management pieces together? Response: Let’s check out the policy.
Explanations: Protection Mechanisms
Okay, so we know we are at risk, and we know the probability of it happening. Now, what do we do?
Bullets: ISO/IEC 27037
Guideline for identification, collection, and/or acquisition and preservation of digital evidence
Bullets: Business continuity management
Counter disruptions of normal operations by using continuity planning and testing.
Emphasis: risk assessment
A risk assessment, which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.
Bullets: Social engineering
Gaining unauthorized access by tricking someone into divulging sensitive information.
Emphasis: Why So Many Roles?
Most organizations will not have all the roles previously listed, but what is important is to build an organizational structure that contains the necessary roles and map the correct security responsibilities to them. This structure includes clear definitions of responsibilities, lines of authority and communication, and enforcement capabilities. A clear-cut structure takes the mystery out of who does what and how things are handled in different situations.
Bullets: Loss of data
Intentional or unintentional loss of information to unauthorized receivers
Explanation Bullets: The cost of a countermeasure is more than just the amount filled out on the purchase order. The following items should be considered and evaluated when deriving the full cost of a countermeasure:
- Product costs
- Design/planning costs
- Implementation costs
- Environment modifications
- Compatibility with other countermeasures
- Maintenance requirements
- Testing requirements
- Repair, replacement, or update costs
- Operating and support costs
- Effects on productivity
- Subscription costs
- Extra man-hours for monitoring and responding to alerts
- Beer for the headaches that this new tool will bring about
Explanation Bullets: So up to this point, we have accomplished the following items:
- Developed a risk management policy
- Developed a risk management team
- Identified company assets to be assessed
- Calculated the value of each asset
- Identified the vulnerabilities and threats that can affect the identified assets
- Chose a risk assessment methodology that best fits our needs
Explanations: The Risk Management Team
Fred is always scared of stuff. He is going to head up our risk team. Response: Fair enough.
Emphasis: vulnerability
A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.
Bullets: January 2004
Enron ex-Chief Financial Officer Andrew Fastow was given a ten-year prison sentence for his accounting scandals, which was a reduced term because he cooperated with prosecutors.
Bullets: Mandatory vacation
Detective administrative control used to uncover potential fraudulent activities by requiring a person to be away from the organization for a period of time.