Chapter 2: Information Security Governance and Risk Management Flashcards

1
Q

Bullets: SABSA model

A

Model and methodology for the development of information security enterprise architectures

2
Q

Explanations: Change Control Analyst

A

I have analyzed your change request and it will destroy this company. Response: I am okay with that.

3
Q

Explanation Bullets: A common hierarchy of security policies is outlined here, which illustrates the relationship between the master policy and the issue-specific policies that support it:

A
  • Organizational policy
  • Acceptable use policy
  • Risk management policy
  • Vulnerability management policy
  • Data protection policy
  • Access control policy
  • Business continuity policy
  • Log aggregation and auditing policy
  • Personnel security policy
  • Physical security policy
  • Secure application development policy
  • Change control policy
  • E-mail policy
  • Incident response policy
4
Q

Bullets: Defense-in-depth

A

Implementation of multiple controls so that successful penetration and compromise is more difficult to attain

5
Q

Bullets: July 2005

A

WorldCom ex-Chief Executive Officer Bernard Ebbers was sentenced to 25 years in prison for his role in orchestrating the biggest corporate fraud in the nation’s history.

6
Q

Bullets: Confidentiality

A

Necessary level of secrecy is enforced and unauthorized disclosure is prevented.

7
Q

Bullets: ISO/IEC 27013

A

Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001

8
Q

Explanation Bullets: The organizational security policy has several important characteristics that must be understood and implemented:

A
  • Business objectives should drive the policy’s creation, implementation, and enforcement. The policy should not dictate business objectives.
  • It should be an easily understood document that is used as a reference point for all employees and management.
  • It should be developed and used to integrate security into all business functions and processes.
  • It should be derived from and support all legislation and regulations applicable to the company.
  • It should be reviewed and modified as a company changes, such as through adoption of a new business model, a merger with another company, or change of ownership.
  • Each iteration of the policy should be dated and under version control.
  • The units and individuals who are governed by the policy must have easy access to it. Policies are commonly posted on portals on an intranet.
  • It should be created with the intention of having the policies in place for several years at a time. This will help ensure policies are forward-thinking enough to deal with potential changes that may arise.
  • The level of professionalism in the presentation of the policies reinforces their importance as well as the need to adhere to them.
  • It should not contain language that isn’t readily understood by everyone. Use clear and declarative statements that are easy to understand and adopt.
  • It should be reviewed on a regular basis and adapted to correct incidents that have occurred since the last review and revision of the policies.
9
Q

Bullets: SP 800-53

A

Set of controls to protect U.S. federal systems developed by the National Institute of Standards and Technology (NIST)

10
Q

Emphasis: Response: No, we are more comfortable with chaos and wasting money

A

Should we map and integrate all of our security efforts with our business efforts? Response: No, we are more comfortable with chaos and wasting money.

11
Q

Explanations: Information Risk Management Policy

A

How do I put all of these risk management pieces together? Response: Let’s check out the policy.

12
Q

Explanations: Protection Mechanisms

A

Okay, so we know we are at risk, and we know the probability of it happening. Now, what do we do?

13
Q

Bullets: ISO/IEC 27037

A

Guideline for identification, collection, and/or acquisition and preservation of digital evidence

14
Q

Bullets: Business continuity management

A

Counter disruptions of normal operations by using continuity planning and testing.

15
Q

Emphasis: risk assessment

A

A risk assessment, which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

16
Q

Bullets: Social engineering

A

Gaining unauthorized access by tricking someone into divulging sensitive information.

17
Q

Emphasis: Why So Many Roles?

A

Why So Many Roles?

Most organizations will not have all the roles previously listed, but what is important is to build an organizational structure that contains the necessary roles and map the correct security responsibilities to them. This structure includes clear definitions of responsibilities, lines of authority and communication, and enforcement capabilities. A clear-cut structure takes the mystery out of who does what and how things are handled in different situations.

18
Q

Bullets: Loss of data

A

Intentional or unintentional loss of information to unauthorized receivers

19
Q

Explanation Bullets: The cost of a countermeasure is more than just the amount filled out on the purchase order. The following items should be considered and evaluated when deriving the full cost of a countermeasure:

A
  • Product costs
  • Design/planning costs
  • Implementation costs
  • Environment modifications
  • Compatibility with other countermeasures
  • Maintenance requirements
  • Testing requirements
  • Repair, replacement, or update costs
  • Operating and support costs
  • Effects on productivity
  • Subscription costs
  • Extra man-hours for monitoring and responding to alerts
  • Beer for the headaches that this new tool will bring about
20
Q

Explanation Bullets: So up to this point, we have accomplished the following items:

A
  • Developed a risk management policy
  • Developed a risk management team
  • Identified company assets to be assessed
  • Calculated the value of each asset
  • Identified the vulnerabilities and threats that can affect the identified assets
  • Chose a risk assessment methodology that best fits our needs
21
Q

Explanations: The Risk Management Team

A

Fred is always scared of stuff. He is going to head up our risk team. Response: Fair enough.

22
Q

Emphasis: vulnerability

A

A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.

23
Q

Bullets: January 2004

A

Enron ex-Chief Financial Officer Andrew Fastow was given a ten-year prison sentence for his accounting scandals, which was a reduced term because he cooperated with prosecutors.

24
Q

Bullets: Mandatory vacation

A

Detective administrative control used to uncover potential fraudulent activities by requiring a person to be away from the organization for a period of time.

25
Q

Explanations: Security Analyst

A

I have analyzed your security and you have it all wrong. Response: What a surprise.

26
Q

Bullets: ISO/IEC 27004

A

Guideline for information security management measurement and metrics framework

27
Q

Bullets: ISO/IEC 27033

A

Guideline for IT network security, a multipart standard based on ISO/IEC 18028:2006

28
Q

Emphasis: qualitative

A

Another method of risk analysis is qualitative, which does not assign numbers and monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. (A wide sweeping analysis can include hundreds of scenarios.) Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed, as well as the culture of the company and individuals involved with the analysis.

29
Q

Bullets: Facilitated Risk Analysis Process (FRAP)

A

A focused, qualitative approach that carries out prescreening to save time and money.

30
Q

Bullets: Deterrent

A

Intended to discourage a potential attacker

31
Q

Explanation Bullets: Quick Tips

A
  • The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.
  • A vulnerability is the absence of or weakness in a control.
  • A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.
  • A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
  • A countermeasure, also called a safeguard or control, mitigates the risk.
  • A control can be administrative, technical, or physical and can provide deterrent, preventive, detective, corrective, or recovery protection.
  • A compensating control is an alternate control that is put into place because of financial or business functionality reasons.
  • CobiT is a framework of control objectives and allows for IT governance.
  • ISO/IEC 27001 is the standard for the establishment, implementation, control, and improvement of the information security management system.
  • The ISO/IEC 27000 series were derived from BS 7799 and are international best practices on how to develop and maintain a security program.
  • Enterprise architecture frameworks are used to develop architectures for specific stakeholders and present information in views.
  • An information security management system (ISMS) is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO/IEC 27001.
  • Enterprise security architecture is a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.
  • Blueprints are functional definitions for the integration of technology into business processes.
  • Enterprise architecture frameworks are used to build individual architectures that best map to individual organizational needs and business drivers.
  • Zachman is an enterprise architecture framework, and SABSA is a security enterprise architecture framework.
  • COSO is a governance model used to help prevent fraud within a corporate environment.
  • ITIL is a set of best practices for IT service management.
  • Six Sigma is used to identify defects in processes so that the processes can be improved upon.
  • CMMI is a maturity model that allows for processes to improve in an incremented and standard approach.
  • Security enterprise architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.
  • NIST 800-53 uses the following control categories: technical, management, and operational.
  • OCTAVE is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.
  • Security management should work from the top down (from senior management down to the staff).
  • Risk can be transferred, avoided, reduced, or accepted.
  • Threats × vulnerability × asset value = total risk.
  • (Threats × vulnerability × asset value) × controls gap = residual risk.
  • The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
  • Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
  • A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.
  • A quantitative risk analysis attempts to assign monetary values to components within the analysis.
  • A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
  • Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
  • Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
  • Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE).
  • Qualitative risk analysis uses judgment and intuition instead of numbers.
  • Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
  • The Delphi technique is a group decision method where each group member can communicate anonymously.
  • When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
  • A security policy is a statement by management dictating the role security plays in the organization.
  • Procedures are detailed step-by-step actions that should be followed to achieve a certain task.
  • Standards are documents that outline rules that are compulsory in nature and support the organization’s security policies.
  • A baseline is a minimum level of security.
  • Guidelines are recommendations and general approaches that provide advice and flexibility.
  • Job rotation is a detective administrative control to detect fraud.
  • Mandatory vacations are a detective administrative control type that can help detect fraudulent activities.
  • Separation of duties ensures no single person has total control over a critical activity or task. It is a preventative administrative control.
  • Split knowledge and dual control are two aspects of separation of duties.
  • Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels.
  • Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.
  • Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team’s findings.
  • The risk management team should include individuals from different departments within the organization, not just technical personnel.
  • Social engineering is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.
  • Personal identification information (PII) is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected.
  • Security governance is a framework that provides oversight, accountability, and compliance.
  • ISO/IEC 27004:2009 is an international standard for information security measurement management.
  • NIST 800-55 is a standard for performance measurement for information security.
32
Q

Bullets: ISO/IEC 27002

A

Code of practice for information security management

33
Q

Emphasis: What

A

• What are you trying to do at this layer? The assets to be protected by your security architecture.

34
Q

Explanations: Outsourcing

A

I am sure that company, based in another country that we have never met or ever heard of, will protect our most sensitive secrets just fine. Response: Yeah, they seem real nice.

35
Q

Emphasis: threat agent

A

A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.

36
Q

Emphasis: Security Administrator

A

Security Administrator

The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. These controls commonly include firewalls, IDS, IPS, antimalware, security proxies, data loss prevention, etc. It is common for there to be delineation between the security administrator and the network administrator. The security administrator has the main focus of keeping the network secure, and the network administrator has the focus of keeping things up and running.

37
Q

Emphasis: chief security officer (CSO)

A

The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.

38
Q

Explanation Bullets: This committee should meet at least quarterly and have a well-defined agenda. Some of the group’s responsibilities are as follows:

A
  • Define the acceptable risk level for the organization.
  • Develop security objectives and strategies.
  • Determine priorities of security initiatives based on business needs.
  • Review risk assessment and auditing reports.
  • Monitor the business impact of security risks.
  • Review major security breaches and incidents.
  • Approve any major change to the security policy and program.
39
Q

Explanations: NIST 800-53

A

CobiT contains control objectives used within the private sector; the U.S. government has its own set of requirements when it comes to controls for federal information systems and organizations.

40
Q

Emphasis: issue-specific policy

A

An issue-specific policy, also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes, that specifies which e-mail functionality employees can or cannot use, and that addresses specific privacy issues.

41
Q

Bullets: Annualized loss expectancy

A

Annual expected loss if a specific vulnerability is exploited and how it affects a single asset.

42
Q

Bullets: Application error

A

Computation errors, input errors, and buffer overflows

43
Q

Bullets: Policy

A

High-level document that outlines senior management’s security directives.

44
Q

Explanation Bullets: CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985 to deal with fraudulent financial activities and reporting. The COSO framework is made up of the following components:

A
  • Control environment
  • Management’s philosophy and operating style
  • Company culture as it pertains to ethics and fraud
  • Risk assessment
  • Establishment of risk objectives
  • Ability to manage internal and external change
  • Control activities
  • Policies, procedures, and practices put in place to mitigate risk
  • Information and communication
  • Structure that ensures that the right people get the right information at the right time
  • Monitoring
  • Detecting and responding to control deficiencies
45
Q

Bullets: Shoulder surfing

A

Viewing information in an unauthorized manner by looking over the shoulder of someone else.

46
Q

Emphasis: CSO vs. CISO

A

CSO vs. CISO

The CSO and chief information security officer (CISO) may have similar or very different responsibilities. How is that for clarification? It is up to the individual organization to define the responsibilities of these two roles and whether they will use both, either, or neither. By and large, the CSO role usually has a farther-reaching list of responsibilities compared to the CISO role. The CISO is usually focused more on technology and has an IT background. The CSO usually is required to understand a wider range of business risks, including physical security, not just technological risks.

47
Q

Explanations: Top-down Approach

A

The janitor said we should wrap our computers in tin foil to meet our information security needs.

48
Q

Bullets: System development and maintenance

A

Implement security in all phases of a system’s lifetime through development of security requirements, cryptography, integrity protection, and software development procedures.

49
Q

Bullets: ISO/IEC 27000 series

A

International standards on how to develop and maintain an ISMS developed by ISO and IEC

50
Q

Explanation Bullets: The following shows the levels of sensitivity from the highest to the lowest for military purposes:

A
  • Top secret
  • Secret
  • Confidential
  • Sensitive but unclassified
  • Unclassified
51
Q

Explanations: Capability Maturity Model Integration

A

I only want to get better, and better, and better. Response: I only want you to go away.

52
Q

Emphasis: Who Really Understands Risk Management?

A

Who Really Understands Risk Management?

Unfortunately, the answer to this question is that not enough people inside or outside of the security profession really understand risk management. Even though information security is big business today, the focus is more on applications, devices, viruses, and hacking. Although these items all must be considered and weighed in risk management processes, they should be considered small pieces of the overall security puzzle, not the main focus of risk management.

53
Q

Bullets: Standard

A

Compulsory rules that support the security policies.

54
Q

Explanations: Handling Risk

A

Now that we know about the risk, what do we do with it? Response: Hide it behind that plant.

55
Q

Bullets: Preventive

A

Intended to avoid an incident from occurring

56
Q

Bullets: Quantitative risk analysis

A

Assigning monetary and numeric values to all the data elements of a risk assessment.

57
Q

Emphasis: Enterprise Security Architecture

A

Enterprise Security Architecture

An enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS). The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease-of-use, standardization, and governance.

58
Q

Emphasis: Nondisclosure agreements

A

Nondisclosure agreements must be developed and signed by new employees to protect the company and its sensitive information. Any conflicts of interest must be addressed, and there should be different agreements and precautions taken with temporary and contract employees.

59
Q

Bullets: Advisory

A

This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical or financial information.

60
Q

Emphasis: Privacy

A

Privacy is different from security. Privacy indicates the amount of control an individual should be able to have and expect as it relates to the release of their own sensitive information. Security is the mechanisms that can be put into place to provide this level of control.

61
Q

Bullets: Collusion

A

Two or more people working together to carry out fraudulent activities.

62
Q

Bullets: NIST 800-30 Risk Management Guide for Information Technology Systems

A

A U.S. federal standard that is focused on IT risks.

63
Q

Bullets: Availability

A

Reliable and timely access to data and resources is provided to authorized individuals.

64
Q

Explanation Bullets: The following shows the common levels of sensitivity from the highest to the lowest for commercial business:

A
  • Confidential
  • Private
  • Sensitive
  • Public
65
Q

Bullets: Residual risk

A

Risk that remains after implementing a control. Threats × vulnerabilities × assets × (control gap) = residual risk.

66
Q

Bullets: December 2005

A

The former Chief Executive Officer of HealthSouth Corp. was sentenced to five years in prison for his part in the $2.7 billion scandal.

67
Q

Explanation Bullets: So how does CobiT fit into the big picture? When you develop your security policies that are aligned with the ISO/IEC 27000 series, these are high-level documents that have statements like, “Unauthorized access should not be permitted.” But who is authorized? How do we authorize individuals? How are we implementing access control to ensure that unauthorized access is not taking place? How do we know our access control components are working properly? This is really where the rubber hits the road, where words within a document (policy) come to life in real-world practical implementations. CobiT provides the objective that the real-world implementations (controls) you choose to put into place need to meet. For example, CobiT outlines the following control practices for user account management:

A
  • Using unique user IDs to enable users to be linked to and held accountable for their actions
  • Checking that the user has authorization from the system owner for the use of the information system or service, and the level of access granted is appropriate to the business purpose and consistent with the organizational security policy
  • A procedure to require users to understand and acknowledge their access rights and the conditions of such access
  • Ensuring that internal and external service providers do not provide access until authorization procedures have been completed
  • Maintaining a formal record, including access levels, of all persons registered to use the service
  • A timely and regular review of user IDs and access rights
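A check that applies these six practices to an account register, written as an added example for this page; it is not CobiT material and not code from the original text. The record format, the role-to-access map, the 90-day review window and the sample accounts are all assumptions constructed for the example.

```python
"""User access review against the six CobiT user account management practices
listed above.

Added example for this page; it is not CobiT material and not code from the
original text. The record format, the role-to-access map and the 90-day review
window are assumptions made for the example, and SAMPLE_ACCOUNTS is constructed
data.
"""
from collections import defaultdict
from datetime import date, timedelta

# Assumption: access levels the organizational security policy allows per role.
ROLE_ACCESS = {
    "analyst": {"read"},
    "developer": {"read", "write"},
    "dba": {"read", "write", "admin"},
}
REVIEW_WINDOW = timedelta(days=90)  # assumption: what "timely and regular" means here


def review_accounts(accounts, today):
    """Return (user_id, practice, detail) findings for every practice a register
    entry fails. Each entry is a dict with keys: user_id, person, role, access,
    authorized_by, authorized_on, granted_on, acknowledged, provider
    ('internal' or 'external') and last_review (a date or None)."""
    findings = []

    # Practice 1: unique user IDs. An ID used by more than one person is shared,
    # so actions taken under it cannot be tied to an individual.
    people_per_id = defaultdict(set)
    for a in accounts:
        people_per_id[a["user_id"]].add(a["person"])
    for uid, people in sorted(people_per_id.items()):
        if len(people) > 1:
            findings.append((uid, "unique IDs", f"shared by {sorted(people)}"))

    for a in accounts:
        uid = a["user_id"]
        # Practice 5: the formal record must carry the access level.
        if not a.get("access"):
            findings.append((uid, "formal record", "access level missing from register"))
        # Practice 2: system-owner authorization, and access appropriate to the role.
        if not a.get("authorized_by"):
            findings.append((uid, "owner authorization", "no system-owner approval recorded"))
        if a.get("access") and a["access"] not in ROLE_ACCESS.get(a["role"], set()):
            findings.append((uid, "appropriate access",
                             f"{a['access']} is not permitted for role {a['role']}"))
        # Practice 3: the user has acknowledged their rights and conditions of access.
        if not a.get("acknowledged"):
            findings.append((uid, "acknowledgement", "access conditions not acknowledged"))
        # Practice 4: no provider grants access before authorization is complete.
        if a.get("authorized_on") is None:
            findings.append((uid, "authorization before access",
                             f"{a['provider']} provider granted access on {a['granted_on']} "
                             "with no completed authorization"))
        elif a["granted_on"] < a["authorized_on"]:
            findings.append((uid, "authorization before access",
                             f"granted {a['granted_on']} before authorization {a['authorized_on']}"))
        # Practice 6: timely and regular review of IDs and access rights.
        last = a.get("last_review")
        if last is None or today - last > REVIEW_WINDOW:
            findings.append((uid, "regular review", f"last reviewed: {last}"))
    return findings


# Constructed sample register (not real accounts).
SAMPLE_ACCOUNTS = [
    {"user_id": "jsmith", "person": "J. Smith", "role": "analyst", "access": "read",
     "authorized_by": "finance system owner", "authorized_on": date(2024, 1, 10),
     "granted_on": date(2024, 1, 11), "acknowledged": True, "provider": "internal",
     "last_review": date(2024, 5, 1)},
    # One ID used by two people, and an analyst holding admin rights.
    {"user_id": "svc-report", "person": "J. Smith", "role": "analyst", "access": "admin",
     "authorized_by": "finance system owner", "authorized_on": date(2024, 2, 1),
     "granted_on": date(2024, 2, 1), "acknowledged": True, "provider": "internal",
     "last_review": date(2024, 1, 15)},
    {"user_id": "svc-report", "person": "K. Lee", "role": "dba", "access": "admin",
     "authorized_by": "finance system owner", "authorized_on": date(2024, 2, 1),
     "granted_on": date(2024, 2, 1), "acknowledged": True, "provider": "internal",
     "last_review": date(2024, 5, 20)},
    # External provider enabled an account with no authorization on file.
    {"user_id": "contractor7", "person": "M. Diaz", "role": "developer", "access": "write",
     "authorized_by": None, "authorized_on": None, "granted_on": date(2024, 3, 1),
     "acknowledged": False, "provider": "external", "last_review": None},
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for uid, practice, detail in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{uid:12s} {practice:28s} {detail}")
```

Each finding names the practice that failed, so the output of a review can be mapped straight back to the control objective that an auditor will ask about. The two entries sharing the ID svc-report illustrate why practice 1 matters: whatever was done under that account cannot be attributed to either person.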
68
Q

Bullets: ISO/IEC 27007

A

Guideline for information security management systems auditing

69
Q

Bullets: ISO/IEC 27011

A

Information security management guidelines for telecommunications organizations

70
Q

Emphasis: Security effectiveness

A

Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how well the current security solutions, and the architecture as a whole, are performing.

71
Q

Bullets: TOGAF

A

Model and methodology for the development of enterprise architectures developed by The Open Group

72
Q

Emphasis: exposure factor (EF)

A

The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. Multiplying the asset value by the EF gives the single loss expectancy (SLE): asset value × EF = SLE. For example, if a data warehouse has an asset value of $150,000 and it is estimated that a fire would damage 25 percent of the warehouse, the SLE would be $150,000 × 25% = $37,500.

73
Q

Emphasis: Procedures

A

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.

74
Q

Emphasis: accept the risk

A

The last approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.

75
Q

Emphasis: do

A

So the different categories of controls that can be used are administrative, technical, and physical. But what do these controls actually do for us? We need to understand the different functionality that each control type can provide us in our quest to secure our environments.

76
Q

Emphasis: IT

A

COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO also deals with non-IT items, such as company culture, financial accounting principles, the board of directors’ responsibilities, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them.

77
Q

Bullets: Uncertainty analysis

A

Assigning confidence level values to data elements.

78
Q

Explanation Bullets: This committee is usually responsible for at least the following items:

A
  • The integrity of the company’s financial statements and other financial information provided to stockholders and others
  • The company’s system of internal controls
  • The engagement and performance of the independent auditors
  • The performance of the internal audit function
  • Compliance with legal requirements, regulations, and company policies regarding ethical conduct
79
Q

Bullets: ISO/IEC 27014

A

Guideline for information security governance

80
Q

Explanations: Audit Committee

A

The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.

81
Q

Emphasis: organizational security policy

A

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address the relevant laws, regulations, and liability issues, and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.

82
Q

Bullets: SABSA framework

A

Risk-driven enterprise security architecture that maps to business initiatives, similar to the Zachman framework.

83
Q

Emphasis: system-specific policy

A

A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, and applications. An organization may have a system-specific policy outlining how a database containing sensitive information should be protected, who can have access, and how auditing should take place. It may also have a system-specific policy outlining how laptops should be locked down and managed. This policy type is directed to one or a group of similar systems and outlines how they should be protected.

84
Q

Bullets: ISO/IEC 27015

A

Information security management guidelines for the finance and insurance sectors

85
Q

Bullets: Capability Maturity Model Integration (CMMI)

A

Organizational development for process improvement developed by Carnegie Mellon

86
Q

Bullets: Detective

A

Helps identify an incident’s activities and potentially an intruder

87
Q

Explanations: Process Management Development

A

Along with ensuring that we have the proper controls in place, we also want to have ways to construct and improve our business, IT, and security processes in a structured and controlled manner. The security controls can be considered the “things,” and processes are how we use these things. We want to use them properly, effectively, and efficiently.

88
Q

Explanations: Executive Management

A

I am very important, but I am missing a “C” in my title.
Response: Then you are not so important.

89
Q

Bullets: MODAF

A

Architecture framework used mainly in military support missions developed by the British Ministry of Defence

90
Q

Explanation Bullets: Each organization is different in its size, security posture, threat profile, and security budget. One organization may have one individual responsible for IRM or a team that works in a coordinated manner. The overall goal of the team is to ensure the company is protected in the most cost-effective manner. This goal can be accomplished only if the following components are in place:

A
  • An established risk acceptance level provided by senior management
  • Documented risk assessment processes and procedures
  • Procedures for identifying and mitigating risks
  • Appropriate resource and fund allocation from senior management
  • Security-awareness training for all staff members associated with information assets
  • The ability to establish improvement (or risk mitigation) teams in specific areas when necessary
  • The mapping of legal and regulatory compliance requirements to control and implementation requirements
  • The development of metrics and performance indicators so as to measure and manage various types of risks
  • The ability to identify and assess new risks as the environment and company change
  • The integration of IRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities
91
Q

Explanations: Chief Security Officer

A

Hey, we need a sacrificial lamb in case things go bad.
Response: We already have one. He’s called the chief security officer.

92
Q

Bullets: ISO/IEC 27005

A

Guideline for information security risk management

93
Q

Explanations: Quick Tips

A

• The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.

94
Q

Emphasis: Steps of a Quantitative Risk Analysis

A

If we follow along with our previous sections in this chapter, we have already carried out our risk assessment, which is the process of gathering data for a risk analysis. We have identified the assets that are to be assessed, associated a value with each asset, and identified the vulnerabilities and threats that could affect these assets. Now we need to carry out the risk analysis portion, which means we need to figure out how to interpret all the data that was gathered during the assessment.

95
Q

Bullets: Communications and operations management

A

Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.

96
Q

Bullets: Compensating

A

Controls that provide an alternative measure of control

97
Q

Emphasis: control objectives

A

The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, the Acquire and Implement category contains the following subcategories:

98
Q

Explanations: Enterprise vs. System Architectures

A

Our operating systems follow strict and hierarchical structures, but our company is a mess.

99
Q

Bullets: Recovery

A

Intended to bring the environment back to regular operations

100
Q

Explanations: Risk Assessment and Analysis

A

I have determined that our greatest risk is this paperclip.
Response: Nice work.

101
Q

Bullets: Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

A

Team-oriented approach that assesses organizational and IT risks through facilitated workshops.

102
Q

Emphasis: enterprise security architecture

A

An enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS). The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease-of-use, standardization, and governance.

103
Q

Emphasis: control

A

A control, or countermeasure, is put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability. Examples of countermeasures include strong password management, firewalls, a security guard, access control mechanisms, encryption, and security-awareness training.

104
Q

Emphasis: British Standard 7799 (BS7799)

A

British Standard 7799 (BS7799) was developed in 1995 by the United Kingdom government’s Department of Trade and Industry and published by the British Standards Institution. The standard outlines how an information security management system (ISMS) (aka security program) should be built and maintained. The goal was to provide guidance to organizations on how to design, implement, and maintain policies, processes, and technologies to manage risks to its sensitive information assets.

105
Q

Emphasis: Standards

A

Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction. Organizational security standards may specify how hardware and software products are to be used. They can also be used to indicate expected user behavior. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform (standardized) manner across the organization. An organizational standard may require that all employees wear their company identification badges at all times, that they challenge unknown individuals about their identity and purpose for being in a specific area, or that they encrypt confidential information. These rules are compulsory within a company, and if they are going to be effective, they must be enforced.

106
Q

Explanation Bullets: The main components of each phase are provided in the following:

A
  • Plan and Organize
  • Establish management commitment.
  • Establish oversight steering committee.
  • Assess business drivers.
  • Develop a threat profile on the organization.
  • Carry out a risk assessment.
  • Develop security architectures at business, data, application, and infrastructure levels.
  • Identify solutions per architecture level.
  • Obtain management approval to move forward.
  • Implement
  • Assign roles and responsibilities.
  • Develop and implement security policies, procedures, standards, baselines, and guidelines.
  • Identify sensitive data at rest and in transit.
  • Implement the following blueprints:
  • Asset identification and management
  • Risk management
  • Vulnerability management
  • Compliance
  • Identity management and access control
  • Change control
  • Software development life cycle
  • Business continuity planning
  • Awareness and training
  • Physical security
  • Incident response
  • Implement solutions (administrative, technical, physical) per blueprint.
  • Develop auditing and monitoring solutions per blueprint.
  • Establish goals, service level agreements (SLAs), and metrics per blueprint.
  • Operate and Maintain
  • Follow procedures to ensure all baselines are met in each implemented blueprint.
  • Carry out internal and external audits.
  • Carry out tasks outlined per blueprint.
  • Manage SLAs per blueprint.
  • Monitor and Evaluate
  • Review logs, audit results, collected metric values, and SLAs per blueprint.
  • Assess goal accomplishments per blueprint.
  • Carry out quarterly meetings with steering committees.
  • Develop improvement steps and integrate into the Plan and Organize phase.
107
Q

Explanations: Military-Oriented Architecture Frameworks

A

Our reconnaissance mission gathered important intelligence on our enemy, but a software glitch resulted in us bombing the wrong country.
Response: Let’s blame it on NATO.

108
Q

Bullets: Policy types

A

Organizational (master), issue-specific, system-specific.

109
Q

Emphasis: Fundamental Principles of Security

A

We need to understand the core goals of security, which are to provide availability, integrity, and confidentiality (AIC triad) protection for critical assets. Each asset will require different levels of these types of protection, as we will see in the following sections. All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.

110
Q

Explanations: Security Definitions

A

I am vulnerable and see you as a threat.
Response: Good.

111
Q

Emphasis: cost/benefit comparison

A

Risk analysis provides a cost/benefit comparison, which compares the annualized cost of controls to the potential cost of loss. A control, in most cases, should not be implemented unless the annualized cost of loss exceeds the annualized cost of the control itself. This means that if a facility is worth $100,000, it does not make sense to spend $150,000 trying to protect it.
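The exposure factor card (72) and the cost/benefit comparison above, carried through as an added worked example; this is not code from the original text. It starts from the $150,000 warehouse and 25 percent fire EF the text uses, but the annualized rate of occurrence, the candidate controls and their costs are constructed assumptions.

```python
"""Quantitative risk analysis worked through: SLE, ALE and the cost/benefit
of candidate controls.

Added example for this page, not code from the original text. Asset values,
exposure factors, ARO values and control costs are constructed for
illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of asset value lost per occurrence, 0.0-1.0
    aro: float              # annualized rate of occurrence (expected events per year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # purchase amortized over its lifetime plus yearly upkeep
    ef_after: float     # exposure factor once the control is in place
    aro_after: float    # ARO once the control is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence."""
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control to the company:
    (ALE before control) - (ALE after control) - (annual cost of control).
    Negative means the control costs more per year than the loss it prevents."""
    return ale_before - ale_after - annual_cost


def evaluate_controls(asset_value, threat, controls):
    """Rank candidate controls (plus simply accepting the risk) by net annual
    value, best first. Returns a list of (option name, net value)."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, threat.exposure_factor), threat.aro)
    options = [("accept the risk", 0.0)]  # no control: no cost, no saving
    for c in controls:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, c.ef_after), c.aro_after)
        options.append((c.name, control_value(ale_before, ale_after, c.annual_cost)))
    return sorted(options, key=lambda o: o[1], reverse=True)


# Constructed figures: the $150,000 data warehouse and 25% fire EF from the text;
# the ARO and the two candidate controls are assumptions for the example.
WAREHOUSE_VALUE = 150_000.0
FIRE = Threat("fire", exposure_factor=0.25, aro=0.1)  # roughly one fire per decade
CANDIDATES = [
    Control("fire suppression system", annual_cost=2_000.0, ef_after=0.05, aro_after=0.1),
    Control("move to fire-rated facility", annual_cost=10_000.0, ef_after=0.02, aro_after=0.05),
]


def worked_example():
    return evaluate_controls(WAREHOUSE_VALUE, FIRE, CANDIDATES)


if __name__ == "__main__":
    sle = single_loss_expectancy(WAREHOUSE_VALUE, FIRE.exposure_factor)
    print(f"SLE = ${sle:,.0f}; ALE = ${annualized_loss_expectancy(sle, FIRE.aro):,.0f}")
    for name, value in worked_example():
        print(f"{name:32s} net annual value ${value:,.0f}")
```

With these figures the suppression system nets about $1,000 a year over doing nothing, while the relocation, although it reduces the loss far more, costs several times the annualized loss it prevents and ranks below accepting the risk. That is the cost/benefit rule of the card expressed as a comparison management can act on: the option list, not a single number, is what goes in the report.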

112
Q

Bullets: Threat

A

The danger of a threat agent exploiting a vulnerability.

113
Q

Explanation Bullets: Because terminations can happen for a variety of reasons, and terminated people have different reactions, companies should have a specific set of procedures to follow with every termination. For example:

A
  • The employee must leave the facility immediately under the supervision of a manager or security guard.
  • The employee must surrender any identification badges or keys, complete an exit interview, and return company supplies.
  • That user’s accounts and passwords should be disabled or changed immediately.
114
Q

Bullets: Control

A

Safeguard that is put in place to reduce a risk, also called a countermeasure.

115
Q

Emphasis: baseline

A

The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

116
Q

Bullets: Functionality versus effectiveness of control

A

Functionality is what a control does, and its effectiveness is how well the control does it.

117
Q

Explanations: The Delphi Technique

A

The oracle Delphi told me that everyone agrees with me.
Response: Okay, let’s do this again—anonymously.

118
Q

Bullets: CobiT

A

Set of control objectives for IT management developed by Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

119
Q

Bullets: Risk

A

The probability of a threat agent exploiting a vulnerability and the associated impact.

120
Q

Emphasis: Security Program Development

A

No organization is going to put all the previously listed items (ISO/IEC 27000, COSO, Zachman, SABSA, CobiT, NIST 800-53, ITIL, Six Sigma, CMMI) in place. But it is a good toolbox of things you can pull from, and you will find some fit the organization you work in better than others. You will also find that as your organization’s security program matures, you will see more clearly where these various standards, frameworks, and management components come into play. While these items are separate and distinct, there are basic things that need to be built in for any security program and its corresponding controls. This is because the basic tenets of security are universal no matter if they are being deployed in a corporation, government agency, business, school, or nonprofit organization. Each entity is made up of people, processes, data, and technology and each of these things needs to be protected.

121
Q

Bullets: August 2005

A

Former WorldCom Chief Financial Officer Scott Sullivan was sentenced to five years in prison for his role in engineering the $11 billion accounting fraud that led to the bankruptcy of the telecommunications powerhouse.

122
Q

Explanations: Qualitative Risk Analysis

A

I have a feeling that we are secure.
Response: Great! Let’s all go home.

123
Q

Explanation Bullets: Quantitative Cons

A
  • Calculations can be complex. Can management understand how these values were derived?
  • Without automated tools, this process is extremely laborious.
  • More preliminary work is needed to gather detailed information about the environment.
  • Standards are not available. Each vendor has its own way of interpreting the processes and their results.
125
Q

Emphasis: risk

A

A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

126
Q

Emphasis: process reengineering

A

The process enhancement piece can be quite beneficial to an organization if it takes advantage of this capability when it is presented. When an organization is serious about securing its environment, it will have to take a close look at many of the business processes that take place on an ongoing basis. Many times these processes are viewed through the eyeglasses of security, because that is the reason for the activity, but this is a perfect chance to enhance and improve the same processes to increase productivity. When you look at the business processes taking place in all types of organizations, you commonly find duplication of effort, manual steps that can easily be automated, or ways to streamline and reduce the time and effort involved in certain tasks. This is commonly referred to as process reengineering.

127
Q

Explanations: Information Classification

A

My love letter to my dog is top secret.
Response: As it should be.

128
Q

Explanations: Functionality and Effectiveness of Countermeasures

A

The countermeasure doesn’t work, but it has a fun interface.
Response: Good enough.

129
Q

Bullets: Corrective

A

Fixes components or systems after an incident has occurred

130
Q

Results of a Quantitative Risk Analysis : The risk analysis team should have clearly defined goals. The following is a short list of what generally is expected from the results of a risk analysis:

A
  • Monetary values assigned to assets
  • Comprehensive list of all possible and significant threats
  • Probability of the occurrence rate of each threat
  • Loss potential the company can endure per threat in a 12-month time span
  • Recommended controls
131
Q

Bullets: Data custodian

A

Individual responsible for implementing and maintaining security controls to meet security requirements outlined by data owner.

132
Q

Explanation Bullets: Qualitative Cons

A
  • The assessments and results are subjective and opinion-based.
  • Eliminates the opportunity to create a dollar value for cost/benefit discussions.
  • Hard to develop a security budget from the results because monetary values are not used.
  • Standards are not available. Each vendor has its own way of interpreting the processes and their results.
133
Q

Emphasis: convergence

A

The CSO is commonly responsible for the convergence, which is the formal cooperation between previously disjointed security functions. This mainly pertains to physical and IT security working in a more concerted manner instead of working in silos within the organization. Issues such as loss prevention, fraud prevention, business continuity planning, legal/regulatory compliance, and insurance all have physical security and IT security aspects and requirements. So one individual (CSO) overseeing and intertwining these different security disciplines allows for a more holistic and comprehensive security program.

134
Q

Explanations: Process Owner

A

Ever heard the popular mantra, “Security is not a product, it’s a process”? The statement is very true. Security should be considered and treated like any other business process—not as its own island, nor like a redheaded stepchild with cooties. (The author is a redheaded stepchild, but currently has no cooties.)

135
Q

Emphasis: Guidelines

A

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security. Life is full of gray areas, and guidelines can be used as a reference during those times. Whereas standards are specific mandatory rules, guidelines are general approaches that provide the necessary flexibility for unforeseen circumstances.

136
Q

Bullets: Qualitative risk analysis

A

Opinion-based method of analyzing risk with the use of scenarios and ratings.

137
Q

Explanation Bullets: Possible background check criteria could include

A
  • A Social Security number trace
  • A county/state criminal check
  • A federal criminal check
  • A sexual offender registry check
  • Employment verification
  • Education verification
  • Professional reference verification
  • An immigration check
  • Professional license/certification verification
  • Credit report
  • Drug screening
138
Q

Bullets: CRAMM

A

Central Computing and Telecommunications Agency Risk Analysis and Management Method.

139
Q

Emphasis: board of directors

A

The board of directors is a group of individuals who are elected by the shareholders of a corporation to oversee the fulfillment of the corporation’s charter. The goal of the board is to ensure the shareholders’ interests are being protected and that the corporation is being run properly. They are supposed to be unbiased and independent individuals who oversee the executive staff’s performance in running the company.

140
Q

Explanation Bullets: Once the scheme is decided upon, the organization must develop the criteria it will use to decide what information goes into which classification. The following list shows some criteria parameters an organization may use to determine the sensitivity of data:

A
  • The usefulness of data
  • The value of data
  • The age of data
  • The level of damage that could be caused if the data were disclosed
  • The level of damage that could be caused if the data were modified or corrupted
  • Legal, regulatory, or contractual responsibility to protect the data
  • Effects the data has on security
  • Who should be able to access the data
  • Who should maintain the data
  • Who should be able to reproduce the data
  • Lost opportunity costs that could be incurred if the data were not available or were corrupted
141
Q

Emphasis: uncertainty

A

In risk analysis, uncertainty refers to the degree to which you lack confidence in an estimate. This is expressed as a percentage, from 0 to 100 percent. If you have a 30 percent confidence level in something, then it could be said you have a 70 percent uncertainty level. Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.

142
Q

Explanations: Personnel Security

A

Many facets of the responsibilities of personnel fall under management’s umbrella, and several facets have a direct correlation to the overall security of the environment.

143
Q

Emphasis: Balanced Security

A

In reality, when information security is dealt with, it is commonly only through the lens of keeping secrets secret (confidentiality). The integrity and availability threats can be overlooked and only dealt with after they have actually been compromised. Some assets have a critical confidentiality requirement (company trade secrets), some have critical integrity requirements (financial transaction values), and some have critical availability requirements (e-commerce web servers). Many people understand the concepts of the AIC triad, but may not fully appreciate the complexity of implementing the necessary controls to provide all the protection these concepts cover. The following provides a short list of some of these controls and how they map to the components of the AIC triad:

144
Q

Emphasis: chief financial officer (CFO)

A

The chief financial officer (CFO) is responsible for the corporation’s accounting and financial activities and the overall financial structure of the organization. This person is responsible for determining what the company’s financial needs will be and how to finance those needs. The CFO must create and maintain the company’s capital structure, which is the proper mix of equity, credit, cash, and debt financing. This person oversees forecasting and budgeting and the processes of submitting quarterly and annual financial statements to the SEC and stakeholders.

145
Q

Bullets: Six Sigma

A

Business management strategy that can be used to carry out process improvement

146
Q

Bullets: Personnel security

A

Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.

147
Q

Bullets: ISO 27799

A

Guideline for information security management in health organizations

148
Q

Bullets: Access control

A

Control access to assets based on business requirements, user management, authentication methods, and monitoring.

149
Q

Bullets: COSO

A

Set of internal corporate controls to help reduce the risk of financial fraud developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission

150
Q

Bullets: Rotation of duties

A

Detective administrative control used to uncover potential fraudulent activities.

151
Q

Bullets: Physical and environmental security

A

Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.

152
Q

Emphasis: user

A

The user is any individual who routinely uses the data for work-related tasks. The user must have the necessary level of access to the data to perform the duties within their position and is responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others.

153
Q

Emphasis: project sizing

A

It is important to figure out what you are supposed to be doing before you dig right in and start working. Anyone who has worked on a project without a properly defined scope can attest to the truth of this statement. Before an assessment and analysis is started, the team must carry out project sizing to understand what assets and threats should be evaluated. Most assessments are focused on physical security, technology security, or personnel security. Trying to assess all of them at the same time can be quite an undertaking.

154
Q

Emphasis: Automated Risk Analysis Methods

A

Automated Risk Analysis Methods

Collecting all the necessary data that needs to be plugged into risk analysis equations and properly interpreting the results can be overwhelming if done manually. Several automated risk analysis tools on the market can make this task much less painful and, hopefully, more accurate. The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. The risk analysis team can also print reports and comprehensive graphs to present to management.

155
Q

Explanations: Uncertainty

A

I just made all these numbers up.Response: Well, they look impressive.

156
Q

Explanation Bullets: A risk analysis has four main goals:

A
  • Identify assets and their value to the organization.
  • Identify vulnerabilities and threats.
  • Quantify the probability and business impact of these potential threats.
  • Provide an economic balance between the impact of the threat and the cost of the countermeasure.
157
Q

Emphasis: data custodian

A

The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.

158
Q

Explanations: Data Custodian

A

Hey, custodian, clean up my mess!Response: I’m not that type of custodian.

159
Q

Emphasis: chief privacy officer (CPO)

A

The chief privacy officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties. The CPO often reports to the chief security officer.

160
Q

Emphasis: Failure Modes and Effect Analysis (FMEA)

A

Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. It is commonly used in product development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. For example, you might choose to carry out an FMEA on your organization’s network to identify single points of failure. These single points of failure represent vulnerabilities that could directly affect the productivity of the network as a whole. You would use this structured approach to identify these issues (vulnerabilities), assess their criticality (risk), and identify the necessary controls that should be put into place (reduce risk).

161
Q

Bullets: Separation of duties

A

Preventive administrative control used to ensure one person cannot carry out a critical task alone.

162
Q

Bullets: Asset classification and control

A

Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.

163
Q

Explanation Bullets:

The following shows the common levels of sensitivity from the highest to the lowest for commercial business:

A
  • Confidential
  • Private
  • Sensitive
  • Public
164
Q

Explanations: Security Policy

A

Oh look, this paper tells us what we need to do. I am going to put smiley-face stickers all over it.

165
Q

Emphasis: Costs That Make Up the Value

A

Costs That Make Up the Value

An asset can have both quantitative and qualitative measurements assigned to it, but these measurements need to be derived. The actual value of an asset is determined by the importance it has to the organization as a whole. The value of an asset should reflect all identifiable costs that would arise if the asset were actually impaired. If a server cost $4,000 to purchase, this value should not be input as the value of the asset in a risk assessment. Rather, the cost of replacing or repairing it, the loss of productivity, and the value of any data that may be corrupted or lost must be accounted for to properly capture the amount the organization would lose if the server were to fail for one reason or another.

166
Q

Explanations: The Open Group Architecture Framework

A

Our business processes, data flows, software programs, and network devices are strung together like spaghetti.

167
Q

Emphasis: British Ministry of Defence Architecture Framework (MODAF)

A

The British Ministry of Defence Architecture Framework (MODAF) is another recognized enterprise architecture framework based upon the DoDAF. The crux of the framework is to be able to get data in the right format to the right people as soon as possible. Modern warfare is complex, and activities happen fast, which requires personnel and systems to be more adaptable than ever before. Data needs to be captured and properly presented so that decision makers understand complex issues quickly, which allows for fast and hopefully accurate decisions.

168
Q

Emphasis: Putting It Together

A

Putting It Together

To perform a risk analysis, a company first decides what assets must be protected and to what extent. It also indicates the amount of money that can go toward protecting specific assets. Next, it must evaluate the functionality of the available safeguards and determine which ones would be most beneficial for the environment. Finally, the company needs to appraise and compare the costs of the safeguards. These steps and the resulting information enable management to make the most intelligent and informed decisions about selecting and purchasing countermeasures.

169
Q

Bullets: Information security policy for the organization

A

Map of business objectives to security, management’s support, security goals, and responsibilities.

170
Q

Bullets: Delphi method

A

Data collection method that happens in an anonymous fashion.

171
Q

Explanation Bullets: Determining the value of assets may be useful to a company for a variety of reasons, including the following:

A
  • To perform effective cost/benefit analyses
  • To select specific countermeasures and safeguards
  • To determine the level of insurance coverage to purchase
  • To understand what exactly is at risk
  • To comply with legal and regulatory requirements
172
Q

Emphasis: risk mitigation

A

Another approach is risk mitigation, where the risk is reduced to a level considered acceptable enough to continue conducting business. The implementation of firewalls, training, intrusion detection/prevention systems, or other control types represents a risk mitigation effort.

173
Q

Explanations: Data Owner Issues

A

Each business unit should have a data owner who protects the unit’s most critical information. The company’s policies must give the data owners the necessary authority to carry out their tasks.

174
Q

Bullets: Physical damage

A

Fire, water, vandalism, power loss, and natural disasters

175
Q

Emphasis: annualized rate of occurrence (ARO)

A

The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to greater than 1 (several times a year) and anywhere in between. For example, if the probability of a fire taking place and damaging our data warehouse is once every ten years, the ARO value is 0.1.

176
Q

Bullets: Fault tree analysis

A

Approach to map specific flaws to root causes in complex systems.

177
Q

Bullets: Exposure

A

Presence of a vulnerability, which exposes the organization to a threat.

178
Q

Emphasis: Application Owner

A

Application Owner

Some applications are specific to individual business units—for example, the accounting department has accounting software, R&D has software for testing and development, and quality assurance uses some type of automated system. The application owners, usually the business unit managers, are responsible for dictating who can and cannot access their applications (subject to staying in compliance with the company’s security policies, of course).

179
Q

Emphasis: total risk

A

Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard. A company may choose to take on total risk if the cost/benefit analysis results indicate this is the best course of action. For example, if there is a small likelihood that a company’s web servers can be compromised, and the necessary safeguards to provide a higher level of protection cost more than the potential loss in the first place, the company will choose not to implement the safeguard, choosing to deal with the total risk.

180
Q

Emphasis: health informatics

A

ISO 27799 is referred to as health informatics; its purpose is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.

181
Q

Bullets: Total risk

A

Full risk amount before a control is put into place. Threats × vulnerabilities × assets = total risk.

182
Q

Emphasis: exposure

A

An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users’ passwords captured and used in an unauthorized manner. If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.

183
Q

Bullets: Integrity

A

Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.

184
Q

Bullets: ISO/IEC 27031

A

Guideline for information and communications technology readiness for business continuity

185
Q

Explanations: Risk Analysis Approaches

A

One consultant said this threat could cost us $150,000, another consultant said it was red, and the audit team assigned it a four. Should we be concerned or not?

187
Q

Explanations: Solution Provider

A

I came up with the solution to world peace, but then I forgot it.Response: Write it down on this napkin next time.

188
Q

Emphasis: Delphi technique

A

The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others’ thought processes and enables them to participate in an independent and anonymous way. Each member of the group provides his or her opinion of a certain threat and turns it in to the team that is performing the analysis. The results are compiled and distributed to the group members, who then write down their comments anonymously and return them to the analysis group. The comments are compiled and redistributed for more comments until a consensus is formed. This method is used to obtain an agreement on cost, loss values, and probabilities of occurrence without individuals having to agree verbally.

189
Q

Explanations: Security Controls Development

A

We have our architecture. Now what do we put inside it?Response: Marshmallows.

190
Q

Explanations: Many Standards, Best Practices, and Frameworks

A

As you will see in the following sections, various profit and nonprofit organizations have developed their own approaches to security management, security control objectives, process management, and enterprise development. We will examine their similarities and differences and illustrate where each is used within the industry.

191
Q

Explanations: Methodologies for Risk Assessment

A

The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional, it is your responsibility to know which is the best approach for your organization and its needs.

192
Q

Explanations: Total Risk vs. Residual Risk

A

The reason a company implements countermeasures is to reduce its overall risk to an acceptable level. As stated earlier, no system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk.

193
Q

Explanation Bullets: As mentioned earlier, which types of controls are implemented per classification depends upon the level of protection that management and the security team have determined is needed. The numerous types of controls available are discussed throughout this book. But some considerations pertaining to sensitive data and applications are common across most organizations:

A
  • Strict and granular access control for all levels of sensitive data and programs (see Chapter 3 for coverage of access controls, along with file system permissions that should be understood)
  • Encryption of data while stored and while in transmission (see Chapter 7 for coverage of all types of encryption technologies)
  • Auditing and monitoring (determine what level of auditing is required and how long logs are to be retained)
  • Separation of duties (determine whether two or more people must be involved in accessing sensitive information to protect against fraudulent activities; if so, define and document procedures)
  • Periodic reviews (review classification levels, and the data and programs that adhere to them, to ensure they are still in alignment with business needs; data or applications may also need to be reclassified or declassified, depending upon the situation)
  • Backup and recovery procedures (define and document)
  • Change control procedures (define and document)
  • Physical security protection (define and document)
  • Information flow channels (where does the sensitive data reside and how does it traverse the network)
  • Proper disposal actions, such as shredding, degaussing, and so on (define and document)
  • Marking, labeling, and handling procedures
194
Q

Explanations: Control Types

A

We have this ladder, some rubber bands, and this Band-Aid.Response: Okay, we are covered.

195
Q

Emphasis: bottom-up approach

A

A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the company’s assets (senior management) are driving the program. Senior management are not only ultimately responsible for the protection of the organization, but also hold the purse strings for the necessary funding, have the authority to assign needed resources, and are the only ones who can ensure true enforcement of the stated security rules and policies. Management’s support is one of the most important pieces of a security program. A simple nod and a wink will not provide the amount of support required.

196
Q

Emphasis: Product Line Manager

A

Product Line Manager

Who’s responsible for explaining business requirements to vendors and wading through their rhetoric to see if the product is right for the company? Who is responsible for ensuring compliance with license agreements? Who translates business requirements into objectives and specifications for the developer of a product or solution? Who decides if the company really needs to upgrade their operating system version every time Microsoft wants to make more money? That would be the product line manager.

197
Q

Bullets: Informative

A

This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.

198
Q

Explanation Bullets: Technical controls that are commonly put into place to provide this type of layered approach are

A
  • Firewalls
  • Intrusion detection systems
  • Intrusion prevention systems
  • Antimalware
  • Access control
  • Encryption
199
Q

Emphasis: Chief Information Officer

A

Chief Information Officer

On a lower rung of the food chain is the chief information officer (CIO). This individual can report to the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in many organizations. CIOs oversee and are responsible for the day-in-day-out technology operations of a company, but because organizations are so dependent upon technology, CIOs are being asked to sit at the big boys’ corporate table more and more.

200
Q

Bullets: Regulatory

A

This type of policy ensures that the organization is following standards set by specific industry regulations (HIPAA, GLBA, SOX, PCI DSS, etc.). It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries.

201
Q

Bullets: Zachman framework

A

Model for the development of enterprise architectures developed by John Zachman

202
Q

Explanations: Implementation

A

Our policies are very informative and look very professional.Response: Doesn’t matter. Nobody cares.

203
Q

Bullets: DoDAF

A

U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals

204
Q

Bullets: Human interaction

A

Accidental or intentional action or inaction that can disrupt productivity

205
Q

Emphasis: Data Analyst

A

Data Analyst

Having proper data structures, definitions, and organization is very important to a company. The data analyst is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it. For example, payroll information should not be mixed with inventory information, the purchasing department needs to have a lot of its values in monetary terms, and the inventory system must follow a standardized naming scheme. The data analyst may be responsible for architecting a new system that will hold company information, or advise in the purchase of a product that will do so.

206
Q

Bullets: Security through obscurity

A

Relying upon the secrecy or complexity of an item as its security, instead of applying solid security practices.

207
Q

Bullets: ISO/IEC 27006

A

Guidelines for bodies providing audit and certification of information security management systems

208
Q

Explanation Bullets:

Figure 2-2 Defense-in-depth

A
  • Fence
  • Locked external doors
  • Closed-circuit TV
  • Security guard
  • Locked internal doors
  • Locked server room
  • Physically secured computers (cable locks)
209
Q

Bullets: Compliance

A

Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.

210
Q

Bullets: June 2005

A

John Rigas, the CEO of Adelphia Communications Corp., was sentenced to 15 years in prison for his role in the looting and debt-hiding scandal that pummeled the company into bankruptcy. His son, who also held an executive position, was sentenced to 20 years.

211
Q

Explanation Bullets: TOGAF is a framework that can be used to develop the following architecture types:

A
  • Business Architecture
  • Data Architecture
  • Applications Architecture
  • Technology Architecture
212
Q

Explanations: Baselines

A

The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

213
Q

Explanations: Results of a Quantitative Risk Analysis

A

The risk analysis team should have clearly defined goals. The following is a short list of what generally is expected from the results of a risk analysis:

214
Q

Bullets: Single loss expectancy

A

One instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset. Asset Value × Exposure Factor = SLE.

215
Q

Bullets: Failure Modes and Effect Analysis

A

Approach that dissects a component into its basic functions to identify flaws and those flaws’ effects.

216
Q

Bullets: Creation of information security infrastructure

A

Create and maintain an organizational security structure through the use of a security forum, a security officer, defining security responsibilities, authorization processes, outsourcing, and independent reviews.

217
Q

Emphasis: audit committee

A

The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.

218
Q

Explanation Bullets: How do you know if an organization does not have an enterprise security architecture in place? If the answer is “yes” to most of the following questions, this type of architecture is not in place:

A
  • Does security take place in silos throughout the organization?
  • Is there a continual disconnect between senior management and the security staff?
  • Are redundant products purchased for different departments for overlapping security needs?
  • Is the security program made up of mainly policies without actual implementation and enforcement?
  • When user access requirements increase because of business needs, does the network administrator just modify the access controls without the user manager’s documented approval?
  • When a new product is being rolled out, do unexpected interoperability issues pop up that require more time and money to fix?
  • Do many “one-off” efforts take place instead of following standardized procedures when security issues arise?
  • Are the business unit managers unaware of their security responsibilities and how their responsibilities map to legal and regulatory requirements?
  • Is “sensitive data” defined in a policy, but the necessary controls are not fully implemented and monitored?
  • Are stovepipe (point) solutions implemented instead of enterprise-wide solutions?
  • Are the same expensive mistakes continuing to take place?
  • Is security governance currently unavailable because the enterprise is not viewed or monitored in a standardized and holistic manner?
  • Are business decisions being made without taking security into account?
  • Are security personnel usually putting out fires with no real time to look at and develop strategic approaches?
  • Are security efforts taking place in business units that other business units know nothing about?
  • Are more and more security personnel seeking out shrinks and going on antidepressant or anti-anxiety medication?
219
Q

Bullets: Misuse of data

A

Sharing trade secrets, fraud, espionage, and theft

220
Q

Bullets: Data owner

A

Individual responsible for the protection and classification of a specific data set.

221
Q

Explanations: Security Management

A

Now that we built this thing, how do we manage it?Response: Try kicking it.

222
Q

Emphasis: Enterprise Architectures: Scary Beasts

A

Enterprise Architectures: Scary Beasts

If these enterprise architecture models are new to you and a bit confusing, do not worry; you are not alone. While enterprise architecture frameworks are great tools to understand and help control all the complex pieces within an organization, the security industry is still maturing in its use of these types of architectures. Most companies develop policies and then focus on the technologies to enforce those policies, which skips the whole step of security enterprise development. This is mainly because the information security field is still learning how to grow up and out of the IT department and into established corporate environments. As security and business truly become more intertwined, these enterprise frameworks won’t seem as abstract and foreign, but useful tools that are properly leveraged.

223
Q

Emphasis: business enablement

A

When looking at the business enablement requirement of the security enterprise architecture, we need to remind ourselves that companies are in business to make money. Companies and organizations do not exist for the sole purpose of being secure. Security cannot stand in the way of business processes, but should be implemented to better enable them.

225
Q

Bullets: ITIL

A

Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce

226
Q

Emphasis: security steering committee

A

A security steering committee is responsible for making decisions on tactical and strategic security issues within the enterprise as a whole and should not be tied to one or more business units. The group should be made up of people from all over the organization so they can view risks and the effects of security decisions on individual departments and the organization as a whole. The CEO should head this committee, and the CFO, CIO, department managers, and chief internal auditor should all be on it.

227
Q

Explanation Bullets: The following issues should be considered when assigning values to assets:

A
  • Cost to acquire or develop the asset
  • Cost to maintain and protect the asset
  • Value of the asset to owners and users
  • Value of the asset to adversaries
  • Price others are willing to pay for the asset
  • Cost to replace the asset if lost
  • Operational and production activities affected if the asset is unavailable
  • Liability issues if the asset is compromised
  • Usefulness and role of the asset in the organization
228
Q

Explanations: We Are Never Done

A

Only by reassessing the risks on a periodic basis can a statement of safeguard performance be trusted. If the risk has not changed, and the safeguards implemented are functioning in good order, then it can be said that the risk is being properly mitigated. Regular information risk management (IRM) monitoring will support the information security risk ratings.

229
Q

Bullets: Cost/benefit analysis

A

Calculating the value of a control. (ALE before implementing a control) – (ALE after implementing a control) – (annual cost of control) = value of control.
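Worked example, added here and not part of the original deck, that ties together the "annualized rate of occurrence (ARO)", "Single loss expectancy", "Total risk" and "Cost/benefit analysis" cards: it computes SLE and ALE for one constructed scenario (the data-warehouse fire with ARO 0.1 from the ARO card), then scores several candidate safeguards with the cost/benefit formula and drops any whose annual cost exceeds the loss it prevents, which is the "accept the total risk" case. The asset value, exposure factors and control costs are invented figures, and the `Scenario`/`Control` classes and function names are illustrative, not from any standard or tool.

```python
"""Quantitative risk analysis: SLE, ALE and cost/benefit of safeguards.

Added worked example; every dollar figure, exposure factor and ARO below
is a constructed illustration, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat acting on one asset, before any new safeguard is bought."""
    name: str
    asset_value: float      # full value: replacement, lost productivity, data at risk
    exposure_factor: float  # fraction of asset value lost in one occurrence, 0.0..1.0
    aro: float              # annualized rate of occurrence, e.g. 0.1 = once in ten years


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the numbers it leaves behind once in place."""
    name: str
    annual_cost: float          # amortized purchase + maintenance + operating cost per year
    new_exposure_factor: float  # EF after the control; unchanged if it only cuts frequency
    new_aro: float              # ARO after the control; unchanged if it only cuts impact


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: Asset Value x Exposure Factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: SLE x ARO (ARO may exceed 1.0, never negative)."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def control_value(s: Scenario, c: Control) -> float:
    """(ALE before control) - (ALE after control) - (annual cost of control)."""
    before = ale(s.asset_value, s.exposure_factor, s.aro)
    after = ale(s.asset_value, c.new_exposure_factor, c.new_aro)
    return before - after - c.annual_cost


def select_controls(s: Scenario, candidates: list[Control]) -> list[tuple[str, float]]:
    """Return (name, value) for each control worth buying, highest value first.

    A control whose value is <= 0 costs more than the loss it prevents; the
    cost/benefit answer is then to decline it and carry the total risk.
    """
    scored = [(c.name, control_value(s, c)) for c in candidates]
    worthwhile = [(name, value) for name, value in scored if value > 0.0]
    return sorted(worthwhile, key=lambda nv: nv[1], reverse=True)


# Constructed scenario: data-warehouse fire roughly once every ten years (ARO 0.1)
WAREHOUSE_FIRE = Scenario("warehouse fire", asset_value=500_000, exposure_factor=0.6, aro=0.1)

# Constructed candidate safeguards with made-up costs and effects
CANDIDATES = [
    # suppression: fires still start as often, but each one destroys far less
    Control("gas fire suppression", annual_cost=12_000, new_exposure_factor=0.1, new_aro=0.1),
    # wiring inspection programme: fewer fires, same damage when one does occur
    Control("annual wiring inspection", annual_cost=4_000, new_exposure_factor=0.6, new_aro=0.05),
    # gold-plated option whose yearly cost exceeds the whole expected loss
    Control("rebuild in fireproof bunker", annual_cost=60_000, new_exposure_factor=0.0, new_aro=0.0),
]

if __name__ == "__main__":
    s = WAREHOUSE_FIRE
    print(f"SLE = {sle(s.asset_value, s.exposure_factor):,.0f}")
    print(f"ALE = {ale(s.asset_value, s.exposure_factor, s.aro):,.0f}")
    for name, value in select_controls(s, CANDIDATES):
        print(f"{name}: value of control {value:,.0f} per year")
    rejected = [c.name for c in CANDIDATES if control_value(s, c) <= 0]
    print(f"declined (cost exceeds benefit, carry the risk): {rejected}")
```

With these constructed figures the SLE is 300,000 and the ALE 30,000; the suppression system (value 13,000) and the inspection programme (value 11,000) both pay for themselves, while the bunker's 60,000 per year exceeds the entire expected loss and is declined, which is exactly the situation the "total risk" card describes.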

230
Q

Emphasis: data owner

A

The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. And the data owner will deal with security violations pertaining to the data she is responsible for protecting. The data owner, who obviously has enough on her plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.

231
Q

Emphasis: commonly

A

The classifications listed in the table are commonly used in the industry, but there is a lot of variance. An organization first must decide the number of data classifications that best fit its security needs, then choose the classification naming scheme, and then define what the names in those schemes represent. Company A might use the classification level “confidential,” which represents its most sensitive information. Company B might use “top secret,” “secret,” and “confidential,” where confidential represents its least sensitive information. Each organization must develop an information classification scheme that best fits its business and security needs.

232
Q

Explanations: Control Selection

A

A security control must make good business sense, meaning it is cost-effective (its benefit outweighs its cost). This requires another type of analysis: a cost/benefit analysis. A commonly used cost/benefit calculation for a given safeguard (control) is:

233
Q

Explanations: Enterprise Architecture Development

A

Should we map and integrate all of our security efforts with our business efforts?Response: No, we are more comfortable with chaos and wasting money.

234
Q

Bullets: AS/NZS 4360

A

Australia and New Zealand business risk management assessment approach.