CHAPTER 2_Information Security Governance and Risk Management Flashcards

Question 1

Q

Bullets: SABSA model

Answer

A

Model and methodology for the development of information security enterprise architectures

Question 2

Q

Explanations: Change Control Analyst

Answer

A

I have analyzed your change request and it will destroy this company.Response: I am okay with that.

Question 3

Q

Explanation Bullets: A common hierarchy of security policies is outlined here, which illustrates the relationship between the master policy and the issue-specific policies that support it:

Answer

A

Organizational policy
Acceptable use policy
Risk management policy
Vulnerability management policy
Data protection policy
Access control policy
Business continuity policy
Log aggregation and auditing policy
Personnel security policy
Physical security policy
Secure application development policy
Change control policy
E-mail policy
Incident response policy

Question 4

Q

Bullets: Defense-in-depth

Answer

A

Implementation of multiple controls so that successful penetration and compromise is more difficult to attain

Question 5

Q

Bullets: July 2005

Answer

A

WorldCom ex-Chief Executive Officer Bernard Ebbers was sentenced to 25 years in prison for his role in orchestrating the biggest corporate fraud in the nation’s history.

Question 6

Q

Bullets: Confidentiality

Answer

A

Necessary level of secrecy is enforced and unauthorized disclosure is prevented.

Question 7

Q

Bullets: ISO/IEC 27013

Answer

A

Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001

Question 8

Q

Explanation Bullets: The organizational security policy has several important characteristics that must be understood and implemented:

Answer

A

Business objectives should drive the policy’s creation, implementation, and enforcement. The policy should not dictate business objectives.
It should be an easily understood document that is used as a reference point for all employees and management.
It should be developed and used to integrate security into all business functions and processes.
It should be derived from and support all legislation and regulations applicable to the company.
It should be reviewed and modified as a company changes, such as through adoption of a new business model, a merger with another company, or change of ownership.
Each iteration of the policy should be dated and under version control.
The units and individuals who are governed by the policy must have easy access to it. Policies are commonly posted on portals on an intranet.
It should be created with the intention of having the policies in place for several years at a time. This will help ensure policies are forward-thinking enough to deal with potential changes that may arise.
The level of professionalism in the presentation of the policies reinforces their importance as well as the need to adhere to them.
It should not contain language that isn’t readily understood by everyone. Use clear and declarative statements that are easy to understand and adopt.
It should be reviewed on a regular basis and adapted to correct incidents that have occurred since the last review and revision of the policies.

Question 9

Q

Bullets: SP 800-53

Answer

A

Set of controls to protect U.S. federal systems developed by the National Institute of Standards and Technology (NIST)

Question 10

Q

Emphasis: Response: No, we are more comfortable with chaos and wasting money

Answer

A

Should we map and integrate all of our security efforts with our business efforts?Response: No, we are more comfortable with chaos and wasting money.

Question 11

Q

Explanations: Information Risk Management Policy

Answer

A

How do I put all of these risk management pieces together?Response: Let’s check out the policy.

Question 12

Q

Explanations: Protection Mechanisms

Answer

A

Okay, so we know we are at risk, and we know the probability of it happening. Now, what do we do?

Question 13

Q

Bullets: ISO/IEC 27037

Answer

A

Guideline for identification, collection, and/or acquisition and preservation of digital evidence

Question 14

Q

Bullets: Business continuity management

Answer

A

Counter disruptions of normal operations by using continuity planning and testing.

Question 15

Q

Emphasis: risk assessment

Answer

A

A risk assessment, which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

Question 16

Q

Bullets: Social engineering

Answer

A

Gaining unauthorized access by tricking someone into divulging sensitive information.

Question 17

Q

Emphasis: Why So Many Roles?

Answer

A

Why So Many Roles?Most organizations will not have all the roles previously listed, but what is important is to build an organizational structure that contains the necessary roles and map the correct security responsibilities to them. This structure includes clear definitions of responsibilities, lines of authority and communication, and enforcement capabilities. A clear-cut structure takes the mystery out of who does what and how things are handled in different situations.

Question 18

Q

Bullets: Loss of data

Answer

A

Intentional or unintentional loss of information to unauthorized receivers

Question 19

Q

Explanation Bullets: The cost of a countermeasure is more than just the amount filled out on the purchase order. The following items should be considered and evaluated when deriving the full cost of a countermeasure:

Answer

A

Product costs
Design/planning costs
Implementation costs
Environment modifications
Compatibility with other countermeasures
Maintenance requirements
Testing requirements
Repair, replacement, or update costs
Operating and support costs
Effects on productivity
Subscription costs
Extra man-hours for monitoring and responding to alerts
Beer for the headaches that this new tool will bring about

Question 20

Q

Explanation Bullets: So up to this point, we have accomplished the following items:

Answer

A

Developed a risk management policy
Developed a risk management team
Identified company assets to be assessed
Calculated the value of each asset
Identified the vulnerabilities and threats that can affect the identified assets
Chose a risk assessment methodology that best fits our needs

Question 21

Q

Explanations: The Risk Management Team

Answer

A

Fred is always scared of stuff. He is going to head up our risk team.Response: Fair enough.

Question 22

Q

Emphasis: vulnerability

Answer

A

A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.

Question 23

Q

Bullets: January 2004

Answer

A

Enron ex-Chief Financial Officer Andrew Fastow was given a ten-year prison sentence for his accounting scandals, which was a reduced term because he cooperated with prosecutors.

Question 24

Q

Bullets: Mandatory vacation

Answer

A

Detective administrative control used to uncover potential fraudulent activities by requiring a person to be away from the organization for a period of time.

Question 25

Q

Explanations: Security Analyst

Answer

A

I have analyzed your security and you have it all wrong.Response: What a surprise.

Question 26

Q

Bullets: ISO/IEC 27004

Answer

A

Guideline for information security management measurement and metrics framework

Question 27

Q

Bullets: ISO/IEC 27033

Answer

A

Guideline for IT network security, a multipart standard based on ISO/IEC 18028:2006

Question 28

Q

Emphasis: qualitative

Answer

A

Another method of risk analysis is qualitative, which does not assign numbers and monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. (A wide sweeping analysis can include hundreds of scenarios.) Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed, as well as the culture of the company and individuals involved with the analysis.

Question 29

Q

Bullets: Facilitated Risk Analysis Process (FRAP)

Answer

A

A focused, qualitative approach that carries out prescreening to save time and money.

Question 30

Q

Bullets: Deterrent

Answer

A

Intended to discourage a potential attacker

Question 31

Q

Explanation Bullets: Quick Tips

Answer

A

The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.
A vulnerability is the absence of or weakness in a control.
A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.
A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
A countermeasure, also called a safeguard or control, mitigates the risk.
A control can be administrative, technical, or physical and can provide deterrent, preventive, detective, corrective, or recovery protection.
A compensating control is an alternate control that is put into place because of financial or business functionality reasons.
CobiT is a framework of control objectives and allows for IT governance.
ISO/IEC 27001 is the standard for the establishment, implementation, control, and improvement of the information security management system.
The ISO/IEC 27000 series were derived from BS 7799 and are international best practices on how to develop and maintain a security program.
Enterprise architecture frameworks are used to develop architectures for specific stakeholders and present information in views.
An information security management system (ISMS) is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO\IEC 27001.
Enterprise security architecture is a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.
Blueprints are functional definitions for the integration of technology into business processes.
Enterprise architecture frameworks are used to build individual architectures that best map to individual organizational needs and business drivers.
Zachman is an enterprise architecture framework, and SABSA is a security enterprise architecture framework.
COSO is a governance model used to help prevent fraud within a corporate environment.
ITIL is a set of best practices for IT service management.
Six Sigma is used to identify defects in processes so that the processes can be improved upon.
CMMI is a maturity model that allows for processes to improve in an incremented and standard approach.
Security enterprise architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.
NIST 800-53 uses the following control categories: technical, management, and operational.
OCTAVE is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.
Security management should work from the top down (from senior management down to the staff).
Risk can be transferred, avoided, reduced, or accepted.
Threats × vulnerability × asset value = total risk.
(Threats × vulnerability × asset value) × controls gap = residual risk.
The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.
A quantitative risk analysis attempts to assign monetary values to components within the analysis.
A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE).
Qualitative risk analysis uses judgment and intuition instead of numbers.
Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
The Delphi technique is a group decision method where each group member can communicate anonymously.
When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
A security policy is a statement by management dictating the role security plays in the organization.
Procedures are detailed step-by-step actions that should be followed to achieve a certain task.
Standards are documents that outline rules that are compulsory in nature and support the organization’s security policies.
A baseline is a minimum level of security.
Guidelines are recommendations and general approaches that provide advice and flexibility.
Job rotation is a detective administrative control to detect fraud.
Mandatory vacations are a detective administrative control type that can help detect fraudulent activities.
Separation of duties ensures no single person has total control over a critical activity or task. It is a preventative administrative control.
Split knowledge and dual control are two aspects of separation of duties.
Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels.
Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.
Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team’s findings.
The risk management team should include individuals from different departments within the organization, not just technical personnel.
Social engineering is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.
Personal identification information (PII) is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected.
Security governance is a framework that provides oversight, accountability, and compliance.
ISO/IEC 27004:2009 is an international standard for information security measurement management.
NIST 800-55 is a standard for performance measurement for information security.

Question 32

Q

Bullets: ISO/IEC 27002

Answer

A

Code of practice for information security management

Question 33

Q

Emphasis: What

Answer

A

• What are you trying to do at this layer? The assets to be protected by your security architecture.

Question 34

Q

Explanations: Outsourcing

Answer

A

I am sure that company, based in another company that we have never met or ever heard of, will protect our most sensitive secrets just fine.Response: Yeah, they seem real nice.

Question 35

Q

Emphasis: threat agent

Answer

A

A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.

Question 36

Q

Emphasis: Security Administrator

Answer

A

Security AdministratorThe security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. These controls commonly include firewalls, IDS, IPS, antimalware, security proxies, data loss prevention, etc. It is common for there to be delineation between the security administrator and the network administrator. The security administrator has the main focus of keeping the network secure, and the network administrator has the focus of keeping things up and running.

Question 37

Q

Emphasis: chief security officer (CSO)

Answer

A

The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.

Question 38

Q

Explanation Bullets: This committee should meet at least quarterly and have a well-defined agenda. Some of the group’s responsibilities are as follows:

Answer

A

Define the acceptable risk level for the organization.
Develop security objectives and strategies.
Determine priorities of security initiatives based on business needs.
Review risk assessment and auditing reports.
Monitor the business impact of security risks.
Review major security breaches and incidents.
Approve any major change to the security policy and program.

Question 39

Q

Explanations: NIST 800-53

Answer

A

CobiT contains control objectives used within the private sector; the U.S. government has its own set of requirements when it comes to controls for federal information systems and organizations.

Question 40

Q

Emphasis: issue-specific policy

Answer

A

An issue-specific policy, also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes, that specifies which e-mail functionality employees can or cannot use, and that addresses specific privacy issues.

Question 41

Q

Bullets: Annualized loss expectancy

Answer

A

Annual expected loss if a specific vulnerability is exploited and how it affects a single asset.

Question 42

Q

Bullets: Application error

Answer

A

Computation errors, input errors, and buffer overflows

Question 43

Q

Bullets: Policy

Answer

A

High-level document that outlines senior management’s security directives.

Question 44

Q

Explanation Bullets: CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985 to deal with fraudulent financial activities and reporting. The COSO framework is made up of the following components:

Answer

A

Control environment
Management’s philosophy and operating style
Company culture as it pertains to ethics and fraud
Risk assessment
Establishment of risk objectives
Ability to manage internal and external change
Control activities
Policies, procedures, and practices put in place to mitigate risk
Information and communication
Structure that ensures that the right people get the right information at the right time
Monitoring
Detecting and responding to control deficiencies

Question 45

Q

Bullets: Shoulder surfing

Answer

A

Viewing information in an unauthorized manner by looking over the shoulder of someone else.

Question 46

Q

Emphasis: CSO vs. CISO

Answer

A

CSO vs. CISOThe CSO and chief information security officer (CISO) may have similar or very different responsibilities. How is that for clarification? It is up to the individual organization to define the responsibilities of these two roles and whether they will use both, either, or neither. By and large, the CSO role usually has a farther-reaching list of responsibilities compared to the CISO role. The CISO is usually focused more on technology and has an IT background. The CSO usually is required to understand a wider range of business risks, including physical security, not just technological risks.

Question 47

Q

Explanations: Top-down Approach

Answer

A

The janitor said we should wrap our computers in tin foil to meet our information security needs.

Question 48

Q

Bullets: System development and maintenance

Answer

A

Implement security in all phases of a system’s lifetime through development of security requirements, cryptography, integrity protection, and software development procedures.

Question 49

Q

Bullets: ISO/IEC 27000 series

Answer

A

International standards on how to develop and maintain an ISMS developed by ISO and IEC

Question 50

Q

Explanation Bullets: The following shows the levels of sensitivity from the highest to the lowest for military purposes:

Answer

A

Top secret
Secret
Confidential
Sensitive but unclassified
Unclassified

Question 51

Q

Explanations: Capability Maturity Model Integration

Answer

A

I only want to get better, and better, and better.Response: I only want you to go away.

Question 52

Q

Emphasis: Who Really Understands Risk Management?

Answer

A

Who Really Understands Risk Management?Unfortunately, the answer to this question is that not enough people inside or outside of the security profession really understand risk management. Even though information security is big business today, the focus is more on applications, devices, viruses, and hacking. Although these items all must be considered and weighed in risk management processes, they should be considered small pieces of the overall security puzzle, not the main focus of risk management.

Question 53

Q

Bullets: Standard

Answer

A

Compulsory rules that support the security policies.

Question 54

Q

Explanations: Handling Risk

Answer

A

Now that we know about the risk, what do we do with it?Response: Hide it behind that plant.

Question 55

Q

Bullets: Preventive

Answer

A

Intended to avoid an incident from occurring

Question 56

Q

Bullets: Quantitative risk analysis

Answer

A

Assigning monetary and numeric values to all the data elements of a risk assessment.

Question 57

Q

Emphasis: Enterprise Security Architecture

Answer

A

Enterprise Security ArchitectureAn enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS). The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease-of-use, standardization, and governance.

Question 58

Q

Emphasis: Nondisclosure agreements

Answer

A

Nondisclosure agreements must be developed and signed by new employees to protect the company and its sensitive information. Any conflicts of interest must be addressed, and there should be different agreements and precautions taken with temporary and contract employees.

Question 59

Q

Bullets: Advisory

Answer

A

This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical or financial information.

Question 60

Q

Emphasis: Privacy

Answer

A

Privacy is different from security. Privacy indicates the amount of control an individual should be able to have and expect as it relates to the release of their own sensitive information. Security is the mechanisms that can be put into place to provide this level of control.

Question 61

Q

Bullets: Collusion

Answer

A

Two or more people working together to carry out fraudulent activities.

Question 62

Q

Bullets: NIST 800-30 Risk Management Guide for Information Technology Systems

Answer

A

A U.S. federal standard that is focused on IT risks.

Question 63

Q

Bullets: Availability

Answer

A

Reliable and timely access to data and resources is provided to authorized individuals.

Question 64

Q

Explanation Bullets: The following shows the common levels of sensitivity from the highest to the lowest for commercial business:

Answer

A

Confidential
Private
Sensitive
Public

Answer 65

A

Risk that remains after implementing a control. Threats × vulnerabilities × assets × (control gap) = residual risk.

Answer 66

A

The former Chief Executive Officer of HealthSouth Corp. was sentenced to five years in prison for his part in the $2.7 billion scandal.

Answer 67

A

Using unique user IDs to enable users to be linked to and held accountable for their actions
Checking that the user has authorization from the system owner for the use of the information system or service, and the level of access granted is appropriate to the business purpose and consistent with the organizational security policy
A procedure to require users to understand and acknowledge their access rights and the conditions of such access
Ensuring that internal and external service providers do not provide access until authorization procedures have been completed
Maintaining a formal record, including access levels, of all persons registered to use the service
A timely and regular review of user IDs and access rights

Answer 68

A

Guideline for information security management systems auditing

Answer 69

A

Information security management guidelines for telecommunications organizations

Answer 70

A

Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how useful the current security solutions and architecture as a whole are performing.

Answer 71

A

Model and methodology for the development of enterprise architectures developed by The Open Group

Answer 72

A

The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. For example, if a data warehouse has the asset value of $150,000, it can be estimated that if a fire were to occur, 25 percent of the warehouse would be damaged, in which case the SLE would be $37,500:

Answer 73

A

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.

Answer 74

A

The last approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.

Answer 75

A

So the different categories of controls that can be used are administrative, technical, and physical. But what do these controls actually do for us? We need to understand the different functionality that each control type can provide us in our quest to secure our environments.

Answer 76

A

COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them.

Answer 77

A

Assigning confidence level values to data elements.

Answer 78

A

The integrity of the company’s financial statements and other financial information provided to stockholders and others
The company’s system of internal controls
The engagement and performance of the independent auditors
The performance of the internal audit function
Compliance with legal requirements, regulations, and company policies regarding ethical conduct

Answer 79

A

Guideline for information security governance

Answer 80

A

The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.

Answer 81

A

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relative laws, regulations, and liability issues, and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.

Answer 82

A

Risk-driven enterprise security architecture that maps to business initiatives, similar to the Zachman framework.

Answer 83

A

A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, and applications. An organization may have a system-specific policy outlining how a database containing sensitive information should be protected, who can have access, and how auditing should take place. It may also have a system-specific policy outlining how laptops should be locked down and managed. This policy type is directed to one or a group of similar systems and outlines how they should be protected.

Answer 84

A

Information security management guidelines for the finance and insurance sectors

Answer 85

A

Organizational development for process improvement developed by Carnegie Mellon

Answer 86

A

Helps identify an incident’s activities and potentially an intruder

Answer 87

A

Along with ensuring that we have the proper controls in place, we also want to have ways to construct and improve our business, IT, and security processes in a structured and controlled manner. The security controls can be considered the “things,” and processes are how we use these things. We want to use them properly, effectively, and efficiently.

Answer 88

A

I am very important, but I am missing a “C” in my title.Response: Then you are not so important.

Answer 89

A

Architecture framework used mainly in military support missions developed by the British Ministry of Defence

Answer 90

A

An established risk acceptance level provided by senior management
Documented risk assessment processes and procedures
Procedures for identifying and mitigating risks
Appropriate resource and fund allocation from senior management
Security-awareness training for all staff members associated with information assets
The ability to establish improvement (or risk mitigation) teams in specific areas when necessary
The mapping of legal and regulation compliancy requirements to control and implement requirements
The development of metrics and performance indicators so as to measure and manage various types of risks
The ability to identify and assess new risks as the environment and company change
The integration of IRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities

Answer 91

A

Hey, we need a sacrificial lamb in case things go bad.Response: We already have one. He’s called the chief security officer.

Answer 92

A

Guideline for information security risk management

Answer 93

A

• The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.

Answer 94

A

Steps of a Quantitative Risk AnalysisIf we follow along with our previous sections in this chapter, we have already carried out our risk assessment, which is the process of gathering data for a risk analysis. We have identified the assets that are to be assessed, associated a value to each asset, and identified the vulnerabilities and threats that could affect these assets. Now we need to carry out the risk analysis portion, which means that we need to figure out how to interpret all the data that was gathered during the assessment.

Answer 95

A

Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.

Answer 96

A

Controls that provide an alternative measure of control

Answer 97

A

The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, the Acquire and Implement category contains the following subcategories:

Answer 98

A

Our operating systems follow strict and hierarchical structures, but our company is a mess.

Answer 99

A

Intended to bring the environment back to regular operations

Answer 100

A

I have determined that our greatest risk is this paperclip.Response: Nice work.

Answer 101

A

Team-oriented approach that assesses organizational and IT risks through facilitated workshops.

Answer 102

A

An enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS). The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease-of-use, standardization, and governance.

Answer 103

A

A control, or countermeasure, is put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability. Examples of countermeasures include strong password management, firewalls, a security guard, access control mechanisms, encryption, and security-awareness training.

Answer 104

A

British Standard 7799 (BS7799) was developed in 1995 by the United Kingdom government’s Department of Trade and Industry and published by the British Standards Institution. The standard outlines how an information security management system (ISMS) (aka security program) should be built and maintained. The goal was to provide guidance to organizations on how to design, implement, and maintain policies, processes, and technologies to manage risks to its sensitive information assets.

Answer 105

A

Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction. Organizational security standards may specify how hardware and software products are to be used. They can also be used to indicate expected user behavior. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform (standardized) manner across the organization. An organizational standard may require that all employees wear their company identification badges at all times, that they challenge unknown individuals about their identity and purpose for being in a specific area, or that they encrypt confidential information. These rules are compulsory within a company, and if they are going to be effective, they must be enforced.

Answer 106

A

Plan and Organize
Establish management commitment.
Establish oversight steering committee.
Assess business drivers.
Develop a threat profile on the organization.
Carry out a risk assessment.
Develop security architectures at business, data, application, and infrastructure levels.
Identify solutions per architecture level.
Obtain management approval to move forward.
Implement
Assign roles and responsibilities.
Develop and implement security policies, procedures, standards, baselines, and guidelines.
Identify sensitive data at rest and in transit.
Implement the following blueprints:
Asset identification and management
Risk management
Vulnerability management
Compliance
Identity management and access control
Change control
Software development life cycle
Business continuity planning
Awareness and training
Physical security
Incident response
Implement solutions (administrative, technical, physical) per blueprint.
Develop auditing and monitoring solutions per blueprint.
Establish goals, service level agreements (SLAs), and metrics per blueprint.
Operate and Maintain
Follow procedures to ensure all baselines are met in each implemented blueprint.
Carry out internal and external audits.
Carry out tasks outlined per blueprint.
Manage SLAs per blueprint.
Monitor and Evaluate
Review logs, audit results, collected metric values, and SLAs per blueprint.
Assess goal accomplishments per blueprint.
Carry out quarterly meetings with steering committees.
Develop improvement steps and integrate into the Plan and Organize phase.

Answer 107

A

Our reconnaissance mission gathered important intelligence on our enemy, but a software glitch resulted in us bombing the wrong country.Response: Let’s blame it on NATO.

Answer 108

A

Organizational (master), issue-specific, system-specific.

Answer 109

A

Fundamental Principles of SecurityWe need to understand the core goals of security, which are to provide availability, integrity, and confidentiality (AIC triad) protection for critical assets. Each asset will require different levels of these types of protection, as we will see in the following sections. All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles.

Answer 110

A

I am vulnerable and see you as a threat.Response: Good.

Answer 111

A

Risk analysis provides a cost/benefit comparison, which compares the annualized cost of controls to the potential cost of loss. A control, in most cases, should not be implemented unless the annualized cost of loss exceeds the annualized cost of the control itself. This means that if a facility is worth $100,000, it does not make sense to spend $150,000 trying to protect it.

Answer 112

A

The danger of a threat agent exploiting a vulnerability.

Answer 113

A

The employee must leave the facility immediately under the supervision of a manager or security guard.
The employee must surrender any identification badges or keys, complete an exit interview, and return company supplies.
That user’s accounts and passwords should be disabled or changed immediately.

Answer 114

A

Safeguard that is put in place to reduce a risk, also called a countermeasure.

Answer 115

A

The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

Answer 116

A

Functionality is what a control does, and its effectiveness is how well the control does it.

Answer 117

A

The oracle Delphi told me that everyone agrees with me.Response: Okay, let’s do this again—anonymously.

Answer 118

A

Set of control objectives for IT management developed by Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

Answer 119

A

The probability of a threat agent exploiting a vulnerability and the associated impact.

Answer 120

A

Security Program DevelopmentNo organization is going to put all the previously listed items (ISO/IEC 27000, COSO, Zachman, SABSA, CobiT, NIST 800-53, ITIL, Six Sigma, CMMI) in place. But it is a good toolbox of things you can pull from, and you will find some fit the organization you work in better than others. You will also find that as your organization’s security program matures, you will see more clearly where these various standards, frameworks, and management components come into play. While these items are separate and distinct, there are basic things that need to be built in for any security program and its corresponding controls. This is because the basic tenets of security are universal no matter if they are being deployed in a corporation, government agency, business, school, or nonprofit organization. Each entity is made up of people, processes, data, and technology and each of these things needs to be protected.

Answer 121

A

Former WorldCom Chief Financial Officer Scott Sullivan was sentenced to five years in prison for his role in engineering the $ 11 billion accounting fraud that led to the bankruptcy of the telecommunications powerhouse.

Answer 122

A

I have a feeling that we are secure.Response: Great! Let’s all go home.

Answer 123

A

Calculations can be complex. Can management understand how these values were derived?
Without automated tools, this process is extremely laborious.
More preliminary work is needed to gather detailed information about the environment.
Standards are not available. Each vendor has its own way of interpreting the processes and their results.

Answer 124

A

Hey, we need a sacrificial lamb in case things go bad.Response: We already have one. He’s called the chief security officer.

Answer 125

A

A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

Answer 126

A

The process enhancement piece can be quite beneficial to an organization if it takes advantage of this capability when it is presented to them. When an organization is serious about securing their environment, it means they will have to take a close look at many of the business processes that take place on an ongoing process. Many times these processes are viewed through the eyeglasses of security, because that’s the reason for the activity, but this is a perfect chance to enhance and improve upon the same processes to increase productivity. When you look at many business processes taking place in all types of organizations, you commonly find a duplication of efforts, manual steps that can be easily automated, or ways to streamline and reduce time and effort that are involved in certain tasks. This is commonly referred to as process reengineering.

Answer 127

A

My love letter to my dog is top secret.Response: As it should be.

Answer 128

A

The countermeasure doesn’t work, but it has a fun interface.Response: Good enough.

Answer 129

A

Fixes components or systems after an incident has occurred

Answer 130

A

Monetary values assigned to assets
Comprehensive list of all possible and significant threats
Probability of the occurrence rate of each threat
Loss potential the company can endure per threat in a 12-month time span
Recommended controls

Answer 131

A

Individual responsible for implementing and maintaining security controls to meet security requirements outlined by data owner.

Answer 132

A

The assessments and results are subjective and opinion-based.
Eliminates the opportunity to create a dollar value for cost/benefit discussions.
Hard to develop a security budget from the results because monetary values are not used.
Standards are not available. Each vendor has its own way of interpreting the processes and their results.

Answer 133

A

The CSO is commonly responsible for the convergence, which is the formal cooperation between previously disjointed security functions. This mainly pertains to physical and IT security working in a more concerted manner instead of working in silos within the organization. Issues such as loss prevention, fraud prevention, business continuity planning, legal/regulatory compliance, and insurance all have physical security and IT security aspects and requirements. So one individual (CSO) overseeing and intertwining these different security disciplines allows for a more holistic and comprehensive security program.

Answer 134

A

Ever heard the popular mantra, “Security is not a product, it’s a process”? The statement is very true. Security should be considered and treated like any another business process—not as its own island, nor like a redheaded stepchild with cooties. (The author is a redheaded stepchild, but currently has no cooties.)

Answer 135

A

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security. Life is full of gray areas, and guidelines can be used as a reference during those times. Whereas standards are specific mandatory rules, guidelines are general approaches that provide the necessary flexibility for unforeseen circumstances.

Answer 136

A

Opinion-based method of analyzing risk with the use of scenarios and ratings.

Answer 137

A

A Social Security number trace
A county/state criminal check
A federal criminal check
A sexual offender registry check
Employment verification
Education verification
Professional reference verification
An immigration check
Professional license/certification verification
Credit report
Drug screening

Answer 138

A

Central Computing and Telecommunications Agency Risk Analysis and Management Method.

Answer 139

A

The board of directors is a group of individuals who are elected by the shareholders of a corporation to oversee the fulfillment of the corporation’s charter. The goal of the board is to ensure the shareholders’ interests are being protected and that the corporation is being run properly. They are supposed to be unbiased and independent individuals who oversee the executive staff’s performance in running the company.

Answer 140

A

The usefulness of data
The value of data
The age of data
The level of damage that could be caused if the data were disclosed
The level of damage that could be caused if the data were modified or corrupted
Legal, regulatory, or contractual responsibility to protect the data
Effects the data has on security
Who should be able to access the data
Who should maintain the data
Who should be able to reproduce the data
Lost opportunity costs that could be incurred if the data were not available or were corrupted

Answer 141

A

In risk analysis, uncertainty refers to the degree to which you lack confidence in an estimate. This is expressed as a percentage, from 0 to 100 percent. If you have a 30 percent confidence level in something, then it could be said you have a 70 percent uncertainty level. Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.

Answer 142

A

Many facets of the responsibilities of personnel fall under management’s umbrella, and several facets have a direct correlation to the overall security of the environment.

Answer 143

A

Balanced SecurityIn reality, when information security is dealt with, it is commonly only through the lens of keeping secrets secret (confidentiality). The integrity and availability threats can be overlooked and only dealt with after they are properly compromised. Some assets have a critical confidentiality requirement (company trade secrets), some have critical integrity requirements (financial transaction values), and some have critical availability requirements (e-commerce web servers). Many people understand the concepts of the AIC triad, but may not fully appreciate the complexity of implementing the necessary controls to provide all the protection these concepts cover. The following provides a short list of some of these controls and how they map to the components of the AIC triad:

Answer 144

A

The chief financial officer (CFO) is responsible for the corporation’s account and financial activities and the overall financial structure of the organization. This person is responsible for determining what the company’s financial needs will be and how to finance those needs. The CFO must create and maintain the company’s capital structure, which is the proper mix of equity, credit, cash, and debt financing. This person oversees forecasting and budgeting and the processes of submitting quarterly and annual financial statements to the SEC and stakeholders.

Answer 145

A

Business management strategy that can be used to carry out process improvement

Answer 146

A

Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.

Answer 147

A

Guideline for information security management in health organizations

Answer 148

A

Control access to assets based on business requirements, user management, authentication methods, and monitoring.

Answer 149

A

Set of internal corporate controls to help reduce the risk of financial fraud developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission

Answer 150

A

Detective administrative control used to uncover potential fraudulent activities.

Answer 151

A

Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.

Answer 152

A

The user is any individual who routinely uses the data for work-related tasks. The user must have the necessary level of access to the data to perform the duties within their position and is responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability to others.

Answer 153

A

It is important to figure out what you are supposed to be doing before you dig right in and start working. Anyone who has worked on a project without a properly defined scope can attest to the truth of this statement. Before an assessment and analysis is started, the team must carry out project sizing to understand what assets and threats should be evaluated. Most assessments are focused on physical security, technology security, or personnel security. Trying to assess all of them at the same time can be quite an undertaking.

Answer 154

A

Automated Risk Analysis MethodsCollecting all the necessary data that needs to be plugged into risk analysis equations and properly interpreting the results can be overwhelming if done manually. Several automated risk analysis tools on the market can make this task much less painful and, hopefully, more accurate. The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. The risk analysis team can also print reports and comprehensive graphs to present to management.

Answer 155

A

I just made all these numbers up.Response: Well, they look impressive.

Answer 156

A

Identify assets and their value to the organization.
Identify vulnerabilities and threats.
Quantify the probability and business impact of these potential threats.
Provide an economic balance between the impact of the threat and the cost of the countermeasure.

Answer 157

A

The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the company’s security policy, standards, and guidelines that pertain to information security and data protection.

Answer 158

A

Hey, custodian, clean up my mess!Response: I’m not that type of custodian.

Answer 159

A

The chief privacy officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties. The CPO often reports to the chief security officer.

Answer 160

A

Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. It is commonly used in product development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break. For example, you might choose to carry out an FMEA on your organization’s network to identify single points of failure. These single points of failure represent vulnerabilities that could directly affect the productivity of the network as a whole. You would use this structured approach to identify these issues (vulnerabilities), assess their criticality (risk), and identify the necessary controls that should be put into place (reduce risk).

Answer 161

A

Preventive administrative control used to ensure one person cannot carry out a critical task alone.

Answer 162

A

Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.

Answer 163

A

Confidential
Private
Sensitive
Public

Answer 164

A

Oh look, this paper tells us what we need to do. I am going to put smiley-face stickers all over it.

Answer 165

A

Costs That Make Up the ValueAn asset can have both quantitative and qualitative measurements assigned to it, but these measurements need to be derived. The actual value of an asset is determined by the importance it has to the organization as a whole. The value of an asset should reflect all identifiable costs that would arise if the asset were actually impaired. If a server cost $4,000 to purchase, this value should not be input as the value of the asset in a risk assessment. Rather, the cost of replacing or repairing it, the loss of productivity, and the value of any data that may be corrupted or lost must be accounted for to properly capture the amount the organization would lose if the server were to fail for one reason or another.

Answer 166

A

Our business processes, data flows, software programs, and network devices are strung together like spaghetti.

Answer 167

A

The British Ministry of Defence Architecture Framework (MODAF) is another recognized enterprise architecture framework based upon the DoDAF. The crux of the framework is to be able to get data in the right format to the right people as soon as possible. Modern warfare is complex, and activities happen fast, which requires personnel and systems to be more adaptable than ever before. Data needs to be captured and properly presented so that decision makers understand complex issues quickly, which allows for fast and hopefully accurate decisions.

Answer 168

A

Putting It TogetherTo perform a risk analysis, a company first decides what assets must be protected and to what extent. It also indicates the amount of money that can go toward protecting specific assets. Next, it must evaluate the functionality of the available safeguards and determine which ones would be most beneficial for the environment. Finally, the company needs to appraise and compare the costs of the safeguards. These steps and the resulting information enable management to make the most intelligent and informed decisions about selecting and purchasing countermeasures.

Answer 169

A

Map of business objectives to security, management’s support, security goals, and responsibilities.

Answer 170

A

Data collection method that happens in an anonymous fashion.

Answer 171

A

To perform effective cost/benefit analyses
To select specific countermeasures and safeguards
To determine the level of insurance coverage to purchase
To understand what exactly is at risk
To comply with legal and regulatory requirements

Answer 172

A

Another approach is risk mitigation, where the risk is reduced to a level considered acceptable enough to continue conducting business. The implementation of firewalls, training, and intrusion/detection protection systems or other control types represent types of risk mitigation efforts.

Answer 173

A

Each business unit should have a data owner who protects the unit’s most critical information. The company’s policies must give the data owners the necessary authority to carry out their tasks.

Answer 174

A

Fire, water, vandalism, power loss, and natural disasters

Answer 175

A

The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to greater than 1 (several times a year) and anywhere in between. For example, if the probability of a fire taking place and damaging our data warehouse is once every ten years, the ARO value is 0.1.

Answer 176

A

Approach to map specific flaws to root causes in complex systems.

Answer 177

A

Presence of a vulnerability, which exposes the organization to a threat.

Answer 178

A

Application OwnerSome applications are specific to individual business units—for example, the accounting department has accounting software, R&D has software for testing and development, and quality assurance uses some type of automated system. The application owners, usually the business unit managers, are responsible for dictating who can and cannot access their applications (subject to staying in compliance with the company’s security policies, of course).

Answer 179

A

Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard. A company may choose to take on total risk if the cost/benefit analysis results indicate this is the best course of action. For example, if there is a small likelihood that a company’s web servers can be compromised, and the necessary safeguards to provide a higher level of protection cost more than the potential loss in the first place, the company will choose not to implement the safeguard, choosing to deal with the total risk.

Answer 180

A

A. It is referred to as the health informatics, and its purpose is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation of ISO/IEC 27002.

Answer 181

A

Full risk amount before a control is put into place. Threats × vulnerabilities × assets = total risk.

Answer 182

A

An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users’ passwords captured and used in an unauthorized manner. If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.

Answer 183

A

Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.

Answer 184

A

Guideline for information and communications technology readiness for business continuity

Answer 185

A

One consultant said this threat could cost us $150,000, another consultant said it was red, and the audit team assigned it a four. Should we be concerned or not?

Answer 186

A

Chief Privacy OfficerThe chief privacy officer (CPO) is a newer position, created mainly because of the increasing demands on organizations to protect a long laundry list of different types of data. This role is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and hopefully out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties. The CPO often reports to the chief security officer.

Answer 187

A

I came up with the solution to world peace, but then I forgot it.Response: Write it down on this napkin next time.

Answer 188

A

The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others’ thought processes and enables them to participate in an independent and anonymous way. Each member of the group provides his or her opinion of a certain threat and turns it in to the team that is performing the analysis. The results are compiled and distributed to the group members, who then write down their comments anonymously and return them to the analysis group. The comments are compiled and redistributed for more comments until a consensus is formed. This method is used to obtain an agreement on cost, loss values, and probabilities of occurrence without individuals having to agree verbally.

Answer 189

A

We have our architecture. Now what do we put inside it?Response: Marshmallows.

Answer 190

A

As you will see in the following sections, various profit and nonprofit organizations have developed their own approaches to security management, security control objectives, process management, and enterprise development. We will examine their similarities and differences and illustrate where each is used within the industry.

Answer 191

A

The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional it is your responsibility to know which is the best approach for your organization and its needs.

Answer 192

A

The reason a company implements countermeasures is to reduce its overall risk to an acceptable level. As stated earlier, no system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk.

Answer 193

A

Strict and granular access control for all levels of sensitive data and programs (see Chapter 3 for coverage of access controls, along with file system permissions that should be understood)
Encryption of data while stored and while in transmission (see Chapter 7 for coverage of all types of encryption technologies)
Auditing and monitoring (determine what level of auditing is required and how long logs are to be retained)
Separation of duties (determine whether two or more people must be involved in accessing sensitive information to protect against fraudulent activities; if so, define and document procedures)
Periodic reviews (review classification levels, and the data and programs that adhere to them, to ensure they are still in alignment with business needs; data or applications may also need to be reclassified or declassified, depending upon the situation)
Backup and recovery procedures (define and document)
Change control procedures (define and document)
Physical security protection (define and document)
Information flow channels (where does the sensitive data reside and how does it transverse the network)
Proper disposal actions, such as shredding, degaussing, and so on (define and document)
Marking, labeling, and handling procedures

Answer 194

A

We have this ladder, some rubber bands, and this Band-Aid.Response: Okay, we are covered.

Answer 195

A

A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the company’s assets (senior management) are driving the program. Senior management are not only ultimately responsible for the protection of the organization, but also hold the purse strings for the necessary funding, have the authority to assign needed resources, and are the only ones who can ensure true enforcement of the stated security rules and policies. Management’s support is one of the most important pieces of a security program. A simple nod and a wink will not provide the amount of support required.

Answer 196

A

Product Line ManagerWho’s responsible for explaining business requirements to vendors and wading through their rhetoric to see if the product is right for the company? Who is responsible for ensuring compliance to license agreements? Who translates business requirements into objectives and specifications for the developer of a product or solution? Who decides if the company really needs to upgrade their operating system version every time Microsoft wants to make more money? That would be the product line manager.

Answer 197

A

This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.

Answer 198

A

Firewalls
Intrusion detection system
Intrusion prevention systems
Antimalware
Access control
Encryption

Answer 199

A

Chief Information OfficerOn a lower rung of the food chain is the chief information officer (CIO). This individual can report to the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in many organizations. CIOs oversee and are responsible for the day-in-day-out technology operations of a company, but because organizations are so dependent upon technology, CIOs are being asked to sit at the big boys’ corporate table more and more.

Answer 200

A

This type of policy ensures that the organization is following standards set by specific industry regulations (HIPAA, GLBA, SOX, PCI-DSS, etc.). It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries.

Answer 201

A

Model for the development of enterprise architectures developed by John Zachman

Answer 202

A

Our policies are very informative and look very professional.Response: Doesn’t matter. Nobody cares.

Answer 203

A

U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals

Answer 204

A

Accidental or intentional action or inaction that can disrupt productivity

Answer 205

A

Data AnalystHaving proper data structures, definitions, and organization is very important to a company. The data analyst is responsible for ensuring that data is stored in a way that makes the most sense to the company and the individuals who need to access and work with it. For example, payroll information should not be mixed with inventory information, the purchasing department needs to have a lot of its values in monetary terms, and the inventory system must follow a standardized naming scheme. The data analyst may be responsible for architecting a new system that will hold company information, or advise in the purchase of a product that will do so.

Answer 206

A

Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices.

Answer 207

A

Guidelines for bodies providing audit and certification of information security management systems

Answer 208

A

Fence
Locked external doors
Closed-circuit TV
Security guard
Locked internal doors
Locked server room
Physically secured computers (cable locks)

Answer 209

A

Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.

Answer 210

A

John Rigas, the CEO of Adelphia Communications Corp., was sentenced to 15 years in prison for his role in the looting and debt-hiding scandal that pummeled the company into bankruptcy. His son, who also held an executive position, was sentenced to 20 years.

Answer 211

A

Business Architecture
Data Architecture
Applications Architecture
Technology Architecture

Answer 212

A

The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

Answer 213

A

The risk analysis team should have clearly defined goals. The following is a short list of what generally is expected from the results of a risk analysis:

Answer 214

A

One instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset. Asset Value × Exposure Factor = SLE.

Answer 215

A

Approach that dissects a component into its basic functions to identify flaws and those flaws’ effects.

Answer 216

A

Create and maintain an organizational security structure through the use of a security forum, a security officer, defining security responsibilities, authorization processes, outsourcing, and independent reviews.

Answer 217

A

The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.

Answer 218

A

Does security take place in silos throughout the organization?
Is there a continual disconnect between senior management and the security staff?
Are redundant products purchased for different departments for overlapping security needs?
Is the security program made up of mainly policies without actual implementation and enforcement?
When user access requirements increase because of business needs, does the network administrator just modify the access controls without the user manager’s documented approval?
When a new product is being rolled out, do unexpected interoperability issues pop up that require more time and money to fix?
Do many “one-off” efforts take place instead of following standardized procedures when security issues arise?
Are the business unit managers unaware of their security responsibilities and how their responsibilities map to legal and regulatory requirements?
Is “sensitive data” defined in a policy, but the necessary controls are not fully implemented and monitored?
Are stovepipe (point) solutions implemented instead of enterprise-wide solutions?
Are the same expensive mistakes continuing to take place?
Is security governance currently unavailable because the enterprise is not viewed or monitored in a standardized and holistic manner?
Are business decisions being made without taking security into account?
Are security personnel usually putting out fires with no real time to look at and develop strategic approaches?
Are security efforts taking place in business units that other business units know nothing about?
Are more and more security personnel seeking out shrinks and going on antidepressant or anti-anxiety medication?

Answer 219

A

Sharing trade secrets, fraud, espionage, and theft

Answer 220

A

Individual responsible for the protection and classification of a specific data set.

Answer 221

A

Now that we built this thing, how do we manage it?Response: Try kicking it.

Answer 222

A

Enterprise Architectures: Scary BeastsIf these enterprise architecture models are new to you and a bit confusing, do not worry; you are not alone. While enterprise architecture frameworks are great tools to understand and help control all the complex pieces within an organization, the security industry is still maturing in its use of these types of architectures. Most companies develop policies and then focus on the technologies to enforce those policies, which skips the whole step of security enterprise development. This is mainly because the information security field is still learning how to grow up and out of the IT department and into established corporate environments. As security and business truly become more intertwined, these enterprise frameworks won’t seem as abstract and foreign, but useful tools that are properly leveraged.

Answer 223

A

When looking at the business enablement requirement of the security enterprise architecture, we need to remind ourselves that companies are in business to make money. Companies and organizations do not exist for the sole purpose of being secure. Security cannot stand in the way of business processes, but should be implemented to better enable them.

Answer 224

A

On a lower rung of the food chain is the chief information officer (CIO). This individual can report to the CEO or CFO, depending upon the corporate structure, and is responsible for the strategic use and management of information systems and technology within the organization. Over time, this position has become more strategic and less operational in many organizations. CIOs oversee and are responsible for the day-in-day-out technology operations of a company, but because organizations are so dependent upon technology, CIOs are being asked to sit at the big boys’ corporate table more and more.

Answer 225

A

Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce

Answer 226

A

A security steering committee is responsible for making decisions on tactical and strategic security issues within the enterprise as a whole and should not be tied to one or more business units. The group should be made up of people from all over the organization so they can view risks and the effects of security decisions on individual departments and the organization as a whole. The CEO should head this committee, and the CFO, CIO, department managers, and chief internal auditor should all be on it.

Answer 227

A

Cost to acquire or develop the asset
Cost to maintain and protect the asset
Value of the asset to owners and users
Value of the asset to adversaries
Price others are willing to pay for the asset
Cost to replace the asset if lost
Operational and production activities affected if the asset is unavailable
Liability issues if the asset is compromised
Usefulness and role of the asset in the organization

Answer 228

A

Only by reassessing the risks on a periodic basis can a statement of safeguard performance be trusted. If the risk has not changed, and the safeguards implemented are functioning in good order, then it can be said that the risk is being properly mitigated. Regular IRM monitoring will support the information security risk ratings.

Answer 229

A

Calculating the value of a control. (ALE before implementing a control) – (ALE after implementing a control) – (annual cost of control) = value of control.

Answer 230

A

The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. And the data owner will deal with security violations pertaining to the data she is responsible for protecting. The data owner, who obviously has enough on her plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.

Answer 231

A

The classifications listed in the table are commonly used in the industry, but there is a lot of variance. An organization first must decide the number of data classifications that best fit its security needs, then choose the classification naming scheme, and then define what the names in those schemes represent. Company A might use the classification level “confidential,” which represents its most sensitive information. Company B might use “top secret,” “secret,” and “confidential,” where confidential represents its least sensitive information. Each organization must develop an information classification scheme that best fits its business and security needs.

Answer 232

A

A security control must make good business sense, meaning it is cost-effective (its benefit outweighs its cost). This requires another type of analysis: a cost/benefit analysis. A commonly used cost/benefit calculation for a given safeguard (control) is:

Answer 233

A

Should we map and integrate all of our security efforts with our business efforts?Response: No, we are more comfortable with chaos and wasting money.

Answer 234

A

Australia and New Zealand business risk management assessment approach.

Brainscape's Knowledge GenomeTM

CHAPTER 2_Information Security Governance and Risk Management Flashcards

Brainscape's Knowledge Genome^TM