Chapter 3 - Info Sec Governance & Risk Management Flashcards
ITGI
IT Governance Institute defines IT governance as being the responsibility of the board of directors and executive management
Executive Management
maintains the overal responsibility for protection of the information assets. - Must be aware of risks that they are accepting
Security Officer
responsible for design, implementation, management, and review of the organization’s security policies, standards, procedures, baselines, and guidlines.
Information Systems Security Professional
drafting of policies, standards, guidelines and baselines is coordinated through these individuals.
Data/Information/Business Owners
assign appropriate classification to information assets. ensure business information is protected with appropriate controls. Need to determine the criticality, sensitivity, retention, backups and safeguards for the information. need to understand risks for information that they control.
Data/Information Custondian/Steward
takes care of the information on behalf of the owner. This group administers rights to the information assets.
Information Systems Auditor
determine compliance with policy, procedures, standards, baselines, designs, architectures, management direction and other requirements placed on systems. Provide top management with an independent view of controls and their effectiveness.
Business Continuity Planner
develop contigency plans. ensures business process can continue through the disaster and coordinates those activities with the buisness areas and information technology personnel responsible for disaster recovery.
Information Systems/Information Technology Professionals
responsible for designing security controls into information systems, testing the controls, and implementing the systems in production through agreed upon policies and procedures
Security Administrator
manages the user acces request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. Has elevated privileges and creates and deletes accounts and access permissions. Maintains records
Network/System Administrator
configures network and server hardware and the operating system, ensuring informaion is available and accessible
Physical Security
establish relationships with external law enforcement to assist in investigations. Manage the installation, maintenance and ongoin operation of the closed circuit television, burglar alarms, card reader access. Act as a deterrent to unauthorized access
Administrative Assistants/Secretaries
be subject to social engineering attacks
Help desk administrator
ususally where first security incidents will be seen. Contacts Computer Security Incident response team (CIRT). Reswet passwords, tokens and smart cards
Safe Harbor Provision
“good faith” conditions
Control Frameworks
Must be Consistent. meaurable, standardized, comprehensive, and modular
European Data Protection Directive
compliance with a legal action, protect life of subject, subject provided consent, performed within the scope of public interest and the law. NIST 800-3 ISO 27001
Due Care
care a reasonable person would exercise, lack is negligence
Due dilligence
measure made to avoid harm to other persons or property
Guidelines for writing security policies
formally define a policy creation and policy maintenance practice; policies should survive for two or three years; do not be too specific; use forceful wording; do not include technical implementation details; keep each policy as short as possible; provide references to supporting documents; thoroughly review; conduct management review and sign-off, employees should acknowledge policies; do not use jargon; review incidents and adjust policies; periodically review; define exception rules;and sanctions for non-compliance
Spanning Tree Analysis
creates a tree of all possible threat or faults of the system
VAR
Value at risk
Threat types
Human; Natural; Technical, Physical, Environmental, and Operational
When determining the value of an intagible asset which is sthe BEST apprach? A. Determine the physical storage cost and multiply by the expected life of the compancy B. With the assistance of finance of accounting professional determine how much profit the asset has returned C. Review the depreciation of the intangible asset over the past three years D. Use teh historical acquisition or development cost of the intangible asset
B. With the assistance of finance of accounting professional determine how much profit the asset has returned
Qualitative risk assessment is earmarked by which of the following? A. Ease of implementation and it can be completed by Personnel with a limited understanding of the risk assessment process B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics for calculation of risk C. Detailed metrics used for calculation of risk and ease of implementation D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk
A. Ease of implementation and it can be completed by Personnel with a limited understanding of the risk assessment process
Single loss expectancy is calculated by using: A. Asset value an annulaized rate of occurrence (ARO) B. Asset value, local annual frequeny estimate (LAFE) and standard annual frequency estimate (SAFE) C. Asset value and exposure factor D. Local annual frequency estimate and annualized rate of occurrence
C. Asset value and exposure factor
Consideration for which the type of risk assessment to perform includes all of the following: A. Culture of the organization, liklihood of exposure and budget B. Budget, capabilities of resources, and liklihood of exposure C. Capabilities of resources, liklihood of exposure and budget D. Culture of the organization, budget, capabilities and resources
D. Culture of the organization, budget, capabilities and resources
Security awareness training includes A. Legislated secuirty compliance objectives B. Security roles and responsibilities for staff C. The high-level outcome of vulnerability assessments D. Specialilzed curriculum assignments, course work and an accredited institution
B. Security roles and responsibilities for staff
A signed user acknowledgment of the corporate security policy A. Ensures that users have read the policy B. Esures that users understand the policy, as well as the consequences for not following the policy C. Can be waived if the organization is satisfied that users have an adequate understanding of the policy D. Helps to protect the orgainzation if a user’s behavior violates the policy
D. Helps to protect the orgainzation if a user’s behavior violates the policy
Effective security management A. Achieves security at the lowest cost B. Reduces risk to an acceptable level C. Prioritizes security for new products D. Installs patches in a timely manner
B. Reduces risk to an acceptable level
Availability makes information accessible by protecting it from A. Denail of services, fires, floods, hurricanes, and unauthorized transactions B. Fires, floods, hurricanes, unauthorized transactions and unreadable backup tapes C. Unauthorized transactions, fires, floods, hurricanes and unreadable backup tapes D. Denial of Services, fires, floods, and hurricanes and unreadable backup tapes
D. Denial of Services, fires, floods, and hurricanes and unreadable backup tapes
To avoid bias the security officer could report to any of the following A. CEO, application development or CFO B. CIO, CFO or application development C. CFO, CEO, or CIO D. Application development, CFO or CEO
C. CFO, CEO, or CIO
Tactical security plans are best used to A. Establish high-level security policies B. Enable enterprise/entity-wide security management C. Reduce Downtime D. Deploy new security technology
D. Deploy new security technology
Who is accountable for implementing information security A. Everyone B. Senior Managment C. Security Officer D. Data owners
C. Security Officer
Security is likely to be most expensive when addressed in which phase A. Design B. Rapid prototyping C. Testing D. Implementation
D. Implementation
Information systems auditors help the organization A. Mitigate compliance issues B. Establish an effective control enviornment C. Identify control gaps D. Address information technology for financial statements
C. Identify control gaps
Long duration security projects A. Provide greater organizational value B. Increase return on Investment C. Minimize risk D. Increase completion risk
D. Increase completion risk
Setting clear security roles has the following benefits A. Establishes personal accountability, reduces cross-training requirements and reduces departmental turf battles B. Enables continuous improvement, reduces cross-training requirements and reduces departmental turf battles C. Establishes personal accountability, establishes continuous improvement and reduces turf battles D. Reduces departmental turf battles, reduces cross-training requirements and establishes personal accountability
C. Establishes personal accountability, establishes continuous improvement and reduces turf battles
Well-written security program policies are best reviewed A. At least annually or at pre-determined organization changes B. After major project implementation C. When application or operating systems are updated D. When procedures need to be modified
A. At least annually or at pre-determined organization changes
Orally obtaining a password from an employee is the result of A. Social engineering B. Weak authentication methods C. Ticket-granting server authorization D. Voice recognition software
A. Social engineering
A security policy which will remain relevant and meaningful over time includes the following A. Directive words such as shall, must, or will, technical specifications and is short in length B. Defined policy development process, short in length and contains directive words such as shall, must or will C. Short in length, technical specifications and contain directive words such as shall, must or will D. Directive words such as shall, must, or will, defined policy development process and is short in length
D. Directive words such as shall, must, or will, defined policy development process and is short in length
The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendor violates which concept A. A well-formed transaction B. Separation of Duties C. Least privilege D. Data Sensitivity level
B. Separation of Duties
Collusion is best mitigated through A. Job rotation B. Data classification C. Defining job sensitivity label D. Least privilege
A. Job rotation
Data access decisions are best made by A. User managers B. Data owners C. Senior management D. Application developers
B. Data owners