Chapter 4: Governance and Risk Management

Question 1

Security Programme

Answer 1

An ongoing management activity for the preservation and advancement of the organization

Question 2

Most crucial element in a programme

Answer 2

Policies

Question 3

Charter

Answer 3

Top of the policies and standards library; usually built by management; another word for a programme level policy

Question 4

Policy informational elements (best practice)

Answer 4

Title,
Purpose
Authorizing individual,
Author,
Other policy references,
Scope,
Measurement expectations,
Exception process,
Accountability,
Compliance management (and measurements description)
Effective/expiration dates,
Definitions

Question 5

Programme level policy

Answer 5

Management sponsored “mission statement”

Question 6

Programme framework policy

Answer 6

Describes the elements and organization of the program and department(s) that will carry out the programme level policy

Question 7

Issue specific policy

Answer 7

Addresses specific issues or sets of issues of concern to the organization. Can be regulatory or compliance oriented

Question 8

System specific policy

Answer 8

Focuses on a specific system, such as an access system, a particular piece of equipment, or legacy items

Question 9

PLP Purpose

Answer 9

Defines goals of the program and structure. My designate high level departments or offices

Question 10

PLP Scope

Answer 10

Specifies which resources, information, and personnel are covered

Question 11

PLP Responsibilities

Answer 11

Addresses which officials, offices, owners, and users are responsible for which tasks and own which information and to what degree

Question 12

PLP Compliance

Answer 12

Authorizes creation of guidelines for penalties or disciplinary actions for those who do not fulfill their responsibilities

Must account for both willful and unwillful noncompliance

Question 13

PFP - Descriptive Points

Answer 13

More stable long term than an issue specific policy
Can address multiple semi related issues in one shot
Examples include business continuity planning, application development security frameworks, physical security requirements for data centers, etc

Question 14

ISP- Issue Statement

Answer 14

Defines the issue and includes any relevant terms, distinctions, or conditions

Question 15

ISP - Position

Answer 15

States an organization’s position clearly on the issue

Question 16

ISP - Applicability

Answer 16

States when, where, how, to whom and to what a particular policy applies

Question 17

ISP - Roles and Responsibilities

Answer 17

Assigns roles and responsibilities within the issue

Question 18

ISP - Compliance

Answer 18

Describes penalties and disciplinary actions in cases of violation. May require coordination with collective bargaining bodies.

Question 19

ISP - Points of Contact and Supplemental Info

Answer 19

Lists who to talk to if more information is required or if an issue requires an interaction (a manager, administrator, etc)

Question 20

Security Objectives

Answer 20

Series of statements to describe meaningful actions about specific resources; connected to

Question 21

Operational Security

Answer 21

Nuts and bolts of who can access which things and when

Question 22

Formal policies

Answer 22

Security role assignments, access lists, anything controversial

Question 23

Policy implementation

Answer 23

Requires both hardware and software as well as the human element… how do you actually achieve the granular level of the thing you want?

Question 24

Regulations

Answer 24

Laws passed by regulators or lawmakers (GLBA,HIPAA, etc)

Question 25

Standards and baselines

Answer 25

Topic specific (standards) or system specific (baselines) that describe how to achieve a particular security state; NIST, etc. What auditors are looking for when they audit a company

Question 26

Guidelines

Answer 26

Best practices (often from industry) in implementing a preferred state of security

Question 27

Procedures

Answer 27

Step by step instructions for a process; ensures repeatability

Question 28

ISO/IEC 17799

Answer 28

Common set of standards used to describe domains similarly to CISSP; suggestive in nature

Question 29

British Standard 7799

Answer 29

More specific that ISO/IEC 17799; places specific dictates about how to meet general principles or areas of responsibility

Question 30

Control Objectives for Information and Related Technology (COBIT)

Answer 30

Standards preferred by many IT auditors

Question 31

Public information

Answer 31

Marketing content on a website, directories of contact information, published reports

Question 32

Business sensitive/confidential

Answer 32

Comapny directories, GALs, internal policies, invoice info

Question 33

Customer confidential

Answer 33

Any customer PII, SSN, credit card numbers, account activity, purchase activity, grades

Question 34

Trade secret

Answer 34

Secret recipes, disciplinary actions, proprietary info

Question 35

Quantitative Risk Analysis

Answer 35

Independent set of risk metrics and statistics

Question 36

Annualized Loss Expectancy (ALE)

Answer 36

Single loss expectency (SLE) multiplied by annual rate of occurance (ARO)

Question 37

Qualitative Risk Analysis

Answer 37

Uses only estimates of potential loss and takes into account Threats, Vulnerabilities, and Controls

Question 38

Threats (QRA)

Answer 38

Things that can go wrong or attack the system; always exists, can’t be eliminated

Question 39

Vulnerabilities (QRA)

Answer 39

Makes a system more prone to attack or more likely to see a threat realized (combustible paper in a flammable zone, for example)

Question 40

Controls (QRA)

Answer 40

Countermeasures for vulnerabilities; consist of deterrents, preventatives, correctives, detectives, and recoveries

Question 41

Risk

Answer 41

Exists when there is the presence of a threat, a corresponding vulnerability, and the likelihood that someone will exploit them both

Question 42

Three questions Risk Analysis asks

Answer 42

What am I trying to protect?
What is threatening my system?
How much time, effort and money am I willing to spend