Chapter 6: Risk and Personnel Management Flashcards
Define documentation review.
Documentation review is the process of reading the exchanged materials and verifying them against standards and expectations. This refers to security documentation in an audit.
What is ATO?
Authority to operate
What can often be the consequence of providing insufficient documentation to meet the requirements of third-party governance in an audit?
Failing to provide sufficient documentation to meet the requirements of third-party governance.
What happens if you lose your ATO?
Generally, a full documentation review is required, along with an on-site review showing full compliance.
Why is understanding risk management concepts important?
It’s on the CISSP exam. It’s also essential to the establishment of a sufficient security stance, proper security governance, and legal proof of due care and due diligence.
What is the primary goal of risk management?
Reducing risk to an acceptable level.
Define asset.
An asset is anything within an environment that should be protected.
What can the loss or disclosure of an asset cause?
An overall security compromise, loss of productivity, reduction in profits, additional expenditures, discontinuation of the organization, and numerous intangible consequences.
Define asset valuation.
A dollar value assigned to an asset based on actual cost and nonmonetary expenditures.
Define threats.
Any potential occurrence that may cause an undesirable or unwanted outcome for an organization for a specific asset. Can be intentional or accidental. Threat agents are usually people, but can be other things, such as fire or earthquakes.
Define vulnerability.
The weakness in an asset, or the absence or weakness of a safeguard or countermeasure. A flaw, loophole, oversight, error, limitation, frailty, or susceptibility in the IT infrastructure or any other aspect of an organization.
Define exposure.
Being susceptible to asset loss because of a threat.
Define risk.
The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
risk = threat * vulnerability
Define safeguard.
Anything that removes or reduces a vulnerability or protects against one or more specific threats. Also called a countermeasure.
Define attack.
The exploitation of a vulnerability by a threat agent. Any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets.
Define breach.
The occurrence of a security mechanism being bypassed or thwarted by a threat agent.
Asset valuation details
p 246
What are the six steps of quantitative risk analysis?
- Inventory assets and assign value
- Produce a list of all possible threats for each asset, calculate the exposure factor (EF) and single loss expectancy (SLE)
- Perform a threat analysis to calculate the likelihood of each threat being realized per year, i.e. the annualized rate of occurrence (ARO)
- Derive overall loss potential per threat by calculating the annualized loss expectancy (ALE)
- Research countermeasures for each threat, calculate changes to ARO and ALE based on an applied countermeasure
- Perform a cost/benefit analysis of each countermeasure and select the most appropriate
What is exposure factor?
The percentage of loss that an organization would experience if a specific asset were violated by a realized risk. Assets aren’t necessarily completely lost (100%) when compromised; they may just become less valuable.
What is Single Loss Expectancy?
The cost associated with a single realized risk against a specific asset. SLE = asset value (AV) * exposure factor (EF), and is a dollar value.
What is Annualized Rate of Occurrence?
The expected frequency with which a specific threat or risk will occur within a single year. Can range from 0 upward; a value greater than 1 means the risk occurs on average more than once per year.
What is Annualized Loss Expectancy?
The possible yearly cost of all instances of a specific realized threat against a specific asset.
ALE = SLE * ARO
What is a hybrid risk assessment?
One that uses quantitative as well as qualitative approaches.
List techniques that can be used to perform qualitative risk analysis.
Brainstorming, Delphi technique, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, interviews.
What is a scenario?
A written description of a single major threat.
Table on 254
.
What is the Controls Gap?
The difference between total risk and residual risk. The amount of risk that is reduced by implementing safeguards.
What are the four possible responses to risk?
Reduce or mitigate
Assign or transfer
Accept
Reject or ignore
What is risk mitigation?
Implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Also risk avoidance, which is eliminating the risk cause (removing FTP to avoid FTP attacks).
What is risk assignment?
Placement of the cost of loss a risk represents onto another entity or organization. This includes buying insurance.
What is risk acceptance?
Management's evaluation of the cost/benefit analysis and determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to the risk. Management agrees to accept the consequences.
What is risk rejection?
Denying that the risk exists.
What is residual risk?
The risk that remains after countermeasures are applied.
What is the formula for total risk?
total risk = threats * vulnerabilities * asset value
List elements of constructing job descriptions which support personnel security.
Separation of duties
Job responsibilities
Job rotation
What is separation of duties?
Dividing critical, significant, and sensitive work tasks among several individuals, preventing any one person from having the ability to undermine or subvert vital security mechanisms. Protects against collusion.
What are job responsibilities, and how do they support personnel security?
The specific work tasks an employee is required to perform on a regular basis. Used with least privilege. Your job responsibilities determine your access.
What is job rotation?
Rotating employees among job positions. Provides knowledge redundancy. Reduces risk of fraud, data modification, theft, sabotage, information misuse.
Why is reviewing a person’s online identity useful?
It can give insight into a person’s attitude, intelligence, loyalty, common sense, diligence, honesty, respect, consistency, and adherence to social norms or corporate culture.
What is a Service Level Agreement?
AKA SLA. A document that defines levels of performance, expectation, compensation and consequences for entities, persons, or organizations that are external to the primary organization.
List the issues commonly addressed in an SLA.
system uptime (%)
peak load
average load
maximum consecutive downtime (seconds/minutes)
responsibility for diagnostics
failover time (if redundancy is in place)