D1: Information Security Governance and Risk Management Flashcards
Integrity
Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented
Availability
Reliable and timely access to data and resources is provided to authorized individuals
Confidentiality
Necessary level of secrecy is enforced and unauthorized disclosure is prevented
List some controls for Availability
- redundant array of inexpensive disks (RAID)
- clustering
- load balancing
- redundant data and power lines
- software and data backups
- disk shadowing
- co-location and off-site facilities
- roll-back functions
- fail-over configurations
Name some controls for Integrity
- hashing (data integrity)
- configuration management (system integrity)
- Change control (process integrity)
- access control (physical and technical integrity)
- software digital signing
- transmission CRC functions
Name some controls for confidentiality
- encryption for data at rest (whole disk, database encryption)
- encryption for data in transit (IPSec, SSL, PPTP, SSH)
- access controls (physical and technical)
VULNERABILITY
Weakness or a lack of a countermeasure
i.e.: service running on a server; unpatched application or OS; unrestricted wireless access point; open port on firewall; lax physical security; unenforced password mgt. on servers/workstations
THREAT AGENT
Entity that can exploit a vulnerability
(i.e.: intruder accessing the network through a port on the FW; a process accessing data in a way that violates the security policy; a tornado wiping out a facility; employee making an unintentional mistake)
THREAT
The danger of a threat agent exploiting a vulnerability
(someone or something will identify a specific vulnerability and use it against the company/individual)
RISK
the probability of a threat agent exploiting a vulnerability and the associated impact.
(if FW has several ports open, higher likelihood an intruder will access; if users are not educated on processes/procedures, there is a higher likelihood that an employee will destroy data; if IDS is not implemented, higher likelihood an attack will go unnoticed)
CONTROL
Safeguard that is put in place to reduce a risk; also called a countermeasure
EXPOSURE
Presence of a vulnerability which exposes the organization to a threat
(i.e.: if PW mgt is lax, company is exposed; does not have its wiring inspected; exposed to devastating fires)
CONTROL
Countermeasure that is put into place to mitigate (reduce) the potential risk
What are the three main types of controls?
1 - Administrative Controls (soft controls)
2 - Technical Controls (aka logical controls)
3 - Physical Controls
Describe administrative controls
Management oriented: i.e. security documentation; risk management; personnel security; training
Describe technical controls
software/hardware components (i.e. FWs, IDS, encryption, identification and authentication mechanisms)
Describe physical controls
items put into place to protect facility, personnel, resources (i.e. security guards, locks, fencing)
Name the different functionalities of the security controls
1 - preventative 2 - detective 3 - corrective 4 - deterrent 5 - recovery 6 - compensating
DETERRENT CONTROL
Intended to discourage a potential attacker
PREVENTATIVE
Intended to avoid an incident from occurring
CORRECTIVE CONTROL
Fixes components or systems after an incident has occurred
RECOVERY CONTROL
Intended to bring the environment back to regular operations
DETECTIVE CONTROL
Helps identify an incident’s activities and potentially an intruder
COMPENSATING CONTROL
Controls that provide an alternative measure of control
What you can’t ____, you should be able to ___, and if you ____ something, it means you weren’t able to _____ it, and therefore you should take _____ ___ to make sure it is indeed ___ the next time around.
prevent; detect; detect; prevent; corrective action; prevented
Examples of Preventive Administrative Controls
- policies and procedures
- effective hiring practices
- pre-employment background checks
- controlled termination processes
- data classification and labeling
- security awareness
Examples of Preventative Physical controls
Badges, swipe cards
Guards, dogs
Fences, locks, mantraps
What is BS 7799 and its significance?
British Standard 7799, developed in 1995 by the UK government to outline how an information security management system (ISMS; aka security program) should be built and maintained. Was the basis of the ISO/IEC 27000 series
ISO
International Organization for Standardization
IEC
International Electrotechnical Commission
The objectives of security are to provide
Availability, integrity, and confidentiality protection to data and resources
CoBIT
a framework of control objectives that allows for IT governance
ISO/IEC 27001
The standard for the establishment, implementation, control, and improvement of the information security management system
Enterprise architecture frameworks are used to:
develop architectures for specific stakeholders and present information in views
ISMS
Information security management system: a coherent set of policies, processes, and systems to manage risks to information assets, outlined in ISO/IEC 27001
Enterprise security architecture
A subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment
BLUEPRINTS
Functional definitions for the integration of technology into business processes
Enterprise architecture frameworks are used to build…
individual architectures that best map to individual organizational needs and business drivers
Zachman
an enterprise architecture framework
SABSA
Security enterprise architecture framework
COSO
A governance model used to help prevent fraud within a corporate environment
ITIL
A set of best practices for IT service management
Six Sigma
Used to identify defects in processes so that the processes can be improved upon
CMMI
A maturity model that allows for processes to improve in an incremental and standard approach
Security enterprise architecture should tie in (4):
1 - strategic alignment
2 - business enablement
3 - process enhancement
4 - security effectiveness
What control categories does NIST 800-53 use?
1 - technical
2 - management
3 - operational
OCTAVE
A team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector
Security management should work from - - -
the top down (from senior management down to the staff)
Risk can be:
transferred, avoided, reduced, or accepted
A x B x C = total risk
threats x vulnerability x asset value = total risk
(threats x vulnerability x asset value) x __ = residual risk
(threats x vulnerability x asset value) x controls gap = residual risk
State the main goals of risk analysis
1) identify assets and assign values to them
2) identify vulnerabilities and threats
3) quantify the impact of potential threats
4) provide an economic balance between the impact of the risk and the cost of the safeguards
FMEA
Failure Modes and Effect Analysis.
A method for determining functions, identifying functional failures, and assessing the causes of failures and the failure effects through a structured process
When would you use a fault tree analysis?
To detect failures that can take place within complex environments and systems
Describe quantitative risk analysis
Attempts to assign monetary values to components within the analysis
Is a purely quantitative risk analysis possible?
No, because qualitative items cannot be quantified with precision
Why is capturing the degree of uncertainty when carrying out a risk analysis important?
because it indicates the level of confidence the team and management should have in the resulting figures
When should automated risk analysis tools be used?
to estimate future expected losses and calculate the benefits of different security measures
___ x ___ = annualized loss expectancy
single loss expectancy x frequency per year = annualized loss expectancy (SLE x ARO = ALE)
Qualitative risk analysis uses _ and _ instead of numbers
judgement; intuition; numbers
Qualitative risk analysis involves people with….
the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience
DELPHI TECHNIQUE
A group decision method where each group member can communicate anonymously
When choosing the right safeguard to reduce a specific risk, the _, _, and _ must be evaluated and a cost/benefit analysis performed.
cost; functionality; effectiveness
SECURITY POLICY
A statement by management dictating the role security plays in the organization
PROCEDURES
detailed step-by-step actions that should be followed to achieve a certain task
STANDARDS
Documents that outline rules that are compulsory in nature and support the organization’s security policies
BASELINE
minimum level of security
GUIDELINES
Recommendations and general approaches that provide advice and flexibility
Job rotation is a _ _ control to detect fraud
detective administrative
Mandatory vacations are a _ _ control type that can help detect _ activities.
detective administrative control type that can help detect fraudulent activities
SEPARATION OF DUTIES
ensures no single person has total control over a critical activity or task.
Separation of duties is a _ _ control
preventative administrative
Split knowledge and dual control are two aspects of _ _ _.
separation of duties
Who specifies the classification of data?
data owners
Who implements and maintains controls to enforce the set classification levels?
Data custodians
Security has functional requirements, which define the _ _ _ _ _ _ _ , and assurance requirements which establish _ _ _ _ _ _ _ .
functional requirements: define the expected behavior from a product or system
assurance requirements: establish confidence in the implemented products or systems overall
Management must: (5)
1 - define the scope and purpose of the security management
2 - provide support
3 - appoint a security team
4 - delegate responsibility
5 - review the team's findings
Who should be included in the risk management team?
individuals from different departments within the organization; not just technical personnel
SOCIAL ENGINEERING
A nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual
PII
Personal identification information is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected
SECURITY GOVERNANCE
A framework that provides oversight, accountability, and compliance
ISO/IEC 27004:2009
An international standard for information security measurement management
NIST 800-55
A standard for performance measurement for information security