D1: Information Security Governance and Risk Management

Question 0

Integrity

Answer 0

Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented

Question 1

Availability

Answer 1

Reliable and timely access to data and resources is provided to authorized individuals

Question 2

Confidentiality

Answer 2

Necessary level of secrecy is enforced and unauthorized disclosure is prevented

Question 3

List some controls for Availability

Answer 3

• redundent array of inexpenisve disks (RAID)
• clustering
• load balancing
• redundant data and pwoer lines
• software and data backups
• disk shadowing
• co-locatio nand off-site facilities
• roll-back functions
• fail-over configurations

Question 4

Name some controls for Integrity

Answer 4

• hashing (data integrity)
• configuration management (system integrity)
• Change control (process integrity)
• access control (physical and technical integrity)
• software digital signing
• transmission CRC functions

Question 5

Name some controls for confidentiality

Answer 5

• encryption for data at rest (whole disk, database encryption)
• encryption for data in transit (IPSec, SSL, PPTP, SSH)
• access controls (physical and technical)

Question 6

VULNERABILITY

Answer 6

Weakness or a lack of a countermeasure
i.e.: service running on a server; unpatched application or OS; unrestricted wireless access point; open port on firewall; lax physical security; unenforced password mgt. on severs/workstations

Question 7

THREAT AGENT

Answer 7

Entity that can exploit a vulnerability
(i.e.: intruder acessing the network through a port on the FW; a process accessing data in a way that violates the security policy; a tornado wiping out a facility; employee making unintentional mistake)

Question 8

THREAT

Answer 8

The danger of a threat agent explotiing a vulnerability

(ssomeon or somethign will identify a specific vulnerability and use it against the company/individual.

Question 9

RISK

Answer 9

the probability of a threat agent exploiting a vulnerability and the associated impact.
(if FW has several ports open, higher likelilihood intruder will access; if uesrs not educated on processes/procedures there sa higher likelihood that an employee will destory data; IDS not implemented higher likelihood attack will go unnoticed

Question 10

CONTROL

Answer 10

Safeguard that is put in place to reduce a risk; also called a countermeasure

Question 11

EXPOSURE

Answer 11

Presence of a vulneraiblity which exposes the organization to a threat
(i.ee.: if PW mgt is lax, compony is exposed; does not have its wiring inspective; exposed to devastating fires)

Question 12

CONTROL

Answer 12

Countermeasure taht is put into place to mitigate (reduce) the potential risk

Question 13

What are the three main types of controls?

Answer 13

1 - Administrative Controls (soft controls)
2 - Technical Controls (aka logical controls)
3 - Physical Controls

Question 14

Describe administrative controls

Answer 14

Management oriented: i.e. security documentation; risk management; personnel security; training

Question 15

Describe technical controls

Answer 15

software/hardware components (i.e. FWs IDS, encryption, identification and authenticatin mechanisms)

Question 16

Describe physical controls

Answer 16

items put into place to protect facility, personnel, resources (i.e. security guards, locks, fencing)

Question 17

Name the different functionalities of the security controls

Answer 17

1-prventative
2- detective
3- corrective
4- deterrent
5-recovery
6-compensating

Question 18

DETERRENT CONTROL

Answer 18

Intended to discourage a potential attacker

Question 19

PREVENTATIVE

Answer 19

Intended to avoid an incident from occurring

Question 20

CORRECTIVE CONTROL

Answer 20

Fixes components or systems after an incident has occurred

Question 21

RECOVERY CONTROL

Answer 21

Intended to bring the environment back to regular operations

Question 22

DETECTIVE CONTROL

Answer 22

Helps identify an inciden’ts activities and potentially an intruder

Question 23

COMPENSATING CONTROL

Answer 23

Controls that provide an alternative measure of control

Question 24

What you can’t ____, you should be able to ___, and if you ____ something, it means you weren’t able to _____ it, and therefore you should take _____ ___ to make sure it is indeed ___ the next time around.

Answer 24

prevent; detect; detect; prevent; corrective action; prevented

Question 25

Examples of Preventive Administrative Controls

Answer 25

• policies and procedures
• effective hiring practices
• pre-employment background checks
• cotnrolled termination processes
• data classification and labeling
• security awareness

Question 26

Examples of Preventitive Physical controls

Answer 26

Badges, swipe cards
Guards, dogs
Fences, locks, mantraps

Question 27

What is the bS7799 and its significance?

Answer 27

British Standard 7799, developed in 1995 by UK gvt. to outline how an information security management system (ISMS; aka security program) should be build and maintained. Was the basis of the ISO/IEC 2700 series

Question 28

ISO

Answer 28

International Organization for Standardization

Question 29

IEC

Answer 29

International Electrotechnical Commission

Question 30

The objectives of security are to provide

Answer 30

Avilability, integrity, and confidentiality protection to data and resources

Question 31

CoBIT

Answer 31

a framework of control objectives and allows for IT governence

Question 32

ISO/IEC 27001

Answer 32

The standard for the establishment, implementation, control, and improvement of the information security management system

Question 33

Enterprise architecture frameworks are used to:

Answer 33

develop architectures for specific stakeholders and present inforamiton in views

Question 34

ISMS

Answer 34

Informaiotn security management system is a coherent set of policies, processes, and systems to manage risks to inforamtion assets outlined in ISO/IEC 27001

Question 35

Enterprise security architecuture

Answer 35

A subset of business architecture and a way to describe current and future security processes, syttems, and subunits to ensure strategic alginment

Question 36

BLUEPRINTS

Answer 36

Functional definitions for the integration of technology into business processes

Question 37

Enterprise architure frameworks are used to build…

Answer 37

individual architectures that best map to individual organizationl needs and business drivers

Question 38

Zachman

Answer 38

an enterprise architecture framework

Question 39

SABSA

Answer 39

Security enterprise architecture framework

Question 40

COSO

Answer 40

A governance model used to help prevent fraud within a corporate environment

Question 41

ITIL

Answer 41

A set of best practices for IT service management

Question 42

Six Sigma

Answer 42

Used to identify defects in processes so that the processes can be improved upon

Question 43

CMMI

Answer 43

A maturity model that allows for processes to improve in an incremented and standard approach

Question 44

Security enterprise architecture should tie in (4):

Answer 44

1 - strategic alginment
2 - business enablement
3 - process enhancement
4 - security effectiveness

Question 45

What control categories does NIST 800-53 use?

Answer 45

1 - technical
2 - management
3 - operational

Question 46

OCTAVE

Answer 46

A team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector

Question 47

Security management should work from - - -

Answer 47

the top down (from senior management down to the staff)

Question 48

Risk can be:

Answer 48

transferred, avoided, reduced, or accepted

Question 49

A x B x C = total risk

Answer 49

threats x vulnerability x asset value = total risk

Question 50

(threats x vulnerability x asset value) x __ = residual risk

Answer 50

threats x vulnerability x asset value ) x controls gap = residual risk

Question 51

State the main goals of risk analysis

Answer 51

1) identify assets and assign values to them
2) identify vulnerabilities and threats
3) quantify the impact of potential threats
4) proidde an economic balance between the impact of the risk and cost of the safegaurds

Question 52

FMEA

Answer 52

Failure Modes and Effect Analysis.
A method for determinign functions, identifying functional failures, and assessing the causes of failures and the failure effects through a structured process

Question 53

When would you use a fault tree analysis?

Answer 53

To detect failures that can take place within complex environments and systems

Question 54

Describe quantitative risk analysis

Answer 54

Attempts to assign monetary values to components within the analysis

Question 55

Is a purely quantitiative risk analysis possible?

Answer 55

No, becasue qualitative items cannot be quantified with precision

Question 56

Why is capturing the degree of uncertainty when carrying out a risk analysis important?

Answer 56

because it indicates the level of confidence the team and management should have in the resulting figures

Question 57

When should automated risk analysis tools be used?

Answer 57

to estimate future expected lossses and calculate the benefits of different security measures

Question 58

___ x ___ = annualized loss expectancy

Answer 58

single loss expectancy x frequency per year - annualized loss expectancy (SLE x ARO = ALE)

Question 59

Qualitative risk analysis uses _ and _ instead of numbers

Answer 59

judgement; intuition; numbers

Question 60

Qualitiative risk analysis involves people with….

Answer 60

the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their perosnla experience

Question 61

DELPHI TECHNIQUE

Answer 61

A group decision method where each group member can communicate anonymously

Question 62

When choosing the right safeguard to reduce a specific risk, the _, _, and _ must be evaluated and a cost/benefit analysis performed.

Answer 62

cost; functionality; effectiveness

Question 63

SECURITY POLICY

Answer 63

A statement by managment dictating the role security plays in the organization

Question 64

PROCEDURES

Answer 64

detailed step-by-sepactions that should be followed to achieve a certain task

Question 65

STANDARDS

Answer 65

Documetns that outline rules that are compulsory in nature and support the organization’s security policies

Question 66

BASELINE

Answer 66

minimum level of security

Question 67

GUIDELINES

Answer 67

Recommendations and general approaches that provide advice and flexibility

Question 68

Job rotation is a _ _ control to detect fraud

Answer 68

detective administrative

Question 69

Mandatory vacations are a _ _ control type that can help detect _ activities.

Answer 69

detective administrative control type that can help detect fraudulent activities

Question 70

SEPARATION OF DUTIES

Answer 70

ensures no single person has total control over a critical activity or task.

Question 71

Separation of duties is a _ _ control

Answer 71

preventative adminsitrative

Question 72

Split knowledge an dual control are two aspects of _ _ _.

Answer 72

separation fo duties

Question 73

Who specifies the classification of data?

Answer 73

data owners

Question 74

Who implements and maintains controls to enforce the set classification levels?

Answer 74

Data custodians

Question 75

Security has functional requirements, which define the _ _ _ _ _ _ _ , and assurance requirements which establish _ _ _ _ _ _ _ .

Answer 75

functional requirements: define the expected behavior from a product or system
assurance requirements: establish confidence in the implemented products or systems overall

Question 76

Management must: (5)

Answer 76

1 - define the scope and purpose of the security management
2 - provide support
3 - appoint a security team
4 -delegate responsibiilty
5 - review the team's findings

Question 77

Who should be included in the risk management team?

Answer 77

individuals from different departments within the organization; not just technical personnel

Question 78

SOCIAL ENGINEERING

Answer 78

A nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual

Question 79

PII

Answer 79

Personal identification information is a collection of identity based data that can be used in identity theft an dfinancial raud, and thus must be highly protected

Question 80

SECURITY GOVERNANCE

Answer 80

A framework that provides oversight, accountability, and compliance

Question 81

ISO/IEC 27004 2009

Answer 81

AN INTERNATIONAL STANDARD FOR INFORMATION SECURITY MEAsurement management

Question 82

NIST-800-55

Answer 82

a standard for the performance measurementfor information security