D1: Security & Risk Management

Question 1

CIA

Answer 1

Confidentiality
Integrity
Availability

Question 2

Confidentiality

Answer 2

Confidentiality prevents the unauthorized disclosure of data

Confidentiality assures least privilege and need to know

Question 3

Integrity

Answer 3

Integrity assures no unauthorized modification is made to data from unintentional or malicious actions

Question 4

Availability

Answer 4

Reliability assures that systems and data is reliable and timely, accessible, fault tolerant and has recovery procedures in place.

Question 5

IAAA

Answer 5

Requirements for accountability

Identification: when a user claims their identity; used for access control
Authentication: testing a user’s identity via evidence
Accountability: associates actions to the person committing
Authorization: the rights an permissions provided to a person

Question 6

Privacy

Answer 6

Level of confidentiality and privacy protections

Question 7

An Organization’s Relationship with Risk

Answer 7

While it’s impossible to eliminate all risk, it’s important to get risk at an acceptable/tolerable level

A popular risk management framework is ISO 27005

To track risk, create baselines - the minimum standards

To reduce/prevent risk, and the budget is not constrained, spend more money on better tools

Question 8

Responsibilities of ISO

Answer 8

1. Documentation
2. Computer Incident Response Team
3. Security Awareness
4. Communicate risk to upper management, as high as possible
5. Educate organization that security is everyone’s responsibility

Question 9

Control Framework Requirements

Answer 9

Consistent with approach & application
Measurable ways to determine progress
Standardized in one format
Comprehension - covers end to end
Modular - adaptive, layered and abstraction

Question 10

Due Care

Answer 10

When an organization did all that it could have reasonably done to try and prevent security breach / compromise / disaster, and took the necessary steps as countermeasures / controls (safeguards).

The benefit of due care can be seen as the difference between the damage with or without safeguards in place - AKA doing something about the threats.

Failing to perform periodic security audits can result in the perception that due care is not being maintained.

Question 11

Due Diligence

Answer 11

When an organization properly investigated all of its possible weaknesses and vulnerabilities AKA understanding threats

Question 12

Patent Law

Answer 12

Patent law grants ownership of an invention and provides enforcement for owner to exclude others from practicing the invention

After 20 years the idea is open source of application

Question 13

Copyright Law

Answer 13

Copyright law protects the expression of ideas but not necessarily the idea itself

Question 14

Trade Secret

Answer 14

Something that is proprietary to a company and important for its survival and profitability (like formula of Coke)

No application to register?

Question 15

Trademarks

Answer 15

Trademarks are words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald’s M)

@10 Years

Question 16

Wassenaar Agreement (WA)

Answer 16

Dual use goods & trade

International cryptographic agreement, prevent destabilizing

Question 17

Computer Crimes

Answer 17

loss, image, penalties???

Question 18

SOX - Sarbanes Oxley

Answer 18

Implemented in 2002 after ENRON and World Online

Requires independent review by contractors

Section 302: CEO’s and CFO’s can be sent to jail when information they sign is incorrect

Section 404: Requires internal controls assessment; describe logical controls over accounting files, good auditing and information security

COSO - framework for SOX 404 compliance

Question 19

Corporate Officer Liability

Answer 19

Executives are held liable if the organization they represent is not compliant with the law

Negligence occurs if there is a failure to implement recommended precautions e.g. disaster recovery plan, background checks, information security, policy, laws and regulations

Question 20

Treadway commission

Answer 20

???

Question 21

COSO

Answer 21

Strong in anti-spam and legit marketing

Directs public directories to be subjected to tight controls

Takes an OPT-IN approach to unsolicited commercial electronic communications

User may refuse cookies to be stored, and user must be provided with information

Member states in the EU can make own laws e.g. retention of data

Question 22

Incident

Answer 22

An event that has potential to do harm

Question 23

Breach

Answer 23

An incident that results in disclosure or potential disclosure of data

Question 24

Data Disclosure

Answer 24

Unauthorized acquisition of personal information

Question 25

Event

Answer 25

Threat events can be accidental/intentional exploitations of vulnerabilities.

Question 26

ITAR

Answer 26

????

Question 27

FERPA

Answer 27

????

Question 28

GLBA

Answer 28

Graham, Leach, Bliley; credit related PII

Question 29

ECS

Answer 29

Electronic Communication Service (Europe)

Notice of breaches

Question 30

Fourth Amendment

Answer 30

Basis for privacy rights

Question 31

1974 US Privacy Act

Answer 31

Protection of PII on federal databases

Question 32

1980 Organization for Economic Cooperation and Development (OECD)

Answer 32

Provides for data collection, specifications, specifications

Question 33

1986/1996 US Computer Fraud and Abuse Act

Answer 33

Trafficking in computer passwords or information that causes a loss of $1K or more or could impair medical treatment

Question 34

1986 Electronic Communications Privacy Act

Answer 34

Prohibits eavesdropping or interception w/o distinguishing private/public

Question 35

1994 Communications Assistance for Law Enforcement Act (CALEA)

Answer 35

Amended the electronic communications privacy act of 1986.

CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use

Question 36

1987 US Computer Security Act

Answer 36

Security training, develop a security plan, and identify sensitive systems on govt. agencies

Question 37

1991 US Federal Sentencing Guidelines

Answer 37

Responsibility on senior management with fines up to $290 mil

Invoke prudent man rule

Address both individuals and organizations

Question 38

1996 US Economic and Protection of Proprietary Information Act

Answer 38

??

Question 39

1996 US National Information Infrastructure Protection Act

Answer 39

Encourage other countries to adopt similar frameworks

Question 40

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

Answer 40

Congress amended HIPAA by this Act

Updated many of HIPAA’s privacy and security requirements

Changed the way the law treats business associates (BA), organizations who handle PHI on behalf of a HIPAA covered entity

Business Associate Agreement: Any relationship between a covered entity and a BA must be governed by a written contract (BAA)

Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity

HITECH also introduced new data breach notification requirements

Question 41

ISC2 Code of Ethics Canons

Answer 41

Protect society, the commonwealth and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally

Provide diligent and competent service to principals

Advance and protect the profession

Question 42

Internet Advisory Board (IAB)

Answer 42

????

Question 43

Ethics and Internet (RFC 1087)

Answer 43

Don’t compromise the privacy of users

Access to and use of Internet is a privilege and should be treated as such

It is defined as unacceptable and unethical if you, for example, gain unauthorized access to resources on the internet, destroy integrity, waste resources or compromise privacy.

Question 44

Business Continuity Plan - Development

Answer 44

Defining the continuity strategy

Computing strategy to preserve the elements of HW/SW communication lines/data/application

Facilities: use of main buildings or any remote facilities

People: operators, management, technical support persons

Supplies and equipment: paper, forms HVAC

Documenting the continuity strategy

Question 45

BIA - Business Impact Analysis

Answer 45

Goal is to create a document to be used to help understand what impact a disruptive event would have on the business

Gather Assessment Material:

• Org charts to determine functional relationships
• Examine business success factors

Vulnerability Assessment

• Identify Critical IT resources out of critical processes
• Identify disruption impacts and MTD (Max Tolerable Downtime)
• Quantitative Loss (revenue, expenses for repair)
• Qualitative Loss - competitive edge, public embarrassment
• Presented as LOW, MEDIUM, HIGH

Analyzed the compiled information

• Document the process
• Identify inter-dependability
• Determine acceptable interruption periods

Documentation and Recommendation

Question 46

Separation of Duties

Answer 46

Assignment of different parts of tasks to different individuals so no single person has total control of the system’s security mechanisms

Prevents collusion

Question 47

M of N Control

Answer 47

A requirement that a minimum number of agents (M) out of a total number of agents (N) work together to perform high-security tasks

Ex: Implementing 3 of 8 controls would require three people out of the 8 with assigned work task of key escrow agent to work together to pull a single key of the key escrow database.

Question 48

Least Privilege

Answer 48

A system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest amount of time

Read-Only, Read/Write and Access/Change

Question 49

Two Man Control

Answer 49

Two persons review and approve the work of each other, for every sensitive operation

Question 50

Dual Control

Answer 50

Two persons are required to complete a task

Question 51

Rotations of Duties

Answer 51

Limiting the amount of time a person is assigned to perform a security related task before being moved to a different task to prevent fraud

Reduces collusion

Question 52

Mandatory Vacations

Answer 52

Prevents fraud and allows for investigations

One week minimum

Kills processes

Question 53

Need to Know

Answer 53

The subject is given only the amount of information required to perform an assigned task, business justification

Question 54

Employment

Answer 54

Staff members pose more threat than external factors

• loss of money
• stolen equipment
• loss of time work hours
• loss of reputation
• declining trusts and loss of resources
• bandwidth theft
• due diligence

Voluntary and Involuntary - Exit Interview

Question 55

Agreements

Answer 55

NDA

Acceptable Use

No Compete

Question 56

Third Party Controls

Answer 56

Vendors

Consultants

Contractors

Ensure Vendors are properly supervised, rights based on policy

Question 57

Risk Management Concepts

Answer 57

Threat - damage

Vulnerability - weakness to threat vector (never does anything)

Likelihood - probability it will happen

Impact - overall affects if it happens

Residual Risk - amount leftover

Organization owns the risk

Risk is determined by a byproduct of likelihood and impact

Question 58

ITIL

Answer 58

ITIL - best practices for IT core operational processes, not for audit

• Service
• Change
• Release
• Configuration

Strong end to end customer focus/expertise
About services and service strategy

Question 59

Risk Management Goal

Answer 59

The goal of risk management is to determine the impact of the threat and risk of threat occurring and to reduce risk to an acceptable level

Question 60

Risk Assessment Steps

Answer 60

1. Prepare for Assessment (purpose, scope, etc.)
2. Conduct Assessment
   - ID threat sources and events
   - ID vulnerabilities
   - Determine likelihood of occurrence
   - Determine magnitude of impact
   - Determine risk
3. Communicate Risk/Results
4. Maintain Assessment/regularly

Question 61

Types of Risk

Answer 61

Inherent Risk: chance of making an error with no controls in place

Control Risk: chance that controls in place will prevent, detect or control errors

Detection Risk: chance that auditors won’t find an error

Residual Risk: Risk remaining after a control is in place

Business Risk: Concerns about effects of unforeseen circumstances

Overall Risk: combination of all risks aka Audit Risk

Question 62

Preliminary Security Examination (PSE)

Answer 62

Helps to gather the elements that you will need when the actual risk analysis takes place

Question 63

Risk Analysis Steps

Answer 63

1. Identify Assets
2. Identify Threats
3. Calculate Risks

Question 64

Risk Assessment Steps

Answer 64

1. Prepare
2. Perform
3. Communicate
4. Maintain

Question 65

Qualitative Risk Analysis

Answer 65

????

Question 66

SLE

Answer 66

Single Loss Expectancy

SLE = Asset Value * Exposure Factor

Question 67

Exposure Factor

Answer 67

Percentage loss of an asset

Question 68

ARO

Answer 68

Annualized Rate of Occurrence

Question 69

ALE

Answer 69

Annual Loss Expectancy

SLE * ARO

Question 70

Loss

Answer 70

Probability * Cost

Question 71

Quantitative Risk Analysis

Answer 71

Mitigate: Reduce risk by implementing controls
Assign: insure the risk to transfer it
Avoid: Stop business activity

Question 72

Residual Risk

Answer 72

When the cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L)

Legally the remaining residual risk is not counted when deciding whether a company is liable.

Question 73

Controls Gap

Answer 73

The amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows:

total risk - controls gap = residual risk

Question 74

RTO

Answer 74

How quickly you need to have that application’s information available after downtime has occurred

Question 75

RPO

Answer 75

Recovery Point Objective

Point in time that application’s information data must be recovered to resume business functions

Amount of data you’re willing to lose

Question 76

MTD

Answer 76

Maximum Tolerable Downtime

Maximum delay a business can be down and still remain viable

MTD = critical / minutes to hours
MTD = urgent / 24 hours
MTD = important / 72 hours
MTD = normal / 7 days
MTD = non-essential / 30 days

Question 77

Risk Response

Answer 77

Risk Avoidance: discontinue activity because you don’t want to accept risk
Risk Transfer: passing on the risk to another entity
Risk Mitigation: elimination or decrease in level of risk
Risk Acceptance: live with it and pay the cost

Background checks - mitigation, acceptance, avoidance

Question 78

Control Costs

Answer 78

Control cost should be less than the value of the asset being protected

Question 79

Administrative/Managerial Policy

Answer 79

Preventative: hiring policies, screening security awareness (soft measures)

Detective: screening behavior, job rotation, review of audit records

Question 80

Technical / Logical Policy

Answer 80

Preventative: protocols, encryption, biometrics, smartcards, routers. firewalls

Detective: IDS and automatic generated violation reports, audit logs, CCTV (never preventative)

Preventative: fences, guards, locks

Detective: motion detectors, thermal detectors, video cameras

Question 81

Risk Analysis and Its Prime Objective

Answer 81

A process that analyzes threat scenarios and produces a representation of the estimated potential loss.

Prime Objective is to reduce the effects of security threats and vulnerabilities to a tolerable level

Question 82

Access Control - Main Categories

Answer 82

Directive: specify rules of behavior

Deterrent: discourage people, change my mind

Preventative: prevent incident or breach

Compensating: sub for loss of primary controls

Detective: signal warning, investigate

Corrective: mitigate damage, restore control

Recovery: restore to normal after incident

Question 83

Penetration Testing

Answer 83

Testing a network’s defenses by using the same techniques as external intruders

Scanning and Probing - port scanners
Demon Dialing - war dialing for modems
Sniffing - capture data packets
Dumpster Diving - searching paper disposal areas
Social Engineering - most common, get information by asking

Question 84

Blue Team

Answer 84

Has knowledge of the organization, can be done frequently and is the least expensive

Question 85

Red Team

Answer 85

External and stealthy

Question 86

White Box

Answer 86

Ethical hacker knows what to look for, sees code as a developer

Question 87

Grey Box

Answer 87

Partial knowledge of the system, sees code, act as a user

Question 88

Black Box

Answer 88

Ethical hacker not knowing what to find

Question 89

4 Stages of Penetration Test Planning

Answer 89

1. Planning
2. Discovery
3. Attack
4. Reporting

Question 90

Pen Test Strategies and Categories

Answer 90

Strategies: external, internal, blind, double-blind

Categories: zero, partial, full knowledge tests

Question 91

Software License - Public Domain

Answer 91

Available for anyone to use

Question 92

Software License - Open Source

Answer 92

Source Code made available with a license in which the copyright holder provides the rights to study, change and distribute the software to anyone

Question 93

Software License - Freeware

Answer 93

Proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, re-distributed or reverse-engineered without the author’s position

Question 94

Wire Tapping

Answer 94

Eavesdropping on communication - only legal with prior consent

Question 95

Data Diddling

Answer 95

Act of modifying information, programs, or documents to commit fraud, tampers with INPUT data

Question 96

Privacy Laws

Answer 96

Data collected must be collected fairly and lawfully and used only for the purpose it was collected

Question 97

Water Holing

Answer 97

Create a bunch of websites with similar names

Question 98

Work Function (factor)

Answer 98

The difficulty of obtaining the clear text from the cipher text as measured by cost/time

Question 99

Fair Cryptosystems

Answer 99

In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party.

When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.

Question 100

Information Security Program

Answer 100

Provides the means for achieving strategy

Defines:

• policies/standards/procedures/guidelines
• roles and responsibilities
• SLAs/Outsourcing
• Data Classification/Security
• C&A (Certification and Accreditation)
• Auditing

Question 101

Types of Policy

Answer 101

1. Corporate/Organizational Policy
   - management’s intent, commitment and philosophy to the organization
2. System Specific Policy
   - policy will state that MFA is required, and the standard will state the details of what type of MFA
3. Issue Specific Policy
   - can’t rely on common sense

*Policies don’t change often, but standards do - they fill in the gaps in policy

Question 102

Change Management

Answer 102

Changes are not implemented randomly, but follow a formalized process to implement change - approved, tested, etc.

Question 103

Acceptable Use

Answer 103

How organizations expect their resources to be treated.

Question 104

Privacy

Answer 104

Do employees have an expectation of privacy in the workplace - the answer should be yes. employer doesn’t have to provide privacy, but the employee would have to be notified.

Biggest part of privacy policy is notification.

Question 105

Data/System Ownership

Answer 105

Be clear of who owns the system and who owns the information - these people are responsible for determining the classification of information and dictate the controls

Question 106

Separation of Duties

Answer 106

ALWAYS THE RIGHT ANSWER

no one individual has too much power, it’s a conflict of interest

SODs forces collusion = if an employee wants to commit fraud, they would have to bring in another employee and would be less successful

Question 107

Mandatory Vacation

Answer 107

A detective control, usually in banks

If a person is committing fraud, they absence would highlight this.

Question 108

Job Rotation

Answer 108

Cross training; redundancy

A detective control, someone can view the work that was done

Question 109

Least Privilege/Need to Know

Answer 109

Least Privilege = action

Need to Know = data
- rights to access to data

Question 110

Dual Control

Answer 110

Preventing the abuse of power because it would take two individuals to commit fraud.

Question 111

M of N

Answer 111

Variables stating that so many of the total needs to be present

Question 112

Standards

Answer 112

States the specifics of policy

• mandatory
• created to support policy, while providing more details
• reinforces policy and provides direction
• can be internal or external

Question 113

Procedures

Answer 113

Mandatory, how-to’s

SOP - standard operating procedures

Question 114

Guidelines

Answer 114

Not mandatory

best practices, recommendations
will have words like - whenever possible, should, etc.

Question 115

Documentation Relationships

Answer 115

Guidelines - suggestions
Procedures - how
Standards - what
Policies - why

Question 116

Baselines

Answer 116

Mandatory

Minimum acceptable security configuration for a system or process

The purpose of security classification is to determine and assign the necessary baseline config to protect data

Question 117

Senior Management

Answer 117

Provide

• strategy and oversight
• funding and support
• ensure testing and results
• prioritize business functions (BIA) (COO)
• common vision/strategy/framework for the enterprise
• ‘sign-off’ on Policy, BIA and other organization documents

Question 118

Business Impact Analysis (BIA)

Answer 118

The document that prioritizes business processes, services, etc. based on criticality to the organization

COO

Question 119

Steering Committee

Answer 119

• Oversight of Information Security Program
• acts as liaison between management, business, information technology, and information security.
• assess and incorporate results of the risk assessment activity
• intro the decision-making process
• ensures all stakeholder interests are addressed
• oversees compliance activities

Question 120

CISO Chief Information Security Officer

Answer 120

Senior Management - provides the what

• directly involved in strategic planning using CIA triad
• policy development
• technology assessments
• not just digital data, also verbal and physical
• process improvements
• acquisitions
• capital planning
• security

Question 121

Information Security Manager

Answer 121

Functional Management - provides the how

• plays leading role in introducing an appropriate, structured methodology - solutions work, tested and are validated
• acts as a major consultant in support of senior management

Question 122

Business Managers

Answer 122

Owners of systems and information
- determine classification of assets, data access, how it is protected etc

Our customers, heads of business units

Accountable for the protection of the information

Question 123

Security Practitioner

Answer 123

Implement, configure the security requirements

Support or use the risk management process to identify and assess new potential risk and implement new security controls as needed to safeguard their IT systems

Question 124

Auditors

Answer 124

Audit controls and policies to ensure that they are being implemented and are effective - and report on this.

If internal auditing is in place, auditors should not report to the head of a business unit, but rather to the COO or some other entity without direct stake in results

Auditors document, they do not modify and should never have write access

Auditors are there for compliance, and will tell you if they are compliant with policy. Audit will not tell you if something works, you’ll need to have to test.

Question 125

Security Trainers

Answer 125

Must understand the risk management process

Develop appropriate training materials

Conduct security trainings and awareness programs catered to roles within the organization

Incorporate risk assessment into training programs to educate the end users

Encourage users to report violations

Should make a security positive environment, and stay away from blame culture

Important to talk about WHY we enforce what we do

Question 126

Information Security/Enterprise Risk Management

Answer 126

ISRM is the process of managing risks associated with the use of info technology

Involves identifying, assessing, and treating risks to the confidentiality, integrity and availability of an organization’s assets.

Question 127

asset

Answer 127

Anything of value to the company and what we’re protecting

First step in RA is identifying assets and its values
- could be devices, information, IP

Question 128

vulnerability

Answer 128

a weakness in an asset; the absence of a safeguard

Question 129

threat

Answer 129

something that could pose loss to all or part of an asset

Question 130

threat agent

Answer 130

what carries out the attack; person and/or software

Question 131

exploit

Answer 131

an instance of a compromise

Question 132

risk

Answer 132

the probability of a threat materializing if I do nothing to mitigate the risk

ties in with likelihood

Question 133

controls

Answer 133

aka safeguards (proactive) aka firewall or countermeasures (reactive) reviewing an audit log

physical, administrative, and technical protections

Question 134

total risk

Answer 134

the risk that exists before any control is implemented

aka inherent risk

Question 135

residual risk

Answer 135

leftover risk after applying a control

could be because you can’t, or because you don’t want to - just get it to an acceptable level

risk management about getting residual risk to acceptable levels

Question 136

secondary risk

Answer 136

when one risk response triggers another risk event

security patches, service packs - security problem is fixed but not as available

Question 137

incident

Answer 137

a risk event that has transpired

Question 138

Risk Identification

Answer 138

Identify:
- determine the value for assets (what am I protecting and what is it worth)

– threats

— current controls and policies

—- vulnerabilities and residual risk

—– consequences of the residual risk

Question 139

Risk Assessment (Value)

Answer 139

Qualitative

Quantitative

Question 140

Risk Mitigation/Response

Answer 140

Reduce
Accept
Transfer
Avoid
Reject

Question 141

Risk Management Steps

Answer 141

1. Identification
2. Assessment
3. Mitigation/Response
4. Ongoing Evaluation

A revolving life cycle

Question 142

Methods of identifying risk

Answer 142

• sources of risk documentation
• audit reports incident reports
• interviews with SMEs and public media
• annual reports
• press releases
• vulnerability assessments and penetration tests

Question 143

Methods of identifying risk

Answer 143

• sources of risk documentation
• audit reports incident reports
• interviews with SMEs and public media
• annual reports
• press releases
• vulnerability assessments and penetration tests
• business continuity and disaster recovery plans
• interviews and workshops
• threat intelligence services

Question 144

Alignment with Business Goals and Objectives

Answer 144

• the most important step for a CISM is to understand the business; review org vision and strategy FIRST
• look beyond IT - risk is measure by the impact the risk has on the BUSINESS not the SYSTEM
• senior management must be supportive and involved
• —- management funds and supports risk mgmt
• —- good metrics means we have attainable objectives
• —- good communication and transparency help is make risk-aware business decisions

Question 145

Organizational Structure + Impact on Risk

Answer 145

Risk Context: the context in which the org operates; culture, environment, constraints, high risk activities. Factors that influence how risk is addressed

Risk Management approach should be enterprise wide and a common framework should be shared across all departments - TESTABLE!!!!
- framework, strategy and programs should all be universal

Three lines of defense

RACI Charts should be used to indicate responsibilities

Question 146

Three Lines of Defense

Answer 146

1st Line: Business Units - Admins, Senior Management

• involved in day-to-day risk management
• follow a risk process
• apply internal controls
• dealing with systems and information

2nd Line: Risk and Compliance - Hands-On

• oversee and challenge risk management
• provide guidance and direction
• develop risk management framework

3rd Line: Audit - Auditors

• review 1st and 2nd lines
• provide an independent perspective and challenge the process
• objective and offer assurance

Question 147

Risk Management Lifecycle

Answer 147

1. IT Risk Assessment
2. Risk Response and Mitigation
3. Risk and Control Monitoring and Reporting
4. IT Risk Identification

Question 148

IT Risk Assessment

Answer 148

Objective is to justify the mitigation strategy

Question 149

Risk Value

Answer 149

Potential for loss associated with the risk

Question 150

Qualitative Risk Analysis

Answer 150

• the starting point
• brainstorming - example, planning a picnic in 3 weeks; what’s a risk to this picnic? % weather
• not expensive or takes a long time
• Subjective analysis to help prioritize probability and impact of risk events
• May use Delphi Technique: anonymous surveying; people are more honest when anonymous
• Probability and Impact Matrix to complete this
• Assess risks based on subjective input
• Uses terms like high, medium and low
• inexpensive, and quick way to begin the prioritization and ranking of risk

Question 151

Quantitative Risk Analysis

Answer 151

• THE DOLLARS!!!!
• • per year I’m losing 8K, but if I spend 10K i wont have that risk anymore
• Providing a dollar value to a particular risk event
• Much more sophisticated in nature, quantitative analysis is much more difficult and requires a special skill set
• Business decisions are made on a quantitative analysis
• Can’t exist on its own. Quantitative analysis depends on qualitative information

Question 152

(AV) asset value

Answer 152

Dollar figure that represents that the asset is worth to the organization

$300K warehouse
- test questions won’t be tricky for these

$300K warehouse that has 75K of hardware = count it all together

Question 153

(EF) exposure factor

Answer 153

The percentage of loss that is expected to result in the manifestation of a particular risk

Every time there is a fire, I lose 50% of the asset = will lose $150K

Question 154

(SLE) single loss expectancy**

Answer 154

Dollar figure that represents the cost of a single occurrence of a threat instance

every time the risk event happens, what does it cost me?

AV + EF = SLE

Question 155

(ARO) annual rate of occurrence

Answer 155

How often the threat is expected to materialize

Question 156

(ALE) annual loss expectancy**

Answer 156

Cost per year as a result of the threat

Every time a hard drive fails (risk event), it costs the company $3K (AV or EF?). Hard drive fails 3x a year (ARO) = $9K (ALE). You can spend $5K (cost of control) to mitigate it.

Question 157

(TCO) total cost of ownership

Answer 157

Total cost of implementing a safeguard. Often in addition to initial costs, there are ongoing maintenance fees as well.

Make sure you are looking at both upfront costs and maintenance fees - printer example, cheap to buy but have to keep buying ink every 20 prints

Question 158

(ROI) return on investment

Answer 158

amount of money saved by implementation of a safeguard. Sometimes referred to as the value of the safeguard/control

Looking for controls that mitigates risk to an acceptable level = ROI

Question 159

Steps for Quantitative Analysis

Answer 159

1. Assign Asset Value (AV)
2. Calculate Exposure Factor (EF)
3. Calculate Single Loss Expectance (SLE)
4. Assess the annualized rate of occurrence (ARO)
5. Derive the annualized loss expectancy (ALE)
6. Perform cost/benefit analysis of countermeasures

Question 160

Risk Mitigation and Response

Answer 160

Risk Assessment will dictate the appropriate risk response

• reduce
• avoidance
• transfer
• accept
• rejection - not acceptable

Question 161

Risk Reduction/Avoidance

Answer 161

When action is taken to lessen the frequency and/or impact of a risk. Can’t lessen the probability of rain, but can Lessens the impact, by bringing an umbrella
- may require the use of several controls until it reaches levels of risk acceptance or risk tolerance

If you’ve brought risk probability down to zero - you have avoided the risk
- there’s usually a negative payoff, like not doing or having something that we want

Examples of risk mitigation

• strengthening overall risk management practices, such as implementing sufficiently mature risk management processes
• deploying new technical, management or operational controls that reduce either the likelihood or the impact of an adverse event
• installing a new access control system
• implementing policies or operational procedures
• developing an effective incident response and business continuity plan (BCP)
• using compensating controls

ULTIMATE RISK REDUCTION IS AVOIDANCE!! but there is NO RISK ELIMINATION - no such thing!! TESTABLEEEEEEEEEEEEEEEE

Question 162

Risk Reduction/Transference

Answer 162

Risk transference is a decision to reduce loss through sharing that risk with another organization

• insurance
• just because you have transference, does not reduce the risk of fire, but will reduce the potential for loss

Transference Examples:
SLA (Service Level Agreements) and contracts establish the degree of transference.

Outsourcing work - i am a healthcare provider have no idea how to remain HIPAA compliant, so I outsource to a company to maintain liability

BUT YA CAN’T TRANSFER LIABILITY!!!!
- if the HIPAA company fails to protect the data, the liability is still on the healthcare provider

Question 163

Risk Acceptance

Answer 163

Sometimes you just cant mitigate the risk, not feasible due to price, complexity, etc.

bring it up next quarter maybe

Examples:

• provides no active mitigation
• based on cost/benefit analysis, it is determined the cost of the control is less than the potential for loss
• sometimes acceptance is the only choice
• risk acceptance still includes due diligence, and can still be use to indicate good business decisions were made
• level of risk and impact is always changing, so regular reviews are needed

Difference between risk rejection and risk acceptance is with acceptance is the due diligence and that good business decisions were made

Question 164

Risk Monitoring and Reporting

Answer 164

A risk response is designed and implemented based on a risk assessment that was conducted at a single point in time

Because of the changing nature of risk and associated controls, ongoing monitoring is an essential step of the risk management life cycle

• controls can become less effective
• the operational environment may change and new threats, technologies and vulnerabilities may emerge

Controls need to be re-evaluated for risk mitigation at least once per year, or after a major change
- just because something isn’t broken OR there hasn’t been a compromise yet

Question 165

Key Risk Indicators (KRIs)

Answer 165

essentially a warning sign that a risk may materialize ex. if the risk is rain, a KRI would be dark clouds, thunder, etc. so we should move into the alternate indoors area

• provide early warning
• provide backward-looking view on risk events
• enable documentation and analysis of trends
• provide an indication of risk appetite and tolerance
• increase the likelihood of achieving strategic objectives
• assist in optimizing risk governance

Question 166

Examples of KRIs

Answer 166

• quantity of unauthorized equipment or software detected in scans
• number of instances of SLAs exceeding thresholds
• high average time to research and remediate operations incidents
• number of desktops/laptops that do not have current antivirus signatures or have not run a full scan within scheduled periods

Question 167

KRIs Support The Following

Answer 167

• risk appetite
• risk identification
• risk mitigation
• risk culture
• risk measurement and reporting
• regulatory compliance

Question 168

Risk Management Process Review

Answer 168

Risk Assessment

• usually the most difficult to accomplish
• many unknowns
• necessary effort of gathering the right data

Risk Analysis
- can be done qualitatively and/or quantitatively

Risk Mitigation
- takes steps to reduce risk to acceptable level

Risk Monitoring
- remember - risk must be managed since it cannot be totally eliminated

Question 169

Legal Consideration - note about its exam worthiness

Answer 169

NOT HUGE ON THE EXAM bc it’s US based law and its a global exam

Question 170

Liabilities

Answer 170

Who is at fault?

• failure of management to execute Due Care/Due Diligence can be termed negligence
• • culpable negligence is often used to prove liability

Prudent Man Rule:
- perform duties that prudent people would exercise in similar circumstanced - ex: due diligence - researching industry standards and best practices, due care - setting and enforcing policy to bring organization into compliance

Downstream liabilities

Integrated technology with other companies can extend one’s responsibility outside the normal bounds

Question 171

Types of Law

Answer 171

Criminal
Civil
Regulatory
Intellectual property

Question 172

Criminal Law

Answer 172

Difficult to get a conviction for cyber crimes

• beyond a reasonable doubt - can be difficult to meet this burden of proof in computer-related crimes. Technical details are hard

Penalties: financial, jailtime, death

• felonies: more serious of the two, often penalty results in incarceration of at least a year
  misdemeanors: normally the less serious of the two with fines or jail-times of less than one year

The goal of criminal penalties is punishment, and deterrence

Question 173

Civil (Tort) Law

Answer 173

Burden of proof = Preponderance (amount of) of evidence

Damages

• compensatory: paid for the actual damage which was suffered by a victim, including attorney fees, loss of profits, medical costs, investigative costs, etc.
• punitive: designed as a punishment for the offender
• statutory: an amount stipulated within the law rather than calculated based on the degree of harm to the plaintiff. Often, statutory damages are awarded for acts in which it is difficult to determine the value of the harm to the victim

Liability, Due Care, Due Diligence, Prudent Person Rule are all pertinent to civil law, as well as administrative law

Question 174

Administrative (Regulatory) Law

Answer 174

Defines standards of performance and regulates conduct for specific industries

• Banking (Basel II)
• Energy (EPAct) of 2005
• Health Care (HIPAA)

Burden of proof = ‘more likely than not’

Penalties consist of financial or imprisonment

Question 175

Intellectual Property

Answer 175

Intellectual Property Law

• protecting products of the mind
• company must take steps to protect resources covered by these laws or these laws may not protect them

Main international organization run by the UN is the World Intellectual Property Organization (WIPO) - investigates copyright issues

Licensing is the most prevalent violation, followed by plagiarism, piracy and corporate espionage

Question 176

Trade Secret

Answer 176

Resource must provide competitive value and a unique edge

Ex: McDonalds mac sauce recipe

Must be reasonably protected from unauthorized use or disclosure

Proprietary to a company and important for survival

Must be genuine and not obvious

Question 177

Knowledge Transfer

Answer 177

TRAIN YOUR PEOPLE!

Awareness, Training, Education

“People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely and education in security measures and practices are of critical importance for the success of an organization’s security program”

The goal of knowledge transfer is to modify employee behavior
- there may be more incident reports because they know what’s wrong and know how to report

Question 178

Security Awareness Training

Answer 178

• employees can’t and won’t follow the directives and procedures if they don’t know them
• employees must know expectations and ramifications, if not met
• employee recognition award program
• part of due care
• administrative control

Shouldn't be One Size Fits All:
Sr. management also needs training
- due diligence, due care, culpable negligence
End Users
- basic cyber hygiene

Overriding Benefits

• modifies employee behavior and improves attitudes towards information security
• increases ability to hold employees accountable for their actions
• raises collective security awareness level of the organization