D1: Security & Risk Management Flashcards

1
Q

CIA

A

Confidentiality
Integrity
Availability

2
Q

Confidentiality

A

Confidentiality prevents the unauthorized disclosure of data

Confidentiality is enforced through least privilege and need to know

3
Q

Integrity

A

Integrity assures no unauthorized modification is made to data from unintentional or malicious actions

4
Q

Availability

A

Availability assures that systems and data are reliable and timely, accessible, fault tolerant and have recovery procedures in place.

5
Q

IAAA

A

Requirements for accountability

Identification: a user claims an identity (e.g. a username); the basis for access control
Authentication: proving the claimed identity with evidence (something you know, have or are)
Authorization: the rights and permissions granted to the authenticated identity
Accountability: associates actions with the person who performed them (logging, auditing)

6
Q

Privacy

A

The level of confidentiality and control an individual is given over their personal information (PII)

7
Q

An Organization’s Relationship with Risk

A

While it is impossible to eliminate all risk, the goal is to bring risk down to an acceptable/tolerable level

A popular risk management framework is ISO 27005

To track risk, create baselines - the minimum standards a system must meet

To reduce risk, spend on better controls, but only where the control's cost is less than the value it protects (see Control Costs); more expensive tools are not automatically less risk

8
Q

Responsibilities of the ISO (Information Security Officer)

A
  1. Documentation
  2. Computer Incident Response Team
  3. Security Awareness
  4. Communicate risk to upper management, as high as possible
  5. Educate the organization that security is everyone's responsibility

9
Q

Control Framework Requirements

A
Consistent - in approach and application
Measurable - ways to determine progress
Standardized - one format
Comprehensive - covers end to end
Modular - adaptive, layered and abstracted

10
Q

Due Care

A

When an organization did all that it could reasonably have done to try to prevent a security breach / compromise / disaster, and took the necessary steps as countermeasures / controls (safeguards).

The benefit of due care can be seen as the difference between the damage with or without safeguards in place - AKA doing something about the threats.

Failing to perform periodic security audits can result in the perception that due care is not being maintained.

11
Q

Due Diligence

A

When an organization properly investigated all of its possible weaknesses and vulnerabilities AKA understanding threats

12
Q

Patent Law

A

Patent law grants ownership of an invention and provides enforcement for the owner to exclude others from practicing the invention

After 20 years the patent expires and the invention enters the public domain, free for anyone to use

13
Q

Copyright Law

A

Copyright law protects the expression of ideas but not necessarily the idea itself

14
Q

Trade Secret

A

Something proprietary to a company and important for its survival and profitability (like the formula of Coke)

No application or registration; protection lasts only as long as the company actually keeps the secret (NDAs and access controls are the enforcement)

15
Q

Trademarks

A

Trademarks are words, names, product shapes, symbols, colors or a combination used to identify products and distinguish them from competitor products (McDonald's M)

Registered for 10 years and renewable indefinitely in 10-year terms

16
Q

Wassenaar Agreement (WA)

A

Multilateral export control regime for conventional arms and dual-use goods and technologies, including cryptography

Aims to prevent destabilizing accumulations of such goods; participating states implement it through their own national export controls

17
Q

Computer Crimes

A

Impacts: financial loss, damage to image/reputation, legal penalties

18
Q

SOX - Sarbanes Oxley

A

Enacted in 2002 after the Enron and WorldCom accounting scandals

Requires independent audit of financial reporting by external auditors

Section 302: CEOs and CFOs must personally certify financial reports and face criminal penalties if information they certify is knowingly false

Section 404: requires an internal controls assessment; management must describe, and auditors attest to, the controls over financial reporting, which in practice covers the logical controls over accounting systems, good auditing and information security

COSO - framework commonly used for SOX 404 compliance

19
Q

Corporate Officer Liability

A

Executives are held liable if the organization they represent is not compliant with the law

Negligence occurs if there is a failure to implement recommended precautions e.g. disaster recovery plan, background checks, information security, policy, laws and regulations

20
Q

Treadway commission

A

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes the internal control framework commonly used for SOX Section 404 compliance

21
Q

EU Directive on Privacy and Electronic Communications (2002/58/EC)

A

Strong on anti-spam and legitimate marketing

Directs that public directories be subject to tight controls

Takes an OPT-IN approach to unsolicited commercial electronic communications

Users may refuse to have cookies stored, and must be provided with information about them

Member states in the EU can make their own laws, e.g. on retention of data

22
Q

Incident

A

An event that has caused, or has the potential to cause, harm

23
Q

Breach

A

An incident that results in disclosure or potential disclosure of data

24
Q

Data Disclosure

A

Unauthorized acquisition of personal information

25
Q

Event

A

Threat events can be accidental/intentional exploitations of vulnerabilities.

26
Q

ITAR

A

International Traffic in Arms Regulations: US export controls on defense articles, defense services and related technical data on the US Munitions List

27
Q

FERPA

A

Family Educational Rights and Privacy Act: protects the privacy of student education records and gives students (or parents of minors) the right to inspect and correct them

28
Q

GLBA

A

Gramm-Leach-Bliley Act: requires financial institutions to protect customers' nonpublic personal financial information (Safeguards Rule) and to disclose their information-sharing practices (Privacy Rule)

29
Q

ECS

A

Electronic Communication Service (Europe)

Notice of breaches

30
Q

Fourth Amendment

A

Protection against unreasonable search and seizure; the basis for privacy rights in the US

31
Q

1974 US Privacy Act

A

Protection of PII on federal databases

32
Q

1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

A

Eight privacy principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability

33
Q

1986/1996 US Computer Fraud and Abuse Act

A

Makes it a federal crime to access a computer without authorization or to traffic in computer passwords where this causes a loss of $1K or more or could impair medical treatment

34
Q

1986 Electronic Communications Privacy Act

A

Prohibits eavesdropping on or interception of electronic communications, without distinguishing between private and public communications

35
Q

1994 Communications Assistance for Law Enforcement Act (CALEA)

A

Amended the electronic communications privacy act of 1986.

CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use

36
Q

1987 US Computer Security Act

A

Requires government agencies to provide security training, develop a security plan and identify their sensitive systems

37
Q

1991 US Federal Sentencing Guidelines

A

Places responsibility on senior management, with fines up to $290 million

Invoke prudent man rule

Address both individuals and organizations

38
Q

1996 US Economic Espionage Act (Economic and Protection of Proprietary Information Act)

A

Makes theft or misappropriation of trade secrets a federal crime, with heavier penalties when the theft benefits a foreign government

39
Q

1996 US National Information Infrastructure Protection Act

A

Amended the CFAA to cover computer systems used in interstate and foreign commerce; encourages other countries to adopt similar frameworks

40
Q

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

A

Congress amended HIPAA by this Act

Updated many of HIPAA’s privacy and security requirements

Changed the way the law treats business associates (BA), organizations who handle PHI on behalf of a HIPAA covered entity

Business Associate Agreement: Any relationship between a covered entity and a BA must be governed by a written contract (BAA)

Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity

HITECH also introduced new data breach notification requirements

41
Q

ISC2 Code of Ethics Canons

A

Protect society, the commonwealth and the infrastructure.

Act honorably, honestly, justly, responsibly, and legally

Provide diligent and competent service to principals

Advance and protect the profession

42
Q

Internet Architecture Board (IAB)

A

Oversight body for the Internet's technical standards work (IETF); issued RFC 1087, "Ethics and the Internet"

43
Q

Ethics and Internet (RFC 1087)

A

Don’t compromise the privacy of users

Access to and use of Internet is a privilege and should be treated as such

It is defined as unacceptable and unethical if you, for example, gain unauthorized access to resources on the internet, destroy integrity, waste resources or compromise privacy.

44
Q

Business Continuity Plan - Development

A

Defining the continuity strategy

  • Computing: strategy to preserve the elements of hardware, software, communication lines, data and applications
  • Facilities: use of main buildings or any remote facilities
  • People: operators, management, technical support persons
  • Supplies and equipment: paper, forms, HVAC

Documenting the continuity strategy

45
Q

BIA - Business Impact Analysis

A

Goal is to create a document that helps the organization understand what impact a disruptive event would have on the business

Gather Assessment Material:

  • Org charts to determine functional relationships
  • Examine business success factors

Vulnerability Assessment

  • Identify the critical IT resources that support critical processes
  • Identify disruption impacts and MTD (Max Tolerable Downtime)
  • Quantitative loss (revenue, expenses for repair)
  • Qualitative loss (competitive edge, public embarrassment)
  • Presented as LOW, MEDIUM, HIGH

Analyze the compiled information

  • Document the process
  • Identify inter-dependencies
  • Determine acceptable interruption periods

Documentation and Recommendation

46
Q

Separation of Duties

A

Assignment of different parts of tasks to different individuals so no single person has total control of the system's security mechanisms

Forces collusion: fraud requires two or more people to cooperate, which is harder to arrange and to hide

47
Q

M of N Control

A

A requirement that a minimum number of agents (M) out of a total number of agents (N) work together to perform high-security tasks

Ex: implementing a 3 of 8 control would require three people out of the 8 assigned the work task of key escrow agent to work together to pull a single key from the key escrow database.

48
Q

Least Privilege

A

A system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest amount of time

Read-Only, Read/Write and Access/Change

49
Q

Two Man Control

A

Two persons review and approve the work of each other, for every sensitive operation

50
Q

Dual Control

A

Two persons are required to complete a task

51
Q

Rotations of Duties

A

Limiting the amount of time a person is assigned to perform a security related task before being moved to a different task, to prevent fraud

Reduces the opportunity for collusion; the next person in the role can spot irregularities left by the previous one

52
Q

Mandatory Vacations

A

Prevents fraud and allows for investigations while the person is away

One week minimum

Interrupts any ongoing fraudulent process that the person has to keep running by hand

53
Q

Need to Know

A

The subject is given only the amount of information required to perform an assigned task, business justification

54
Q

Employment

A

Staff members pose more of a threat than external factors

  • loss of money
  • stolen equipment
  • loss of time / work hours
  • loss of reputation
  • declining trust and loss of resources
  • bandwidth theft
  • due diligence in hiring (background checks) reduces these

Termination, voluntary or involuntary - conduct an exit interview

55
Q

Agreements

A

NDA (non-disclosure agreement)

Acceptable Use

Non-Compete

56
Q

Third Party Controls

A

Vendors

Consultants

Contractors

Ensure Vendors are properly supervised, rights based on policy

57
Q

Risk Management Concepts

A

Threat - a potential source of damage

Vulnerability - a weakness that a threat vector can exploit (a vulnerability by itself does nothing)

Likelihood - probability that the threat will materialize

Impact - overall effect if it happens

Residual Risk - the amount of risk left over after controls

The organization owns the risk

Risk is a function of likelihood and impact (risk = likelihood x impact)

58
Q

ITIL

A

ITIL - best practices for IT core operational processes, not for audit

  • Service
  • Change
  • Release
  • Configuration

Strong end to end customer focus/expertise
About services and service strategy

59
Q

Risk Management Goal

A

The goal of risk management is to determine the impact of the threat and risk of threat occurring and to reduce risk to an acceptable level

60
Q

Risk Assessment Steps

A
  1. Prepare for Assessment (purpose, scope, etc.)
  2. Conduct Assessment
    - ID threat sources and events
    - ID vulnerabilities
    - Determine likelihood of occurrence
    - Determine magnitude of impact
    - Determine risk
  3. Communicate Risk/Results
  4. Maintain the Assessment (repeat regularly)

61
Q

Types of Risk

A

Inherent Risk: chance of an error occurring with no controls in place

Control Risk: chance that the controls in place will fail to prevent or detect an error

Detection Risk: chance that auditors won't find an error that the controls missed

Residual Risk: risk remaining after a control is in place

Business Risk: concerns about the effects of unforeseen circumstances

Overall Risk: combination of all of the above, aka Audit Risk

62
Q

Preliminary Security Examination (PSE)

A

Helps to gather the elements that you will need when the actual risk analysis takes place

63
Q

Risk Analysis Steps

A
  1. Identify Assets
  2. Identify Threats
  3. Calculate Risks

64
Q

Risk Assessment Steps

A
  1. Prepare
  2. Perform
  3. Communicate
  4. Maintain

65
Q

Qualitative Risk Analysis

A

Subjective analysis that rates each risk's probability and impact as HIGH / MEDIUM / LOW to prioritize them; quick and inexpensive, and the usual starting point before any quantitative work

66
Q

SLE

A

Single Loss Expectancy

SLE = Asset Value * Exposure Factor

67
Q

Exposure Factor

A

Percentage loss of an asset

68
Q

ARO

A

Annualized Rate of Occurrence

69
Q

ALE

A

Annual Loss Expectancy

SLE * ARO

70
Q

Loss

A

Probability * Cost

71
Q

Quantitative Risk Analysis

A

Quantitative analysis puts a dollar figure on each risk so that the handling decision can be justified:

Mitigate: reduce the risk by implementing controls
Assign (transfer): insure the risk to move it to another party
Avoid: stop the business activity

72
Q

Residual Risk

A

The risk left over when the cost of an extra countermeasure exceeds the estimated loss it would prevent (C > L), so management accepts it rather than spending more

Residual risk that has been knowingly accepted after exercising due care is generally not held against a company when deciding whether it is liable

73
Q

Controls Gap

A

The amount of risk that is reduced by implementing safeguards. Residual risk is then:

total risk - controls gap = residual risk

74
Q

RTO

A

Recovery Time Objective

How quickly you need to have that application's information available again after downtime has occurred

75
Q

RPO

A

Recovery Point Objective

Point in time that application’s information data must be recovered to resume business functions

Amount of data you’re willing to lose

76
Q

MTD

A

Maximum Tolerable Downtime

Maximum delay a business can be down and still remain viable

Typical MTD bands by criticality:
  • critical: minutes to hours
  • urgent: 24 hours
  • important: 72 hours
  • normal: 7 days
  • non-essential: 30 days

77
Q

Risk Response

A

Risk Avoidance: discontinue the activity because you don't want to accept the risk
Risk Transfer: pass the risk to another entity (insurance, outsourcing)
Risk Mitigation: eliminate or decrease the level of risk with controls
Risk Acceptance: live with it and pay the cost when it happens

Example - background checks: depending on the result the response can be mitigation, acceptance or avoidance

78
Q

Control Costs

A

Control cost should be less than the value of the asset being protected

79
Q

Administrative/Managerial Controls

A

Preventative: hiring policies, screening security awareness (soft measures)

Detective: screening behavior, job rotation, review of audit records

80
Q

Technical / Logical and Physical Controls

A

Technical preventative: protocols, encryption, biometrics, smartcards, routers, firewalls

Technical detective: IDS and automatically generated violation reports, audit logs, CCTV recordings (detective, never preventative)

Physical preventative: fences, guards, locks

Physical detective: motion detectors, thermal detectors, video cameras

81
Q

Risk Analysis and Its Prime Objective

A

A process that analyzes threat scenarios and produces a representation of the estimated potential loss.

Prime Objective is to reduce the effects of security threats and vulnerabilities to a tolerable level

82
Q

Access Control - Main Categories

A

Directive: specify rules of behavior

Deterrent: discourage the would-be attacker, change their mind

Preventative: prevent incident or breach

Compensating: sub for loss of primary controls

Detective: signal warning, investigate

Corrective: mitigate damage, restore control

Recovery: restore to normal after incident

83
Q

Penetration Testing

A

Testing a network’s defenses by using the same techniques as external intruders

Scanning and Probing - port scanners
Demon Dialing - war dialing for modems
Sniffing - capture data packets
Dumpster Diving - searching paper disposal areas
Social Engineering - most common, get information by asking

84
Q

Blue Team

A

Has knowledge of the organization, can be done frequently and is the least expensive

85
Q

Red Team

A

External and stealthy

86
Q

White Box

A

Ethical hacker knows what to look for, sees code as a developer

87
Q

Grey Box

A

Partial knowledge of the system, sees code, act as a user

88
Q

Black Box

A

Ethical hacker has no prior knowledge of the target and tests from an outsider's perspective

89
Q

4 Stages of Penetration Test Planning

A
  1. Planning
  2. Discovery
  3. Attack
  4. Reporting
90
Q

Pen Test Strategies and Categories

A

Strategies: external, internal, blind, double-blind

Categories: zero, partial, full knowledge tests

91
Q

Software License - Public Domain

A

Available for anyone to use

92
Q

Software License - Open Source

A

Source Code made available with a license in which the copyright holder provides the rights to study, change and distribute the software to anyone

93
Q

Software License - Freeware

A

Proprietary software that is available for use at no monetary cost. May be used without payment but usually may not be modified, redistributed or reverse-engineered without the author's permission

94
Q

Wire Tapping

A

Eavesdropping on communications - legal only with prior consent of the parties or an appropriate court order (see CALEA)

95
Q

Data Diddling

A

Act of modifying information, programs, or documents to commit fraud, tampers with INPUT data

96
Q

Privacy Laws

A

Data collected must be collected fairly and lawfully and used only for the purpose it was collected

97
Q

Water Holing

A

Watering hole attack: compromise a website the target group is known to visit so that its visitors are infected (not to be confused with typosquatting, which registers look-alike domain names)

98
Q

Work Function (factor)

A

The difficulty of obtaining the clear text from the cipher text as measured by cost/time

99
Q

Fair Cryptosystems

A

In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party.

When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.

100
Q

Information Security Program

A

Provides the means for achieving strategy

Defines:

  • policies/standards/procedures/guidelines
  • roles and responsibilities
  • SLAs/Outsourcing
  • Data Classification/Security
  • C&A (Certification and Accreditation)
  • Auditing
101
Q

Types of Policy

A
  1. Corporate/Organizational Policy
    - management’s intent, commitment and philosophy to the organization
  2. System Specific Policy
    - policy will state that MFA is required, and the standard will state the details of what type of MFA
  3. Issue Specific Policy
    - can’t rely on common sense

*Policies don’t change often, but standards do - they fill in the gaps in policy

102
Q

Change Management

A

Changes are not implemented randomly, but follow a formalized process to implement change - approved, tested, etc.

103
Q

Acceptable Use

A

How organizations expect their resources to be treated.

104
Q

Privacy

A

Do employees have an expectation of privacy in the workplace? The employer does not have to provide privacy on company systems, but employees must be notified (e.g. in the AUP or a logon banner) that they are being monitored.

The biggest part of a privacy policy is notification.

105
Q

Data/System Ownership

A

Be clear of who owns the system and who owns the information - these people are responsible for determining the classification of information and dictate the controls

106
Q

Separation of Duties

A

ALWAYS THE RIGHT ANSWER

no one individual has too much power, it’s a conflict of interest

SODs forces collusion = if an employee wants to commit fraud, they would have to bring in another employee and would be less successful

107
Q

Mandatory Vacation

A

A detective control, usually in banks

If a person is committing fraud, they absence would highlight this.

108
Q

Job Rotation

A

Cross training; redundancy

A detective control, someone can view the work that was done

109
Q

Least Privilege/Need to Know

A

Least Privilege = action

Need to Know = data
- rights to access to data

110
Q

Dual Control

A

Preventing the abuse of power because it would take two individuals to commit fraud.

111
Q

M of N

A

Variables stating that so many of the total needs to be present
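
The 3 of 8 key escrow example on the M of N Control card, the two-or-more-pieces escrow in the Fair Cryptosystems card and the definition above are all instances of one technique, threshold secret sharing. The block below is an added example (Python, not code from the flashcards) implementing Shamir's scheme over a prime field: the key is the constant term of a random polynomial of degree M-1, each escrow agent holds one point on the curve, and any M points interpolate the constant back. The 128-bit sample key, the field prime 2**255 - 19 and the function names are assumptions of this example.

```python
"""Shamir secret sharing as an M-of-N control over a key escrow database.

Added example, not part of the flashcards. The sample key and the field
prime are assumptions; any prime larger than the largest key works.
"""
import secrets

# Field prime, chosen larger than any 128-bit key (assumption of this example).
PRIME = 2**255 - 19


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial at x, modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, m, n):
    """Split an integer secret into n shares (x, y); any m shares rebuild it."""
    if not 1 <= m <= n < PRIME:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be smaller than the field prime")
    # Degree m-1 polynomial with random coefficients; the constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    Fewer than m distinct shares are consistent with every possible secret,
    so the value returned then carries no information about it (by design).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat: den**(p-2) == den**-1 (mod p).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def escrow_key(key, m, n):
    """Split a raw key (bytes) among n escrow agents; m must cooperate to release it."""
    return split_secret(int.from_bytes(key, "big"), m, n)


def release_key(shares, key_len):
    """Reassemble the key from the shares presented by cooperating agents."""
    return recover_secret(shares).to_bytes(key_len, "big")


def demo_3_of_8(key=bytes.fromhex("00112233445566778899aabbccddeeff")):
    """Constructed 3-of-8 policy for a 128-bit key (sample key is made up)."""
    shares = escrow_key(key, 3, 8)
    # Any three agents (here agents 2, 5 and 7) release the key...
    released = release_key([shares[1], shares[4], shares[6]], len(key))
    # ...but two colluding agents only get an unrelated field element.
    partial = recover_secret(shares[:2])
    return released == key, partial == int.from_bytes(key, "big")


if __name__ == "__main__":
    print(demo_3_of_8())  # (True, False)
```

This is what makes M of N stronger than handing M people a copy of the key: two agents colluding learn nothing, and the shares can be rotated (re-split from the same key) without re-keying the systems that use it.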

112
Q

Standards

A

States the specifics of policy

  • mandatory
  • created to support policy, while providing more details
  • reinforces policy and provides direction
  • can be internal or external
113
Q

Procedures

A

Mandatory, how-to’s

SOP - standard operating procedures

114
Q

Guidelines

A

Not mandatory

best practices, recommendations
will have words like - whenever possible, should, etc.

115
Q

Documentation Relationships

A

Guidelines - suggestions
Procedures - how
Standards - what
Policies - why

116
Q

Baselines

A

Mandatory

Minimum acceptable security configuration for a system or process

The purpose of security classification is to determine and assign the necessary baseline config to protect data

117
Q

Senior Management

A

Provide

  • strategy and oversight
  • funding and support
  • ensure testing and results
  • prioritize business functions (BIA) (COO)
  • common vision/strategy/framework for the enterprise
  • ‘sign-off’ on Policy, BIA and other organization documents
118
Q

Business Impact Analysis (BIA)

A

The document that prioritizes business processes, services, etc. based on criticality to the organization

COO

119
Q

Steering Committee

A
  • Oversight of Information Security Program
  • acts as liaison between management, business, information technology, and information security.
  • assess and incorporate results of the risk assessment activity
  • brings security into the decision-making process
  • ensures all stakeholder interests are addressed
  • oversees compliance activities
120
Q

CISO Chief Information Security Officer

A

Senior Management - provides the what

  • directly involved in strategic planning using CIA triad
  • policy development
  • technology assessments
  • not just digital data, also verbal and physical
  • process improvements
  • acquisitions
  • capital planning
  • security
121
Q

Information Security Manager

A

Functional Management - provides the how

  • plays leading role in introducing an appropriate, structured methodology - solutions work, tested and are validated
  • acts as a major consultant in support of senior management
122
Q

Business Managers

A

Owners of systems and information
- determine classification of assets, data access, how it is protected etc

Our customers, heads of business units

Accountable for the protection of the information

123
Q

Security Practitioner

A

Implement, configure the security requirements

Support or use the risk management process to identify and assess new potential risk and implement new security controls as needed to safeguard their IT systems

124
Q

Auditors

A

Audit controls and policies to ensure that they are being implemented and are effective - and report on this.

If internal auditing is in place, auditors should not report to the head of a business unit, but rather to the COO or some other entity without direct stake in results

Auditors document, they do not modify and should never have write access

Auditors are there for compliance, and will tell you if they are compliant with policy. Audit will not tell you if something works, you’ll need to have to test.

125
Q

Security Trainers

A

Must understand the risk management process

Develop appropriate training materials

Conduct security trainings and awareness programs catered to roles within the organization

Incorporate risk assessment into training programs to educate the end users

Encourage users to report violations

Should make a security positive environment, and stay away from blame culture

Important to talk about WHY we enforce what we do

126
Q

Information Security/Enterprise Risk Management

A

ISRM is the process of managing risks associated with the use of info technology

Involves identifying, assessing, and treating risks to the confidentiality, integrity and availability of an organization’s assets.

127
Q

asset

A

Anything of value to the company and what we’re protecting

First step in RA is identifying assets and its values
- could be devices, information, IP

128
Q

vulnerability

A

a weakness in an asset; the absence of a safeguard

129
Q

threat

A

something that could pose loss to all or part of an asset

130
Q

threat agent

A

what carries out the attack; person and/or software

131
Q

exploit

A

an instance of a compromise

132
Q

risk

A

the probability of a threat materializing if I do nothing to mitigate the risk

ties in with likelihood

133
Q

controls

A

aka safeguards (proactive, e.g. a firewall) or countermeasures (reactive, e.g. reviewing an audit log)

physical, administrative, and technical protections

134
Q

total risk

A

the risk that exists before any control is implemented

aka inherent risk

135
Q

residual risk

A

leftover risk after applying a control

could be because you can’t, or because you don’t want to - just get it to an acceptable level

risk management about getting residual risk to acceptable levels

136
Q

secondary risk

A

when one risk response triggers another risk event

e.g. security patches and service packs: the security problem is fixed, but the system may be less available while the update is applied or if the patch breaks something

137
Q

incident

A

a risk event that has transpired

138
Q

Risk Identification

A

Identify:

  • the value of assets (what am I protecting and what is it worth)
  • threats
  • current controls and policies
  • vulnerabilities and residual risk
  • consequences of the residual risk

139
Q

Risk Assessment (Value)

A

Qualitative

Quantitative

140
Q

Risk Mitigation/Response

A
Reduce
Accept
Transfer
Avoid
Reject
141
Q

Risk Management Steps

A
  1. Identification
  2. Assessment
  3. Mitigation/Response
  4. Ongoing Evaluation

A revolving life cycle

143
Q

Methods of identifying risk

A
  • sources of risk documentation
  • audit reports incident reports
  • interviews with SMEs and public media
  • annual reports
  • press releases
  • vulnerability assessments and penetration tests
  • business continuity and disaster recovery plans
  • interviews and workshops
  • threat intelligence services
144
Q

Alignment with Business Goals and Objectives

A
  • the most important step for a CISM is to understand the business; review the org vision and strategy FIRST
  • look beyond IT - risk is measured by the impact the risk has on the BUSINESS, not the SYSTEM
  • senior management must be supportive and involved
    - management funds and supports risk mgmt
    - good metrics mean we have attainable objectives
    - good communication and transparency help us make risk-aware business decisions
145
Q

Organizational Structure + Impact on Risk

A

Risk Context: the context in which the org operates; culture, environment, constraints, high risk activities. Factors that influence how risk is addressed

Risk Management approach should be enterprise wide and a common framework should be shared across all departments - TESTABLE!!!!
- framework, strategy and programs should all be universal

Three lines of defense

RACI Charts should be used to indicate responsibilities

146
Q

Three Lines of Defense

A

1st Line: Business Units - Admins, Senior Management

  • involved in day-to-day risk management
  • follow a risk process
  • apply internal controls
  • dealing with systems and information

2nd Line: Risk and Compliance - Oversight

  • oversee and challenge risk management
  • provide guidance and direction
  • develop risk management framework

3rd Line: Audit - Auditors

  • review 1st and 2nd lines
  • provide an independent perspective and challenge the process
  • objective and offer assurance
147
Q

Risk Management Lifecycle

A
  1. IT Risk Identification
  2. IT Risk Assessment
  3. Risk Response and Mitigation
  4. Risk and Control Monitoring and Reporting
148
Q

IT Risk Assessment

A

Objective is to justify the mitigation strategy

149
Q

Risk Value

A

Potential for loss associated with the risk

150
Q

Qualitative Risk Analysis

A
  • the starting point
  • brainstorming - example, planning a picnic in 3 weeks; what's a risk to this picnic? e.g. the weather
  • not expensive or takes a long time
  • Subjective analysis to help prioritize probability and impact of risk events
  • May use Delphi Technique: anonymous surveying; people are more honest when anonymous
  • Probability and Impact Matrix to complete this
  • Assess risks based on subjective input
  • Uses terms like high, medium and low
  • inexpensive, and quick way to begin the prioritization and ranking of risk
151
Q

Quantitative Risk Analysis

A
  • THE DOLLARS!!!!
    • per year I'm losing $8K; if a one-time $10K control removes that loss, it pays for itself in less than two years
  • Provides a dollar value for a particular risk event
  • Much more sophisticated in nature; quantitative analysis is much more difficult and requires a special skill set
  • Business decisions (budget, cost/benefit of controls) are made on a quantitative analysis
  • Can't exist on its own. Quantitative analysis depends on qualitative information (you need the qualitative ranking first to know which risks are worth pricing)
152
Q

(AV) asset value

A

Dollar figure that represents what the asset is worth to the organization

$300K warehouse
- test questions won't be tricky for these

$300K warehouse that has $75K of hardware = count it all together (AV = $375K)

153
Q

(EF) exposure factor

A

The percentage of the asset's value that is expected to be lost when a particular risk materializes (0% to 100%)

Every time there is a fire, I lose 50% of the asset (EF = 0.5) = $300K x 0.5 = I will lose $150K

154
Q

(SLE) single loss expectancy**

A

Dollar figure that represents the cost of a single occurrence of a threat instance

every time the risk event happens, what does it cost me?

AV x EF = SLE (multiply, not add: $300K x 0.5 = $150K)

155
Q

(ARO) annual rate of occurrence

A

How often the threat is expected to materialize

156
Q

(ALE) annual loss expectancy**

A

Cost per year as a result of the threat

SLE x ARO = ALE

Every time a hard drive fails (risk event), it costs the company $3K (that per-event cost is the SLE). Hard drive fails 3x a year (ARO) = $9K (ALE). You can spend $5K per year (cost of control) to mitigate it - the control is worth it because $5K is less than the $9K ALE it removes.

157
Q

(TCO) total cost of ownership

A

Total cost of implementing a safeguard. Often in addition to initial costs, there are ongoing maintenance fees as well.

Make sure you are looking at both upfront costs and maintenance fees - the printer example: cheap to buy, but you have to keep buying ink. Compare controls on their annual cost (amortized purchase price plus yearly maintenance), not on the sticker price.

158
Q

(ROI) return on investment

A

amount of money saved by implementation of a safeguard. Sometimes referred to as the value of the safeguard/control

Value of safeguard = (ALE before the control) - (ALE after the control) - (annual cost of the control)

Looking for controls that mitigate risk to an acceptable level at a positive value = ROI. If the value is negative, the control costs more than the loss it prevents.

159
Q

Steps for Quantitative Analysis

A
  1. Assign Asset Value (AV)
  2. Calculate Exposure Factor (EF)
  3. Calculate Single Loss Expectance (SLE)
  4. Assess the annualized rate of occurrence (ARO)
  5. Derive the annualized loss expectancy (ALE)
  6. Perform cost/benefit analysis of countermeasures
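The six steps above carried through in code, as an added example that is not part of the original flashcards. It reuses the deck's own figures (the $300K warehouse with EF 50%, the $3K hard drive failing 3x a year with a $5K control) and adds TCO-style annual costing of each candidate control so the cost/benefit step in 6 is explicit. The warehouse ARO (one fire per ten years), the safeguard names, their costs and their residual EF/ARO are assumptions invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk event, expressed in the deck's quantitative terms."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 - 1.0)
    aro: float              # ARO, expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the residual risk it leaves behind."""
    name: str
    upfront_cost: float        # one-time purchase / implementation cost
    annual_maintenance: float  # recurring cost (licences, ink, staff time)
    lifetime_years: float      # years the upfront cost is spread over
    residual_ef: float         # EF once the control is in place
    residual_aro: float        # ARO once the control is in place

    def annual_tco(self) -> float:
        """Total cost of ownership per year: amortized upfront cost + maintenance."""
        return self.upfront_cost / self.lifetime_years + self.annual_maintenance


def residual_risk(risk: Risk, sg: Safeguard) -> Risk:
    """The same asset, re-scored with the control's residual EF and ARO."""
    return Risk(risk.name, risk.asset_value, sg.residual_ef, sg.residual_aro)


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Value (ROI) of a control = ALE before - ALE after - annual cost of control."""
    return risk.ale() - residual_risk(risk, sg).ale() - sg.annual_tco()


def recommend(risk: Risk, options: list) -> tuple:
    """Pick the control with the highest value. If no control pays for itself
    (value <= 0), the cost/benefit answer is to accept and document the risk."""
    best = max(options, key=lambda sg: safeguard_value(risk, sg))
    value = safeguard_value(risk, best)
    return ("accept", value) if value <= 0 else (best.name, value)


# Constructed figures (assumptions). AV and EF match the deck's fire example;
# the ARO of 0.1 (one fire per ten years) and every safeguard line are invented.
WAREHOUSE_FIRE = Risk("warehouse fire", asset_value=300_000, exposure_factor=0.5, aro=0.1)
WAREHOUSE_OPTIONS = [
    # printer-and-ink pattern: cheap to buy, recurring refill/inspection cost
    Safeguard("extinguishers", 2_000, 500, 5, residual_ef=0.3, residual_aro=0.1),
    Safeguard("sprinklers", 20_000, 1_000, 10, residual_ef=0.1, residual_aro=0.1),
    # very effective, but costs more per year than the whole ALE it protects
    Safeguard("24x7 fire watch", 0, 40_000, 1, residual_ef=0.05, residual_aro=0.1),
]

# Hard-drive card: SLE $3K, ARO 3/yr, a $5K/yr control that removes the risk.
HARD_DRIVE = Risk("hard drive failure", asset_value=3_000, exposure_factor=1.0, aro=3)
HARD_DRIVE_OPTIONS = [
    Safeguard("mirrored storage", 5_000, 0, 1, residual_ef=1.0, residual_aro=0.0),
]

if __name__ == "__main__":
    for risk, options in ((WAREHOUSE_FIRE, WAREHOUSE_OPTIONS), (HARD_DRIVE, HARD_DRIVE_OPTIONS)):
        print(f"{risk.name}: SLE=${risk.sle():,.0f}  ALE=${risk.ale():,.0f}")
        for sg in options:
            print(f"  {sg.name:16s} cost/yr=${sg.annual_tco():>8,.0f}"
                  f"  value=${safeguard_value(risk, sg):>9,.0f}")
        print("  ->", recommend(risk, options))
```

The fire-watch option is the acceptance case from the risk acceptance card: it reduces the loss the most, yet its value is negative because the control costs more than the loss it avoids, so a rational owner accepts the residual risk rather than buying it.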
160
Q

Risk Mitigation and Response

A

Risk Assessment will dictate the appropriate risk response

  • reduce
  • avoidance
  • transfer
  • accept
  • rejection - not acceptable
161
Q

Risk Reduction/Avoidance

A

When action is taken to lessen the frequency and/or impact of a risk. You can't lessen the probability of rain, but you can lessen the impact by bringing an umbrella
- may require the use of several controls until the risk reaches the level of risk acceptance or risk tolerance

If you've brought the risk probability down to zero, you have avoided the risk
- there's usually a negative payoff, like not doing or having something that we want

Examples of risk mitigation

  • strengthening overall risk management practices, such as implementing sufficiently mature risk management processes
  • deploying new technical, management or operational controls that reduce either the likelihood or the impact of an adverse event
  • installing a new access control system
  • implementing policies or operational procedures
  • developing an effective incident response and business continuity plan (BCP)
  • using compensating controls

ULTIMATE RISK REDUCTION IS AVOIDANCE!! but there is NO RISK ELIMINATION - no such thing!! TESTABLEEEEEEEEEEEEEEEE

162
Q

Risk Reduction/Transference

A

Risk transference is a decision to reduce loss by sharing that risk with another organization

  • insurance
  • transference does not reduce the risk of fire itself, but it reduces the potential for loss to us when a fire happens

Transference Examples:
SLAs (Service Level Agreements) and contracts establish the degree of transference.

Outsourcing work - I am a healthcare provider and have no idea how to remain HIPAA compliant, so I outsource to a company to handle the data protection

BUT YA CAN'T TRANSFER LIABILITY!!!!
- if the outsourcing company fails to protect the data, the liability is still on the healthcare provider (you can transfer the work and some of the cost, never the accountability)

163
Q

Risk Acceptance

A

Sometimes you just can't mitigate the risk; it's not feasible due to price, complexity, etc.

bring it up next quarter maybe

Characteristics:

  • provides no active mitigation
  • based on cost/benefit analysis, it is determined that the cost of the control is greater than the potential for loss, so the control isn't worth buying
  • sometimes acceptance is the only choice
  • risk acceptance still includes due diligence, and can still be used to show that good business decisions were made
  • level of risk and impact is always changing, so regular reviews are needed

Difference between risk rejection and risk acceptance: acceptance is a documented decision backed by due diligence and a cost/benefit analysis; rejection is ignoring the risk, which is never acceptable

164
Q

Risk Monitoring and Reporting

A

A risk response is designed and implemented based on a risk assessment that was conducted at a single point in time

Because of the changing nature of risk and associated controls, ongoing monitoring is an essential step of the risk management life cycle

  • controls can become less effective
  • the operational environment may change and new threats, technologies and vulnerabilities may emerge

Controls need to be re-evaluated for risk mitigation at least once per year, or after a major change
- don't skip the review just because something isn't broken OR there hasn't been a compromise yet

165
Q

Key Risk Indicators (KRIs)

A

essentially a warning sign that a risk may materialize ex. if the risk is rain, a KRI would be dark clouds, thunder, etc. so we should move into the alternate indoors area

  • provide early warning
  • provide backward-looking view on risk events
  • enable documentation and analysis of trends
  • provide an indication of risk appetite and tolerance
  • increase the likelihood of achieving strategic objectives
  • assist in optimizing risk governance
166
Q

Examples of KRIs

A
  • quantity of unauthorized equipment or software detected in scans
  • number of instances of SLAs exceeding thresholds
  • high average time to research and remediate operations incidents
  • number of desktops/laptops that do not have current antivirus signatures or have not run a full scan within scheduled periods
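The last KRI in the list above, turned into a small monitoring routine, as an added example that is not part of the original flashcards. It computes "% of endpoints with stale antivirus signatures or an overdue full scan" from a constructed inventory, compares the value to warning and critical thresholds (which is where risk appetite and tolerance show up), and gives the backward-looking trend from earlier readings. The hostnames, dates, the 3-day/7-day freshness limits, the 10%/25% thresholds and the earlier weekly readings are all invented for the example.

```python
from datetime import date, timedelta

# Constructed endpoint inventory (not real scan output):
# (hostname, date of last AV signature update, date of last full scan)
AS_OF = date(2024, 3, 4)
ENDPOINTS = [
    ("ws-01", date(2024, 3, 3), date(2024, 3, 1)),
    ("ws-02", date(2024, 3, 3), date(2024, 2, 27)),
    ("ws-03", date(2024, 2, 20), date(2024, 2, 20)),   # signatures 13 days old
    ("ws-04", date(2024, 3, 2), date(2024, 1, 15)),    # full scan 49 days old
    ("ws-05", date(2024, 3, 3), date(2024, 3, 2)),
]
MAX_SIGNATURE_AGE = timedelta(days=3)   # assumed policy: signatures refreshed within 3 days
MAX_SCAN_AGE = timedelta(days=7)        # assumed policy: full scan at least weekly

# Assumed thresholds expressing risk appetite: up to 10% is within appetite (green),
# up to 25% is within tolerance but needs attention (amber), above that is red.
THRESHOLDS = {"warn": 10.0, "critical": 25.0}


def stale_endpoint_pct(endpoints, as_of=AS_OF) -> float:
    """KRI value: percentage of endpoints with stale signatures or an overdue scan."""
    stale = [
        host for host, sig_date, scan_date in endpoints
        if as_of - sig_date > MAX_SIGNATURE_AGE or as_of - scan_date > MAX_SCAN_AGE
    ]
    return 100.0 * len(stale) / len(endpoints)


def kri_status(value: float, thresholds=THRESHOLDS) -> str:
    """Map the KRI value to a traffic-light status against the thresholds."""
    if value > thresholds["critical"]:
        return "red"
    if value > thresholds["warn"]:
        return "amber"
    return "green"


def kri_trend(history) -> str:
    """Backward-looking view: compare the latest reading with the mean of the
    earlier ones; more than a 10% move either way counts as a real change."""
    if len(history) < 2:
        return "insufficient data"
    baseline = sum(history[:-1]) / (len(history) - 1)
    latest = history[-1]
    if latest > baseline * 1.1:
        return "worsening"
    if latest < baseline * 0.9:
        return "improving"
    return "stable"


def report(endpoints, history) -> dict:
    """One reporting-period entry for the risk register: value, status, trend."""
    value = stale_endpoint_pct(endpoints)
    return {"value": value, "status": kri_status(value), "trend": kri_trend(list(history) + [value])}


if __name__ == "__main__":
    # constructed readings of the same KRI from the three previous weeks
    print(report(ENDPOINTS, [8.0, 12.0, 20.0]))
```

A red status with a worsening trend is the "dark clouds" signal from the KRI card: the risk (malware getting past stale defences) has not materialized yet, but the indicator says it is getting more likely, which is the moment to act rather than after the incident.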
167
Q

KRIs Support The Following

A
  • risk appetite
  • risk identification
  • risk mitigation
  • risk culture
  • risk measurement and reporting
  • regulatory compliance
168
Q

Risk Management Process Review

A

Risk Assessment

  • usually the most difficult to accomplish
  • many unknowns
  • necessary effort of gathering the right data

Risk Analysis
- can be done qualitatively and/or quantitatively

Risk Mitigation
- takes steps to reduce risk to acceptable level

Risk Monitoring
- remember - risk must be managed since it cannot be totally eliminated

169
Q

Legal Consideration - note about its exam worthiness

A

NOT HUGE ON THE EXAM bc it’s US based law and its a global exam

170
Q

Liabilities

A

Who is at fault?

  • failure of management to exercise Due Care/Due Diligence can be termed negligence
    • culpable negligence is often used to prove liability

Prudent Man Rule:
- perform duties that prudent people would exercise in similar circumstances - ex: due diligence = researching industry standards and best practices; due care = setting and enforcing policy to bring the organization into compliance (diligence is knowing, care is doing)

Downstream liabilities

Integrating technology with other companies can extend one's responsibility outside the normal bounds - if your weak security lets an attacker reach a partner, you can be liable for their loss

171
Q

Types of Law

A

Criminal
Civil
Regulatory
Intellectual property

172
Q

Criminal Law

A

Difficult to get a conviction for cyber crimes

  • burden of proof = beyond a reasonable doubt - can be difficult to meet in computer-related crimes; the technical details are hard for juries, and evidence handling must be flawless

Penalties: financial, jail time, death

  • felonies: the more serious of the two; the penalty often results in incarceration of at least a year
  • misdemeanors: normally the less serious of the two, with fines or jail time of less than one year

The goal of criminal penalties is punishment and deterrence

173
Q

Civil (Tort) Law

A

Burden of proof = preponderance of the evidence ("more likely than not", a lower bar than criminal law)

Damages

  • compensatory: paid for the actual damage which was suffered by a victim, including attorney fees, loss of profits, medical costs, investigative costs, etc.
  • punitive: designed as a punishment for the offender
  • statutory: an amount stipulated within the law rather than calculated based on the degree of harm to the plaintiff. Often, statutory damages are awarded for acts in which it is difficult to determine the value of the harm to the victim

Liability, Due Care, Due Diligence, Prudent Person Rule are all pertinent to civil law, as well as administrative law

174
Q

Administrative (Regulatory) Law

A

Defines standards of performance and regulates conduct for specific industries

  • Banking (Basel II)
  • Energy (Energy Policy Act, EPAct, of 2005)
  • Health Care (HIPAA)

Burden of proof = 'more likely than not'

Penalties consist of fines or imprisonment

175
Q

Intellectual Property

A

Intellectual Property Law

  • protecting products of the mind
  • company must take steps to protect resources covered by these laws or these laws may not protect them

Main international organization, run by the UN, is the World Intellectual Property Organization (WIPO) - administers the international IP treaties and handles cross-border IP disputes

Licensing violations are the most prevalent, followed by plagiarism, piracy and corporate espionage

176
Q

Trade Secret

A

Resource must provide competitive value and a unique edge

Ex: McDonald's Big Mac sauce recipe

Must be reasonably protected from unauthorized use or disclosure

Proprietary to a company and important for survival

Must be genuine and not obvious

177
Q

Knowledge Transfer

A

TRAIN YOUR PEOPLE!

Awareness, Training, Education

“People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely and education in security measures and practices are of critical importance for the success of an organization’s security program”

The goal of knowledge transfer is to modify employee behavior
- expect MORE incident reports after training, not fewer, because people now recognize what's wrong and know how to report it; that's a sign the program is working

178
Q

Security Awareness Training

A
  • employees can’t and won’t follow the directives and procedures if they don’t know them
  • employees must know expectations and ramifications, if not met
  • employee recognition award program
  • part of due care
  • administrative control
Shouldn't be One Size Fits All:
Sr. management also needs training
- due diligence, due care, culpable negligence
End Users
- basic cyber hygiene

Overriding Benefits

  • modifies employee behavior and improves attitudes towards information security
  • increases ability to hold employees accountable for their actions
  • raises collective security awareness level of the organization