Developing the Security Case

Question 1

A technique that you can use to structure a system’s security requirements is called?.

Answer 1

Security Case

Question 2

What are the factors to consider when constructing a security case?

Answer 2

 Who will be using it?
 What is its purpose?
 Where will it be used and when?
 Why is it being used?
 When will it be used?

Question 3

What is the function SABSA Contextual Security Architecture?

Answer 3

Security policy making, information classification, risk analysis process, business requirements, collection and specification, organisational and cultural development, etc.

Question 4

What is the function SABSA Conceptual Security Architecture ?

Answer 4

Programmes for training and awareness, business continuity management, audit and review, process development for registration, authorisation, administration and incident handling, development of standards and procedures, etc.

Question 5

What is the function SABSA Logical Security Architecture?

Answer 5

Management of security services, security of service
management, negotiation of inter-operable standards for security services, audit trail monitoring and invocation of actions, etc.

Question 6

What is the of function SABSA Physical Security Architecture?

Answer 6

Cryptographic key management, communication of security parameters between parties, synchronisation between parties, access control list maintenance and distribution of access control entries, back-up management (storing, labelling, indexing, etc.), virus pattern search maintenance, event log file management and archiving, etc.

Question 7

What is the function SABSA Component Security Architecture?

Answer 7

Products, technology, standards and tools evaluation and selection, project management, implementation
management, operation and administration of individual components, etc.

Question 8

What is the function SABSA Operational Security Architecture?

Answer 8

Operational continuity of the business systems and
information processing, maintaining the security of
operational business data and information (confidentiality, integrity, availability, auditability and accountability), managing operational risks to minimise operational failures and disruptions, performing specialised security-related operations (user security administration, system security administration, data back-ups, security monitoring, emergency response procedures, etc.), providing operational support for the security-related needs of all users and their applications, maintaining the system integrity and security of all operational platforms and networks (by applying operational security standards and auditing the configuration against these standards), scheduling and executing a timetable of security-related operations.

Question 9

What is Threat Modelling ?

Answer 9

Threat modelling is the process of analysing potential threats to the proposed system

Question 10

What is Threat Modelling ISO 27000 ?

Answer 10

Threat as ‘potential cause of an unwanted incident, which may result in harm to a system or organization.

Question 11

What are the Six classification of Threats according to ISO 27000 ?

Answer 11

Human, Natural, Technical, Physical, Environmental. Operational

Question 12

What is Risk Management?

Answer 12

Risk management is the process of directing and controlling an organisation with regard to risk (ISO Guide 73:2009)

Question 13

What is risk management framework?

Answer 13

It is a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring reviewing and continually improving risk management throughout the organisation (ISO Guide 73:2009

Question 14

Policy, objectives, mandate and commitment to managing risk, existing and future plans, relationships, accountabilities, resources, processes, activities, are components that must be included what document

Answer 14

Risk Management Framework

Question 15

What are the five steps to risk identification

Answer 15

1. Identify your assets.
2. Identify potential or existing threats.
3. Identify your existing controls (measure that is modifying risk).
4. Identify any vulnerabilities within your controls.
5. Identify the consequences that these vulnerabilities could cause.

Question 16

What are the methodologies that you can use to analyse risks?

Answer 16

Qualitative (subjective), Semi-quantitative (subjective),

Quantitative (objective), Single Loss Expectancy (SLE) and Annualised Loss Expectancy (ALE)

Question 17

What is Qualitative (subjective)

Answer 17

Uses simple scales (e.g. high, medium, low) to describe the magnitude of a potential consequence and its likelihood

Question 18

What is Semi-quantitative (subjective)

Answer 18

uses a simplified numeric scale (e.g. 0.01 to
1.00) to describe the magnitude of a potential consequence and its
likelihood

Question 19

What is Quantitative (objective)

Answer 19

Uses ‘realistic’ numerical values to describe the

magnitude of a potential consequence and its likelihood

Question 20

What are the three ways to treat risk

Answer 20

 Modify (mitigate or change some circumstance)
 Avoid (do not use this system or action)
 Share (with others – insurance, external parties)

Question 21

What are the constraints of risk treatment

Answer 21

Technical limitations, operational limitations, legal problems, financial constraints, staffing requirements and training requirements

Question 22

Physical, Technical and Procedural are the types of control for

Answer 22

Operational Controls for Risk Management