Domain 1 Flashcards

1
Q

(ISC)² Code of Ethics

A
  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure
  2. Act honorably, honestly, justly, responsibly, and legally
  3. Provide diligent and competent service to principals
  4. Advance and protect the profession
2
Q

4 Levels of Security Policy Development

A
  1. Security policy (the acceptable use policy is part of this top level)
  2. Security standards and baselines
  3. Security guidelines
  4. Security procedures
3
Q

3 types of security plans

A
  1. Strategic (long term, stable, includes a risk assessment, ~5 years)
  2. Tactical (mid term, details on achieving the goals of the strategic plan, ~1 year)
  3. Operational (short term, highly detailed, derived from the strategic + tactical plans, monthly/quarterly)
4
Q

Primary risk management framework for the exam

A

NIST SP 800-37 (the Risk Management Framework, RMF)

5
Q

Secondary risk management frameworks for the exam

A
  1. OCTAVE
  2. FAIR
  3. TARA
6
Q

7 steps of the Risk Management Framework (RMF), NIST SP 800-37

A
  1. PREPARE to execute the RMF
  2. CATEGORIZE information systems
  3. SELECT security controls
  4. IMPLEMENT security controls
  5. ASSESS security controls
  6. AUTHORIZE the system
  7. MONITOR the security controls

People Can See I Am Always Monitoring

7
Q

Fact on risk management

A

Not every risk can be mitigated; some risk is always accepted, transferred, or avoided instead

8
Q

Who decides how risk is handled?

A

Senior management (not the security team) decides how risk is handled

9
Q

What should I do in case of legal issues?

A

Consult an attorney (legal counsel) before acting

10
Q

Inherent Risk

A

The risk present in a newly identified situation before any strategy or control addresses it, i.e. the level of risk in the absence of controls

11
Q

Total risk

A

amount of risk WITHOUT ANY safeguards + controls

12
Q

Formula Total Risk

A

total risk = threats * vulnerabilities * asset value

13
Q

Formula Risk

A

risk = threat * vulnerabilities

14
Q

6 major steps of Quantitative Risk Analysis

A
  1. INVENTORY assets and assign a value to each (AV)
  2. Identify THREATS to each asset (+ calculate EF and SLE per threat)
  3. Perform a THREAT ANALYSIS (+ calculate the likelihood of each threat being realized in a single year = ARO)
  4. Estimate the POTENTIAL LOSS per threat (by calculating ALE)
  5. Research COUNTERMEASURES for each threat (+ calculate the change to ARO and ALE with the countermeasure in place)
  6. Perform a COST/BENEFIT analysis of each countermeasure
15
Q

Quantitative Risk Analysis

A

Assigns dollar values to assets and losses; objective, but depends on reliable numbers

16
Q

Qualitative Risk Analysis

A

Scoring system (ranks threats and the effectiveness of controls on a scale rather than in currency); subjective, based on judgment and experience

17
Q

Delphi Technique

A

qualitative; anonymous rounds of feedback + response among experts until the group arrives at a consensus

18
Q

What threat agents do

A

exploit vulnerabilities

19
Q

Exposure Factor (=EF)

A

percentage of the asset's value lost when a specific threat is realized against it

20
Q

Single Loss Expectancy (=SLE)

A

cost of a single realized risk against a specific asset

21
Q

Formula for SLE

A

SLE = Asset Value (AV) x Exposure Factor (EF)

22
Q

Annualized Rate of Occurrence (=ARO)

A

expected frequency with which a specific threat or risk is realized within a single year

23
Q

Annualized Loss Expectancy (=ALE)

A

yearly cost of all instances of a specific realized threat against a specific asset

24
Q

Formula for ALE

A

ALE = SLE x ARO

25
Safeguard evaluation considerations
must mitigate risk, be transparent to users, be difficult to bypass, and be cost effective
26
Formula Value of Safeguard
ALE before safeguard - ALE after safeguard - annual cost of safeguard = ALE1 - ALE2 - ACS
27
Controls Gap
Amount of risk reduced by implementing the safeguard
28
Formula Residual Risk
Residual risk = Total risk - controls gap
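The quantitative cards above (AV, EF, SLE, ARO, ALE, safeguard value, controls gap, residual risk) carried through end to end. This is an added example, not part of the original flashcards; the asset value, the ransomware threat figures and the three candidate safeguards are constructed, and measuring total risk as the no-safeguard ALE is an assumption of the example (the page's total-risk formula is conceptual and has no units).

```python
"""Quantitative risk analysis worked through with the flashcards' formulas.

Added example, not from the original page. Asset value, threat, and
safeguard figures are constructed for illustration.
  SLE = AV x EF            ALE = SLE x ARO
  safeguard value = ALE1 - ALE2 - ACS
  controls gap    = ALE1 - ALE2   (risk reduced by the safeguard)
  residual risk   = total risk - controls gap
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float    # exposure factor: fraction of AV lost per realized threat (0..1)
    aro: float   # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float   # annual cost of the safeguard
    ef: float    # exposure factor once the safeguard is in place
    aro: float   # annualized rate of occurrence once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single loss expectancy, rounded to cents."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return round(av * ef, 2)


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle(av, ef) * aro, 2)


def safeguard_value(av: float, threat: Threat, sg: Safeguard) -> float:
    """ALE1 - ALE2 - ACS; a positive value means the safeguard pays for itself."""
    ale1 = ale(av, threat.ef, threat.aro)
    ale2 = ale(av, sg.ef, sg.aro)
    return round(ale1 - ale2 - sg.acs, 2)


def residual_risk(total_risk: float, controls_gap: float) -> float:
    """Residual risk = total risk - controls gap."""
    return round(total_risk - controls_gap, 2)


def cost_benefit(av: float, threat: Threat, candidates: list[Safeguard]) -> list[dict]:
    """Step 6 of the quantitative process: rank candidate safeguards by value.

    Total risk is measured as the ALE with no safeguard in place (an
    assumption of this example).
    """
    ale1 = ale(av, threat.ef, threat.aro)
    rows = []
    for sg in candidates:
        ale2 = ale(av, sg.ef, sg.aro)
        gap = round(ale1 - ale2, 2)
        value = safeguard_value(av, threat, sg)
        rows.append({
            "safeguard": sg.name,
            "ale_before": ale1,
            "ale_after": ale2,
            "controls_gap": gap,
            "residual_risk": residual_risk(ale1, gap),
            "value": value,
            "recommend": value > 0,   # negative value: the safeguard costs more than it saves
        })
    rows.sort(key=lambda r: r["value"], reverse=True)
    return rows


# Constructed scenario: a customer database worth 500,000 facing ransomware.
CUSTOMER_DB_AV = 500_000.0
RANSOMWARE = Threat("ransomware", ef=0.60, aro=0.20)   # 60% loss, about once in 5 years
CANDIDATES = [
    Safeguard("offline backups", acs=15_000, ef=0.15, aro=0.20),    # limits damage
    Safeguard("EDR rollout", acs=40_000, ef=0.60, aro=0.05),        # limits frequency
    Safeguard("full rebuild + MDR", acs=70_000, ef=0.05, aro=0.05), # best control, worst value
]

if __name__ == "__main__":
    for row in cost_benefit(CUSTOMER_DB_AV, RANSOMWARE, CANDIDATES):
        flag = "ACCEPT" if row["recommend"] else "REJECT"
        print(f"{flag:6} {row['safeguard']:<20} value={row['value']:>10,.2f} "
              f"residual={row['residual_risk']:>10,.2f}")
```

The third candidate reduces risk the most yet has a negative safeguard value, which is the point of card 7: the option that cuts the most risk is not automatically the one to buy, and management can legitimately accept the residual risk left by a cheaper control.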
29
Threat Modeling
potential threats are identified, categorized, and analyzed; goal = eradicate or reduce threats, either proactively (during design) or reactively (after deployment)
30
Threat Model Focus
- Focused on assets (asset valuation)
- Focused on attackers (threats derived from the attackers' goals)
- Focused on software (potential threats against the software being built)
31
STRIDE (threat model Microsoft)
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
32
PASTA (Process for Attack Simulation and Threat Analysis; risk-centric threat model, 7 stages)
1. Definition of the Objectives
2. Definition of the Technical Scope
3. Application Decomposition and Analysis
4. Threat Analysis
5. Weakness and Vulnerability Analysis
6. Attack Modeling and Simulation
7. Risk Analysis and Management
33
VAST (threat model)
Visual, Agile, and Simple Threat (modeling); designed to scale across agile development
34
Trike (threat model)
focus on risk based approach
35
DREAD (threat rating scheme, used to score threats found with STRIDE)
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability
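Scoring and ranking STRIDE-categorized threats with the five DREAD axes. This is an added example, not part of the original flashcards; the four web-application threats are constructed, and the 1..10 per-axis scale averaged into a single score plus the High/Medium/Low bands are conventions assumed by this example rather than a rule on the page.

```python
"""Rating STRIDE threats with DREAD.

Added example, not from the original page. Each DREAD axis is scored
1..10 and the threat score is the average of the five axes; the
severity bands are an assumption of this example. The threats below
are constructed for illustration.
"""
from __future__ import annotations

DREAD_AXES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")
STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege"}


def dread_score(ratings: dict[str, int]) -> float:
    """Average of the five DREAD ratings, each an integer 1..10."""
    missing = set(DREAD_AXES) - ratings.keys()
    if missing:
        raise ValueError(f"missing DREAD axes: {sorted(missing)}")
    for axis in DREAD_AXES:
        value = ratings[axis]
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{axis} must be an integer 1..10, got {value!r}")
    return round(sum(ratings[a] for a in DREAD_AXES) / len(DREAD_AXES), 1)


def severity(score: float) -> str:
    """Assumed bands: High >= 7.0, Medium >= 4.0, else Low."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank_threats(threats: list[dict]) -> list[dict]:
    """Score each threat, attach a severity band, and sort highest first."""
    ranked = []
    for t in threats:
        if t["stride"] not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {t['stride']}")
        score = dread_score(t["dread"])
        ranked.append({"name": t["name"], "stride": t["stride"],
                       "score": score, "severity": severity(score)})
    ranked.sort(key=lambda r: (-r["score"], r["name"]))
    return ranked


# Constructed threats for a web application.
THREATS = [
    {"name": "Forged session token", "stride": "Spoofing",
     "dread": {"damage": 8, "reproducibility": 9, "exploitability": 7,
               "affected_users": 9, "discoverability": 6}},
    {"name": "Audit log deletable by app user", "stride": "Repudiation",
     "dread": {"damage": 4, "reproducibility": 6, "exploitability": 5,
               "affected_users": 3, "discoverability": 4}},
    {"name": "Stack trace in error page", "stride": "Information Disclosure",
     "dread": {"damage": 3, "reproducibility": 10, "exploitability": 9,
               "affected_users": 7, "discoverability": 9}},
    {"name": "Version banner on login page", "stride": "Information Disclosure",
     "dread": {"damage": 2, "reproducibility": 10, "exploitability": 3,
               "affected_users": 2, "discoverability": 9}},
]

if __name__ == "__main__":
    for row in rank_threats(THREATS):
        print(f"{row['score']:4.1f} {row['severity']:<6} [{row['stride']}] {row['name']}")
```

Note how the two Information Disclosure findings land in different bands: the same STRIDE category says nothing about priority until DREAD puts numbers on damage and exploitability, which is why the two are used together.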
36
2 Types of Security Controls
- Safeguard = proactive
- Countermeasure = reactive
37
Control Types
- Deterrent (discourage violation)
- Preventive (stop unwanted/unauthorized activity)
- Detective (discover/detect unwanted/unauthorized activity)
- Compensating (provide options to other existing controls)
- Corrective (return systems to normal)
- Recovery (extension of corrective controls)
- Directive (direct, confine, or control the actions of subjects)
38
Types of Law
- Criminal Law
- Civil Law
- Administrative Law
39
Computer Fraud and Abuse Act (CFAA)
1986; first major piece of cybercrime-specific legislation in the US
40
Federal Sentencing Guidelines
1991; punishment guidelines that help federal judges interpret computer crime laws
41
Federal Information Security Management Act (FISMA)
2002; requires federal agencies to run a formal information security program
42
Copyright and Digital Millennium Copyright Act
copyright protects literary, musical, and dramatic works (among other creative works); the DMCA adds protection against circumvention of copyright controls
43
Trademarks
words, slogan, logos (identification of company, products, services)
44
Patents
intellectual property rights of an inventor over an invention; the invention is publicly disclosed (not secret) in exchange for exclusive rights for a limited time
45
Trade secrets
secret and absolutely critical to the business (like the Coca-Cola recipe); must not be disclosed, and protection lasts only as long as it stays secret
46
4 Licensing types
- contractual
- shrink wrap
- click through
- cloud services
47
Basis for privacy rights in the US
4th Amendment of the US Constitution
48
Healthcare specific laws
HIPAA, HITECH
49
FI specific laws
Gramm-Leach-Bliley Act (GLBA)
50
Law related to privacy of Children online
COPPA = Children's Online Privacy Protection Act
51
2 Laws related to Electronic Communication
- ECPA = Electronic Communications Privacy Act
- CALEA = Communications Assistance for Law Enforcement Act
52
5 Business Continuity Planning process steps (continuity planning through approval and implementation)
1. Strategy DEVELOPMENT
2. Provisions and PROCESSES
3. Plan APPROVAL
4. Plan IMPLEMENTATION
5. Training and EDUCATION
53
Governance
the process of how an organization is managed
54
Security Governance
the entirety of the policies, roles, and processes an organization uses to make security decisions
55
Security Control Frameworks
- ISO 27001/27002
- COBIT = Control Objectives for Information and Related Technology (maintained by ISACA)
- ITIL = Information Technology Infrastructure Library (best practices for IT service management)
- Risk Management Framework (especially NIST SP 800-37 + SP 800-53)
- CSA STAR = Cloud Security Alliance Security, Trust, Assurance and Risk registry (assurance ratings for cloud service providers)
56
Due Care
the care a reasonable organization owes its customers and stakeholders: doing what a prudent person would do in the same situation
57
Due Diligence
any activity undertaken to demonstrate or maintain due care; the evidence that due care is being provided
58
Risk Frameworks (NOT only RMF)
- ISO 31000 (Risk Management Principles and Guidelines)
- ISO 27005 (IT Security Risk Management)
- COSO (ERM framework; financial reporting irregularities and fraud)
- ISACA (Risk IT; connects strategic risk with IT risk management)
- NIST (RMF, SP 800-37)
59
3rd party assessment and monitoring
- ISO certification audits
- CSA STAR evaluation
- AICPA SSAE 16 SOC reports (SSAE 16 has since been superseded by SSAE 18)
60
Industry standards
- set by industry participants
- can eventually evolve into a legal standard
- may be accepted by regulators
- examples: ISO, CSA STAR, Uptime Institute
61
PII data examples
- Name
- Home address
- Tax identification numbers / social security numbers
- Mobile telephone numbers
- Specific computer data (MAC address, IP address of the user's client)
62
data owner / data controller
entity that collects or controls PII data
63
data processor
creates, stores, sends, etc. the data on behalf of the data owner / controller
64
data custodian
manages data day to day (system admin, database admin, etc.)
65
What kind of data storage is PCI DSS prohibiting?
Sensitive authentication data after authorization, in particular the card verification value (CVV2/CVC2/CID), full track data, and PINs
66
Does the information security policy require signing by employees?
No; the policy applies to everyone regardless of signature, though organizations commonly have employees acknowledge it
67
Opposite of CIA
DAD = Disclosure, Alteration, Destruction
68
IAAA - requirements for accountability
- Identification - Authentication - Authorization - Accountability
69
Responsibility of the ISO
- Written products (policies, standards, procedures)
- CIRT (computer incident response team)
- Security awareness
- Communicate risk to higher management
- Report at as high a level in the organization as possible
- Security is everyone's responsibility
70
Wassenaar Arrangement (WA)
international export-control agreement on conventional arms and dual-use goods and technologies, including cryptography; aims to prevent destabilizing accumulations of such items
71
Section 302
(Sarbanes-Oxley Act, SOX) CEOs and CFOs personally certify financial reports and can go to jail if they sign false information
72
Section 404
(Sarbanes-Oxley Act, SOX) management must assess and report on internal controls over financial reporting; drives good auditing and information security practice
73
Wire tapping
eavesdropping on communications; only legal with prior consent or a warrant
74
Data Diddling
modifying information, programs, or documents to commit fraud; tampers with INPUT data before or as it enters a system
75
Watering hole attack
attacker compromises a website the target group is known to visit and plants malware there, rather than attacking the targets directly
76
Work function / factor
how much cost/time it takes to recover the plaintext from the ciphertext (break the cipher)?
77
SLR (Service Level Requirements)
requirements for a service stated from the client's perspective
78
Service level report
insight into the service provider's ability to deliver the agreed service quality