Domain 1 - Chapter 2 - Personnel Security and Risk Management Concepts Flashcards
What is the weakest element in any security solution?
Human
What are job responsibilities?
Specific work tasks an employee is required to perform on a regular basis.
What is the removal of an employee's identity from an Identity and Access Management (IAM) system?
Offboarding
_______ exists when several entities or organizations are involved in a project.
Multiparty risk
What is a VMS?
Vendor Management System
A software solution that assists with the management and procurement of staffing services, hardware, software, and other needed products and services.
What is compliance?
The act of conforming to or adhering to rules, policies, regulations, standards, or requirements.
What is the detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk?
Risk management
What is risk assessment/risk analysis?
The examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur.
What is risk response?
Involves evaluating countermeasures, safeguards, and security controls using a cost/benefit analysis.
What is meant by risk awareness?
An effort to increase the knowledge of risk within an organization.
What is an asset?
Anything used in a business process or task.
What is asset valuation?
The value assigned to an asset based on a number of factors, including importance to the organization, use in critical processes, actual costs, and nonmonetary expenses/costs.
What is a threat?
Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat.
What is a threat agent/actor?
A person or entity that intentionally exploits vulnerabilities.
What is a threat event?
Accidental occurrences and intentional exploitations of vulnerabilities, e.g., earthquakes, fires, human error, ….
What is a vulnerability?
A weakness in an asset, or the absence or weakness of a safeguard or countermeasure: a loophole, flaw, oversight, error, limitation…
What is exposure?
Being susceptible to asset loss because of a threat.
What is a risk?
The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset and the severity of damage that could result.
Risk formula
risk = threat * vulnerability
What is a safeguard?
Anything that removes or reduces a vulnerability or protects against one or more specific threats.
What is an attack?
The intentional attempted exploitation of a vulnerability by a threat agent to cause damage, loss, or disclosure of assets.
What is a breach?
Breach = Intrusion = Penetration
Occurrence of a security mechanism being bypassed or thwarted by a threat agent.
Threats exploit _____.
vulnerabilities
Who is primarily responsible for risk management?
Upper Management
What are the two risk assessment types?
Quantitative and Qualitative
What are the six major elements of quantitative risk analysis?
Assign asset value (AV)
Calculate exposure factor (EF)
Calculate single loss expectancy (SLE)
Assess the annualized rate of occurrence (ARO)
Derive the annualized loss expectancy (ALE)
Perform cost/benefit analysis of countermeasures
What is Exposure Factor (EF)?
The percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
What is a Single Loss Expectancy (SLE)?
The potential loss associated with a single realized threat against a specific asset.
SLE = asset value (AV) * exposure factor (EF)
What is Annualized Rate of Occurrence (ARO)?
The expected frequency with which a specific threat or risk will occur within a SINGLE YEAR.
What is Annualized Loss Expectancy (ALE)?
The possible yearly loss from all instances of a specific realized threat against a specific asset.
ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO); ALE = SLE * ARO
What is risk appetite?
The total amount of risk that an organization is willing to shoulder in aggregate across all assets.
What is risk capacity?
The level of risk an organization is able to shoulder.
What is risk tolerance?
The amount or the level of risk an organization will accept per individual asset-threat pair.
What is risk limit?
The maximum level of risk above the risk target that will be tolerated before further risk management actions are taken.
What are the risk responses?
Risk Mitigation
Risk Assignment
Risk Deterrence
Risk Avoidance
Risk Acceptance
Risk Rejection
Risk mitigation
Implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats.
e.g., encryption, firewalls
Risk Assignment
The placement of the responsibility of loss due to a risk onto another entity or organization.
Risk Deterrence
The process of implementing deterrents to would-be violators of security and policy.
Risk Avoidance
The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option.
Risk Acceptance
The result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. Management has agreed to accept the consequences and the loss if the risk is realized.
Risk Rejection
Ignoring a risk, which can be considered negligence in court.
What are inherent risks?
Initial risk
What are residual risks?
The risk that management has chosen to accept rather than mitigate.
What is total risk?
The amount of risk an organization would face if no safeguards were implemented.
Total risk = threats * vulnerabilities * asset value
What is the control gap?
The difference between total risk and residual risk; the amount of risk that is reduced by implementing safeguards.
Total risk - controls gap = residual risk
What is ACS?
Annualized Cost of the Safeguard
What is the cost/benefit calculation?
ALE pre-safeguard - ALE post-safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company.
(ALE1 - ALE2) - ACS
If the result is negative, the safeguard is not a financially responsible choice.
Policies and procedures defined by an organization's security policy and other regulations or requirements….
Administrative controls
The hardware or software mechanisms used to manage access and provide protection for IT resources and systems.
Technical/logical controls
Protection to the facility and real-world objects.
Physical controls
What are preventative controls?
Controls deployed to thwart or stop unwanted or unauthorized activity from occurring.
fences, locks, authentication, access control vestibules, alarm systems, encryption, auditing
What are deterrent controls?
Deployed to discourage security policy violations.
policies, security awareness training, badges
What are detective controls?
Deployed to discover or detect unwanted or unauthorized activity.
security guards, CCTV, motion detectors, audit trails, IDSs
What are compensating controls?
Deployed to provide various options to other existing controls to aid in enforcement and support of security policies.
What are corrective controls?
Controls that modify the environment to return systems to normal after an unwanted or unauthorized activity has occurred.
What are recovery controls?
An extension of corrective controls with more advanced or complex abilities; they attempt to repair or restore resources, functions, and capabilities after a security policy violation.
What are directive controls?
Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
What is a SCA?
Security Control Assessment
What is a Security Control Assessment (SCA)?
The formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation.
What are the goals of an SCA?
To ensure the effectiveness of the security mechanisms, evaluate the quality and thoroughness of the risk management processes of the organization, and produce a report of the relative strengths and weaknesses of the deployed security infrastructure.
Security controls should provide benefits that can be ______and _____.
monitored; measured
What is risk reporting?
A key task to perform at the conclusion of a risk analysis.
What is a risk register/risk log?
A document that inventories all the identified risks to an organization or system, or within an individual project.
What is an ERM?
Enterprise Risk Management program
An ERM assesses the key indicators and activities of a mature, sustainable, and repeatable risk management process.
____ established the Risk Management Framework and the Cybersecurity Framework.
NIST
What is a risk framework?
A guideline for how risk is to be assessed, resolved, and monitored.
The Cybersecurity Framework (CSF) is designed for ______?
Critical infrastructure and commercial organizations
The CSF is based on a framework core that consists of what five functions?
Identify, Protect, Detect, Respond, Recover
The Risk Management Framework (RMF) is designed for ____ ?
Federal Agencies
List the six (seven, including Prepare) cyclical RMF phases.
Prepare - Categorize, Select, Implement, Assess, Authorize, Monitor
List the social engineering principles.
Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, Urgency
What is whaling?
A form of spear phishing that targets specific high-value individuals (by title, by industry, from media coverage…), e.g., C-level executives.
What is smishing?
Spam over instant messaging
What is vishing?
Voice-based phishing
What is typo-squatting?
The practice of redirecting traffic to an alternate website based on a mistyped character, e.g., Googlee.
What is the Delphi technique?
An anonymous feedback and response process used to arrive at a consensus.
What does NIST SP 800-37 Rev 2 define?
RMF
What is RMM?
Risk Maturity Model
A means to assess the key indicators and activities of a mature, sustainable, and repeatable risk management process.
Ad hoc - Chaotic starting point
Preliminary - Loose attempts at following risk management processes, but each department may perform risk assessment uniquely
Defined - A common or standardized risk framework is adopted organization-wide
Integrated - Risk management operations are integrated into business processes, metrics are used to gather effectiveness data, and risk is considered an element in business strategy decisions.
Optimized - Focuses on achieving objectives rather than reacting