Domain 1: Governance, Risk & Compliance Flashcards
What is Governance?
Governance is accountability, authorization to make decisions, and oversight. Proper governance ensures that the organization’s strategies are aligned with its business, regulatory, and operating environment.
What is Information Security Governance?
Information security governance is the framework for reducing information security risk to the organization. The framework should include:
* Definition of the information security strategy aligned with the organization’s governance and organizational goals.
* Information security organizational structure
* A methodology for risk management
* Information security management directives (including policies, standards, guidelines, and so on)
* Continuous measurement and improvement of the program
What are some of the external and internal drivers that shape a security program?
External drivers that shape security programs include regulatory drivers, industry best practices, and the risks and threats specific to the organisation.
Internal drivers that shape the information security program include leadership understanding and perception (to ensure security is a priority at the highest levels), management structure (to ensure the CISO has a line of communication with leadership), culture and climate, history, and lessons learned.
What is a fundamental aspect of Security Governance?
Measuring and monitoring the governance program itself, which supports the organization’s understanding of the security return on investment (ROI).
What are the factors that influence the size and spend of the CISO organisation?
Factors that can affect the security organisation's spending and sizing are extensive:
* Value of assets, especially the most important assets
* type and frequency of risks and threats
* current state of the organization’s security posture
* Regulatory requirements
Based on industry, and published numbers and trends, what are the numbers that align to CISO spending?
- security spending can range from $1,000 to $3,000 per full-time employee.
- security spending as a percentage of IT spending ranges from 1 percent to 15 percent
- surveys report 6 percent as an average, and some report information security spending as a percentage of IT spending as high as 30 percent
- range from 0.2 percent to 0.9 percent of company revenue.
What are the elements of the CISO management structure regardless of organisation?
Should have the following elements:
* Clear lines of authority (chain of command): clearly defined lines of reporting and authority
* Situational awareness: provide the CISO with a view of the performance of the entire security program.
* Internal and external communication and reporting: provide ways of reporting the most essential information within the security organization as well as outside of it.
What are the types of management structures?
The most common organisation types:
* Hierarchical (tiered): provides clear lines of reporting, tight controls, and well-defined roles. But it can also be bureaucratic, causing slow decision making and added costs.
* Flat (horizontal): best suited for smaller organisations.
* Matrix: thought of as a hybrid of hierarchical and flat, where resources report in a grid to multiple lines of authority so that resources are shared more efficiently. However, this can create confusion and even conflicting goals and priorities.
What is the CIA triad?
- Confidentiality refers to the protection of data to ensure the data is only accessible by the people authorized to see it.
- Integrity refers to the accuracy of the data.
- Availability refers to the protection of systems to ensure reliable access to data and resources.
What are the definitions of Security Vulnerabilities, Threats, Risks, and Exposures?
- Vulnerability: Any weakness that could potentially be exploited.
- Threat: A potentially damaging event associated with the exploitation of a vulnerability.
- Risk: The likelihood that a vulnerability could be exploited and the corresponding impact of such an event.
- Exposure: The potential that a security breach could occur.
- Countermeasure: A control that is put in place to mitigate a risk
What are the four steps of a cyber attack?
- Reconnaissance: attacker conducts research to learn about the target by performing web searches, examining social media accounts of the organization and its employees, reading press releases and media articles, or even physically observing the organization’s employees or facilities.
- Enumeration: identify the organization’s information assets and corresponding vulnerabilities to exploit in the next phase.
- Exploitation: using attack methods for probing and exploiting specific vulnerabilities with the goal of gaining unauthorized access to the enterprise.
- Action on objectives: Once the attacker gains access, they can exfiltrate or steal data, modify data, destroy data, and otherwise disrupt the environment. Often the goal is to expand laterally, gaining access to other systems.
What are the common attack methods used within exploitation?
i. Phishing
ii. Fake websites
iii. Malware
iv. Virus: A type of malware that is usually hidden inside another application
v. Trojan: A virus disguised as something useful
vi. Worm: A virus that propagates itself to other systems
vii. Vulnerability-specific attacks
What is risk management?
The process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right controls to maintain that level.
According to SP 800-39, what are the three tiers to ensure risk management is applied to the entire organisation?
Three tiers:
1. Organizational tier
2. Mission/business process: using “risk-aware” business processes or addressing risk via the enterprise architecture as a whole
3. Information system: SSDLC of a given system.
What are the three components of Risk management?
Approach: Encompasses all the activities and factors that go into implementing, managing, and improving the risk management program.
Process: Encompasses the activities from identifying the team, defining scope, the method of identifying risk (quantitative or qualitative), understanding risk levels, and finally making recommendations.
Method: The type of risk assessment methodology used to assess risk.
What are the activities within the Risk Management approach component?
○ Organisation: establishing the acceptable risk levels for the organization and assets, choosing the risk mitigation approaches, and approving the mitigation results and the results of risk assessments. These ensure the risk decisions are commensurate with the business goals.
○ Implementation: the risk management program is defined by a program charter, plan, and risk management policy that define the scope, goals, and requirements of the program. Ultimately this should include budget, staffing, and procedures.
○ Monitoring, reporting, and continuous improvement: There should, at a minimum, be an informal review cycle to monitor the program. There should be a defined process for reporting and escalating any material risks discovered during risk assessments.
○ Maturity: Improve risk management over time, e.g. using CMMI's maturity levels from Initial to Optimizing.
What are the activities within the Risk Management: Process component?
○ Plan:
§ Identify the team: which should include representatives from across the organisation.
§ Define the scope: System, business process, or function, region or department
§ Define model or method: There are essentially two approaches: quantitative analysis and qualitative analysis.
§ Use of tools: these include configuration management and threat intelligence platforms.
§ Understand acceptable risk levels: the residual risk, which is the risk that remains after controls or countermeasures are put in place
○ Collect information: specified by the risk assessment method.
○ Define recommendations: recommendations are made to the decision-making authority, which we refer to as "management". There are four choices: accept, transfer, mitigate, or avoid.
What is the difference between Quantitative and Qualitative risk methods?
Quantitative Methods: calculate the monetary loss associated with a given threat.
§ Factors may include:
□ Asset value
□ Threat probability
□ Vulnerability
□ Impact of loss
□ Cost of countermeasures or controls
Qualitative Method: is used to determine the risk of a given threat applied to a given asset.
§ Factors include:
□ Severity of threat
□ Likelihood of threat occurrence
□ Severity of impact to the business (also known as consequence)
□ Effectiveness of controls
What are the frameworks for Risk management?
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), with three variations: OCTAVE, OCTAVE-Allegro (a more streamlined framework), and OCTAVE-S (for small organizations). It relies on the idea that people working in the organization are best suited to understand and analyze risk, using a qualitative risk management framework.
- FAIR (Factor Analysis of Information Risk), uses a quantitative risk framework. Provides a risk taxonomy that breaks risks down into specific factors and subfactors.
- ISACA Risk IT Framework: is an IT-oriented framework, which includes three domains: Risk Governance, Risk Evaluation, and Risk Response, leveraging a hybrid of quantitative and qualitative methods.
- ISO/IEC 27005: an ISO standard for security risk management, which implies a continual process for performing quantitative or qualitative risk analysis but does not contain a specific model. ISO 31000 is a robust risk management framework.
- FISMA/FIPS/NIST RMF: provide a framework, processes, and models for performing qualitative risk analysis. They also provide libraries of security controls, resulting in an end-to-end framework.
What is a security plan and what are the components?
The security plan defines the complete information security program, and thus defines all security roles and responsibilities and specifies strategic goals for the program. In addition, it identifies all regulatory and business drivers and ensures the program presented in the plan is risk-based. Its components:
* Security streams of work: activities that are the core subject areas, or domains, of information security. E.g. Intrusion detection and monitoring, vulnerability management.
* Assets are systems, data, business units, departments, or critical areas of the enterprise to which the streams of work are applied.
* Security areas of focus: aspects of the security program that require focus due to external drivers (usually regulatory drivers), e.g. PCI DSS and HIPAA, as well as internal drivers such as ISO 27000.
* Security projects: Specific activities that result from the application of streams of work against a target asset and/or area of focus, e.g. implementation of SSO, deployment of IDPS.
* Security project management life cycle: ensures that security projects are well defined, properly documented, and executed, and provides for the proper control of resources, quality, and results.
What are the top level documents that make up the Security management directives, and which of them are mandatory?
- Standards: establish specific methods for meeting the requirements defined in policies.
- Processes or procedures: are step-by-step workflows or instructions
- Baselines: establish specific configurations for implementations of hardware or software.
- Guidelines: provide general direction or recommendations without specifying a requirement.
What is asset Security? And why is it fundamental to the security plan?
Asset security is identifying what assets the organization has and ultimately determining what types of controls are appropriate for each based on the risk. Asset security addresses implementing security throughout the data life cycle: Acquisition, Data Classification and Marking, Use & Archival, and Destruction.
What is Security Operations? And the primary functions that make up security operations?
Focus on day-to-day functions to prevent, detect, and respond to security risks and threats. These functions include:
* Vulnerability, configuration, and patch management: should give the organization “situational awareness” or an accurate picture of all the assets and their configuration and patch status.
* Monitoring and logging.
* Incident handling: Usually follows a six step process:
○ Preparation: Predict what types of security events are likely to occur.
○ Identify: What type of event has occurred
○ Contain: stop the damage from spreading
○ Eradicate: remove what is causing the problem
○ Recover: from the event and return to normal operations
○ Lessons learned: activity to determine what actions could or should be undertaken.
* Forensics & investigations
* Security Operations Centre: usually operates within the SIEM, and provides 24/7 monitoring to detect, prevent, and respond to security events
What is Security Engineering? And the main functions within Engineering?
Security Engineering is the domain that addresses the secure design and implementation of information systems. It includes all aspects of the computing environment, such as:
* OS security and protection mechanisms
* Network Security Design
* Enterprise security solutions (firewalls, AV, DLP, Endpoint security)
* Cloud computing