Domain 1: Information Security Governance and Risk Management Flashcards
What does the acronym ALE stand for?
Annual Loss Expectancy
What does Annual Loss Expectancy (ALE) mean?
Allows security practitioners to determine the annual cost of a loss due to risk.
What is the Annual Loss Expectancy (ALE) Formula?
Single Loss Expectancy (SLE) X Annual Rate of Occurrence (ARO)
What does the Annual Rate of Occurrence (ARO) mean?
The number of losses you suffer per year
What does the acronym ARO stand for?
Annual Rate of Occurrence
What does the phrase
Exposure Factor (EF)
mean in the Annual Loss Expectancy section?
The percentage of an asset's value lost due to an incident.
What does Asset Value (AV) mean?
The value of an asset you are trying to protect.
What does ROI stand for?
Return on Investment
What does the acronym EF stand for in the Annual Loss Expectancy section?
Exposure Factor
What does the phrase
Single Loss Expectancy (SLE)
mean in the Annual Loss Expectancy (ALE) section?
The cost of a single Loss.
What does the acronym
SLE
stand for?
Single Loss Expectancy
What is the
Single Loss Expectancy (SLE)
Formula?
SLE = AV * EF
What does the phrase
Return on Investment (ROI)
mean?
The amount of money saved by implementing a safeguard
What component can you add to the
Risk Calculation
to give it more meaning?
Add Impact to the equation: Risk = Threat * Vulnerability * Impact
What does AV stand for in the Annual Loss Expectancy framework?
Asset Value
What does
Total Cost of Ownership (TCO)
mean?
The total cost of a mitigating safeguard
What does the acronym
TCO
stand for?
Total Cost of Ownership
What is the
Single Loss Expectancy (SLE)
Formula?
Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
Can a certification be performed by a trusted third party?
Yes
Who accepts the risk in an Accreditation?
The Data Owner
What is a certification?
A detailed inspection that verifies whether a system meets the documented security requirements.
When a certification is performed by a trusted third party, are the issues identified recommendations
or
mandatory
actions?
Recommendations
What is an Accreditation?
The Data Owner’s acceptance of the risk represented by the system.
What are NIST’s four steps to accreditation?
1: Initiation Phase (Research)
2: Security Certification Phase (Assessment)
3: Security Accreditation Phase (Decision to Accept Risk)
4: Continuous Monitoring Phase (Monitor)
What is an example of System Alteration in the CIA model?
Malcode Install
What is an example of Destruction in the CIA model?
DDoS
What is an example of an Availability Failure in the CIA model?
DDoS Attack
What does Integrity mean in the CIA model?
Protections against unauthorized and undetected alteration of information
What is an example of Disclosure in the CIA model?
Wikileaks
What is an example of a Confidentiality Failure in the CIA model?
Wikileaks
What does Confidentiality mean in the CIA model?
Protections against unauthorized disclosure of information
What does CIA stand for?
Confidentiality
Integrity
Availability
What is the Opposite of Integrity in the CIA model?
Alteration
What is an example of Data Alteration in the CIA model?
Web Page Defacement
What is the Opposite of Confidentiality in the CIA model?
Disclosure
What is an example of a System Integrity Failure in the CIA model?
Malcode Infection
What does Availability mean in the CIA model?
Protections against denying authorized parties access to information when needed
What is the Opposite of Availability in the CIA model?
Destruction
What is an example of a Data Integrity Failure in the CIA model?
Web Page Alteration
What does
Least Privilege
mean in the Cornerstone Concept section?
A user should only have the bare minimum Authorization to do his job and no more.
What does the phrase
Need to Know
mean?
Even if the user has the privilege to do something, it does not mean that he needs to know it because of his job.
What is more granular?
Need to Know
or
Least Privilege?
Need to Know
What does Defense in Depth mean in the Cornerstone Concepts section?
A Layered Defense that reduces the risk of a single point of failure.
When discussing policy, the exam will use words like Mandatory (compulsory) or Discretionary. Best Practices are usually
discretionary but if you decide not to follow them, you better have a good reason.
Do not confuse the Data Owner with a person who owns his own data.
The Data Owner is responsible for ensuring the data is protected. A user who owns his own data has read/write access.
Memory Device: Quantitative –
Quantity – Hard Numbers
When human life is at risk,
practitioners must weigh those consequences very high.
What are the three parts to the ISC Code of Ethics?
Preamble: Introduction
Canons: Mandatory and Applied in order
Guidance: Advisory
Always choose the most ethical answer
in order of the canons.
What is Ethics?
Ethics is doing what is morally right
What are the ISC Code of Ethics Canons in order?
1: Protect society, the commonwealth, and the infrastructure.
2: Act honorably, honestly, justly, responsibly, and legally.
3: Provide diligent and competent service to principals.
4: Advance and Protect the profession.
What does IAAA stand for?
Identity
Authentication
Authorization
Accountability
What is an example of an Identity in the IAAA model?
Username
What is an example of Authorized Use in the IAAA model?
Regular users can see their own processes but cannot see the password file.
What does Authorization mean in the IAAA model?
Permissions allowing the identity to perform an action on a system.
What does Nonrepudiation mean?
Users cannot deny actions identified through Accountability procedures within the IAAA framework.
Identity is validated through Authentication transactions.
Integrity of the system is validated with Accountability (through logging and audit of transactions).
“To Repudiate” means
to deny
What are three examples of Accountability in the IAAA model?
Logging
Audit
Sanctions.
What is meant by Authentication in the IAAA model?
The process of proving the identity claim; Ex - password
What is an example of an authentication (Identity Claim) response?
Password
What is Accountability in the IAAA model?
Ensuring that authorizations have not been violated by examining computer transactions.
What is an Identity in the IAAA model?
Identity is a claim of personhood or role (Rick or Admin)
Name two things that
Standards
help the business with
1 - They lower the Total Cost of Ownership (TCO).
2 - They support disaster recovery.
What is the name of the
informal rule
used to describe
**Due Care**
in the Information Security Governance section?
Prudent Man Rule
In the Information Security Governance section, what are three sources for
Best Practices?
1: NIST
2: NSA
3: SANS
What is a
Policy
from the Information Security Governance section?
High-level management directives.
What is a Guideline in the Information Security Governance section?
A discretionary piece of useful advice; a recommendation; especially good for novice users.
What does the word **Baselines** mean in the Information Security Governance section?
Discretionary but Uniform ways of implementing a safeguard.
In the Information Security Governance section, is ignorance an acceptable excuse for non-compliance?
An organization must be in compliance with all laws and regulations that apply to it. Ignorance of any law is never a valid excuse for breaking it.
What is Due Care in the Information Security Governance section?
Actions that a reasonable man would do.
What does the phrase Information Security Governance mean?
The policies, processes and staffing approved by senior management that make up the organization’s
Information Security Program.
What is a
Standard
in the Information Security Governance section?
Describes a specific and Mandatory use of a technology; usually hardware or software.
In the Information Security Governance section, if you lose some PII and
cannot demonstrate Due Care
you are
Grossly Negligent
What does the phrase Gross Negligence mean in the Information Security Governance section?
It is the opposite of Due Care.
What is an Issue-Specific Policy in the Information Security Governance section?
It is one of three policy types (Program - Issue - System) that governs security rules for a category of activity, not the overall program and not a single system. Ex: Email Policy, Email Privacy Policy
What is a
Program Policy
in the Information Security Governance section?
It is one of three types of policies (Program- Issue - System) that creates an organization’s computer security program.
What are
Procedures
in the Information Security governance section?
Mandatory, Step-by-Step Guides for accomplishing tasks.
They are low-level and specific.
What is the difference between a
Data Owner
vs
a Person Who Owns His Own Data
in the Information Security Governance section?
The Data Owner is responsible for ensuring the data is protected.
A User Who Owns His Own Data has read/write access.
What are the
three Policy Types
from the Information Security Governance section?
1: Program Policy
2: Issue-Specific Policy
3: System Specific Policy
What are the five tools you can use to govern Information Security?
1 - Policy: High Level Mgt Directives (Mandatory)
2 - Procedures: Instructions for completing a task (Mandatory)
3 - Standard: A specific use for a technology (Mandatory)
4 - Guideline: Advice (Discretionary)
5 - Baseline: A starting point (Discretionary)
What is a Best Practice in the Information Security Governance section?
It is a consensus of the best way to protect CIA (Confidentiality, Integrity, and Availability).
What does the phrase Due Diligence mean in the Information Security Governance section?
It is a formal process for the management of Due Care.
What is a good way to demonstrate
Due Care and Due Diligence
in the Information Security Governance section?
Following Best Practices
What is an example of a
System-Specific Policy?
File Server Policy, Web Server Policy
What does Outsourcing mean?
Using a third party to provide IT support services which were previously performed in-house.
What does Offshoring mean?
Outsourcing to another country
What does
Privacy
mean?
The protection of Personally Identifiable Information (PII).
The protection of this kind of information must be assured.
Qualitative Risk Assessment vs Quantitative Risk Analysis
Qualitative Risk Assessment is more subjective but easier to calculate
In a Qualitative Risk Assessment, how is a
Risk Matrix
used?
Uses a quadrant grid to map the likelihood
(Rare – Unlikely – Possible – Likely – Certain)
of a Risk occurring against the Impact
(Insignificant – Minor – Moderate – Major – Catastrophic).
Which is
easier to calculate?
Qualitative Risk Analysis
or
Quantitative Risk Analysis
Qualitative Risk Analysis
What is the
formula
associated with
Quantitative Risk Analysis?
Annual Loss Expectancy (ALE) formula
What does the phrase
Qualitative Risk Analysis
mean?
Uses approximate values to calculate Risk
What are the four benefits of using a
Risk Matrix
for
Qualitative Analysis
1: Distinguish between High-Likelihood/Low-Consequences and High-Consequences/Low-Likelihood risks which have the same risk rating value.
2: Graphically display risks, thus making them easier to analyse
3: Select risks for prioritising and further actions
4: Communicate risk
What does
Quantitative Risk Analysis
mean?
Uses hard numbers to calculate Risk
Which is more
objective?
Quantitative Risk Analysis
or
Qualitative Risk Analysis
**Quantitative Risk Analysis**
What is a Threat?
A potentially harmful occurrence like earthquakes, cyber espionage, etc.
What is a Risk?
A connection between a Threat and a Vulnerability.
Threat X Vulnerability
Security practitioners have assigned arbitrary values to Threats and Vulnerabilities to assess risk. Use any scale as long as you stay consistent.
What is a Vulnerability?
Weaknesses in the defenses that can cause harm.
What is the Risk formula?
Threat X Vulnerability
What does Impact mean when calculating Risk?
An evaluation of the consequences if the Threat is realized (Somebody or something leverages the Vulnerability).
What is the
impact
when Human life is on the line in the Risk Analysis section?
Impact is always very high
What does the acronym TCO stand for in the Risk Analysis section?
Total Cost of Ownership
What is an **Asset** in Risk Analysis?
Valuable company resources like Data, systems, people, property, IP, etc.
In calculating Risk, do security practitioners use arbitrary values or precise values for Threats and Vulnerabilities?
Arbitrary
Use any scale as long as you stay consistent.
According to NIST, what are the
9 Steps
in the process to assess
Risk
in an organization?
1: System Characterization
2: Threat identification
3: Vulnerability Identification
4: Control Analysis
5: Likelihood Determination
6: Impact Analysis
7: Risk Determination
8: Control recommendations
9: Results Documentation
What are two ways to measure Impact in the Risk Analysis section?
Sometimes those consequences are in terms of money lost (Cost).
Sometimes those consequences are more moral (human lives lost).
In the Risk Analysis Framework section, What does PCI stand for?
Payment Card Industry.
Who does the Payment Card Industry (PCI) framework protect?
Vendors who use credit cards.
What does the acronym OCTAVE stand for in the Risk Analysis Framework section?
Operationally
Critical
Threat
Asset and
Vulnerability
Evaluation
Who built OCTAVE in the Risk Analysis Frameworks section?
Carnegie Mellon
What are the 11 areas that ISO 17799 focuses on in the Risk Analysis Frameworks section?
1: Policy
2: Organization of Information Security
3: Asset Management
4: Human Resource Security
5: Physical and Environmental Security
6: Communications and Operational Management
7: Access Control
8: Information Systems Acquisition, Development and Maintenance
9: Information Security Incident Management
10: Business Continuity Management
11: Compliance
What is ISO in the Risk Analysis Frameworks section?
The International Organization for Standardization
Why did ISO renumber ISO 17799 to **ISO 27002** in the Risk Analysis Frameworks section?
Consistency
What does ISO 27001 describe in the Risk Analysis Frameworks section?
A process (the requirements) for auditing those best practices
What does the acronym COBIT stand for in the Risk Analysis Frameworks section?
Control
Objectives for
Information and related
Technologies
What are the three phases in OCTAVE from the Risk Analysis Frameworks section?
1: Identify Staff knowledge, assets and Threats.
2: Identify vulnerabilities and evaluate safeguards.
3: Conduct Risk Analysis and develop risk mitigation strategy.
What was ISO 17799 renumbered to in the Risk Analysis Frameworks section?
**ISO 27002**
What does ISO 27002 describe in the Risk Analysis Frameworks section?
Information Security Best Practices (techniques)
Who built COBIT in the Risk Analysis Frameworks section?
The Information Systems Audit and Control Association (ISACA)
How many phases in OCTAVE from the Risk Analysis Frameworks section?
3
Who sponsors the Information Technology Infrastructure Library (ITIL) in the Risk Analysis Frameworks section?
The UK Government
What does the acronym ITIL stand for in the Risk Analysis Frameworks section?
Information Technology Infrastructure Library
What are the five service management practices in the
Information Technology Infrastructure Library (ITIL)
from the Risk Analysis Frameworks section?
1: Service Strategy
2: Service Design
3: Service Transition
4: Service Operations
5: Continual Service Improvement
What are the Four Phases in the COBIT Risk Analysis Framework?
1: Plan and Organize
2: Acquire and Implement
3: Deliver & Support
4: Monitor & Evaluate
How many areas does ISO 17799 focus on in the Risk Analysis Frameworks section?
11
What does
Mitigate
mean in the Risk Choices section?
Lower the risk to an acceptable level
What does
Transfer
mean in the Risk Choices section?
Insurance Model - Have somebody else assume the risk
What are the five Risk Analysis choices?
Acceptance
Mitigation
Eliminate
Transfer
Avoid
What are three examples where you cannot
Accept
the Risk in the Risk Choices section?
Human safety
Laws
Regulations
What does
Acceptance
mean in the Risk Choices section?
The cost of doing anything else would be more expensive than the cost associated with the risk itself.
There are some cases (Human safety, Laws, Regulations) where it is not possible to accept the risk.
What does
Eliminate
mean in the Risk Choices section?
Remove the risk entirely; do not allow
What does
Avoidance
mean in the Risk Choices section?
If the project is too risky, don’t do it.
Compare the Annual Loss Expectancy (ALE) to the ROI after Risk Mitigation. If the ALE is higher, avoid the project.
What is a
Data Owner
in the ROLES AND RESPONSIBILITIES section?
Employee responsible for ensuring that specific data is protected;
determines the sensitivity label and the frequency of backup.
He is not the custodian.
What does the
User
do in the ROLES AND RESPONSIBILITIES section?
They are the people that must follow the policy, procedures, and standards set by the Information Security Program in their day-to-day jobs.
What does
Senior Management
do in the ROLES AND RESPONSIBILITIES section?
Creates the information security program
What does
Security Awareness
mean?
Changes user behavior;
users already know how to do something and awareness might make them change how they are doing it.
What is a
Custodian
in the ROLES AND RESPONSIBILITIES section?
Perform hands-on asset protection:
Backups, restoration, patching, A/V Configuration, etc.
They follow orders, they do not make policy.
What does
Security Training
mean?
Provides a skill set; teaches a user how to do something.
14: What was ISO 17799 renamed as?
A: BS 7799-0-1.
B: ISO 27000.
C: ISO 27001.
D: ISO 27002.
D: ISO 27002.
10: Which of the following describes the duty of the Data Owner?
A: Patch systems.
B: Report suspicious activity.
C: Ensure their files are backed up.
D: Ensure data has proper security labels.
D: Ensure data has proper security labels.
1: Which of the following would be an example of a Policy Statement?
A: Protect PII by hardening servers.
B: Harden Windows 7 by first installing the pre-hardened OS image.
C: You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols.
D: Download the CISecurity Windows benchmark and apply it.
A: Protect PII by hardening servers.
11: Which control framework has 34 processes across four domains?
A: COSO.
B: COBIT.
C: ITIL.
D: OCTAVE.
B: COBIT.
12: What is the difference between a standard and a guideline?
A: Standards are compulsory and guidelines are mandatory.
B: Standards are recommendations and guidelines are requirements.
C: Standards are requirements and guidelines are recommendations.
D: Standards are recommendations and guidelines are optional.
C: Standards are requirements and guidelines are recommendations.
2: Which of the following describes the money saved by implementing a security control?
A: Total Cost of Ownership (TCO).
B: Asset Value (AV).
C: Return on Investment (ROI).
D: Control Savings.
C: Return on Investment (ROI).
13: Which phase of OCTAVE identifies vulnerabilities and safeguards?
A: Phase 1.
B: Phase 2.
C: Phase 3.
D: Phase 4.
B: Phase 2.
9: Which of the following steps would be taken while conducting a Qualitative Risk Assessment?
A: Calculate the Asset Value.
B: Calculate the return on Investment.
C: Complete the Risk Analysis Matrix.
D: Complete the ALE.
C: Complete the Risk Analysis Matrix.
15: Which of the following ethical actions is the most important?
A: Act legally.
B: Protect Society.
C: Advance and Protect the profession.
D: Provide diligent service.
B: Protect Society.
4: Which of the following proves an identity claim?
A: Authentication.
B: Authorization.
C: Accountability.
D: Auditing.
A: Authentication.
3: Which of the following is an example of a program policy?
A: Establish the Information Security Program.
B: Email Policy.
C: Application Development Policy.
D: Server Policy.
A: Establish the Information Security Program.
5: Which of the following protects against unauthorized changes to data?
A: Confidentiality.
B: Integrity.
C: Availability.
D: Alteration.
B: Integrity.