Domain 1 - Security and Risk Management Flashcards

Question

What is COBIT?

Answer 1

Control Objectives for Information and related Technology > Goals for IT - Stakeholder needs are mapped down to IT related goals.

Answer 2

Commitee of Sponsoring Organizations | > Goals for the entire organizations (more higher level)

Answer 3

Information Technology Infrastructure Library | > IT Service Management (ITSM)

Answer 4

Facilitated Risk Analysis Process > Analyzed *one* business unit, application, or system at a time in roundtable brainstorm with internal employees, The impact is analyzed, and the threats and the risks are prioritized.

Answer 5

ISO 270001: Establish, implement, control, and improvement of the ISMS. Uses PDCA (Plan, Do, Check, Act) ISO 27002: Provides practical advice on how to establish, implement, control, and improvement security controls. It has 10 domains it users for ISMS (cannot get this certified) ISO 27003: Information security management system implementation guidance ISO 27004: Provides metrics for measuring the success of your ISMS ISO 27005: Standards based approach to risk management ISO 27799: Directive on how to protect PHI (Protected Health Information)

Answer 6

> Layered Defense or Onion Defense, implement multiple overlapping security control to protect asset > This applies to physical, administrative, and logical controls > No single security control secures an asset > Improve organization CIA

Answer 7

Criminal Laws : Society is the victim, text law included in United States Code Civil Law: Individuals, groups or organizations are the victim, mostly financial fines, text law included in United States Code Administrative Law: Laws enacted by goverment agencies (FDA Laws, HIPAA, FAA) Private Regulations: Compliance is required by contract (PCI-DSS) Customary Law: handle personal conduct on area/region Religious Law: Based on the religious beliefs in that area or country. include morality and code of ethics Administrative Law : CFR (Code of Federal Regulations) contains all administrative law Supreme Court rulling contains interpretation of law

Answer 8

Senior Leadership, but we need Negligence to prove it. > Due Diligence (Do Detect), research to build IT Security architecture and preparing before implementing. > Due Care (Do Correct), Prudent person rule. Negligence, if system under your control is compromised and you did NOT perform Due Care, you are most likely liable.

Answer 9

Real Evidence: Tangible and physical object in IT Security: Hard disks, USB drives (not the data) Direct Evidence: Testimony from a first hand witness, what they experienced Circumstantial Evidence: Evidence to support circumstances for a point or other evidence. Corroborative Evidence: Support facts or elements of the case; not facts on their own but they support other fact Hearsay: not first-hand knowledge - normally inadmissible in a case

Answer 10

We do with hashes, any forensics done on copies and never the originals.

Answer 11

Because there is no real evidence, there is nothing you can touch.

Answer 12

> must be obtained legally, even on organization employee need to be aware if actions are monitored > no threat to human life

Answer 13

Entrapment: When someone is persuaded to commit a crime they had no intention of commiting and is then charged with it Enticement: Making commiting a crime more enticing, but the person has already broken the law. Honeypots can be good way to use Enticement

Answer 14

is a category of property that includes intangible creations of the human intellect. Copyright: Automatically granted after creating something, last 70 years after creator death or 95 years for corporation Trademark: Brand names, logos, slogan - must be registered and valid for 10 years and can be renewed indefinitely. protected by USPTO (US Patent and Trademark Office) Patents: Protect invetion for 20 years, invention must be Novel, useful, Nonobvious Trade secrets: tell no one of your formula, not protected

Answer 15

Copyright > Piracy Trademark > Counterfeiting Patent > used by someone else without permission Cyber Squatting > Buying url that you know someone will need it Typo Squatting > Buying url that is very close to real website name (can be illegal if for purpose is disguise)

Answer 16

General Data Protection Regulation, regulation in EU Law on data protection and privacy for all individuals within EU Violators of the GDPR may be fined up to 20 million EUR Unless a data subject has provided informed consent to data processing, personal data may not be processed unless there is at least one legal basis to do so. unless there is lawful interception

Answer 17

act of keeping hiding that contains PII (personally identifiable information)

Answer 18

HIPAA - Health Insurance Portability and Accountability Act. Strict privacy rules on handling PHI (Protected Health Information) Security Breach Notification Laws ECPA - Electronic Communication Privacy Act. Protection of electronic communication against warrantless wiretapping, weakened by the Patriot Act. Patriot Act of 2001: > Expand law enforcement electronic monitoring capabilities > Allow search and seizure without immediate disclosure CFAA - Computer Fraud and Abuse Act, protects computers used by the government or in interstate commerce from a variety of abuses GLBA - Gramm-Leach-Bliley Act Applies to financial institutions SOX - Sarbanes-Oxley Act Directly related to accounting scandals PCI-DSS - Payment Card Industry-Data Security Standard created by payment card industry FISMA - Federal Information Security Modernization Act (previously GISRA, expired in 2002), goverment contract sponsorship FERPA - Family Educational Rights and Privacy Act, It grants certain privacy rights to students older than 18 and the parents of minor students Identity Theft and Assumption Deterrence Act In 1998, This act makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine) for anyone found guilty of violating this law.

Answer 19

> Right to access: Data controllers must be able to provide a free copy of individual data if requested > Right to erasure: All users have a "right to be forgotten" > Data portability: All users will be able to request access to their data "in electronic format" > Data breach notification: Users and data controllers must be notified of data breaches within 72 hours > Privacy by design: When designing data processes, care must be taken to ensure personal data is secure > Data Protection Officers: Companies whose activities involve data processing and monitoring must appoint a data protection officer

Answer 20

Organization for Economic Cooperation and Development contains 30 members nations from around the worlds. 8 Driving Principles issued in 1980, Collection limitation(collection must within knowledge of subject), Data Quality (data should be complete), Purpose Spesification (why data being collected), Use Limitation (only consent of subject/law), Security Safeguards (there is reasonable safeguard to protect CIA) , Openness(has to be communicate openly), Individual Participation (be able to which organization has the data), Accountability (organization must held with 7 principles)

Answer 21

Arrangement mostly for arms and dual use, cryptography is considered dual use (harmful and good)

Answer 22

- Set SLA (Service Level Agreement) - Have right to penetration test and Right to audit on agreement - Vendor must be accredited to industry standard, ISO, SOC, PCI-DSS

Answer 23

> Values (Ethics, Principles, Belief) > Vision (Hope and Ambition) > Mission (Motivation and Purpose) > Strategic Objectives (Plans, goals, and sequencing) > Action and KPIs (Actions, Resources, Outcomes, Owners, and Timeframes)

Answer 24

> Policy (Mandatory) : General Management Needs, High level, non-specific > Standards (Mandatory) : Specific Mandatory Control, specific > Guidelines (non-Mandatory) : Recommendation/Best Practice > Procedures (Mandatory) : Low level step-by-step guides > Baselines (Mandatory) : minimum requirement, implement stronger if needed

Answer 25

> Awareness: establishes a minimum standard common denominator or foundation of security understanding > Training: Set security training > Hiring Practices: Do background checks > Employee Termination Practices: Coordinate with HR to shut off access at the right time

Answer 26

> Administrative (Directive) Control: Organizational policies, Regulation > Technical Controls: Hardware/software/firmware - Firewalls, routers, encryption > Physical Controls: Locks, fences, guards, turnstile

Answer 27

> Administrative (Directive) Control: Organizational policies, Regulation > Technical Controls: Hardware/software/firmware - Firewalls, routers, encryption > Physical Controls: Locks, fences, guards

Answer 28

> Preventative: Prevents action from happening - Least privilege, IPS, firewalls > Detective: Controls that detect during or after attack, IDS, CCTV, alarms > Corrective: Controls that Correct an attack - Anti-virus, patches, IPS > Recovery: Controls that help us Recover after attack, DR Environment, backups, HA environments > Deterrent: Controls that Deter an attack - Fences, security guards, dogs > Compensating: Controls that Compensate, when other control are impossible or too costly to implement

Answer 29

> Risk Identification: If there a risk, identify assets, which type of risk appetite do we have Tangible Assets: physically touch - building, hardware Intangible Assets: untouchable physically - data, trade secrets > Risk Assessment: How bad is the risk > Risk Mitigation: How do we want to react to this > Risk and Control: Iterative, monitor control, uses KRI and KPI

Answer 30

Require senior executive take personal responsibility for information security matters

Answer 31

Qualitative Risk Assessment > more scenario based than it is calculator based. best tool for intangible assets > Delphi technique : anonymous feedback-and-response process used to enable a group to reach an anonymous consensus > Risk Analysis Matrix : Consequences x Likelihood Quantitative Risk Assessment > results in concrete probability indications or a numeric indication of relative risk potential > Assign Asset Value > Calculate Exposure Factor (EF) : percentage of loss that an organization would experience if a specific asset were violated by a realized risk > Calculate Single Loss Expectancy (SLE) : SLE = asset value (AV) * exposure factor (EF), potential loss associated with a single realized threat against a specific asset > Assess Annual Rate Occurence (ARO) : is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year > Get Annualize Loss Expectancy (ALE) : ALE = SLE * ARO > Perform Cost/Benefit Analysis for countermeasures, Mitigation Cost vs ALE Total Risk = Threat * Vulnerability * Asset Value Residual Risk = Total Risk - Countermeasures

Answer 32

> Fourth Amendment : The basis for privacy rights > Privacy Act of 1974 : applies only to government agencies, agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed > Electronic Communications Privacy Act of 1986 : crime to invade the electronic privacy of an individual > Economic Espionage Act : protect trade secret > Communications Assistance for Law Enforcement Act (CALEA) of 1994 : requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use > Health Insurance Portability and Accountability Act of 1996 (HIPAA) : strict security measures for hospitals, physicians, insurance companies, and other organizations that process or store private medical information about individuals.

Answer 33

Due diligence is establishing a plan, policy, and process to protect the interests of an organization. Due care is practicing the individual activities that maintain the due diligence effort. Due diligence is knowing what should be done and planning for it; due care is doing the right action at the right time.

Answer 34

Redundant Array of Inexpensive Disk RAID 0 - no fault tolerance (high performance) RAID 1 - Mirroring, data duplicate two drives (expensive) RAID 5 - Stripping with parity, 3 or more disk RAID 6 - Double Parity RAID 10 - most common, combine RAID 0 (stripping) and RAID 1 (mirroring). can survive failure up to 2 disk

Answer 35

assigned role who is responsible for implementing security control defined by policy and senior management

Answer 36

> Risk Mitigation (Reducing risk) : the implementation of safeguards, security controls, and countermeasures to reduce and/or eliminate vulnerabilities or block threats > Risk Assignment (Risk Transference) : the placement of the responsibility of loss due to a risk onto another entity or organization, Purchasing cybersecurity insurance > Risk Deterrence : implementing deterrents to would-be violators of security and policy, the goal is to convince a threat agent not to attack. example, security cameras, and warning banners > Risk Avoidance : process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. example, remove unused but vulnerable server. > Risk Acceptance : is the result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk > Risk Rejection : An unacceptable possible response to risk is to reject risk, ignoring risk may be considered negligence in court

Answer 37

- Authority : claimed as higher authority - Intimidation - Consensus : past familiar action - Scarcity : a technique used to convince someone that an object has a higher value based on the object's scarcity - Familiarity - Trust - Urgency

Answer 38

Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.

Answer 39

User behavior analytics (UBA) and user and entity behavior analytics (UEBA) are the concepts of analyzing the behavior of users, subjects, visitors, customers, and so forth for some specific goal or purpose. Information collected from UBA/UEBA monitoring can be used to improve personnel security policies, procedures, training, and related security oversight programs.

Answer 40

> Prepare, to execute the RMF from an organization- and system-level perspective by establishing a context and priorities for managing security and privacy risk. > Categorize, the system and the information processed, stored, and transmitted by the system based on an analysis of the impact of loss. > Select, an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk. > Implement, the controls and describe how the controls are employed within the system and its environment of operation. > Assess, the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements. > Authorize, the system or common controls based on a determination that the risk to organizational operations and assets, individuals, other organizations, and the nation is acceptable. > Monitor, the system and the associated controls on an ongoing basis to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system.

Answer 41

supply chain risk management (SCRM), means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements to their business partners

Answer 42

to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements 5 keys concept: > Trust Boundaries : Any location where the level of trust or security changes > Dataflow Paths : The movement of data between locations > Input Points : Locations where external input is received > Privileged Operations : Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security > Details about Security Stance and Approach : The declaration of the security policy, security foundations, and security assumptions

Answer 43

- Project scope and planning - Business impact analysis - Continuity planning - Approval and implementation

Answer 44

BCP: Business Continuity Planning deals with keeping business operations running — perhaps in another location or by using different tools and processes — after a disaster has struck. DRP: Disaster Recovery Planning deals with restoring normal business operations after the disaster takes place. The BCP project concentrates on continuing business operations, whereas the DRP project focuses on recovering the original business functions

Answer 45

``` > identification of priorities > risk identification > likelihood assessment > impact analysis > resource prioritization ```

Answer 46

KGI (Key Goal Indicator) measures wheter IT process has achieved its business need KPI (Key Performance Indicators) : how well process performing in enabling the goal KRI (Key Risk Indicator) : Quantify the risk organization is facing