Domain 1: Security and Risk Management Flashcards

1
Q

3 main elements of Security Program

A

People, Process, Technology

2
Q

Important for people

A

training, knowledge/skill set, company culture

3
Q

important about process

A

controls how people interact with the technology

4
Q

Information Security Triad

A

Confidentiality, Integrity, Availability

5
Q

cost v. performance

A

always a balance between levels of security and performance. Security will reduce performance.

6
Q

Confidentiality

A

Prevent unauthorized disclosure

7
Q

Integrity

A

Prevent unauthorized modification

8
Q

Availability

A

Timely access to resources

9
Q

Why implement security?

A

to support the mission of the organization. Not security for security's sake

10
Q

GRC

A

Governance, Risk, Compliance

11
Q

Why GRC Came about

A

Response to widescale fraud and unethical behaviors of organizations in the early 2000s. Open Compliance & Ethics Group (OCEG) provided open standards addressing GRC

12
Q

Culpable Negligence

A

Not doing something a reasonably cautious person would do

13
Q

Due Care

A

Acting on the research to show you have acted prudently

15
Q

Prudent Person Rule

A

You have used due diligence and due care to take reasonable actions, responsibly and cautiously

16
Q

Ultimate Responsibility/Liability

A

Senior Management

17
Q

Information Security Frameworks

A

Provide standard set of IS requirements to guide organizations; foundation, structure

18
Q

ISO 27001 has how many domains

A

14

19
Q

ISO 27001

A

Specifies requirements for establishing, implementing, maintaining, and improving an IS Management system within an organization

20
Q

GDPR

A

General Data Privacy Regulation

21
Q

Who adheres to GDPR

A

Not the US, more popular in Europe

22
Q

Goal of GDPR

A

Protect the Rights of data subjects

23
Q

Data subject

A

person the data pertains to

24
Q

Timeline for Breach Disclosure under GDPR

A

72 hours to notification

25
Q

Seven Steps of the NIST CSF

A

Prioritize and scope, Orient, Create a current profile, Conduct a risk assessment, Create a target profile, Determine, analyze, and prioritize gaps, Implement action plan

26
Q

Gap Analysis

A

Identifying and prioritizing gaps between where you are and where you want to be

27
Q

5 goals of NIST CSF

A

Identify, Protect, Detect, Respond, Recover

28
Q

CMMI Five Maturity Levels

A

Initial, Developing, Defined, Managed, Optimized

29
Q

CMMI Maturity Model

A

Identifies Maturity of Technology, Process, and People

30
Q

CMMI Level 1

A

People are unstaffed or uncoordinated, no formal security program, no security controls exist

31
Q

CMMI Level 2

A

Infosec leadership established, Basic governance and risk management process/policies, some controls in development with limited documentation

32
Q

CMMI Level 3

A

Some roles and responsibilities established, organization wide processes and policies in place with minimal verification, more controls documented and developed, over reliant on individual efforts

33
Q

CMMI Level 4

A

Increased resources and awareness, clearly defined roles and responsibilities, formal infosec committees, verification and measurement processes, controls monitored, measured for compliance but uneven levels of automation

34
Q

CMMI Level 5

A

Culture supports continuous improvements, processes comprehensively implemented, risk based and quantitatively understood, controls comprehensively implemented and automated

35
Q

Information Security Program Steps

A

Provide means for achieving strategy, policies/standards/procedures/guidelines, controls and control objectives, 3rd party governance, data classification/security, Certification and Accreditation (aka Assessment and Authorization), auditing

36
Q

Corporate Policy

A

Comes from senior leadership, expresses their vision for security

37
Q

System Specific Policy

A

Every system or role of system should have their own policy

38
Q

Issue Specific Policy

A

Policy focusing on a specific issue ex. Change Management Policy

39
Q

List of Issue Specific Policies

A

Change Management
Acceptable Use policy
Privacy
Data/System Ownership
Separation of Duties
Mandatory Vacations
Job Rotation
Least Privilege
Need to Know
Dual Control
M of N Control
40
Q

Change management policy

A

discusses how to manage and approve changes to the system

41
Q

Acceptable Use policy

A

Policy stating how to use system resources and restrictions

42
Q

Privacy policy

A

Pertains to employee privacy and notification of employees

43
Q

Data/System Ownership Policy

A

Data is more important for security, policy states who has security ownership as it pertains to systems and data

44
Q

Separation of Duties

A

Prevents any 1 individual from being too powerful, separates duties and forces collusion (multiple people coming together to perform an action)

45
Q

Mandatory vacations

A

Only in finance, mandates a set number of days in a row where employee can do absolutely no work actions or communications. Detective control

46
Q

Job Rotation

A

Personnel rotation through positions to avoid knowing all the workarounds and provide cross-training

47
Q

Least Privilege / Need to Know

A

Only allow people to perform actions they need to or access data they need to know

48
Q

Dual Control

A

Takes multiple personnel to perform an action, identifies specific personnel

49
Q

M of N Control

A

X out of Y personnel need to be present, more flexible than Dual Control

50
Q

Standards, Procedures, and Guidelines difference

A

Standards and Procedures are mandatory, guidelines are not.

51
Q

Strategic Policy Framework pieces

A

Driven by senior management. Org Drivers, Principles, Policies

52
Q

Tactical Policy Framework pieces

A

Standards, Guidelines, Procedures, and Baselines

53
Q

Compensating control

A

When plan A doesn’t work or provide a full and complete solution

54
Q

Control Objectives

A

understanding of the long-term objectives of an organization. strategy should describe a well-articulated vision of the desired outcomes for a security program through SMART objectives

55
Q

Senior Management Responsibilities

A

Provide oversight
Provide funding and support
Ensure Testing
Prioritize Business functions
establish a common vision/strategy/framework
Sign off on policy, BIA (business impact analysis), and other organizational documents

56
Q

Steering committee Responsibilities

A

Oversight of Information Security Program
Act as liaison b/w management, business, IT, and IS
Assess and incorporate results of risk assessment into the decision-making process
Ensure all stakeholder interests are addressed
Oversees compliance activities

57
Q

Chief Informational Officer Responsibilities

A

Strategic Planning
Policy development
technology assessments
process improvements
acquisitions
capital planning
security
58
Q

Chief Information Security Officer (CISO) Responsibilities

A

Responsible for the CIA Triad
Usually reports to the CIO
Conduct risk assessments
program management
loss prevention
incident management
security operations
59
Q

Information Security manager Responsibilities

A

Functional manager responsible for achieving and determining the how
Play a leading role in introducing an appropriate methodology
Act as major consultants in support of senior management

60
Q

Business Managers Responsibilities

A

The Data owners
Responsible for business operations. individual lines of business
provide direction to ensure security is implemented in such a way to meet objectives
responsible for security enforcement and direction
responsible for the day to day

61
Q

Security Practitioners Responsibilities

A

Responsible for implementation of security requirements
Support or use the Risk management process to identify and assess new potential risk and implement new security controls as needed

62
Q

Auditors Responsibilities

A

Evaluation of controls and policies
Can be internal or external
Document, not modify

63
Q

Security Trainers Responsibilities

A

Understand the risk management process
develop training materials
conduct security trainings and awareness programs catered to roles within the org
incorporate risk assessment into training programs to educate end users
encourage users to report violations

64
Q

Information Security Risk Management

A

ISRM, process of managing risks associated with the use of information technology; identifying assessing and treating risks to the CIA of organization’s assets

65
Q

Asset

A

Anything of value to the company

66
Q

Vulnerability

A

A weakness, the absence of a safeguard

67
Q

Threat

A

Something that could pose loss to all or part of an asset

68
Q

Threat Agent

A

What carries out the attack

69
Q

Exploit

A

An instance of compromise

70
Q

Risk

A

The probability of a threat materializing

71
Q

Controls

A

Physical, Administrative, and Technical Protections

72
Q

Safeguards

A

Deterrents or Preventive Controls

73
Q

Countermeasures

A

Detective or Corrective Controls

74
Q

Total Risk

A

The risk that exists before any control is implemented

75
Q

Residual Risk

A

Risk that is left after applying a control

76
Q

Secondary Risk

A

When one risk response triggers another risk event

77
Q

Incident

A

A risk event that has transpired

78
Q

Risk Management Lifecycle

A

Identify, assess, mitigate, monitor

79
Q

Risk Identification

A

First step in lifecycle, Discover all threats and vulnerabilities against assets. Record risks in a risk register

80
Q

Risk Assessment

A

Second step in lifecycle, Determining loss potential. Probability * Impact

81
Q

Risk Mitigation

A

Third step in lifecycle, How we respond based on risk assessment. Could be controls, removal of risk, or transferring risk

82
Q

Risk Monitoring

A

Final step in lifecycle, ensuring risks stay in allowable range

83
Q

Formula for Risk

A

Asset Value * Threat * Vulnerability = Risk

84
Q

STRIDE Threats

A

Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege

85
Q

DREAD Vulnerabilities

A

Damage potential, Reproducibility, Exploitability, Affected user base, Discoverability

86
Q

Qualitative Risk Assessment

A

Subjective analysis to help prioritize probability and impact of risk events. May use Delphi Technique (anonymous inputs from users)
Uses terms like high medium low; probability and impact
Produces a heat map

87
Q

Quantitative Risk Assessment

A

Provides a dollar value to risk event
More difficult and requires a special skill set
Can’t exist on its own, depends on qualitative info

88
Q

Asset Value (AV)

A

Dollar figure that represents what the asset is worth to the organization

89
Q

Exposure Factor (EF)

A

Percentage of loss that is expected to result in the manifestation of an actual risk event

90
Q

Single Loss Expectancy (SLE)

A

Dollar figure that represents the cost of a single occurrence of a threat instance

91
Q

Annual Rate of Occurrence (ARO)

A

How often the threat is expected to materialize

92
Q

Annual Loss Expectancy (ALE)

A

Cost per year as a result of the threat

93
Q

Total Cost of Ownership (TCO)

A

cost of implementing a safeguard, includes initial cost and maintenance fees

94
Q

Return on Investment (ROI)

A

money saved by implementing a safeguard; also known as value of safeguard/control

95
Q

Single Loss Expectancy (SLE) Formula

A

AV * EF

96
Q

ALE Formula

A

SLE * ARO

97
Q

TCO Formula

A

Initial Cost of Control + Yearly Fees

98
Q

ROI Formula

A

ALE before Control - ALE after Control - Cost of control

99
Q

Steps for Quantitative Analysis

A

Assign Asset value (AV)
Calculate Exposure Factor (EF)
Calculate Single Loss Expectancy (SLE)
Assess the annualized rate of occurrence (ARO)
Derive the Annualized loss expectancy (ALE)
Perform cost/benefit analysis of countermeasures

100
Q

Key Performance Indicator (KPI)

A

Performance objectives for the system. not meeting objectives could be a sign of an incident

101
Q

Key Risk Indicator (KRI)

A

A trigger for a risk
Provide early warning
Provide backward-looking view on risk events
Enable documentation and analysis of trends
Provide an indication of risk appetite and tolerance
Increase the likelihood of achieving strategic objectives
Assist in optimizing risk governance

102
Q

Wassenaar Arrangement

A

Cryptographic software is allowed to non-government end-users of other countries
No exporting of strong encryption software to terrorist states

103
Q

Import Restrictions

A

Some countries do not allow import of crypto tools with strong encryption unless a copy of the private keys is provided to law enforcement so they can break the encryption

104
Q

HIPAA

A

Regulation of Health info for individuals

105
Q

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

A

Financial agencies required to protect financial information

106
Q

Payment Card Industry Data Security Standard (PCI DSS)

A

Self regulated for credit card information

107
Q

Parol Evidence

A

When agreement in written form, it contains all terms of the agreement. No verbal agreements can modify written agreement