Domain 1: Security and Risk Management Flashcards

Question

You can categorize evidence by several types. These categories basically determine the strength and usability of a particular piece of evidence. Name all 7 types of evidence.

Answer 1

* Best evidence * Secondary evidence * Direct evidence * Conclusive evidence * Opinions * Circumstantial evidence * Hearsay evidence

Answer 2

The development of a business continuity plan should include all areas that are critical for running the business, which could include (but is not limited to) the following: * Networks and computer equipment * Voice and data communications resources * Human resources and personnel security issues * Transportation of equipment and personnel * Environment issues (such as HVAC) * Data, software, and applications * Supplies (paper, forms, cabling, and so on) * Documentation and media The organization’s current technical environment must be understood. This means the planners have to know the intimate details of the network, communications technologies, computers, network equipment, and software requirements that are necessary to get the critical functions up and running.

Answer 3

Denial of service (DoS) is the act of using so much of the resources of a target system that the system’s services are no longer available to other clients. An example of a DoS attack is flooding a website with so many requests that either the bandwidth is consumed or the maximum number of connections is reached. DoS attacks are commonly initiated through the use of botnets: an army of compromised PCs controlled by the attacker to launch the attack.

Answer 4

Best evidence is the primary evidence used in a trial because it provides the most reliability. An example of something that would be categorized as best evidence is an original signed contract. Oral evidence is not considered best evidence because there is no reliable proof that supports its validity, and it therefore does not have as good a standing as legal documents.

Answer 5

1. Thou shalt not use a computer to harm other people. 2. Thou shalt not interfere with other people’s computer work. 3. Thou shalt not snoop around in other people’s computer files. 4. Thou shalt not use a computer to steal. 5. Thou shalt not use a computer to bear false witness. 6. Thou shalt not copy or use proprietary software for which you have not paid. 7. Thou shalt not use other people’s computer resources without authorization or proper compensation. 8. Thou shalt not appropriate other people’s intellectual output. 9. Thou shalt think about the social consequences of the program you are writing or the system you are designing. 10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Answer 6

Critical systems and data should be identified and a request should be made to copy all data for future use. Backup copies will not be acceptable to the agents for investigation. In most cases, law enforcement agents will work with a company that reported a computer crime so that the investigation does not negatively affect the company.

Answer 7

Quantitative loss criteria can consist of the following: * Financial losses from loss of revenue, capital expenditure, or personal liability resolution * Additional operational expenses due to the disruptive event * Expenses due to loss of specific number of buildings, equipment, or other assets * Financial loss from resolution of violation of regulatory or compliance requirements Qualitative and quantitative impact information should be gathered and then properly analyzed and interpreted. The goal is to see exactly how a business will be affected by different threats. The effects can be financial, operational, or both.

Answer 8

1. Develop the continuity planning policy statement. 2. Conduct the business impact analysis (BIA). 3. Identify preventive controls. 4. Develop recovery strategies. 5. Develop the contingency plan. 6. Test the plan and conduct training and exercises. 7. Maintain the plan. Develop the continuity planning policy statement. Write a policy that provides the guidance necessary to develop a BCP and that assigns authority to the necessary roles to carry out their tasks. Conduct the business impact analysis (BIA). Identify critical functions and systems and allow the organization to prioritize them based on necessity. Identify vulnerabilities and threats, and calculate risks. Identify preventive controls. After threats are recognized, identify and implement controls and countermeasures to reduce the organization’s risk level in an economical manner. Develop recovery strategies. Formulate methods to ensure systems and critical functions can be brought back to normal or near normal condition quickly. Develop the contingency plan. Write procedures and guidelines for how the organization can stay functional in a crippled state. Test the plan and conduct training and exercises. Test the plan to identify deficiencies in the BCP and conduct training to properly prepare individuals on their expected tasks. Maintain the plan. Put in place steps to ensure the BCP is a living document that is updated regularly.

Answer 9

* Full backup * Incremental backup * Differential backup Full backup is just what it sounds like; all data is backed up and saved to some type of storage media. During a full backup, the archive bit is clear, which means that it is set to 0. Incremental backup backs up all the files that have changed since the last full or incremental backup and sets the archive bit to 0. When the data needs to be restored, the full backup data is laid down and then each incremental backup is laid down on top of it in the proper order. Differential backup backs up the files that have been modified since the last full backup. When the data needs to be restored, the full backup is laid down first and then the differential backup is put down on top of it. The differential process does not change the archive bit value.

Answer 10

* **Management approval:** The data owner with appropriate authorizations might approve the release if deemed necessary to carry out approved organizational tasks. * **Contractual requirement:** The release of classified data might be required pursuant to a signed contract. * **Court order:** Classified information might be released to satisfy a court order. * **Modification in requirements:** Data no longer holds the level of protection required in the past. Data can change in its level of protection requirements based on organizational decisions. It is important to periodically review the classification of data and other organizational assets. The classification level may need to increase or decrease depending upon organizational needs or circumstances. For example, if a government agency classifies a data set as Secret and then the information is announced on a TV news station, it no longer needs to be protected at that level of protection—it has been released and is now Unclassified.

Answer 11

Single loss expectancy (SLE) is a dollar amount assigned to a single occurrence of an event that represents the company’s potential loss amount if a specific threat were to take place. The SLE is calculated by multiplying the EF times the asset value. For example, an asset valued at $1,000 that has an EF of 10 percent would have an SLE of $1,000 × 10 percent = $100.

Answer 12

* Checklist * Structured walk-through * Simulation testing * Parallel testing * Full-interruption testing A checklist is usually a paper-based review of the steps in the BCP by management. In this type of test, copies of the BCP are distributed to the different departments and functional areas for review. This is done so each functional manager can review the plan and indicate if anything has been left out or if some approaches should be modified or deleted. A structured walk-through is a walk-though of the steps of the BCP that introduces disruptive events in an exercise format where key business management discusses the steps taken to remediate the disruption. A simulation is a test that takes a lot more planning and people. In this situation, all employees who participate in operational and support functions, or their representatives, come together to practice executing the disaster recovery plan based on a specific scenario. The scenario tests the reaction of each operational and support representative. Again, this is done to ensure specific steps were not left out and certain threats were not overlooked. It acts as a catalyst to raise the awareness of the people involved. A parallel test is done to ensure that the specific systems can actually perform adequately at the alternative offsite facility. Some systems are moved to the alternative site and processing takes place. The results are compared with the regular processing that is done at the original site. This test points out any necessary tweaking, reconfiguring, or steps that need to take place. Full-interruption testing is the most intrusive to regular operations and business productivity. The original site is actually shut down and processing takes place at the alternative site. The recovery team fulfills its obligations in preparing the systems and environment for the alternative site. All processing is done only on devices at the alternative offsite facility.

Answer 13

A patent grants the owner a legally enforceable right to exclude others from practicing or using the invention’s design for a defined period of time.

Answer 14

Social engineering is much like an old-fashioned con game, in that the attacker uses the art of manipulation to trick a victim into providing private information or improper access. Social engineering predates the computer era. Today it uses many techniques, including phishing emails and website links to get a user to reveal personal or corporate data.

Answer 15

Dumpster diving involves searching discarded material (trash) for items with important information (documents, CDs, and such). Although not technically a computer crime, dumpster diving can provide the data required to complete a computer crime.

Answer 16

Keystroke logging is an attack that is accomplished with software or hardware devices. These devices or software components can record everything a person types, including usernames, passwords, and account information. The hardware version of these devices is usually installed while users are away from their desks. Hardware keystroke loggers are completely undetectable except for their physical presence. Software versions use programming to hook into kernel-level processes to record keyboard-specific data.

Answer 17

There are several techniques for spoofing: * Internet Protocol (IP) address spoofing * Domain Name System (DNS) spoofing * Address Resolution Protocol (ARP) spoofing The term “IP address spoofing” refers to the creation of IP packets with a forged (spoofed) source IP address for the purpose of concealing the identity of the sender or impersonating another computing system. DNS spoofing is the act of returning the wrong IP address as the result of a DNS query. ARP spoofing is the act of returning an incorrect MAC address in response to an ARP request.

Answer 18

The damage assessment determines what if any phase of the business continuity plan (BCP) needs to be activated. After a disaster, the coordinator or another identified leader must carry out a disaster assessment so the team can know which phase to go into next. If the damage is extreme and threatens the survivability of the company, then it goes into the first phases of BCP. If the event was smaller and mainly IT related, the team moves into DRP phases. The damage assessment will indicate what phase to activate, which is formally called the activation phase. After this information is collected and assessed, it will also indicate what teams need to be called to action and whether the BCP actually needs to be activated.

Answer 19

Proximate causation. If proximate causation is proved, then a company may be found liable. Conversely, for a company to be found liable, proximate causation must be proven. This means that it can be proven that the company was actually at fault and responsible for a negative activity that took place.

Answer 20

Data loss needs to be addressed as a top priority. Today data and information are considered gold to many companies, the loss of which could be devastating. Although this may seem insensitive and one would guess the loss of human life to be the most devastating, a company’s survival is dependent upon critical processes that need to continue. Once the processes are implemented, it is the data that must be restored to ensure that the business functions can continue.

Answer 21

Authentication is a process to verify the identity of a subject requesting the use of a system and access to network resources. Combined with identification and authorization, authentication is one of the three steps necessary for granting a subject access to an object.

Answer 22

MOM stands for motive, opportunity, and means. Motive is the “who” and “why” of a crime. A person might be driven by the excitement, challenge, and adrenaline of committing a crime. Understanding the motive for a crime is an important piece in figuring out who would engage in such an activity. Opportunity is the “where” and “when” of a crime. Opportunities usually arise when certain vulnerabilities or weaknesses are present. Here’s an example of opportunity: If a company does not have a firewall, hackers and attackers have all types of opportunities within that network. Means pertains to the abilities a criminal would need to be successful. Suppose a crime fighter was asked to investigate a complex embezzlement that took place within a financial institution. If the suspects were three people who knew how to use a mouse, keyboard, and word processing application, but only one of them was a programmer and system analyst, the crime fighter would realize that this person might have the means to commit this crime much more successfully than the other two individuals.

Answer 23

A risk analysis identifies assets, discovers the threats that put them at risk, and estimates the possible damage and potential loss a company could endure if any of these threats becomes real. The results of the risk analysis help management construct a budget with the necessary funds to protect the recognized assets from their identified threats and develop applicable security policies that provide direction for security activities.

Answer 24

A safeguard is a software configuration, hardware, or procedure that eliminates a vulnerability or reduces the risk of a threat agent from exploiting a vulnerability. Safeguards are also called countermeasures or security controls.

Answer 25

The British Standard has two parts: * BS7799 Part I, which outlines control objectives and a range of controls that can be used to meet those objectives * BS7799 Part II, which outlines how a security program can be set up and maintained. BS7799 Part II also served as a baseline that organizations could be certified against. An organization would choose to be certified against the ISO 17799 standard to provide confidence to their customer base and partners and be used as a marketing tool. To become certified, an authorized third party would evaluate the organization against the requirements in ISO 17799 Part II. The organization could be certified against all of ISO 17799 Part II or just a portion of the standard.

Answer 26

Means to prevent the organization’s computer resources from being used as a source of attack on another organization’s computer system * Backups * Scans for malicious code * Business continuity and disaster recovery plans * Local and remote access control * Elimination of unauthorized and unsecured modems * Organizational security policies, procedures, and guidelines * Personnel screening procedure

Answer 27

For evidence to be relevant, it must have a reasonable and sensible relationship to the findings. The evidence is related to the crime in that it shows that the crime has been committed; it can provide information describing the crime; it can provide information as to the perpetrator’s motives; it can verify what had occurred; and it can fix the crime’s time of occurrence. For example, if a judge rules that a person’s past traffic tickets cannot be brought up in a murder trial, this means the judge has ruled that the traffic tickets are not relevant to the case at hand. Thus, the prosecuting lawyer cannot even mention them in court.

Answer 28

Training users and making them aware of BCP procedures helps to make sure all employees know what to do and how to do it in case of an emergency. Employees assigned to specific tasks must be trained to carry out needed procedures. Plan for cross-training of teams if possible, so those team members are familiar with a variety of recovery roles and responsibilities.

Answer 29

The ARO is a number that represents the estimated possibility of a specific threat taking place within a one-year timeframe. For example, a lightning strike that might occur in a given location once a year would have an ARO of 1 year × 1 event = 1. An area where lightning strikes occur only once every 10 years would have an ARO of 0.1.

Answer 30

* Preventive mechanisms might include some of the following components: * Fortification of the facility in its construction materials * Redundant servers and communications links * Power lines coming in through different transformers * Redundant vendor support * Purchasing of insurance * Purchasing of UPSs and generators with fuel backup * Data backup technologies * Media protection safeguards * Increased inventory of critical equipment * Fire detection and suppression systems * Preparing and testing a calling-tree * Awareness trainings Performing various types of tests to identify additional vulnerabilities Instead of just waiting for a disaster to hit to see how the company holds up, countermeasures should be integrated to better fortify the company from the impacts that were recognized. Appropriate and cost-effective preventive methods and proactive measures are more preferable than reactionary methods. Which types of preventive mechanisms need to be put in place depends upon the results of the BIA.

Answer 31

To be properly preserved, the evidence must not be subject to damage or destruction. To preserve evidence, it is recommended that one: * Does not prematurely remove power. * Backs up the hard disk image using disk imaging hardware or software. * Avoids placing magnetic media in the proximity of sources of magnetic fields. * Stores media in a dust- and smoke-free environment at proper temperature and humidity. * Write-protects media Authenticate the file system by creating a digital signature based on the contents of a file or disk sector. Preserving the original evidence also prevents inadvertent alteration of original evidence during examination.

Answer 32

Wiretapping is the monitoring of telephone and Internet conversations by a third party, often by covert means. The wiretap is so named because, historically, the monitoring connection was applied to the wires of the telephone line being monitored and drew off, or tapped, a small amount of the electrical signal carrying the conversation. Wiretapping is illegal in the United States without a court order. Legalized wiretapping by police or other recognized governmental authority is otherwise known as lawful interception.

Answer 33

The business resumption plan focuses on how to re-create the necessary business processes that need to be reestablished instead of focusing on just IT components. The continuity of operations plan (COOP) establishes senior management and a headquarters after a disaster. The business resumption plan is process-oriented instead of procedural-oriented. The continuity of operations plan (COOP) outlines the roles, authorities, orders of succession, and individual tasks.

Answer 34

In a salvage effort, an organization attempts to collect resources that can still be used post-disaster. In a recovery operation, the focus is on moving services or functions to an alternative location to restore a business process. * Salvage efforts can include the following: * Irreplaceable items and related documentation * Vital information such as employee and accounting records, succession lists, inventories, and data * Other items that directly support your mission * Items that are unique, most used, most vital for research, most representative of subject areas, and least replaceable or most valuable * Items most prone to continued damage

Answer 35

A full backup option is just what it sounds like: all data is backed up and saved to some type of storage media. During a full backup, the archive bit is clear, which means that it is set to 0. A company can choose to do full backups only, in which case the restoration process is just one step, but the backup and restore processes could take a long time.

Answer 36

It is imperative that the company gets human resources involved if an employee is considered a suspect in a computer crime. The human resources department knows the laws and regulations pertaining to employee treatment and can work to protect the employee and the company at the same time.

Answer 37

* Risk reduction * Risk transference * Risk acceptance * Risk avoidance Risk reduction involves modifying processes or altering an environment to reduce the risk, or implementing safeguards and security controls to mitigate the risk to an acceptable level. Risk transference involves assigning or transferring the potential impact of a potential loss to another party (such as an insurance company). Risk acceptance refers to accepting the risk as it is without attempting to reduce it, with the intent of simply absorbing the loss if there is impact to an asset. Risk avoidance entails eliminating the vulnerability (application, system, process, technology, etc.) or otherwise discontinuing the activity that is causing the risk.

Answer 38

When the risk analysis has been completed and the ALE has been computed, the organization must determine the cost of implementing appropriate controls (purchase cost, installation costs, maintenance, and development). The ALE then needs to be computed again given the new control. If the new ALE is less than the old ALE plus the costs of the control, the control is worth implanting from a pure dollar assessment.

Answer 39

Controls are security features that control how users and systems communicate and interact with other systems and resources. They protect the systems and resources from unauthorized access and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed. The following controls are examples of the three categories of controls as they pertain to information security to achieve management’s security directives: Administrative controls: These include the developing and publishing of policies, standards, procedures, and guidelines; risk management; the screening of personnel; conducting security awareness training; and implementing change control procedures. Technical controls (also called logical controls): These consist of implementing and maintaining access control mechanisms; password and resource management, identification and authentication methods; security devices; and the configuration of the infrastructure. Physical controls: These entail controlling individual access into the facility and different departments; locking systems and removing unnecessary floppy or CD-ROM drives; protecting the perimeter of the facility; monitoring for intrusion; and environmental controls.

Answer 40

Exposure factor is the percentage of loss a realized threat can have on a certain asset. EF is a subjective value used to assign an impact on an asset for risk assessment purposes. For example, a threat that makes FTP unavailable on a given server might be assessed an exposure factor of 15 percent. The EF value is used in calculating SLE:asset value × exposure factor (EF) = SLE

Answer 41

Disasters are difficult to predict, let alone affects that will take place after the disaster. The effects of a disruptive event might impact the partner as well. Additionally, the agreements are difficult to enforce. Reciprocal agreements have been known to work well in specific businesses, such as newspaper printing. These businesses require specific technology and equipment that isn't available through any subscription service. These agreements follow a “you scratch my back and I’ll scratch yours” mentality. For most other organizations, they are generally, at best, a secondary option for disaster protection.

Answer 42

* Threat * Risk * Frequency * Certainty The identification of risk to an organization entails defining four basic elements: threat, risk, frequency, and certainty. Team members must ask the following: * What event could occur? (threat) * What could be the potential impact? (risk) * How often could it happen? (frequency) * What level of confidence do we have in the answers to the first three questions? (certainty) Much of this information is gathered through internal surveys, interviews, or workshops.

Answer 43

The senior and executive management in an organization sets the overall organization emphasis on security. It must be clear to employees that directives come from senior management and that the entire management staff supports the security policies. Computers and the information processed on them usually have a direct relationship with a company’s critical missions and objectives. Because of this level of importance, senior management should make protecting these items a high priority and provide the necessary support, funds, time, and resources to ensure that systems, networks, and information are protected in the most logical and cost-effective manner possible.

Answer 44

Software piracy is a copyright infringement that involves the unauthorized copying of computer software. Copyright infringement of this kind is extremely common in several parts of the world. Most countries have copyright laws that apply to software, but they are better enforced in some countries than others. In the United States, copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work.

Answer 45

Conducting a vulnerability assessment enables the BIA team to identify the types and severity of vulnerabilities present for a given asset, which can then be used to determine the overall risk to that asset. A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system or environment. The business impact analysis (BIA) seeks to identify the potential impact of given events on business functions.

Answer 46

Accountability is a security principle indicating that individuals need to be identifiable and must be held responsible for their actions. Accountability provides the capability to attribute any action on a given system back to the source that initiated that action. Audit trails, logs, and physical security devices like closed-circuit television (CCTV) support accountability.

Answer 47

The prudent man rule “requires officers to perform duties with diligence and care that ordinary, prudent people would exercise under similar circumstances.” Management has the obligation to protect the organization from losses due to natural disasters, malicious code, compromise of proprietary information, and damage to reputation, violation of the law, employee privacy suits, and stockholder suits. Management must follow the prudent man rule, and officers of an organization must exercise due care or reasonable care to carry out their responsibilities to the organization.

Answer 48

* Collection * Identification * Storage * Preservation and/or transportation * Presentation in court * Return to owner. Collection involves the following: * Collect all relevant storage media * Make image of hard disk before removing power * Print out screen * Avoid degaussing equipment * Identification involves tagging and marking all evidence * Storage in a proper environment protects media from erasure or damage.

Answer 49

Many options are available to planners, and they vary in cost, reliability, and effectiveness. These options include the following: * A reciprocal agreement where a business enters into a cooperative arrangement with another business to leverage existing excess capacity to support the other’s operations in an emergency * Hot, warm, or cold sites * Multiple service locations * Hosted services

Answer 50

* Cold site * Warm site * Hot site Cold site: An empty room with only rudimentary electrical power and computing capability. It might have a raised floor and some racks, but it is not ready for use. It might take several weeks to get the site operational. Warm site: An improvement over a cold site; this facility has data equipment and cables and is partially configured. It could be made operational in anywhere from a few hours to a few days. Hot site: This facility is ready to go. It is fully configured and equipped with the same system as the production network. Although it is capable of taking over operations at a moment's notice, it is the most expensive option discussed.

Answer 51

* Advisory: Strongly advises employees as to which types of behaviors and activities should and should not take place within the organization * Informative: Informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company * Regulatory: Ensures that the organization is following standards set by specific industry regulations or legislative requirements. It is detailed and specific to a type of industry. A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. It is through these policies that security programs can be set up with a strong foundation and an organized method of response to security issues, as well as expectations for personnel within the organization as to who is in charge during certain kinds of incidents. Different types of security policies can be implemented in an organization. These policies can be adapted to fit the specific needs of their environment.

Answer 52

Failure Modes and Effects Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and its effects through a structured process. The application of this process to a chronic failure enables the determination of where exactly the failure is most likely to occur. This is very helpful in pinpointing where a vulnerability exists, as well as determining exactly what kind of scope the vulnerability entails—meaning, what would be the secondary ramifications of its exploitation?

Answer 53

* The age of data * The level of damage that could be caused if the data were disclosed * The level of damage that could be caused if the data were modified or corrupted * Legal, regulatory, or contractual responsibility to protect the data * Effects the data has on national security * Who should be able to access the data * Who should maintain the data * Where the data should be kept * Who should be able to reproduce the data * Which data requires labels and special marking * The usefulness of the data * Whether encryption is required for the data * Whether separation of duties is required * Lost opportunity costs that could be incurred if the data were not available or were corrupted Once the classification scheme is decided upon, the company or government agency must develop the criteria it will use to decide what information goes into which classification.

Answer 54

The most common types of computer crimes today include: * Denial of service * Password theft * Network intrusion * Wiretapping * Social engineering * Illegal content * Fraud * Dumpster diving * Software piracy * Malicious code * Spoofing attacks * Information warfare * Masquerading * Keystroke logging * Man-in-the-middle * War driving * Shoulder surfing * Identity theft * Phishing * Spam * Hacking

Answer 55

A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented as evidence in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.

Answer 56

When a company needs to move back into its original site or a new site after a disaster, the company is ready to enter into the reconstitution phase. The company is always vulnerable while operating in a backup facility, and is not out of an emergency state until it is back in operation at the original primary site or a new site that was constructed to replace the primary site. Many logistical issues need to be considered as to when a company must return from the alternate site to the original site

Answer 57

Authorization is the granting of access to a given object when a subject has been properly identified and authenticated. Authorization is also the collection of rights and privileges an entity (user or process) has on a given system.

Answer 58

* Select individuals to interview for data gathering. * Create data-gathering techniques (surveys, questionnaires, and so on). * Identify the company’s critical business functions. * Identify the resources these functions depend upon. * Calculate how long these functions can survive without these resources. * Identify vulnerabilities and threats to these functions. * Calculate the risk for each different business function. * Document findings and report them to management.

Answer 59

Security governance is the set of responsibilities and practices exercised by the board and executive management of a company or organization with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly. Security governance is all of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organization’s specific needs. It requires organizational structure, roles and responsibilities, performance measurement, defined tasks, and oversight mechanisms.

Answer 60

Due diligence means that the company properly investigated all its possible weaknesses and vulnerabilities. With respect to due diligence, managers should implement the following procedures: * Means to prevent the organization’s computer resources from being used as a source of attack on another organization’s computer system * Backups * Scans for malicious code * Business continuity and disaster recovery plans * Local and remote access control * Elimination of unauthorized and unsecured modems * Organizational security policies, procedures, and guidelines * Personnel screening procedure

Answer 61

A disaster recovery plan (DRP) is carried out when everything is still in emergency mode and everyone is scrambling to get all critical systems back online. Continuity planning provides methods and procedures for dealing with longer-term outages and disasters and is information technology (IT) focused. The goal of disaster recovery is to minimize the effects of a disaster and take the necessary steps to ensure that the resources, personnel, and business processes can resume operation in a timely manner. This is different from continuity planning, which provides methods and procedures for dealing with longer-term outages and disasters.

Answer 62

A differential backup operation backs up only every modified data element since the last time a full backup was completed. This means that if full backups are done every Sunday and differential backups are done nightly, a file modified on Monday will be backed up every day of the week until the next full backup (the following Sunday).

Answer 63

A vulnerability is the existence of a flaw or condition that can be exploited in the absence or weakness of sufficient security controls.

Answer 64

Military organizations are more concerned than most private-sector businesses about not disclosing confidential information. Government classifications, which range from unclassified to top-secret, are determined according to the sensitivity of the data and its potential to damage national security were it to became public. Private-sector businesses are usually more interested in the integrity and availability of data. These different perspectives affect data classification. The following are government classifications: * Unclassified: Designated as neither sensitive nor classified. * Sensitive but Unclassified (SBU): Designated organizationally important but might not create serious damage if disclosed. Answers to tests are an example of this kind of information. Health care information is another example of SBU data. * Confidential: Designated to be of a confidential nature. The unauthorized disclosure of this information could cause some damage to the country’s national security * Secret: Designated to be of a secret nature. The unauthorized disclosure of this information could cause serious damage to the country’s national security * Top Secret: The highest level of information classification in most governments. The unauthorized disclosure of Top Secret information can cause damage to the country’s national security. A commonly used classification set employed in the commercial sector is: * For official use only: Financially sensitive * Proprietary: Protects competitive edge * Privileged: Ensures conformance with business standards and laws * Private: Contains records about individuals

Answer 65

Senior management has the ultimate responsibility for all phases of the plan. Senior management is responsible not only for initiation of the plan process, but also monitoring and management of the plan during testing, supervision, and execution of the plan during a disruptive event. Executives might be held responsible and liable under various laws and regulations. They could be sued by stockholders and customers if they do not practice due diligence and due care and fulfill all of their responsibilities when it comes to disaster recovery and business continuity.

Answer 66

The Control Objectives for Information and related Technology (CobiT) is a framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs. CobiT is broken down into four domains: * Plan and Organize * Acquire and Implement * Deliver and Support * Monitor and Evaluate.

Answer 67

To be admissible, evidence must be: * relevant * legally permissible * reliable * properly identified * properly preserved The foundation of admissibility is based on the following items: * Procedures for collecting and maintaining evidence * Proof of how errors were avoided * Identification of custodian and skill set * Reasonable explanations for why certain actions were taken and certain procedures bypassed

Answer 68

The primary purpose of risk management is to identify, assess, and reduce risk to an acceptable level, and to implement the right mechanisms to maintain that level of risk. Threats must be identified, classified by category, and evaluated to calculate their damage potential to the company. Real risk is hard to measure, but prioritizing the potential risks in order of which ones must be addressed first is possible.

Answer 69

A threat is any potential danger that a vulnerability will be exploited to compromise one of the security triad components (availability, integrity, confidentiality) resulting in an impact to an asset.

Answer 70

The business continuity process is not integrated into the change management process. * Infrastructure and environment changes occur. * Reorganization of the company, layoffs, or mergers occur. * Changes in hardware, software, and applications occur. * After the plan is constructed, people feel their job is done. * Personnel turns over. * Large plans take a lot of work to maintain. * These plans do not have a direct line to profitability.

Answer 71

Identification is the first step of the authentication process, which requires a subject to provide some type of data to an authentication service to verify the subject’s identity. For example, an ID card is a form of identification. Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token. These two credential items are compared to information that has been previously stored for this subject. If these credentials match the stored information, the subject is authenticated.

Answer 72

* Administrative * Technical * Physical Administrative controls include: * Developing and publishing of policies, standards, procedures, and guidelines * Risk management * Screening of personnel * Conducting security awareness training * Implementing change control procedures. Technical controls (also called logical controls) consist of: * Implementing and maintaining access control mechanisms * Password and resource management, identification and authentication methods * Security devices * Configuration of the infrastructure Physical controls entail: * Controlling individual access into the facility and different departments * Locking systems and removing unnecessary floppy or CD-ROM drives * Protecting the perimeter of the facility * Monitoring for intrusion * Environmental controls.

Answer 73

Major legal systems in use worldwide include civil (code) law, common law, customary law, and religious law. **Civil (code) law** evolved in Europe and is based on a comprehensive system of written rules of law. Civil law is rule-based law, not precedence-based. **Common law** is practiced in the United States, Canada, the United Kingdom, Australia, and New Zealand. It is based on the rule of reasonable doubt and the premise that you are innocent until proven guilty. Before there was a written set of laws, laws were based on custom and precedent. **Customary law** is usually found combined with another legal system; it is based on the concept of what is customary and considered normal conduct. Customary law is based on traditions and customs of the region, and emerged when cooperation of individuals became necessary as communities merged. Mainly used in regions of the world that have mixed legal systems (e.g., China, India). - **Religious law** is based on religious beliefs in a given region. In Islamic countries, the law is based on the rules of the Koran.

Answer 74

Administrative, or regulatory, law covers standards of performance or conduct expected by government agencies from companies, industries, and certain officials.

Answer 75

Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE)

Answer 76

Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.

Answer 77

A baseline is a minimum level of security.

Answer 78

A business case must be presented to gain executive support. This is done by explaining regulatory and legal requirements, exposing vulnerabilities, and providing solutions.

Answer 79

Business continuity management (BCM) is the overarching approach to managing all aspects of BCP and DRP.

Answer 80

The business impact analysis (BIA) is one of the most important first steps in the planning development. Qualitative and quantitative data on the business impact of a disaster need to be gathered, analyzed, interpreted, and presented to management.

Answer 81

* Uses prewritten rules and is not based on precedent * Is different from civil (tort) laws, which work under a common law system

Answer 82

CMMI is a maturity model that allows for processes to improve in an incremented and standard approach.

Answer 83

Made up of criminal, civil, and administrative laws. Criminal law deals with an individual’s conduct that violates government laws developed to protect the public. Civil law deals with wrongs committed against individuals or companies that result in injury or damages. Civil law does not use prison time as a punishment, but usually requires financial restitution.

Answer 84

A compensating control is an alternative control that is put into place because of financial or business functionality reasons.

Answer 85

A control can be: * Administrative * Technical * Physical and can provide * Deterrent * Preventive * Detective * Corrective * Recovery protection

Answer 86

Copyright protects the expression of ideas rather than the ideas themselves.

Answer 87

COSO Internal Control—Integrated Framework is a governance model used to help prevent fraud within a corporate environment.

Answer 88

A countermeasure, also called a safeguard or control, mitigates the risk.

Answer 89

* Addresses mainly personal conduct and uses regional traditions and customs as the foundations of the laws. * Is usually mixed with another type of listed legal system rather than being the sole legal system used in a region.

Answer 90

The Delphi technique is a group decision method where each group member can communicate anonymously.

Answer 91

Enterprise architecture frameworks are used to build individual architectures that best map to individual organizational needs and business drivers.

Answer 92

Enterprise security architecture is a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.

Answer 93

A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.

Answer 94

Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.

Answer 95

Guidelines are recommendations and general approaches that provide advice and flexibility.

Answer 96

An information security management system (ISMS) is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO/IEC 27001.

Answer 97

ISO/IEC 22301 is the standard for business continuity management (BCM).

Answer 98

Overview and vocabulary

Answer 99

ISMS requirements

Answer 100

Code of practice for information security controls

Answer 101

ISMS implementation

Answer 102

ISMS measurement

Answer 103

Risk management

Answer 104

Certification body requirements

Answer 105

ISMS auditing

Answer 106

Guidance for auditors

Answer 107

Telecommunications organizations

Answer 108

Information security governance

Answer 109

Financial sector

Answer 110

Business continuity

Answer 111

Cybersecurity

Answer 112

Network security

Answer 113

Application security

Answer 114

Incident management

Answer 115

Digital evidence collection and preservation

Answer 116

Health organizations

Answer 117

ITIL is a set of best practices for IT service management.

Answer 118

Job rotation is a detective administrative control to detect fraud.

Answer 119

Mandatory vacations are a detective administrative control type that can help detect fraudulent activities.

Answer 120

Uses two or more legal systems.

Answer 121

NIST SP 800-53 uses the following control categories: technical, management, and operational.

Answer 122

NIST SP 800-55 is a standard for performance measurement for information security.

Answer 123

OCTAVE is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.

Answer 124

Risk can be: * Transferred * Avoided * Reduced * Accepted.

Answer 125

A patent grants ownership and enables that owner to legally enforce his rights to exclude others from using the invention covered by the patent.

Answer 126

Privacy laws dictate that data collected by government agencies must be collected fairly and lawfully, must be used only for the purpose for which it was collected, must only be held for a reasonable amount of time, and must be accurate and timely.

Answer 127

Procedures are detailed step-by-step actions that should be followed to achieve a certain task.

Answer 128

* Initiating the project * Performing business impact analyses * Developing a recovery strategy * Developing a recovery plan * Implementing, testing, and maintaining the plan.

Answer 129

Laws are derived from religious beliefs and address an individual’s religious responsibilities; commonly used in Muslim countries or regions.

Answer 130

(Threats × vulnerability × asset value) × controls gap = residual risk

Answer 131

A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.

Answer 132

* Identify assets and assign values to them * Identify vulnerabilities and threats * Quantify the impact of potential threats * Provide an economic balance between the impact of the risk and the cost of the safeguards.

Answer 133

Sherwood Applied Business Security Architecture (SABSA), is a security enterprise architecture framework

Answer 134

Security enterprise architecture should tie in: * Strategic alignment * Business enablement * Process enhancement * Security effectiveness

Answer 135

Security governance is a framework that provides: * Oversight * Accountability * Compliance

Answer 136

A security policy is a statement by management dictating the role security plays in the organization.

Answer 137

Separation of duties ensures no single person has total control over a critical activity or task. It is a preventive administrative control. Split knowledge and dual control are two aspects of separation of duties.

Answer 138

A service level agreement (SLA) is a contractual agreement that states that a service provider guarantees a certain level of service.

Answer 139

Six Sigma is used to identify defects in processes so that the processes can be improved upon.

Answer 140

Social engineering is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.

Answer 141

Standards are documents that outline rules that are compulsory in nature and support the organization’s security policies.

Answer 142

A supply chain is a sequence of suppliers involved in delivering some product.

Answer 143

A threat is the possibility that someone or something would exploit a vulnerability, either intentionally or accidentally, and cause harm to an asset. Also, a potential cause of an unwanted incident, which may result in harm to a system.

Answer 144

Threats × vulnerability × asset value = total risk

Answer 145

Trade secrets are deemed proprietary to a company and often include information that provides a competitive edge. The information is protected as long as the owner takes the necessary protective actions.

Answer 146

Trademarks protect words, names, product shapes, symbols, colors, or a combination of these used to identify products or a company. These items are used to distinguish products from the competitors’ products.

Answer 147

A vulnerability is a weakness in a system that allows a threat source to compromise its security.

Answer 148

Zachman Framework is a two-dimensional enterprise architecture framework

Answer 149

* Protect society, the common good, necessary public trust and confidence, and the infrastructure * Act honorably, honestly, justly, responsibly, and legally * Provide diligent and competent service to principals * Advance and protect the profession

Answer 150

Administrative controls are more management oriented * Security documentation * Risk management * Personnel security * Training

Answer 151

A group of attackers is not in a hurry to launch an attack quickly, but will wait for the most beneficial moment and attack vector to ensure that its activities go unnoticed.

Answer 152

SLE × Annualized Rate of Occurrence (ARO)

Answer 153

The value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.

Answer 154

Baselines refer to a point in time that is used as a comparison for future changes.

Answer 155

A control, or countermeasure, is put into place to mitigate (reduce) the potential risk.

Answer 156

A commonly used cost/ benefit calculation for a given safeguard (control) is: (ALE before implementing safeguard) –(ALE after implementing safeguard) –(annual cost of safeguard) = value of safeguard to the company

Answer 157

Due care, on the other hand, means taking the precautions that a reasonable and competent person would take in the same situation.

Answer 158

Due diligence can be defined as doing everything within one’s power to prevent a bad thing from happening. Examples

Answer 159

* TOGAF - Model and methodology for the development of enterprise architectures developed by The Open Group * DoDAF - U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals * MODAF - Architecture framework used mainly in military support missions developed by the British Ministry of Defence * SABSA model - Model and methodology for the development of information security enterprise architectures

Answer 160

An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.

Answer 161

The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset.

Answer 162

The crux of this qualitative methodology is to focus only on the systems that really need assessing

Answer 163

* **Data subject** - The individual to whom the data pertains * **Data controller** - Any organization that collects data on EU residents * **Data processor** - Any organization that processes data for a data controller

Answer 164

Gramm-Leach-Bliley Act of 1999 - upon identification of an incident of unauthorized access to sensitive customer information, the institution determine the likelihood that the information has or will be misused.

Answer 165

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply.

Answer 166

Health Insurance Portability and Accountability Act

Answer 167

Health Information Technology for Economic and Clinical Health Act directs the U.S. Secretary of Health and Human Services (HHS) to publish annual guidance to affected corporations on effective technical controls to protect data.

Answer 168

International Electrotechnical Commission

Answer 169

ISMS outlines the controls that need to be put into place, enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment.

Answer 170

International Organization for Standardization

Answer 171

Maximum period time of disruption

Answer 172

Maximum tolerable downtime

Answer 173

a guide for conducting risk assessments

Answer 174

NIST SP 800-39 defines three tiers to risk management: **Organizational tier** - Concerned with risk to the business as a whole, which means it frames the rest of the conversation and sets important parameters such as the risk tolerance level. **Business process tier** - Deals with the risk to the major functions of the organization, such as defining the criticality of the information flows between the organization and its partners or customers. The bottom tier. **Information systems tier** - Addresses risk from an information systems perspective. Though this is where we will focus our discussion, it is important to understand that it exists within the context of (and must be consistent with) other, more encompassing risk management efforts.

Answer 175

patent trolls

Answer 176

Physical controls are items put into place to protect facilities, personnel, and resources. * Security guards * Locks * Fencing * Lighting

Answer 177

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.

Answer 178

(threats × vulnerability × asset value) × controls gap total risk – countermeasures

Answer 179

Risk management (RM) is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.

Answer 180

A structured process that allows an organization to identify and assess risk, reduce it to an acceptable level, and ensure that it remains at that level. Examples: * NIST RMF (SP 800-37r1) * ISO 31000: 2018 * ISACA Risk IT

Answer 181

Intended to avoid an incident from occurring

Answer 182

Helps identify an incident’s activities and potentially an intruder

Answer 183

Fixes components or systems after an incident has occurred

Answer 184

Intended to discourage a potential attacker

Answer 185

Intended to bring the environment back to regular operations

Answer 186

Provide an alternative measure of control

Answer 187

The SLE is a dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat were to take place. Asset Value × Exposure Factor (EF) = SLE

Answer 188

Standards refer to mandatory activities, actions, or rules.

Answer 189

SWOT stands for Strengths/Weaknesses/Opportunities/Threats,

Answer 190

Technical controls (also called logical controls) are software or hardware components * Firewalls * IDS * Encryption * Identification and authentication mechanisms

Answer 191

the entity that takes advantage of a vulnerability

Answer 192

The process of describing feasible adverse effects on our assets caused by threat sources.

Answer 193

threats × vulnerability × asset value

Answer 194

Vulnerability assessment just finds the vulnerabilities (the holes). A risk assessment calculates the probability of the vulnerabilities being exploited