Domain 1 - Security and Risk Management Flashcards
ITIL - Four Foundations
- Service
- Change
- Release
- Configuration
ISO 27005
Risk management framework - The standard doesn’t specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:
- Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
- Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
- Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
- Keep stakeholders informed throughout the process; and
- Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.
Copyright
Protects the expression of ideas but not necessarily the idea itself (e.g. a poem or song); lasts 70 years after the author dies
Trademarks
Words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald’s M); lasts 10 years
SOX Section 302
CEOs and CFOs can be sent to jail when information they sign is incorrect
SOX Section 404
Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.
The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.
COSO Initiative
Framework to work with Sarbanes-Oxley Section 404. COSO is a voluntary private sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence
COBIT
Examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of high level control objectives. Having controls, GRC heavy auditing, metrics, regulated industry.
Incident
An event that has potential to do harm
Breach
Incident that results in disclosure or potential disclosure of data
Data Disclosure
Unauthorized acquisition of personal information
Threat Event
Threat events are accidental and intentional exploitation of vulnerabilities
GLBA
It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.
1974 US Privacy Act
Protection of PII on federal databases
1980 Organization for Economic Cooperation and Development (OECD)
Provides guidelines for data collection, specifications, safeguards
1986 (amended in 1996) US Computer Fraud and Abuse Act
Trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment.
1986 Electronic Communications Privacy Act
Prohibits eavesdropping or interception without distinguishing private/public data. Was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer, and added new provisions prohibiting access to stored electronic communications.
1991 US Federal Sentencing Guidelines
Responsibility on senior management with fines up to $290 million. Invoke prudent man rule. Address both individuals and organizations.
1996 US Economic and Protection of Proprietary Information Act
Industrial and corporate espionage
HITECH
Congress amended HIPAA by passing this Act. This law updated many of HIPAA’s privacy and security requirements. One of the changes is a change in the way the law treats business associates (BAs), organizations who handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements.
Separation of duties
Assigns parts of tasks to different individuals so that no single person has total control of the system’s security mechanisms; prevents collusion
Least privilege
A system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest time. Three types: Read only, Read/write and Access/change
Two-man control
Two persons review and approve the work of each other, for very sensitive operations
Dual Control
Two persons are needed to complete a task
Rotation of duties
Limiting the amount of time a person is assigned to perform a security related task before being moved to a different task to prevent fraud; reduces collusion
Mandatory vacations
Prevents fraud and allows investigations; one week minimum; kill processes
Threat
Damage
Vulnerability
Weakness to threat vector (never does anything)
Impact
Overall effects
Residual Risk
Amount left over; organizations own the risk. Risk is determined as a byproduct of likelihood and impact
Goal of Risk Management
Reduce risk to an acceptable level.
Inherent Risk
Chance of making an error with no controls in place
Control Risk
Chance that controls in place will prevent, detect or control errors
Detection Risk
Chance that auditors won’t find an error
Business Risk
Concerns about effects of unforeseen circumstances
Analysis Steps
Identify assets, identify threats, and calculate risk.
Four major steps in Risk assessment
Prepare, Perform, Communicate, Maintain
Loss = probability * cost
Residual risk
Where the cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L).
Controls gap
The amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows: total risk – controls gap = residual risk
Risk Avoidance
Discontinue activity because you don’t want to accept risk
Risk Transfer
Passing on the risk to another entity
Risk Mitigation
Elimination or decrease in level of risk
Risk Acceptance
Live with it and pay the cost
Administrative/Managerial Policy Controls
- Preventive: hiring policies, screening, security awareness (also called soft measures)
- Detective: screening behavior, job rotation, review of audit records
Technical (aka Logical) - Preventive
Protocols, encryption, biometrics, smart cards, routers, firewalls
Technical (aka Logical) - Detective
IDS and automatically generated violation reports, audit logs, CCTV (never preventive)
Physical Controls
Fences, doors, locks, windows, etc.
Types of Controls
Administrative, Physical, Technical (Logical)
Deming Cycle
- Plan – identify an opportunity and plan for change
- Do – implement the change on a small scale
- Check – use data to analyze the results of the change
- Act – if the change is successful, implement it on a wider scale; if it fails, begin the cycle again
Open source License
Source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone
Freeware
Proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, re-distributed or reverse-engineered without the author’s permission
Assurance
Degree of confidence in satisfaction of security requirements. OUTSIDE AUDIT
Data Diddling
Act of modifying information, programs, or documents to commit fraud, tampers with INPUT data
Water holing
Create a bunch of websites with similar names
Work Function (factor)
The difficulty of obtaining the clear text from the cipher text as measured by cost/time
Fair Cryptosystems
In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.
FISMA (federal agencies) - Phase 1
Categorizing, selecting minimum controls, assessment
FISMA (federal agencies) - Phase 2
Create a national network of secure services to assess