Domain 1 - Security and Risk Management Flashcards

1
Q

ITIL - Four Foundations

A
  • Service
  • Change
  • Release
  • Configuration
2
Q

ISO 27005

A

Risk management framework - The standard doesn’t specify, recommend or even name any specific risk management method. It does however imply a continual process consisting of a structured sequence of activities, some of which are iterative:

Establish the risk management context (e.g. the scope, compliance obligations, approaches/methods to be used and relevant policies and criteria such as the organization’s risk tolerance or appetite);
Quantitatively or qualitatively assess (i.e. identify, analyze and evaluate) relevant information risks, taking into account the information assets, threats, existing controls and vulnerabilities to determine the likelihood of incidents or incident scenarios, and the predicted business consequences if they were to occur, to determine a ‘level of risk’;
Treat (i.e. modify [use information security controls], retain [accept], avoid and/or share [with third parties]) the risks appropriately, using those ‘levels of risk’ to prioritize them;
Keep stakeholders informed throughout the process; and
Monitor and review risks, risk treatments, obligations and criteria on an ongoing basis, identifying and responding appropriately to significant changes.

3
Q

Copyright

A

Protects the expression of ideas but not necessarily the idea itself (e.g. poem, song) @70 years after author dies

4
Q

Trademarks

A

Words, names, product shape, symbol, color or a combination used to identify products and distinguish them from competitor products (McDonald’s M) @10 years

5
Q

SOX Section 302

A

CEOs and CFOs can be sent to jail when information they sign is incorrect

6
Q

SOX Section 404

A

Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.

The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.

7
Q

COSO Initiative

A

Framework to work with Sarbanes-Oxley 404. COSO is a voluntary private sector initiative dedicated to improving organizational performance and governance through effective internal control, enterprise risk management, and fraud deterrence compliance

8
Q

COBIT

A

Examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of high level control objectives. Having controls, GRC heavy auditing, metrics, regulated industry.

9
Q

Incident

A

An event that has potential to do harm

10
Q

Breach

A

Incident that results in disclosure or potential disclosure of data

11
Q

Data Disclosure

A

Unauthorized acquisition of personal information

12
Q

Threat Event

A

Threat events are accidental and intentional exploitation of vulnerabilities

13
Q

GLBA

A

It is a United States federal law that requires financial institutions to explain how they share and protect their customers’ private information.

14
Q

1974 US Privacy Act

A

Protection of PII on federal databases

15
Q

1980 Organization for Economic Cooperation and Development (OECD)

A

Provides guidelines for data collection, specifications, safeguards

16
Q

1986 (amended in 1996) US Computer Fraud and Abuse Act.

A

Trafficking in computer passwords or information that causes a loss of $1,000 or more or could impair medical treatment.

17
Q

1986 Electronic Communications Privacy Act

A

Prohibits eavesdropping or interception w/o distinguishing private/public data. Was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer, and added new provisions prohibiting access to stored electronic communications.

18
Q

1991 US Federal Sentencing Guidelines

A

Responsibility on senior management with fines up to $290 million. Invoke prudent man rule. Address both individuals and organizations.

19
Q

1996 US Economic and Protection of Proprietary Information Act

A

Industrial and corporate espionage

20
Q

HITECH

A

Congress amended HIPAA by passing this Act. This law updated many of HIPAA’s privacy and security requirements. One of the changes is a change in the way the law treats business associates (BAs), organizations who handle PHI on behalf of a HIPAA covered entity. Any relationship between a covered entity and a BA must be governed by a written contract known as a business associate agreement (BAA). Under the new regulation, BAs are directly subject to HIPAA and HIPAA enforcement actions in the same manner as a covered entity. HITECH also introduced new data breach notification requirements.

21
Q

Separation of duties

A

Assigns parts of tasks to different individuals so that no single person has total control of the system’s security mechanisms; prevents collusion

22
Q

Least privilege

A

A system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest time. Three types: Read only, Read/write and Access/change

23
Q

Two-man control

A

Two persons review and approve the work of each other, for very sensitive operations

24
Q

Dual Control

A

Two persons are needed to complete a task

25
Q

Rotation of duties

A

Limiting the amount of time a person is assigned to perform a security related task before being moved to a different task to prevent fraud; reduces collusion

26
Q

Mandatory vacations

A

Prevents fraud and allows investigations, one week minimum; kill processes

27
Q

Threat

A

Damage

28
Q

Vulnerability

A

Weakness to threat vector (never does anything)

29
Q

Impact

A

Overall effects

30
Q

Residual Risk

A

Amount left over; organizations own the risk. Risk is determined as a byproduct of likelihood and impact

31
Q

Goal of Risk Management

A

Reduce risk to an acceptable level.

32
Q

Inherent Risk

A

Chance of making an error with no controls in place

33
Q

Control Risk

A

Chance that controls in place will prevent, detect or control errors

34
Q

Detection Risk

A

Chance that auditors won’t find an error

35
Q

Business Risk

A

Concerns about effects of unforeseen circumstances

36
Q

ANALYSIS Steps

A

Identify assets, identify threats, and calculate risk.

37
Q

Four major steps in Risk assessment

A

Prepare, Perform, Communicate, Maintain

38
Q

Loss=

A

probability * cost

39
Q

Residual risk

A

Where cost of applying extra countermeasures is more than the estimated loss resulting from a threat or vulnerability (C > L).

40
Q

Controls gap

A

The amount of risk that is reduced by implementing safeguards. A formula for residual risk is as follows: total risk – controls gap = residual risk

41
Q

Risk Avoidance

A

Discontinue activity because you don’t want to accept risk

42
Q

Risk Transfer

A

Passing on the risk to another entity

43
Q

Risk Mitigation

A

Elimination or decrease in level of risk

44
Q

Risk Acceptance

A

Live with it and pay the cost

45
Q

Administrative/Managerial Policy Controls

A
  • Preventive: hiring policies, screening, security awareness (also called soft measures!)
  • Detective: screening behavior, job rotation, review of audit records
46
Q

Technical (aka Logical) - Preventive

A

Protocols, encryption, biometrics smartcards, routers, firewalls

47
Q

Technical (aka Logical) -Detective

A

IDS and automatically generated violation reports, audit logs, CCTV (never preventative)

48
Q

Physical Controls

A

Fences, doors, locks, windows, etc.

49
Q

Types of Controls

A

Administrative, Physical, Technical (Logical)

50
Q

Deming Cycle

A

  • Plan – ID opportunity & plan for change
  • Do – implement change on small scale
  • Check – use data to analyze results of change
  • Act – if change successful, implement wider scale; if it fails, begin cycle again

51
Q

Open source License

A

Source code made available with a license in which the copyright holder provides the rights to study, change, and distribute the software to anyone

52
Q

Freeware

A

Proprietary software that is available for use at no monetary cost. May be used without payment but may usually not be modified, re-distributed or reverse-engineered without the author’s permission

53
Q

Assurance

A

Degree of confidence in satisfaction of security requirements. OUTSIDE AUDIT

54
Q

Data Diddling

A

Act of modifying information, programs, or documents to commit fraud, tampers with INPUT data

55
Q

Water holing

A

Create a bunch of websites with similar names

56
Q

Work Function (factor)

A

The difficulty of obtaining the clear text from the cipher text as measured by cost/time

57
Q

Fair Cryptosystems

A

In this escrow approach, the secret keys used in a communication are divided into two or more pieces, each of which is given to an independent third party. When the government obtains legal authority to access a particular key, it provides evidence of the court order to each of the third parties and then reassembles the secret key.

58
Q

FISMA (federal agencies) - Phase 1

A

Categorizing, selecting minimum controls, assessment

59
Q

FISMA (federal agencies) - Phase 2

A

Create national network of secure services to assess