Domain 1 – Security Management Practices

Question 1

Government Classification Terms:

Answer 1

• Unclassified – Neither sensitive nor classified, public release is acceptable • Sensitive But Unclassified (SBU) – Minor secret, no serious damage if disclosed • Confidential – disclosure could cause damage to National Security • Secret - disclosure could cause serious damage to National Security • Top Secret – Highest Level - disclosure could cause exponentially grave damage to National Security

Question 2

Public Classification Terms

Answer 2

• Public – similar to unclassified, should not be disclosed but is not a problem if it is • Sensitive – data protected from loss of Confidentiality and integrity • Private – data that is personal in nature and for company use only • Confidential – very sensitive for internal use only - could seriously negatively impact the company

Question 3

Classification Criteria

Answer 3

• Value - number one criteria, if it is valuable it should be protected • Age – value of data lowers over time, automatic de-classification • Useful Life – If the information is made obsolete it can often be de-classified

Question 4

Personal Association

Answer 4

If the data contains personal information it should remain classified

Question 5

Distribution may be required in the event of the following:

Answer 5

• Court Order – may be required by court order • Government Contracts – government contractors may need to disclose classified information • Senior Level Approval – senior executives may approve release

Question 6

Owner

Answer 6

• May be executive or manager • Owner has final corporate responsibility of the data protection • Makes determination of classification level • Reviews classification level regularly for appropriateness • Delegates responsibility of data protection to the Custodian

Question 7

Custodian

Answer 7

• Generally IT systems personnel • Running regular backups and testing recovery • Performs restoration when required • Maintains records in accordance with the classification policy

Question 8

User

Answer 8

• Anyone the routinely uses the data • Must follow operating procedures • Must take due care to protect • Must use computing resources of the company for company purposes only

Question 9

Policies Standards, Guidelines and Procedures

Answer 9

• Policies are the highest level of documentation • Standards, Guidelines and Procedures derived from policies • Should be created first, but are no more important than the rest

Question 10

Senior Management Statement – general high-level statement

Answer 10

• Acknowledgment of importance of computing resources • Statement of Support for information security • Commitment to authorize lower level Standards, Guidelines and Procedures

Question 11

Regulatory Policies

Answer 11

Company is required to implement due to legal or regulatory requirements • Usually very detailed and specific to the industry of the organization • Two main purposes • To ensure the company is following industry standard procedures • To give the company confidence they are following industry standard procedures

Question 12

Advisory Polices

Answer 12

Not mandated but strongly suggested. • Company wants employees to consider these mandatory. • Advisory Policies can have exclusions for certain employees or job functions

Question 13

Informative Policies

Answer 13

• Exist simply to inform the reader • No implied or specified requirements

Question 14

Standards, Guidelines and Procedures

Answer 14

• Contain actual detail of the policy • How the policies should be implemented • Should be kept separate from one another • Different Audiences • Security Controls are different for each policy type • Updating the policy is more manageable

Question 15

Standards

Answer 15

Specify use of technology in a uniform way, compulsory

Question 16

Guidelines

Answer 16

similar to standards but not compulsory, more flexible

Question 17

Procedures

Answer 17

Detailed steps, required, sometimes called “practices”, lowest level

Question 18

Baselines

Answer 18

baselines are similar to standards, standards can be developed after the baseline is established

Question 19

Roles and Responsibilities-Senior Management

Answer 19

Has ultimate responsibility for security

Question 20

Roles and Responsibilities-Infosec Officer

Answer 20

Has the functional responsibility for security

Question 21

Roles and Responsibilities-Owner

Answer 21

Determines the data classification

Question 22

Roles and Responsibilities-Custodian

Answer 22

Preserves C.I.A.

Question 23

Roles and Responsibilities-User

Answer 23

Performs in accordance with stated policy

Question 24

Roles and Responsibilities-Auditor

Answer 24

Examines Security

Question 25

Identification of Risk

Answer 25

• Actual threat • Possible consequences • Probable frequency • Likely hood of event

Question 26

Risk Analysis

Answer 26

• Identification of risks • Benefit - cost justification of counter measures

Question 27

Risk Analysis Terms

Answer 27

• Asset – Resource, product, data • Threat – Action with a negative impact • Vulnerability – Absence of control • Safeguard – Control or countermeasure

Question 28

Exposure Factor

Answer 28

% of asset loss caused by threat

Question 29

SLE

Answer 29

Single Loss Expectancy Expected financial loss for single event

Question 30

ARO

Answer 30

Annualized Rate of Occurrence represents estimated frequency in which threat will occur within one year

Question 31

ALE

Answer 31

Annualized Loss Expectancy Annually expected financial loss

Question 32

Risk Analysis

Answer 32

• Risk analysis is more comprehensive than a Business Impact Analysis • Quantitative – assigns objective numerical values (dollars) • Qualitative – more intangible values (data) • Quantitative is a major project that requires a detailed process plan

Question 33

PSE

Answer 33

Preliminary Security Examination • Often conducted prior to the quantitative analysis. • PSE helps gather elements that will be needed for actual RA

Question 34

Risk Analysis Steps

Answer 34

1) Estimate of potential loss 2) Analyze potential threats 3) Define the Annualized Loss Expectancy (ALE)

Question 35

Categories of Threats-Information

Answer 35

Warfare – technically oriented terrorism

Question 36

Categories of Threats-Personnel

Answer 36

Unauthorized system access

Question 37

Categories of Threats-Application / Operational

Answer 37

ineffective security results in data entry errors

Question 38

Categories of Threats-Criminal

Answer 38

Physical destruction, or vandalism

Question 39

Categories of Threats-Environmental

Answer 39

utility outage, natural disaster

Question 40

Categories of Threats-Computer Infrastructure

Answer 40

Hardware failure, program errors

Question 41

Categories of Threats-Delayed Processing

Answer 41

reduced productivity, delayed collections processing

Question 42

Risk analysis should contain the following:

Answer 42

• Valuation of Critical Assets • Detailed listing of significant threats • Each threats likelihood • Loss potential by threat • Recommended remedial safeguards

Question 43

Remedies

Answer 43

Risk Reduction - implementation of controls to alter risk position Risk Transference – get insurance, transfer cost of a loss to insurance Risk Acceptance – Accept the risk, absorb loss

Question 44

Qualitative Scenario Procedure

Answer 44

• Scenario Oriented • List the threat and the frequency • Create exposure rating scale for each scenario • Scenario written that address each major threat • Scenario reviewed by business users for reality check • Risk Analysis team evaluates and recommends safeguards • Work through each finalized scenario • Submit findings to management

Question 45

Value Assessment

Answer 45

• Asset valuation necessary to perform cost/benefit analysis • Necessary for insurance • Supports safeguard choices

Question 46

Safeguard Selection

Answer 46

• Perform cost/benefit analysis • Costs of safeguards need to be considered including • Purchase, development and licensing costs • Installation costs • Disruption to production • Normal operating costs

Question 47

Cost Benefit Analysis

Answer 47

ALE (PreControl) – ALE (PostControl) = Annualized value of the control

Question 48

Level of manual operations

Answer 48

• The amount of manual intervention required to operate the safeguard • Should not be too difficult to operate

Question 49

Auditability and Accountability

Answer 49

Safeguard must allow for auditability and accountability

Question 50

Recovery Ability

Answer 50

• During and after the reset condition • No asset destruction during activation or reset • No covert channel access to or through the control during reset • No security loss after activation or reset • Defaults to a state that does not allow access until control are fully operational

Question 51

Security Awareness Training

Answer 51

Benefits of Awareness • Measurable reduction in unauthorized access attempts • Increase effectiveness of control • Help to avoid fraud and abuse Periodic awareness sessions for new employees and refresh other

Question 52

Methods of awareness improvement

Answer 52

• Live interactive presentations • CBTs • Publishing of posters and newsletters • Incentives and awards • Reminders, login banners

Question 53

Training & Education Types Are:

Answer 53

• Security training for Operators • Technical training • Infosec training • Manager training

Question 54

Deterrent

Answer 54

Intended to discourage a potential attacker : fences lightning

Question 55

Security framework

Answer 55

Program made up of many components: logical administrative, and physical

Question 56

BS799

Answer 56

British Standard 799 Was developed in 1995 defined how Information Security Management system should be built and maintained ant has two parts: Part1 outlines control objectives Part2 ISMS

Question 57

ISO/IEC 27000

Answer 57

standards that attempt to compartmentalize and modularize the necessary components of an ISMS, as shown here: • ISO/IEC 27000 Overview and vocabulary • ISO/IEC 27001 ISMS requirements • ISO/IEC 27002 Code of practice for information security management • ISO/IEC 27003 Guideline for ISMS implementation • ISO/IEC 27004 Guideline for information security management measurement and metrics framework • ISO/IEC 27005 Guideline for information security risk management • ISO/IEC 27006 Guidelines for bodies providing audit and certification of information security management systems • ISO/IEC 27011 Information security management guidelines for telecommunications organizations • ISO/IEC 27031 Guideline for information and communications technology readiness for business continuity • ISO/IEC 27033-1 Guideline for network security • ISO 27799 Guideline for information security management in health organizations

Question 58

PDCA

Answer 58

Plan- Do- Check- ACT Used in ISO/IEC 27000 series

Question 59

Zachman Framework

Answer 59

Model for the development of enterprise architectures developed by John Zachman What,How,Where,When,Why Planner,Owner,Designer,Builder,Worker

Question 60

TOGAF

Answer 60

Model and methodology for the development of enterprise architectures developed by The Open Group Used to develop the following architecture types: Business,Data,Applications,Technology.

Question 61

DODAF

Answer 61

Department of Defense architecture framework Focuses on: Command control,communications,computers,intelligence,surveillance and reconnaissance systems and processes.

Question 62

MODAF

Answer 62

British ministry of defense architecture framework Based upon DoDAF, get data in the right format,to the right people ASAP.

Question 63

SABSA

Answer 63

Sherwood Applied Business Security Architecture Similar to Zachman Framework(Enterprise Architecture), defines business requirements from security perspective . Each layer decries in abstraction: Contextual,Conceptual,Logical,Physical,Component,Operational. • What are you trying to do at this layer? The assets to be protected by your security architecture. • Why are you doing it? The motivation for wanting to apply security, expressed in the terms of this layer. • How are you trying to do it? The functions needed to achieve security at this layer. • Who is involved? The people and organizational aspects of security at this layer. • Where are you doing it? The locations where you apply your security, relevant to this layer. • When are you doing it? The time-related aspects of security relevant to this layer.

Question 64

CobiT

Answer 64

Control objectives for information and related technology set of control objectives for IT management developed by Information Systems Audit and Control Association (ISACA) and IT governance institute Security Controls development Plan and organize,Acquire and implement,Deliver and support, and monitor and evaluate IT products. Was derived from COSO -Controls to reduce risk of financial fraud Similar to NIST 800-53

Question 65

Sp 800-53

Answer 65

Set of controls to protect U.S. federal systems developed by the National Institute of Standards and Technology (NIST) outlines controls that agencies need to put into place to be compliant with the Federal Information Security Management Act of 2002

Question 66

COSO

Answer 66

Controls to reduce risk of financial fraud developed by Comittee of Sponsoring Organizations COSO 1985 Co

Question 67

Six Sigma

Answer 67

Six Sigma is a process improvement methodology. developed by Motorola It is the “new and improved” Total Quality Management (TQM) Is used to identify defects in processes so that the processes can be improved upon.

Question 68

CMMI

Answer 68

Capability Maturity Model Integration (CMMI) Process improvement model developed by Carnegie Mellon. CMMI is a maturity model that allows for processes to improve in an incremented and standard approach.

Question 69

ADM

Answer 69

Architecture Development Method (ADM). This method is an iterative and cyclic process that allows requirements to be continuously reviewed and the individual architectures updated as needed. These different architectures can allow a technology architect to understand the enterprise from four different views (business, data, application, and technology) so she can ensure her team develops the necessary technology to work within the environment and all the components that make up that environment and meet business requirements.

Question 70

Architecture Frameworks

Answer 70

Who the stakeholders? What information they need? MODAF:British ministry of defense architecture framework DODAF:Department of Defense architecture framework TOGAF:The Open Group architecture framework Zachman Framework 1980

Question 71

Enterprise Security Architecture

Answer 71

Subset of enterprise architecture Strategy how to make up ISMS Make sure that security efforts aligned with practices in standardized cost effective manner.

Question 72

Strategic alignment

Answer 72

Strategic alignment means the business drivers and the regulatory and legal requirements are being met by the security enterprise architecture. Security efforts must provide and support an environment that allows a company to not only survive, but thrive.

Question 73

ITIL

Answer 73

Information Technology Infrastructure Library is the de facto standard of best practices for IT service management.

Question 74

IRM

Answer 74

Information risk management (IRM) is the process of identifying and assessing risk reducing it to an acceptable level implementing the right mechanisms to maintain that level.

Question 75

Information Risk Management Policy

Answer 75

Proper risk management requires a strong commitment from senior management, a documented process that supports the organization’s mission, an information risk management (IRM) policy, and a delegated IRM team. The IRM policy should address the following items: • The objectives of the IRM team • The level of risk the organization will accept and what is considered an acceptable level of risk Formal processes of risk identification • The connection between the IRM policy and the organization’s strategic planning processes • Responsibilities that fall under IRM and the roles to fulfill them • The mapping of risk to internal controls • The approach toward changing staff behaviors and resource allocation in response to risk analysis • The mapping of risks to performance targets and budgets • Key indicators to monitor the effectiveness of controls

Question 76

IRM team.

Answer 76

The Risk Management Team The overall goal of the team is to ensure the company is protected in the most cost-effective manner. This goal can be accomplished only if the following components are in place: • An established risk acceptance level provided by senior management • Documented risk assessment processes and procedures • Procedures for identifying and mitigating risks • Appropriate resource and fund allocation from senior management • Security-awareness training for all staff members associated with information assets • The ability to establish improvement (or risk mitigation) teams in specific areas when necessary • The mapping of legal and regulation compliancy requirements to control and implement requirements • The development of metrics and performance indicators so as to measure and manage various types of risks • The ability to identify and assess new risks as the environment and company change • The integration of IRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities

Question 77

SP 800-30

Answer 77

NIST developed a risk methodology, which is published in their SP 800-30 document. This NIST methodology is named a “Risk Management Guide for Information Technology Systems” and is considered a U.S. federal government standard. It is specific to IT threats and how they relate to information security risks. It lays out the following steps: • System characterization • Threat identification • Vulnerability identification • Control analysis • Likelihood determination • Impact analysis • Risk determination • Control recommendations • Results documentation

Question 78

FRAP

Answer 78

Facilitated Risk Analysis Process. The crux of this qualitative methodology is to focus only on the systems that really need assessing to reduce costs and time obligations. It stresses prescreening activities so that the risk assessment steps are only carried out on the item(s) that needs it the most.

Question 79

OCTAVE

Answer 79

Another methodology called OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) was created by Carnegie Mellon University’s Software Engineering Institute. It is a methodology that is intended to be used in situations where people manage and direct the risk evaluation for information security within their company. This places the people that work inside the organization in the power positions as being able to make the decisions regarding what is the best approach for evaluating the security of their organization. This relies on the idea that the people working in these environments best understand what is needed and what kind of risks they are facing.

Question 80

FRAP vs OCTAVE

Answer 80

The scope of an OCTAVE assessment is usually very wide compared to the more focused approach of FRAP. Where FRAP would be used to assess a system or application, OCTAVE would be used to assess all systems, applications, and business processes within the organization.