Domain 1 - Security & Risk Management Flashcards
Incident
Some sort of occurrence or event
Breach
An occurrence or event that has a negative outcome
A countermeasure being bypassed or rendered ineffective
Disclosure
Making ‘secret’ information ‘public’
Patent
A set of exclusive rights granted by a sovereign state to an inventor for a limited period of time (typically 20 years), in exchange for public disclosure.
Copyright
Protects published or unpublished original work (for the duration of the author's life, plus 50 years) from unauthorized duplication without due credit and compensation.
Trademark
A recognizable sign, design, or unique expression that distinguishes the products or services of a particular source from those of others; when applied to services, usually called service marks.
Three major international intellectual-property protection treaties are…
Berne Convention
Universal Copyright Convention
WIPO Copyright Treaty
The five rights associated with a copyright
[ R A M P D ]
- Reproduce the work in any form, language, or medium
- Adapt or derive more works from it
- Make and distribute its copies
- Perform it in public
- Display it in public
International Traffic in Arms Regulations (ITAR)
What is considered exportable
Export Administration Regulations (EAR)
Under what conditions we can export
The Wassenaar Arrangement
Dual-use goods
What are the OECD Principles?
Organisation for Economic Co-operation and Development
Eight Core Principles:
- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
- Security Safeguards
- Openness
- Individual Participation
- Data Controller Accountability
(ISC)2 Code of Professional Ethics
- Protect society, the commonwealth, and the infrastructure (Do no harm, Protect life FIRST)
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
“Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.”
Security Policy
Direction from senior management (Strategic)
Standard
Formalized
Procedure
Step-by-step method of accomplishing something (Tactical)
Guideline
Best Practice recommendation
Business Impact Analysis (BIA) goals
- Determine Criticality
- Estimate Maximum downtime
- Evaluate Internal and External Resource Requirements
Business Impact Analysis (BIA) process steps
- Gather requirements/info
- Vulnerability assessment
- Risk Analysis
  + QUANT-itative (ALE = SLE * ARO): facts, numbers, money
  + QUAL-itative
- Communicate findings
RTO
Recovery Time Objective
The target amount of time within which a system should be back online.
RPO
Recovery Point Objective
The amount of data or information we are willing to lose in order to restore (tied to backup time)
Risk
The probability that a given threat source will exercise a particular vulnerability, and the resulting impact should that occur
Threat
An event or situation that if it occurred, would prevent the organization from operating in its normal manner
A potential occurrence that may cause an undesirable outcome
Vulnerability
Weakness
Likelihood
Chance that something might happen
Impact
What a threat will cost (quantitative/qualitative)
Countermeasure (control)
Mechanism applied to minimize risk
Residual Risk
Remaining risks after all the countermeasures/controls have been applied
Risk Assessment Process (NIST SP800-30R1)
Step 1: Prepare for assessment
Step 2: Conduct assessment
a) Identify threat sources and events
b) Identify vulnerabilities and predisposing conditions
c) Determine likelihood of occurrence
d) Determine magnitude of impact
e) Determine risk
Step 3: Communicate results
Step 4: Maintain assessment
Risk Response
- Avoid (choose not to engage in activities that lead to risk)
- Accept (agree to carry on activities knowing risk)
- Transfer (insurance)
- Mitigate
Countermeasure selection and implementation
Cost
Effectiveness
Appropriateness
Types of Controls
Physical
Administrative
Logical (Technical)
Seven Types of Control
- Directive
- Deterrent
- Preventative
- Compensating
- Detective
- Corrective
- Recovery
Tailoring
Filtering
Scoping
Deciding what is in and what is out. What are you going to focus on? Think rifle scope.
Security Control Assessment (SCA)
Penetration Test Methodology
- Reconnaissance
- Enumeration
- Vulnerability Analysis
- Execution / Exploitation
- Document findings
Process Steps for Qualitative Assessment
- Seek Senior Mgmt Approval
- Form a risk assessment team
- Analyze Data
- Calculate Risk
- Countermeasure Recommendations
The Deming Cycle (PDCA) is part of which stage of the process?
Continuous Improvement (CI)
PDCA stands for what?
Plan
Do
Check
Act
COSO is a risk management framework associated with which sector?
Financial - Reporting and Disclosure Objectives
What are the 5 Lifecycle Phases of ITIL?
- Service STRATEGY
- Service DESIGN
- Service TRANSITION
- Service OPERATION
- Continual Service Improvement (CSI)
COBIT
IT Governance Framework
Governance Risk and Compliance (GRC)
What is the NIST document number for ‘Guide to Conducting Risk Assessments’?
NIST800-30R1
What is ‘threat modeling’?
A process by which potential threats, such as structural vulnerabilities, can be identified, enumerated, and prioritized - all from a hypothetical attacker's point of view.
What are the 5 steps in the threat modeling process?
- Identify Security Objectives
- Survey the Application / System
- Decompose it
- Identify Threats
- Identify Vulnerabilities
What type of model is STRIDE?
Threat Model
What type of model is OCTAVE?
Threat Model
Which threat model(s) would be used to provide a visual representation based on Data Flow Diagrams?
PASTA
TRIKE
Which threat model(s) would be used to provide a visual representation based on Process Flow Diagrams?
VAST
What is the NIST document number for ‘Supply Chain Risk Management Practices for Federal Information Systems and Organizations’?
NIST SP800-161
How does an SLA differ from an SLR?
An SLA is a contract between you (the customer) and the vendor that sets certain minimum guarantees for the service
An SLR is a list of the things that the service must provide
What is the role of a Data Owner?
Responsible for data classification
What is the role of the Data Custodian?
Responsible for implementing data protections at the direction of the Data Owner
Performs all activities necessary to provide CIA protection.
What is another name for a user?
Subject
What is another name for data?
Object
What is an Asset?
Anything within the organization that has value and should be afforded CIA protections
What is Asset Valuation?
Dollar value assigned to an asset
What is deployed to mitigate risk?
Safeguard
Control
Countermeasure
Define ‘attack’
The exploitation of a vulnerability by a threat agent
Formula to determine ALE
ALE = SLE * ARO
What is Governance?
All about Oversight
Due Care
Due Diligence
Guidance from Sr Mgmt
What is CRIMINAL law?
Harms done to one or more individuals or organizations
JAIL TIME
What is CIVIL law?
Interactions between business and the individual
FINANCIAL PENALTY
What is ADMINISTRATIVE law?
Day-to-day oversight and regulation