Domain 3 - InfoSec Governance & Risk Mgt Flashcards
A potentially negative occurrence
Threat
The cost of loss due to risk over a year
Annualised Loss Expectancy (ALE)
A weakness in a system
Vulnerability
A matched threat and vulnerability
Risk
A measure taken to reduce risk
Safeguard
The cost of a safeguard
Total Cost of Ownership
Money saved by deploying a safeguard
Return on Investment - ROI
If your annual TCO is less than your ALE, then you have a positive ROI and have made a good choice. If the TCO is higher than the ALE, you have made a poor choice.
Cornerstone concept of information security that seeks to prevent unauthorised disclosure of information
Confidentiality
Cornerstone concept of information security that seeks to prevent unauthorised modification of information
Integrity
Cornerstone concept of information security that ensures information is available when needed
Availability
Unauthorised disclosure of information
Disclosure
Unauthorised modification of information or data
Alteration
Making systems unavailable
Destruction
Is a claim of who you are
Identity / identification
Proving an identity claim
Authentication
Describes the actions you can perform on a system once you have identified and authenticated
Authorisation
Holds user accountable for their actions
Accountability
Means a user cannot deny (repudiate) having performed a transaction
Non-repudiation
You must have both authentication and integrity to have non-repudiation. True or False?
True
Means a user should be granted the minimum amount of access (authorisation) required to do his job, but no more
Least privilege
Means a user can access data if he has a business need to do so.
Need to know. A user must need to know that specific piece of information before accessing it.
Is a layered defence that applies multiple safeguards (also called controls, or measures taken to reduce risk) to protect an asset
Defence in depth. All controls can fail, and sometimes multiple controls will fail. Deploying a range of different defence-in-depth safeguards lowers the chance that all controls will fail.
Assessing risk
Risk analysis
Valuable resources you are trying to protect. Eg. Data, systems, buildings, property etc.
Assets.
The value or criticality of the assets will dictate what safeguards to deploy. People are your most valuable asset.
A potentially harmful occurrence. Eg. Earthquake, power outage, network based worm.
Threat. A negative action that may harm a system.
Threat * vulnerability
Risk
A weakness that allows a threat to cause harm
Vulnerability
The severity of the damage
Impact
Threat * vulnerability * impact
Risk. When calculating risk using the formula, any risk including loss of human life is extremely high, and must be mitigated.
Allows you to perform qualitative risk analysis based on likelihood (from rare to almost certain) and consequences (or impact) from insignificant to catastrophic
Risk Analysis Matrix
It uses a quadrant to map the likelihood of a risk occurring against the consequences or impact the risk would have.
Allows you to determine the annual cost of a loss due to a risk, and to make informed decisions to mitigate the risk
Annualised Loss Expectancy - ALE
The value of an asset that you are trying to protect
Asset value
Is the percentage of an asset's value lost due to an incident
Exposure Factor - EF
Cost of single loss
Single Loss Expectancy - SLE
Number of losses you suffer per year
Annual Rate Of Occurrence - ARO
Is your yearly cost due to a risk
Annualised Loss Expectancy - ALE
The total cost of a mitigating safeguard
Total Cost Of Ownership - TCO
Asset value * Exposure Factor
Single Loss Expectancy - SLE
SLE * ARO
ALE
What are the risk choices?
- Accept the risk if TCO is higher than ALE
- Mitigate the risk
- Transfer the risk - Insurance
- Avoid the risk
A risk analysis that uses hard metrics such as dollars. It requires you to calculate the value of the assets you are protecting. It is more objective.
Quantitative Risk Analysis
A risk analysis that uses simple approximate values. The Risk Analysis Matrix can also be used. This type is more subjective.
Qualitative Risk Analysis
Is information security at the organisation level: senior management, policies, processes and staffing
Information Security Governance
A high-level management directive; is mandatory and does not delve into specifics
Policy
Step-by-step guide for accomplishing a task; low level and specific; are mandatory
Procedures
Describes the specific use of technology, often applied to hardware or software; are mandatory
Standards
Are recommendations which are discretionary
Guidelines
Uniform ways of implementing a safeguard; are discretionary
Baselines
Changes user behaviour about security
Security Awareness
Teaches a user how to do something
Security Training
Its role and responsibility is to ensure all assets are protected and to create a security program
Senior Management
The information owner or business owner
Data Owner
He provides hands-on protection of assets such as data. Doesn't make decisions
Custodian
He follows rules and complies with mandatory policies and procedures
User
Protection of the confidentiality of personal information (PII)
Privacy
Doing what a reasonable person would do. Prudent man rule
Due Care
Management of due care
Due Diligence
Opposite of due care
Gross negligence
A consensus of the best way to protect CIA of assets
Best Practice
The use of third party to provide IT support or services
Outsourcing
Is outsourcing to another country
Offshoring
Means verifying compliance with a security control framework.
Auditing
What is OCTAVE?
Operationally Critical Threat, Asset and Vulnerability Evaluation. A Risk Management Framework from Carnegie Mellon University
What are the 3 phases for managing risks according to OCTAVE?
Phase 1 - identifies staff knowledge, assets and threats
Phase 2 - identifies vulnerabilities and evaluates safeguards
Phase 3 - conducts risk analysis and develops the risk mitigation strategy.
Risk management guide for information technology systems developed by NIST
NIST SP-800-30
9 Steps Risk Analysis Process (NIST SP800-30)
- System characterisation - scope
- Threat identification
- Vulnerability identification
- Control analysis - Safeguard
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendation
- Results documentation
Information Technology - Security techniques; code of practice for information security management introduced by ISO
ISO/IEC 17799:2005
11 Areas of ISO 17799
- Policy
- Organisation of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and operations management
- Access Control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business Continuity Management
- Compliance
Is a control framework created by ISACA for deploying/employing information security governance best practices within an organisation.
COBIT - Control Objectives for Information and related Technology
4 Domains of COBIT
- Plan and organise
- Acquire and implement
- Deliver and support
- Monitor and evaluate
Is a framework for providing best services in IT Service Management or ITSM
ITIL - Information Technology Infrastructure Library
5 ITIL Service Management Practices
- Service strategy
- Service design
- Service transition
- Service operation
- Continual Service Improvement
Is a detailed inspection that verifies whether a system meets the documented security requirements
Certification
Data owner’s acceptance of the risk represented by that system.
Accreditation
NIST guide for Certification and Accreditation
NIST SP-800-37
4 Steps Process of NIST SP800-37 (Certification and Accreditation)
- Initiation phase
- Security certification phase
- Security accreditation phase
- Continuous monitoring phase
Doing what is morally right
Ethics
What are the four ISC2 canons (code of ethics)?
In order:
- Protect society, the commonwealth and the infrastructure
- Act honourably, honestly, justly, responsibly and legally
- Provide diligent and competent service to principals
- Advance and protect the profession