Domains 1 & 2: Security and Risk Management / Asset Security Flashcards

1
Q

What is the CIA Triad?

A

Confidentiality: assurance that objects are accessed by authorized subjects only

Integrity: assurance that objects maintain their accuracy and truthfulness and are modified only intentionally, by authorized subjects

Availability: assurance that objects are always accessible to authorized subjects; protects against Denial of Service (DoS) attacks

An enterprise security architecture should be a balance of all three.

2
Q

What are the 3 types of data?

A

(1) Data at rest: data sitting on disks somewhere, not being used
(2) Data in motion: data traversing the network
(3) Data in use: data actively being used on a workstation or server

3
Q

What is Need-to-Know?

A

A user may be cleared for more than they need, but is only given access to what they need to know.

4
Q

What is least privilege?

A

Give users and systems only the minimum access they need to do their job.

5
Q

What is IAAA?

A

Identification, Authentication, Authorization, Accountability

Identification: something that identifies you; it is unique

Authentication: proves you are who you claim to be (something you know, something you have, something you are)

Authorization: what you are allowed to access

Accountability: auditing; the ability to trace an action back to an identity

6
Q

What is non-repudiation?

A

A user cannot deny having performed a certain action; requires both Authentication and Integrity.

7
Q

What are Subject and Object?

A

Subject: most often users, but can also be programs (active)

Object: a resource to which access is controlled, e.g. data (passive)

The subject acts on the object.

8
Q

What is PCI DSS?

A

Payment Card Industry Data Security Standard

An industry standard, but required if the enterprise handles debit and credit card information

9
Q

What is OCTAVE?

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation

Self-directed risk management

10
Q

What is COBIT?

A

Control Objectives for Information and related Technology

Goals for IT: stakeholder needs are mapped down to IT-related goals

11
Q

What is ITIL?

A

Information Technology Infrastructure Library

IT Service Management

12
Q

What is COSO?

A

Committee of Sponsoring Organizations

Goals for the entire organization

13
Q

What is FRAP?

A

Facilitated Risk Analysis Process

Analyze one business unit, application or system at a time in a roundtable brainstorm with internal employees. The impact is analyzed and the risks and threats are prioritized.

14
Q

List the 27000 series (5 in total):

A

ISO 27001: establishing, implementing, controlling and improving Information Security Management Systems (ISMS); uses Plan, Do, Check, Act (PDCA)

ISO 27002: provides practical advice on how to implement security controls; it has 10 domains it uses for Information Security Management Systems; the more in-depth companion to 27001

ISO 27004: Metrics to measure how successful our ISMS is

ISO 27005: Standard-based approach to Risk Management

ISO 27799: Directives on how to protect PHI (protected health information)

15
Q

What is Layered Defense (Onion Defense)?

A

Multiple overlapping security controls to protect an asset.

16
Q

What is Due Diligence?

What is Due Care?

A

Due Diligence: the research, the preparation, all the practical “stuff” you do before implementing something.

Due Care: the implementation, monitoring and confirmation that everything is working as it should.

17
Q

Code of Ethics Preambles

A

The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

18
Q

What are the 4 Code of Ethics Canons?

A
  1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  2. Act honorably, honestly, justly, responsibly, and legally.
  3. Provide diligent and competent service to principals.
  4. Advance and protect the profession.
19
Q

What are the security governance principles?

A
  1. Values (ethics, principles, beliefs)
  2. Vision (what we aspire to be - hopes and ambition)
  3. Mission (who do we do it for - motivation and purpose)
  4. Strategic Objectives (how are we going to progress - plans, goals, sequencing)
  5. Action and Key Performance Indicators - (what do we need to do and how do we know we achieved it - actions, resources, outcomes, owners, and timeframe)
20
Q

What are the 3 types of Information Security Governance policies?

A

Regulatory (associated with regulatory compliance)

Advisory (outlines acceptable behavior expectations)

Informational

21
Q

What are the access control categories?

A

Administrative (Directive) - organizational policies and procedures; regulation, training and awareness

Technical - hardware, software, firmware, firewalls, routers, encryption

Physical - locks, fences, guards, dogs, gates

22
Q

What are the access control types?

A

Preventative - prevents actions from happening (least privilege, firewalls, etc)

Detective - controls that detect during or after an attack (alarms, CCTV, etc.)

Corrective - controls that correct the damage of an attack (patches, anti-virus)

Recovery - controls that help us recover after an attack (DR environments, backups)

Deterrent - controls that deter an attack (fences, lights, beware of the dog signs)

Compensating - alternative controls used when the primary controls are impossible or too costly to implement

23
Q

What is risk?

A

Threat x Vulnerability x Impact (how bad is it?)

24
Q

What is the risk management lifecycle?

A
  1. IT Risk Identification
  2. IT Risk Assessment
  3. Risk Response and Mitigation
  4. Risk and Control Monitoring and Reporting
25
Q

Risk Assessment

A

Quantitative Risk Analysis (what will it cost us?) and Qualitative Risk Analysis (how likely is it to happen, and how bad is it if it happens?); the organization’s risk response is always based on cost-benefit analysis

26
Q

What is total risk?

A

Threat x Vulnerability x Asset Value

27
Q

What is residual risk?

A

Total risk - Countermeasures

28
Q

What are tangible assets?

A

physical hardware, buildings, anything you can touch…

29
Q

What are intangible assets?

A

data, trade secrets, reputation

30
Q

Asset value (AV)

A

how much is the asset worth?

31
Q

Exposure Factor (EF)

A

how much of that asset is lost in an incident; the percentage of asset lost

32
Q

Single Loss Expectancy (SLE)

A

SLE = AV x EF; what does it cost if it happens once?

33
Q

Annual Rate of Occurrence (ARO)

A

how often will this happen each year?

34
Q

Annualized Loss Expectancy (ALE)

A

what it costs per year if we do nothing

35
Q

Total Cost of Ownership (TCO)

A

the mitigation cost: upfront + ongoing costs (normally operational)

36
Q

What are the risk responses?

A

Accept the risk: we know the risk is there, but the mitigation is more costly than the cost of the risk

Mitigate the risk (Reduction): implement a solution that reduces the risk; whatever risk is leftover is residual risk

Transfer the risk: the insurance approach

Risk avoidance: completely eliminating any hazard that might harm the organization, its assets or its stakeholders; remove the chance that the risk might become a reality

Risk rejection: you know the risk is there but choose to ignore it; this is NEVER acceptable

37
Q

NIST 800-30

A

U.S. National Institute of Standards and Technology Special Publication

9-step process for risk management:

  1. System characterization (risk management scope, boundaries, system and data sensitivity)
  2. Threat identification (what are the threats to our systems?)
  3. Vulnerability identification (what are the vulnerabilities in our systems?)
  4. Control analysis (analysis of the current and planned safeguards, controls and mitigations)
  5. Likelihood determination (qualitative - how likely is it to happen?)
  6. Impact analysis (qualitative - how bad is it if it happens? Loss of CIA)
  7. Risk determination (evaluate 5 + 6, determine the risk and its associated risk level)
  8. Control recommendations (what can we do to mitigate, transfer, … the risk?)
  9. Results documentation (documentation with all the facts and recommendations)