Governance

Question 1

Risk Assessment

Answer 1

o Identify and Valuate Assets

o Identify Threats and Vulnerabilities

Question 2

Risk Analysis

Answer 2

o	Qualitative	
o	Quantitative (best)

Question 3

Risk Mitigation/Response

Answer 3

o Reduce /Avoid
o Transfer
o Accept /Reject

Question 4

Risk Management

Answer 4

1. Risk Assessment
2. Risk Analysis
3. Risk Mitigation/Response
4. Ongoing Risk Monitoring

Question 5

TCO

Answer 5

Total Cost of Ownership (TCO)- total cost of a mitigating safeguard

Question 6

Threat

Answer 6

potentially harmful occurrence (e.g. earthquake, attack)

Question 7

Vulnerability

Answer 7

a weakness that allows a threat to cause harm

Question 8

Impact

Answer 8

consequences or severity of the damage, sometimes expressed in dollars

Question 9

AV

Answer 9

Asset Value (AV)- tangible (i.e. equipment costs) and intangible assets. Intangible assets are calculated by:

• Market approach- price at which comparable assets have been purchased
• Income approach- the present value of the future earning capacity
• Cost approach- the cost incurred to recreate or replace asset

Question 10

EF

Answer 10

Exposure Factor (EF)- percentage of value an asset lost due to an incident

Question 11

ARO

Answer 11

Annual Rate of Occurrence (ARO)- number of losses per year

Question 12

SLE

Answer 12

Single Loss Expectancy (SLE)- cost of a single loss; SLE = AV x EF

Question 13

ALE

Answer 13

Annualized Loss Expectancy (ALE)- annual cost of loss due to risk; ALE = SLE x ARO

Question 14

ROI

Answer 14

Return on Investment (ROI)- money saved by implementing a safeguard; ROI = ALE - TCO

Question 15

Risk Option

Answer 15

Risk Options- Accept, Mitigate, Transfer (eg insurance), Reject (ignore)

Question 16

NIST (800-30) Risk Management Process

Answer 16

NIST (800-30) Risk Management Process:

1. System characterization
2. Threat ID
3. Vulnerability ID
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation

Question 17

Due Care

Answer 17

Due Care- doing what a reasonable person would do; it’s the actions of performing Due Diligence

Question 18

Due Diligence

Answer 18

Due Diligence- research, documentation & management of Due Care

Question 19

Best Practice

Answer 19

Best Practice- consensus on the best way to accomplish something; demonstrates due care and due diligence

Question 20

ISO 27001

Answer 20

ISO 27001- specification for an information security management system (ISMS). Organizations which meet the standard may gain an official certification issued by an independent and accredited certification body on completion of an audit

Question 21

ISO 27002

Answer 21

ISO 27002 (was ISO 17799 until 2005)- Focused on best practices/techniques for IS, with 11 areas:

1. Policy
2. Organization of information security
3. Asset Management
4. HR Security
5. Physical & Environmental security
6. Communications and Operations management
7. Access Control
8. Info systems acquisition, development & maintenance
9. Info security incident management
10. Business continuity management
11. Compliance

Question 22

ITIL

Answer 22

ITIL (Information Technology Infrastructure Library)

1. Framework for providing best practices on IT Service Management (ITSM)
2. Five practices, publications
3. Service Strategy
4. Service Design
5. Service Transition
6. Service Operations
7. Continual Service Improvement

Question 23

PCI DSS

Answer 23

PCI DSS- Payment Card Industry Data Security Standard

Question 24

COBIT

Answer 24

COBIT (Control Objectives for Information and related Technology)- IT goals focused

Question 25

COSO

Answer 25

COSO ((Committee of Sponsoring Organizations)- business goals focused

Question 26

OCTAVE

Answer 26

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Analysis) - approach where analysts identify assets, their criticality, identify vulnerabilities and threats, and base the protection strategy to reduce risk

Question 27

FRAP

Answer 27

FRAP (Facilitated Risk Analysis Process) Qualitative analysis used to determine whether or not to proceed with a quantitative analysis. If likelihood or impact is too low, the quantitative analysis if foregone

Question 28

Certification

Answer 28

Certification- a detailed inspection that verifies a system meets the security requirements; precedes and supports accreditation

Question 29

Accreditation

Answer 29

Accreditation- data owners acceptance of the risk represented by the system; authorizes operation

Question 30

NIST 4 step Certification and Accreditation process

Answer 30

NIST 4 step Certification and Accreditation process

1. Initiation
2. Security Certification Phase
3. Security Accreditation Phase
4. Continuous Monitoring Phase