GRC CHAPTER 1 & 2 WEEK 1 Flashcards
What is the purpose of Appendix III to OMB Circular No. A-130?
Establishes a minimum set of controls for Federal automated information security programs
Assigns Federal agency responsibilities for the security of automated information and links agency automated information security programs with agency management control systems.
Define ‘Application’ in the context of information resources.
Use of information resources to satisfy a specific set of user requirements
What is a ‘General Support System’?
An interconnected set of information resources under the same direct management control sharing common functionality
What distinguishes a ‘Major Application’?
Requires special attention to security due to risk and magnitude of harm from loss, misuse, or unauthorized access
List the basic requirements for deploying risk-based IT systems.
- System Risk
- Potential Impact
- Security Control
- Data Classification
- Adequate Security
- System Development Life Cycle (SDLC)
- Risk Management
- Relevant Standards & Regulations
- Roles & Responsibilities
What is an ‘Asset’ in information security?
People, property, and information that we are trying to protect
Define ‘Threat’ in the context of information security.
Anything that can exploit a vulnerability and obtain, damage, or destroy an asset
What does ‘Vulnerability’ refer to?
Weaknesses or gaps in a security program that can be exploited by threats
Define ‘Likelihood’ in information security.
Probability that a potential vulnerability may be exploited in the associated threat environment
What is ‘Risk’ in information security?
Potential for loss, damage, or destruction of an asset due to a threat exploiting a vulnerability
What is the Risk Formula?
R = V + A + T
True or False: Risk is the intersection of assets, threats, and vulnerabilities.
True
Fill in the blank: A _______ is a weakness or gap in our protection efforts.
Vulnerability
What is the definition of Impact in InfoSec?
The magnitude of harm from unauthorized disclosure, modification, destruction of information, or loss of system availability.
Impact is governed by potential mission impacts and produces a relative value for affected IT assets.
What are the basic requirements for Risk-Based IT Systems?
- Adequate Security & Risk
- Security Objectives
- Potential Impact
- Security Controls
- Data Classification
These requirements ensure a comprehensive approach to information security.
What does Adequate Security mean?
Security commensurate with the risk and magnitude of harm from loss, misuse, or unauthorized access to information.
This is defined in OMB A130 Appendix III.
How is Risk defined in InfoSec?
A measure of the extent to which an entity is threatened by a potential circumstance or event, based on likelihood and adverse impacts.
Risk assessment is crucial for determining security measures.
What are the three main Security Objectives?
- Confidentiality
- Integrity
- Availability
These objectives are essential for maintaining the security of information systems.
What does Confidentiality prevent?
The unauthorized disclosure of information.
Loss of confidentiality occurs when information is disclosed to unauthorized individuals or systems.
What is the definition of Integrity in InfoSec?
Prevents the unauthorized modification or destruction of information.
Loss of integrity is characterized by unauthorized changes to information.
What does Availability ensure?
Timely and reliable access to and use of information.
Loss of availability refers to the disruption of access to information or information systems.
What are the three levels of Potential Impact in case of a security breach?
- Low
- Moderate
- High
Each level indicates the severity of the adverse effects on operations, assets, or individuals.
What characterizes a Low level of impact?
Limited adverse effect on organizational operations, assets, or individuals.
Minor harm to individuals may occur.
What characterizes a Moderate level of impact?
Serious adverse effect on organizational operations, assets, or individuals without loss of life.
Significant impact but no serious injuries.
What characterizes a High level of impact?
Severe or catastrophic adverse effect on operations, assets, or individuals, including loss of life.
Major consequences may arise from such incidents.
What are Security Controls?
Safeguards or countermeasures to avoid, counteract, or minimize security risks.
They can be classified by the timing of their occurrence relative to a security incident.
What are Preventive controls?
Controls intended to prevent an incident from occurring.
Example: locking out unauthorized intruders.
What are Detective controls?
Controls intended to identify and characterize an incident in progress.
Example: sounding an alarm to alert security personnel.
What are Corrective controls?
Controls intended to limit the extent of damage caused by an incident.
Example: recovering the organization to normal operations as quickly as possible.
What are Deterrent controls?
Controls that discourage security violations.
Example: presence of security cameras may deter theft.
What are Compensating controls?
Controls intended to reduce risk due to existing or potential control weaknesses.
Often used in real-world situations where a control is missing.
What is Data Classification?
The process of assigning a level of sensitivity to data.
This determines the extent to which data needs to be controlled or secured.
What are typical sensitivity levels in Data Classification?
- Top Secret
- Secret (Highly Confidential)
- Confidential (Proprietary)
- Internal Use Only
- Public
Sensitivity levels indicate the data’s value and required security measures.
What are the five phases of the System Development Lifecycle (SDLC)?
- Initiation
- Development/Acquisition
- Implementation
- Operation and Maintenance
- Disposition/Disposal
These phases outline the process for integrating security into system development.
What is the purpose of the Initiation phase in the SDLC?
Need and Purpose (Business Case)
This phase identifies the necessity and objectives for the system.
What tasks are involved in the Development/Acquisition phase of the SDLC?
Design, Purchased, and Developed
This phase focuses on creating or acquiring the system.
What occurs during the Implementation phase of the SDLC?
Testing, Accept, and Install
This phase ensures the system is tested and accepted before full deployment.
What is the focus of the Operation and Maintenance phase in the SDLC?
Operate, Modify, and Maintain
This phase involves ongoing operation and updates to the system.
What does the Disposition/Disposal phase in the SDLC entail?
System or Parts Termination
This phase deals with the proper termination or disposal of the system or its components.
What are the benefits of integrating security into the SDLC?
- Early identification and mitigation of issues
- Lower cost of control implementation
- Maximize security program ROI
- Awareness of potential challenges
- Mandatory security requirements
- Identification of common and inherited items
- Shared security services
- Reuse of security strategies and tools
- Facilitation of executive decision making
- Comprehensive, timely risk management
These benefits enhance the overall security posture of the organization.
What is the NIST Risk Management Framework (RMF)?
A framework that promotes ongoing authorization and risk management through continuous monitoring processes.
It integrates security with Enterprise Architecture and SDLC.
What are the RMF-Based Characteristics?
- Near real-time risk management and ongoing authorization
- Use of automated support tools for decision making
- Integrates security with Enterprise Architecture and SDLC
- Equal emphasis on phases of the RMF
- Links risk management to all organization levels
- Establishes Responsibility and Accountability
These characteristics ensure a comprehensive approach to risk management.
What is the purpose of Tiers of Risk Management in NIST SP 800-39?
To implement multi-tier organization-wide risk management.
This approach is tightly coupled to Enterprise Architecture and Information Security Architecture.
What does Tier 1 of the Organization-wide Risk Management address?
Risk from the organizational perspective.
It develops a comprehensive governance structure and enterprise-wide risk management strategy.
What does Tier 2 of the Organization-wide Risk Management focus on?
Risk from a mission and business process perspective.
It is guided by risk management decisions taken at Tier 1.
What is the focus of Tier 3 in the Organization-wide Risk Management?
Risk from an information system perspective.
It is guided by risk management decisions taken at Tier 2.
What are the steps in the NIST Risk Management Framework?
- Step 0: Prepare
- Step 1: Categorize Information Systems
- Step 2: Select Security Controls
- Step 3: Implement Security Controls
- Step 4: Assess Security Controls
- Step 5: Authorize Information Systems
- Step 6: Monitor Security Controls
These steps outline the entire RMF process.
What is the purpose of Step 0 in the NIST RMF?
Preparing for the RMF process.
This step sets the groundwork for effective risk management.
What does Step 1 of the NIST RMF involve?
Categorizing the system and identifying security objectives.
This step helps determine the necessary security controls based on the system’s categorization.
What is accomplished in Step 2 of the NIST RMF?
Select a baseline of security controls based on Security Categorization.
This baseline is tailored and supplemented based on a risk assessment.
What is the goal of Step 3 in the NIST RMF?
Implement and describe how the controls are used within the system.
This step ensures that security measures are operational.
What is assessed in Step 4 of the NIST RMF?
The extent to which security controls are implemented correctly, operating as intended, and producing the desired outcome.
This assessment is crucial for understanding the effectiveness of the security measures.
What does Step 5 in the NIST RMF involve?
Authorize the system based on the determination of acceptable risk to the organization.
This step is critical for formal approval of the system’s operation.
What is monitored in Step 6 of the NIST RMF?
System controls assessing effectiveness, documenting changes, and reporting the security posture to officials.
Continuous monitoring is essential for maintaining security compliance.
