Info Gov Flashcards
What are the 5 classifications commonly used by the U.S. department of Defence?
Unclassified Sensitive but Unclassified (SBU) Confidential Secret Top Secret
What is the opposite of CIA?
Disclosure
Alteration
Destruction
Which classification level (US DoD) may often use the terms “for official use only” or “for internal use only”?
Unclassified
What is the difference between unclassified and SBU? (US DoD)
SBU generally contains personal information ie medical records or disciplinary proceedings.
What is the lowest level of classified government information? (US DoD)
Confidential
What term is commonly used to collectively represent policies, procedures, guidelines and standards that help steer an organisations decisions and operations?
Governance
What are the four main types of policies?
SARI
Senior Management
Regulatory
Advisory
Informative
Which type of policy do most policies fall under?
SARI
Advisory
Which type of identity management system facilitates authentication, non-repudiation and access control via digital certificates?
PKI
Which 3 of the following 5 background checks would commonly be included as part of more extensive pre-employment screening?
Credit check
Drug test
Reference check
Special background investigation
Verification of personal/professional data in application
Credit check
Drug test
Special background investigations
Who is ultimately responsible for an organisations information security? management or information security professional?
Management
With regards information a system admin what commonly be known as what? Information owner or custodian?
Custodian
Which term is used to ensure that not one individual has complete authority or control over a critical system or process and also reduces dependence on individuals, ie avoiding a single point of failure?
Separation of duties
Which terms describes regularly transferring key personnel into different roles or positions in different parts of the organisation?
Job rotation
What 3 things does the risk assessment triple consist of?
Quantities risk methodologies
Risk calculations
Safeguard selection criteria and objectives
What 2 elements are multiplied to calculate a risk?
Threat x Vulnerability = Risk
What 3 elements does the risk management triple consist of?
Threat
Vulnerability
Asset
Risk management consists of 3 elements. What are they?
Identification
Analysis
Risk Treatment
When does risk identification occur?
During a risk assessment
What are the two methods used for determining the value of an asset?
Quantitive
Qualities
Which method is related to cost? Quantitive or qualative?
Quantitive
Which method is related to importance? Quantitive or qualative
Qualative
What 3 basic elements are used to determine the value of an asset?
Initial and maintenance costs
Organisational (internal) value
Public value
Which value (organisational or public) includes the cost of acquiring, creating or re-creatinine information, and the business impact or loss if the information is lost or compromised. It can also include liability costs, personal injury, death, etc?
Organisational
Which value (organisational or public) includes loss of proprietary information or processes and business reputation?
Public
What are the 4 basic steps in threat analysis?
- Define the threat
- Identify the consequences if threat occurs
- Determine the probable frequency of threat event
- Assess the probability of threat occurring
What two types are threats generally categorised as?
Man made
Natural
Which 4 steps are involved in risk analysis?
- Identify assets to be protected including sensitivity, value, importance to the organisation.
- Define specific threats including threat frequency and impact data
- Calculate Annualised Loss Expectancy (ALE)
- Select appropriate safeguards
How is the annual loss expectancy calculated?
SLE x ARO = ALE
Single loss expectancy x annual rate of occurrence
How is single loss expectancy (SLE) calculated?
Asset value x Exposure Factor
What is a measure of the negative effect or impact that a realised threat or event would have on a specific asset, expressed as a percentage otherwise known as?
Exposure factor
Which type of risk analysis would include the following advantages?
No complex calculations are required
Time and work effort involved is relatively low
Volume of input data required is relatively low
Qualative
Which type of risk analysis would include the following advantages?
Financial costs are defined (cost-benefit analysis)
More concise, specific data supports analysis, ie fewer assumptions
Analysis and calculations can often be automated
Specific quantifiable results are easier to communicate
Quantitive
Which type of risk analysis is scenario driven and doesn’t use numeric values?
Qualative
Which type of risk analysis attempts to assign objective numeric values?
Quantitive
Purely Quantitive risk analysis is generally not possible or practical? True or false?
True
What are the 4 methods of risk treatment?
Risk reduction
Risk assignment (or transference)
Risk avoidance
Risk acceptance
What is the calculation for cost benefit analysis?
ALE before safeguard - ALE after safeguard - cost of safeguard = value of safeguard
What should be considered when calculating the cost of a safeguard?
Total cost of ownership (TCO)
What 4 criteria should be considered when selecting a safeguard?
Cost effectiveness
Legal liability
Operational impact
Technical factors
What are the 3 main components of an effective security awareness program?
General awareness program, formal training and education
What 5 key factors are critical to a successful security awareness program?
Senior level management support
Demonstration that security supports business objectives
Demonstration that security affects all individuals and job functions
Take into account the target audience ie level of training
Action and follow up
Which person directs, coordinates, plans and organises information security activities throughout the organisation?
Security officer
Information Systems Security professional
Security Administrator
Security Officer
Who is responsible for drafting of policies, standards and supporting guidelines, procedures and baselines?
Security officer
Information Systems Security professional
Security Administrator
Information Systems Security Professional
Who is responsible for designing security controls into information systems, testing the controls and implementing the systems in production?
Security officer
Information Systems Security professional
Security Administrator
Information Systems/Technology Professional
Information Systems/Technology Professional
Who is responsible for managing user access requests and privileges?
Security officer
Information Systems Security professional
Security Administrator
Information Systems/Technology Professional
Security Administrator
NIST SP 800-53 is mandatory for US federal agencies and their contractors. True or False?
True
NIST SP 600-53 and ISO 27001 are examples of what?
Control frameworks
Common organisations that develop standards?
National Institute of Standards and technology (NIST)
Institute of Electronics and Electrical Engineers (IEEE)
American National Standards Institure (ANSI)
National Security Agency (NSA)
Guidelines are recommendations, best practices and templates documented in the frameworks created by other organisations such as:
- Control Objectives For Information and Related Technology (COBIT)
- the Capability Maturity Model (CMM)
- ISO 2700
Which two governance Framework documents are best to keep as standalone? procedures guidelines policies standards baselines
Standards and Policies
How often should a policy be reviewed?
Annually
The following are types of what?
Canada’s “Security of Information Act”
China’s Law on “Guarding State Secrets”
The UK’s “Official Secrets Act”
classification and categorisation systems.
NIST Federal Information Processing Standard 199 and NIST special publication 800-60 “Guide for mapping types of information and information systems to security categories” are required to be followed by whom
The US Federal Government
What are the 9 steps of the NIST Risk Methodology?
- System Characterisation
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Liklihood Determination
- Impact Analysis
- Risk Determination
- Control Reccomendations
- Results Documentation
Which Framework/Methodology identifies 5 areas of internal control necessary to meet the Financial Reporting and disclosure objectives?
-COSO (The Committee of sponsoring organisations of the Treadway Commission)
Which Framework/Methodology contains a set of best practices for IT core operational processes such as change, release and configuration management, incident and problem management, capacity and availability management and IT Financial Management. It’s primary contribution is showing how the controls can be implemented for the service management IT processes?
- ITIL (The IT Infrastructure Library)
- COBIT (Control Objectives for Information and Related Technology)
- ITIL (The IT Infrastructure Library)
Which Framework/Methodology provides an overall structure for information technology control and includes control objectives. Also used to examine effectiveness, efficiency, compliance, confidentiality, etc. of high level control objectives.
- ITIL (The IT Infrastructure Library)
- COBIT (Control Objectives for Information and Related Technology)
- COBIT (Control Objectives for Information and Related Technology)
What is ISO 17799:2005 standard?
contains 134 information security controls
What is ISO/IEC 27000?
the information security management series
What is ISO 27002:2005?
specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system
name 8 types of risk methodologies?
- NIST SP 800-30, 800-39, 800-66 - Qualative, used by US federal government, plus regulated industries and health care. 9 stages
- CRAMM - staged discipline approach, both technical and non-technical. uses asset identification & valuation, threat and vulnerability assessment and countermeasure selection and recommendation
- Failure Modes and Effect Analysis - hardware/software analysis using Immediate level, intermediate level and system wide
- FRAP - uses a narrow risk assessment. allows for pre-screening to determine is risk analysis is needed
- OCTAVE - driven by operational risk and security practices. criteria is a set of principles, attributes and outputs
- Security Officers Management and Analysis Project (SOMAP) - open information security management project
- Spanning Tree Analysis - creates a tree of all possible threats to or faults in a system
- VAR (Value At Risk) - provides a summary of the worst loss due to a security breach over a target horizon
In a quantitative risk methodology, the calculation ALE = SLE x ARO can be adjusted using which 2 estimates?
Local Annual Frequency Estimate (LAFE)
Standard Annual Frequency Estimate (SAFE)
What are the 4 elements of a risk?
threat
vulnerability
likelihood
impact
What is the calculation for risk?
likelihood x impact
Which risk methodology uses likelihood?
Qualitative
How can the likelihood be determined?
capabilities of the threat and the presence or absence of countermeasures
In asset valuation, what is the consensus/modified Delphi method?
Participants in a valuation exercise are asked to comment anonymously about the task at hand. results collected and then discussed in public forum
What is the difference between a tangible asset and a intangible asset?
Tangible is something physical, intangible is not.
How is a tangible asset generally valued?
Original cost minus depreciation.
What are 3 ways to determine tangible asset value?
- Original cost minus depreciation
- Actual market value through research
- cost of switching to a competing asset
Intangible assets can be defined as what?
Definite - expiration date ,ie patent
Indefinite - no expiration date, ie brand
How can an intangible asset value be calculated?
- cost to create and replace
- capitalisation of historic profits
- cost avoidance or savings
Job descriptions should have some reference to information security responsibilities. True or False?
True
Credit checks carried out as part of employment checks must be done in line with which pieces of legislation in the US?
Fair Credit Reporting Act (FCRA)
Equal Employment Opportunity Commission (EEOC)
In the US the law “Americans with Disabilities Act” (ADA) may provide protection for which individuals in the event of drug screening as part of employment checks?
individuals undergoing drug rehabilitation
What is a CIRT?
Computer Incident Response Team