Info Sec Gov and Risk Mgt Flashcards
Qualitative Risk Analysis
performed via Risk Analysis Matrix and is based on likelihood and consequences; uses simple approximate values, more subjective
senior management
creates the information security program and ensures that it is properly staffed and funded
AV
asset value: value of the asset you are trying to protect
procedure
step-by-step guide for accomplishing a task; low level and specific; mandatory
accreditation
data owner’s acceptance of the risk represented by that system
HIPAA
Healthcare
due diligence
management of due care
Certification
detailed inspection that verifies whether a system meets the documented security requirements
ROI
return on investment: money saved by deploying a safeguard
Policy purpose
describes the need for the policy
GLBA
Gramm-Leach-Bliley Act: protects financial info in USA
policy types
NIST spec pub 800-12 [4] Chap 5 describes 3 specific policy types: program policy, issue-specific policy, system-specific policy
4 steps to C&A
1. initiation phase 2. security certification phase 3. security accreditation phase 4. continuous monitoring phase
Info security governance
Info Sec at the organizational level: senior mgt, policies, processes, staffing
SLE
single loss expectancy: cost of a single loss
who poses biggest security risk to an org
user
privacy
protection of the confidentiality of personal info
risk
a matched threat and vulnerability
transfer the risk
“insurance model”; you pay someone else to assume the risk (like homeowners insurance)
safeguard
measure taken to reduce risk
market approach
assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances
standards
describes the specific use of technology; mandatory
due care
doing what a reasonable person would do; aka “prudent man rule”
4 domains of COBIT
1. plan and organize 2. acquire and implement 3. deliver and support 4. monitor and eval
data owner
management employee responsible for ensuring that specific data is protected
Risk Choices
Accept, Mitigate/eliminate, transfer, avoid
offshoring
outsourcing to another country
Quantitative Risk Analysis
uses hard metrics, such as dollars, more objective; ie calculating ALE
ITIL Service Mgt practices publications
1. service strategy 2. service design 3. service transition 4. service operation 5. continual service improvement
cost approach
estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset
ISO 17799
broad-based approach for info sec code of practice; 11 areas: 1. policy 2. org of info sec 3. asset mg’t 4. human resources sec 5. physical and environmental sec 6. comm and ops mgt 7. access control 8. info sys acq, dev, and mx 9. info sec incident mgt 10. business continuity mgt 11. compliance
mitigate the risk
lowering the risk to an acceptable level
OCTAVE
operationally critical threat, asset, and vulnerability evaluation; 3 phases: 1. ID staff knowledge, assets, threats 2. ID vulnerabilities and eval safeguards 3. conduct risk analysis and develop risk mitigation strategy
ARO
annual rate of occurrence: number of losses you suffer per year
income approach
based on the premise that the value of a security or asset is the present value of the future earning capacity that an asset will generate over the remainder of its useful life
loss of human life
near infinite impact and must be mitigated at almost any cost
SOX
Sarbanes-Oxley: publicly traded data in USA
policy
high-level management directives; mandatory; components: purpose, scope, responsibilities, compliance
vulnerability
weakness in a system
auditing
verifying compliance to a security control framework
gross negligence
opposite of due care
user
must follow the rules; cannot assume they know, must tell them via information security awareness
outsourcing
use of a 3rd party to provide IT support services that were previously performed in-house
Risk Equations
Asset Value (AV); Exposure Factor (EF); Single Loss Expectancy (SLE) = AV * EF; Annual Rate of Occurrence (ARO); Annualized Loss Expectancy (ALE) = SLE * ARO
ALE
Annualized Loss Expectancy: cost of loss due to a risk over a year; allows you to make informed decisions to mitigate risk
three methods for calculating value of intangible assets
Market approach, income approach, cost approach
risk avoidance
simply not doing something that introduces risk
guidelines
recommendations
aspects of personnel security
background checks, employee termination, security awareness and training, contractor security, outsourcing/offshoring
Accepting Risk
low-likelihood/low-consequence risks are candidates for risk acceptance; high and extreme risks cannot be accepted
policy compliance
describes 1) how to judge the effectiveness of the policies (how well are they working) 2) what happens when policy is violated (the sanction)
custodians
provide hands-on protection of assets such as data
assets
valuable resources you are trying to protect
baselines
uniform ways of implementing a safeguard; discretionary
policy responsibilities
include responsibilities of info sec staff, policy and mgt teams, and all members of the org
Threat
a potentially negative occurrence
risk equation
Risk = Threat * Vulnerability (and sometimes * Impact)
ISO 27002
formerly known as ISO 17799
TCO
total cost of ownership: cost of a mitigating safeguard. Combines upfront costs + annual cost of mx, staff, vendor mx, software, etc
ITIL
Info Tech Infrastructure Library: framework for providing best services in IT Service Mgt
policy scope
describes what systems, people, facilities, and organizations are covered by the policy
EF
exposure factor: percentage of an asset's value lost due to an incident
COBIT
control objectives for Info and related Tech: control framework for employing info sec governance best practices w/in an org