Information Security Governance and Risk Management Flashcards
What are 3 kinds of security policies
Organizational
Functional
System-specific
Functional policy
Focuses on a specific security issue (also called an issue-specific policy), e.g. an acceptable-use or e-mail policy
A standard
Specify the technology or approach that must be used to control a security risk.
A document from a medical research company specifies the use of multi-factor authentication with a combination of key cards and biometrics for protecting access to a database.
Which component of a policy framework does this document represent?
Standard
A security procedure
Provides step-by-step instructions on how to comply with a security policy.
A baseline
Describes minimum technical security standards that should be maintained consistently across an organization.
A guideline
Recommendations that individuals can follow or use at their own discretion
For an organization to adhere to legislative and regulatory compliance, its control frameworks need to be 5 things
Consistent
Measurable
Standardized
Comprehensive
Modular
COSO - Committee of Sponsoring Organizations of the Treadway Commission
Formed to study and prevent fraud in financial reporting
ITIL - IT Infrastructure Library
Originally a library of more than 30 books written to improve IT service management; ITIL v3 (2007, updated 2011) consolidates it into five core volumes (Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement).
COBIT - Control Objectives for Information and related Technology.
COBIT 4.0 defines 34 high-level IT processes with 214 control objectives to support them (210 in COBIT 4.1). The processes are judged against seven information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. COBIT 5 (2012) reorganized this into 37 processes across five domains.
ISO 27000
Family of standards for information security management; ISO/IEC 27000 itself is the overview and vocabulary document.
The control catalogue is ISO/IEC 27002:2005, which contains 133 detailed information security controls grouped into 11 different areas (clauses). The 2013 revision reorganized these into 14 areas with 114 controls, and the 2022 revision into 4 themes with 93 controls.
ISO 27001
Specifies the requirements for an information security management system (ISMS) and is the standard in the family that organizations are certified against. Can be tailored and applied to organizations of varying sizes.
NIST SP 800-53
Has roughly 300 controls across 17 families grouped into three classes (management, operational, technical). That structure describes the early revisions: Rev. 3 added the Program Management family, Rev. 4 kept 18 families, and Rev. 5 (2020) has 20 families and drops the class grouping. Mandatory for US federal government agencies (via FISMA and FIPS 200) and flowed down to contractors operating federal systems.
COBIT divides into how many domains?
4 (COBIT 4.x names):
Plan and Organise
Acquire and Implement
Deliver and Support
Monitor and Evaluate
COBIT 5 added a fifth, governance-level domain: Evaluate, Direct and Monitor.
CRAMM
CCTA Risk Analysis and Management Method, developed by the UK government's Central Computer and Telecommunications Agency for risk analysis. Treats an IT system's hardware and software together with its physical environment and the people who operate it as assets to be valued and protected.
How many stages in the CRAMM methodology?
3
Identifying and valuing assets
assessing threats and vulnerability
Selecting and recommending countermeasures
FMEA - failure modes and effect analysis methodology
Assesses risk by breaking a product or process into its functions, listing the ways each can fail (failure modes), and examining each failure's effects at three successive levels, from the failing component up to the system as a whole.
FRAP - Facilitated risk analysis process
Qualitative risk analysis method that uses pre-screening to identify critical risk areas.
9 NIST SP 800-30 risk assessment methodology steps (original 2002 version)
System characterization
Threat identification
Vulnerability identification
Control analysis
Likelihood determination
Impact analysis
Risk determination
Control recommendations
Results documentation
OCTAVE - Operationally critical threat asset and vulnerability evaluation
uses a self-directed interdisciplinary team to analyze and evaluate security risks by reviewing operational risk and security practices.
NIST SP 800-66
Qualitative risk assessment methodology established with healthcare in mind (an introductory resource guide for implementing the HIPAA Security Rule).
PUSH
service-based risk assessment solution with 4 phases:
Preparation
Universe definition
Scoring
Hitting the mark
SOMAP - Security Officers Management and Analysis Project
Swiss non-profit project that publishes an open-source information security risk management guide and assessment tool
How many stages in SOMAP?
5
Data collection
Threat analysis
Vulnerability analysis
Risk treatment
Risk retention
VAR - value at risk methodology
Theoretically based quantitative measure of information security risk.
Summarizes the worst loss expected from a security breach (at a chosen confidence level over a chosen period) so that the cost of implementing controls can be balanced against the risk they remove.
Number of stages in VAR - value at risk methodology
4
Identify threats
Estimate likelihood
Estimate VaR
Mitigate risk
Risk management definition
comprises the tasks and activities associated with assessing, mitigating, and preventing potential threats to an organization.
Why is risk management important?
helps ensure legal compliance
enables identification and protection of critical assets
What are the two types of risk assessment?
qualitative
quantitative
Risk Assessment step
Define System characterization
Set the scope of the assessment. Determine system and data criticality and sensitivity at this stage
Risk Assessment step
Define Threat identification
Identify anything that may harm an IT system and system information.
Risk Assessment step
Define vulnerability identification
Identify flaws or weaknesses in system security procedures, design, implementation, or internal controls that a threat source could exercise.
Risk Assessment step
Define Control analysis
Review of current and planned countermeasures against a security requirements checklist.
Risk Assessment step
Define Likelihood determination
Consider the motivation and capability of the threat source, the nature of the vulnerability, and the existence and effectiveness of current controls; rate the likelihood as High, Medium, or Low.
Risk Assessment step
Define impact analysis
Quantify or rate potential losses of integrity, availability, or confidentiality of system data.
Risk Assessment step
Define risk determination
Determine the level of risk from the likelihood that a threat exercises the vulnerability, the impact if it does, and the adequacy of current or planned controls (typically via a likelihood x impact matrix).
Risk Assessment step
Define control recommendations
Consider the effectiveness, performance impacts, safety and reliability of control options.
Risk Assessment step
Define results documentation
Document the threat and vulnerability pairings with their risk levels, recommended controls, and associated cost-benefit data in a report for management.
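The likelihood, impact and risk-determination steps above (steps 5 through 7) are usually worked as a matrix. The Python below is an added illustration and is not part of the original flashcards or of any NIST publication. The numeric weights (likelihood 1.0/0.5/0.1, impact 100/50/10) and the risk bands (above 50 High, above 10 Medium, otherwise Low) are the ones SP 800-30 (2002) prints in its risk-level matrix; the rule for deriving likelihood from threat capability and control effectiveness, and the threat/vulnerability pairs themselves, are constructed assumptions for the example.

```python
from dataclasses import dataclass

# Numeric weights from the NIST SP 800-30 (2002) risk-level matrix.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ["Low", "Medium", "High"]


@dataclass
class ThreatVulnPair:
    threat: str
    vulnerability: str
    threat_capability: str      # motivation and capability of the threat source
    controls_effective: bool    # is an in-place control already reducing exploitability?
    impact: str                 # result of step 6, impact analysis


def determine_likelihood(threat_capability: str, controls_effective: bool) -> str:
    """Step 5. Assumed rule (not from SP 800-30): start from the rating of the
    threat source's motivation and capability and lower it one level when an
    effective control is already in place."""
    idx = LEVELS.index(threat_capability)
    if controls_effective:
        idx = max(0, idx - 1)
    return LEVELS[idx]


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: likelihood weight times impact weight, on a 1..100 scale."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> str:
    """Bands from the SP 800-30 matrix: >50 High, >10 Medium, 1..10 Low.
    Note the boundary: Low likelihood x High impact scores exactly 10 = Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pairs: list[ThreatVulnPair]) -> list[dict]:
    """Run steps 5-7 over every pair and rank by score, highest first."""
    rows = []
    for p in pairs:
        likelihood = determine_likelihood(p.threat_capability, p.controls_effective)
        score = risk_score(likelihood, p.impact)
        rows.append({
            "pair": f"{p.threat} -> {p.vulnerability}",
            "likelihood": likelihood,
            "impact": p.impact,
            "score": score,
            "risk": risk_level(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample pairs for a hypothetical system.
SAMPLE_PAIRS = [
    ThreatVulnPair("Internet attacker", "SQL injection in login form", "High", False, "High"),
    ThreatVulnPair("Phishing campaign", "No MFA on webmail", "High", True, "Medium"),
    ThreatVulnPair("Disgruntled insider", "Unpatched file server", "Medium", True, "Medium"),
    ThreatVulnPair("Flood", "Server room at ground level", "Low", False, "High"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print(f"{row['risk']:6} {row['score']:5.1f}  {row['pair']}")
```

The flood pair is the case practitioners get wrong: a High impact does not make the risk High when the likelihood is Low, and a score sitting exactly on the 10 boundary is still Low under the SP 800-30 bands.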
4 types of risk responses
risk avoidance
risk transfer
risk mitigation
risk acceptance
Risk transfer
Passing risk to a third party, e.g. by buying insurance or outsourcing the activity
Which frameworks & methodologies are designed for performing risk assessments?
OCTAVE, CRAMM, VAR (as well as FRAP and NIST SP 800-30, above)
Which frameworks & methodologies are designed for implementing and auditing security controls?
COBIT, ITIL, COSO
What 5 things should an information security officer be able to provide information about
each risk the organization is facing
likelihood and potential impact of a risk
costs and benefits of potential solutions
risk that will remain after a response is implemented
a time frame for responding to a risk
6 Responsibilities of an information security officer
communicating risks to senior management
ensuring regulatory compliance
assisting auditors
overseeing development and delivery of a security awareness program
monitoring emerging threats and new technologies
evaluating security incidents and responses
6 steps to reduce employee security policy violations
Prepare accurate job descriptions
Check references
Conduct background checks
Ask new employees to sign employment agreements
Supervise how employees perform
Control terminations
When determining the value of an intangible asset, which is the best approach?
A. determine the physical storage costs and multiply by the expected life of the company.
B. With the assistance of a finance or accounting professional determine how much profit the asset has returned.
C. Review the depreciation of the intangible asset over the past three years.
D. Use the historical acquisition or development cost of the intangible asset.
B. With the assistance of a finance or accounting professional determine how much profit the asset has returned.
Qualitative risk assessment is described by which of the following?
A. ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process.
B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics used for calculation of risk.
C. Detailed metrics used for calculation of risk and ease of implementation.
D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk.
A. ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process.
single loss expectancy SLE is calculated by using
A. asset value and annualized rate of occurrence.
B. asset value, local annual frequency estimate, and standard annual frequency estimate
C. asset value and exposure factor
D. local annual frequency estimate and annualized rate of occurrence.
C. asset value and exposure factor
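SLE, ARO and ALE are the quantitative counterpart to the likelihood x impact matrix, and the reason to compute them is to decide whether a safeguard is worth its cost. The Python below is an added example, not code from the original flashcards; the formulas (SLE = asset value x exposure factor, ALE = SLE x ARO, safeguard value = ALE before minus ALE after minus annual safeguard cost) are the standard ones, while the asset, figures and candidate safeguards are constructed for the example.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor. EF is the fraction of the asset's
    value lost in one occurrence, so it must lie between 0 and 1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def aro_from_interval(years_between_events: float) -> float:
    """Annualized rate of occurrence from an expected interval:
    once every two years -> 0.5; three times a year (interval 1/3) -> 3.0."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return round(1.0 / years_between_events, 4)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from this threat."""
    return round(sle * aro, 2)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before safeguard) - (ALE after safeguard) - annual cost of safeguard.
    Positive: the control saves more than it costs. Negative: it does not."""
    return round(ale_before - ale_after - annual_cost, 2)


def evaluate(asset_value: float, exposure_factor: float,
             years_between_events: float, safeguards: list[dict]) -> dict:
    """Compute the baseline ALE and the cost-benefit of each candidate safeguard.
    A safeguard may lower the exposure factor (less damage per event), lengthen
    the interval between events (lower ARO), or both."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    aro = aro_from_interval(years_between_events)
    ale = annualized_loss_expectancy(sle, aro)
    report = {"sle": sle, "aro": aro, "ale": ale, "safeguards": []}
    for s in safeguards:
        sle_after = single_loss_expectancy(asset_value, s["ef_after"])
        aro_after = aro_from_interval(s["interval_after"])
        ale_after = annualized_loss_expectancy(sle_after, aro_after)
        value = safeguard_value(ale, ale_after, s["annual_cost"])
        report["safeguards"].append({
            "name": s["name"],
            "ale_after": ale_after,
            "value": value,
            "recommend": value > 0,
        })
    return report


# Constructed example: a customer database valued at 500,000. A breach is
# expected to destroy 25% of its value and to happen about once every two years.
EXAMPLE = dict(asset_value=500_000, exposure_factor=0.25, years_between_events=2)
SAFEGUARDS = [
    # reduces damage per event (EF 0.25 -> 0.05), event rate unchanged
    {"name": "Backups with tested restore", "ef_after": 0.05, "interval_after": 2, "annual_cost": 20_000},
    # same risk reduction as above, but priced beyond what it saves
    {"name": "Dedicated on-site DBA team", "ef_after": 0.05, "interval_after": 2, "annual_cost": 60_000},
    # reduces event rate (once every 5 years), damage per event unchanged
    {"name": "Web application firewall", "ef_after": 0.25, "interval_after": 5, "annual_cost": 15_000},
]

if __name__ == "__main__":
    r = evaluate(**EXAMPLE, safeguards=SAFEGUARDS)
    print(f"SLE {r['sle']:,.0f}  ARO {r['aro']}  ALE {r['ale']:,.0f}")
    for s in r["safeguards"]:
        verdict = "adopt" if s["recommend"] else "reject"
        print(f"{verdict:6} {s['name']:28} ALE after {s['ale_after']:>9,.0f}  value {s['value']:>9,.0f}")
```

The second safeguard buys exactly the same risk reduction as the first but costs 60,000 a year against 50,000 of avoided loss, so its value is negative; this is the comparison the board actually needs, not the raw ALE.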
Consideration for which type of risk assessment to perform includes all of the following
A. culture of the organization, likelihood of exposure and budget
B. budget, capabilities of resources and likelihood of exposure
C. Capabilities of resources, likelihood of exposure and budget
D. Culture of the organization, budget, capabilities and resources
D. Culture of the organization, budget, capabilities and resources
Security awareness training includes
A. Legislated security compliance objectives
B. Security roles and responsibilities for staff
C. The high-level outcome of vulnerability assessments
D. Specialized curriculum assignments, coursework and an accredited institution
B. Security roles and responsibilities for staff
A signed user acknowledgement of the corporate security policy
A. Ensures that users have read the policy
B. Ensures that users understand the policy, as well as the consequences for not following the policy
C. Can be waived if the organization is satisfied that users have an adequate understanding of the policy
D. helps to protect the organization if a user’s behavior violates the policy.
D. helps to protect the organization if a user’s behavior violates the policy.
Effective security management
A. Achieves security at the lowest cost
B. reduces risk to an acceptable level
C. prioritizes security for new products
D. installs patches in a timely manner
B. reduces risk to an acceptable level
Availability makes information accessible by protecting it from:
A. Denial of service, fires, floods, hurricanes, and unauthorized transactions.
B. fires, floods, hurricanes, unauthorized transactions and unreadable backup tapes
C. unauthorized transactions, fires, floods, hurricanes and unreadable backup tapes
D. denial of services, fires, floods, hurricanes, and unreadable tapes.
D. denial of services, fires, floods, hurricanes, and unreadable tapes.
To avoid bias, the security officer could report to any of the following
A. CEO, application development, or CFO
B. CIO, CFO, or application development
C. CFO, CEO, CIO
D. application development, CFO, CEO
C. CFO, CEO, CIO
Tactical security plans are best used to
A. establish high-level security policies
B. enable enterprise/entity-wide security management
C. reduce downtime
D. deploy new security technology
D. deploy new security technology
Who is accountable for implementing information security?
A. everyone
B. senior management
C. security officer
D. data owners
C. security officer
Security is likely to be most expensive when addressed in which phase?
A. design
B. rapid prototyping
C. testing
D. implementation
D. implementation
Information systems auditors help the organization
A. mitigate compliance issues
B. establish an effective control environment
C. identify control gaps
D. address information technology for financial statements.
C. identify control gaps
Long duration security projects
A. provide greater organizational value
B. increase ROI
C. minimize risk
D. increase completion risk
D. increase completion risk
Setting clear security roles has the following benefits
A. establishes personal accountability, reduces cross-training requirements and reduces departmental turf battles
B. enables continuous improvement, reduces cross-training requirements and reduces departmental turf battles
C. Establishes personal accountability, establishes continuous improvement and reduces turf battles
D. Reduces departmental turf battles, reduces cross-training requirements and establishes personal accountability.
C. Establishes personal accountability, establishes continuous improvement and reduces turf battles
Well-written security program policies are best reviewed
A. at least annually or at pre-determined organization changes
B. after major project implementations
C. When applications or operating systems are updated
D. When procedures need to be modified.
A. at least annually or at pre-determined organization changes
Orally obtaining a password from an employee is the result of
A. social engineering
B. weak authentication controls
C. ticket granting server authorization
D. voice recognition software
A. social engineering
A security policy which will remain relevant and meaningful over time includes the following:
A. Directive words such as shall, must, or will, technical specifications and is short in length
B. Defined policy development process, short in length and contains directive words such as shall, must, or will
C. Short in length, technical specifications and contains directive words such as shall, must or will
D. Directive words such as shall, must, or will; a defined policy development process; and is short in length
D. Directive words such as shall, must, or will; a defined policy development process; and is short in length
The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendors violates which concept?
A. a well formed transaction
B. separation of duties
C. least privilege
D. data sensitivity level
B. separation of duties
Collusion is best mitigated through
A. Job rotation
B. Data classification
C. defining job sensitivity level
D. least privilege
A. Job rotation
Data access decisions are best made by
A. user managers
B. data owners
C. senior management
D. application developers
B. data owners
Which of the following best describes the relationship between CobiT and ITIL?
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process level steps on how to achieve them.
D. CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service level goals.
C. CobiT defines IT goals, whereas ITIL provides the process level steps on how to achieve them.
What is a “safe harbor”?
A set of “good faith” conditions which if met, may temporarily or indefinitely protect the organization from the penalties of a new law or regulation.
What information security act must federal agencies adhere to?
FISMA - Federal Information Security Management Act (2002), updated by the Federal Information Security Modernization Act of 2014
What directive protects personal information in Europe?
European Data Protection Directive (95/46/EC), since replaced by the General Data Protection Regulation (GDPR), in force since May 2018
How often should security policies be reviewed?
Annually
Jane has been charged with ensuring that clients' personal health information is adequately protected before it is exchanged with a new European Partner. What data security requirements must she adhere to?
A. HIPAA
B. NIST SP 800-66
C. Safe Harbor
D. European Union Principles on Privacy
C. Safe Harbor
(The U.S.-EU Safe Harbor framework was invalidated by the Court of Justice of the EU in October 2015; it was succeeded by the EU-U.S. Privacy Shield in 2016, itself invalidated in 2020, and then by the EU-U.S. Data Privacy Framework in 2023.)
Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organization for Economic Co-operation and Development.
C. CobiT
D. International Organization for Standardization
B. The Organization for Economic Co-operation and Development.
Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
A. Security policy committee
B. Audit committee
C. risk management committee
D. Security steering committee
D. Security steering committee
As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim’s responsibility as information owner?
A. Assigning information classifications.
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data.
C. Verifying the availability of data
Assigning data classification levels can help with all of the following except:
A. The grouping of classified information with hierarchical and restrictive security
B. Ensuring that nonsensitive data is not being protected by unnecessary controls
C. Extracting data from a database
D. Lowering the costs of protecting data
C. Extracting data from a database
Which of the following is not included in a risk assessment?
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality
A. Discontinuing activities that introduce risk
Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's email system. What type of approach is her company taking to handle the risk posed by the system?
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference
A. Risk mitigation
The integrity of data is not related to which of the following?
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities.
D. The extraction of data to share with unauthorized entities.
There are several methods an intruder can use to gain access to a company’s assets. Which of the following best describes masquerading?
A. Changing an IP packet’s source address
B. Elevating privileges to gain access
C. An attempt to gain unauthorized access by posing as another user.
D. Creating a new authorized user with hacking tools
C. An attempt to gain unauthorized access by posing as another user.
A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
A. The asset’s value in the external marketplace.
B. The level of insurance required to cover the asset.
C. The initial and outgoing costs of purchasing, licensing, and supporting the asset
D. The asset’s value to the organization’s production operations.
B. The level of insurance required to cover the asset.
Jill is establishing a company wide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
A. Increase the database’s security controls and provide more granularity
B. Implement access controls that display each user’s permissions each time they access the database.
C. Change the database’s classification label to higher security status.
D. Decrease the security so that all users can access the information as needed.
A. Increase the database’s security controls and provide more granularity
As his company's CISO, George needs to demonstrate to the board of directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk?
A. threats x vulnerability x asset value = residual risk
B. SLE x frequency = ALE, which is equivalent to residual risk
C. (threats x vulnerability x asset value ) x control gap = residual risk
D. (total risk - asset value) x countermeasures = residual risk
C. (threats x vulnerability x asset value ) x control gap = residual risk
Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep?
A. Users have a tendency to request additional permissions without asking for others to be taken away.
B. It is a violation of least privilege.
C. It enforces the “need to know” concept
D. It commonly occurs when users transfer to other departments.
C. It enforces the “need to know” concept
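The vendor-payment question earlier on this page (one person adds a vendor and then pays it) and the authorization-creep card above are the two sides of the same review: a static check on what each person is entitled to, and a dynamic check on what they actually did. The Python below is an added example, not code from the original flashcards; every user, role, permission name and log record in it is constructed for the illustration.

```python
# Role baselines: the permissions each job actually needs (least privilege).
ROLE_BASELINE = {
    "ap_clerk":   {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.enter", "payment.approve"},
    "sales_rep":  {"crm.read", "crm.write"},
}

# Toxic combinations: permission sets that must never rest with one person.
# The first pair is the vendor-payment case from the earlier card.
TOXIC_COMBINATIONS = [
    ({"vendor.create"}, {"payment.approve"}),
    ({"user.create"}, {"user.approve"}),
]

# Snapshot of what users actually hold today (constructed).
USERS = [
    {"user": "alice", "role": "ap_clerk",   "perms": {"vendor.create", "invoice.enter"}},
    {"user": "bob",   "role": "ap_manager", "perms": {"invoice.enter", "payment.approve", "vendor.create"}},
    # carol transferred from AP to sales; her AP entitlement was never removed.
    {"user": "carol", "role": "sales_rep",  "perms": {"crm.read", "crm.write", "vendor.create"}},
    {"user": "dave",  "role": "ap_clerk",   "perms": {"vendor.create", "invoice.enter"}},
]

# Constructed transaction log for the dynamic check.
AUDIT_LOG = [
    {"event": "vendor.create",   "actor": "alice", "vendor": "V-1001"},
    {"event": "payment.approve", "actor": "bob",   "vendor": "V-1001"},  # two people: fine
    {"event": "vendor.create",   "actor": "dave",  "vendor": "V-1002"},
    {"event": "payment.approve", "actor": "dave",  "vendor": "V-1002"},  # same person: violation
]


def static_sod_conflicts(users, toxic=TOXIC_COMBINATIONS) -> dict[str, list[str]]:
    """Static separation of duties: who holds both halves of a toxic pair?"""
    findings = {}
    for u in users:
        hits = [f"{'+'.join(sorted(a))} with {'+'.join(sorted(b))}"
                for a, b in toxic if a <= u["perms"] and b <= u["perms"]]
        if hits:
            findings[u["user"]] = hits
    return findings


def dynamic_sod_violations(log) -> list[tuple[str, str]]:
    """Dynamic separation of duties on the transaction itself: the actor who
    approves a payment to a vendor must differ from the actor who created that
    vendor record, whatever permissions either of them holds. Dave passes the
    static check (an ap_clerk has no payment.approve baseline) yet still fails
    here, so the two checks are not interchangeable."""
    creator_of = {}
    violations = []
    for rec in log:
        if rec["event"] == "vendor.create":
            creator_of[rec["vendor"]] = rec["actor"]
        elif rec["event"] == "payment.approve":
            if creator_of.get(rec["vendor"]) == rec["actor"]:
                violations.append((rec["actor"], rec["vendor"]))
    return violations


def authorization_creep(users, baseline=ROLE_BASELINE) -> dict[str, set[str]]:
    """Least-privilege review: permissions a user holds beyond the baseline for
    their *current* role. Leftovers from a previous role show up here."""
    excess = {}
    for u in users:
        extra = u["perms"] - baseline[u["role"]]
        if extra:
            excess[u["user"]] = extra
    return excess


if __name__ == "__main__":
    print("static SoD conflicts:  ", static_sod_conflicts(USERS))
    print("dynamic SoD violations:", dynamic_sod_violations(AUDIT_LOG))
    print("authorization creep:   ", authorization_creep(USERS))
```

Bob is the authorization-creep case that also becomes a separation-of-duties conflict: the accumulated vendor.create permission, combined with his legitimate payment.approve, lets one person complete the whole vendor-payment transaction. Carol's leftover permission is creep without (yet) a toxic combination, which is why the two reports are kept separate.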
For what purpose was the COSO framework developed?
A. To address fraudulent financial activities and reporting.
B. To help organizations install, implement, and maintain Cobit controls
C. To serve as a guideline for IT security auditors to use when verifying compliance.
D. To address regulatory requirements related to protecting private health information.
A. To address fraudulent financial activities and reporting.
Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is chief privacy officer. What is the primary function of her new role?
A. Ensuring the protection of partner data
B. Ensuring the accuracy and protection of company financial information
C. Ensuring that security policies are defined and enforced.
D. Ensuring the protection of customer, company, and employee data
D. Ensuring the protection of customer, company, and employee data
Jared plays a role in his company's classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared's role?
A. Data owner
B. Data custodian
C. Data user
D. Information systems auditor
C. Data user
Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
A. FRAP
B. OCTAVE
C. AS/NZS 4360
D. NIST SP 800-30
C. AS/NZS 4360 (a general-purpose risk management standard, since superseded by ISO 31000)
Which of the following is not a characteristic of a company with a security governance program in place?
A. Board members are updated quarterly on the state of security.
B. All security activity takes place within the security department.
C. Security products, services, and consultants are deployed in an informed manner.
D. The organization has established metrics and goals for improving security.
B. All security activity takes place within the security department.
Michael is charged with developing a classification program for his company. Which of the following should he do first?
A. Understand the different levels of protection that must be provided.
B. Specify data classification criteria
C. Identify the data custodians
D. Determine protection mechanisms for each classification level.
A. Understand the different levels of protection that must be provided.
ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems standards. It comprises information security standards published jointly by the International Organization for Standardization and the International Electrotechnical Commission. Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
A. ISO/IEC 27002 code of practice for information security management
B. ISO/IEC 27003 guideline for ISMS implementation
C. ISO/IEC 27004 guideline for information security management measurement and metrics framework.
D. ISO/IEC 27005 guideline for bodies providing audit and certification of information security management systems.
D. ISO/IEC 27005 guideline for bodies providing audit and certification of information security management systems.
(ISO/IEC 27005 covers information security risk management; the requirements for bodies providing audit and certification of an ISMS are ISO/IEC 27006.)
CobiT defines
goals for the controls that should be used to properly manage IT and ensure IT maps to business needs
Addresses what is to be achieved
ITIL defines
general activities necessary to achieve goals
Addresses how to achieve goals
Name the health care related risk assessment methodology
NIST SP 800-66 (An Introductory Resource Guide for Implementing the HIPAA Security Rule)
Which information role is responsible for verifying data availability?
information custodian
What is the job of the information custodian?
Carry out the mandates of the information owner
What is residual risk?
Risk left after countermeasures are implemented.
What is the Chief privacy officer responsible for?
Ensuring the security of customer, company, and employee data.