Information Security Governance and Risk Management Flashcards

1
Q

Principles and Terms

CIA Triad
Vulnerability
Threat
Threat Agents

A

CIA Triad - Confidentiality, Integrity, Availability

Vulnerability - absence or weakness of a countermeasure

Threat - occurs when vulnerability is identified or exploited by an attacker

Threat Agents - Entity that carries out the threat. Not all will actually exploit a vulnerability

2
Q

Principles and Terms

Risk
Exposure
Countermeasures
Due Care

A

Risk - Probability that a threat agent will exploit a vulnerability and the impact if it’s carried out

Exposure - Occurs when an asset is exposed to loss

Countermeasures - A Control or Mechanism that reduces potential risk. AKA safeguards or controls

Due Care - Organization took all reasonable measures to prevent security breaches and took steps to mitigate damages caused by successful breaches. NOT due diligence. Lack of due care means the company knew about a risk and did nothing to prevent it

3
Q

Principles and Terms

Due Diligence

Job Rotation

A

Due Diligence - Organization investigated all vulnerabilities. Includes performing audits and assessments to ensure they’re protected

Job Rotation - Ensures more than one person can perform job tasks, providing redundancy. Important tool to help recognize when fraudulent activities have occurred

4
Q

Principles and Terms

Separation of Duties and 2 ways to do it

split knowledge
dual controls

A

Ensures one person can’t compromise organizational security.

split knowledge - no single employee knows all details to perform task

dual controls - requires 2 employees to be available to do a certain task to complete the job

5
Q

Security Frameworks and Methodologies

ISO / IEC 27000 Series (over 40)

27001 - overview, vocabulary
27002 - ISMS requirements
27003 - code of practice for infosec mgmt
27004 - ISMS implementation guidelines
27005 - ISMS measurement guidelines

A

Security program development standard on how to develop and maintain information security management system (ISMS)

These standards are developed by ISO / IEC bodies but certification or conformity assessment is provided by third parties

6
Q

Security Frameworks and Methodologies

Zachman Framework
2D, 6x6 grid of questions and views

A

Enterprise architecture framework

2-Dimensional classification system based on 6 questions (What, Where, When, Why, Who, How) that intersect with different views (Planner, Owner, Designer, Builder, Subcontractor, Actual System)

Allows analysis of an org. to be presented to different groups in the org. in ways that relate to their responsibilities

Not security oriented, but helps relay information in a language and format that is useful to target audience

7
Q

Security Frameworks and Methodologies

The Open Group Architecture Framework (TOGAF)

A

TOGAF - enterprise architecture framework

helps orgs design, plan, implement, govern an enterprise information architecture.

Based on 4 domains: technology, applications, data, business

8
Q

Security Frameworks and Methodologies

Department of Defense Architecture Framework (DoDAF)

A

DoDAF - architecture framework

organizes set of products under 4 views: operational (OV), system (SV), technical standards (TV), all view (AV)

ensures new DoD technologies integrate properly with current infrastructure

9
Q

Security Frameworks and Methodologies

British Ministry of Defense Architecture Framework (MODAF)

A

MODAF - architecture framework

Divides information into 7 viewpoints:

strategic (StV)
operational (OV)
service-oriented (SOV)
systems (SV)
acquisition (ACV)
technical (TV)
all (AV)
10
Q

Security Frameworks and Methodologies

Sherwood Applied Business Security Architecture (SABSA)

A

Enterprise security architecture framework that is risk driven

Similar to Zachman framework
uses same 6 communication questions that intersect with six layers instead of views (operational, component, physical, logical, conceptual)

11
Q

Security Frameworks and Methodologies

Control Objectives for Information and Related Technology (COBIT)

A

Security Controls development framework

Uses process model to subdivide IT into 4 domains:
Plan and Organize (PO)
Acquire and Implement (AI)
Deliver and Support (DS)
Monitor and Evaluate (ME)

4 domains are further broken down into 34 processes

aligns with ITIL, PMI, ISO, TOGAF frameworks

mainly used in private sector

12
Q

Security Frameworks and Methodologies

NIST SP 800-53

NIST SP 800-55

A

SP 800-53
Security CONTROLS DEVELOPMENT framework
Divides controls into 3 classes: technical, operational, mgmt
each class contains categories, or control families

SP 800-55
information security METRICS framework
provides guidance on developing performance measuring procedures with a US Govt viewpoint

14
Q

Security Frameworks and Methodologies

Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework

A

COSO
Corporate governance framework.
Consists of 5 inter-related components: control environment, risk assessment, control activities, information and communication, monitoring

COSO is for IT governance
COBIT was derived from COSO and is for corporate governance

15
Q

Security Frameworks and Methodologies

ITIL

A

Process Management Development. Primary concern is managing SLAs, but has a security component

5 Core Publications containing 26 processes
ITIL Service Strategy
ITIL Service Design
ITIL Service Transition
ITIL Service Operation
ITIL Continual Service Improvement

As part of OMB circular A-130, an independent review of security controls should be performed every 3 years

16
Q

Security Frameworks and Methodologies

Six Sigma

A

Process Improvement Standard. Designed to ID and remove defects in manufacturing process, but can be applied to many business functions incl. security

2 project methodologies inspired by Deming’s Plan/Do/Check/Act cycle

DMAIC - Define, Measure, Analyze, Improve, Control
DMADV - Define, Measure, Analyze, Design, Verify

17
Q

Security Frameworks and Methodologies

Capability Maturity Model Integration (CMMI)

A

Process Improvement Approach

Addresses 3 areas of interest:
Product, Service Development (CMMI Development)
Service Establishment, Mgmt (CMMI Services)
Product, Service Acquisition (CMMI Acquisition)

5 levels of maturity for processes
1 Initial
2 Managed
3 Defined
4 Quantitatively Managed
5 Optimized

All processes in each level of interest are assigned one of the 5 levels of maturity

18
Q

Security Frameworks and Methodologies

Top-Down vs Bottom-Up approach

A

Top-Down
management initiates, supports, directs security program

Bottom-Up
staff members develop security program before getting direction and support from management

top-down is more efficient because management support is so important

19
Q

Security Frameworks and Methodologies

Steps of Security Program Life Cycle

  1. Plan and Organize
  2. Implement
  3. Operate and maintain
  4. Monitor and evaluate

A

plan and organize
perform risk assessment, establish mgmt and steering committee, evaluate business drivers, get mgmt approval

implement
ID and manage assets, manage risk, identity and access control, training on security and awareness, implement solutions

operate and maintain
perform audits, do tasks, manage SLAs

monitor and evaluate
review auditing and logs, evaluate security goals, develop improvement plans for integration into Step 1 - Plan and Organize

20
Q

Risk Assessment

A

Tool to identify vulnerabilities and threats, assess their impact, and determine which controls to implement

21
Q

Risk Assessment

4 goals of risk Assessment

A

ID assets and asset value

ID vulnerabilities and threats

calculate threat probability and business impact

balance threat impact with countermeasure cost

22
Q

Risk Assessment Process

A

before starting risk assessment, determine which assets and threats to consider to establish the size of the project

risk assessment team provides report to mgmt on value of assets considered

mgmt finalizes the asset list and determines budget of risk assessment project

if the risk assessment project is not supported by sr. mgmt, it will fail

mgmt must define the purpose and scope, allocate personnel, time and budget for the project

23
Q

Risk Assessment

NIST SP 800-30

A

Identifies these steps in risk assessment process

ID Assets and value
ID threats
ID vulnerabilities
Determine likelihood
ID impact
Determine risk as combination of likelihood and impact
24
Q

Asset Values, Vulnerabilities and Threats

Information and Asset (tangible and intangible) Values and Costs

6 considerations to determine asset value

after determining value, then determine vulnerabilities and threats

A

Tangible assets
Intangible assets - IP, data, reputation

6 considerations to determine asset value:

value to owner
work needed to develop or obtain asset
costs to maintain asset
damage caused by losing asset
cost competitors would pay for asset
penalties if asset was lost
25
Q

Asset Values, Vulnerabilities and Threats

Vulnerabilities and Threats Identification

Threat agents can be grouped into 6 Categories

A

Human - malicious, non malicious, insiders, outsiders, terrorists

Natural - flood, fire, etc

Technical - hardware, software failure, malware, new tech

Physical - failures of CCTV, biometrics, perimeter security

Environmental - power failure, traffic issues, hazmat spills, biological warfare

Operational - any process or procedure that can affect CIA

26
Q

Quantitative Risk Analysis

A

Assigns monetary and numerical values to all facets of the risk analysis process.

Includes asset value, threat frequency, vulnerability severity, impact, safeguard costs, etc

27
Q

Quantitative Risk Analysis

Single Loss Expectancy (SLE)

A

SLE - monetary impact of each threat occurrence.

To determine it, you must know the Asset Value (AV) and the Exposure Factor (EF).

EF is the % value or functionality of an asset that is lost when a threat occurs

SLE = AV * EF

Ex. If an asset costs $20,000 and the assessment says the exposure factor for power failure is 25%, then SLE is $5,000

28
Q

Quantitative Risk Analysis

Exposure Factor (EF)

A

EF - The percent value or functionality of an asset that will be lost when a threat occurs

29
Q

Quantitative Risk Analysis

Annual Loss Expectancy (ALE)

A

ALE - expected risk factor of an annual threat event
Must first know the SLE and the ARO

ALE = SLE * ARO

ALE = (AV * EF) * ARO

Ex.
If ARO is 50%, AV is $20,000 and EF is 25%

then

ALE = (20,000 * .25) * (.5)
ALE = 5000 * .5
ALE = $2,500
31
Q

Qualitative Risk Analysis

Techniques

A

intuition, experience, best practices

brainstorming, focus groups

surveys, questionnaires, meetings and Delphi

32
Q

Qualitative Risk Analysis

Advantages of Qualitative Risk Analysis

A

Prioritizes risks and identifies areas for immediate improvement in addressing threats

33
Q

Qualitative Risk Analysis

Disadvantages of Qualitative Risk Analysis

A

results are subjective and dollar value is not provided for cost-benefit analysis or budgeting

All organizations experience issues with any estimates. This lack of confidence in an estimate is called uncertainty and expressed as a percentage

All risk assessment reports should include the uncertainty level

34
Q

Safeguard Selection

Criteria for choosing safeguards (or controls)

A

the cost effectiveness of the safeguard or control. Including planning, designing, implementing, maintenance costs

35
Q

Safeguard Selection

Formula to calculate cost-benefit analysis.

Knowing corrected ARO after safeguard is implemented is necessary for determining safeguard value

legal liability exists if cost of safeguard is less than estimated loss if the threat is exploited

A

safeguard value =

(ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)

To complete this equation you have to know the revised ALE after safeguard is implemented (which can be hard to assess)

36
Q

Total Risk vs Residual Risk

Total Risk
Residual Risk

A

Total Risk - risk that organization could encounter if it decides not to implement any safeguards

Residual risk - risk that is left over after safeguards are implemented

37
Q

Total Risk vs Residual Risk

Equation to represent residual risk
equation is more conceptual than an actual calculation

A

residual risk = (total risk) - countermeasures

40
Q

Risk Management

Handling Risk

4 basic methods

A

risk avoidance - terminating activity that causes risk, or choosing safer alternative

risk transfer - passing risk to a 3rd party (ie insurance company)

risk mitigation - defining acceptable risk level and reducing risks to it

risk acceptance - understanding and accepting risks and potential costs

41
Q

Risk Management

Risk Management Principles

A

After risk assessment is complete, organization must implement and maintain safeguards

organization must decide on future risk analysis that occurs because it should be done regularly

risk mgmt involves developing and maintaining risk mgmt policy and maintaining a risk mgmt and risk analysis team

42
Q

Risk Management

Risk Management Policy objectives to list

A

Formal statement of Sr. management’s commitment to risk management

Must include overall risk management plan and list these objectives

risk mgmt team objectives
responsibilities and roles
acceptable levels of risk
risk identification process
risk and safeguards mapping
safeguard effectiveness
monitoring process and targets
future risk analysis plans and tasks
43
Q

Risk Management

Risk Management Team

A

could be one person or a group

goal is to protect organization and assets from risk in most cost effective way

sr. management must put a resource allocation measure in place. Ensure members of the team have necessary training and tools

44
Q

Risk Management

Risk Analysis Team

A

Must have a representative from as many departments and employment levels as possible. Diversity ensures risks from all areas can be addressed

Or the team must interview each department to understand all risks to that department

During Risk Analysis process, the team should determine threat events that could occur, impact of them, frequency of them and level of confidence in the information gathered

45
Q

Information Security Governance Components

Steps for senior management to complete before developing any organizational security policy

A

define scope of program
ID assets that need protection
determine level of protection each asset needs
determine personnel responsibilities
develop consequences for noncompliance with policy

46
Q

Information Security Governance Components

Policies

2 definitions

are broad and provide foundation for developing standards, baselines, guidelines, procedures all of which provide the security structure

A

dictate the role of security and are strategic in nature (provide the end result of security)

definition 1 - level in organization at which they’re enforced
definition 2 - category to which they’re applied

independent of specific technology or solution

must contain exception area to deal with unforeseen situations

47
Q

Information Security Governance Components

levels of policies

A

organization

system specific

issue-specific

48
Q

Information Security Governance Components

categories of policies

A

regulatory

advisory

informative

49
Q

Information Security Governance Components

Organizational Policies

A

highest level security policy, steered by business goals

should have these components:

define overall goals of security policy
define overall steps and importance of security
define security framework to meet biz goals
state management approval of policy
define all relevant terms
define security roles and responsibilities
address relevant laws and regulations
identify major functional areas
define compliance requirements

51
Q

Information Security Governance Components

Organizational Security Policies

system specific
issue specific

A

must be supported by stakeholders, have a high visibility for personnel, be discussed regularly

each version should be maintained and documented

system-specific security policy addresses a specific computer, network, technology or application

issue-specific security policy addresses specific issue like email privacy, virus checking, employee termination, no expectation of privacy, etc.

52
Q

Information Security Governance Components

Regulatory Security Policies

A

address specific industry regulations, including mandatory standards

ie. healthcare, public utilities, financial institutions

53
Q

Information Security Governance Components

Advisory security Policies

A

cover acceptable and unacceptable activities

gives examples of possible consequences if users engage in unacceptable activities

54
Q

Information Security Governance Components

Informative Security Policies

A

provide information on certain topics, act as educational tool

55
Q

Information Security Governance Components

Standards

A

describe how baselines will be implemented

Mandatory actions or rules that are tactical - they provide the steps needed to achieve security

56
Q

Information Security Governance Components

Baselines

A

reference points defined and captured to use as future reference

should be captured when a system is properly configured and updated

when updates occur, new baselines should be captured and compared to previous ones

Adopting new baselines from most recent data may be necessary

capturing is important but so is using them to assess security state

57
Q

Information Security Governance Components

Guidelines

A

recommended actions, allow for unforeseen circumstances

provide guidance when standards don’t apply

58
Q

Information Security Governance Components

Procedures

A

all detailed actions to follow and are closest to the computers and other devices

often include step-by-step lists on how policies, standards, guidelines are implemented

59
Q

Information Classification Lifecycle

A

classify data by its value

assigning value to data lets you determine resources to protect it

classifying data lets you apply different protections

after data is classified, it can be segmented based on level protection needed

organization should determine classification levels based on needs of organization

60
Q

Information Classification Lifecycle

Commercial businesses usually classify data on 4 main levels

Information life cycle should be based on this classification of data

A

Confidential - trade secrets, intellectual property, code

Private - personnel records, medical, salary, HR

Sensitive - information that needs extra measures

Public - data that wouldn’t cause negative impact if lost

61
Q

Information Classification Lifecycle

Government and Military classify data on 5 main levels

A

Top Secret - weapon blueprints, tech specs. Grave damage if disclosed

Secret - deployment plans, missile placement. Serious damage if disclosed

Confidential - patents, trade secrets. Serious effect if disclosed

Sensitive - medical, personnel records, questions arise if disclosed

Unclassified

62
Q

Responsibilities and Roles

Board of Directors
Senior Officials
Management

A

Board of Directors
elected by shareholders to ensure org is run properly. Loyalty is to shareholders

Senior Officials
Sr. Management, board of directors

Management
responsible for preserving, protecting org data
CEO, CFO, CIO, CPO, CSO

63
Q

Responsibilities and Roles

Business Unit Managers
Audit Committee
Data Owner
Data Custodian
System Owner
System Administrator

A

Business Unit Managers
provide departmental information, controls for dept. data

Audit Committee
evaluates org’s financial reporting to ensure accuracy

Data Owner
determines classification level of information, and protection

Data Custodian
implements info classification and controls after owner determines them

System Owner
ensures appropriate controls exist on systems. multiple data owners can be responsible for info on the system

System Administrator
runs day to day operations

64
Q

Responsibilities and Roles

Security Administrator
Security analyst
application owner
supervisor
user
auditor

A

Security Administrator
maintains security devices and software (firewalls, etc)

Security analyst
analyzes security needs of org, develops governance documents (policies, standards, guidelines)

application owner
determine personnel who can access an application

supervisor
manages group of users and assets in a group

user
any person who accesses data for work

auditor
monitors user activities to ensure appropriate controls are in place

65
Q

Personnel Security

Personnel cause majority of security issues

Organizations should have personnel security policies (screening, hiring, firing)

Screening
Hiring

A

Screening - occurs before offer of employment. Could include background check, drug testing, education verification

Hiring - signing appropriate documents, NDAs, policies, etc. Employee IDs issued at this stage

66
Q

Personnel Security

Termination. Handled differently for friendly and unfriendly situations

Management Control - mandatory vacations

NDAs (and similar)

A

HR Procedures ensure property is returned, user access is removed

unfriendly terminations
procedures must be proactive to prevent asset damage. Revoke accesses before termination notification, security escort

mandatory vacations ensure another employee can perform job duties in someone else’s absence

NDAs and similar (noncompete clauses, etc)
protect organization and assets after employee is gone

67
Q

Security Awareness Training

Security Awareness Training (what)
vs
Security Training (how)
vs
Security Education (why)

A

Awareness training
reinforces fact that valuable resources must be protected by implementing security measures

Security Training
teaches skills to enable performing job securely

Both Awareness and Security Training are usually combined to improve awareness of security and ensure users can be held accountable for their jobs

Security Education
more independent, targeted at security professionals who require expertise and act as in-house experts

68
Q

Security Awareness Training

Security Awareness Training should be based on the audience

high-level management
middle management
technical staff

A

high-level management
training explains risks, threats, applicable laws and regulations, effects of security issues on reputation

middle management
training covers policies, standards, guidelines, baselines, procedures, how these map to departments

technical staff
training covers technical training on configuring and maintaining security controls. Industry certifications, degrees.