Information Security Governance & Risk Management Flashcards
What is the C-I-A Triad ?
Confidentiality - Integrity - Availability
- three-sided domain (triangle shaped)
- all other domains are based on these 3 concepts
What is Confidentiality (CIA) ?
- Prevention of unauthorised use or disclosure of information.
- associated with Privacy.
- Privacy ensures the confidentiality of personal data.
What is Integrity (CIA) ?
Integrity safeguards the accuracy and completeness of information and processing methods.
What does integrity ensure ?
- Unauthorised users or processes don’t make modifications to data.
- Authorised users and processes don’t make unauthorised modifications to data.
- Data is internally and externally consistent, meaning a given input produces an expected output.
What is Availability (CIA) ?
This ensures that authorised users have reliable and timely access to information and associated systems and assets when needed.
Threats to availability (CIA) ?
- Denial of Service
- Single points of failure
- equipment malfunction
- inadequate capacity planning
- business interruptions / disasters
- fail-safe control mechanisms.
The Opposite of C-I-A ?
D-A-D:
D - Disclosure
A - Alteration
D - Destruction
Defense in Depth ?
- An info. sec. strategy based on layers of defense.
- Has its roots in the military.
- Result of a holistic approach to IT Security.
Commercial Data Classification ?
- implemented to protect information that has a monetary value. Criteria include:
- Value - monetary or intrinsic value
- Age / Useful Life - Information that loses value over time, becomes obsolete or irrelevant or becomes common / public knowledge is classified this way.
Government Data Classifications
- protect national interests / security
- comply with applicable laws
- protect privacy
Department of Defense Categories:
- Unclassified
- sensitive but unclassified (SBU)
- Confidential
- secret
- top secret
D.o.D. Classification - Unclassified
- lowest level of classification
- not sensitive, no threat to national security
- Can include data that was previously classified, but has since been declassified.
- Can include - for official use only
- Can include - for internal use only
D.o.D. Classification - Sensitive but unclassified (SBU)
- information that is private, personal.
* Ex: Test questions, disciplinary proceedings, medical records.
D.o.D. Classification - Confidential
- Information that could damage national security
* lowest level of classified gov. information.
D.o.D. Classification - Secret
- information that could cause serious damage if leaked.
* must be accounted for throughout lifecycle.
D.o.D. Classification - Top Secret
- information that could cause grave damage if leaked.
- must be accounted for throughout lifecycle.
- may include special designations
- handling restrictions
What is a Mission Statement ?
- This expresses an organisation’s reasons to exist.
- Easily understood.
- general purpose statement.
What are Goals and Objectives ?
- A goal is something that an organisation is attempting to accomplish.
- Should align with the mission statement
- Should define a vision for the organisation.
- An objective is a milestone or a result that is expected to be achieved.
- An objective supports a goal (short term) which in turn supports a mission (Medium-Long term).
What is Governance ?
Governance is a term that collectively represents the system of policies, standards, guidelines and procedures that help steer an organisation’s operations and decisions day in and day out.
What is a security policy ?
A formal statement of rules by which people who are given access to an organisation’s technology and assets must abide.
What are the 4 policy Types ?
- Sr. Mgmt. - a high-level management statement.
- Regulatory - Highly detailed and precise policy dictated by government or legal requirements.
- Advisory - Not mandatory, but highly recommended set of policies. (Most policies reside here)
- Informative - No restrictions or requirements just an FYI.
What is ISO 27002 (formerly 17799) ?
An international standard for information security policies.
Standards (& Baselines?)
Standards are specific & Mandatory requirements that support policies.
Ex: A policy might demand the use of 2-factor authentication; the standard might dictate the technology, such as an RSA token.
What are Baselines ? (G.C.P)
Identify consistencies for certain security architecture requirements.
* These are used to create Standards.
What are Guidelines ? (GCP)
Guidelines are like standards but function as recommendations rather than mandatory requirements.
What are Procedures ? (GCP)
Procedures provide specific details on how to implement specific policies and thus meet the pre-defined standards.
Examples of Procedures (GCP) ?
- Standard Operating Procedures
- Run Books
- User guides
Third Party Governance (GCP) ?
Info. sec. policies and procedures should address outsourced and third party companies and consultants.
Examples: SLAs, Access Control, Document Exchange
What are Service Level Agreements (SLA)?
- Establish a minimum performance standard for a system, service, application or network.
What is Identity Management ?
- established through account provisioning and de-provisioning.
- access control and directory services.
- purpose is to identify an object or subject.
What is PKI ?
Public Key Infrastructure:
- A component of identity management
- facilitates authentication, non-repudiation and access control using digital certificates.
Benefits of Job rotation
- Reduces opportunity for waste, fraud and abuse
- Reduces dependence through cross training
- Promotes professional growth
- Reduces monotony and / or fatigue for individuals.
Benefits of Separation of Duty ?
- Reduces opportunity for waste, fraud and abuse
* Provides 2 man control (dual control, 2 person integrity)
What is a threat (Risk Management) ?
A natural or man-made circumstance or event that could have an adverse effect / impact on an organisational asset.
What is a vulnerability (Risk Management) ?
The absence or weakness of a safeguard to an asset.
What is an Asset (Risk Management) ?
A resource, process, product or system that has value to an organisation and therefore should be protected.
What is Risk ?
Risk = Threat x Vulnerability
What is the Risk management triple ?
- An Asset
- A vulnerability
- A Threat
Risk management elements ?
- Identification
- Analysis
- Risk Treatment
What is Risk Identification ?
- occurs during Risk Assessment.
* detecting and defining specific elements of the three components of risk.
What is Asset Valuation ?
Identifying an organisation’s assets and determining their value.
* Can be qualitative (importance) and quantitative (cost).
Threat Analysis (4 steps) ?
1) Identify the actual threat
2) Identify consequences of the threat
3) Determine the frequency of a threat event
4) Assess the probability that a threat will actually happen
What is a vulnerability assessment ?
- provides a baseline for determining appropriate and necessary safeguards.
What is Risk Analysis ?
An examination of all components of risk management (* Identification * Analysis * Risk Treatment ).
Risk Analysis (4 steps) ?
1) Identify the Assets
2) determine specific threats against assets.
3) calculate annualised loss expectancy (ALE)
4) Select appropriate safeguards.
What is the Annualised Loss Expectancy (ALE) ?
A standardised quantifiable measure of the impact that a realised threat has on an organisation’s assets.
* useful for determining the cost-benefit ratio of a safeguard or control
How do you determine ALE ?
SLE x ARO = ALE
Single Loss Expectancy (SLE) ?
A measure of loss incurred from a single realised threat or event.
Asset value x Exposure Factor
What is Exposure Factor ?
A measure of the negative effect or impact that a realised threat or event would have on a specific asset.
What is Annualised Rate of Occurrence (ARO) ?
The estimated annual frequency of occurrence for a threat or event.
What is a safeguard ?
A safeguard is a control or countermeasure that reduces risk and is associated with a specific threat.
How does a safeguard counter Risk ?
1) Risk Reduction - Mitigation via security controls / policies
2) Risk Assignment - transferring risk to a third party such as an insurance company
3) Risk Avoidance - Eliminating the risk altogether
4) Risk Acceptance - accepting the loss associated with a potential risk. (Not prudent)
Criteria for Safeguards ?
1) Cost Effectiveness - cost-benefit analysis (TCO)
2) Legal Liability
3) Operational Impact
4) Technical factors - the safeguard should not introduce new vulnerabilities.