Information Security Governance & Risk Management Flashcards

1
Q

What is the C-I-A Triad ?

A

Confidentiality - Integrity - Availability

  • Three-sided domain (triangle shaped)
  • All other domains are based on these three concepts
2
Q

What is Confidentiality (CIA) ?

A
  • Prevention of unauthorised use or disclosure of information.
  • Associated with privacy.
  • Privacy ensures the confidentiality of personal data.
3
Q

What is Integrity (CIA) ?

A

Integrity safeguards the accuracy and completeness of information and processing methods.

4
Q

What does integrity ensure ?

A
  • Unauthorised users or processes do not make modifications to data.
  • Authorised users and processes do not make unauthorised modifications to data.
  • Data is internally and externally consistent, meaning a given input produces an expected output.
5
Q

What is Availability (CIA) ?

A

This ensures that authorised users have reliable and timely access to information and associated systems and assets when needed.

6
Q

Threats to availability (CIA) ?

A
  • Denial of Service
  • Single points of failure
  • Equipment malfunction
  • Inadequate capacity planning
  • Business interruptions / disasters
  • Fail-safe control mechanisms.
7
Q

The Opposite of C-I-A ?

A

D-A-D:
D - Disclosure
A - Alteration
D - Destruction

8
Q

Defense in Depth ?

A
  • An info. sec. strategy based on layers of defense.
  • Has its roots in the military.
  • Result of a holistic approach to IT Security.
9
Q

Commercial Data Classification ?

A
  • Implemented to protect information that has a monetary value. Criteria include:
  • Value - monetary or intrinsic value
  • Age / Useful Life - Information that loses value over time, becomes obsolete or irrelevant or becomes common / public knowledge is classified this way.
10
Q

Government Data Classifications

A
  • protect national interests / security
  • comply with applicable laws
  • protect privacy
11
Q

Department of Defense Categories:

A
  • Unclassified
  • Sensitive but unclassified (SBU)
  • Confidential
  • Secret
  • Top secret
12
Q

D.o.D. Classification - Unclassified

A
  • lowest level of classification
  • not sensitive, no threat to national security
  • Can include data that was previously classified, but has since been declassified.
  • Can include - for official use only
  • Can include - for internal use only
13
Q

D.o.D. Classification - Sensitive but unclassified (SBU)

A
  • Information that is private or personal.

* Ex: Test questions, disciplinary proceedings, medical records.

14
Q

D.o.D. Classification - Confidential

A
  • Information that could damage national security

* Lowest level of classified government information.

15
Q

D.o.D. Classification - Secret

A
  • information that could cause serious damage if leaked.

* must be accounted for throughout lifecycle.

16
Q

D.o.D. Classification - Top Secret

A
  • information that could cause grave damage if leaked.
  • must be accounted for throughout lifecycle.
  • may include special designations
  • handling restrictions
17
Q

What is a Mission Statement ?

A
  • This expresses an organisation's reason to exist.
  • Easily understood.
  • general purpose statement.
18
Q

What are Goals and Objectives ?

A
  • A goal is something(s) that an organisation is attempting to accomplish
  • Should align with the mission statement
  • Should define a vision for the organisation.
  • An objective is a milestone or a result that is expected to be achieved.
  • An objective supports a goal (short term) which in turn supports a mission (Medium-Long term).
19
Q

What is Governance ?

A

Governance is a term that collectively represents the system of policies, standards, guidelines and procedures that help steer an organisation's operations and decisions day in and day out.

20
Q

What is a security policy ?

A

A formal statement of the rules by which people who are given access to an organisation's technology and assets must abide.

21
Q

What are the 4 policy Types ?

A
  • Senior Management - a high-level management statement.
  • Regulatory - Highly detailed and precise policy dictated by government or legal requirements.
  • Advisory - Not mandatory, but highly recommended set of policies. (Most policies reside here)
  • Informative - No restrictions or requirements just an FYI.
22
Q

What is ISO 27002 (formerly 17799) ?

A

An international standard for information security policies.

23
Q

Standards (& Baselines?)

A

Standards are specific and mandatory requirements that support policies.
Ex: A policy might demand the use of two-factor authentication; the standard might dictate the technology, such as an RSA token.

24
Q

What are Baselines ? (G.C.P)

A

Identify consistencies for certain security architecture requirements.
* These are used to create Standards.

25
Q

What are Guidelines ? (GCP)

A

Guidelines are like standards but function as recommendations rather than mandatory requirements.

26
Q

What are Procedures ? (GCP)

A

Procedures provide specific details on how to implement specific policies and thus meet the pre-defined standards.

27
Q

Examples of Procedures (GCP) ?

A
  • Standard Operating Procedures
  • Run Books
  • User guides
28
Q

Third Party Governance (GCP) ?

A

Info. sec. policies and procedures should address outsourced and third party companies and consultants.
Examples: SLAs, Access Control, Document Exchange

29
Q

What are Service Level Agreements (SLA)?

A
  • Establish a minimum performance standard for a system, service, application or network.
30
Q

What is Identity Management ?

A
  • established through account provisioning and de-provisioning.
  • access control and directory services.
  • purpose is to identify an object or subject.
31
Q

What is PKI ?

A

Public Key Infrastructure:

  • A component of identity management
  • Facilitates authentication, non-repudiation and access control using digital certificates.
32
Q

Benefits of Job rotation

A
  • Reduces opportunity for waste, fraud and abuse
  • Reduces dependence through cross training
  • Promotes professional growth
  • Reduces monotony and / or fatigue for individuals.
33
Q

Benefits of Separation of Duties ?

A
  • Reduces opportunity for waste, fraud and abuse

* Provides two-man control (dual control, two-person integrity)

34
Q

What is a threat (Risk Management) ?

A

A natural or man-made circumstance or event that could have an adverse effect / impact on an organisational asset.

35
Q

What is a vulnerability (Risk Management) ?

A

The absence or weakness of a safeguard for an asset.

36
Q

What is an Asset (Risk Management) ?

A

A resource, process, product or system that has value to an organisation and therefore should be protected.

37
Q

What is Risk ?

A

Risk = Threat x Vulnerability

38
Q

What is the Risk management triple ?

A
  • An Asset
  • A vulnerability
  • A Threat
39
Q

Risk management elements ?

A
  • Identification
  • Analysis
  • Risk Treatment
40
Q

What is Risk Identification ?

A
  • occurs during Risk Assessment.

* detecting and defining specific elements of the three components of risk.

41
Q

What is Asset Valuation ?

A

Identifying an organisation's assets and determining their value.
* Can be qualitative (importance) or quantitative (cost).

42
Q

Threat Analysis (4 steps) ?

A

1) Identify the actual threat
2) Identify consequences of the threat
3) Determine the frequency of a threat event
4) Assess the probability that a threat will actually happen

43
Q

What is a vulnerability assessment ?

A
  • Provides a baseline for determining appropriate and necessary safeguards.
44
Q

What is Risk Analysis ?

A

An examination of all components of risk management (* Identification * Analysis * Risk Treatment ).

45
Q

Risk Analysis (4 steps) ?

A

1) Identify the assets
2) Determine specific threats against assets
3) Calculate annualised loss expectancy (ALE)
4) Select appropriate safeguards

46
Q

What is the Annualised Loss Expectancy (ALE) ?

A

A standardised quantifiable measure of the impact that a realised threat has on an organisation's assets.
* Useful for determining the cost-benefit ratio of a safeguard or control.

47
Q

How do you determine ALE ?

A

SLE x ARO = ALE

48
Q

Single Loss Expectancy (SLE) ?

A

A measure of loss incurred from a single realised threat or event.
Asset value x Exposure Factor

49
Q

What is Exposure Factor ?

A

A measure of the negative effect or impact that a realised threat or event would have on a specific asset.

50
Q

What is Annualised Rate of Occurrence (ARO) ?

A

The estimated annual frequency of occurrence for a threat or event.

51
Q

What is a safeguard ?

A

A safeguard is a control or countermeasure that reduces risk and is associated with a specific threat.

52
Q

How does a safeguard counter Risk ?

A

1) Risk Reduction - mitigation through security controls / policies
2) Risk Assignment - transferring risk to a third party such as an insurance company
3) Risk Avoidance - eliminating the risk altogether
4) Risk Acceptance - accepting the loss associated with a potential risk (not prudent)

53
Q

Criteria for Safeguards ?

A

1) Cost Effectiveness - cost-benefit analysis (TCO)
2) Legal Liability
3) Operational Impact
4) Technical factors - a safeguard should not introduce new vulnerabilities.