Information Security Governance & Risk Management

Question 1

What is the C-I-A Triad ?

Answer 1

Confidentiality - Integrity - Availability

• three sides domain (triangle shaped)
• all other domans are based on these 3 concepts

Question 2

What is Confidentiality (CIA) ?

Answer 2

• Prevention of unauthourised use or disclosure of information.
• associated with Privacy.
• Privacy ensures the confidentiality of personal data.

Question 3

What is Integrity (CIA) ?

Answer 3

Integrity safeguards the accuracy of and completeness of information and processing methods.

Question 4

What does integrity ensure ?

Answer 4

• Unauthourised users or processes don’t make modications to data.
• Authourised users and processes don’t make unauthourised modifications to data.
• Data is internally and externally consistent, meaning a given input produces an expected output.

Question 5

What is Availability (CIA) ?

Answer 5

This ensures that authourised users have reliable and times access to informaton and associated systems and assets when needed.

Question 6

Threats to availability (CIA) ?

Answer 6

• Denial of Service
• Single points of failure
• equipment malfunction
• inadequate capacity planning
• business interuptions / disasters
• fail-safe control mechanisms.

Question 7

The Opposite of C-I-A ?

Answer 7

D-A-D:
D - Disclosure
A - Alteration
D - Destruction

Question 8

Defense in Depth ?

Answer 8

• An info. sec. strategy based on layers of defense.
• Has it’s roots in the military.
• Result of a holistic approach to IT Security.

Question 9

Commerical Data Classification ?

Answer 9

• implemented to protect information that has a monetary value. Criteria include:
• Value - monetary or intrinsic value
• Age / Useful Life - Information that loses value over time, becomes obsolete or irrelevant or becomes common / public knowledge is classified this way.

Question 10

Government Data Classifications

Answer 10

• protect national interests / security
• comply with applicable laws
• protect privacy

Question 11

Department of Defense Categories:

Answer 11

• Unclassified
• sensitive but unclassified (SBU)
• Confidential
• secret
• top secret

Question 12

D.o.D. Classification - Unclassified

Answer 12

• lowest level of classification
• not sensitive, no threat to national security
• Can include data that was previously classified, but has since been declassified.
• Can include - for official use only
• Can include - for internal use only

Question 13

D.o.D. Classification - Sensitive, but classified (SBU)

Answer 13

• information that is private, personal.

* Ex: Test Questions, disiplinary proceedings, medical records.

Question 14

D.o.D. Classification - Confidential

Answer 14

• Information that could damage national security

* lowest lest of classified gov. information.

Question 15

D.o.D. Classification - Secret

Answer 15

• information that could cause serious damage if leaked.

* must be accounted for throughout lifecycle.

Question 16

D.o.D. Classification - Top Secret

Answer 16

• information that could cause grave damage if leaked.
• must be accounted for throughout lifecycle.
• may include special designations
• handling restrictions

Question 17

What is a Mission Statement ?

Answer 17

• This expresses an organisations reasons to exist.
• Easily understood.
• general purpose statement.

Question 18

What are Goals and Objectives ?

Answer 18

• A goal is something(s) that an organisation is attempting to accomplish
• Should align with the mission statement
• Should define a vision for the organisation.
• AN objective is a milestone or a result that is expected to be achieved.
• An objective supports a goal (short term) which in turn supports a mission (Medium-Long term).

Question 19

What is Governance ?

Answer 19

Governane is a term that collectively represents the system of polices, standards, guidelines and procedures that help steer an organisation’s operations and decisions day in and day out.

Question 20

What is a security policy ?

Answer 20

a formal statement of rules by which people who are given access to an organisations technology and assets must abide by.

Question 21

What are the 4 policy Types ?

Answer 21

• Sr. Mgmnt - a high level management statement.
• Regulatory - Highly detailed and precise policy dictated by government or legal requirements.
• Advisory - Not mandatory, but highly recommended set of policies. (Most policies reside here)
• Informative - No restrictions or requirements just an FYI.

Question 22

What is ISO 27002 (formally 17799) ?

Answer 22

An international standard for information security policies.

Question 23

Standards (& Baselines?)

Answer 23

Standards are specific & Mandatory requirements that support policies.
Ex: A Policy might demand the use of 2 factor authentication, the standard might dictate that the technology such as an RSA token.

Question 24

What are Baselines ? (G.C.P)

Answer 24

identify consistencies for certain security architecture requirements.
* These are used to create Standards.

Question 25

What are Guidelines ? (GCP)

Answer 25

Guidelines are like standards but function as recommendations rather than mandatory requirements.

Question 26

What are Procedures ? (GCP)

Answer 26

Procedures provide specific details on how to implement specific policies and thus meet the pre-defined standards.

Question 27

Examples of Procedures (GCP) ?

Answer 27

• Standard Operating Procedures
• Run Books
• User guides

Question 28

Third Party Governance (GCP) ?

Answer 28

Info. sec. policies and procedures should address outsourced and third party companies and consultants.
Examples: SLAs, Access Control, Document Exchange

Question 29

What are Service Level Agreements (SLA)?

Answer 29

• stablish minimum performance standard for a system, service, application or network.

Question 30

What is Identity Management ?

Answer 30

• established through account provisioning and de-provisioning.
• access control and directory services.
• purpose is to identify an object or subject.

Question 31

What is PKI ?

Answer 31

Public Key Infrastructure:

• A component of identity management
• facilities authentication, non-repudiation and access control using digital certificates.

Question 32

Benefits of Job rotation

Answer 32

• Reduces opportunity for waste, fraud and abuse
• Reduces dependence through cross training
• Promotes professional growth
• Reduces monotony and / or fatigue for individuals.

Question 33

Benefits of Seperation of Duty ?

Answer 33

• Reduces opportunity for waste, fraud and abuse

* Provides 2 man control (dual control, 2 person integrity)

Question 34

What is a threat (Risk Management) ?

Answer 34

A natural or man mad circumstance or event that could have an adverse affect / impact to an organisational asset.

Question 35

What is a vulnerability (Risk Management) ?

Answer 35

The absense or weakness of a safeguard to to an asset.

Question 36

What is a Asset (Risk Management) ?

Answer 36

A resource, process, product or system that has value to an organisation and therefore should be protected.

Question 37

What is Risk ?

Answer 37

Risk = Threat x Vulnerability

Question 38

What is the Risk management triple ?

Answer 38

• An Asset
• A vulnerability
• A Threat

Question 39

Risk management elements ?

Answer 39

• Identification
• Analysis
• Risk Treatment

Question 40

What is Risk Indentification ?

Answer 40

• occurs during Risk Assessment.

* detecting and defining specific elements of the three components of risk.

Question 41

What is Asset Valuation ?

Answer 41

identifying an organisations assets and determining their value.
* Can be qualitative (importance) and quantitative.(cost)

Question 42

Threat Analysis (4 steps) ?

Answer 42

1) Identify the actual threat
2) Identify consequences of the threat
3) Determine the frequency of a threat event
4) Assess the probability that a threat will actually happen

Question 43

What is a vulnerability assessment ?

Answer 43

• provides a baseline for determining appropriate and neccessary safe guards.

Question 44

What is Risk Analysis ?

Answer 44

An examination of all components of risk management (* Identification * Analysis * Risk Treatment ).

Question 45

Risk Analysis (4 steps) ?

Answer 45

1) Identify the Assets
2) determine specific threats against assets.
3) calculate annualised loss expectancy (ALE)
4) Select Appropriate safe guards.

Question 46

What is the Annualised Loss Expectancy (ALE) ?

Answer 46

A standardised qualifiable measure of the impact that a realised threat has on an organisations assets.
* useful for determining the cost-benefit ratio of a safeguard or control

Question 47

How do you determine ALE ?

Answer 47

SLE x ARO = ALE

Question 48

Single Loss Expectancy (SLE) ?

Answer 48

A measure of loss incurred from a single realised threat or event.
Asset value x Exposure Factor

Question 49

What is Exposure Factor ?

Answer 49

A measure of the negative effect or impact that a realised threat or event would have on a specific asset.

Question 50

What is Annualised Rate of Occurance (ARO) ?

Answer 50

The estimated annual frequency of occurance for a threat or event.

Question 51

What is a safeguard ?

Answer 51

A safeguard is a control or countermeasure that reduces risk and is associated with a specific threat.

Question 52

How does a safeguard counter Risk ?

Answer 52

1) Risk Reduction - Mitigation of security controls / policies
2) Risk Assignment - transfering risk to a third party such as an insurance company
3) Risk Avoidance - Eliminating the risk althougher
4) Risk Acceptance - accepting the loss associated with a potential risk. (Not prudent)

Question 53

Criteria for Safe Guards ?

Answer 53

1) Cost Effectiveness - cost-benefit analysis (TCO)
2) Legal Liability
3) Operational Impact
4) Technical factors - safe guard should not introduce new vulnerabilities.