Lecture 4 Flashcards

1
# **?** process of identifying and controlling risks facing an organization ## Footnote **Risk Management**
Risk Management
2
# **?** process of examining an organization’s current information technology security situation ## Footnote **Risk Management**
Risk Identification
3
# **?** applying controls to reduce risks to an organization’s data and information systems ## Footnote **Risk Management**
Risk Control
4
Began as an advantage | Competitiveness ## Footnote **Risk Management**
Information Technology Role
5
Now falling behind is a disadvantage | Competitiveness ## Footnote **Risk Management**
Information Technology Role
6
# **?** is a necessity | Competitiveness ## Footnote **Risk Management**
Availability
7
Understand the technology and systems in your organization | An Overview of Risk Management ## Footnote **Risk Management**
Know yourself
8
Identify, examine, and understand threats | An Overview of Risk Management ## Footnote **Risk Management**
Know the enemy
9
(3) Role of Communities of Interest | An Overview of Risk Management | Enumerate ## Footnote **Risk Management**
* Information Security * Management and Users * Information Technology
10
Verify **?** of asset inventory | The Roles of Communities of Interest - Management Review ## Footnote **Risk Management**
completeness/accuracy
11
Review and verify threats as well as **?** strategies | The Roles of Communities of Interest - Management Review ## Footnote **Risk Management**
controls and mitigation
12
Review **?** of each control | The Roles of Communities of Interest - Management Review ## Footnote **Risk Management**
cost effectiveness
13
**?** of controls deployed | The Roles of Communities of Interest - Management Review ## Footnote **Risk Management**
Verify effectiveness
14
Risk management involves identifying **?** and identifying **??** | Risk Identification ## Footnote **Risk Management**
* organization’s assets * threats/vulnerabilities
15
# **?** begins with identification of assets, including all elements of an organization’s system (people, procedures, data and information, software, hardware, networking) | Asset Identification and Valuation ## Footnote **Risk Management**
Iterative Process
16
# **?** are then classified and categorized | Asset Identification and Valuation ## Footnote **Risk Management**
Assets
17
Human resources, documentation, and data information assets are more difficult to **?** | People, Procedures, and Data Asset Identification ## Footnote **Risk Management**
identify
18
People with knowledge, experience, and good judgment should be assigned this **?** | People, Procedures, and Data Asset Identification ## Footnote **Risk Management**
task
19
These assets should be recorded using a reliable **?** process | People, Procedures, and Data Asset Identification ## Footnote **Risk Management**
data-handling
20
Asset attributes for **?**: position name/number/ID; supervisor; security clearance level; special skills (try to avoid recording names) | People, Procedures, and Data Asset Identification ## Footnote **Risk Management**
people
21
Asset attributes for **?**: * Intended purpose * Relationship to software, hardware, network elements * Storage location | People, Procedures, and Data Asset Identification ## Footnote **Risk Management**
procedures
22
Asset attributes for **?**: * classification * owner/creator/manager * data structure size * data structure used * online/offline * location * backup procedures employed | People, Procedures, and Data Asset Identification ## Footnote **Risk Management**
data
23
(4) Asset attributes to be considered are: | Hardware, Software, and Network Asset Identification | Enumerate ## Footnote **Risk Management**
* Name (device or program name) * IP address * Media access control (MAC) address * Element type (server, desktop, etc.), device class, device OS, device capacity
24
Where on network | Hardware, Software, and Network Asset Identification ## Footnote **Risk Management**
Logical Location
Organization unit to which it belongs | Hardware, Software, and Network Asset Identification ## Footnote **Risk Management**
Controlling entity
26
Many organizations have **?** schemes (e.g., confidential, internal, public data) | Information Asset Classification ## Footnote **Risk Management**
data classification
27
# **?** must be specific enough to allow determination of priority | Information Asset Classification ## Footnote **Risk Management**
Classification
28
# **?**: all information fits somewhere in the list | Information Asset Classification ## Footnote **Risk Management**
Comprehensive
29
# **?**: each item fits in only one place | Information Asset Classification ## Footnote **Risk Management**
Mutually exclusive
30
# **?** help develop criteria for asset valuation: which information asset | Information Asset Valuation ## Footnote **Risk Management**
Questions
31
# **?** (4) Questions help develop criteria for asset valuation: which information asset | Information Asset Valuation | Enumerate Example ## Footnote **Risk Management**
* is most critical to organization’s success? * generates the most revenue? * generates the most profit? * would be most expensive to replace?
33
# **?** (2) Questions help develop criteria for asset valuation: which information asset | Information Asset Valuation | Enumerate Example ## Footnote **Risk Management**
* would be most expensive to protect? * would be most embarrassing or cause the greatest liability if revealed?
34
# **?** Calculate the relative importance of each asset | Listing Assets in Order of Importance ## Footnote **Risk Management**
Weighted factor analysis
35
(3) Each information asset is assigned a score for each critical factor (0.1 to 1.0) | Listing Assets in Order of Importance | Enumerate ## Footnote **Risk Management**
* Impact to revenue * Impact to profitability * Impact to public image
36
Each critical factor is assigned a weight **?** | Listing Assets in Order of Importance | Enumerate ## Footnote **Risk Management**
(1-100)
37
(2) Variety of classification schemes used by corporate and military organizations | Data Classification and Management | Enumerate ## Footnote **Risk Management**
* Georgia-Pacific Corporation (G-P) scheme * U.S. military classification scheme
38
# **?** Confidential, sensitive or proprietary | Data Classification and Management ## Footnote **Risk Management**
Georgia-Pacific Corporation (G-P) scheme
39
# **?** Internal, G-P employee, authorized contractors | Data Classification and Management ## Footnote **Risk Management**
Georgia-Pacific Corporation (G-P) scheme
40
# **?** External, public | Data Classification and Management ## Footnote **Risk Management**
Georgia-Pacific Corporation (G-P) scheme
41
(5) U.S. military classification scheme | Data Classification and Management | Enumerate Example ## Footnote **Risk Management**
* Unclassified data * Sensitive but unclassified data * Confidential data * Secret data * Top secret data
42
# **?** responsible for classifying their information assets | Data Classification and Management ## Footnote **Risk Management**
Information owners
43
# **?** must be reviewed periodically | Data Classification and Management ## Footnote **Risk Management**
Information classifications
44
Most organizations do not need detailed level of classification used by **?** or **??** agencies. | Data Classification and Management ## Footnote **Risk Management**
* military * federal
45
(4) Organizations may need to classify data to provide protection | Data Classification and Management | Enumerate ## Footnote **Risk Management**
* Public * For official use only * Sensitive * Classified
46
Assign classification to all **?** | Data Classification and Management ## Footnote **Risk Management**
data
47
Grant access to data based on **?** | Data Classification and Management ## Footnote **Risk Management**
classification and need
48
Devise some method of managing data relative to **?** | Data Classification and Management ## Footnote **Risk Management**
classification
49
# **?** : each data user assigned a single level of authorization indicating classification level | Security Clearances ## Footnote **Risk Management**
Security clearance structure
50
Before accessing specific set of data, employee must meet **?** requirement | Security Clearances ## Footnote **Risk Management**
need-to-know
51
Extra level of protection ensures information confidentiality is **?** | Security Clearances ## Footnote **Risk Management**
maintained
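Cards 49-51 state the access rule in words: one clearance level per user, plus a need-to-know requirement that must be met before a specific data set is released. The following is an added example, not lecture material, of the check an access-control layer would perform using the four levels card 45 lists for a non-military organization. The users, files and compartment names are constructed; representing need-to-know as compartment tags on both the user and the data is an assumption of this example, since the cards only say the requirement must be met.

```python
"""Clearance and need-to-know check before granting access to classified data.
Added illustration, not lecture material. The levels are the four the cards
give for a non-military organization; users, data objects and compartment
names are constructed. Modelling need-to-know as named compartments on both
the user and the data is an assumption of this example."""
from dataclasses import dataclass

# Ordered lowest to highest; a clearance at index i may read levels <= i.
LEVELS = ("Public", "For official use only", "Sensitive", "Classified")
RANK = {level: i for i, level in enumerate(LEVELS)}


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str                         # single level per user (card 49)
    need_to_know: frozenset = frozenset()  # compartments the user is authorized for


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: str
    compartments: frozenset = frozenset()  # empty means no need-to-know restriction


def check_access(subject: Subject, obj: DataObject):
    """Return (allowed, reason). Access requires BOTH that the clearance level is
    at least the data's classification (no read-up) and that the user's
    need-to-know covers every compartment on the object."""
    if obj.classification not in RANK:
        return False, f"{obj.name}: unknown classification {obj.classification!r}"
    if subject.clearance not in RANK:
        return False, f"{subject.user}: unknown clearance {subject.clearance!r}"
    if RANK[subject.clearance] < RANK[obj.classification]:
        return False, (f"{subject.user}: clearance {subject.clearance} is below "
                       f"{obj.classification}")
    missing = obj.compartments - subject.need_to_know
    if missing:
        return False, f"{subject.user}: need-to-know not met for {', '.join(sorted(missing))}"
    return True, "ok"


def denied_pairs(subjects, objects):
    """Every (user, object, reason) the policy refuses; useful as an audit listing."""
    return [(s.user, o.name, reason)
            for s in subjects for o in objects
            for allowed, reason in [check_access(s, o)] if not allowed]


# Constructed users and data objects.
ALICE = Subject("alice", "Classified", frozenset({"payroll"}))
BOB = Subject("bob", "Sensitive", frozenset({"payroll", "merger"}))
CAROL = Subject("carol", "Public")
PAYROLL = DataObject("payroll_2024.xlsx", "Sensitive", frozenset({"payroll"}))
MERGER_MEMO = DataObject("merger_memo.docx", "Classified", frozenset({"merger"}))
PRESS_RELEASE = DataObject("press_release.txt", "Public")

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        for what in (PAYROLL, MERGER_MEMO, PRESS_RELEASE):
            allowed, reason = check_access(who, what)
            print(f"{'ALLOW' if allowed else 'DENY ':5} {who.user:6} -> {what.name:20} {reason}")
```

The point the run makes is card 51's "extra level of protection": alice holds the highest clearance yet is refused the merger memo because she lacks the need-to-know compartment, while bob, who has that compartment, is refused because his clearance is too low. Both conditions have to hold, and the check order (clearance first) means a failed clearance test never leaks which compartments an object carries.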
52
Storage, distribution, portability, and destruction of **?** | Management of Classified Data ## Footnote **Risk Management**
classified data
53
Information not unclassified or public must be clearly **?** as such | Management of Classified Data ## Footnote **Risk Management**
marked
54
# **?** requires all information be stored in appropriate storage container daily; unneeded copies of classified information are destroyed | Management of Classified Data ## Footnote **Risk Management**
Clean desk policy
55
# **?** can compromise information security | Management of Classified Data ## Footnote **Risk Management**
Dumpster diving
56
# **?** need investigation; unimportant threats are set aside | Threat Assessment ## Footnote **Risk Management**
Realistic threats
57
Each of the threats must be **?** to assess potential damage | Threat Assessment ## Footnote **Risk Management**
examined
58
(4) (Questions) | Threat Assessment ## Footnote **Risk Management**
* Which threats present a danger to an organization’s assets? * Which threats represent the most danger (probability of attack)? * How much would it cost to recover from a successful attack? * Which threat requires the greatest expenditure to prevent?
59
Identify each **?** and each **??** it faces | Vulnerability Identification ## Footnote **Risk Management**
* asset * threat
60
Create a list of **?** | Vulnerability Identification ## Footnote **Risk Management**
vulnerabilities
61
Examine how each of the threats is likely to be **?** | Vulnerability Identification ## Footnote **Risk Management**
perpetrated
62
**?** evaluates the relative risk for each vulnerability | Risk Assessment ## Footnote **Risk Management**
Risk assessment
63
Assigns a **?** to each **??** | Risk Assessment ## Footnote **Risk Management**
* risk rating or score * information asset
64
Final summary is compiled in the **?** | Documenting Results of Risk Assessment ## Footnote **Risk Management**
ranked vulnerability risk worksheet
65
(5) Worksheet details **?**, **??**, **???**, **????**, and **?????**. | Documenting Results of Risk Assessment | Enumerate ## Footnote **Risk Management**
* asset * asset impact * vulnerability * vulnerability likelihood * risk-rating factor
66
Order by **?** factor | Documenting Results of Risk Assessment ## Footnote **Risk Management**
risk-rating
67
# **?** is initial working document for next step in risk management process: assessing and controlling risk | Documenting Results of Risk Assessment ## Footnote **Risk Management**
Ranked vulnerability risk worksheet
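Worked example covering cards 34-36 (weighted factor analysis) and cards 64-67 (the ranked vulnerability risk worksheet), since the worksheet's "asset impact" column is exactly the weighted score the factor analysis produces. This is added illustration, not lecture material; the asset names, factor scores, weights, vulnerabilities and likelihoods are all constructed. Two assumptions are this example's own: the factor weights are chosen to sum to 100, and the risk-rating factor is computed as vulnerability likelihood × asset impact, which the cards list as a worksheet column but do not define.

```python
"""Weighted factor analysis (asset importance) feeding a ranked vulnerability
risk worksheet. Added illustration, not lecture material; all inputs are
constructed. Assumptions: factor weights sum to 100, and the risk-rating
factor is likelihood x asset impact (the cards do not define the formula)."""
from dataclasses import dataclass

# Critical factors and their weights (each 1-100; chosen here to sum to 100).
FACTOR_WEIGHTS = {"revenue": 30, "profitability": 40, "public_image": 30}

# Constructed scores: each asset gets 0.1-1.0 per critical factor.
ASSET_SCORES = {
    "Customer order database": {"revenue": 1.0, "profitability": 0.9, "public_image": 0.8},
    "Public web server":       {"revenue": 0.6, "profitability": 0.5, "public_image": 1.0},
    "HR payroll application":  {"revenue": 0.3, "profitability": 0.6, "public_image": 0.7},
    "Internal wiki":           {"revenue": 0.1, "profitability": 0.2, "public_image": 0.3},
}

# Constructed asset/vulnerability pairs with an estimated likelihood (0.0-1.0).
VULNERABILITIES = [
    ("Customer order database", "SQL injection in order-lookup form", 0.5),
    ("Customer order database", "Unencrypted nightly backup tape", 0.2),
    ("Public web server", "Unpatched TLS library", 0.7),
    ("HR payroll application", "Shared administrator password", 0.4),
    ("Internal wiki", "Default credentials left in place", 0.9),
]


def validate(weights, scores):
    """Reject inputs outside the ranges the method defines."""
    if any(not 1 <= w <= 100 for w in weights.values()):
        raise ValueError("each factor weight must be 1-100")
    if sum(weights.values()) != 100:
        raise ValueError("factor weights are assumed to sum to 100")
    for asset, per_factor in scores.items():
        if set(per_factor) != set(weights):
            raise ValueError(f"{asset}: must score exactly the weighted factors")
        if any(not 0.1 <= s <= 1.0 for s in per_factor.values()):
            raise ValueError(f"{asset}: scores must be 0.1-1.0")


def rank_assets(scores, weights):
    """Weighted score per asset (sum of score x weight), highest first."""
    validate(weights, scores)
    weighted = {a: round(sum(s[f] * w for f, w in weights.items()), 1)
                for a, s in scores.items()}
    return sorted(weighted.items(), key=lambda kv: kv[1], reverse=True)


@dataclass(frozen=True)
class WorksheetRow:
    asset: str
    asset_impact: float      # weighted score from rank_assets
    vulnerability: str
    likelihood: float        # estimated probability the vulnerability is exploited
    risk_rating: float       # likelihood x asset_impact (assumption, see docstring)


def build_worksheet(vulns, scores, weights):
    """Ranked vulnerability risk worksheet, ordered by risk-rating factor."""
    impact = dict(rank_assets(scores, weights))
    rows = []
    for asset, vuln, likelihood in vulns:
        if not 0.0 <= likelihood <= 1.0:
            raise ValueError(f"{vuln}: likelihood must be 0.0-1.0")
        rows.append(WorksheetRow(asset, impact[asset], vuln, likelihood,
                                 round(likelihood * impact[asset], 1)))
    return sorted(rows, key=lambda r: r.risk_rating, reverse=True)


if __name__ == "__main__":
    for asset, score in rank_assets(ASSET_SCORES, FACTOR_WEIGHTS):
        print(f"{score:6.1f}  {asset}")
    print()
    for r in build_worksheet(VULNERABILITIES, ASSET_SCORES, FACTOR_WEIGHTS):
        print(f"{r.risk_rating:6.1f}  {r.asset} / {r.vulnerability}")
```

Running it shows why the worksheet is ordered by risk-rating factor rather than by likelihood alone: the near-certain default-credentials problem on the internal wiki lands at the bottom (0.9 × 20.0 = 18.0), while the less likely TLS and SQL injection issues on high-value assets head the list. The sort is stable, so rows with equal ratings keep their worksheet order.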
68
Once ranked vulnerability risk worksheet complete, must choose **one of four strategies to control each risk**: | Risk Control Strategies | Enumerate ## Footnote **Risk Management**
* avoidance * transference * mitigation * acceptance
69
Apply safeguards that eliminate or reduce residual risks (**?**) | Risk Control Strategies - 4 Strategies ## Footnote **Risk Management**
avoidance
70
Transfer the risk to other areas or outside entities (**?**) | Risk Control Strategies - 4 Strategies ## Footnote **Risk Management**
transference
71
Reduce the impact should the vulnerability be exploited (**?**) | Risk Control Strategies - 4 Strategies ## Footnote **Risk Management**
mitigation
72
Understand the consequences and accept the risk without control or mitigation (**?**) | Risk Control Strategies - 4 Strategies ## Footnote **Risk Management**
acceptance
73
# **?** Attempts to prevent exploitation of the vulnerability ## Footnote **Risk Management**
Avoidance
74
# **?** accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards | Avoidance ## Footnote **Risk Management**
Preferred approach
75
(3) Three common methods of risk avoidance: | Avoidance | Enumerate ## Footnote **Risk Management**
* Application of policy * Training and education * Applying technology
76
# **?** Control approach that attempts to shift risk to other assets, processes, or organizations ## Footnote **Risk Management**
Transference
77
(5) Examples (of Transference I think) | Transference | Enumerate Example ## Footnote **Risk Management**
* Rethinking how services are offered * Revising deployment models * Outsourcing * Purchasing insurance * Implementing service contracts
78
# **?** Concentrate on what you do best | Transference ## Footnote **Risk Management**
In Search of Excellence
79
# **?** Attempts to reduce impact of vulnerability exploitation through planning and preparation ## Footnote **Risk Management**
Mitigation
80
Approach includes three types of plans: | Mitigation | Enumerate ## Footnote **Risk Management**
* Incident response plan (IRP) * Disaster recovery plan (DRP) * Business continuity plan (BCP)
81
# **?** is most common mitigation procedure | Mitigation | 3 types of plans ## Footnote **Risk Management**
Disaster recovery plan (DRP)
82
The actions to take while incident is in progress is defined in **?** | Mitigation | 3 types of plans ## Footnote **Risk Management**
Incident response plan (IRP)
83
# **?** encompasses continuation of business activities if catastrophic event occurs | Mitigation | 3 types of plans ## Footnote **Risk Management**
Business continuity plan (BCP)
84
# **?** **Doing nothing** to protect a vulnerability and accepting the outcome of its exploitation ## Footnote **Risk Management**
Acceptance
85
# **?** Valid only when the particular function, service, information, or asset **does not justify cost of protection** ## Footnote **Risk Management**
Acceptance
86
# **?** describes the degree to which organization is **willing to accept risk** as trade-off to the expense of applying controls | Acceptance ## Footnote **Risk Management**
Risk appetite
87
Level of threat and value of asset play major role in **?** | Selecting a Risk Control Strategy ## Footnote **Risk Management**
selection of strategy
88
# **?** implement security control to reduce likelihood | Selecting a Risk Control Strategy ## Footnote **Risk Management**
When a vulnerability exists
89
# **?** apply layered protections, architectural designs, and administrative controls | Selecting a Risk Control Strategy ## Footnote **Risk Management**
When a vulnerability can be exploited
90
# **?** apply protection to increase attackers costs | Selecting a Risk Control Strategy ## Footnote **Risk Management**
When attacker’s cost is less than potential gain
91
# **?** redesign, new architecture, controls | Selecting a Risk Control Strategy ## Footnote **Risk Management**
When potential loss is substantial
92
(4) Categories of Controls | Categories of Controls | Enumerate ## Footnote **Risk Management**
* Control Function * Architectural Layer * Strategy Layer * Information Security Principle
93
# **?** Preventive & detective | Categories of Controls ## Footnote **Risk Management**
Control Function
94
# **?** Organizational policy, external networks, intranets, network devices, systems | Categories of Controls ## Footnote **Risk Management**
Architectural layer
95
# **?** Avoidance, mitigation, or transference | Categories of Controls ## Footnote **Risk Management**
Strategy layer
96
# **?** Classified by characteristics: Confidentiality, integrity, availability, authentication, authorization, accountability, privacy | Categories of Controls ## Footnote **Risk Management**
Information security principle
97
# **?** Compare cost to potential loss ## Footnote **Risk Management**
Feasibility Studies
98
# **?** is the process of avoiding the financial impact of an incident | Feasibility Studies ## Footnote **Risk Management**
Cost avoidance
99
# **?** Evaluate worth of asset ## Footnote **Risk Management**
Cost Benefit Analysis
100
Loss of value if asset **?** | Cost Benefit Analysis ## Footnote **Risk Management**
compromised
101
(4) Items affecting **cost of control** | Cost Benefit Analysis | Enumerate Example ## Footnote **Risk Management**
* Cost of development or acquisition * Cost of implementation * Services costs * Cost of maintenance
102
# **?** value gained by using controls | Cost Benefit Analysis ## Footnote **Risk Management**
Benefits
103
Calculate the single loss expectancy: **?** = asset value × exposure factor; **??** = percentage of the asset’s value lost in a single exploitation | Cost Benefit Analysis - Assess worth of asset ## Footnote **Risk Management**
* SLE * Exposure factor
104
Calculate the annualized loss expectancy: **?** = SLE × ARO (annualized rate of occurrence) | Cost Benefit Analysis - Assess worth of asset ## Footnote **Risk Management**
ALE
105
# **?** determines whether or not the control alternative being evaluated is worth the cost incurred to control the vulnerability | Cost Benefit Analysis Formula ## Footnote **Risk Management**
CBA (cost-benefit analysis)
106
**?** = ALE (prior) – ALE (post) – ACS | Cost Benefit Analysis Formula ## Footnote **Risk Management**
CBA
107
# **?** is annualized loss expectancy of risk before implementation of control | Cost Benefit Analysis Formula ## Footnote **Risk Management**
ALE(prior)
108
# **?** is estimated ALE based on control being in place for a period of time | Cost Benefit Analysis Formula ## Footnote **Risk Management**
ALE(post)
109
# **?** is the annualized cost of the safeguard | Cost Benefit Analysis Formula ## Footnote **Risk Management**
ACS
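Cards 103-109 give the formulas; the following added example (not lecture material) carries them through for one vulnerability and four candidate controls so the decision rule in card 105 is visible. The asset value, exposure factors, rates of occurrence and control costs are constructed. One modelling assumption is this example's own: a control is described by the exposure factor and ARO expected once it is in place, plus its annualized cost (ACS), so that ALE(post) is just the ALE recomputed with those post-control figures.

```python
"""Cost-benefit analysis of candidate controls with SLE, ALE and CBA.
Added illustration, not lecture material; the asset value, exposure factors,
rates of occurrence and control costs are constructed. Formulas as on the
cards: SLE = asset value x EF, ALE = SLE x ARO, CBA = ALE(prior) - ALE(post) - ACS.
Assumption: a control is described by the EF and ARO expected once it is in
place, plus its annualized cost (ACS)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float       # value of the asset, currency units
    exposure_factor: float   # EF: fraction of asset value lost per incident
    aro: float               # annualized rate of occurrence (incidents per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be 0.0-1.0")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized loss expectancy."""
        return round(self.sle() * self.aro, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float     # ACS
    ef_after: float        # EF expected with the control in place
    aro_after: float       # ARO expected with the control in place


def cba(prior: Exposure, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    post = Exposure(prior.asset_value, control.ef_after, control.aro_after)
    return round(prior.ale() - post.ale() - control.annual_cost, 2)


def justified(prior: Exposure, control: Control) -> bool:
    return cba(prior, control) > 0


def rank_controls(prior: Exposure, controls):
    """Candidate controls by CBA, best first. If every value is negative, the
    asset does not justify the cost of protection and acceptance is the
    defensible strategy (card 85)."""
    return sorted(((c.name, cba(prior, c)) for c in controls),
                  key=lambda nc: nc[1], reverse=True)


# Constructed scenario: SQL injection against a 1,000,000 customer database,
# 30 % of value lost per incident, expected once every two years.
PRIOR = Exposure(asset_value=1_000_000, exposure_factor=0.30, aro=0.5)

CONTROLS = [
    Control("Web application firewall", annual_cost=40_000, ef_after=0.30, aro_after=0.10),
    Control("Parameterized queries (remediation cost amortized over 3 years)",
            annual_cost=40_000, ef_after=0.30, aro_after=0.02),
    Control("Cyber insurance (transference)", annual_cost=60_000, ef_after=0.10, aro_after=0.5),
    Control("Replace the application (ARO taken as 0)", annual_cost=200_000,
            ef_after=0.0, aro_after=0.0),
]

if __name__ == "__main__":
    print(f"SLE={PRIOR.sle():,.0f}  ALE(prior)={PRIOR.ale():,.0f}")
    for name, value in rank_controls(PRIOR, CONTROLS):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{value:>10,.0f}  {verdict:14}  {name}")
```

With these figures SLE is 300,000 and ALE(prior) is 150,000 a year. Two controls at the same annual cost separate cleanly on how far they cut the ARO, insurance scores lower because it reduces only the loss per incident and not its frequency, and the most thorough option has a negative CBA: it removes the entire 150,000 of expected loss but costs 200,000 a year to do so. That last case is the situation cards 84-85 describe, where the cost of protection is not justified and the residual risk is accepted, or a cheaper control is chosen instead.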
110
# **?** An alternative approach to risk management ## Footnote **Risk Management**
Benchmarking
111
# **?** is process of seeking out and studying practices in **other organizations** that one’s own organization **desires to duplicate** ## Footnote **Risk Management**
Benchmarking
112
(2) One of two measures typically used to compare practices: | Benchmarking ## Footnote **Risk Management**
* Metrics-based measures * Process-based measures
113
(6) Metrics-based measures are comparisons based on numerical standards: | Benchmarking --Metrics-based measures ## Footnote **Risk Management**
* Number of successful attacks * Staff-hours spent on systems protection * Dollars spent on protection * Number of security personnel * Estimated value of information lost in attacks * Loss in productivity hours
114
# **?** Less focus on numbers ## Footnote **Risk Management**
Benchmarking -- Process-based measures
115
More strategic than **?** | Benchmarking -- Process-based measures ## Footnote **Risk Management**
metrics-based measures
116
Examine **?** an individual company performs | Benchmarking -- Process-based measures ## Footnote **Risk Management**
activities
117
# **?** when **adopting levels of security for a legal defense**, organization shows it **has done what any prudent organization would do in similar circumstances** | Benchmarking ## Footnote **Risk Management**
Standard of due care
118
# **?** demonstration that organization is **diligent in ensuring that implemented standards continue to provide** required level of protection | Benchmarking ## Footnote **Risk Management**
Due diligence
119
Failure to support standard of due care or due diligence can leave organization open to **?** | Benchmarking ## Footnote **Risk Management**
legal liability
120
Security efforts that provide a superior level of protection of information | Benchmarking – Best Practices ## Footnote **Risk Management**
Best business practices
121
Organizations don’t talk to each other (**?**) | Problems with Applying Benchmarking and Best Practices ## Footnote **Risk Management**
biggest problem
122
No two organizations are **?** | Problems with Applying Benchmarking and Best Practices ## Footnote **Risk Management**
identical
123
Knowing what **was going on** in information security industry in recent years through **?** **doesn’t** necessarily prepare for what’s **next** | Problems with Applying Benchmarking and Best Practices ## Footnote **Risk Management**
benchmarking
124
Analysis of measures against established standards ## Footnote **Risk Management**
Baselining
125
In information security, **?** is comparison of security activities and events against an organization’s future performance. ## Footnote **Risk Management**
baselining
126
The information gathered for an organization’s **?** becomes the baseline for future comparison. | Baselining ## Footnote **Risk Management**
first risk assessment
127
“The goal of information security is not to bring **?** to zero; it is to bring residual risk into line with an organization’s comfort zone or **??**.” | KEY ## Footnote **Risk Management**
* residual risk * risk appetite
128
At minimum, each information **?** should have documented **control strategy** clearly identifying any remaining residual risk, and **feasibility studies** to justify the findings. | Documenting Results ## Footnote **Risk Management**
asset-threat pair
130
# **?** document outcome of control strategy for each information asset-vulnerability pair as an action plan | Documenting Results ## Footnote **Risk Management**
Another option