Lecture 5 Flashcards

Security Governance/Risk Management

1
Q

______ ensures the proper creation, implementation and enforcement of a security policy.

A

security management planning

2
Q

A ____ plan is long-term and relatively stable. It should define the mission, long-term goals and vision.

A

Strategic

3
Q

A ____ plan is a mid-term plan with more detail on how to achieve the long-term goals.

A

Tactical

4
Q

The _____ plan is a short-term, highly detailed plan based on day-to-day operations.

A

Operational

5
Q

A set of practices to support, define and direct the security efforts of an organization.

A: Security policy
B: Security plan
C: Security governance

A

C: Security governance

6
Q

Who is ultimately responsible for the security maintained by the organization? This role usually signs off on policies.

A

Senior Manager

7
Q

Who is responsible for classifying information?

A

Data owner

8
Q

A(n) _____ is responsible for testing and verifying that the security policy is properly implemented and that the security solutions are adequate.

A

auditor

9
Q

_____ groups security controls together by type or function in order to simplify security.

A. collecting
B. abstraction
C. grouping

A

B. abstraction

10
Q

What is data hiding used for?

A

Preventing data from being discovered or accessed by a subject that should not have access to it.

11
Q

______ is the art and science of hiding the meaning or intent of a communication from unintended recipients.

A

Encryption

12
Q

A control framework: a documented set of IT security best practices. It encourages mapping IT security ideals to business objectives.

A

CobiT

Control Objectives for Information and Related Technology

13
Q

_________ is using reasonable care to protect the interests of an organization.

A

Due care

14
Q

__________ is practicing the activities that maintain the due care effort.

A

Due diligence

15
Q

____ is information that can be traced back to a person and could be used to compromise their identity.

A

Personally identifiable information (PII)

16
Q

T/F: Privacy must be addressed in an organizational security policy.

A

True

17
Q

Match each type of document to its description.

  1. Policy
  2. Standards
  3. Guidelines
  4. Procedures

A. Recommendations/best practices
B. Specific mandatory controls
C. Step-by-step instructions
D. General management statements

A

  1. Policy: D. General management statements
  2. Standards: B. Specific mandatory controls
  3. Guidelines: A. Recommendations/best practices
  4. Procedures: C. Step-by-step instructions

18
Q

A ___ defines the scope of security, the assets to protect, security goals and practices, roles, responsibilities and risk levels. It is mandatory to have one.

A

security policy

19
Q

A ____ defines mandatory requirements for the use of hardware, software, technology, and security controls.

A

standard

20
Q

The minimum level of security that every system must meet is the ____.

A

baseline

21
Q

A _____ is a recommendation on how standards and baselines can be implemented.

A

guideline

22
Q

A ___ is a detailed, step-by-step document describing the exact actions needed to implement a specific security mechanism.

A

procedure

23
Q

The goal of _____ is to prevent any change from reducing or compromising security.

A

change management

24
Q

Why would you use parallel run in change management?

A

The new and old systems run side by side so that the new system's functionality can be verified before the old system is removed.

25
Q

What is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality?

A. Data roles
B. Data Security
C. Data Classification
D. None of the above

A

C. Data classification

26
Q

What is an asset?

A

Something in the environment that should be protected

27
Q

____ is the dollar value assigned to an asset based on its actual cost and the nonmonetary expenses to develop and maintain it.

A

asset valuation

28
Q

An event or situation that may cause an undesirable or unwanted outcome for an organization or for a specific asset

A

Threat

29
Q

A weakness in an asset or the absence or weakness of a safeguard or countermeasure

A

vulnerability

30
Q

Being susceptible to asset loss because of a threat

A

exposure

31
Q

The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset

A

risk

32
Q

Any mechanism that removes or reduces a vulnerability or protects against one or more specific threats

A

safeguard/countermeasure

33
Q

The occurrence of a security mechanism being bypassed or thwarted by a threat agent

A

breach

34
Q

Asset valuation is the ___ step of risk analysis.

A

1st

35
Q

Which type of risk analysis uses dollar figures and actual costs?

A. Qualitative
B. Quantitative

A

B. Quantitative

36
Q

The percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

A

Exposure Factor (EF) or loss potential

37
Q

The _________ is the cost associated with a single realized risk against a specific asset.

A

single loss expectancy (SLE)

38
Q

How do you calculate the SLE?

A

SLE = Asset Value * EF

(If AV = $200,000 and EF = 45%, then SLE = $90,000.)

39
Q

The expected frequency with which a specific threat or risk will occur

A

Annualized Rate of Occurrence (ARO)

40
Q

The possible yearly cost of all instances of a specific realized threat against a specific asset

A

Annualized Loss Expectancy (ALE)

41
Q

How do you calculate the annualized loss expectancy?

A

ALE = SLE * ARO

42
Q

Put the steps of quantitative risk analysis in order.

A. Calculate the ALE (annualized loss expectancy)
B. List all possible threats for each asset
C. Perform threat analysis and find the ARO (annualized rate of occurrence)
D. Inventory assets and assign a value (AV)
E. Perform cost/benefit analysis to find the most appropriate response for each threat to an asset
F. Inventory countermeasures for each threat

A

D. Inventory assets and assign a value (AV)
B. List all possible threats for each asset
C. Perform threat analysis and find the ARO (annualized rate of occurrence)
A. Calculate the ALE (annualized loss expectancy)
F. Inventory countermeasures for each threat
E. Perform cost/benefit analysis to find the most appropriate response for each threat to an asset

43
Q

The cost/benefit analysis has 4 steps. What are they?

A

  1. Calculate the annual cost of the safeguard (ACS)
  2. Calculate the post-safeguard ALE (the ARO and/or EF change once the safeguard is applied, so the ALE changes too)
  3. Apply the cost/benefit equation: (ALE before safeguard - ALE after safeguard) - ACS. If the result is positive, the safeguard is a viable choice.
  4. Select the countermeasure

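The SLE and ALE formulas from the earlier cards and the four cost/benefit steps above, carried through in code as an added example (this is not part of the original flashcard deck). It reuses the deck's AV = $200,000 and EF = 45%; the ARO of 0.5, the candidate safeguards, their annual costs and their post-safeguard ARO/EF values are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values from the deck's SLE card; ARO is an assumed figure for this example.
ASSET_VALUE = 200_000.0
EXPOSURE_FACTOR = 0.45
ARO = 0.5  # assumed: the threat is expected to occur once every two years


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and its assumed post-safeguard risk figures."""
    name: str
    acs: float                        # annual cost of safeguard (step 1)
    aro_after: float                  # ARO once the safeguard is in place
    ef_after: Optional[float] = None  # EF after the safeguard; None = unchanged


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF."""
    return round(av * ef, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    return round(sle * aro, 2)


def cost_benefit(ale_before: float, ale_after: float, acs: float) -> float:
    """Step 3: (ALE before safeguard - ALE after safeguard) - ACS.
    A positive result means the safeguard saves more per year than it costs."""
    return round((ale_before - ale_after) - acs, 2)


def evaluate_safeguards(av: float, ef: float, aro: float,
                        safeguards: List[Safeguard]) -> Dict[str, Tuple[float, float]]:
    """Run steps 1-3 for every candidate.

    Returns {name: (post-safeguard ALE, cost/benefit value)}.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(av, ef), aro)
    results: Dict[str, Tuple[float, float]] = {}
    for s in safeguards:
        ef_after = ef if s.ef_after is None else s.ef_after          # step 2
        sle_after = single_loss_expectancy(av, ef_after)
        ale_after = annualized_loss_expectancy(sle_after, s.aro_after)
        results[s.name] = (ale_after, cost_benefit(ale_before, ale_after, s.acs))
    return results


def select_safeguard(results: Dict[str, Tuple[float, float]]) -> Optional[str]:
    """Step 4: choose the viable safeguard (positive value) with the highest value.
    Returns None when no candidate pays for itself, i.e. the risk should be
    handled by another response (accept, transfer, avoid) rather than mitigated
    with any of these safeguards."""
    viable = {name: value for name, (_, value) in results.items() if value > 0}
    if not viable:
        return None
    return max(viable, key=viable.get)


# Constructed candidates (assumptions, not figures from the deck).
SAFEGUARDS = [
    Safeguard("offsite backups", acs=10_000.0, aro_after=0.1),
    Safeguard("hot site", acs=40_000.0, aro_after=0.05),
    Safeguard("content filtering gateway", acs=50_000.0, aro_after=0.5, ef_after=0.10),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale = annualized_loss_expectancy(sle, ARO)
    print(f"SLE = ${sle:,.2f}  ALE = ${ale:,.2f}")
    for name, (ale_after, value) in evaluate_safeguards(
            ASSET_VALUE, EXPOSURE_FACTOR, ARO, SAFEGUARDS).items():
        verdict = "viable" if value > 0 else "not viable"
        print(f"{name:28s} ALE after = ${ale_after:>10,.2f}  value = ${value:>10,.2f}  {verdict}")
    print("selected:", select_safeguard(
        evaluate_safeguards(ASSET_VALUE, EXPOSURE_FACTOR, ARO, SAFEGUARDS)))
```

Note that the equation alone ranks safeguards purely on annual dollars: the third candidate lowers the ALE the most per incident but costs more than it saves, so it is rejected, while the cheapest option wins. In practice a positive cost/benefit value is a necessary condition, not the whole decision; legal or regulatory obligations and qualitative factors still apply.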
44
Q

Which type of risk analysis is scenario-based, considering how each threat would affect the organization? It rates risks on a scale (low to high) and relies on judgement, intuition and experience instead of dollar amounts.

A. Qualitative
B. Quantitative

A

A. Qualitative

45
Q

You would use a risk-level matrix for what type of analysis?

A

Qualitative

46
Q

When you ____ risk, you implement safeguards.

A. reject
B. accept
C. mitigate

A

C. mitigate

47
Q

When you ____ risk, you shift it to a third party, for example by buying insurance.

A. reject
B. transfer
C. mitigate

A

B. transfer

48
Q

When you ____ risk, upper management signs a document to record the decision.

A. reject
B. accept
C. mitigate

A

B. accept

49
Q

What is residual risk?

A

The risk that remains after the chosen controls have been implemented.

50
Q

What is the weakest element in any security solution?

A

humans/people

51
Q

What does separation of duties mean?

A

It is the security concept that prescribes that critical work tasks are divided among several different people. It ensures that not one person has full control to violate security measures, and it protects against collusion.

52
Q

What is the concept of least privilege?

A

It is the concept that a person/subject has only the minimum access to perform their duties. It can include access to documents and access to specific systems and applications.

53
Q

What are some reasons to implement job rotation?

A

knowledge redundancy
reduce risk of fraud or misuse of information
provide peer auditing
protect against collusion

54
Q

What is meant by screening a candidate for a position?

A

Vetting the candidate to a depth that matches the sensitivity and classification of the position, as defined by the job description.

55
Q

A background check helps determine what?

A

That a candidate is trustworthy for a secured position

56
Q

Employment agreements include all of the following except:

A. job description
B. NDA
C. security policy
D. NCA
E. procedures

A

E. procedures