Lecture 5 Flashcards
Security Governance/Risk Management
______ ensures proper creation, implementation and enforcement of a security policy
security management planning
A ____ plan is long-term and is stable. Should define the mission, long-term goal and vision.
Strategic
A ____ plan is a midterm plan with more details on how to achieve the long-term goals.
Tactical
The _____ plan is a short-term, highly detailed plan. Based more on day to day operations.
Operational
A set of practices to support, define and direct the security efforts of an organization.
A: Security policy
B: Security plan
C: Security governance
C: Security governance
Who is ultimately responsible for the security maintained by the organization? Usually sign off on policies.
Senior Manager
Who is responsible for classifying information?
Data owner
A(n) _____ is responsible for testing and verifying that the security policy is properly implemented and the security solutions are adequate
auditor
_____ is grouping security controls together by type or function in order to simplify security.
A. collecting
B. abstraction
C. grouping
B. Abstraction
Data hiding is used for what?
Prevent data from being discovered or accessed by a subject
______ is the art and science of hiding the meaning or intent of a communication from unintended recipients.
Encryption
A control framework. A documented set of best IT security practices. It encourages mapping IT security ideals to business objectives.
CobiT
Control Objectives for Information and Related Technology
_________ is using reasonable care to protect the interests of an organization.
Due care
__________ is practicing the activities that maintain the due care effort.
Due diligence
____ is information that can be traced back to a person and can be used to compromise their identity.
Personally identifiable information (PII)
T/F: Privacy must be addressed in an organizational security policy.
True
Match the type of documents to what they are.
- Policy
- Standards
- Guidelines
- Procedures
A. Recommendations/best practices
B. Specific mandatory controls
C. Step by step instructions
D. General management statements
- Policy, D. General management
- Standards, B. specific mandatory controls
- Guidelines, A. Recommendations/best practices
- Procedures, C. Step by step instructions
A ___ defines the scope of security, assets to protect, security goals and practices, roles, responsibilities, risk levels. Mandatory to have.
security policy
A ____ defines mandatory requirements for the use of hardware, software, technology, and security controls.
standard
The minimum level of security that every system must meet is the ____.
baseline
A _____ is a recommendation on how standards and baselines can be implemented.
guideline
A ___ is a detailed step-by-step document that describes the exact actions needed to implement a specific security mechanism.
procedure
The goal of _____ is to prevent any change from reducing or compromising security.
change management
Why would you use parallel run in change management?
The new and old system run in parallel so functionality can be verified before removing the old system
What is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality?
A. Data roles
B. Data Security
C. Data Classification
D. None of the above
C. Data classification
What is an asset?
Something in the environment that should be protected
____ is the dollar value assigned to an asset based on the actual cost and nonmonetary expenses to develop and maintain it
asset valuation
An event or situation that may cause an undesirable or unwanted outcome for an organization or for a specific asset
Threat
A weakness in an asset or the absence or weakness of a safeguard or countermeasure
vulnerability
Being susceptible to asset loss because of a threat
exposure
The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset
risk
Any mechanism that removes or reduces a vulnerability or protects against one or more specific threats
safeguard/countermeasure
The occurrence of a security mechanism being bypassed or thwarted by a threat agent
breach
Asset valuation is the ___ step of risk analysis?
1st
The risk analysis that uses dollar figures and actual costs is what?
A. Qualitative
B. Quantitative
B. Quantitative
The percentage of loss that an organization would experience if a specific asset were violated by a realized risk
Exposure Factor (EF) or loss potential
The _________ is the cost associated with a single realized risk against a specific asset.
single loss expectancy (SLE)
How do you calculate the SLE?
SLE = Asset Value * EF (AV = $200,000 and EF = 45%, then SLE = $90,000)
The expected frequency with which a specific threat or risk will occur
Annualized Rate of Occurrence (ARO)
The possible yearly cost of all instances of a specific realized threat against a specific asset
Annualized Loss Expectancy (ALE)
How do you calculate the annualized loss expectancy?
ALE = SLE * ARO
Order the steps of the quantitative risk analysis.
A. Calculate the ALE (annualized loss expectancy)
B. List all possible threats for each asset
C. Perform threat analysis and find the ARO (annualized rate of occurrence)
D. Inventory assets and assign value (AV)
E. Perform cost/benefit analysis to find the most appropriate response for each threat of an asset
F. Inventory countermeasures for each threat
D. Inventory assets and assign value (AV)
B. List all possible threats for each asset
C. Perform threat analysis and find the ARO (annualized rate of occurrence)
A. Calculate the ALE (annualized loss expectancy)
F. Inventory countermeasures for each threat
E. Perform cost/benefit analysis to find the most appropriate response for each threat of an asset
The Cost/benefit analysis has 4 steps. What are they?
- Calculate the annual cost of safeguard (ACS)
- Calculate post safeguard ALE (value of ARO and ALE changes when safeguard is applied)
- Cost/benefit equation: (ALE before safeguard - ALE after safeguard) - ACS. If the result is positive, the safeguard is a viable choice
- Select the countermeasure
The risk analysis that is scenario based on how it would affect the organization. Based on a scale (Low - High) and uses judgement, intuition and experience instead of dollar amounts.
A. Qualitative
B. Quantitative
A. Qualitative
You would use a risk-level matrix for what type of analysis?
Qualitative
When you ____ risks, you use safeguards.
A. reject
B. accept
C. mitigate
C. mitigate
When you ____ risk, you outsource it, such as by buying insurance.
A. reject
B. transfer
C. mitigate
B. transfer
When you ____ risk, upper management signs documents to record it.
A. reject
B. accept
C. mitigate
B. accept
Residual risk is what?
The risk that is left after implementing the control measures
What is the weakest element in any security solution?
humans/people
What does separation of duties mean?
It is the security concept that prescribes that critical work tasks are divided among several different people. It ensures that not one person has full control to violate security measures, and it protects against collusion.
What is the concept of least privilege?
It is the concept that a person/subject has only the minimum access to perform their duties. It can include access to documents and access to specific systems and applications.
What are 2 reasons you would implement job rotation?
knowledge redundancy
reduce risk of fraud or misuse of information
provide peer auditing
protect against collusion
What is meant by screening a candidate for a position?
Screening is performed based on the sensitivity and classification defined by the job description.
A background check helps determine what?
That a candidate is trustworthy for a secured position
Employment agreements include all of the following except?
A. job description
B. NDA
C. security policy
D. NCA
E. procedures
E. procedures