Protection Needs Elicitation (PNE) Flashcards

1
Q

PNE

A

The determination of security requirements is also known as Protection Needs Elicitation

2
Q

PNE begins

A

discovery of assets that need to be protected from unauthorized access and users.

3
Q

IATF

A

Information Assurance Technical Framework (IATF) is a set of security guidelines that covers Information Systems Security Engineering (ISSE).

4
Q

PNE is the first step of IATF to

A

Engage the customer, Information management modeling, Identify least privilege applications, Conduct threat modeling and analysis, Prioritize based on customer needs, Develop information protection policy, and Seek customer acceptance.

5
Q

PNE activities

A

Brainstorming, Surveys (Questionnaires and Interviews), Policy Decomposition, Data Classification, Subject-Object Matrix, Use Case & Misuse Case Modeling.

6
Q

Brainstorming

A

the quickest and most unstructured method to glean security requirements.

7
Q

Brainstorming shortcomings

A

high degree of likelihood that the brainstormed ideas don’t directly relate to the business, technical and security context of the software; can either lead to ignoring certain critical security considerations or going overboard on a non-trivial security aspect of the software; very subjective.

8
Q

Surveys (Questionnaires and Interviews)

A

Surveys are effective means to collect functional and assurance requirements. The effectiveness of the survey is dependent on how applicable the questions in the surveys are to the audience that is being surveyed.

9
Q

Questionnaires cover

A

business risks, process (or project) risks and technology (or product) risks.

10
Q

Policy Decomposition

A

a crucial step in the process of gathering requirements and an appropriate level of attention must be given to this process.

11
Q

Policy Decomposition process

A

Policy documents internal & external (e.g. PCI DSS); high level objectives (e.g. confidentiality); security requirements (e.g. Identity Management); software security requirements (e.g. Input Validation).

12
Q

high level objectives

A

CFG – Configuration management; SEG – Segregated environments; SOD – Separation of duties; DAT – Data protection; PRC – Production readiness checking and CRV – Code review.

13
Q

Types of Data

A

primarily designated as structured data (e.g. database) or unstructured data (e.g. image, video, email) for the purposes of classification.

14
Q

Data classification

A

the conscious effort to assign labels (a level of sensitivity) to information (data) assets, based on potential impact to confidentiality, integrity and availability (CIA), upon disclosure, alteration or destruction.

15
Q

Data classification objective

A

to lower the cost of data protection and maximize the return on investment when data is protected.

16
Q

NIST SP800-18

A

Guide for Developing Security Plans for Federal Information Systems. It provides a framework for classifying information assets based on impact to the CIA.

17
Q

Business owner / Data owner

A

decision to classify data, who has access and what level of access, etc.

18
Q

Business/data owner responsibility

A

assets are appropriately classified; validate that security controls are implemented as needed by reviewing the classification periodically; define authorized list of users and access criteria based on information classification; ensure appropriate backup and recovery mechanisms are in place; delegate as needed the classification responsibility, access approval authority, backup and recovery duties to a data custodian.

19
Q

data custodian responsibility

A

Perform the information classification exercise; Perform backups and recovery as specified by the data owner; Ensure records retention is in place according to regulatory requirements or organizational retention policy.

20
Q

DLM

A

Data Lifecycle Management - a policy-based approach, involving procedures and practices, to protect data throughout the information life cycle: from the time it is created to the time it is disposed of or deleted.

21
Q

First component of DLM

A

Data classification; once data is organized into appropriate categories (or tiers), appropriate controls can be applied to protect the confidentiality, integrity and availability of data.

22
Q

Secure memory management

A

prevents disclosure of data when data is processed.

23
Q

Cryptographic protection

A

encryption and hashing, in conjunction with end-to-end secure communication protocols operating in the transport (e.g., SSL/TLS) or network (e.g., IPSec) layer, protect data when it is transmitted.

24
Q

DLP

A

Data Leakage Prevention technologies come in handy to protect against unauthorized disclosures when data is transmitted.

25
Q

Database encryption

A

a control that is useful to protect sensitive or private data during storage. E.g. Hierarchical Storage Management (HSM) represents different types of storage media, ranging from Redundant Array of Inexpensive Disks (RAID) systems to optical storage, tape, and solid state drives.

26
Q

Secure disposal

A

deletion or physical destruction of the data; additionally, the media in which the data was stored must be sanitized.

27
Q

Subject (or role)/Object Matrix

A

used to identify allowable actions between subjects (or roles) and objects based on use cases.

28
Q

Use Case Modeling

A

a mechanism by which software functional and security requirements can be determined; it models the intended behavior of the software or system.

29
Q

Misuse Case Modeling

A

Also known as abuse cases (intentional or accidental); they help identify security requirements by modeling negative scenarios. A misuse case is an unintended behavior of the system, one that the system owner does not want to occur within the context of the use case.

30
Q

SQuaRE

A

Secure Quality Requirements Engineering methodology consists of nine steps that generate a final deliverable of categorized and prioritized security requirements.

31
Q

RTM

A

Requirements Traceability Matrix - a table of information that lists the business requirements in the leftmost column; the functional requirements that address the business requirements are in the next column. Next to the functional requirements are the testing requirements.

32
Q

RTM benefits

A

Ensures that no scope creep occurs; Assures that the design satisfies the specified security requirements; Ensures that implementation does not deviate from secure design; Provides a firm basis for defining test cases.