Risk

Question 1

The lack of the countermeasure or a weakness that is in place

Answer 1

vulnerability

Question 2

Any potential danger that is associated with the exploitation of the vulnerability

Answer 2

a threat

Question 2

The likelihood of a threat agent exploiting a vulnerability in the corresponding business impact

Answer 2

Risk

Question 3

An instance of being exposed to loss

Answer 3

Exposure

Question 3

Also known as the countermeasure it is put into place to mitigate or reduce the potential risk

Answer 3

a control

Question 4

Controls are put into place reduce the risk of an organization faces and they come in three main flavors:

Answer 4

Administrative, technical and physical controls.

Question 4

We know that the different categories of controls to be used are administrative technical and physical.
But what do these controls actually do? The different functionalities of security controls are (6):

Answer 4

Deterrent 
preventative 
corrective 
recovery 
detected 
compensating

Question 5

What is a group of standards called that serves as industry best practices for the management of security controls in a holistic manner within organizations around the world

Answer 5

ISO/IEC 27000 series

Question 5

Name 4 examples of enterprise architecture development a.k.a. frameworks

Answer 5

Zachman framework, TOGAF, DoDAF, MODAF

Question 6

Name two standards under the security controls development

Answer 6

CobiT (objectives fir IT Mgmt dev by ISACA & ITGI)

SP 800-53 -NISt

Question 6

Name two models for process management

Answer 6

Six Sigma, CMMI

Question 7

Risk = T * V

Answer 7

risk = threat x vulnerability

Question 8

SLE = AV * EF

Answer 8

single loss expectancy = asset value * exposure factor

Question 9

ALE = SLE * ARO

Answer 9

Ale $ = SLE $ x ARO %

Question 10

ARO= #/ yr.

Answer 10

annualized rate of occurrence.

Question 11

Delphi Technique

Answer 11

anonymous survey to gain uninfluenced responses for consensus. (qualitative analysis)

Question 12

CobiT framework.Goal: define controls that should be used to properly manage IT & ensure it maps to business needs. Name the 4 domains:

Answer 12

4 Domains:Plan and OrganizeAcquire and ImplementDeliver and Support Monitor and EvaluateIt’s a chklist approach to guide companies when they buy, install, test, certify and accredit IT products

Question 13

which NISt publication outlines controls agencies. need to put into place to be FISMA complaint ?

Answer 13

NIST 800-53

Question 14

Name 3 categories if control outlined by NIST:

Answer 14

M-O-T

Question 15

COSO is model for corporate governance while CobiT is a model for IT governance. What are the 5 components of COSO:

Answer 15

Control EnviroRisk AssessmentControl ActivitiesInfo & CommMonitoring

Question 16

what’s the difference between a risk assessment and a vulnerability assessment

Answer 16

Vulnerability assessment find the holes. A risk assessment calculates the probability of the vulnerabilities being exploited and the associated business impact

Question 17

What is Delphi technique

Answer 17

Adelphi technique is a group decision method to ensure that each member gets an honest opinion of what here she thinks result of a particular threat will be

Question 18

Residual risk is the risk leftover to deal with after countermeasures have been sent. What is the formula for residual risk?

Answer 18

{Threats x vulnerability x asset value = total risk} x control gap = residual risk

Question 19

Total risk is risk a company faces if it is not going to implement any type of safeguard!! what is the formula for total risk

Answer 19

Threats x vulnerability x asset value = total risk

Question 20

What are standards

Answer 20

Standards referred to mandatory activities actions or rules. They can give a policy it’s support and reinforcement in that direction.

Question 21

What is a baseline

Answer 21

The term baseline refers to a point in time that is used as a comparison for future changes.

Question 23

What is a guideline

Answer 23

Suggestions and best practices

Question 25

What are procedures

Answer 25

Procedures are step-by-step implementation instructions

Question 27

What are the three policy functionality types

Answer 27

Regulatory, advisory, informative.

Question 29

What are common levels of sensitivity for a commercial business

Answer 29

Confidential,. Private, sensitive, public

Question 31

What are the levels of sensitivity for military purposes

Answer 31

Top secret, secrets, confidential, sensitive but unclassified, unclassified

Question 32

It is the users primary responsibility to determine declassification level for information. However who is ultimately responsibile to make sure data is classified and protected

Answer 32

mgmt

Question 33

True or false: if different user groups with different security access levels need to access the same info, Management should increase the security controls on the information.

Answer 33

True. It is going to be available to a wide range of people so more granular security should be implemented to ensure that only the necessary people access the data

Question 34

True or faults: management should consider the availability integrity and confidentiality when classifying data

Answer 34

True

Question 35

Security functionality defines the expected activities of a security mechanism. What does assurance define?

Answer 35

Assurance defines the confidence of the security mechanism is providing

Question 36

Review the proper mapping for the ISO/IEC standards:

Answer 36

ISO/IEC:27001 = ISMS27002= code of prac for infosec mgmt27003= guideline for isms imp27004=metrics27005= infosec risk mgmt27006=audit & cert

Question 37

What best describes a control to be used in order to carry out fraudulent investigation activities

Answer 37

Mandatory vacation is an administrative detective control that allows for an organization to investigate an employees daily business activities to uncover any potential profit maybe taking place

Question 38

What is the relation between COSO and CobiT frameworks

Answer 38

Coso deals more at a strategic level, well CobiT focuses more at the operational level. CobiT is a way to meet many of the COSO objectives but only from the IT perspective. COSO deals with non-IT items. It’s main purpose is to help ensure fraudulent financial reporting cannot take place in an organization

Question 39

Looking at risk stds, What’s the difference between NIST 800-30, octave, and AS/NZS 4360?

Answer 39

Nist 800 – 30 risk management guide for IT systems is focused on IT risks. Octave is a methodology to set up a risk management program within an organizational structure. AS/NZS takes a much broader approach to risk management, it’s mythology can be used to understand the company’s financial, capital, human safety and business decision risks.

Question 40

Single sign-on tech: what is an application protocol that uses a KDC & tickets and is based on some Symmetric key crypto

Answer 40

Kerberos

Question 41

Single sign-on tech: What authentication protocol is simolar to kerberos, uses a PAS and PACs and is based on symmetric and asymmetric Krypto

Answer 41

Sesame (Secure European system for applications and a multi vendor environment)