Risk Management Flashcards
What is the CIA of Security?
Confidentiality, Integrity, Availability
Which element of the CIA of Security is the goal of keeping data secret from anyone who doesn’t have the need or the right to access that data?
Confidentiality
Which element of the CIA of Security ensures that data and systems stay in an unaltered state when being transferred or received?
Integrity
Which element of the CIA of Security ensures that systems and data are available to users when needed?
Availability
What is the act of keeping track of things such as who has been logging in, who has made changes to something, etc.?
Auditing and Accountability
A user can’t deny that they have performed a particular action.
Non-Repudiation
What are the people and organizations that actually do the attacks called?
Threat Actors
Which threat actor is known for trivial attacks due to lack of knowledge?
Script Kiddies
Which threat actor is motivated by intent to make a public social statement?
Hacktivist
What is the motivation of Nation states and advanced persistent threat (APT) threat actors?
Intelligence
Who is someone inside the company that has information or access that can be used for an attack?
Insider
The potential to harm organizations, people, IT equipment, etc.
Risk
Provides benefits to the organization; equipment or people
Assets
Weakness that allows an asset to be exploited
vulnerabilities
A discovered action that exploits a vulnerability’s potential to do harm to an asset
threat
What defines the level of certainty that something is going to happen?
Likelihood
What is the actual harm caused by a threat?
Impact
An outside party looks for vulnerabilities and reports them
Penetration (pen) testing
Effort to reduce the impact of a risk
mitigation
Offload some of the likelihood and risk onto a third party
risk transference
Reach a point where the likelihood and impact are so high that I simply don’t want to deal with it
risk acceptance
What is the workflow or methodology process that helps security professionals deal with risk management?
Framework
What are two examples of a risk management framework?
NIST Risk Management Framework, ISACA Risk IT Framework
What is the threshold value to verify expected throughput or action?
Benchmark
Manufacturers’ security guides to set up and review configurations
platform or security guide
What is a general-purpose guide in terms of risk assessment?
a list of security controls
What are the three types of security controls?
Administrative (management), Technical, Physical
What are some examples of Administrative security controls?
laws, policies, guidelines, best practices
What are some examples of Technical security controls?
computer stuff, firewalls, password links, authentication, encryption
What are some examples of Physical security controls?
gates, guards, keys, man traps
In terms of security control functions, what is a deterrent?
deters the actor from attempting the threat
In terms of security control functions, what is a preventative?
deters the actor from performing the threat
In terms of security control functions, what is a detective?
recognizes an actor’s threat
In terms of security control functions, what is a corrective?
mitigates the impact of a manifested threat
In terms of security control functions, what is compensating?
provides alternative (usually temporary) fix
How is mandatory vacation used as a security control?
requires individuals to take vacation; used to detect fraud and unauthorized activity
How is job rotation used as a security control?
periodically switching jobs prevents fraud and unauthorized activity
How is multi-person control used as a security control?
more than one person is required to do a job; allows for checks and balances of critical functions
How is separation of duties used as a security control?
One person is not allowed to perform all duties. This is to prevent unauthorized activity
Users are only granted the privileges needed to perform their job (need to know). This prevents unauthorized access to information
Principle of least privilege
In terms of defense, repeating the same controls at various intervals
redundancy
In terms of defense, use of a variety of controls in a random pattern
diversity
What are the types of sources for IT Security Governance?
Laws and regulations, standards, best practices, common sense
Defines how we are going to be doing something; broad in nature, used as directives, defines roles and responsibilities
Governance policy
What defines what a person can or cannot do on company assets?
Acceptable use Policy
Which policy defines how to get access to data or resources and what type of data users have access to?
Access Control Policies
Which policy defines how you deal with passwords, password recovery, bad logins, retention, reuse, etc.?
Password policy
Which policy defines how to maintain company equipment?
Care and Use of Equipment
What policy defines how your data or data usage will be shared with other resources?
Privacy policies
Which policy defines the people that are dealing with our data?
Personnel Policies
What are the sources that frameworks come from?
regulatory, non-regulatory, national standards, international standards, industry-specific frameworks
What is the first go-to for IT security professionals who want to understand how to perform a risk management framework?
NIST SP800-37
What are the NIST risk management steps?
Categorize, Select, Implement, Assess, Authorize, Monitor
What is asset value?
the value of an asset + the cost of fixing the asset
What is exposure value?
Percentage of an asset that is lost as a result of an incident
What is the formula for Single Loss Expectancy?
Asset Value * Exposure Factor
What is Annualized Rate of Occurrence (ARO)?
In a given year, what are the chances of this particular instance taking place
What is the formula for Annualized Loss Expectancy (ALE)?
Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO)
What is mean time to repair?
Time it takes to repair
What is mean time to failure?
Time it takes to fail (how long it is working)
What is the mean time between failures?
The time in between two failures (MTTR+MTTF)
What estimates the cost of loss of personal privacy or proprietary data?
Privacy Impact Assessment (PIA)
What is the minimum time necessary to restore a critical system to operation?
Recovery Time Objective (RTO)
What is the maximum amount of data that can be lost without substantial impact?
Recovery Point Objective (RPO)
What allows recipients of the data to know if or how the data can be shared?
Data sensitivity/labeling
What is the owner in terms of data roles?
Legally responsible for the data
What is the steward/custodian in terms of data roles?
Maintains the accuracy and integrity of data
What is the privacy officer in terms of data roles?
Ensures data adheres to privacy policies and procedures
Which Data (user) role is assigned standard permissions to complete tasks?
User
Which Data (user) role has increased access and control relative to a user?
Privileged user
Which Data (user) role sets policies on data and incident response actions?
Executive user
Which Data (user) role has complete control over the data or system?
System administrator
Which Data (user) role has legal ownership and responsibility of data or system?
data owner/system owner
Manufacturer and vendor guides provide what?
Setup suggestions
A self-directed combination of administrative, physical, and technical controls is an example of...
defense in depth
What describes the set of overarching rules that defines how an organization and its employees conduct themselves?
Governance