Risk Management Flashcards
Security Policy Framework Levels
Policies
Standards
Guidelines
Procedures
Risk Factors
Likelihood/probability
Impact
Risk Assessment Methods
Qualitative
Quantitative
Define an AV
Asset Value
AV Assessment Methods
Original
Depreciated
Replacement
Define the EF
Exposure Factor; percentage of the asset affected
Define SLE
Single Loss Expectancy; AV * EF
Define ARO
Annualized Rate of Occurrence; likely number of occurrences per year
Define ALE
Annualized Loss Expectancy; ALE = SLE * ARO
Define MTTF
Mean Time to Failure, for non-replaceable components
Define MTBF
Mean Time Between Failures, for replaceable components
Define MTTR
Mean Time To Repair, average restoration time
Risk Response Types
Avoidance
Transference
Mitigation/Deterrence
Acceptance
Risk Register Components
Description
Categorization
Probability
Impact
Mitigation
Risk Assessment Sources
Vulnerability Scans
Penetration Test
Audits
OS Threat Intelligence
Consulting/Vendor
Types of Vendor Agreements
SLR/SLA
MOU/MOA
BPA/BPO
ISA
Define SLR
Service-Level Agreement; outlines the service provider's commitment to the client
Define MOU/MOA
Memorandum of Understanding/Agreement
Define BPA
Business Partnership Agreement
Define ISA
Interconnection Service Agreement; joins networks outlining technical and security requirements
Personnel Risk Management Key Principles
Need to Know
Least Privilege
Separation of Duties
Define a BCP
Business Continuity Planning; focus on maintaining availability
Define a BIA
Business Impact Assessment
BIA Risk Concerns
Safety
Financial
Reputation
Define High Availability
Multiple systems for the same purpose
Fault Tolerance Methods
Power Supply
Memory Storage
Describe RAID 0
Striping
Performance, no Redundancy
1 or more disks
Describe RAID 1
Mirroring
Redundancy, low performance
2 or more disks
Describe RAID 5
Striping with Parity
Performance and Redundancy
3 or more disks
Describe RAID 6
Striping with Double Parity
4 or more disks
Describe RAID 10 (also called RAID 1+0 / RAID 0+1)
Striping and Mirroring
4 or more disks
Define RTO
Recovery Time Objective, goal recovery time
Define RPO
Recovery Point Objective, restoration point to return to after an incident
Backup Types
Full
Differential
Incremental
Snapshot
Describe Full Backups
Back up everything;
Slow backup speed
Fast restoration speed
Describe Differential Backups
Back up changes since the last full backup;
Medium backup speed
Medium restoration speed
Describe Incremental Backups
Back up changes since the last full or incremental backup;
Fast backup speed
Slowest restoration speed
Define a system Snapshot
Capture disk image at a moment in time
Lower storage space requirements
Quick backups
Grandfather-Father-Son Backup Media Rotation Method
4 devices back up daily, 1 per day Monday-Thursday
4 devices back up weekly, 1 per week for 4 weeks
4 devices back up monthly, 1 per month for 4 months
Define 3-2-1 Backup Rule
2 Backups on site
1 Backup off-site
Alternate Processing Facility Types
Hot
Cold
Warm
Describe a Hot Site
Fully operational
Quickest restoration (hrs)
Expensive
Describe a Cold Site
Empty facility
Slowest restoration (weeks)
Least expensive
Describe a Warm Site
Hardware and Software ready
Medium restoration speed (days)
Medium expenses
Define Alternate Business Processes
Utilizing alternative methods to accomplish the same business purpose
Backup Site Location Considerations
Close enough for relocation of employees
Far enough to not be impacted by same disaster
Ease of access
Away from other industrial facilities
Data sovereignty (only applies to location of storage)
Disaster Response Plan Testing Methods
Read-through
Walk-through
Simulation
Parallel Test
Full Interruption
Define CIRT
Cyber Incident Response Team
CIRT Members
Management
Information Security
Subject Matter Experts
Legal
Public Affairs
HR
Finance
Evidence Types
Real/Physical
Documentary
Testimonial
Types of Testimonial Evidence
Direct, by first-hand observation
Expert Opinion
Define Hearsay
Testimonial evidence not given from first-hand observation (e.g. “I heard someone else say”)
Documentary Evidence Considerations
Authenticated
Best available
Parol Evidence
Define Best Available Evidence
The original, or the evidence closest to the original
Define Parol Evidence Rule
Assumes the documentary evidence is the entire and final agreement
Digital Forensic Order of Volatility
Cache, registers
ARP Cache, routing table, memory, kernel statistics, process table
Temporary files
Disks
Monitoring data and remote logs
Physical configuration and network topology
Archived media
Purpose of Write Blockers
Intercept/prevent requests to alter evidence
Purpose of Hashing Collected Evidence
Compare later hashes with the initial hash to verify data integrity
Storage Bag Labeling Criteria
Name
Date and Time
Contents
Tamper Seal
Data Owner’s Role
Has administrative control and has been officially designated as accountable for a specific information asset dataset
Data Steward’s Role
Handles data governance and policy on behalf of the Data Owner
Data Custodian’s Role
Has technical control over an information asset dataset
Define PTA
Privacy Threshold Analysis, determines the necessity for privacy controls
Define PIA
Privacy Impact Analysis, evaluates the sufficiency of privacy controls
Adverse Background Check Notification Process
Investigation
Pre-adverse notification
Employee Response
Incident Response Phases
Preparation
Identification
Containment
Investigation
Eradication
Recovery
Follow Up
Uses of Captive Portals
Monitor/limit Network Activity
User agreements
Branding
Insider Protection Methods
Content and email filter
Strong security policies
Government Information Classification Standards
Top Secret - “exceptionally grave damage”
Secret - “serious damage”
Confidential - “damage”
Unclassified - available for general use
Define Private Information
Information relating to an individual (e.g. PII, PHI)
ISO 27001 Information Classification Standards
Confidential (top confidentiality level)
Restricted (medium confidentiality level)
Internal use (lowest level of confidentiality)
Public (everyone can see the information)
Least Effective Means of Purging Media
Degaussing
Define Security Policy
High-level, general statement about the role of security
Define Standard
Legal, industry, or best business practices
Use of Code Escrow
Protects against a vendor's lack of support in the event they go out of business
Network Protection Steps
ID and document user access permissions
ID high-value assets
Document trust boundaries
ID choke points on the network
Segregate and isolate the network
Isolate server functions
Physically secure high-value systems
Memory Dump Methods
Save and extract the page file
Save contents of physical RAM
Forensic Cloning Method
Bit-level cloning
Instant Messaging Vulnerability
Lack of encryption
Define the Delphi Method
Anonymous survey to determine the value of an asset
Define Two-Man Control
Tasks that require dual custody due to their sensitivity
Backup Data Loss Protection Method
Test restoration procedures
Purpose of an Archive Bit
Indicates whether a file has been modified (set if modified)