S3-m3 Flashcards

1
Q

NIST Special Publication 800-39

A

The risk management framework outlines a comprehensive process for managing risk by applying four components:
-Risk Framework
-Assess Risk
-Respond to Risk
-Monitor Risk

2
Q

Risk Framework

A

Involves defining, or framing, the environment in which risk-based decisions are made. The purpose of this component is to form a strategy that enables a company to assess, respond to, and monitor risk. Companies must identify:
-Risk assumptions
-Risk constraints
-Risk tolerance
-Priorities and trade-offs

3
Q

Assess Risk

A

This component addresses the way companies assess risk in the context of the risk framework. The goal is to identify:
-threats to nations, organizations, individuals, assets, or operations
-vulnerabilities internal and external to organizations and entities
-the harm that may occur given the potential for threats exploiting vulnerabilities
-the likelihood that harm will occur

4
Q

Respond to Risk

A

The purpose of this component is to provide a consistent, organization-wide response based on the risk assessment results by:
-developing alternative courses of action
-evaluating the alternative courses of action
-determining appropriate courses of action consistent with organizational risk tolerance

5
Q

Monitor Risk

A

To evaluate and monitor risk over time by:
-determining the ongoing effectiveness of risk responses
-identifying risk-impacting changes to organizational information systems and the environments in which the systems operate
-verifying that planned risk responses are implemented and that information security requirements are satisfied

6
Q

Security assessment engagements involve…

A

Addressing the second component of the risk management framework (Assess Risk), which includes performing a risk assessment and testing controls to obtain data on the company's current state.
-often results in a security assessment report (SAR) to management

7
Q

Examination

Assessment Method

A

Process of analyzing, observing, and reviewing one or more assessment objects, security activities, or relevant operations

8
Q

Interviewing

Assessment Method

A

Involves having individual or group discussions to better understand, collect, and evaluate evidence

9
Q

Testing

Assessment Method

A

The process of exercising assessment objects to show how each object performs in its current state compared to a target, expected state

10
Q

Security Assessment Reports (SARs)

A

Issued as evidence of controls complying, or not complying, with stated security goals and objectives. NIST defines a security assessment report as a report that provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified issues or vulnerabilities in the security controls.

11
Q

Satisfied Rating

A

Indicates the assessment objective was met and yielded an acceptable result

12
Q

Other Than Satisfied Rating

A

Indicates that the assessor could not obtain sufficient information to meet the statements in the assessment procedure.

13
Q

Summary of Findings

SARs

A

The introductory portion of a SAR; it gives a synopsis of key findings and recommended actions to address weaknesses or deficiencies

14
Q

System Overview

SARs

A

The overview section of a SAR outlines the information management system being assessed, including hardware, software, personnel, and other relevant resources

15
Q

Assessment Methodology

SARs

A

This part of a SAR explains the techniques and procedures utilized to perform the assessment

16
Q

Security Assessment Findings

SARs

A

The findings section of a SAR discusses the gaps and deficiencies discovered during the assessment

17
Q

Recommendations

SARs

A

This portion of the report provides prescriptive direction to remediate the deficiencies that were discovered

18
Q

Action Plan

SARs

A

This final section of a SAR is a roadmap that covers the steps that should be taken to remediate the deficiencies

19
Q

Management

Security Awareness

A

Tasked with designing and evaluating security awareness programs, or with coordinating with third-party vendors hired to develop and/or perform the security awareness training

20
Q

Specialized IT Personnel

Security Awareness

A

Tasked with carrying out the policies set forth in security awareness programs. Specialized jobs include network security engineers, penetration testers, and incident response analysts

21
Q

All other Employees

Security Awareness

A

Tasked with following the security procedures based on their specific job roles

22
Q

Phishing Simulations

A

Designed to teach employees to recognize phony emails by sending messages that mirror actual phishing emails and other communications. When employees click the link in the email, they receive a communication informing them that they performed an action in violation of security procedures

23
Q

Click Rate

A

The % of employees who clicked on a phishing email link

24
Q

Re-click Rate

A

The % of employees who failed the first simulation and clicked again on a later one

25
Q

Report Rate

A

The % of employees who report phishing emails

26
Q

Non-responder Rate

A

The % of employees who ignored the email and did not respond in any way

27
Q

Reply Rate

A

The % of employees who replied to the phishing emails

28
Q

Employee Consultations

Program Champion Metric

A

Reports the number of times employees consult with a security program champion

29
Q

Security Behaviors (With and without Champions)

Program Champion Metric

A

This would involve capturing and comparing security awareness measures in departments that have champions vs those that do not

30
Q

Champion Density Vs Security Behaviors

Program Champion Metric

A

Measures the degree of correlation (linear relationship) between champion activity or density across different departments and security behaviors

31
Q

The centralized incident response team

A

Serves as the single incident response team tasked with managing incidents across the organization. It is responsible for responding to incidents, potentially including those identified as part of a SAR

32
Q

To manage risk, it takes a FARM

A

-Framework
-Assessing
-Responding
-Monitoring