S3-m3 Flashcards
NIST Special Publication 800-39
The risk management framework outlines a comprehensive process to manage risk by applying four components
-Risk Framework
-Assess Risk
-Respond to Risk
-Monitor Risk
Risk Framework
Involves defining, or framing, the environment in which risk-based decisions are made. The purpose of this component is to form a strategy that enables a company to assess, respond to, and monitor risk. Companies must identify
-Risk assumptions
-Risk constraints
-Risk tolerance
-Priorities and trade-offs
Assess Risk
This component addresses the way companies assess risk in the context of the risk framework. The goal is to identify
-threats to nations, organizations, individuals, assets or operations
-vulnerabilities internal and external to organizations and entities
-the harm that may occur given the potential for threats exploiting vulnerabilities
-the likelihood that harm will occur
Respond to Risk
The purpose of this component is to provide a consistent, organization-wide response based on the risk assessment results by:
-developing alternative courses of action
-evaluating the alternative courses of action
-determining appropriate courses of action consistent with organizational risk tolerance
Monitor Risk
To evaluate and monitor risk over time by:
-determining the ongoing effectiveness of risk responses
-identifying risk-impacting changes to organizational information systems and the environments in which those systems operate
-verifying that planned risk responses are implemented and that information security requirements are satisfied
Security assessment engagements involve…
addressing the second component of the risk management framework, which includes performing a risk assessment and testing controls to obtain data on the company’s current state.
-often results in a SAR delivered to management
Examination
Assessment Method
Process of analyzing, observing, and reviewing one or more assessment objects, security activities, or relevant operations
Interviewing
Assessment Method
Involves having individual or group discussions to better understand, collect, and evaluate evidence
Testing
Assessment Method
The process of testing assessment objects that reflect how the object performs in its current state compared to a target expected state
Security Assessment Reports (SARs)
Issued as evidence of controls complying, or not complying, with stated security goals and objectives. NIST defines a security assessment report as a report that provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified issues or vulnerabilities in the security controls
Satisfied Rating
Indicates the assessment objective was met and yielded an acceptable result
Other Than Satisfied Rating
Indicates that an assessor could not obtain sufficient information to meet the statements in the assessment procedure.
Summary of Findings
SARs
The introductory portion of a SAR has a synopsis of key findings and recommended actions to address weaknesses or deficiencies
System Overview
SARs
The overview section of a SAR outlines the information management system being assessed, including hardware, software, personnel, and other relevant resources
Assessment Methodology
SARs
This part of a SAR explains the techniques and procedures utilized to perform the assessment
Security Assessment Findings
SARs
The findings section of a SAR discusses the gaps and deficiencies discovered during the assessment
Recommendations
SARs
This portion of the report provides prescriptive direction to remediate the deficiencies that were discovered
Action Plan
SARs
This final section of a SAR is a roadmap that covers the steps that should be taken to remediate the deficiencies
Management
Security Awareness
Tasked with designing and evaluating security awareness programs or coordinating with third-party vendors hired to develop and/or perform the security awareness training
Specialized IT Personnel
Security Awareness
Tasked with carrying out the policies set forth in security awareness programs. Specialized jobs include network security engineers, penetration testers, and incident response analysts
All other Employees
Security Awareness
Tasked with following the security procedures based on their specific job roles
Phishing Simulations
Designed to teach employees to recognize phony emails by sending messages that mirror actual phishing emails and other communications. When employees click the email, they receive a communication informing them that the action they performed was a violation
Click Rate
The % of employees who clicked on a phishing email link
Re-click Rate
The % of employees who failed the first time and clicked again
Report Rate
The % of employees who report phishing emails
Non-responder Rate
The % of employees who ignored the email and did not respond in any way
Reply Rate
The % of employees who replied to the phishing emails
Employee Consultations
Program Champion Metric
Reports the number of times employees consult with the security program's champion
Security Behaviors (With and without Champions)
Program Champion Metric
This involves capturing and comparing security awareness measures in departments that have champions versus those that do not
Champion Density Vs Security Behaviors
Program Champion Metric
Measures the degree of correlation and linear relationship between champion activity or density across different departments and security behaviors
The centralized incident response team
Serves as the single incident response team tasked with managing incidents across the organization. It is responsible for responding to incidents, potentially including those identified as part of a SAR
To manage risk, it takes a FARM
-Framework
-Assessing
-Responding
-Monitoring