Sec Mgmt LifeCycle Flashcards

1
Q
Security Mgmt (6) LifeCycle List?   Hint: Cntls
What are the (6) Lifecycle steps?
A
  1. (CAT) Categorize Info Sys – Define critical IS by potential worst-case impact
  2. (CNTL) Select Sec CNTL – Baseline Sec Cntl – Apply supplemental cntls needed beyond the baseline, based on risk
  3. (Implem) Implem Sec CNTL – Using sound engineering practices, apply Sec Config settings
  4. (Assess) Assess Sec Cntl – PenTest – Confirm chgs
  5. (AO) Authorize IS – if acceptable … authorize operations
  6. (CM) Monitor Sec State – Continuous Monitoring – track chgs against CNTLs
2
Q

What is ROSI?

A

Return on Security Investment

3
Q

ROSI = ___________ - ______________

A

Risk Mitigation - Cost of Control

4
Q

For each threat we can then calculate:

A

ALE = ARO * SLE

5
Q

ALE

A

Annual Loss Expectancy

6
Q

ARO

A

Annual Rate of Occurrence

7
Q

SLE

A

Single Loss Expectancy

8
Q

PDCA?

A

Plan - Do - Check - Act

9
Q

Steps in PLAN of PDCA:

A

Design ISMS, Assess Risk, Select Control

10
Q

Steps of Do of PDCA:

A

Implement / Operation Controls

11
Q

Steps of Check of PDCA:

A

Review / Evaluate Performance

12
Q

Steps of Act of PDCA:

A

Changes made, Bring ISMS back to peak performance

13
Q

ISMS Info Sys Mgmt Sys = (hint: name of standard)

A

ISO /IEC 27001 (FISMA) standard

14
Q

Governance is how we do what we do …

Governance = (3)

A

Policy + Standard + Procedure

15
Q

Policy is ___________
Standard is _________
Procedure is ________

A

Principle
Control
Step-by-step instructions

16
Q

List (5) Governance Frameworks:

A
  1. ISO / IEC 38500 CORP
  2. ISO 17799 PCI DSS
  3. ISO 27001 FISMA
  4. ISO 13335 HIPAA
  5. COBIT Govt Mgmt Enterprise IT
    * COBIT is a good-practice framework created by international professional association ISACA for information technology management and IT governance.
17
Q

RISK to Multi-Tenancy: (5)

A
  1. Inadequate Logical Sec Cntls – i.e.: CPU, Ntwk, Stor, DB, & Stack shared between multiple tenants
  2. Other Tenants > Malicious / Ignorant – i.e.: a weaker logical cntl in one tenant can affect other tenants
  3. Shared Svc can become a single pt of fail (SPF) if the common svc is not architected well; affects other tenants
  4. Uncoordinated Chg Cntl & Misconfiguration – All chgs need to be well coordinated & tested
  5. Co-mingled Tenant Data – to reduce cost, providers store data from multiple tenants on shared DBs & BU tapes
18
Q

What is not a risk for multi-tenancy design?
A. Co-mingled tenant data
B. Inadequate logical Sec Cntl
C. Overcharging for extreme use of resources
D. Uncoordinated change cntl and mis-config

A

C. Overcharging for extreme use of resources

19
Q

A cloud subscriber may come under certain security constraints when hosting sensitive data in the cloud due to government regulations. Which of the following is the BEST mitigating control that could be implemented by the cloud provider?

A. Offer multi-tenancy software as a service with segregated physical infrastructure.
B. Offer a single-tenancy software service with segregated virtualized infrastructure.
C. Offer multi-tenancy software as a service with logically segregated infrastructure.
D. Offer a single-tenancy software service with monitored intrusion detection systems.

A

B. Offer a single-tenancy software service with segregated virtualized infrastructure.

20
Q

ISO 27005 defines risk as:

And … it is measured by …. (2)

A

Potential that a given threat will exploit vulnerability of asset/group of assets and thereby cause harm to organization

Likelihood of event
And … Consequences

21
Q

What (Who) are the Cloud Sec Ref Architecture Members (5)

A
Cloud Consumer
Cloud Provider
Cloud Broker
Cloud Carrier ie: VZ, ATT, COX
Cloud Auditor
22
Q

What is CLOUD Bursting?

A

When a Private Cloud or Data Center burst into Public Cloud as capacity spikes

23
Q

An organization has just gone to a start-up cloud provider for its entire infrastructure. Which of the following is one of the new organizational roles required at the cloud provider?

A. Supply manager
B. Commercial manager
C. Infrastructure project manager
D. Credit risk manager

A

C. Infrastructure project manager

24
Q

What are the Cloud Compliance Cntl Layers (8)

A
SaaS
PaaS
IaaS
Virtual Cntl
Data Mgmt & Storage Cntl
Access Cntl
Communications Cntl
Support Infrastructure
25
Q

What the (6) steps of Data Security LifeCycle

A
Create
Store
Use
Share
Archive
Destroy
26
Q

What is Vendor Lock-in?

A

Vendor goes out of business, lost data, or changed versions and now unreadable ….

27
Q

Which of the following is an important factor for maintaining strategic flexibility?

A. Return on investment
B. Integrity
C. Elasticity
D. Vendor lock-in

A

D. Vendor lock-in

28
Q

What are the Cloud Risk Assessment List (9)

A
Char(ize) 
Threat 
Vuln 
Cntl
Likelihood Det –
Impact 
Risk Det 
Cntl Recommendation 
Results Doc
29
Q

Cloud Risk Assessment List (9)

A
  1. Sys Char – Char(ize) assets, bus process, or sys to move to Cloud
  2. Threat ID – identify threats to org (existing/new)
  3. Vuln ID – identify potential vulns / current Sec issues
  4. Cntl Analysis – Analyze Sec Cntls / framework for assessment
  5. Likelihood Det – Determine likelihood of event based on criticality
  6. Impact Analysis – Analyze definition of impact if risk were exploited
  7. Risk Determ – Determine risk based on likelihood of threat, impact & mitigating Cntls
  8. Cntl Recommendation – ID processes, Cntls, activities to manage identified risk
  9. Results Doc – ID risk treatment option such as bear risk, transfer risk, mitigate risk.
30
Q

The Risk Assessment methodology has 9 steps.
Which step is THREAT IDENTIFICATION?

A. First
B. Second
C. Third
D. Fourth

A

B. Second

31
Q

The Risk Assessment method has 9 steps.
In which step do you define System, Process scope, & service, i.e.: Technical Cntls, Mgmt Cntls, Operational Cntls, Physical Cntls, and Environmental Sec get assessed?

  1. Char
  2. Threat ID
  3. Vuln ID
  4. Cntl Analysis
A
  1. Char
32
Q

At what level of the Risk Assessment do you consider Pen Testing?

  1. Char
  2. Threat ID
  3. Vuln ID
  4. Cntl Analysis
A
  1. Vuln ID
33
Q

Which risk assessment step focuses on the controls to use for the assessment?

  1. Impact Analysis
  2. Control Analysis
  3. Risk Determination
  4. Control Remediation
A
  1. Control Analysis
34
Q

At what level of the Risk Assessment do you define a risk criteria that includes likelihood of a threat, magnitude of impact, and capability of mitigating controls?

  1. Control Recommendation
  2. Impact Analysis
  3. Risk Determination
  4. Results Documentation
A
  1. Risk Determination

* RISK Determination = Likelihood

35
Q

At what level of the Risk Assessment do you establish a framework, and document the universe of controls

  1. Char
  2. Threat ID
  3. Vuln ID
  4. Cntl Analysis
A
  1. Cntl Analysis
36
Q

At what level of the Risk Assessment do you create risk assessment report, identify risk management options, ie: accept, transfer, mitigate, and document risk exceptions?

  1. Control Recommendation
  2. Impact Analysis
  3. Risk Determination
  4. Results Documentation
A
  1. Results Documentation
37
Q

At what level of the Risk Assessment do you establish a framework, and document the universe of controls

  1. Char
  2. Threat ID
  3. Vuln ID
  4. Cntl Analysis
A
  1. Cntl Analysis
38
Q

At what level of the Risk Assessment do you analyze the relation to the loss of integrity, availability, or confidentiality, and the definition of impact of a particular risk?

  1. Control Recommendation
  2. Impact Analysis
  3. Risk Determination
  4. Results Documentation
A
  1. Impact Analysis
39
Q

At what level of the Risk Assessment do you identify threats, history of sys attacks, and identify security issues?

  1. Char
  2. Threat ID
  3. Vuln ID
  4. Cntl Analysis
A
  1. Threat ID
40
Q

At what level of the Risk Assessment do you identify processes, controls, and activities that can help manage the risks identified?

  1. Control Recommendation
  2. Impact Analysis
  3. Risk Determination
  4. Results Documentation
A
  1. Control Recommendation
41
Q

Which Svc Delivery model requires resource provisioning roles to be defined in the shared responsibility matrix?
A. IaaS
B. PaaS
C. SaaS

A

A. IaaS

42
Q
As part of the threat modeling process, owners wish to minimize the ____ and impose countermeasures. These measures may pose certain vulns in return and might lead to new ___ being identified.
A. Risks, Risks
B. Threat Agents, Risks
C. Threat Agents, Assets
D. Vuln, Vuln
A

A. Risks, Risks

43
Q
Which risk assessment step focuses on the controls to use for the assessment?
A. Impact Analysis
B. Control Analysis
C. Risk Determination
D. Control Remediation
A

B. Control Analysis

44
Q

What are the 3 Tiers to Continuous Monitoring ISCM Rqmts?

A

Tier 1 –
Org Bus Process – Estab / define Risk Tolerance of Org
Tier 2 –
ISCM Strategy – Create risk Mitigation strategy
Tier 3 –
ISCM Cloud Computing Strategy – Implement Operationalize

45
Q

How many tiers should an ISCM per NIST 800-137 have?
A. 2 – Tier 1 (Org Bus Process), Tier 2 (Cloud Computing Strategy Implem)
B. 2 – Tier 1 (Cloud Computing Strategy Implem), Tier 2 (Org Bus Process)
C. 3 – Tier 1 (Org Bus Process), Tier 2 (ISCM Strategy), Tier 3 (Cloud Computing Strategy Implem)
D. 3 – Tier 1 (Cloud Computing Strategy Implem), Tier 2 (Org Bus Process), Tier 3 (ISCM Strategy)

A
C. 3 – Tier 1 (Org Bus Process), Tier 2 (ISCM Strategy), Tier 3 (Cloud Computing Strategy Implem)
46
Q

What is JAB?

A

Joint Authorization Board

47
Q

What does JAB do?

A

Reviews the Sec pkg submitted by the CSP / grants ATO

48
Q

What is 3PAO?

And what does 3PAO do?

A

Auditor –

3rd Party Assessor Organization; validates / attests to the quality and compliance of the CSP-provided SEC PKG

49
Q

What is PMO?

And what does PMO do?

A

FedRAMP Project Mgmt Ofc –

Manages the assessment, authorization, & CM (Continuous Monitoring) process

50
Q

What is SP?
What is its process in FedRAMP?

SP = _________ ___________

A

Cloud Sec Pkg,

follows the process for provisional authorization under FedRAMP

51
Q

What is FEDRAMP?

A

FedRAMP is a risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services

52
Q

What is SOA acronym for?

A

Service Oriented Architecture

53
Q

What is SOA for?

A

Discrete SW provides Application function / service to other applications . . .