Sec Mgmt LifeCycle Flashcards
Security Mgmt (6) LifeCycle List? Hint: Cntls What are the (6) Lifecycle steps?
- (CAT) Categorize Info Sys – Define critical IS according to potential worst-case impact
- (CNTL) Select Sec CNTL – Baseline Sec Cntl – Apply supplemental cntl needed beyond baseline based on risk
- (Implem) Implem Sec CNTL – Using sound engineering practices, apply Sec Config settings
- (Assess) Assess Sec Cntl – PenTest – Confirm chgs
- (AO) Authorize IS – if acceptable … authorize operations
- (CM) Monitor Sec State – Continuous Monitoring – track chgs against CNTLs
What is ROSI?
Return on Security Investment
ROSI = ___________ - ______________
RISK Mitigation - Cost of Control
For each threat we can then calculate:
ALE = ARO * SLE
ALE
Annual Loss Expectancy
ARO
Annual Rate of Occurrence
SLE
Single Loss Expectancy
PDCA?
Plan - Do - Check - Act
Steps in PLAN of PDCA:
Design ISMS, Assess Risk, Select Control
Steps of Do of PDCA:
Implement / Operation Controls
Steps of Check of PDCA:
Review / Evaluate Performance
Steps of Act of PDCA:
Changes made, Bring ISMS back to peak performance
ISMS Info Sec Mgmt Sys = (hint: name of standard)
ISO /IEC 27001 (FISMA) standard
Governance is how we do what we do …
Governance = (3)
Policy + Standard + Procedure
Policy is ___________
Standard is _________
Procedure is ________
Principle
Control
Step-by-step instructions
List (5) Governance Frameworks:
- ISO / IEC 38500 CORP
- ISO 17799 PCI DSS
- ISO 27001 FISMA
- ISO 13335 HIPAA
- COBIT Govt Mgmt Enterprise IT
* COBIT is a good-practice framework created by international professional association ISACA for information technology management and IT governance.
RISK to Multi-Tenancy: (5)
- Inadequate Logical Sec Cntls – i.e.: CPU, Ntwk, Stor, DB, & Stack shared btw Multi-tenants
- Other Tenants > Malicious / Ignorant – i.e.: weaker logical cntl can affect other Tenants
- Shared Svc can become single pt of fail (SPF) if common svc not architected well – Affects other Tenants
- Uncoordinated Chg Cntl & Misconfiguration – All chgs need to be well coordinated & Tested
- Co-mingled Tenant Data – to reduce cost, providers store data from multiple tenants on shared DB & BU tapes
What is not a risk for multi-tenancy design?
A. Co-mingled tenant data
B. Inadequate logical Sec Cntl
C. Overcharging for extreme use of resources
D. Uncoordinated change cntl and mis-config
C. Overcharging for extreme use of resources
A cloud subscriber may come under certain security constraints when hosting sensitive data in the cloud due to government regulations. Which of the following is the BEST mitigating control that could be implemented by the cloud provider?
A. Offer multi-tenancy software as a service with segregated physical infrastructure.
B. Offer a single-tenancy software service with segregated virtualized infrastructure.
C. Offer multi-tenancy software as a service with logically segregated infrastructure.
D. Offer a single-tenancy software service with monitored intrusion detection systems.
B. Offer a single-tenancy software service with segregated virtualized infrastructure.
ISO 27005 defines risk as:
And … it is measured by …. (2)
Potential that a given threat will exploit vulnerability of asset/group of assets and thereby cause harm to organization
Likelihood of event
And … Consequences
What (Who) are the Cloud Sec Ref Architecture Members (5)
- Cloud Consumer
- Cloud Provider
- Cloud Broker
- Cloud Carrier (i.e.: VZ, ATT, COX)
- Cloud Auditor
What is CLOUD Bursting?
When a Private Cloud or Data Center burst into Public Cloud as capacity spikes
An organization has just gone to a start-up cloud provider for its entire infrastructure. Which of the following is one of the new organizational roles required at the cloud provider?
A. Supply manager
B. Commercial manager
C. Infrastructure project manager
D. Credit risk manager
C. Infrastructure project manager
What are the Cloud Compliance Cntl Layers (8)
- SaaS
- PaaS
- IaaS
- Virtual Cntl
- Data Mgmt & Storage Cntl
- Access Cntl
- Communications Cntl
- Support Infrastructure
What are the (6) steps of the Data Security LifeCycle?
Create – Store – Use – Share – Archive – Destroy
What is Vendor Lock-in?
Vendor goes out of business, data is lost, or versions change and the data is now unreadable …
Which of the following is an important factor for maintaining strategic flexibility?
A. Return on investment
B. Integrity
C. Elasticity
D. Vendor lock-in
D. Vendor lock-in
What is the Cloud Risk Assessment List (9)?
Char(ize) – Threat ID – Vuln ID – Cntl Analysis – Likelihood Det – Impact Analysis – Risk Det – Cntl Recommendation – Results Doc
Cloud Risk Assessment List (9)
- Sys Char – Char(ize) assets, bus process, or sys to Cloud
- Threat ID – identify threats to org (existing/new)
- Vuln ID – identify potential vuln / current Sec issues
- Cntl Analysis – Analyze Sec Cntl / framewk for assessmt
- Likelihood Det – Determine likelihood of event based on Criticality
- Impact Analysis – Analyze definition of impact if risk was exploited
- Risk Determ – Determine risk based on likelihood of threat, impact & Mitig Cntl
- Cntl Recommendation – ID Process, Cntl, activity to manage ID'd risk
- Results Doc – ID risk treatment options such as bear risk, transfer risk, mitigate risk
The Risk Assessment methodology has 9 steps.
Which step is THREAT IDENTIFICATION?
A. First
B. Second
C. Third
D. Fourth
B. Second
The Risk Assessment method has 9 steps.
In which step do you define System, Process scope, & service, i.e.: Technical Cntls, Mgmt Cntls, Operational Cntls, Physical Cntls, and Environmental Sec get assessed?
- Char
- Threat ID
- Vuln ID
- Cntl Analysis
- Char
At what level of the Risk Assessment do you consider Pen Testing?
- Char
- Threat ID
- Vuln ID
- Cntl Analysis
- Vuln ID
What stage of risk assessment step focuses on controls to use for assessment?
- Impact Analysis
- Control Analysis
- Risk Determination
- Control Remediation
- Control Analysis
At what level of the Risk Assessment do you define a risk criteria that includes likelihood of a threat, magnitude of impact, and capability of mitigating controls?
- Control Recommendation
- Impact Analysis
- Risk Determination
- Results Documentation
- Risk Determination
* RISK Determination = Likelihood
At what level of the Risk Assessment do you establish a framework and document the universe of controls?
- Char
- Threat ID
- Vuln ID
- Cntl Analysis
- Cntl Analysis
At what level of the Risk Assessment do you create risk assessment report, identify risk management options, ie: accept, transfer, mitigate, and document risk exceptions?
- Control Recommendation
- Impact Analysis
- Risk Determination
- Results Documentation
- Results Documentation
At what level of the Risk Assessment do you analyze the relation to the loss of integrity, availability, or confidentiality, and the definition of impact of a particular risk?
- Control Recommendation
- Impact Analysis
- Risk Determination
- Results Documentation
- Impact Analysis
At what level of the Risk Assessment do you identify threats, history of sys attacks, and identify security issues?
- Char
- Threat ID
- Vuln ID
- Cntl Analysis
- Threat ID
At what level of the Risk Assessment do you identify processes, controls, and activities that can help manage the risks identified?
- Control Recommendation
- Impact Analysis
- Risk Determination
- Results Documentation
- Control Recommendation
Which Svc Delivery model requires resource provisioning roles to be defined in the shared responsibility matrix?
A. IaaS
B. PaaS
C. SaaS
A. IaaS
As part of the threat modeling process, owners wish to minimize the ________ and impose countermeasures. These measures may pose certain vuln in return and might lead to new ________ being identified.
A. Risks, Risks
B. Threat Agents, Risks
C. Threat Agents, Assets
D. Vuln, Vuln
A. Risks, Risks
What stage of risk assessment step focuses on controls to use for assessment?
A. Impact Analysis
B. Control Analysis
C. Risk Determination
D. Control Remediation
B. Control Analysis
What are the 3 Tiers to Continuous Monitoring ISCM Rqmts?
Tier 1 –
Org Bus Process – Estab / define Risk Tolerance of Org
Tier 2 –
ISCM Strategy – Create risk Mitigation strategy
Tier 3 –
ISCM Cloud Computing Strategy – Implement Operationalize
How many tiers should an ISCM per NIST 800-137 have:
A. 2 – Tier 1 (Org Bus Process), Tier 2 (Cloud Computing Strategy Implem)
B. 2 – Tier 1 (Cloud Computing Strategy Implem), Tier 2 (Org Bus Process)
C. 3 – Tier 1 (Org Bus Process), Tier 2 (ISCM Strategy), Tier 3 (Cloud Computing Strategy Implem)
D. 3 – Tier 1 (Cloud Computing Strategy Implem), Tier 2 (Org Bus Process), Tier 3 (ISCM Strategy)
C. 3 – Tier 1 (Org Bus Process), Tier 2 (ISCM Strategy), Tier 3 (Cloud Computing Strategy Implem)
What is JAB?
Joint Authorization Board
What does JAB do?
Reviews Sec Pkg submitted by CSP / grants ATO
What is 3PAO?
And what does 3PAO do?
Auditor –
3rd Party Assessor Organization – validates / attests to quality and compliance of CSP-provided Sec Pkg
What is PMO?
And what does PMO do?
FedRamp Project Mgr Ofc –
Manages the assessment, authorization, & CM (Continuous Monitoring) process
What is SP?
What is its process in FedRAMP?
SP = _________ ___________
Cloud Sec Pkg –
follows the process for provisional authorization under FedRAMP
What is FEDRAMP?
FedRAMP is a risk management program that provides a standardized approach for assessing and monitoring the security of cloud products and services
What is SOA acronym for?
Service Oriented Architecture
What is SOA for?
Discrete SW provides an application function / service to other applications …