Sec Mgmt LifeCycle Flashcards
Security Mgmt (6) LifeCycle List? (Hint: Cntls) What are the (6) Lifecycle steps?
- (CAT) Categorize Info Sys – Define critical IS by potential worst-case impact
- (CNTL) Select Sec CNTL – Baseline Sec Cntl – Apply supplemental cntl needed beyond baseline based on risk
- (Implem) Implement Sec CNTL – Using sound engineering practices, apply Sec Config settings
- (Assess) Assess Sec Cntl – PenTest – Confirm chgs
- (AO) Authorize IS – If acceptable … authorize operations
- (CM) Monitor Sec State – Continuous Monitoring – Track chgs against CNTLs
What is ROSI?
Return on Security Investment
ROSI = ___________ - ______________
Risk Mitigation - Cost of Control
For each threat we can then calculate:
ALE = ARO * SLE
ALE
Annual Loss Expectancy
ARO
Annual Rate of Occurrence
SLE
Single Loss Expectancy
PDCA?
Plan - Do - Check - Act
Steps in PLAN of PDCA:
Design ISMS, Assess Risk, Select Control
Steps of Do of PDCA:
Implement / Operation Controls
Steps of Check of PDCA:
Review / Evaluate Performance
Steps of Act of PDCA:
Changes made, Bring ISMS back to peak performance
ISMS Info Sys Mgmt Sys = (hint: name of standard)
ISO /IEC 27001 (FISMA) standard
Governance is how we do what we do …
Governance = (3)
Policy + Standard + Procedure
Policy is ___________
Standard is _________
Procedure is ________
Principle
Control
Step-by-step instructions
List (5) Governance Frameworks:
- ISO / IEC 38500 CORP
- ISO 17799 PCI DSS
- ISO 27001 FISMA
- ISO 13335 HIPAA
- COBIT Govt Mgmt Enterprise IT
* COBIT is a good-practice framework created by international professional association ISACA for information technology management and IT governance.
RISK to Multi-Tenancy: (5)
- Inadequate Logical Sec Cntls – i.e., CPU, Ntwk, Stor, DB, & Stack shared btw multi-tenants
- Other Tenants > Malicious / Ignorant – i.e., weaker logical cntl can affect other tenants
- Shared Svc can become single pt of fail (SPF) – if common svc not architected well, affects other tenants
- Uncoordinated Chg Cntl & Misconfiguration – All chgs need to be well coordinated & tested
- Co-mingled Tenant Data – To reduce cost, providers co-mingle tenant data across shared DBs & BU tapes
What is not a risk for multi-tenancy design?
A. Co-mingled tenant data
B. Inadequate logical Sec Cntl
C. Overcharging for extreme use of resources
D. Uncoordinated change cntl and mis-config
C. Overcharging for extreme use of resources
A cloud subscriber may come under certain security constraints when hosting sensitive data in the cloud due to government regulations. Which of the following is the BEST mitigating control that could be implemented by the cloud provider?
A. Offer multi-tenancy software as a service with segregated physical infrastructure.
B. Offer a single-tenancy software service with segregated virtualized infrastructure.
C. Offer multi-tenancy software as a service with logically segregated infrastructure.
D. Offer a single-tenancy software service with monitored intrusion detection systems.
B. Offer a single-tenancy software service with segregated virtualized infrastructure.
ISO 27005 defines risk as:
And … it is measured by …. (2)
Potential that a given threat will exploit vulnerability of asset/group of assets and thereby cause harm to organization
Likelihood of event … and … Consequences
What (Who) are the Cloud Sec Ref Architecture Members (5)
- Cloud Consumer
- Cloud Provider
- Cloud Broker
- Cloud Carrier (i.e., VZ, ATT, COX)
- Cloud Auditor