Sec Mgmt LifeCycle

Question 1

Security Mgmt (6) LifeCycle List?   Hint: Cntls
What are the (6) Lifecycle steps?

Answer 1

1. (CAT) Categorize Info Sys – Define Critical IS to
   potential worse case impact
2. (CNTL) Select Sec CNTL – Baseline Sec Cntl – Apply
   supplement cntl needed for baseline on risk
3. (Implem) Implem Sec CNTL – Using sound Engineer
   practices, apply Sec Config settings
4. (Assess) Assess Sec Cntl – PenTest – Confirm chgs
5. (AO) Authorize IS – if acceptable … authorize
   operations
6. (CM) Monitor Sec State – Continuous Monitoring –
   track chgs against CNTLs

Question 2

What is ROSI?

Answer 2

Return on Security Investment

Question 3

ROSI = ___________ - ______________

Answer 3

$$RISK Mitigation - Cost of Control

Question 4

For each threat we can then calculate:

Answer 4

ALE = ARO * SLE

Question 5

ALE

Answer 5

Annual Loss Expectancy

Question 6

ARO

Answer 6

Annual Rate of Occurance

Question 7

SLE

Answer 7

Single Loss Expectancy

Question 8

PDCA?

Answer 8

Plan - Do - Check - Act

Question 9

Steps in PLAN of PDCA:

Answer 9

Design ISMS, Assess Risk, Select Control

Question 10

Steps of Do of PDCA:

Answer 10

Implement / Operation Controls

Question 11

Steps of Check of PDCA:

Answer 11

Review / Evaluate Performance

Question 12

Steps of Act of PDCA:

Answer 12

Changes made, Bring ISMS back to peak performance

Question 13

ISMS Info Sys Mgmt Sys = (hint: name of standard)

Answer 13

ISO /IEC 27001 (FISMA) standard

Question 14

Governance is how we do what we do …

Governance = (3)

Answer 14

Policy + Standard + Procedure

Question 15

Policy is ___________
Standard is _________
Procedure is ________

Answer 15

Principle
Control
Step-by-step instructions

Question 16

List (5) Governance Frameworks:

Answer 16

1. ISO / IEC 38500 CORP
2. ISO 17799 PCI DSS
3. ISO 27001 FISMA
4. ISO 13335 HIPAA
5. COBIT Govt Mgmt Enterprise IT
   * COBIT is a good-practice framework created by international professional association ISACA for information technology management and IT governance.

Question 17

RISK to Multi-Tenancy: (5)

Answer 17

1. Inadequate Logical Sec Cntls
   ie: CPU, Ntwk, Stor, DB, & Stack shared btw Multi-
   tenants
2. Other Tenants > Malicious / Ignorant
   i.e.: weaker logical cntl can affect other Tenants
3. Shared Svc can become single pt of fail (SPF)
   if common svc not architecture well. Affect other
   Tenants
4. Uncoordinated Chg Cntl & Misconfiguration –
   All chgs need to be well coordinated & Tested
5. Co-mingle Tenant Data –
   to reduce cost – providers store data from multiple
   DB & BU tapes.

Question 18

What is not a risk for multi-tenancy design?
A. Co-mingled tenant data
B. Inadequate logical Sec Cntl
C. Overcharging for extreme use of resources
D. Uncoordinated change cntl and mis-config

Answer 18

C. Overcharging for extreme use of resources

Question 19

A cloud subscriber may come under certain security constraints when hosting sensitive data in the cloud due to government regulations. Which of the following is the BEST mitigating control that could be implemented by the cloud provider?

A. Offer multi-tenancy software as a service with segregated physical infrastructure.
B. Offer a single-tenancy software service with segregated virtualized infrastructure.
C. Offer multi-tenancy software as a service with logically segregated infrastructure.
D. Offer a single-tenancy software service with monitored intrusion detection systems.

Answer 19

B. Offer a single-tenancy software service with segregated virtualized infrastructure.

Question 20

ISO 27005 defines risk as:

And … it is measured by …. (2)

Answer 20

Potential that a given threat will exploit vulnerability of asset/group of assets and thereby cause harm to organization

Likelihood of event
And … Consequences

Question 21

What (Who) are the Cloud Sec Ref Architecture Members (5)

Answer 21

Cloud Consumer
Cloud Provider
Cloud Broker
Cloud Carrier ie: VZ, ATT, COX
Cloud Auditor

Question 22

What is CLOUD Bursting?

Answer 22

When a Private Cloud or Data Center burst into Public Cloud as capacity spikes

Question 23

An organization has just gone to a start-up cloud provider for its entire infrastructure. Which of the following is one of the new organizational roles required at the cloud provider?

A. Supply manager
B. Commercial manager
C. Infrastructure project manager
D. Credit risk manager

Answer 23

C. Infrastructure project manager

Question 24

What are the Cloud Compliance Cntl Layers (8)

Answer 24

SaaS
Paas
Iaas
Virtual Cntl
Data Mgmt & Storage Cntl
Access Cntl
Communications Cntl
Support Infrastructure

Question 25

What the (6) steps of Data Security LifeCycle

Answer 25

Create
Store
Use
Share
Archive
Destroy

Question 26

What is Vendor Lock-in?

Answer 26

Vendor goes out of business, lost data, or changed versions and now unreadable ….

Question 27

Which of the following is an important factor for maintaining strategic flexibility?

A. Return on investment
B. Integrity
C. Elasticity
D. Vendor lock-in

Answer 27

D. Vendor lock-in

Question 28

What are the Cloud Risk Assessment List (9)

Answer 28

Char(ize) 
Threat 
Vuln 
Cntl
Likelihood Det –
Impact 
Risk Det 
Cntl Recommendation 
Results Doc

Question 29

Cloud Risk Assessment List (9)

Answer 29

1. Sys Char – Char(ize) assets, bus process, or sys to
   Cloud
2. Threat ID – identify threats to org (exist/new)
3. Vuln ID – identify potential vuln/current Sec issues
4. Cntl Analysis – Analyze Sec Cntl / framewk for
   assessmt
5. Likelihood Det – Determine definite likelihood of
   event based on Criticality
6. Impact Analysis – Analyze defin of impact if risk was
   exploited
7. Risk Determ –Detemine risk base on likelihood of
   threat, impact & Mitig Cntl
8. Cntl Recommendation – ID Process, Cntl, activity to
   manage ID risk
9. Results Doc – ID risk treatment option such as bear
   risk, transfer risk, mitigate risk.

Question 30

The Risk Assessment methodology has 9 steps.
Which step is THREAT IDENTIFICATION?

A. First
B. Second
C. Third
D. Fourth

Answer 30

B. Second

Question 31

The Risk Assessment method has 9 steps.
Which step do you define System, Process scope, & service i.e: Technical Cntls, Mgmt Cntls, Operational Cntls, Physical Cntls, and Environmental Sec get assessed?

1. Char
2. Threat ID
3. Vuln ID
4. Cntl Analysis

Answer 31

1. Char

Question 32

At what level of the Risk Assessment do you consider Pen Testing?

1. Char
2. Threat ID
3. Vuln ID
4. Cntl Analysis

Answer 32

3. Vuln ID

Question 33

What stage of risk assessment step focuses on controls to use for assessment?

1. Impact Analysis
2. Control Analysis
3. Risk Determination
4. Control Remediation

Answer 33

2. Control Analysis

Question 34

At what level of the Risk Assessment do you define a risk criteria that includes likelihood of a threat, magnitude of impact, and capability of mitigating controls?

1. Control Recommendation
2. Impact Analysis
3. Risk Determination
4. Results Documentation

Answer 34

3. Risk Determination

* RISK Determination = Likelihood

Question 35

At what level of the Risk Assessment do you establish a framework, and document the universe of controls

1. Char
2. Threat ID
3. Vuln ID
4. Cntl Analysis

Answer 35

4. Cntl Analysis

Question 36

At what level of the Risk Assessment do you create risk assessment report, identify risk management options, ie: accept, transfer, mitigate, and document risk exceptions?

1. Control Recommendation
2. Impact Analysis
3. Risk Determination
4. Results Documentation

Answer 36

4. Results Documentation

Question 37

At what level of the Risk Assessment do you establish a framework, and document the universe of controls

1. Char
2. Threat ID
3. Vuln ID
4. Cntl Analysis

Answer 37

4. Cntl Analysis

Question 38

At what level of the Risk Assessment do you analyze the relation to the loss of integrity, availability, or confidentiality, and the definition of impact of a particular risk.

1. Control Recommendation
2. Impact Analysis
3. Risk Determination
4. Results Documentation

Answer 38

2. Impact Analysis

Question 39

At what level of the Risk Assessment do you identify threats, history of sys attacks, and identify security issues?

1. Char
2. Threat ID
3. Vuln ID
4. Cntl Analysis

Answer 39

2. Threat ID

Question 40

At what level of the Risk Assessment do you identify processes, controls, and activities that can help manage risks identified.

1. Control Recommendation
2. Impact Analysis
3. Risk Determination
4. Results Documentation

Answer 40

1. Control Recommendation

Question 41

Which Svc Delivery model requires resource provisioning roles to be defined in the shared responsibility matrix?
A. IaaS
B. PaaS
C. SaaS

Answer 41

A. IaaS

Question 42

As part of threat modeling process, owners wish to minimize the \_\_\_\_ and impose countermeasures.  These measures may pose certain vuln in return and might lead to new \_\_\_ being identified. 
A. Risks, Risks
B. Threat Agents, Risks
C. Threat Agents, Assets
D. Vuln, Vuln

Answer 42

A. Risks, Risks

Question 43

What stage of risk assessment step focuses on controls to use for assessment?
A. Impact Analysis
B. Control Analysis
C. Risk Determination
D. Control Remediation

Answer 43

B. Control Analysis

Question 44

What are the 3 Tiers to Continuous Monitoring ISCM Rqmts?

Answer 44

Tier 1 –
Org Bus Process – Estab / define Risk Tolerance of Org
Tier 2 –
ISCM Strategy – Create risk Mitigation strategy
Tier 3 –
ISCM Cloud Computing Strategy – Implement Operationalize

Question 45

How many tiers should an ISCM per NIST 800-137 have:
A. 2 – Tier 1 (Org Bus Process), Tier 2 (Cloud Computing
Strategy Implem)
B. 2 – Tier 1 (Cloud Computing Strategy Implem), Tier 2
(Org Bus Process)
C. 3 – Tier 1 (Org Bus Process), Tier 2 (ICSM Strategy)
Tier 3 (Cloud Computing Strategy Implem)
D. 3 – Tier 1 (Cloud Computing Strategy Implem), Tier 2
(Org Bus Process), Tier 3 (ICSM Strategy)

Answer 45

C. 3 – Tier 1 (Org Bus Process), Tier 2 (ICSM Strategy) 
           Tier 3 (Cloud Computing Strategy Implem)

Question 46

What is JAB?

Answer 46

Joint Authorization Board

Question 47

What does JAB do?

Answer 47

reviews Sec pkg submit by CSP/ grants ATO?

Question 48

What is 3PAO?

And what does 3PAO do?

Answer 48

Auditor –

3rd party Assessor Organization, validates / attests to quality and compliance of CBP provided SEC PKG

Question 49

What is PMO?

And what does PMO do?

Answer 49

FedRamp Project Mgr Ofc –

manages process assessment, authorize, & CM process. Continuous Monitoring

Question 50

What is SP?
What is its process in FedRAMP?

SP = _________ ___________

Answer 50

Cloud Sec Pkg,

follows process for provisional authorization under Fed Ramp

Question 51

What is FEDRAMP?

Answer 51

FedRamp is risk management program that provides a standardized approach for assessing and monitoring security of cloud products and services

Question 52

What is SOA acronym for?

Answer 52

Service Oriented Architecture

Question 53

What is SOA for?

Answer 53

Discrete SW provides Application function / service to other applications . . .