Section 1 - Secure Architecture for GRC Flashcards

1
Q

GRC stands for

A

Governance, Risk, Compliance

2
Q

Cyclical process of identifying, assessing, analyzing and responding to risks

A

Risk Management

3
Q

The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization

A

Enterprise Risk Management

4
Q

What is the NIST Framework for Risk Management?

A

RMF ISO 31000
Comprehensive set of standards for enterprise risk management

5
Q

What are the 5 phases of Risk Management?

A
1. Identification of mission critical functions
2. Identification of known vulnerabilities
3. Identification of potential threats
4. Analysis of Business Impacts
5. Identification of Risk responses

6
Q

How do you measure Risk?

A

Risk is a measure of impact or consequence.

The variables are likelihood and impact.

7
Q

List the Quantitative Risk Variables

A

Single Loss Expectancy (SLE) - cost of a single event

Annual Rate of Occurrence (ARO) - number of times in a year that the single loss occurs

Annual Loss Expectancy (ALE)
ALE = SLE x ARO

Asset Value (AV) - value of an asset such as a server

Exposure Factor (EF) - % of the AV that would be lost, e.g. part of a building is damaged

SLE = AV x EF

Also know:
TCO, ROI, MTTR, MTBF

Gap Analysis - difference between current state and desired state - for scoping purposes

8
Q

What is the risk that exists before any type of mitigation has been implemented?

A

Inherent Risk

Websites are inherently risky due to attack vectors

9
Q

What is Residual Risk?

A

Risk that remains after controls are put in place

Know that Risk Appetite is based on the tolerance of the organization.

Also note that accepted risk and residual risk are not always equivalent.

10
Q

What is a popular Cybersecurity Framework widely adopted in the US?

A

NIST CSF
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

11
Q

What steps does the NIST CSF require when performing risk management?

A
1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze & Prioritize Gaps
7. Implement Action Plan

12
Q

What are the NIST Risk Management Framework (RMF) steps?

A
1. Prepare
2. Categorize
3. Select
4. Implement
5. Assess
6. Authorize
7. Monitor

12
Q

Name 3 other risk management frameworks and provide details

A

ISO 31000 or 31K - International and very comprehensive

COBIT - maintained by ISACA
5 Major Components
1. Framework
2. Process Descriptions
3. Control Objectives
4. Management Guidelines
5. Maturity Models

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Initiative of 5 private sector organizations. Enterprise Risk Management from a strategic leadership point of view

12
Q

What is the Risk Management Lifecycle?

A

Identify Risk Items
Assess risks and their associated level
Control - minimize risk
Review - periodic re-evaluation

13
Q

What are the key ingredients to understanding control categories?

A

People
Process
Technology

14
Q

What is a formal mechanism designed to measure the performance of a program against a desired goal?

A

Key Performance Indicators (KPI)

15
Q

What is the method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues?

A

Key Risk Indicators (KRI)

16
Q

What framework standard did Risk Registers originate from?

A

ISO 27001
An effective visualization of identified risks and information about the mitigating controls.

Risk Item, Threat, Impact, Likelihood, Plan, Risk Level

17
Q

What is the difference between Risk Appetite and Risk Tolerance?

A

Appetite is often prescribed via regulation and addresses how an organization will address risks, while Tolerance is the threshold that separates different levels of risk

18
Q

Name a trade-off analysis method developed by a university

A

Architecture Tradeoff Analysis Method (ATAM) developed by SEI at Carnegie Mellon

19
Q

What is the term for placing a vendor's source code with a 3rd party in case the vendor ceases business?

A

Source Code Escrow

20
Q

What is the term for how all vendor hardware, software and services are produced and delivered, as well as how they impact an organization's operations or finished products?

A

Supply Chain Visibility

21
Q

Name the Data Types

A

Personally Identifiable Information (PII)

Protected Health Information (PHI)

Personally Identifiable Financial Information (PIFI)

Intellectual Property (IP)

22
Q

What is a Data Owner within an organization?

A

A Senior Executive role with ultimate responsibility for maintaining CIA on an asset

23
Q

What is the process of applying confidentiality and privacy labels to information, and what are some common levels?

A

Data Classification
Public - no negative impact
Sensitive - negative impact
Confidential - considerable harm

24
Q

What type of data destruction technique would be best for cloud data?

A

Crypto Erase - a type of sanitization that destroys the keys used to perform decryption of the data, making recovery effectively impossible

25
Q

Type of sanitization of data where you perform multiple block-level overwrite cycles

A

Clear
A clean room can potentially recover the data

26
Q

What type of sanitization is effective against all recovery techniques, including clean rooms?

A

Purge

27
Q

What is the data protection principle where the underlying country or state may impose individual requirements on data collected or stored within their jurisdiction?

A

Data Sovereignty
Switzerland is popular due to its unique protective privacy laws

28
Q

What is a set of policies, contracts and standards identified as essential in the agreement between two parties?

A

Attestation of Compliance (AOC)

29
Q

Compare Regulations vs Standards in the context of compliance

A

Regulations describe legal requirements and ramifications; the details of compliance are typically provided in prescriptive/descriptive form within a standard

30
Q

What was the security program required for US Federal Agencies detailed in, and what agency provides the standards?

A

Federal Information Security Modernization Act (FISMA) - detailed piece of legislation
NIST - 800-53 and FIPS 199

31
Q

T or F: COPPA is only enforceable within the US

A

False
Under the age of 13

32
Q

What is the privacy model that has 5 levels?

A

Capability Maturity Model Integration (CMMI)
1. Initial
2. Managed
3. Defined
4. Quantitatively Managed
5. Optimizing

33
Q

Describe Certification vs Accreditation in terms of who owns the system

A

Certification is associated with system builders and documents that their system meets the requirements, whereas Accreditation is the system owner's acceptance of this claim, after which the system can go live.

34
Q

What are the 4 phases of C&A?

A

1. Initiation and Planning
2. Certification
3. Accreditation
4. Continuous Monitoring

35
Q

Who within the organization is responsible for implementing security policies, frameworks, and controls?

A

Information System Security Officer

36
Q

What entity can provide accreditation, and what do they provide when completed?

A

Certifying Authority - responsible for reviewing the results of a certification and accreditation package
Provides an Authority to Operate (ATO)

37
Q

What is the set of standards developed by a group of governments working together to create a baseline of security assurance for a Trusted OS?

A

Common Criteria
Outlined in ISO Standard 15408

38
Q

When it comes to jurisdiction, where should you report an incident first (Local, State, National, International)?

A

Local law enforcement first, and they will involve other agencies

39
Q

Describe Due Care vs Due Diligence

A

Due care is demonstrating response to security issues and due diligence is demonstrating awareness of security incidents.
Due care references the prudent man rule - reasonable and expected
Due diligence - legal principle that a subject has used best practices

40
Q

What is the export control that was established in 1996?

A

Wassenaar Agreement - weaponry

41
Q

Name the common legally enforceable documents

A

MSA - umbrella agreement with individual SOWs
NDA
MOU - memorandum of understanding - non-binding
Interconnection Security Agreement (ISA) - share data via an interface
SLA - terms under which a service is provided
Operational-Level Agreement (OLA) - these are internal, to meet the SLA
Privacy Level Agreements - between a CSP and ...; goes beyond the SLA

42
Q

How long should HIPAA data be stored for compliance?

A

6 Years

43
Q

What are the ISO 27K standards for Cloud?

A

27017/27018

44
Q

What is the privacy act of Japan?

A

Act on Protection of Personal Information (APPI)

45
Q

Which NIST Publication addresses BCP?

A

NIST 800-34
1. Develop the continuity planning policy statement
2. Conduct the BIA
3. Identify preventive measures
4. Create contingency strategies
5. Develop an information system contingency plan
6. Ensure plan testing, training and exercises
7. Ensure plan maintenance

46
Q

T or F: a DRP is part of a BCP

A

True - just focused on the immediate needs of a disaster. Critical systems only

47
Q

What is the analysis of assessing all of the elements that can have an impact on Information Systems?

A

Business Impact Analysis

48
Q

What needs to be completed to accurately disclose how privacy data is handled and for it to be in compliance with regulations?

A

Privacy Impact Assessment

49
Q

An analysis of events that can provide insight into how to improve the response process in the future is called

A

After Action Report (AAR), also called Lessons Learned
Can be a blueprint for improvement

50
Q

List the BCDR Simulation Tests

A

Checklists - delivered to all departments for review only
Walk-Through - all departments participate to review the plans and analyze their effectiveness
Tabletop - designed to evaluate the procedures in place for responding to an incident. Based on a specific objective
Parallel Test
Full Interruption Test

51
Q

Which NIST Publication identifies appropriate groups that should be part of an incident response plan?

A

NIST 800-61

52