Section 1 - Secure Architecture for GRC Flashcards
GRC stands for
Governance, Risk, Compliance
Cyclical process of identifying, assessing, analyzing and responding to risks
Risk Management
The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization
Enterprise Risk Management
What is the NIST framework for risk management?
Risk Management Framework (RMF), defined in NIST SP 800-37
What is ISO 31000?
International standard for enterprise risk management (principles, framework and process)
What are the 5 phases of Risk Management?
- Identification of mission critical functions
- Identification of known vulnerabilities
- Identification of potential threats
- Analysis of Business Impacts
- Identification of Risk responses
How do you measure Risk?
Risk is a measure of the impact or consequence of a threat exploiting a vulnerability
The variables are likelihood and impact: Risk = Likelihood x Impact
List of Quantitative Risk Variables
Asset Value (AV) - value of an asset such as a server
Exposure Factor (EF) - percentage of the AV that would be lost in a single event (e.g. the part of a building damaged by a fire)
Single Loss Expectancy (SLE) - cost of a single event
SLE = AV x EF
Annual Rate of Occurrence (ARO) - number of times in a year that the single loss occurs (may be fractional, e.g. once in 10 years = 0.1)
Annual Loss Expectancy (ALE) - expected loss per year
ALE = SLE x ARO
Also know
TCO (Total Cost of Ownership), ROI (Return on Investment), MTTR (Mean Time to Repair/Recover), MTBF (Mean Time Between Failures)
Gap Analysis - difference between current state and desired state - for scoping purposes
What is the risk that exists before any type of mitigation has been implemented?
Inherent Risk
Websites are inherently risky because they expose public-facing attack vectors
What is the Residual Risk
Risk that remains after controls are put in place
Know that risk appetite is based on the organization's tolerance for risk.
Also note that accepted risk and residual risk are not always equivalent
What is a popular Cybersecurity Framework widely adopted in the US?
NIST CSF - five core functions (CSF 2.0, released in 2024, adds Govern as a sixth)
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover
What seven steps does NIST CSF describe for establishing or improving a cybersecurity (risk management) program?
- Prioritize and Scope
- Orient
- Create a Current Profile
- Conduct a Risk Assessment
- Create a Target Profile
- Determine, Analyze & Prioritize Gaps
- Implement Action Plan
What are the steps of the NIST Risk Management Framework (RMF)?
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
Name 3 other risk management frameworks and provide details
ISO 31000 (31K) - international and very comprehensive
COBIT (Control Objectives for Information and Related Technologies) - maintained by ISACA
5 Major Components
1. Framework 2. Process Descriptions
3. Control Objectives 4. Management Guidelines 5. Maturity Models
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Initiative of 5 private-sector organizations. Enterprise Risk Management from a strategic leadership point of view
What is the Risk Management Lifecycle?
Identify Risk Items
Assess risks and their associated level
Control - minimize risk
Review - periodic re-evaluation
What are key ingredients to understanding control categories
People
Process
Technology
What is a formal mechanism designed to measure performance of a program against a desired goal
Key Performance Indicators (KPI)
What is the method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occurring
Key Risk Indicators (KRI)
What framework standard did Risk Registers originate from
ISO 27001
An effective visualization of identified risks and information about the mitigating controls.
Columns: Risk Item, Threat, Impact, Likelihood, Plan, Risk Level
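The quantitative variables (AV, EF, SLE, ARO, ALE) and the risk register columns above are worked through in this added example, which is not part of the flashcards. It computes inherent and residual ALE for each register row, maps qualitative likelihood and impact onto a risk level, ranks the register, and decides whether a planned control pays for itself. The cost/benefit rule (ALE before - ALE after - annual control cost), the 3x3 likelihood/impact matrix, and all assets, threats and figures are assumptions constructed for illustration.

```python
"""Risk-register calculator: an added worked example, not from the flashcards.

Formulas from the cards: SLE = AV x EF and ALE = SLE x ARO. The safeguard
cost/benefit rule (ALE before - ALE after - annual control cost) is the usual
quantitative extension and is an assumption here, as is the 3x3
likelihood/impact matrix; every asset, threat and figure below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction (0..1) of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO may be fractional (once in 50 years = 0.02)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control (assumed rule); negative = costs more than it saves."""
    return (ale_before - ale_after) - annual_cost


def qualitative_risk_level(likelihood: int, impact: int) -> str:
    """Map 1..3 likelihood and 1..3 impact to Low/Medium/High (constructed 3x3 matrix)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    """One register row: the card's Risk Item, Threat, Impact, Likelihood and Plan."""
    item: str
    threat: str
    asset_value: float
    exposure_factor: float
    aro: float
    likelihood: int
    impact: int
    plan: str
    control_cost: float = 0.0             # annual cost of the planned control
    residual_ef: Optional[float] = None   # EF after the control (None = unchanged)
    residual_aro: Optional[float] = None  # ARO after the control (None = unchanged)

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def inherent_ale(self) -> float:
        """Risk before any mitigation."""
        return annual_loss_expectancy(self.sle, self.aro)

    @property
    def residual_ale(self) -> float:
        """Risk remaining after the planned control is applied."""
        ef = self.exposure_factor if self.residual_ef is None else self.residual_ef
        aro = self.aro if self.residual_aro is None else self.residual_aro
        return annual_loss_expectancy(single_loss_expectancy(self.asset_value, ef), aro)

    @property
    def control_value(self) -> float:
        return safeguard_value(self.inherent_ale, self.residual_ale, self.control_cost)

    @property
    def risk_level(self) -> str:
        return qualitative_risk_level(self.likelihood, self.impact)


def recommend(risk: RiskItem) -> str:
    """Mitigate when the control pays for itself, otherwise accept the residual risk."""
    return "Mitigate" if risk.control_value > 0 else "Accept"


def rank_register(register: List[RiskItem]) -> List[RiskItem]:
    """Order the register by inherent ALE, highest exposure first."""
    return sorted(register, key=lambda r: r.inherent_ale, reverse=True)


# Constructed sample register (hypothetical assets, threats and figures).
SAMPLE_REGISTER = [
    RiskItem("Web server", "Compromise via unpatched app", 50_000, 0.4, 2.0, 3, 2,
             "WAF + monthly patching", control_cost=10_000, residual_aro=0.5),
    RiskItem("Data center", "Flood", 2_000_000, 0.25, 0.02, 1, 3,
             "Flood barriers", control_cost=15_000, residual_ef=0.05),
    RiskItem("Laptop fleet", "Theft of unencrypted laptop", 3_000, 1.0, 5.0, 3, 1,
             "Full-disk encryption", control_cost=2_000, residual_ef=0.3),
]


def print_register(register: List[RiskItem]) -> None:
    print(f"{'Risk item':<14}{'Level':<8}{'SLE':>10}{'ALE':>10}{'Resid.':>10}{'Value':>10}  Decision")
    for r in rank_register(register):
        print(f"{r.item:<14}{r.risk_level:<8}{r.sle:>10,.0f}{r.inherent_ale:>10,.0f}"
              f"{r.residual_ale:>10,.0f}{r.control_value:>10,.0f}  {recommend(r)}")


if __name__ == "__main__":
    print_register(SAMPLE_REGISTER)
```

The flood row is the instructive one: a high-impact, low-likelihood event whose ALE is only 10,000 per year, so a 15,000-per-year barrier costs more than the risk it removes and the sensible response is to accept (or transfer via insurance) rather than mitigate. It also shows why accepted risk and residual risk differ: the web server still carries 10,000 of residual ALE after the WAF, and someone has to sign off on that remainder.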
What is the difference between Risk Appetite and Risk Tolerance?
Appetite is the broad level of risk an organization is willing to accept in pursuit of its objectives (often shaped by regulation and strategy), while Tolerance is the acceptable variation around that appetite: the threshold that separates acceptable from unacceptable levels of risk
Name a Trade Off Analysis developed by a University
Architecture Tradeoff Analysis Method (ATAM) developed by SEI at Carnegie Mellon
What is the term for depositing a vendor's source code with a third party in case the vendor ceases business?
Source Code Escrow
What is the term for knowing how all vendor hardware, software and services are produced and delivered, and how they affect an organization's operations or finished products?
Supply Chain Visibility
Name the Data Types
PII - personally identifiable Information
Protected Health Information (PHI)
Personally Identifiable Financial Information (PIFI)
Intellectual Property (IP)
What is a Data Owner within an organization
A Senior Executive role with ultimate responsibility for maintaining CIA on an asset
What is the process of applying confidential and privacy labels to information and some common levels
Data Classification
Public - no negative impact
Sensitive - negative impact
Confidential - considerable harm
What type of data destruction technique would be best for cloud data?
Crypto Erase - sanitization that destroys the keys needed to decrypt the data, making recovery effectively impossible (the ciphertext itself need not be wiped, which is why it suits storage you do not physically control)
Type of sanitization where you perform multiple block-level overwrite cycles
Clear
Protects against simple, non-invasive recovery; a clean-room (laboratory) technique can potentially still recover data
What type of sanitization is effective from all recovery techniques including clean rooms
Purge
What is the data protection principle where the underlying country or state may impose its own requirements on data collected or stored within its jurisdiction?
Data Sovereignty
Switzerland is popular due to their unique protective privacy laws
What is a set of policies, contracts and standards identified as essential in the agreement between two parties
Attestation of Compliance (AOC)
Compare Regulations vs Standards in the context of compliance
Regulations describe legal requirements and ramifications; the details of how to comply are typically provided in prescriptive/descriptive form within a standard
What legislation requires a security program for US Federal Agencies, and which agency provides the supporting standards?
Federal Information Security Modernization Act (FISMA, 2014; originally the Federal Information Security Management Act of 2002) - detailed piece of legislation
NIST - SP 800-53 (security and privacy controls) and FIPS 199 (impact categorization)
T or F: COPPA is only enforceable against US-based websites
False - it applies to any operator, including foreign-based sites, that is directed at or knowingly collects data from US children
Protects children under the age of 13
What is the process maturity model that has 5 levels?
Capability Maturity Model Integration (CMMI)
1. Initial
2. Managed
3. Defined
4. Quantitatively Managed
5. Optimizing
Describe Certification vs Accreditation in terms of who owns the system
Certification is associated with system builders and documents that the system meets its requirements; Accreditation is the system owner's formal acceptance of that claim, after which the system can go live.
What are the 4 phases of C&A
Initiation and Planning
Certification
Accreditation
Continuous Monitoring
Who within the organization is responsible for implementing security policies, frameworks, and controls
Information System Security Officer
What entity grants accreditation and what does it issue when complete?
Authorizing Official (AO, formerly the Designated Approving/Accrediting Authority) - reviews the results of the certification and accreditation package (the Certifying Authority performs the certification itself) and accepts the residual risk
Authority to Operate (ATO)
What is the set of standards developed by a group of governments working together to create a baseline of security assurance for Trusted OS and other IT products?
Common Criteria
Outlined in ISO/IEC 15408
When it comes to jurisdiction where should your report an incident first (Local, State, National, International)
Local law enforcement first and they will involve other agencies
Describe Due Care vs Due Diligence
Due care is demonstrating response to security issues and due diligence is demonstrating awareness of security incidents.
Due care references the prudent man rules - reasonable and expected
Due diligence - legal principle that a subject has used best practices
What is the multilateral export control regime established in 1996?
Wassenaar Arrangement - conventional arms and dual-use goods and technologies (including encryption)
Name the common legally enforceable documents
MSA (Master Service Agreement) - umbrella agreement with individual SOWs (Statements of Work)
NDA (Non-Disclosure Agreement)
MOU (Memorandum of Understanding) - non-binding
Interconnection Security Agreement (ISA) - governs sharing data via an interface between two systems
SLA (Service Level Agreement) - terms under which a service is provided
Operational-Level Agreement (OLA) - internal agreements needed to meet the SLA
Privacy Level Agreement (PLA) - between a cloud service provider and its customer; goes beyond the SLA to cover privacy handling
How long does HIPAA require compliance documentation to be retained?
6 Years
What are the ISO 27K standards for Cloud?
27017 (cloud security controls) / 27018 (protection of PII in public clouds)
What is the privacy act of Japan
Act on Protection of Personal Information (APPI)
Which NIST Publication addresses BCP
NIST 800-34
1. Develop the continuity planning policy statement
2. Conduct the BIA
3. Identify Preventive Measures
4. Create Contingency Strategies
5. Develop an information system contingency plan
6. Ensure Plan testing, training and exercises
7. Ensure Plan Maintenance
T or F a DRP is part of BCP
True - just focused on immediate needs of a disaster. Critical Systems only
What is the analysis that assesses all of the elements that can have an impact on Information Systems and the business functions they support?
Business Impact Analysis (BIA)
What needs to be completed to accurately disclose how privacy data is handled and for it to be in compliance with regulations
Privacy Impact Assessment
An analysis of events that provides insight into how to improve the response process in the future is called
After Action Report (AAR), also called Lessons Learned
Can be a blueprint for improvement
List the BCDR Simulation Tests
Checklist - delivered to all departments for review only
Walk-Through - all departments participate to review the plans and analyze their effectiveness
Tabletop - designed to evaluate the procedures in place for responding to an incident; based on a specific objective/scenario
Parallel Test - recovery systems are brought up and run alongside production at the alternate site, without interrupting live operations
Full Interruption Test - production is actually shut down and operations fail over to the recovery site; most realistic and most disruptive
Which NIST Publication identifies appropriate groups that should be part of an incident response plan
NIST 800-61