Security and Risk Management

Question 1

What are the 3 security control types?

Answer 1

Administrative
Physical
Technical (aka Logical)

Question 2

What are the 6 different functionalities of security controls?

Answer 2

Preventative
Detective
Corrective
Deterrent
Recovery
Compensating

Question 3

What does this describe?

A framework made up of many entities: logical, administrative, and physical protection mechanisms; procedures; business processes; and people that all work together to provide a protection level for an environment.

Answer 3

A Security Program

Question 4

What does ISMS stand for and what is it?

Answer 4

Information Security Management System

It is all the things in a security program within the context of the ISO/IEC 27000 series.

Question 5

What is ISO/IEC 27001?

Answer 5

The standard for establishment, implementation, control, and improvement of the ISMS. The ISO/IEC 27000 series was derived from BS 7799.
(Organizations can seek an ISO/IEC 27001 certification by an accredited third party.)

Question 6

What are Enterprise architecture frameworks used for?

Answer 6

To develop architectures for specific stakeholders and present information in views that best suit the stakeholders. (e.g. Zachman Framework)

Question 7

What is Governance?

Answer 7

Determines what what the organization is going to accomplish.

Ensures that stakeholder needs, conditions and options are evaluated to determine:

• Balanced agree-upon enterprise objectives to be achieved
• Setting direction through prioritization and decision making.
• Monitoring performance and compliance against agreed-upon direction and objectives.

Question 8

What is Management’s responsibility?

Answer 8

Determines how to accomplish the objectives stated by Governance.

Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

Question 9

This framework focuses on GOALS for IT and takes stakeholder needs and maps it down to IT goals.

Answer 9

COBIT

Control Objectives for Information Technology

Question 10

A team-oriented, self-directed risk management methodology that employs workshops.

Answer 10

OCTAVE

Question 11

This is a governance model for the organization as a whole used to help prevent fraud.

Answer 11

COSO

Committee of Sponsoring Organizations

Question 12

What is ISO/IEC 27002?

Answer 12

Provides practical advice for how to implement security controls. (The “how to”)

Question 13

What framework follows the PDCA?

Answer 13

ISO/IEC 27001

PDCA = Plan, Do, Check, Act

Question 14

ISO 27005

Answer 14

A standards based approach to RISK MANAGEMENT

Question 15

Who is ultimately responsible for Security within an organization? What do they do?

Answer 15

SENIOR MANAGEMENT (CEO, CSO, CIO)

• Development and Support of Polices
• Allocation of Resources
• Decision based on Risk
• Prioritization of business processes.

Question 16

What is the term for the likelihood that a threat will exploit a vulnerability in an asset?

Answer 16

Risk

Question 17

What is the term for a weakness or lack of safeguard

Answer 17

Vulnerability

Question 18

What is the term used to describe the instance of a compromise?

Answer 18

Exploit

Question 19

What is the term for something that mitigates a risk.

Answer 19

Countermeasure

aka control or safegaurd

Question 20

What is Enterprise Security Architecture.

Answer 20

A subset of enterprise architecture and a way to describer current and future security processes, systems, and sub-units to ensure strategic alignment.

(e.g. SABSA)

Question 21

What four qualities should Enterprise Security Architecture have?

Answer 21

1. Strategic Alignment - Business drivers and regulatory and legal requirements are met
2. Business Enablement - Help the business achieve it’s purpose.
3. Process Enhancement - Process improvement (aka process engineering.)
4. Security Effectiveness - Meeting metrics, and proving effectiveness to management.

Question 22

What does NIST stand for? What is NIST?

Answer 22

The National Institute of Standards and Technology is a non-regulatory body of the U.S. Department of Commerce.

Question 23

What is NIST SP 800-53?

Answer 23

Special Publication 800-53 outlines controls that agencies need to put into place to be compliant with the Federal Information Security Management Act of 2002 (FISMA).

Question 24

What are the 3 NIST SP 800-53 control categories?

Answer 24

Technical
Operational
Management

Question 25

What is Six Sigma?

Answer 25

A process improvement methodology.

Question 26

What is CMMI?

Answer 26

Capability Maturity Model Integration developed by Carnegie Mellon University for the U.S. DoD as a way to determine the maturity of an organizations’s processes.

Question 27

What are the four steps in the security program lifecycle?

Answer 27

1. Plan and organize
2. Implement
3. Operate and Maintain
4. Monitor and evaluate

Question 28

What does this describe?

The functional definitions for the integration of technology into business processes.

Answer 28

A security blueprint

Question 29

Describe patent

Answer 29

Grants ownership and use of INVENTIONS.

Question 30

Describe copyright

Answer 30

Protects EXPRESSION of IDEAS.

Question 31

Describe Trademark

Answer 31

Protects words, names, logos, symbols, and shapes.

Question 32

Describe Trade Secrets

Answer 32

Information proprietary to a company. Provides a competitive edge. Protected as long as the owner take necessary protective actions.

Question 33

What are the 4 main goals of risk analysis?

Answer 33

1. Identify Assets and assign values to them.
2. Identify Vulnerabilities and threats
3. Quantify the impact of potential threats
4. Provide an economic balance between the impact of the risk and the cost of the safeguards.

Question 34

What are the 4 Risk Mitigation options?

Answer 34

Transferred (e.g. Insurance)
Avoided (e.g. don’t participate)
Reduced (e.g. institute controls)
Accepted (e.g. acknowledge doing nothing)

Question 35

What is the formula for total risk?

What is the formula for residual risk?

Answer 35

Threats X vulnerability X asset value = Total Risk
Threats X vulnerability X asset value X control gaps = Residual Risk

(The goal is to get residual risk to the level that is acceptable by management.)

Question 36

What is SLE and ARO and how is it used to calculate ALE?

Answer 36

Single Loss Expectancy and Annul Rate of Occurrence

SLE x ARO = ALE (Annual Loss Expectancy)

Question 37

What is a Security Policy and what are the 3 types?

Answer 37

An overall general statement produced by senior management that dictates what role security plays within an organization.

1. Organizational
2. Issue-specific
3. System-specific

Example: Confidential data should be properly protected.

(STRATEGIC. Policies should be technology and solution independent. More granularity is provided with procedures, standards, guidelines, and baselines to provide a framework. The necessary security controls are used to fill in the framework.)

Question 38

What type of Security Policy does this describe? Management establishes how a security program will be set up, lays out the programs goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.
A) Organizational
B) Issue-specific
C) System-specific

Answer 38

A) Organizational

Question 39

What are the following policies examples of?
Acceptable Use Policy
Access Control Policy
Email Policy
Physical Security Policy

Answer 39

Issue-Specific Security Policy

Question 40

What term refers to mandatory activities, actions, or rules that can give a policy its support and reinforce direction?

Answer 40

Standards
examples: All confidential information must be encrypted with AES 256 and can not be transmitted unless IPSEC is used.

TACTICAL

Question 41

What is a documented recommended action that can be provided to users and staff when a specific standard does not apply?

Answer 41

Guideline

example: how to handle cases when data is accidentally corrupted or compromised during transmission.

TACTICAL

Question 42

What are detailed step-by-step tasks that should be performed to achieve a certain goal?

Answer 42

Procedures

example: Procedure spells out exactly how to implement AES and IPSEC technologies for encryption called out in a standard.

TACTICAL

Question 43

What is secondary risk?

Answer 43

A risk event that comes as a result of anther risk response.

Example: Software should be regularly patched. However, patching can itself introduce instability.

Question 44

What are the four main components of Risk Management?

Answer 44

1. ) Risk Assessment: Identify Assets, Threats, Vulnerability
2. ) Risk Analysis: Value of Potential Risks
3. ) Risk Mitigation: Responding to Risk
4. ) Risk Monitoring: Risk is FOREVER!

Question 45

What is Risk Assessment and what methodologies are used?

Answer 45

• Identify and Valuate Assets
• Identify Threats and Vulnerabilities

Methodologies:
ISO/IEC 27005 and OCTAVE (organization-wide
NIST 800-30 (IT security risk focus)
FRAP (limited budget, focus assessment on individual system or process)
FMEA and Fault-tree Analysis (detailed look into a specific system or product)

Question 46

This Risk Assessment methodology employs a qualitative analysis to determine whether or not to proceed with a quantitative analysis.

Answer 46

FRAP

Facilitated Risk Analysis Process

Question 47

Name 4 commonly accepted Risk Management Frameworks

Answer 47

1. NIST RMF SP 800-37r1
2. ISO 31000:2009
3. ISACA Risk IT
4. COSO Enterprise Risk Management

Question 48

What are the 2 types of valuation approaches in Risk Analysis?

Answer 48

Qualitative and Quantitative

Question 49

What is the Delphi Technique?

Answer 49

Often used in qualitative analysis, the Delphi technique is a group decision method where each member can communicate anonymously.

Question 50

What do the following Quantitative Analysis acronyms stand for?
AV
EF
SLE
ARO
ALE
TCO
ROI

Answer 50

AV = Asset Value
EF = Exposure Factor (The percentage of loss that is expected to result in the manifestation of a particular risk event.
SLE - Single Lost Expectancy
ARO - Annual Rate of Occurrence
ALE - Annual Loss Expectancy
TCO - Total Cost of Ownership
ROI - Return on Investment

Question 51

How do you calculate SLE?

Answer 51

SLE = AV x EF

Asset Value and Exposure Factor

Question 52

What is HIPPA and HITECH stand for and who does it apply to?

Answer 52

Health Insurance Portability and Accountability Act

Health Information Technology for Economic and Clinical Health

Applies to Health Insurers, Health Providers, Health care clearing houses (claims processing agencies)

(As of 2009, covered entities must disclose security breaches regarding personal information.

BAAs for third party providers

Creates civil and criminal penalties.)

Question 53

What is the GLBA stand for and what industry does it regulate?

Answer 53

Gramm-Leach-Bliley Act

Financial industry. Privacy notices

Question 54

What is Business Continuity Management (BCM)?

Answer 54

BCM is the holistic management process that covers Business Continuity Planning and Disaster Recover.

Question 55

What are BCP categories of disruptions?

Answer 55

1. Non-disaster: Inconvenience
2. Emergency/Crisis - Urgent immediate even where there is a potential for loss of life or property.
3. Disaster - Facility is unusable for a day or longer.
4. Catastrophe - Destroys facility.

ANYONE CAN DECLARE AN EMERGENCY. ONLY THE BCP COORDINATOR CAN DECLARE A DISASTER.

Question 56

What are the 7 steps in NIST SP 800-34?

Answer 56

“Continuity Planning Guide for Federal Information Systems”

1. Develop the continuity planning policy statement.
2. Conduct the business impact analysis.
3. Identify preventative controls.
4. Create contingency strategies.
5. Develop an information system contingency plan.
6. Ensure plan testing, training, and exercise.
7. Ensure plan maintenance.

Question 57

What are the three types of BCP teams?

Answer 57

Rescue Team: Responsible for dealing with the immediacy of the disaster.
Recovery Team: Responsible for getting the alternate facility up and running and restoring most critical services.
Salvage Team: Responsible for the return of operations to the original or permanent facility (reconstitution).

Question 58

What is the DRP and how does it differ from BCP?

Answer 58

IT-oriented. Details what items need to be restored and how.

Question 59

What type of BCP test requires distribution of plan copies to different departments for functional manager review?

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

Answer 59

Checklist Test

Question 60

What type of BCP test requires representatives from each department to go over the plan in a room together?

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

Answer 60

Structured Walk-Through (Table Top) Test

Question 61

What type of BCP test requires going through actual disaster scenarios and physically checking that the steps can be done? The drill continues up to the point of actual relocation to an offsite facility and actual shipment of replacement equipment.

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

Answer 61

Simulation Test

Question 62

What type of BCP test requires systems moved to the alternate site and processing take place there?

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

Answer 62

Parallel Test

Question 63

What type of BCP test requires original site shut down and all processing moved to the offsite facility?

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

Answer 63

Full-Interruption test

Very risky.

Question 64

What is the difference between BCP testing, BCP drills, and BCP auditing?

Answer 64

Testing - Happens before plan implementation. The goal is to ensure effectiveness of the plan.
Drills - Main goal is to train employees. Employees walk through steps.
Auditing - 3rd party observer ensures that components of the plan are being carried out and are effective.

Question 65

What are the 3 phases of a BCP following a disruption?

Answer 65

1. Notification/Activation (includes performing a damage assessment)
2. Recovery Phase - Failover
3. Reconstitution - Failback

Question 66

What does MTD stand for?

Answer 66

Maximum tolerable downtime.

Also MPTD (Maximum period of distruption)

Question 67

Which of the following are two security metric and measurement systems. (You can choose more than one).

A. ISO/IEC 22301
B. ISO/IEC 27031:2011
C. ISO/IEC 27004:2009
D. NIST SP 800-55
E. NIST SP 800-53
F. ISO 27001

Answer 67

C. ISO/IEC 27004:2009

D. NIST SP 800-55

Question 68

What are the 8 BIA steps?

Answer 68

1. Select individuals to interview for data gathering.
2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches.
3. Identify the company’s critical BUSINESS FUNCTIONS.
4. Identify the resources these FUNCTIONS depend upon.
5. Calculate how long these functions can survive without these resources. (MTD or MPTD)
6. Identify vulnerabilities and threats to these functions.
7. Calculate risk for each different business function.
8. Document findings and report them to management.

(Results are used for recovery plans).

Question 69

What is a SLO?

Answer 69

Service Level Objective

Like an SLA but no contract. Goals usually made internally driven by business requirements.

Question 70

What does MOA/MOU stand for?

Answer 70

Memorandums of Agreement/Understanding.

Question 71

What does IAAA stand for?

Answer 71

Identification
Authorization
Authentication
Audit

Question 72

This risk assessment method determines functions, identifies functional failures, and assesses the causes of failure and their failure effects through a structured approach.

A. FRAP
B. OCTAVE
C. ISO/IEC 27005 
D. FMEA
E. NIST 800-30

Answer 72

FMEA and Fault-tree Analysis (detailed look into a specific system or product)

Question 73

Which of the following is a standard for business continuity management?

A. ISO/IEC 27004:2009
B. ISO/IEC 22301
C. NIST SP 800-55
D. NIST SP 800-53
E. ISO 27001

Answer 73

ISO/IEC 22301