Security and Risk Management Flashcards
What are the 3 security control types?
Administrative
Physical
Technical (aka Logical)
What are the 6 different functionalities of security controls?
Preventative
Detective
Corrective
Deterrent
Recovery
Compensating
What does this describe?
A framework made up of many entities: logical, administrative, and physical protection mechanisms; procedures; business processes; and people that all work together to provide a protection level for an environment.
A Security Program
What does ISMS stand for and what is it?
Information Security Management System
It is all the things in a security program within the context of the ISO/IEC 27000 series.
What is ISO/IEC 27001?
The standard for establishment, implementation, control, and improvement of the ISMS. The ISO/IEC 27000 series was derived from BS 7799.
(Organizations can seek an ISO/IEC 27001 certification by an accredited third party.)
What are Enterprise architecture frameworks used for?
To develop architectures for specific stakeholders and present information in views that best suit the stakeholders. (e.g. Zachman Framework)
What is Governance?
Determines what the organization is going to accomplish.
Ensures that stakeholder needs, conditions and options are evaluated to determine:
- Balanced, agreed-upon enterprise objectives to be achieved
- Setting direction through prioritization and decision making.
- Monitoring performance and compliance against agreed-upon direction and objectives.
What is Management’s responsibility?
Determines how to accomplish the objectives stated by Governance.
Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
This framework focuses on GOALS for IT and takes stakeholder needs and maps them down to IT goals.
COBIT
Control Objectives for Information Technology
A team-oriented, self-directed risk management methodology that employs workshops.
OCTAVE
This is a governance model for the organization as a whole used to help prevent fraud.
COSO
Committee of Sponsoring Organizations
What is ISO/IEC 27002?
Provides practical advice for how to implement security controls. (The “how to”)
What framework follows the PDCA?
ISO/IEC 27001
PDCA = Plan, Do, Check, Act
ISO 27005
A standards-based approach to RISK MANAGEMENT
Who is ultimately responsible for Security within an organization? What do they do?
SENIOR MANAGEMENT (CEO, CSO, CIO)
- Development and Support of Policies
- Allocation of Resources
- Decisions based on Risk
- Prioritization of business processes.
What is the term for the likelihood that a threat will exploit a vulnerability in an asset?
Risk
What is the term for a weakness or lack of safeguard
Vulnerability
What is the term used to describe the instance of a compromise?
Exploit
What is the term for something that mitigates a risk?
Countermeasure
aka control or safeguard
What is Enterprise Security Architecture?
A subset of enterprise architecture and a way to describe current and future security processes, systems, and sub-units to ensure strategic alignment.
(e.g. SABSA)
What four qualities should Enterprise Security Architecture have?
- Strategic Alignment - Business drivers and regulatory and legal requirements are met
- Business Enablement - Help the business achieve its purpose.
- Process Enhancement - Process improvement (aka process engineering.)
- Security Effectiveness - Meeting metrics, and proving effectiveness to management.
What does NIST stand for? What is NIST?
The National Institute of Standards and Technology is a non-regulatory body of the U.S. Department of Commerce.
What is NIST SP 800-53?
Special Publication 800-53 outlines controls that agencies need to put into place to be compliant with the Federal Information Security Management Act of 2002 (FISMA).
What are the 3 NIST SP 800-53 control categories?
Technical
Operational
Management
What is Six Sigma?
A process improvement methodology.
What is CMMI?
Capability Maturity Model Integration, developed by Carnegie Mellon University for the U.S. DoD as a way to determine the maturity of an organization's processes.
What are the four steps in the security program lifecycle?
- Plan and organize
- Implement
- Operate and Maintain
- Monitor and evaluate
What does this describe?
The functional definitions for the integration of technology into business processes.
A security blueprint
Describe patent
Grants ownership and use of INVENTIONS.
Describe copyright
Protects EXPRESSION of IDEAS.
Describe Trademark
Protects words, names, logos, symbols, and shapes.
Describe Trade Secrets
Information proprietary to a company. Provides a competitive edge. Protected as long as the owner takes the necessary protective actions.
What are the 4 main goals of risk analysis?
- Identify Assets and assign values to them.
- Identify Vulnerabilities and threats
- Quantify the impact of potential threats
- Provide an economic balance between the impact of the risk and the cost of the safeguards.
What are the 4 Risk Mitigation options?
Transferred (e.g. Insurance)
Avoided (e.g. don’t participate)
Reduced (e.g. institute controls)
Accepted (e.g. acknowledge doing nothing)
What is the formula for total risk?
What is the formula for residual risk?
Threats X vulnerability X asset value = Total Risk
Threats X vulnerability X asset value X control gaps = Residual Risk
(The goal is to get residual risk to the level that is acceptable by management.)
What is SLE and ARO and how is it used to calculate ALE?
Single Loss Expectancy and Annual Rate of Occurrence
SLE x ARO = ALE (Annual Loss Expectancy)
What is a Security Policy and what are the 3 types?
An overall general statement produced by senior management that dictates what role security plays within an organization.
- Organizational
- Issue-specific
- System-specific
Example: Confidential data should be properly protected.
(STRATEGIC. Policies should be technology and solution independent. More granularity is provided with procedures, standards, guidelines, and baselines to provide a framework. The necessary security controls are used to fill in the framework.)
What type of Security Policy does this describe? Management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.
A) Organizational
B) Issue-specific
C) System-specific
A) Organizational
What are the following policies examples of?
- Acceptable Use Policy
- Access Control Policy
- Email Policy
- Physical Security Policy
Issue-Specific Security Policy
What term refers to mandatory activities, actions, or rules that can give a policy its support and reinforce direction?
Standards
example: All confidential information must be encrypted with AES 256 and cannot be transmitted unless IPSEC is used.
TACTICAL
What is a documented recommended action that can be provided to users and staff when a specific standard does not apply?
Guideline
example: how to handle cases when data is accidentally corrupted or compromised during transmission.
TACTICAL
What are detailed step-by-step tasks that should be performed to achieve a certain goal?
Procedures
example: Procedure spells out exactly how to implement AES and IPSEC technologies for encryption called out in a standard.
TACTICAL
What is secondary risk?
A risk event that comes as a result of another risk response.
Example: Software should be regularly patched. However, patching can itself introduce instability.
What are the four main components of Risk Management?
- Risk Assessment: Identify Assets, Threats, Vulnerability
- Risk Analysis: Value of Potential Risks
- Risk Mitigation: Responding to Risk
- Risk Monitoring: Risk is FOREVER!
What is Risk Assessment and what methodologies are used?
- Identify and Valuate Assets
- Identify Threats and Vulnerabilities
Methodologies:
ISO/IEC 27005 and OCTAVE (organization-wide)
NIST 800-30 (IT security risk focus)
FRAP (limited budget, focus assessment on individual system or process)
FMEA and Fault-tree Analysis (detailed look into a specific system or product)
This Risk Assessment methodology employs a qualitative analysis to determine whether or not to proceed with a quantitative analysis.
FRAP
Facilitated Risk Analysis Process
Name 4 commonly accepted Risk Management Frameworks
- NIST RMF SP 800-37r1
- ISO 31000:2009
- ISACA Risk IT
- COSO Enterprise Risk Management
What are the 2 types of valuation approaches in Risk Analysis?
Qualitative and Quantitative
What is the Delphi Technique?
Often used in qualitative analysis, the Delphi technique is a group decision method where each member can communicate anonymously.
What do the following Quantitative Analysis acronyms stand for?
AV, EF, SLE, ARO, ALE, TCO, ROI
AV = Asset Value
EF = Exposure Factor (the percentage of loss that is expected to result from the manifestation of a particular risk event)
SLE = Single Loss Expectancy
ARO = Annual Rate of Occurrence
ALE = Annual Loss Expectancy
TCO = Total Cost of Ownership
ROI = Return on Investment
How do you calculate SLE?
SLE = AV x EF
Asset Value and Exposure Factor
What do HIPAA and HITECH stand for and to whom do they apply?
Health Insurance Portability and Accountability Act
Health Information Technology for Economic and Clinical Health
Applies to Health Insurers, Health Providers, Health care clearing houses (claims processing agencies)
(As of 2009, covered entities must disclose security breaches regarding personal information.
BAAs are required for third-party providers.
Creates civil and criminal penalties.)
What does GLBA stand for and what industry does it regulate?
Gramm-Leach-Bliley Act
Financial industry. Privacy notices
What is Business Continuity Management (BCM)?
BCM is the holistic management process that covers Business Continuity Planning and Disaster Recovery.
What are BCP categories of disruptions?
- Non-disaster - Inconvenience.
- Emergency/Crisis - Urgent, immediate event where there is a potential for loss of life or property.
- Disaster - Facility is unusable for a day or longer.
- Catastrophe - Destroys the facility.
ANYONE CAN DECLARE AN EMERGENCY. ONLY THE BCP COORDINATOR CAN DECLARE A DISASTER.
What are the 7 steps in NIST SP 800-34?
“Continuity Planning Guide for Federal Information Systems”
- Develop the continuity planning policy statement.
- Conduct the business impact analysis.
- Identify preventative controls.
- Create contingency strategies.
- Develop an information system contingency plan.
- Ensure plan testing, training, and exercise.
- Ensure plan maintenance.
What are the three types of BCP teams?
Rescue Team: Responsible for dealing with the immediacy of the disaster.
Recovery Team: Responsible for getting the alternate facility up and running and restoring most critical services.
Salvage Team: Responsible for the return of operations to the original or permanent facility (reconstitution).
What is the DRP and how does it differ from BCP?
IT-oriented. Details what items need to be restored and how.
What type of BCP test requires distribution of plan copies to different departments for functional manager review?
A. Full-Interruption Test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test
Checklist Test
What type of BCP test requires representatives from each department to go over the plan in a room together?
A. Full-Interruption Test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test
Structured Walk-Through (Table Top) Test
What type of BCP test requires going through actual disaster scenarios and physically checking that the steps can be done? The drill continues up to the point of actual relocation to an offsite facility and actual shipment of replacement equipment.
A. Full-Interruption Test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test
Simulation Test
What type of BCP test requires systems to be moved to the alternate site and processing to take place there?
A. Full-Interruption Test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test
Parallel Test
What type of BCP test requires the original site to be shut down and all processing moved to the offsite facility?
A. Full-Interruption Test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test
Full-Interruption Test
Very risky.
What is the difference between BCP testing, BCP drills, and BCP auditing?
Testing - Happens before plan implementation. The goal is to ensure effectiveness of the plan.
Drills - Main goal is to train employees. Employees walk through steps.
Auditing - 3rd party observer ensures that components of the plan are being carried out and are effective.
What are the 3 phases of a BCP following a disruption?
- Notification/Activation (includes performing a damage assessment)
- Recovery Phase - Failover
- Reconstitution - Failback
What does MTD stand for?
Maximum tolerable downtime.
Also MPTD (Maximum period of disruption)
Which of the following are two security metric and measurement systems? (You can choose more than one.)
A. ISO/IEC 22301
B. ISO/IEC 27031:2011
C. ISO/IEC 27004:2009
D. NIST SP 800-55
E. NIST SP 800-53
F. ISO 27001
C. ISO/IEC 27004:2009
D. NIST SP 800-55
What are the 8 BIA steps?
- Select individuals to interview for data gathering.
- Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
- Identify the company’s critical BUSINESS FUNCTIONS.
- Identify the resources these FUNCTIONS depend upon.
- Calculate how long these functions can survive without these resources. (MTD or MPTD)
- Identify vulnerabilities and threats to these functions.
- Calculate risk for each different business function.
- Document findings and report them to management.
(Results are used for recovery plans).
What is a SLO?
Service Level Objective
Like an SLA but without a contract. Goals are usually set internally, driven by business requirements.
What does MOA/MOU stand for?
Memorandums of Agreement/Understanding.
What does IAAA stand for?
Identification
Authorization
Authentication
Audit
This risk assessment method determines functions, identifies functional failures, and assesses the causes of failure and their failure effects through a structured approach.
A. FRAP
B. OCTAVE
C. ISO/IEC 27005
D. FMEA
E. NIST 800-30
FMEA and Fault-tree Analysis (detailed look into a specific system or product)
Which of the following is a standard for business continuity management?
A. ISO/IEC 27004:2009
B. ISO/IEC 22301
C. NIST SP 800-55
D. NIST SP 800-53
E. ISO 27001
ISO/IEC 22301