Security Governance Flashcards

1
Q

What are the goals of the ISO/IEC 27000?

A
  1. Outlines how an InfoSec management system should be built and maintained
  2. Goal is to provide guidance to orgs on how to design, implement and maintain policies, processes and technologies to manage risks to sensitive info assets
  3. A standard was needed to centrally manage the various security controls deployed throughout an org; with this standard, controls should not be managed in an ad hoc way
2
Q

What are components of Enterprise Architecture Development?

A
  1. Model for developing enterprise architecture
  2. Org has choices in attempting to secure the env:
  3. Ad hoc approach - constantly putting out fires
  4. Managed approach - by taking time to understand their env, lay out the security requirements of the biz env
  5. Allows you to understand the org from different views and how changes at one level will affect other levels
  6. Allows you to understand all things that will need to change to support a new biz function
  7. Architecture allows you to understand the org as a complete organism and illustrates how changes to one internal component can directly affect another
3
Q

What are the steps in developing Enterprise Security Architecture?

A

Guide when implementing solutions to:
  1. ensure business needs are met
  2. provide standard protection across the env
  3. reduce security surprises in the org
Implementing ESA is not the final solution to all security problems, but it reduces the chaos and puts the org in a proactive instead of reactive stance

4
Q

What are the basics of Enterprise Architecture?

A
  1. Encompasses the essential and unifying components of an org. It expresses the enterprise structure (form) and behavior (function); it embodies the enterprise components, their relationships to each other and their relationships to the env
  2. Use a framework as a guideline on how to build an architecture that best fits the org's needs; each org starts with the same blueprint/framework/guideline and customizes it for their business
5
Q

What steps are involved in developing an Ent. Architecture?

A
  1. ID stakeholders - the people looking at and using the architecture
  2. Develop views - how the info that is most important to the different stakeholders will be illustrated in a useful manner.
    According to NIST, companies have several viewpoints:
    - executives need to understand the company from a biz point of view
    - biz process developers need to understand what type of info needs to be collected to support biz activities
    - app developers need to know the structure of data
    All groups are looking at an architecture of the same org; it is just being presented from different perspectives
6
Q

What is SMART?

A
S- specific
M - Measurable
A - actionable
R - Realistic
T - Timed
7
Q

What is the Zachman Architecture Framework?

A
  1. Generic model and framework used in information security
  2. Two-dimensional model that uses 6 basic communication interrogatives: who, what, where, how, when, why
  3. Based on the principle of classical biz architecture, which contains rules that govern an ordered set of relationships
  4. Goal is to be able to look at the same org from different perspectives - IT, executives, biz, operations
  5. Different groups within a company need the same info but presented in ways that directly relate to their responsibilities
8
Q

What is TOGAF?

A

The Open Group Architecture Framework

  • provides an approach to design, implement and govern an enterprise info architecture
  • TOGAF can be used to develop the following architectures:
    1. Business architecture
    2. Data architecture
    3. Application architecture
    4. Technology architecture
9
Q

What are the characteristics of TOGAF?

A

TOGAF:

  1. Used to create the individual architecture types through the use of its Architecture Development Model (ADM)
  2. ADM - an iterative method that allows requirements to be continuously reviewed and the individual architectures updated as required. The different architectures allow a technology engineer to understand the org from 4 perspectives (biz, app, data and tech), to ensure teams develop the necessary tech to work within the env and all the components that make up that env, and meet biz requirements
10
Q

What are Military-Oriented Architecture Frameworks?

A

MODAF

  • enterprise architecture documentation required for military procurement, based on the Department of Defense Architecture Framework (DoDAF)
  • documentation illustrates how systems will properly integrate into the current infrastructure
  • the focus of DoDAF is on command, control, communications, computer, intelligence, surveillance and reconnaissance systems and processes
  • important that different devices communicate using the same protocol and interoperable software components, and use the same data items
11
Q

What is MoDAF?

A

Ministry of Defense Architecture Framework (British) - goal is to get data in the right format to the right people at the right time; based on DoDAF

12
Q

How to determine which Enterprise Architecture framework is correct for your org?

A
  1. To determine which framework is best for your org, start with stakeholders' requests. The architecture needs to represent the org and be useful to the folks who understand it best
  2. Architects need to design systems that reflect biz needs and represent the design based on the individual's perspective. If folks need to understand the org from a biz, tech or security perspective, the design needs to be presented in those views
  3. One difference between the various architecture frameworks is what type of info they provide and how they provide it
13
Q

What is Enterprise Security Architecture?

A

Enterprise Security Architecture defines the info security strategy, which consists of layers of solutions, processes and procedures and the way they are linked across the org.
- strategically, tactically and proactively

14
Q

What are the characteristics of Enterprise Security Architecture (ESA)?

A
  1. Rigorous and comprehensive method for describing the structure and behavior of all components that make up a holistic ISMS
  2. Reasons to develop an ESA:
    a. ensure that security efforts align with biz practices in a standardized and cost-effective way
    b. the architecture works at an abstract level and provides a frame of reference; it also allows orgs to better achieve interoperability, integration, ease of use, standardization and governance
15
Q

What are indicators/components of Enterprise Security Architecture?

A
  1. Security is not in silos throughout the org
  2. Continuous communication between senior mgmt and security staff
  3. No redundant products purchased for overlapping security needs
  4. Security program is made up of policies that are implemented and enforced; policy and controls for user access are centralized and monitored
  5. No "one-off" efforts take place; standard procedures for info security must be followed
  6. Biz managers are aware of their security responsibilities and how those responsibilities map to legal and regulatory requirements
  7. Sensitive data is defined in policy, with controls in place and monitored; enterprise-wide solutions are implemented
  8. Security governance is in place and the org is viewed in a standardized and holistic way
16
Q

How is ESA implemented?

A
  • Place one person in charge of a team that develops a phased ESA rollout, with goals to integrate technology-oriented and business-centric security processes, link administrative, technical and physical controls to properly manage risks, and integrate these processes with the org's culture.
  • Orgs often do not implement ESA because they do not understand it and ESA seems overwhelming
17
Q

Define Sherwood Applied Business Security Architecture (SABSA)

A

SABSA - similar to Zachman; an ESA layered framework with the 1st layer defining biz requirements from a security perspective

  1. Each layer of the framework decreases in abstraction and increases in detail, so it builds on the others and moves from policy to practical implementation of tech solutions
  2. Goal is to provide a chain of traceability through the contextual, conceptual, logical, physical, component and operational levels; questions to be answered at each level:
    - What are you trying to do at this layer? The assets to be protected by the security architecture
    - Why are you doing it? The motivation for wanting to apply security
    - How are you trying to do it? The functions needed to achieve security at this layer
    - Who is involved? The people and org aspects
18
Q

What are SABSA characteristics?

A

Sherwood Applied Business Security Architecture
Remaining questions:
- Where are you doing it? The location where security is applied
- When are you doing it? The time-related aspects of security

19
Q

What is SABSA?

A

SABSA (Sherwood Applied Business Security Architecture framework)

  • a framework and methodology for enterprise security architecture and service mgmt
  • since it's a framework, it provides a structure for individual architectures to be built from
  • since it's a methodology, it provides the processes to follow to build them
20
Q

What is the SABSA Lifecycle Model?

A

SABSA provides a lifecycle model so that the architecture can be constantly monitored and improved upon over time

21
Q

What are 4 critical components of SABSA?

A

Strategic Alignment
Business Enablement
Process Enhancements
Security Effectiveness

22
Q

What is Strategic Alignment (SABSA component)?

A

Strategic Alignment - business drivers and regulatory and legal requirements are being met by the security enterprise architecture. Security efforts must provide and support an env that allows an org to not only survive but thrive.

Technologies are tools that support the goals; therefore IT security should support the biz and its strategic objectives

23
Q

What is business enablement (SABSA component)?

A
  • each org exists for one or more purposes: publicly traded company - to increase shareholder value;
    non-profit - to further a specific cause; government - to provide services to citizens

Orgs do not exist for the sole purpose of being secure; security cannot stand in the way of biz processes.

Business enablement means the core biz processes are integrated into the security operating model; they are standards-based and follow risk tolerance criteria

24
Q

What is process enhancement (SABSA component)?

A

Re-engineering processes

  • an org that is serious about securing its env will take a close look at the biz processes that take place on an ongoing basis - continuous improvement: plan, do, check, act
  • typically biz processes are duplicated and manual, but process re-engineering can streamline and automate these processes for increased efficiency and ROI
  • process re-engineering should be integrated to allow security to be built into daily operations
25
Q

What is Security Effectiveness (SABSA component)?

A
  • security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving ROI, meeting set baselines and providing mgmt with a dashboard or balanced scorecard - these are ways to determine how well the current security solutions and architecture are performing
  • ensure that the controls in place are providing the necessary levels of protection and that finite funds are being properly spent - do this by setting baselines and metrics to be verified
  • metrics are rolled up to mgmt, which allows them to make informed decisions
26
Q

What is the relationship between enterprise and system architecture?

A

Enterprise and system architecture overlap.

  • System architecture addresses the structure of software and computing components
  • Enterprise architecture focuses on the org as a whole
  • IT architects need to understand the org as a whole while designing software for the org or designing the network
  • Rules outlined in the org's security policy must be supported in system design; security has to be integrated at all levels of the org, including system design
  • Ensure detailed biz and security dependencies and interactions are understood and designed into the system
27
Q

What is IT Security Mgmt System (ITSM)?

A

ITSM outlines the controls that need to be implemented:

  • risk mgmt, physical security
  • data protection, configuration mgmt
  • vulnerability mgmt, biz continuity planning
  • auditing

  • ITSM provides direction on how these controls should be managed through their lifecycle
  • ITSM specifies the pieces and parts that need to be put together to provide a holistic security program for the org, and how to properly care for these components
28
Q

Enterprise Security Architecture

A
  • Illustrates how ITSM components are to be integrated into the different layers of the current security env
  • Security components have to be interwoven throughout the biz and not siloed within individual departments
29
Q

ISO/IEC 27000 Series

A

ISO/IEC 27000 Series - outlines the necessary components of an org’s security program

30
Q

Security Enterprise Architecture

A

Security Enterprise Architecture - helps integrate the requirements outlined in the Security program into existing business architecture

31
Q

Security Controls Development

A

Security Controls Development - documents the objectives of the controls to be implemented to accomplish the goals of the security program

32
Q

Security Controls - COBIT

A

Control Objectives for Information and Related Technology - COBIT

  • framework for governance by ISACA
  • helps orgs optimize the value of IT by balancing resource utilization, risk levels and realization of benefits; done by explicitly tying stakeholder drivers to stakeholder needs, to org goals, to IT goals that meet or support the org goals
33
Q

COBIT - 5 Key Principles

A

COBIT - Holistic approach based on 5 principles:

  1. Meeting stakeholder needs
  2. Covering the enterprise end to end
  3. Applying a single integrated framework
  4. Enabling a holistic approach
  5. Separating governance from mgmt
34
Q

COBIT Characteristics

A
  • Everything in COBIT is ultimately linked to stakeholders through a series of transforms called cascading goals
  • Cascading goals: at any point in an org's IT governance or mgmt processes, you should be able to ask "why are you doing this?" and be led to an IT goal that is tied to an enterprise goal, which is tied to a stakeholder need
35
Q

COBIT Cascading Goals

A

Two sets of goals: the first set (enterprise goals) and the second set (IT goals). The principle of covering the enterprise end to end is met by explicitly tying enterprise goals to IT goals

36
Q

COBIT - Enterprise Governance vs. Management

A

Enterprise governance - enterprise goals - high level
- a set of high-level processes aimed at balancing the stakeholders' value proposition

Management - a set of activities that achieve enterprise objectives; the things that org leaders do

COBIT = private sector

37
Q

NIST SP 800 - 53

A

Government controls

- for government use - outlines the controls that gov agencies need to put in place to be compliant with federal info

38
Q

COSO (Committee of Sponsoring Organizations) Integrated Framework

A

COBIT is derived from COSO
- IDs 17 internal control principles grouped into 5 internal control components

Control Environment:
  1. Demonstrates commitment to integrity and ethical values
  2. Exercises oversight responsibilities
  3. Establishes structure, authority and responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability

Risk Assessment:
  1. Specifies suitable objectives
  2. IDs and analyzes risks
  3. Assesses fraud risk
  4. IDs and analyzes significant changes
39
Q

COSO Controls

A
  • Selects and develops control activities
  • Selects and develops general controls over technology
  • Deploys through policies and procedures

Information and Communication
- uses relevant and quality info
Monitoring Activities
- conducts ongoing and/or separate evaluations; evaluates and communicates deficiencies

40
Q

What's the difference between the COSO and COBIT models?

A
COSO Internal Controls
- model for corporate governance
- operates at the strategic level
- deals with non-IT items like corporate culture, financial accounting, board of directors' responsibilities and internal communications structure
- SOX is based on COSO - illegal for orgs to "cook their books"
COBIT
- model for IT governance
- implemented at the operational level
- is a way to meet COSO objectives
41
Q

Process Management Development

A
  • Along with ensuring the right controls are in place, an org must have ways to construct and improve biz, IT and security processes in a structured and controlled manner
  • Security controls can be considered "things", and processes are how to use these things - use controls (things) properly, effectively and efficiently
42
Q

Information Technology Infrastructure Library (ITIL)

A

ITIL - de facto standard of practices for IT service mgmt

  • customizable framework that provides the goals, the general activities necessary to achieve those goals, and the input and output values for each process required to meet those goals
  • focused on SLAs
43
Q

What are the 5 stages of ITIL Lifecycle?

A
  1. Service Strategy
  2. Service Design
  3. Service Transition
  4. Service Operations
  5. Continual Service Improvement
44
Q

What is Six Sigma?

A
  • Six Sigma is a process improvement methodology
  • Focused on total quality mgmt, with goals to improve process quality by using statistical methods of measuring operational efficiency and reducing variation, defects and waste
  • Used in security to measure the success factors of different controls and procedures
45
Q

What is Capability Maturity Model Integration (CMMI)?

A
  • CMMI was developed as a way to determine the maturity of an org’s processes used within the org to help lay out a pathway of how incremental improvement can take place.
  • only way to improve is to know where you’re starting from, where you need to go and the steps to take in between
46
Q

What are the stages of CMMI?

A
  1. Nonexistent
    - nonexistent management, no processes, no assessment
  2. Unpredictable
    - unpredictable, ad hoc and disorganized, reactive activities.
  3. Repeatable processes
    - immature and developing, security assigned to IT
  4. Defined processes
    - documented and communicated; defined procedures
  5. Managed Processes
    - monitored and measured;
    - Security and business objectives are mapped
  6. Optimized Processes
    - Automated practices; structured and enterprise wide
47
Q

What is the Security Program Lifecycle?

A
  1. Plan and organize
    - mgmt commitment, develop security architecture, assess business drivers, assign roles and responsibilities
  2. Dev and Implement Security Policies
  3. Operate and Maintain - follow procedures, audits and SLAs
  4. Monitor and evaluate - review logs, dev. improvement steps
48
Q

What is the crux of computer crime laws?

A

The crux of computer crime laws is to deal with the core issues:

  • unauthorized modification and destruction of data
  • disclosure of sensitive info
  • unauthorized access and the use of malware
49
Q

What are the categories of computer crime?

A
  1. Computer Assisted Crime
  2. Computer Targeted Crime
  3. Computer Incidental
50
Q

What is computer incidental crime?

A

Computer incidental crime:
- where a computer is not necessarily the attacker or the target but just happened to be involved when a crime was carried out, e.g. child pornography

51
Q

What is computer assisted crime?

A
  • Computer assisted crime is covered by criminal law
  • when a computer was used as a tool to help carry out a crime
    ex. attacking a financial system to carry out the theft of funds and or sensitive info
52
Q

what is Computer Targeted Crime?

A
  • Computer targeted crime concerns incidents where your computer was the victim of an attack crafted to harm it and its owners specifically
    ex. DDoS attacks, capturing passwords or sensitive data
  • installing malware with the intent to cause harm
  • installing rootkits and sniffers for malicious reasons
  • buffer overflows to take control of a system
53
Q

What is the Council of Europe Convention on Cybercrime?

A
  • the Council of Europe Convention on Cybercrime is an attempt to create a standard international response to cybercrime
  • coordinates national laws and improves investigative techniques and international cooperation
  • goals: creation of a framework for establishing jurisdiction and extradition of the accused
54
Q

What are the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data? 1-4

A

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

  1. Collection Limitation Principle
    - collect limited personal data
    - obtain personal data by lawful and fair means, with the subject's knowledge
  2. Data Quality Principle
    - personal data should be kept complete, current and relevant for the purpose for which it is used
  3. Purpose Specification Principle
    - notify the subject of personal data collection at the time of collection, and why
  4. Use Limitation Principle
    - personal data should only be used or disclosed with the subject's consent or by authority of law
55
Q

What are the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data? 5-8

A

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

  5. Security Safeguards Principle
    - reasonable safeguards in place to protect personal data
  6. Openness Principle
    - practices and policies regarding personal data should be openly communicated
  7. Individual Participation Principle
    - the subject should be able to find out whether an org has his/her personal data and what that info is, correct wrong data, and challenge denied requests
  8. Accountability Principle
    - the org should be accountable for complying with measures that support these principles
56
Q

What are the European Principles on Privacy?

A

The European Principles on Privacy address using and transmitting info considered private in nature.
- the principles are encompassed in the EU's Data Protection Directive, which all EU states must abide by, along with orgs doing biz in the EU

57
Q

What are EU Safe Harbor Principles?

A

EU Safe Harbor Principles:

  • construct that outlines how US-based companies can comply with EU privacy principles. Non-EU companies will have to adhere to Safe Harbor requirements if certain types of data will be passed back and forth during biz processes
  • the EU has tighter privacy controls than the US
58
Q

Define the EU Safe Harbor Framework

A

EU Safe Harbor Framework - privacy data protection rules for data transfer

  1. Notice
    - individuals must be informed that their data is being collected and about how it will be used
  2. Choice
    - individuals must have the ability to opt out of the collection and onward transfer of data to 3rd parties
  3. Onward Transfer
    - transfer of data to 3rd parties may only occur to other orgs that follow adequate data protection principles
  4. Security
    - reasonable efforts must be made to prevent loss of collected info
  5. Data Integrity
    - data must be relevant and reliable for the purpose for which it was collected
  6. Access
    - individuals must be able to access info held about them and correct or delete it if inaccurate
  7. Enforcement
    - there must be effective means of enforcing these rules
59
Q

What are the legal requirements for import and export?

A

Legal requirements for import and export:

  • one complexity when an org is attempting to work with orgs in other parts of the world is import/export laws
  • each country has its own specs when it comes to what is allowed within its borders
60
Q

What is the Wassenaar Arrangement?

A

Wassenaar Arrangement:

  • signed by 41 countries
  • covers the following categories of items for export:
    1. material processing
    2. electronics
    3. computers
    4. marine
    5. aerospace and propulsion
    6. special materials and related equipment
    7. Part 1: telecommunications
    8. Part 2: Information Security
    9. Sensors and lasers
61
Q

What are the goals of the Wassenaar Agreement?

A

Goals of the Wassenaar Agreement:

  • prevent the buildup of military capabilities that could threaten regional and international security and stability
  • ensure everyone has similar military offense and defense capabilities, with the hope that they won't end up in the wrong hands
  • cryptography is seen as a dual-use good: it can be used for military and civilian purposes, and it is seen as dangerous to export products with crypto functions to countries in the offensive column, i.e. terrorist-friendly
  • crypto import restrictions - some countries do not allow their citizens to use crypto