Security Governance and Risk Management - Domain 3 Flashcards

2
Q

Business Model for Information Security

A
1. Organization Design/Strategy
2. People
3. Process
4. Technology
3
Q

Security Governance

A

Corporate governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

4
Q

Information Security Governance

A
1. Subset of corporate governance
2. Provides strategic direction for security activities
3. Ensures that objectives are achieved
4. Ensures that information security risks are appropriately managed
5. Ensures the enterprise's information resources are used responsibly
5
Q

Control Frameworks and methodologies (4)

A

1. Committee of Sponsoring Organizations (COSO) - managing risk
2. IT Infrastructure Library (ITIL)
3. Control Objectives for Information and related Technology (COBIT)
4. ISO/IEC 27000 Series

6
Q

Committee of Sponsoring Organizations (COSO)

A

Emphasis on identifying and managing risks

7
Q

IT Infrastructure Library (ITIL)

A
1. Emphasis on IT services and IT service management
2. Can be used as a complement to COBIT
8
Q

Control Objectives for Information and related Technology (COBIT)

A

Acts as a model for IT governance and focuses more on operational goals and regulatory compliance

9
Q

COBIT - PDCA Model

A
1. Plan - establish ISMS
2. Do - implement and operate ISMS
3. Check - monitor and review ISMS
4. Act - maintain and improve ISMS
10
Q

COBIT

A
1. Control Objectives for Information and related Technology
2. Focuses on IT-related processes and provides a security management lifecycle
3. A process that subdivides IT into four domains:
   a. Plan and organize
   b. Acquire and implement
   c. Deliver and support
   d. Monitor and evaluate
11
Q

ISO 27000

A

Glossary of terms

12
Q

ISO 27001

A

IS Management Systems Requirements - employs the PDCA model to structure processes and reflects the principles set out in the OECD guidelines.

13
Q

ISO 27002

A

Code of IS practice - basic outline of hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001.

14
Q

ISO 27005

A

IS Risk Management - provides guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system.

15
Q

ISO 27799

A

IS for Healthcare Organizations - defines guidelines to support the interpretation and implementation in health informatics of ISO 27002 and is a companion to that standard. It specifies a set of detailed controls for managing health information security and provides health information security best practices guidelines.

16
Q

ISO 27001 Controls (11)

A
1. Physical and Environmental Security
2. Human Resource Security
3. Organizing Information Security
4. Asset Management
5. Communications and Operations Management
6. Information Security Incident Management
7. Business Continuity Management
8. Security Policy
9. Access Control
10. Compliance
11. Information Systems Acquisition, Development and Maintenance
17
Q

Goals of a security model

A

1. Strategic goals - overarching - supported by tactical and operational goals
2. Tactical goals - mid-term - lay the necessary foundation to accomplish strategic goals
3. Operational goals - day-to-day - focus on productivity and task-oriented activities

18
Q

Due Care

A
1. Do the right thing to protect assets
2. Functional requirements
19
Q

Due Diligence

A
1. To investigate actual threats and risks
2. Assurance requirements
20
Q

Center of (ISC)2’s CBK: C-I-A Triad

A
1. Confidentiality - prevent unauthorized disclosure of sensitive information
2. Integrity - prevent unauthorized modification of systems and information
3. Availability - prevent disruption of service and productivity
21
Q

Confidentiality (opposite: disclosure)

A
1. Only authorized individuals, processes or systems have access to information, on a need-to-know basis
2. This level of access, also known as the principle of least privilege, is the level necessary for the individual to do their job
3. Confidentiality ensures that the necessary level of security is enforced at each instance of data processing, while the data is at rest and while the data is in transit
22
Q

Integrity (opposite: alteration)

A
1. This principle implies that data should be protected from intentional, unauthorized, and/or accidental changes
2. Controls are put in place to ensure that information is only modified through approved and accepted practices
3. Hardware, software, and communication mechanisms should work in concert to maintain and process data correctly and to move data to intended destinations without unexpected alteration
23
Q

Availability (opposite: destruction)

A
1. Availability ensures reliable and timely access to data and resources for authorized individuals
2. The two primary areas affecting the availability of systems are (1) denial of service attacks and (2) loss of service due to a disaster
3. Disaster recovery ensures that all or parts of information technology processing systems can be recovered. Disaster recovery and business continuity work together to minimize the impact of critical events.
24
Q

Security Policy Document Relationships (think org chart)

A

Laws, regulations, best practices (drivers) —> Program or Organizational policy (management's security statement) —> Functional Policies (management's security directives) —> 1. Standards 2. Procedures 3. Baselines 4. Guidelines

25
Q

Functions for Supporting Policies - Standards

A

Compulsory rules that dictate how hardware and software are to be used and expected behavior of employees - binding.

26
Q

Functions for Supporting Policies - Baselines

A

A minimum level of security that is required throughout the organization - binding.

27
Q

Functions for Supporting Policies - Procedures

A

Detailed step-by-step actions to be taken to achieve a specific task - binding.

28
Q

Functions for Supporting Policies - Guidelines

A

Recommended actions and operational guides for users and staff members where standards do not apply - non-binding.

29
Q

Asset Valuation

A
1. Acquisition or development costs
2. Replacement costs
3. Maintenance and protection costs
4. Productivity and operational losses
5. Owner's value
6. Outside valuation
7. Liability - if the asset is compromised
30
Q

Data Classification Procedure

A
1. Custodian - identify
2. Classification criteria - specify
3. Controls - per classification
4. Exceptions - document
5. Transfer custody - methods
6. Declassification - reclassification/termination
7. Awareness - of security program
31
Q

Manage third party governance

A

An important aspect of information security governance is the rules and processes employed when dealing with third party relationships, which may include:
1. Service providers
2. Outsourced operations
3. Trading partners
4. Merged or acquired organizations

32
Q

RACI Model

A
1. Responsible
2. Accountable
3. Informed
33
Q

Risk Management

A

The process of identifying, analyzing, and reducing the risk to an acceptable level.

34
Q

Risk Management - Risk Assessment

A
1. A method of identifying a company's assets, their associated risks, and the potential loss that the organization could suffer
2. Detailed estimate of likelihood and impact of particular events
3. Suggested countermeasures
35
Q

Risk Management - Risk mitigation

A

Management selects countermeasures

36
Q

Risk Management - Controls evaluation

A

Ongoing process

37
Q

Risk Management Models - ANZ 4360

A

Australian-New Zealand risk management framework

38
Q

Risk Management Model - NIST SP 800-30

A

US GOV risk management standard - risk

39
Q

Risk Management Model - OCTAVE

A

Operationally Critical Threat Asset and Vulnerability Evaluations - risk

40
Q

Risk Management Model - Basel II

A

Financial Risk management framework adopted by the EU as a minimum acceptable standard of practice

41
Q

Risk Management Process (org chart)

A

Plan (top) —> Identify (risk identification) —> Analyze (qualitative and quantitative risk analysis) —> Prioritize —> Plan (risk response) —> Execute —> Evaluate —> Document —> back to Plan (top)

42
Q

Risk Management - How to handle - Asset

A

Any resource valuable to the organization - server/workstation

43
Q

Risk Management - How to handle - Threat

A

Potential danger to an asset should a threat agent take advantage of an asset's vulnerability - think thumb drive

44
Q

Risk Management - How to handle - Threat Source/Threat Agent

A

Anything and/or anyone that has the potential to cause threat - think thumb drive

45
Q

Risk Management - How to handle - Vulnerability

A

A flaw or weakness of an asset - think thumb drive

46
Q

Identifying threats and vulnerabilities - Possible losses

A
1. Potential loss
2. Delayed loss
47
Q

Identifying threats and vulnerabilities - Hard to identify

A
1. Buffer overflows
2. Employee fraud
3. Illogical processing
48
Q

Possible threats - Confidentiality

A
1. Shoulder surfing
2. Interception of a message
3. Social engineering
49
Q

Possible threats - Integrity

A
1. Disabling the alert mechanism of an IDS
2. Modifying a message in transmission
3. Changing accounting records or system logs
4. Modifying configuration files
50
Q

Possible threats - Availability

A
1. Man-made
2. Component failure within a device
3. Terrorist attack
4. Denial of Service attack
51
Q

Security Risk Definitions - Risk

A

Likelihood of a threat agent exploiting a vulnerability

52
Q

Security Risk Definitions - Exposure

A

An opportunity for a threat to cause loss

53
Q

Security Risk Definitions - Exploit

A

Instance of loss experienced

54
Q

Security Risk Definitions - Loss

A

real or perceived devaluation of an asset

55
Q

Security Risk Definitions - Controls

A

technical and nontechnical risk mitigation mechanisms

56
Q

4 goals of Risk Assessment

A
1. Assets - identify, valuate, classify
2. Risk - identify
3. Quantify - the impact
57
Q

Risk Approach - Quantitative

A

Numeric and monetary values

58
Q

Risk Approach - Qualitative

A
1. Subjective rating assigned
2. Intuition
3. Delphi method
59
Q

Annualized Loss Expectancy - (SLE)

A

Single Loss Expectancy
1. Asset Value (AV) X Exposure Factor (EF) = SLE
2. The exposure factor represents the percentage of loss a realized threat could have on a certain asset.

60
Q

Annualized Loss Expectancy - (ALE)

A
1. SLE X Annualized Rate of Occurrence (ARO) = ALE
2. The ARO is the value that represents the estimated possibility of a specific threat taking place.
61
Q

ALE Example

A
1. A tornado is estimated to damage 50% of a facility it hits, and the value of the facility is $200K.
2. The probability is one in ten years. ALE is $10K. AV X EF = SLE, then SLE X ARO = ALE.
3. Management should not spend over $10K in countermeasures to protect against this risk.
62
Q

Qualitative Risk Analysis Steps (5)

A
1. Develop risk scenarios
2. Gather company "SMEs"
3. Walk through scenarios to determine results
4. Prioritize risks and threats to assets
5. Build consensus for best countermeasures
63
Q

Types of Risk - Total

A

Risk that exists before controls

64
Q

Types of Risk - Residual

A

risk after countermeasures or safeguards

65
Q

Types of Risk - Accepted

A

If a company chooses not to implement countermeasures, it accepts the total risk of the threat.

66
Q

Risk Assessment Team

A
1. Ensure business managers maintain accountability for their decisions
2. Representatives from each department should be on the team or at least interviewed
3. Identify company assets by interviewing individuals, reviewing documents and taking tours
4. Many factors play into estimating the value of an asset, not just the value of a purchase order
67
Q

Risk Mitigation Options - Reject

A

Ignore / neglect

68
Q

Risk Mitigation Options - Reduce

A
1. Risk Avoidance
2. Risk Limitation
69
Q

Risk Mitigation Options - Accept

A

Risk assumptions

70
Q

Risk Mitigation Options - Transfer

A

Insurance

71
Q

Control Criteria - Good security control

A

1. Achieves its goal by mitigating the risk
2. Makes good business sense because it is cost effective

72
Q

Control Criteria - Cost Benefit Analysis Formula

A
1. ALE before control
2. ALE after control
3. Annual cost of control
73
Q

Employee Management Policies - Address

A
1. Dangerous shortcuts
2. Collusion
3. Fraud
74
Q

Employee Management Policies - Apply to

A
1. Pre-employment
2. Mid-employment
3. Post-employment
75
Q

Employees Policies - Pre employment

A
1. Background check
2. Drug screening
3. Security clearance
4. Credit check
76
Q

Employees Policies - Termination

A
1. Person should leave the facility immediately upon termination
2. Surrender badge, keys and company property
3. Review the non-disclosure agreement
4. Exit interview
5. Disable user accounts
6. Change passwords
7. Be respectful
77
Q

Knowledge transfer

A

Awareness, training and education - People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate systems securely, and education in security measures and practices are of critical importance for the success of an organization's security program.