Security Governance and Risk Management - Domain 3

Question 1

Q

Answer 1

A

Question 2

Business Model for Information Security

Answer 2

1. Organization Design/Strategy 2. People 3. Process 4. Technology

Question 3

Security Governance

Answer 3

Corporate governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprises resources are used responsibly.

Question 4

Information Security Governance

Answer 4

1. Subset of corporate governance 2. Provides strategic direction for security activities 3. Ensure that objectives are achieved 4 Ensures that Information security risks are appropriately managed 5. Ensures the enterprises information resources ar used responsibly

Question 5

Control Frameworks and methodologies (4)

Answer 5

1.Committe of Sponsoring Organizations (COSO) - managing risk 2. IT Infrastructure Library (ITIL) 3. Control Objectives for Information and related Technology (COBIT) 4 ISO/IEC 27000 Series

Question 6

Committee of Sponsoring Organizations (COSO)

Answer 6

Emphasis on identifying and managing risks

Question 7

IT Infrastructure Library (ITIL)

Answer 7

1. Emphasis on It services and IT service management 2. Can be used as a compliment to COBIT

Question 8

Control Objectives for Information and related Technology (COBIT)

Answer 8

Acts as a model for IT governance and focuses more on operational goals and regulatory compliance

Question 9

Cobit - PDCA Model

Answer 9

1. PLan - establish ISMS 2. Do - Implement and operate ISMS 3. Check monitor and review ISMS check 4. Act - maintain and improve ISMS

Question 10

Cobit

Answer 10

1. Control objectives for information related technology 2 Focuses on IT related process and provides a security management lifecycle 3 A process that subdivides IT into four domains- a. Plan and organize b. acquire and implement c. deliver and support d. monitor and evaluate

Question 11

ISO 27000

Answer 11

glossary of Terms

Question 12

ISO 27001

Answer 12

IS Managment Systems Requirements - employs the PDCA model to structure processes and reflects the principals set out in the OECD guidelines.

Question 13

ISO 27002

Answer 13

Code of IS practice - basic outline of hundreds of potential controls and control mechanisms, which maybe implemented, in theory, subject to the guidance provided within ISO 27001.

Question 14

ISO 27005

Answer 14

IS Risk Management - provides guidelines for information security risk management (ISRM) in an organization, specifically supporting the requirements of an information security management system.

Question 15

ISO 27799

Answer 15

IS for Healthcare Organizations - defines guidelines to support the interpretation and implementation in health informatics of ISO 27002 and is a companion to that standard. It specifies a set of detailed controls for managing health information security and provides health information security best practices guidelines.

Question 16

ISO 27001 Controls (11) -.-

Answer 16

1. Physical and environmental Sec. 2. Human resource Sec. 3. Organizing Information Security 4. Asset Management 5. Communications and operations Managment 6. Information Security Incident Managment 7. Business Continuity Managment 8. Security Policy 9. Access Control 10. Compliance 11 Information Systems Acquisition Development and Maintenance

Question 17

Goals of a security model

Answer 17

Strategic goals - Overarching - supported by tactical and operational goals 2. tactical goals - mid-term - lay the necessary foundation to accomplish strategic goals 3. Operational goals - Day-to-Day - focus on productivity and task-oriented activities.

Question 18

Due Care

Answer 18

1. Do the right thing to protect assets 2. Functional requirements

Question 19

Due Diligence

Answer 19

1. To investigate actual threats and risks 2. Assurance requirements

Question 20

Center of (ISC)2’s CBK: C-I-A Triad

Answer 20

1. Confidentiality - prevent unauthorized disclosure of sensitive information 2. Integrity - Prevent unauthorized modification of systems and information 3. Availability - prevent disruption of service and productivity

Question 21

Confidentiality (opposite: disclosure)

Answer 21

1. Only authorized individuals, process or systems have access to information on a need to know basis 2. This level of access, also known as the principles of least privilege, is at the level necessary for the individual to do their job 3. Confidentiality ensures that the necessary level of security is enforced at each instance of data processing; while the data is at rest and while the data is in transit

Question 22

Integrity (opposite: alteration)

Answer 22

1. This principle implies that data should be protected from intentional, unauthorized, and/or accidental changes. 2. Controls are put in place to ensure that information is only modified through approved and accepted practices 3. Hardware, software, and communication mechanisms should work in concert to maintain and process data correctly and to move data to intended destinations without unexpected alteration

Question 23

Availability (opposite: destruction)

Answer 23

1. Availibity ensures reliability and timely access to data and resources to authorized individuals 2. The two primary areas affecting the availability of systems are (1) denial of service attacks (2) loss of service due to a disaster 3. Disaster recovery ensures that all or parts of information technology processing systems can be recovered. Disaster recovery and business continuity work together to minimize the impact of critical events.

Question 24

Security Policy Document Relationships (think org chart)

Answer 24

Laws, regulations best practices (drivers) —> Program or Organizational policy (managements security statement) —> Functional Policies (managmements security directives) —> 1. Standards 2. Procedures 3. Baselines 4. Guidelines

Question 25

Functions for Supporting Policies - Standards

Answer 25

Compulsory rules that dictate how hardware and software are to be used and expected behavior of employees - binding.

Question 26

Functions for Supporting Policies - Baselines

Answer 26

A minimum level of security that is required throughout the organization - binding.

Question 27

Functions for Supporting Policies - Procedures

Answer 27

Detailed step-by-step actions to be taken to achieve a specific task - binding.

Question 28

Functions for Supporting Policies - Guidlines

Answer 28

Recommended actions and operational guides for users and staff members where standards do not apply - non-binding.

Question 29

Asset Valuation

Answer 29

1. Acquisitionor development costs 2. Replacement costs 3. Maintenance and protection costs 4. Productivity and operational losses 5. Owners value 6. Outside valuation 7 liability - if the asset is compromised

Question 30

Data Classification Procedure

Answer 30

1. Custodian - identify 2. Classification criteria - specify 3. Controls - per classification 4. Exceptions - document 5. Transfer custody - methods 6. Declassification - reclassification/ termination 7. Awareness - of security program

Question 31

Manage third party governance

Answer 31

An important aspect of information security governance is the rules and processes employed when dealing with third party relationships and may include: 1. Service providers 2. Outsourced operations 3. Trading partners 4. Merged or acquired organizations

Question 32

RACI Model

Answer 32

1. Responsible 2. Accountable 3. Informed

Question 33

Risk Management

Answer 33

The process of identifying, analyzing, and reducing the risk to an acceptable level.

Question 34

Risk Management - Risk Assessment

Answer 34

1. A method of identifying a company’s assets, their associated risks, and the potential loss that the organization could suffer. 2. Detailed estimate of likelihood and impact of particular events. 3. Suggested countermeasures

Question 35

Risk Management - Risk mitigation

Answer 35

Managment selects countermeasures

Question 36

Risk Management - Controls evaluation

Answer 36

Ongoing process

Question 37

Risk Management Models - ANZ 4360

Answer 37

Australian-New Zealand risk management framework

Question 38

Risk Management Model - NIST SP 800-30

Answer 38

US GOV risk management standard - risk

Question 39

Risk Management Model - OCTAVE

Answer 39

Operationally Critical Threat Asset and Vulnerability Evaluations - risk

Question 40

Risk Management Model - Basel II

Answer 40

Financial Risk management framework adopted by the EU as a minimum acceptable standard of practice

Question 41

Risk Management Process (org chart)

Answer 41

Plan (top) —> Identify (risk identification) —> Analyze (qual and can risk anal) —> Prioritize —> Plan (risk response) —> Execute —> Evaluate —> Document —> back to (top)

Question 42

Risk Management - How to handle - Asset

Answer 42

Any resource valuable to the organization - server/workstation

Question 43

Risk Management - How to handle - Threat

Answer 43

Potential danger to an asset should a threat-agent take advantage of an assets vulnerability - think thumb drive

Question 44

Risk Management - How to handle - Threat Source/Threat Agent

Answer 44

Anything and/or anyone that has the potential to cause threat - think thumb drive

Question 45

Risk Management - How to handle - Vulnerability

Answer 45

A flaw or weakness of an asset - think thumb drive

Question 46

Identifying threats and vulnerabilities - Possible losses

Answer 46

1. Potential loss 2. Delayed loss

Question 47

Identifying threats and vulnerabilities - Hard to identify

Answer 47

1. Buffer overflows 2. Employee fraud 3. Illogical processing

Question 48

Possible threats - Confidentiality

Answer 48

1. Shoulder surfing 2. Interception of a message 3. Social engineering

Question 49

Possible threats - Integrity

Answer 49

1. Disabling the alert mechanism of an IDS 2. Modifying a message in transmission 3. Changing accounting records or system logs 4. Modifying configuration files

Question 50

Possible threats - Availability

Answer 50

1. Man made 2. Component failure within a device 3. terrorist attack 4 Denial of Service attack

Question 51

Security Risk Definitions - Risk

Answer 51

Likelihood of a threat agent exploiting a vulnerability

Question 52

Security Risk Definitions - Exposure

Answer 52

An opportunity for a threat to cause loss

Question 53

Security Risk Definitions - Exploit

Answer 53

Instance of loss experienced

Question 54

Security Risk Definitions - Loss

Answer 54

real or perceived devaluation of an asset

Question 55

Security Risk Definitions - Controls

Answer 55

technical and nontechnical risk mitigation mechanisms

Question 56

4 goals of Risk Assessment

Answer 56

1. Assets - identify, valuate, classify 2. Risk - identify 3. Quantify - the impact

Question 57

Risk Approach - Quantitative

Answer 57

Numeric and monetary values

Question 58

Risk Approach - Qualitative

Answer 58

1. Subjective rating assigned 2. Intuition 3. Delphi method

Question 59

Annualized Loss Expectancy - (SLE)

Answer 59

Single Loss Expectancy - 1. Asset Value (AV) X Exposure Factor (EF) = SLE 2. The exposure factor represents the percentage of loss a realized threat could have on a certain asset.

Question 60

Annualized Loss Expectancy - (ALE)

Answer 60

1. SLE X Annualized rate of occurrence (ARO) = ALE 2. The ARO is the value that represents the estimated possibility of a specific threat taking place.

Question 61

ALE Example

Answer 61

1. Tornado is estimated to damage (50%) of a facility it hits and the value of the facility is $200K. 2. The probability is one in ten years. ALE is $10K. AV X FE = SLE then SLE X ARO = ALE 3. Managment should not spend over $10K in countermeasures to protect against this risk.

Question 62

Qualitative Risk Analysis Steps (5)

Answer 62

1. Develop risk scenarios 2. Gather company “SME’s” 3. Walk through scenarios to determine results 4. Prioritize risks and threats to assets 5. Build consensus for best countermeasures

Question 63

Types of Risk - Total

Answer 63

Risk that exists before controls

Question 64

Types of Risk - Residual

Answer 64

risk after countermeasures or safeguards

Question 65

Types of Risk - Accepted

Answer 65

If a company chooses not to implement countermeasures they make the choice of the total risk of a threat

Question 66

Risk Assessment Team

Answer 66

1. Ensure business managers maintain accountability for their decisions 2. Representatives from each department should be on the team or at least interviewed 3. Identify company assets by interviewing individuals, reviewing documents and tours. 4. Many factors play into estimating the value of an asset, not just the value of a purchase order.

Question 67

Risk Mitigation Options - Reject

Answer 67

Ignore Neglect

Question 68

Risk Mitigation Options - Reduce

Answer 68

1. Risk Avoidance 2. Risk Limitation

Question 69

Risk Mitigation Options - Accept

Answer 69

Risk assumptions

Question 70

Risk Mitigation Options - Transfer

Answer 70

Insurance

Question 71

Control Criteria - Good security control

Answer 71

!. Achieves its goal by mitigating the risk 2. Makes good business sense because it is cost effective

Question 72

Control Criteria - Cost Benefit Analysis Formula

Answer 72

1. ALE before control. 2. ALE after control. 3. Annual Cost of Control

Question 73

Employee Management Policies - Address

Answer 73

1. Dangerous shortcuts 2. Collusion 3. Fraud

Question 74

Employee Management Policies - Apply to

Answer 74

1. Pre-employment 2. Mid-employment 3. Post-employment

Question 75

Employees Policies - Pre employment

Answer 75

1. Background check 2. drug screening 3. Security clearance 4. credit check

Question 76

Employees Policies - Termination

Answer 76

1. Person should leave facility immediately upon term. 2. Surrender Badge, keys and co. prop. 3. Review the non-disclosure agreement 4. Exit interview 5. Disable user accounts 6. Change passwords 7. be respectful

Question 77

Knowledge transfer

Answer 77

Awareness, training and education - People are often the weakest link in securing information. Awareness of the need to protect information, training in the skills needed to operate them securely, and education in security measures and practices are of critical importance for the success of an organizations security program.