Security Risk Management (SRM) Flashcards
27001
specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system within the context of the organization’s overall business risks
27002
A standard that defines information’s confidentiality, integrity, and availability controls in a comprehensive information security management system
ISO/IEC 27011
telecommunications organization guidelines
ISO/IEC 27015
financial organization guidelines
ISO/IEC 27037
Digital evidence guidelines
ISO/IEC 27799
health organization guidelines
acceptable risk
concern that is acceptable to responsible management, due to the cost and magnitude of implementing controls
acceptable use policy
A policy that establishes an agreement between users and the organization and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet
access rights
Permissions or privileges granted to users, programs, or workstations to create, change, delete or view data and files within a system as defined by rules established by data owners and the information security policy
accountablity
The ability to map a given activity or event back to the responsible party
administrative controls
The rules, procedures, and practices dealing with operational effectiveness, efficiency, and adherence to regulations and management policies
advanced threat
an attacker repeatedly using multiple different attack vectors repeatedly to generate opportunities
application controls
Manual or programmed activities intended to ensure the completeness and accuracy of records and the validity of entries made. The objectives of application controls are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from manual and programmed processing
Assurance
Grounds for confidence that the other four security controls (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.
audit trail
A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source
Availability
Uptime, ready, in a condition to be used
Chief information security officer
An executive position charged with responsibility for managing and protecting information assets
CFAA of 1986
Computer Fraud and Abuse Act (CFAA)
Affects any entities that may engage in hacking of “protected computers” as defined in the Act
Computer Security Act of 1987
Was the first law written to require a formal computer security plan
Confidentiality
An organization’s protection of data in storage, during processing, and in transit for use by the subjects that are specifically intended to have access to the data or resource
Control Objectives for Information and related Technology
A complete, internationally accepted process framework for IT that supports business and IT executives and IT management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities, and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT-related practices.
Control gaps
The amount of risk reduced by implementing safeguards
Corporate governance
The system by which organizations are directed and controlled. Boards of directors are responsible for the governance of their organizations. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.
Corporate strategy
The pattern of decisions in a company that determines and reveals its objectives, purposes or goals; produces the principal policies and plans for achieving those goals; and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities.
Countermeasure
a control after attack
Cross training
to know more than one job
Custodian
the guardian of asset(s), a maintenance activity
Data classification
The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.
Data regrade
Data is transferred from high network users to low network users
Decentralization
The process of distributing computer processing to different locations within an organization
Denial of Service
The prevention of authorized access to resources or the delaying of time critical operations
Dual control
A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource such that no single entity acting alone can access that resource
Due care
Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed. Doing the right action at the right time.
Due diligence
Establishing a plan, policy, and process to protect the interests of an organization. Knowing what should be done and planning for it.
ECPA of 1986
Electronic Communications Privacy Act
Extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications
Education
long term knowledge building
Ethics
the principles a person sets for themselves to follow
Exposure
an opportunity for a threat to cause loss. (terminology that encompasses many recent risk terms)
Federal Privacy Act of 1974
Affects any computer that contains records used by a federal agency
FISA of 1978
Federal Intelligence Surveillance Act (FISA)
Affects law enforcement and intelligence agencies
Governance
Executive responsibilities of goal setting, delegation, and verification, based upon the mission.
Guidelines
written suggestions that direct choice to a few alternatives
Information owner
the one person responsible for data, its classification and control setting
Information security governance
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly
Information security program
The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis
inherent risk
the amount of risk that exists in the absence of controls
IT-Related Risk
The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to these 4 items: 1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or man-made disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system.
job rotation
to move from location to location, keeping the same function
job training
employment education done one per position or at significant change of function
mandatory access control
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users’ programs acting on their behalf
mandatory vacations
requirement to take time off
mitigate
a choice in risk management, to implement a control that limits or lessens negative effects
monitoring policy
The rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured
objects
Data or systems, passive
operational
intermediate level, pertaining to planning
PASTA
Threat modeling focusing on developing countermeasures based on asset value
Stage 1 - Definition of Objectives
Stage 2 - Definition of Technical Scope
Stage 3 - App Decomposition and Analysis
Stage 4 - Threat Analysis
Stage 5 - Weakness and Vulnerability analysis
Stage 6 - Attack modeling and simulation
Stage 7 - Risk Analysis and Management
policy
written core statements that rarely change
privacy
Freedom from unauthorized intrusion or disclosure of information about individuals
private/privacy
Individual owned or ownership
procedure
written step-by-step actions
procedures
The portion of a security policy that states the general process that will be performed to accomplish a security goal
qualitative
a risk assessment method, intrinsic value
quantitative
a risk assessment method, measurable real money cost
residual risk
quantity of risk remaining after a control is applied
total risk - controls gap
risk
the chance that something negative will occur
risk analysis steps
- Inventory assets and assign a value (asset value or AV)
- Identify threats. Research each asset and produce a list of all possible threats of each asset. (and calculate EF and SLE)
- Perform a threat analysis to calculate the likelihood of each threat being realized within a single year (the ARO)
- Estimate the potential loss by calculating the annualized loss expectancy (ALE)
- Research the countermeasure for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure
- Perform a cost/benefit analysis of each countermeasure for each threat for each asset
risk assessment
the collection and summation of risk data relating to a particular asset and controls for that asset
risk formula
threat * vulnerability
risk management
The total process of identifying, controlling, and mitigating information system-related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.
risk management phases
Framing
Assessing
Responding
Alternatives
Monitoring
safeguard
a control before attack
safeguard evaluation
Good security controls mitigate risk, are transparent to users, difficult to bypass, and are cost effective
safeguard value
ALE before safeguard - ALE after safeguard - annual cost of safeguard
security clearance
the level and label given to an individual for the purpose of compartmentalization
security goals
The five security goals are integrity, availability, confidentiality, accountability, and assurance
security metrics
Any form of measurement used to determine any aspect of the operation of any security-related activity
separation of duties
to break a business process into separate functions and assign to different people
standard
written internalized or nationalized norms that are internal to an organization
steering committee
A management committee assembled to sponsor and manage various projects, such as an information security program
strategic
high level, pertaining to planning
STRIDE
Threat modeling
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
subjects
people or groups, active
tactical
low level, pertaining to planning
threat
The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
threat agent
those who initiate the attack
threat analysis
The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment
threats
vehicle or tool that exploits a weakness
threat-source
Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
total risk
the amount of risk an organization would face if no safeguards were implemented
total risk formula
calculation encompassing threats, vulnerabilities and assets
threats * vulnerabilities * assets
transfer
a choice in risk management, to convince another to assume risk, typically by payment
user
people who interact with assets
VAST
Visual, Agile and Simple Threat model
Threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis
vulnerability
weakness or flaw in an asset
Framing Phase
Tactical/System
Operational/Business Process
Strategic/Whole business
Assessing Phase
Set scope (Tactical/System, Operational/Business Process, Strategic/Whole business from Framing Phase)
Identify threat sources
Identify threat events
Identify vulnerabilities
Determine likelihood
Determine impacts
Determine risks
Responding Phase
Developing alternatives
Evaluating alternatives (Avoid, Accept, Transfer from Alternatives Phase)
Determining course of action
Implementing (Mitigate = Control from Alternatives Phase)
Alternatives Phase
Avoid = Stop Doing,
Accept = Do Nothing,
Transfer = Buy Insurance,
Mitigate = Control
Monitoring Phase
Determining effectiveness of responses,
Identifying risk-impacting changes,
Verifying controls/compliance
NIST 800-37
Risk Management Framework
NIST 800-37 steps
People Can See I Am Always Monitoring
Prepare to execute RMF
Categorize information systems
Select security controls
Implement security controls
Assess the security controls
Authorize the system
Monitor security controls