Security Risk Management (SRM)

Question 1

27001

Answer 1

specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system within the context of the organization’s overall business risks

Question 2

27002

Answer 2

A standard that defines information’s confidentiality, integrity, and availability controls in a comprehensive information security management system

Question 3

ISO/IEC 27011

Answer 3

telecommunications organization guidelines

Question 4

ISO/IEC 27015

Answer 4

financial organization guidelines

Question 5

ISO/IEC 27037

Answer 5

Digital evidence guidelines

Question 6

ISO/IEC 27799

Answer 6

health organization guidelines

Question 7

acceptable risk

Answer 7

concern that is acceptable to responsible management, due to the cost and magnitude of implementing controls

Question 8

acceptable use policy

Answer 8

A policy that establishes an agreement between users and the organization and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet

Question 9

access rights

Answer 9

Permissions or privileges granted to users, programs, or workstations to create, change, delete or view data and files within a system as defined by rules established by data owners and the information security policy

Question 10

accountablity

Answer 10

The ability to map a given activity or event back to the responsible party

Question 11

administrative controls

Answer 11

The rules, procedures, and practices dealing with operational effectiveness, efficiency, and adherence to regulations and management policies

Question 12

advanced threat

Answer 12

an attacker repeatedly using multiple different attack vectors repeatedly to generate opportunities

Question 13

application controls

Answer 13

Manual or programmed activities intended to ensure the completeness and accuracy of records and the validity of entries made. The objectives of application controls are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from manual and programmed processing

Question 14

Assurance

Answer 14

Grounds for confidence that the other four security controls (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.

Question 15

audit trail

Answer 15

A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

Question 16

Availability

Answer 16

Uptime, ready, in a condition to be used

Question 17

Chief information security officer

Answer 17

An executive position charged with responsibility for managing and protecting information assets

Question 18

CFAA of 1986

Answer 18

Computer Fraud and Abuse Act (CFAA)

Affects any entities that may engage in hacking of “protected computers” as defined in the Act

Question 19

Computer Security Act of 1987

Answer 19

Was the first law written to require a formal computer security plan

Question 20

Confidentiality

Answer 20

An organization’s protection of data in storage, during processing, and in transit for use by the subjects that are specifically intended to have access to the data or resource

Question 21

Control Objectives for Information and related Technology

Answer 21

A complete, internationally accepted process framework for IT that supports business and IT executives and IT management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities, and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT-related practices.

Question 22

Corporate governance

Answer 22

The system by which organizations are directed and controlled. Boards of directors are responsible for the governance of their organizations. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.

Question 23

Corporate strategy

Answer 23

The pattern of decisions in a company that determines and reveals its objectives, purposes or goals; produces the principal policies and plans for achieving those goals; and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities.

Question 24

Countermeasure

Answer 24

a control after attack

Question 25

Cross training

Answer 25

to know more than one job

Question 26

Custodian

Answer 26

the guardian of asset(s), a maintenance activity

Question 27

Data classification

Answer 27

The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.

Question 28

Data regrade

Answer 28

Data is transferred from high network users to low network users

Question 29

Decentralization

Answer 29

The process of distributing computer processing to different locations within an organization

Question 30

Denial of Service

Answer 30

The prevention of authorized access to resources or the delaying of time critical operations

Question 31

Dual control

Answer 31

A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource such that no single entity acting alone can access that resource

Question 32

Due care

Answer 32

Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

Question 33

Due diligence

Answer 33

Establishing a plan, policy, and process to protect the interests of an organization

Question 34

ECPA of 1986

Answer 34

Electronic Communications Privacy Act

Extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications

Question 35

Education

Answer 35

long term knowledge building

Question 36

Ethics

Answer 36

the principles a person sets for themselves to follow

Question 37

Exposure

Answer 37

an opportunity for a threat to cause loss. (terminology that encompasses many recent risk terms)

Question 38

Federal Privacy Act of 1974

Answer 38

Affects any computer that contains records used by a federal agency

Question 39

FISA of 1978

Answer 39

Federal Intelligence Surveillance Act (FISA)

Affects law enforcement and intelligence agencies

Question 40

Governance

Answer 40

Executive responsibilities of goal setting, delegation, and verification, based upon the mission.

Question 41

Guidelines

Answer 41

written suggestions that direct choice to a few alternatives

Question 42

Information owner

Answer 42

the one person responsible for data, its classification and control setting

Question 43

Information security governance

Answer 43

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly

Question 44

Information security program

Answer 44

The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis

Question 45

IT-Related Risk

Answer 45

The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to these 4 items: 1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or man-made disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

Question 46

job rotation

Answer 46

to move from location to location, keeping the same function

Question 47

job training

Answer 47

employment education done one per position or at significant change of function

Question 48

mandatory access control

Answer 48

A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users’ programs acting on their behalf

Question 49

mandatory vacations

Answer 49

requirement to take time off

Question 50

mitigate

Answer 50

a choice in risk management, to implement a control that limits or lessens negative effects

Question 51

monitoring policy

Answer 51

The rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured

Question 52

objects

Answer 52

Data or systems, passive

Question 53

operational

Answer 53

intermediate level, pertaining to planning

Question 54

policy

Answer 54

written core statements that rarely change

Question 55

privacy

Answer 55

Freedom from unauthorized intrusion or disclosure of information about individuals

Question 56

private/privacy

Answer 56

Individual owned or ownership

Question 57

procedure

Answer 57

written step-by-step actions

Question 58

procedures

Answer 58

The portion of a security policy that states the general process that will be performed to accomplish a security goal

Question 59

qualitative

Answer 59

a risk assessment method, intrinsic value

Question 60

quantitative

Answer 60

a risk assessment method, measurable real money cost

Question 61

residual risk

Answer 61

quantity of risk remaining after a control is applied
total risk - controls gap

Question 62

risk

Answer 62

the chance that something negative will occur

Question 63

risk assessment

Answer 63

the collection and summation of risk data relating to a particular asset and controls for that asset

Question 64

risk management

Answer 64

The total process of identifying, controlling, and mitigating information system-related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.

Question 65

risk management phases

Answer 65

Framing
Assessing
Responding
Alternatives
Monitoring

Question 66

safeguard

Answer 66

a control before attack

Question 67

security clearance

Answer 67

the level and label given to an individual for the purpose of compartmentalization

Question 68

security goals

Answer 68

The five security goals are integrity, availability, confidentiality, accountability, and assurance

Question 69

security metrics

Answer 69

Any form of measurement used to determine any aspect of the operation of any security-related activity

Question 70

separation of duties

Answer 70

to break a business process into separate functions and assign to different people

Question 71

standard

Answer 71

written internalized or nationalized norms that are internal to an organization

Question 72

steering committee

Answer 72

A management committee assembled to sponsor and manage various projects, such as an information security program

Question 73

strategic

Answer 73

high level, pertaining to planning

Question 74

subjects

Answer 74

people or groups, active

Question 75

tactical

Answer 75

low level, pertaining to planning

Question 76

threat

Answer 76

The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability

Question 77

threat agent

Answer 77

those who initiate the attack

Question 78

threat analysis

Answer 78

The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment

Question 79

threats

Answer 79

vehicle or tool that exploits a weakness

Question 80

threat-source

Answer 80

Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Question 81

total risk

Answer 81

calculation encompassing threats, vulnerabilities and assets
threats * vulnerabilities * assets

Question 82

transfer

Answer 82

a choice in risk management, to convince another to assume risk, typically by payment

Question 83

user

Answer 83

people who interact with assets

Question 84

vulnerability

Answer 84

weakness or flaw in an asset

Question 85

Framing Phase

Answer 85

Tactical/System
Operational/Business Process
Strategic/Whole business

Question 86

Assessing Phase

Answer 86

Set scope (Tactical/System, Operational/Business Process, Strategic/Whole business from Framing Phase)
Identify threat sources
Identify threat events
Identify vulnerabilities
Determine likelihood
Determine impacts
Determine risks

Question 87

Responding Phase

Answer 87

Developing alternatives
Evaluating alternatives (Avoid, Accept, Transfer from Alternatives Phase)
Determining course of action
Implementing (Mitigate = Control from Alternatives Phase)

Question 88

Alternatives Phase

Answer 88

Avoid = Stop Doing,
Accept = Do Nothing,
Transfer = Buy Insurance,
Mitigate = Control

Question 89

Monitoring Phase

Answer 89

Determining effectiveness of responses,
Identifying risk-impacting changes,
Verifying controls/compliance