Security Risk Management (SRM)

Question 1

27001

Answer 1

specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system within the context of the organization’s overall business risks

Question 2

27002

Answer 2

A standard that defines information’s confidentiality, integrity, and availability controls in a comprehensive information security management system

Question 3

ISO/IEC 27011

Answer 3

telecommunications organization guidelines

Question 4

ISO/IEC 27015

Answer 4

financial organization guidelines

Question 5

ISO/IEC 27037

Answer 5

Digital evidence guidelines

Question 6

ISO/IEC 27799

Answer 6

health organization guidelines

Question 7

acceptable risk

Answer 7

concern that is acceptable to responsible management, due to the cost and magnitude of implementing controls

Question 8

acceptable use policy

Answer 8

A policy that establishes an agreement between users and the organization and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet

Question 9

access rights

Answer 9

Permissions or privileges granted to users, programs, or workstations to create, change, delete or view data and files within a system as defined by rules established by data owners and the information security policy

Question 10

accountablity

Answer 10

The ability to map a given activity or event back to the responsible party

Question 11

administrative controls

Answer 11

The rules, procedures, and practices dealing with operational effectiveness, efficiency, and adherence to regulations and management policies

Question 12

advanced threat

Answer 12

an attacker repeatedly using multiple different attack vectors repeatedly to generate opportunities

Question 13

application controls

Answer 13

Manual or programmed activities intended to ensure the completeness and accuracy of records and the validity of entries made. The objectives of application controls are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from manual and programmed processing

Question 14

Assurance

Answer 14

Grounds for confidence that the other four security controls (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.

Question 15

audit trail

Answer 15

A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source

Question 16

Availability

Answer 16

Uptime, ready, in a condition to be used

Question 17

Chief information security officer

Answer 17

An executive position charged with responsibility for managing and protecting information assets

Question 18

CFAA of 1986

Answer 18

Computer Fraud and Abuse Act (CFAA)

Affects any entities that may engage in hacking of “protected computers” as defined in the Act

Question 19

Computer Security Act of 1987

Answer 19

Was the first law written to require a formal computer security plan

Question 20

Confidentiality

Answer 20

An organization’s protection of data in storage, during processing, and in transit for use by the subjects that are specifically intended to have access to the data or resource

Question 21

Control Objectives for Information and related Technology

Answer 21

A complete, internationally accepted process framework for IT that supports business and IT executives and IT management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities, and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT-related practices.

Question 22

Control gaps

Answer 22

The amount of risk reduced by implementing safeguards

Question 23

Corporate governance

Answer 23

The system by which organizations are directed and controlled. Boards of directors are responsible for the governance of their organizations. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.

Question 24

Corporate strategy

Answer 24

The pattern of decisions in a company that determines and reveals its objectives, purposes or goals; produces the principal policies and plans for achieving those goals; and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities.

Question 25

Countermeasure

Answer 25

a control after attack

Question 26

Cross training

Answer 26

to know more than one job

Question 27

Custodian

Answer 27

the guardian of asset(s), a maintenance activity

Question 28

Data classification

Answer 28

The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.

Question 29

Data regrade

Answer 29

Data is transferred from high network users to low network users

Question 30

Decentralization

Answer 30

The process of distributing computer processing to different locations within an organization

Question 31

Denial of Service

Answer 31

The prevention of authorized access to resources or the delaying of time critical operations

Question 32

Dual control

Answer 32

A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource such that no single entity acting alone can access that resource

Question 33

Due care

Answer 33

Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed. Doing the right action at the right time.

Question 34

Due diligence

Answer 34

Establishing a plan, policy, and process to protect the interests of an organization. Knowing what should be done and planning for it.

Question 35

ECPA of 1986

Answer 35

Electronic Communications Privacy Act

Extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications

Question 36

Education

Answer 36

long term knowledge building

Question 37

Ethics

Answer 37

the principles a person sets for themselves to follow

Question 38

Exposure

Answer 38

an opportunity for a threat to cause loss. (terminology that encompasses many recent risk terms)

Question 39

Federal Privacy Act of 1974

Answer 39

Affects any computer that contains records used by a federal agency

Question 40

FISA of 1978

Answer 40

Federal Intelligence Surveillance Act (FISA)

Affects law enforcement and intelligence agencies

Question 41

Governance

Answer 41

Executive responsibilities of goal setting, delegation, and verification, based upon the mission.

Question 42

Guidelines

Answer 42

written suggestions that direct choice to a few alternatives

Question 43

Information owner

Answer 43

the one person responsible for data, its classification and control setting

Question 44

Information security governance

Answer 44

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly

Question 45

Information security program

Answer 45

The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis

Question 46

inherent risk

Answer 46

the amount of risk that exists in the absence of controls

Question 47

IT-Related Risk

Answer 47

The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to these 4 items: 1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or man-made disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

Question 48

job rotation

Answer 48

to move from location to location, keeping the same function

Question 49

job training

Answer 49

employment education done one per position or at significant change of function

Question 50

mandatory access control

Answer 50

A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users’ programs acting on their behalf

Question 51

mandatory vacations

Answer 51

requirement to take time off

Question 52

mitigate

Answer 52

a choice in risk management, to implement a control that limits or lessens negative effects

Question 53

monitoring policy

Answer 53

The rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured

Question 54

objects

Answer 54

Data or systems, passive

Question 55

operational

Answer 55

intermediate level, pertaining to planning

Question 56

PASTA

Answer 56

Threat modeling focusing on developing countermeasures based on asset value

Stage 1 - Definition of Objectives
Stage 2 - Definition of Technical Scope
Stage 3 - App Decomposition and Analysis
Stage 4 - Threat Analysis
Stage 5 - Weakness and Vulnerability analysis
Stage 6 - Attack modeling and simulation
Stage 7 - Risk Analysis and Management

Question 57

policy

Answer 57

written core statements that rarely change

Question 58

privacy

Answer 58

Freedom from unauthorized intrusion or disclosure of information about individuals

Question 59

private/privacy

Answer 59

Individual owned or ownership

Question 60

procedure

Answer 60

written step-by-step actions

Question 61

procedures

Answer 61

The portion of a security policy that states the general process that will be performed to accomplish a security goal

Question 62

qualitative

Answer 62

a risk assessment method, intrinsic value

Question 63

quantitative

Answer 63

a risk assessment method, measurable real money cost

Question 64

residual risk

Answer 64

quantity of risk remaining after a control is applied
total risk - controls gap

Question 65

risk

Answer 65

the chance that something negative will occur

Question 66

risk analysis steps

Answer 66

1. Inventory assets and assign a value (asset value or AV)
2. Identify threats. Research each asset and produce a list of all possible threats of each asset. (and calculate EF and SLE)
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year (the ARO)
4. Estimate the potential loss by calculating the annualized loss expectancy (ALE)
5. Research the countermeasure for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset

Question 67

risk assessment

Answer 67

the collection and summation of risk data relating to a particular asset and controls for that asset

Question 68

risk formula

Answer 68

threat * vulnerability

Question 69

risk management

Answer 69

The total process of identifying, controlling, and mitigating information system-related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.

Question 70

risk management phases

Answer 70

Framing
Assessing
Responding
Alternatives
Monitoring

Question 71

safeguard

Answer 71

a control before attack

Question 72

safeguard evaluation

Answer 72

Good security controls mitigate risk, are transparent to users, difficult to bypass, and are cost effective

Question 73

safeguard value

Answer 73

ALE before safeguard - ALE after safeguard - annual cost of safeguard

Question 74

security clearance

Answer 74

the level and label given to an individual for the purpose of compartmentalization

Question 75

security goals

Answer 75

The five security goals are integrity, availability, confidentiality, accountability, and assurance

Question 76

security metrics

Answer 76

Any form of measurement used to determine any aspect of the operation of any security-related activity

Question 77

separation of duties

Answer 77

to break a business process into separate functions and assign to different people

Question 78

standard

Answer 78

written internalized or nationalized norms that are internal to an organization

Question 79

steering committee

Answer 79

A management committee assembled to sponsor and manage various projects, such as an information security program

Question 80

strategic

Answer 80

high level, pertaining to planning

Question 81

STRIDE

Answer 81

Threat modeling
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

Question 82

subjects

Answer 82

people or groups, active

Question 83

tactical

Answer 83

low level, pertaining to planning

Question 84

threat

Answer 84

The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability

Question 85

threat agent

Answer 85

those who initiate the attack

Question 86

threat analysis

Answer 86

The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment

Question 87

threats

Answer 87

vehicle or tool that exploits a weakness

Question 88

threat-source

Answer 88

Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Question 89

total risk

Answer 89

the amount of risk an organization would face if no safeguards were implemented

Question 90

total risk formula

Answer 90

calculation encompassing threats, vulnerabilities and assets
threats * vulnerabilities * assets

Question 91

transfer

Answer 91

a choice in risk management, to convince another to assume risk, typically by payment

Question 92

user

Answer 92

people who interact with assets

Question 93

VAST

Answer 93

Visual, Agile and Simple Threat model

Threat modeling concept that integrates threat and risk management into an Agile programming environment on a scalable basis

Question 94

vulnerability

Answer 94

weakness or flaw in an asset

Question 95

Framing Phase

Answer 95

Tactical/System
Operational/Business Process
Strategic/Whole business

Question 96

Assessing Phase

Answer 96

Set scope (Tactical/System, Operational/Business Process, Strategic/Whole business from Framing Phase)
Identify threat sources
Identify threat events
Identify vulnerabilities
Determine likelihood
Determine impacts
Determine risks

Question 97

Responding Phase

Answer 97

Developing alternatives
Evaluating alternatives (Avoid, Accept, Transfer from Alternatives Phase)
Determining course of action
Implementing (Mitigate = Control from Alternatives Phase)

Question 98

Alternatives Phase

Answer 98

Avoid = Stop Doing,
Accept = Do Nothing,
Transfer = Buy Insurance,
Mitigate = Control

Question 99

Monitoring Phase

Answer 99

Determining effectiveness of responses,
Identifying risk-impacting changes,
Verifying controls/compliance

Question 100

NIST 800-37

Answer 100

Risk Management Framework

Question 101

NIST 800-37 steps

Answer 101

People Can See I Am Always Monitoring

Prepare to execute RMF
Categorize information systems
Select security controls
Implement security controls
Assess the security controls
Authorize the system
Monitor security controls