Study Guide Ch 2 Flashcards
The six steps of the risk management framework
Categorize, Select, Implement, Assess, Authorize, Monitor
Separation of duties
the security concept in which critical, significant, and sensitive work tasks are divided among personnel
Job responsibilities
the specific work tasks an employee is required to perform on a regular basis
Job rotation serves two functions
First, it provides a type of knowledge redundancy
Second, moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information
Collusion
When several people work together to perpetrate a crime
NDA
nondisclosure agreement
What is the purpose of a NDA?
An NDA is used to protect the confidential information within an organization from being disclosed by a former employee
NCA
non-compete agreement
What purpose does a NCA serve?
NCAs attempt to prevent an employee with special knowledge of secrets from one organization from working in a competing organization
NCAs are also used to prevent workers from jumping from one company to another competing company just because of salary increases or other incentives
the best time to terminate an employee…
at the end of their shift midweek
The primary purpose of the exit interview…
To review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement, and any other security-related documentation
Compliance
the act of conforming to or adhering to rules, policies, regulations, standards, or requirements
PII
personally identifiable information = any data item that can be easily and/or obviously traced back to the person of origin or concern
Security governance
the collection of practices related to supporting, defining, and directing the security efforts of an organization
Third-party governance
the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements
Documentation review
the process of reading the exchanged materials and verifying them against standards and expectations
ATO
authorization to operate
Risk
The possibility that something could happen to damage, destroy, or disclose data or other resources
What is the primary goal of risk management?
To reduce risk to an acceptable level
Risk analysis
The process by which the goals of risk management are achieved
Asset
An asset is anything within an environment that should be protected
Asset valuation
A dollar value assigned to an asset based on actual cost and non-monetary expenses
Threats
Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat
Vulnerability
The weakness in an asset or the absence or the weakness of a safeguard or countermeasure
Exposure
Being susceptible to asset loss because of a threat
Risk formula
risk = threat * vulnerability
Safeguard
A countermeasure
Anything that removes or reduces a vulnerability or protects against one or more specific threats
Attack
the exploitation of a vulnerability by a threat agent
Breach
the occurrence of a security mechanism being bypassed or thwarted by a threat agent.
How does quantitative analysis function?
To assign real dollar figures to the loss of an asset
How does qualitative analysis function?
To assign subjective and intangible values to the loss of an asset
The six major steps or phases in quantitative risk analysis
Inventory assets, and assign a value
For each listed threat, calculate exposure factor (EF) and single loss expectancy (SLE)
Assess the annualized rate of occurrence (ARO)
Derive the annualized loss expectancy (ALE)
Perform cost/benefit analysis of countermeasures
EF (exposure factor)
The EF simply indicates the expected overall asset value loss because of a single realized risk.
The EF is expressed as a percentage.
Single Loss Expectancy (SLE)
SLE = asset value (AV) * exposure factor (EF)
The SLE is expressed in a dollar value
Annualized Rate of Occurrence (ARO)
The expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.
Annualized Loss Expectancy
The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset
ALE= single loss expectancy (SLE) * annualized rate of occurrence (ARO)
How should a safeguard function?
To reduce the ARO for any asset
Safeguard cost/benefit formula
(pre-countermeasure ALE - post-countermeasure ALE) - ACS
(ALE1 - ALE2) - ACS
scenario
a written description of a single major threat
The Delphi technique
an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus
Risk Mitigation
the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats
Risk Assignment
the placement of the cost of loss a risk represents onto another entity or organization
Risk Rejection
Denying that a risk exists and hoping that it will never be realized
Risk Acceptance
accepting the consequences and the loss if the risk is realized
Total risk formula
threats * vulnerabilities * asset value = total risk
the * does not imply multiplication, but a combination function; this is not a true mathematical formula
Residual risk formula
total risk - controls gap = residual risk
controls gap
the amount of risk that is reduced by implementing safeguards
The three categories of security control implementation include:
Administrative
Logical/technical
Physical
Technical access control mechanisms
involve the hardware or software mechanisms used to manage access and to provide protection
Administrative access control mechanisms
the policies and procedures defined by an organization’s security policy and other regulations or requirements
Physical access control mechanisms
items you can physically touch
Types of access controls
Deterrent, Preventive, Detective, Compensating, Corrective, Recovery, Directive
Difference between deterrent and preventive access controls
Deterrent controls often depend on individuals deciding not to take an unwanted action
In contrast, a preventive control actually blocks the action
Compensating access control
can be any control used in addition to, or in place of, another control
What is the goal of asset valuation?
To assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones
What is a risk framework?
A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored
What are the six steps of the NIST SP 800-37 RMF?
Categorize the information system
Select an initial set of baseline security controls
Implement the security controls
Assess the security controls
Authorize information system operation
Monitor the security controls
What is the goal of security awareness?
The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users
Define “training”
Training is teaching employees to perform their work tasks and to comply with the security policy
True or false: Training is typically hosted by an organization and is targeted to groups of employees with similar job functions
True
Some partial definitions of privacy
Active prevention of unauthorized access to PII
Freedom from unauthorized access to PII
Freedom from being observed, monitored, or examined without consent or knowledge
When addressing privacy, what two issues must be balanced?
There is usually a balancing act between individual rights and the rights or activities of an organization