Study Guide Ch 2 Flashcards

1
Q

The six steps of the risk management framework

A
Categorize
Select
Implement
Assess
Authorize
Monitor

2
Q

Separation of duties

A

the security concept in which critical, significant, and sensitive work tasks are divided among personnel

3
Q

Job responsibilities

A

the specific work tasks an employee is required to perform on a regular basis

4
Q

Job rotation serves two functions

A

First, it provides a type of knowledge redundancy

Second, moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information

5
Q

Collusion

A

When several people work together to perpetrate a crime

6
Q

NDA

A

nondisclosure agreement

7
Q

What is the purpose of an NDA?

A

An NDA is used to protect the confidential information within an organization from being disclosed by a former employee

8
Q

NCA

A

non-compete agreement

9
Q

What purpose does an NCA serve?

A

NCAs attempt to prevent an employee with special knowledge of secrets from one organization from working in a competing organization

NCAs are also used to prevent workers from jumping from one company to another competing company just because of salary increases or other incentives

10
Q

the best time to terminate an employee…

A

at the end of their shift midweek

11
Q

The primary purpose of the exit interview…

A

To review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement, and any other security-related documentation

12
Q

Compliance

A

the act of conforming to or adhering to rules, policies, regulations, standards, or requirements

13
Q

PII

A

personally identifiable information = any data item that can be easily and/or obviously traced back to the person of origin or concern

14
Q

Security governance

A

the collection of practices related to supporting, defining, and directing the security efforts of an organization

15
Q

Third-party governance

A

the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements

16
Q

Documentation review

A

the process of reading the exchanged materials and verifying them against standards and expectations

17
Q

ATO

A

authorization to operate

18
Q

Risk

A

The possibility that something could happen to damage, destroy, or disclose data or other resources

19
Q

What is the primary goal of risk management?

A

To reduce risk to an acceptable level

20
Q

Risk analysis

A

The process by which the goals of risk management are achieved

21
Q

Asset

A

An asset is anything within an environment that should be protected

22
Q

Asset valuation

A

A dollar value assigned to an asset based on actual cost and non-monetary expenses

23
Q

Threats

A

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a threat

24
Q

Vulnerability

A

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure

25
Q

Exposure

A

Being susceptible to asset loss because of a threat

26
Q

Risk formula

A

risk = threat * vulnerability

27
Q

Safeguard

A

A countermeasure

Anything that removes or reduces a vulnerability or protects against one or more specific threats

28
Q

Attack

A

the exploitation of a vulnerability by a threat agent

29
Q

Breach

A

the occurrence of a security mechanism being bypassed or thwarted by a threat agent.

30
Q

How does quantitative analysis function?

A

To assign real dollar figures to the loss of an asset

31
Q

How does qualitative analysis function?

A

To assign subjective and intangible values to the loss of an asset

32
Q

The six major steps or phases in quantitative risk analysis

A

Inventory assets, and assign a value
For each listed threat, calculate exposure factor (EF)
and single loss expectancy (SLE)
Assess the annualized rate of occurrence (ARO)
Derive the annualized loss expectancy (ALE)
Perform cost/benefit analysis of countermeasures

33
Q

EF (exposure factor)

A

The EF simply indicates the expected overall asset value loss because of a single realized risk.

The EF is expressed as a percentage.

34
Q

Single Loss Expectancy (SLE)

A

SLE = asset value (AV) * exposure factor (EF)

The SLE is expressed in a dollar value

35
Q

Annualized Rate of Occurrence (ARO)

A

The expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.

36
Q

Annualized Loss Expectancy

A

The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset

ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)

37
Q

How should a safeguard function?

A

To reduce the ARO for any asset

38
Q

Safeguard cost/benefit formula

A

(pre-countermeasure ALE - post-countermeasure ALE) - ACS

(ALE1 - ALE2) - ACS

39
Q

scenario

A

a written description of a single major threat

40
Q

The Delphi technique

A

an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus

41
Q

Risk Mitigation

A

the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats

42
Q

Risk Assignment

A

the placement of the cost of loss a risk represents onto another entity or organization

43
Q

Risk Rejection

A

Denying that a risk exists and hoping that it will never be realized

44
Q

Risk Acceptance

A

accepting the consequences and the loss if the risk is realized

45
Q

Total risk formula

A

threats * vulnerabilities * asset value = total risk

the * does not imply multiplication, but a combination function; this is not a true mathematical formula

46
Q

Residual risk formula

A

total risk - controls gap = residual risk

47
Q

controls gap

A

the amount of risk that is reduced by implementing safeguards

48
Q

The three categories of security control implementation

A

Administrative
Logical/technical
Physical

49
Q

Technical access control mechanisms

A

involves the hardware or software mechanisms used to manage access and to provide protection

50
Q

Administrative access control mechanisms

A

the policies and procedures defined by an organization’s security policy and other regulations or requirements

51
Q

Physical access control mechanisms

A

items you can physically touch

52
Q

Types of access controls

A
Deterrent
Preventive
Detective
Compensating
Corrective
Recovery
Directive

53
Q

Difference between deterrent and preventive access controls

A

Deterrent controls often depend on individuals deciding not to take an unwanted action

In contrast, a preventive control actually blocks the action

54
Q

Compensating access control

A

can be any control used in addition to, or in place of, another control

55
Q

What is the goal of asset valuation?

A

To assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones

56
Q

What is a risk framework?

A

A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored

57
Q

What are the six steps of the NIST SP 800-37 RMF?

A
Categorize the information system
Select an initial set of baseline security controls
Implement the security controls
Assess the security controls
Authorize information system operation
Monitor the security controls

58
Q

What is the goal of security awareness?

A

The goal of creating awareness is to bring security to the forefront and make it a recognized entity for users

59
Q

Define “training”

A

Training is teaching employees to perform their work tasks and to comply with the security policy

60
Q

True or false: Training is typically hosted by an organization and is targeted to groups of employees with similar job functions

A

True

61
Q

Some partial definitions of privacy

A

Active prevention of unauthorized access to PII

Freedom from unauthorized access to PII

Freedom from being observed, monitored, or examined without consent or knowledge

62
Q

When addressing privacy, what two issues must be balanced?

A

there is usually a balancing act between individual rights and the rights or activities of an organization