Topic 1 - Supporting IT Governance and Risk Management Flashcards

1
What are two widely used “Information Classification” systems?
Government Classification System, which focuses on Confidentiality, and Commercial Classification System, which focuses on Integrity
2
What’s the equation to calculate Single Loss Expectancy (SLE)?
Asset Value (AV) x Exposure Factor (EF)
3
Define Mergers and Acquisitions
The combination of two or more commercial companies into a single surviving entity
4
What is the name of a risk report containing the findings, information, assessments, and recommendations for an organization?
Risk assessment report
5
What is an IT Audit?
An examination of controls within an information technology system or network
6
Ranking elements of a risk assessment by non-monetary values is to do a…
Qualitative Risk Assessment
7
Assigning a monetary value to elements of a risk assessment is to do a…
Quantitative Risk Assessment
8
What are the four categories of the Commercial Classification System?
Public, Sensitive, Private, Confidential
9
What is FISMA?
Federal Information Security Management Act; it addresses information security requirements for non-national-security government agencies.
10
Explain the final phase of the risk management process, “continuous monitoring”
Continuous monitoring allows organizations to evaluate the effectiveness of controls on a near-real-time or real-time basis, since it occurs immediately or closely after events
11
What are examples of insecure data transmission protocols?
FTP, Telnet, HTTP, SMTP
12
Who is responsible for identifying and analyzing risks?
The risk management team
13
Define a “Risk Deterrence”
A process, policy or system that discourages others from exploiting a vulnerability
14
What is COBIT?
Control Objectives for Information Related Technology. It is a leading governance framework
15
Define the ESA framework SABSA
Sherwood Applied Business Security Architecture is a strategy based on an architectural viewpoint
16
What is GLBA?
Gramm-Leach-Bliley Act is a law overhauling financial services regulation in the US and applies to financial institutions. Subtitle A requires institutions to make disclosures about privacy policies and opt-out capability.
17
What is an SLA?
Service Level Agreement that defines performance targets for hardware and software
18
What are SLA examples?
Help Desk and Caller Services, Uptime and Availability Agreements
19
What is FISMA 2014?
The updated version of the original 2002 Federal Information Security Management Act
20
What is ISAM?
INFOSEC Assessment Methodology - A qualitative assessment
21
What is an HSM?
Hardware Security Module. It’s a type of secure cryptoprocessor targeted at managing keys
22
What is “business continuity planning”?
The formation of a plan on what to do if your business suffers a disruption
23
What are policies?
High-level documents that outline the security goals and objectives of the company
24
What is the measurement called that tracks the time it takes to go from failure to repaired for an asset?
MTTR - Mean Time to Repair
25
Define a Partnership business model
A model where two or more entities share potential profit and risk with each other.
26
What is a vulnerability?
A vulnerability can be described as a weakness in hardware or software that may be exploited
27
Encrypted file system (EFS) and VeraCrypt are examples of?
Software encryption options for data-at-rest
28
A group risk assessment that allows people to contribute anonymously is known as ...
Delphi Technique
29
What is the IT Governance Institute Framework?
A process that begins with setting objectives for the enterprise's IT, providing initial direction and then evolving into a continuous loop
30
What is Outsourcing?
An arrangement in which one company provides services for another company that may or may not have been provided in-house
31
What is GDPR?
General Data Protection Regulation in the EU that affects multi-national companies
32
Define "Asset Identification"
The process of identifying all of the organization's assets.
33
What is a vulnerability window?
When an IT asset is most vulnerable
34
What are the types of business models?
Outsourcing, Partnerships and Mergers and Acquisitions
35
What is a TPM?
Trusted Platform Module. A specialized chip that can be installed on the motherboard of a computer and is used for hardware authentication
36
Define the ESA framework EA
Enterprise Architecture used by the federal government to ensure business strategy and IT investments are aligned
37
What is an asset?
An asset is an item of value to an institution, such as data, hardware, software or physical property.
38
What are the four categories of the Government Classification System?
Unclassified, Confidential, Secret and Top Secret
39
What are examples of risk sources?
The source of a risk can be either internal or external. An internal example is a disgruntled employee; an external example is a natural disaster
40
What is HIPAA?
Health Insurance Portability and Accountability Act is a law regarding privacy that has three major purposes: (1) to provide consumers with access to their health information; (2) to improve the quality of health care in the US by restoring trust in the system; (3) to create a national framework for health privacy protection
41
What are examples of "Tangible Assets"?
Hardware and software
42
List the three security control types
Physical controls (door locks), technical controls (cameras, anti-virus), operational controls (background checks, security awareness training)
43
A quick risk assessment based on a series of questions is known as ...
FRAP - Facilitated Risk Assessment Process
44
List potential risks in a Partnership business model
Loss of Competency, broken agreements, service deterioration, poor cultural fit, hidden costs
45
What is a Zero-Day?
An exploit the vendor either doesn't know about, or that no patch or mitigation exists for
46
What is a network boundary?
The point at which your control ends
47
List proper equipment disposal methods
Drive wiping, zeroization, degaussing, physical destruction
48
Define Annualized Rate of Occurrence (ARO)
Frequency at which a specified risk will be realized over a single year
49
What are threat examples that pertain to IT security?
Natural disaster, malicious code, breach of physical security, hacker attack, DDoS, cyberterrorism
50
Define "Risk Appetite"
The amount of risk a company is willing to accept
51
What is a threat?
Any situation that affects confidentiality, availability or integrity of an IT asset
52
What does "CVE" stand for?
Common vulnerabilities and exposures. It's a system to normalize data about a vuln so fixing or mitigating is less of a challenge
53
What is SOX?
Sarbanes-Oxley Act mandated reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud. Section 302 requires the CEO and CFO to certify personally that the org has proper internal controls. Section 404 requires infrastructure designed to archive records and data while protecting it from destruction and loss.
54
What are examples of "Intangible Assets"?
Reputation and services
55
Define "RPO" and "RTO"
Recovery Point Objective - the tolerable period of time between the last backup and the failure, which is the data that would be lost. A 5-minute RPO means only the last 5 minutes of data are lost. Recovery Time Objective - the amount of time required to bring the systems back online and restore normal access that the company is willing to tolerate
56
What do you call an unmitigated risk when discussing risk assessment?
An exemption
57
Explain "Risk Mitigation Planning"
Comes after a quantitative or qualitative assessment and is to make a determination and decide which security controls should be applied.
58
What is the name of a predictable interval between failures of an asset?
MTBF - Mean time between failures
59
What is Operational Risk?
Either a company's internal and external practices, or external sources such as government agencies or regulatory requirements.
60
List two common "Enterprise Security Architecture (ESA)" frameworks
Enterprise Architecture (EA) and Sherwood Applied Business Security Architecture (SABSA)
61
Define Exposure Factor (EF)
The percentage of loss experienced IF a specific asset were attacked, based on asset value. Example: an attack may not render an asset totally inaccessible or inoperable, so the EF is less than 100%
62
What is Risk?
Risk is the probability/likelihood of the occurrence or realization of a threat
63
What is motivation?
The driving force behind an activity
64
List the four alternatives for handling potential risks
Avoid, Accept, Transfer, Mitigate. Avoid - to eliminate; examples are withdrawing from a practice or not becoming involved. Accept - acknowledging the risk has been understood and evaluated, but senior management has decided that the benefits of moving forward outweigh the risk. Transfer - deflect to a third party. Mitigate - a control is used to reduce the risk
65
What is the equation to calculate Annualized Loss Expectancy (ALE)
Annualized Rate of Occurrence (ARO) x Single Loss Expectancy (SLE)
66
Define compliance
Being in accordance with agreed-upon guidelines, specifications, legislation, or regulations
67
Enterprise Resilience is ..
An approach to risk management that anticipates disruptions, better ensures recovery, and protects business profitability
68
Explain the purpose of "Risk Assessment"
To evaluate risks in terms of the likelihood and the magnitude of an impact, to determine a response strategy and to monitor progress in reducing the threat.
69
What are the four strategic responses to positive risks?
exploit, share, enhance and accept
70
List the Qualitative risk assessment grade scale
Low, Medium and High across CIA
```
Low = Minor inconvenience
Medium = Can result in damage to an organization
High = Will result in a loss of goodwill, legal action or fine
```
71
What is the CIA triad?
Confidentiality, Integrity and Availability
72
Define Confidentiality and list the most common controls...
Keeping good data away from bad actors | Encryption, data classification, awareness training
73
Define Integrity and list the most common controls..
Change control for data with no unauthorized modification without knowledge and consent of data owner | hashing, IDS, strict access controls
74
Define Availability and list the most common controls..
Authorized subjects can access objects in a timely manner without interruption | redundant system design, continuous monitoring and testing of backups
75
Define IT governance
A concept in which stakeholders ensure that those who govern IT resources are fulfilling objectives and strategies
76
What is "Due Diligence"
Good governance/good oversight. Loosely, overseeing action, directing it with governance and policy, and providing strategy so people understand objectives
77
What is "Due Care"
Good actions/acting aligned with the structure from due diligence, so we are doing the right things, not the wrong things. Loosely, if you are at a pool and there are rules on the wall, like no running, abiding by those rules is Due Care.
78
What is a countermeasure (control)?
A mechanism to minimize risk
79
What is residual risk?
The risk remaining after countermeasures are applied
80
Define the risk management cyclical process
Identify, Assess, Analyze and Respond
81
What is ERM
Enterprise Risk Management - the process of evaluating, measuring and mitigating risks at an organization level
82
What is a semi-quantitative analysis
Attempts to find a middle ground between the two types
83
What is a security framework?
A reference point with common language. Examples: SOX, NIST, SABSA
84
What is a policy?
Direction from senior management (strategic)
85
What is a standard?
Formalized from external guidance (regulatory example GDPR)
86
What is a procedure?
Step by step method of accomplishing something (tactical)
87
What is a Guideline?
Best practice recommendation
88
What is de-perimeterization?
The process of shifting, reducing or removing some enterprise boundaries to facilitate interactions with the world outside of its domain
89
When talking system-specific risk analysis, what are common questions to ask?
How can the attack be performed? / Can the attack be performed in the current network?
90
What is an Aggregate CIA score?
A subjective score on a sliding scale of harm. The highest risks are rated 10, the lowest risks are rated 1, and data having no risk is rated 0. Each CIA attribute of the information is compared to the threat that attribute faces, then multiplied to produce a total: Value x Threat = total for an attribute. The totals for each attribute are added to produce the aggregate CIA score for that entire risk.
91
What is the "Golden Rule"
It's very important to incorporate stakeholder input as part of the process. Seek the blessing and the authorization and the acceptance of senior leadership before you implement anything.
92
What is the CVSS?
Common Vulnerability Scoring System - A risk management approach where vulnerability data is quantified and then the degrees of risk to systems or information are taken into account. v3.1 is the current version. Metric groups are base (AV/AC/PR/UI/S/C/I/A), temporal (E/RL/RC), and environmental (specific context). Used to score vulnerabilities in CVE
93
What is a Business Impact Analysis (BIA)
Business Impact Analysis - Used to determine the impact a disruptive event would have on an org. Goals: determine criticality, estimate max downtime, evaluate resource requirements. Steps: gather requirements & info, vulnerability assessment, risk analysis, communicate findings
94
What are examples of documents that support security initiatives
MSA - Master Services Agreement - expedites the agreement process
SOA - Statement of Applicability - identifies controls in place
BIA - Business Impact Analysis - identifies present organizational risks
IA - Interoperability Agreement - general term for any doc that outlines a business partnership
ISA - Interconnection Security Agreement -
MOU - Memorandum of Understanding - not legally binding
SLA - Service Level Agreement - clearly defines what services are to be provided to the client
OLA - Operating Level Agreement - identifies and defines the working relationships between groups or divisions
NDA - Non-Disclosure Agreement - an agreement between entities stipulating you will not share specific information with unauthorized third parties
BPA - Business Partner Agreement - defines how a partnership between business entities will be conducted
95
What are all the ways you can measure downtime?
```
Maximum allowable downtime (MAD) / Maximum tolerable downtime (MTD)
Recovery time objective (RTO)
Recovery point objective (RPO)
Mean time to failure (MTTF)
Mean time to repair (MTTR)
Mean time between failures (MTBF)
```
96
What are the 5 steps of incident response?
Detection, Response, Reporting, Recovery, Remediation and Review
97
Describe two-man control
Two operators review and approve each other's work
98
What are the MIL levels for a Cyber Resilience Review (CRR)
```
MIL0 - Incomplete
MIL1 - Performed
MIL2 - Planned
MIL3 - Managed
MIL4 - Measured
MIL5 - Defined
```