Topic 1 - Supporting IT Governance and Risk Management Flashcards
What are two widely used “Information Classification” systems?
Government Classification System, which focuses on Confidentiality, and Commercial Classification System, which focuses on Integrity
What’s the equation to calculate Single Loss Expectancy (SLE)?
Asset Value (AV) x Exposure Factor (EF)
Define Mergers and Acquisitions
The combination of two or more commercial companies into a single surviving entity
What is the name of a risk report containing the findings, information, assessments, and recommendations for an organization?
Risk assessment report
What is an IT Audit?
An examination of controls within an information technology system or network
Ranking elements of a risk assessment by non-monetary values is to do a…
Qualitative Risk Assessment
Assigning a monetary value to elements of a risk assessment is to do a …
Quantitative Risk Assessment
What are the four categories of the Commercial Classification System?
Public, Sensitive, Private, Confidential
What is FISMA?
Federal Information Security Management Act addresses info sec requirements for non-national security government agencies.
Explain the final phase of the risk management process, “continuous monitoring”
Continuous monitoring allows organizations to evaluate the effectiveness of controls on a near or real-time basis since it occurs immediately or closely after events
What are examples of insecure data transmission protocols?
FTP, Telnet, HTTP, SMTP
Who is responsible for identifying and analyzing risks?
The risk management team
Define a “Risk Deterrence”
A process, policy or system that discourages others from exploiting a vulnerability
What is COBIT?
Control Objectives for Information and Related Technology. It is a leading governance framework
Define the ESA framework SABSA
Sherwood Applied Business Security Architecture is a strategy based on an architectural viewpoint
What is GLBA?
Gramm-Leach-Bliley Act is a law overhauling financial services regulation in the US and applies to financial institutions.
Subtitle A requires institutions to make disclosures about privacy policies and opt-out capability.
What is an SLA?
Service Level Agreement that defines performance targets for hardware and software
What are SLA examples?
Help Desk and Caller Services, Uptime and Availability Agreements
What is FISMA 2014?
The updated version of the original 2002 Federal Information Security Management Act
What is ISAM?
INFOSEC Assessment Methodology - A qualitative assessment
What is an HSM?
Hardware Security Module. It’s a type of secure cryptoprocessor targeted at managing keys
What is “business continuity planning”?
The formation of a plan on what to do if your business suffers a disruption
What are policies?
High-level documents that outline the security goals and objectives of the company
What is the measurement called that tracks the time it takes to go from failure to repair for an asset?
MTTR - Mean time to Repair
Define a Partnership business model
A model where two or more entities share potential profit and risk with each other.
What is a vulnerability?
A vulnerability can be described as a weakness in hardware or software that may be exploited
Encrypted file system (EFS) and VeraCrypt are examples of?
Software encryption options for data-at-rest
A group risk assessment that allows people to contribute anonymously is known as …
Delphi Technique
What is the IT Governance Institute Framework?
A process that begins with setting objectives for the enterprise’s IT, providing initial direction and then evolving into a continuous loop
What is Outsourcing?
An arrangement in which one company provides services for another company that may or may not have been provided in-house
What is GDPR?
General Data Protection Regulation in the EU that affects multi-national companies
Define “Asset Identification”
The process of identifying all of the organization’s assets.
What is a vulnerability window?
When an IT asset is most vulnerable
What are the types of business models?
Outsourcing, Partnerships and Mergers and Acquisitions
What is a TPM?
Trusted Platform Module.
A specialized chip that can be installed on the motherboard of a computer and is used for hardware authentication
Define the ESA framework EA
Enterprise Architecture used by the federal government to ensure business strategy and IT investments are aligned
What is an asset?
An asset is an item of value to an institution, such as data, hardware, software or physical property.
What are the four categories of the Government Classification System?
Unclassified, Confidential, Secret and Top Secret
What are examples of risk sources?
The source of a risk can be either internal or external. An internal example is a disgruntled employee; an external example is a natural disaster
What is HIPAA?
Health Insurance Portability and Accountability Act is a law regarding privacy that has three major purposes:
- To provide consumers with access to their health information
- To improve quality of health care in the US by restoring trust in the system
- Creating a national framework for health privacy protection
What are examples of “Tangible Assets”?
Hardware and software
List the three security control types
Physical controls (door locks), technical controls (cameras, anti-virus), operational controls (background checks, security awareness training)
A quick risk assessment based on a series of questions is known as …
FRAP - Facilitated Risk Assessment Process
List potential risks in a Partnership business model
Loss of Competency, broken agreements, service deterioration, poor cultural fit, hidden costs
What is a Zero-Day?
An exploit the vendor either doesn’t know about, or that no patch or mitigation exists for
What is a network boundary?
The point at which your control ends
List proper equipment disposal methods
Drive wiping, zeroization, degaussing, physical destruction
Define Annualized Rate of Occurrence (ARO)
Frequency at which a specified risk will be realized over a single year
What are threat examples that pertain to IT security?
Natural disaster, malicious code, breach of physical security, hacker attack, DDoS, cyberterrorism
Define “Risk Appetite”
The amount of risk a company is willing to accept
What is a threat?
Any situation that affects confidentiality, availability or integrity of an IT asset
What does “CVE” stand for?
Common vulnerabilities and exposures. It’s a system to normalize data about a vuln so fixing or mitigating is less of a challenge
What is SOX?
Sarbanes-Oxley Act mandated reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud. Section 302 requires the CEO and CFO to certify personally that the org has proper internal controls. Section 404 requires infrastructure designed to archive records and data while protecting it from destruction and loss.
What are examples of “Intangible Assets”?
Reputation and services
Define “RPO” and “RTO”
Recovery Point Objective - the tolerable period of time between the last backup and the failure, which is the data that would be lost. A 5 minute RPO means you lose only the last 5 minutes of data.
Recovery Time Objective - The amount of time required to bring the systems back online and restore normal access that the company wants to tolerate
What do you call an unmitigated risk when discussing risk assessment?
An exemption
Explain “Risk Mitigation Planning”
Comes after a quantitative or qualitative assessment; it is where you make a determination and decide which security controls should be applied.
What is the name of a predictable interval between failures of an asset?
MTBF - Mean time between failures
What is Operational Risk?
Risk arising from either a company’s internal and external practices, or from external sources such as government agencies or regulatory requirements.
List two common “Enterprise Security Architecture (ESA)” frameworks
Enterprise Architecture (EA) and Sherwood Applied Business Security Architecture (SABSA)
Define Exposure Factor (EF)
The percentage of loss experienced IF a specific asset were attacked. Based on asset value.
Example: an attack might not render an asset totally inaccessible or inoperable, so the EF is less than 100%
What is Risk?
Risk is the probability/likelihood of the occurrence or realization of a threat
What is motivation?
The driving force behind an activity
List the four alternatives for handling potential risks
Avoid, Accept, Transfer, Mitigate
Avoid - eliminate the risk, for example by withdrawing from a practice or not becoming involved
Accept - acknowledging it has been understood and evaluated but senior management has made the decision that the benefits of moving forward outweigh the risk.
Transfer - Deflect to a third party
Mitigate - A control is used to reduce the risk
What is the equation to calculate Annualized Loss Expectancy (ALE)?
Annualized Rate of Occurrence (ARO) x Single Loss Expectancy (SLE)
Define compliance
Being in accordance with agreed-upon guidelines, specifications, legislation, or regulations
Enterprise Resilience is …
An approach to risk management that anticipates disruptions, better ensures recovery, and protects business profitability
Explain the purpose of “Risk Assessment”
To evaluate risks in terms of the likelihood and the magnitude of an impact, to determine a response strategy and to monitor progress in reducing the threat.
What are the four strategic responses to positive risks?
exploit, share, enhance and accept
List the Qualitative risk assessment grade scale
Low, Medium and High across CIA
Low = Minor inconvenience
Medium = Can result in damage to an organization
High = Will result in a loss of goodwill, legal action or fine
What is the CIA triad?
Confidentiality, Integrity and Availability
Define Confidentiality and list the most common controls…
Keeping good data away from bad actors | Encryption, data classification, awareness training
Define Integrity and list the most common controls…
No unauthorized modification of data without the knowledge and consent of the data owner (change control) | hashing, IDS, strict access controls
Define Availability and list the most common controls…
Authorized subjects can access objects in a timely manner without interruption | redundant system design, continuous monitoring and testing of backups
Define IT governance
A concept in which stakeholders ensure that those who govern IT resources are fulfilling objectives and strategies
What is “Due Diligence”?
Good governance/good oversight. Loosely, overseeing action, directing it with governance, policy and providing strategy so people understand objectives
What is “Due Care”?
Good actions/acting aligned with the structure from due diligence so we are doing the right things, not wrong things.
Loosely, if you are at a pool and there are rules on the wall, like no running, the actions abiding by those rules is Due Care.
What is a countermeasure (control)?
mechanism to minimize risk
What is residual risk?
remaining risk after countermeasures applied
Define the risk management cyclical process
Identify, Assess, Analyze and Respond
What is ERM?
Enterprise Risk Management - the process of evaluating, measuring and mitigating risks at an organization level
What is a semi-quantitative analysis?
Attempts to find a middle ground between the quantitative and qualitative types
What is a security framework?
A reference point with common language. Examples: SOX, NIST, SABSA
What is a policy?
Direction from senior management (strategic)
What is a standard?
Formalized from external guidance (regulatory example GDPR)
What is a procedure?
Step by step method of accomplishing something (tactical)
What is a Guideline?
Best practice recommendation
What is de-perimeterization?
The process of shifting, reducing or removing some enterprise boundaries to facilitate interactions with the world outside of its domain
When talking system-specific risk analysis, what are common questions to ask?
How can the attack be performed? / Can the attack be performed in the current network?
What is an Aggregate CIA score?
A subjective score on a sliding scale of harm. The highest risks are rated a 10, the lowest risks are rated at 1 and data having no risk is rated at 0.
The CIA attributes of information are compared to the threat that each attribute faces, then multiplied to produce a total. Value x threat = total for an attribute
The totals for each attribute are added to produce the aggregate CIA score for that entire risk.
What is the “Golden Rule”?
It’s very important to incorporate stakeholder input as part of the process.
Seek the blessing and the authorization and the acceptance of senior leadership before you implement anything.
What is the CVSS?
Common Vulnerability Scoring System - A risk management approach where vuln data is quantified and then the degrees of risk to systems or information are taken into account. v3.1 is the current version.
Metric groups are base (AV/AC/PR/UI/S/C/I/A), temporal (E/RL/RC), and environmental or specific context
Used to score vulnerabilities in CVE
What is a Business Impact Analysis (BIA)?
Business Impact Analysis - Used to determine the impact a disruptive event would have on an org.
Goals: determine criticality / estimate max downtime / evaluate resource requirements
Steps: gather requirements & info / vuln assessment / risk analysis / communicate findings
What are examples of documents that support security initiatives?
MSA - Master Services Agreement - Expedites agreement process
SOA - Statement of applicability - identifies controls in place
BIA - Business Impact Analysis - identifies present organizational risks
IA - Interoperability Agreement - general term for any doc that outlines a business partnership
ISA - Interconnection security agreement -
MOU - Memorandum of Understanding - not legally binding
SLA - Service Level Agreement - clearly defines what services are to be provided to the client
OLA - Operating Level Agreement - identifies and defines the working relationships between groups or divisions
NDA - Non Disclosure Agreement - an agreement between entities stipulating you will not share specific information with unauthorized third parties
BPA - Business Partner Agreement - defines how a partnership between business entities will be conducted
What are all the ways you can measure downtime?
Maximum allowable downtime (MAD), maximum tolerable downtime (MTD), recovery time objective (RTO), recovery point objective (RPO), mean time to failure (MTTF), mean time to repair (MTTR), mean time between failures (MTBF)
What are the 5 steps of incident response?
Detection, Response, Reporting, Recovery, Remediation and Review
Describe two-man control
Two operators review and approve each other’s work
What are the MIL levels for a Cyber Resilience Review (CRR)?
MIL0 - Incomplete
MIL1 - Performed
MIL2 - Planned
MIL3 - Managed
MIL4 - Measured
MIL5 - Defined