Video Content Lesson 1

Question 2

Security Triad

Answer 2

CIA
Confidentiality
Integrity
Availability

Question 3

Confidentiality

Protects from

Answer 3

Protects Data from Unauthorized Disclosure

Question 4

Confidentiality

4 parts

Answer 4

Physical Security
Access Control
Encryption
Perimeter Defense

Question 5

Integrity

Protects from

Answer 5

Protects Data from Unauthorized Modification

Question 6

Integrity

3 parts

Answer 6

Physical Security
Access Control
Perimeter Defense

Question 7

Availability

Answer 7

Ensures the system is available when needed

Question 8

InfoSec Management Governance

Answer 8

1-Assurance that appropriate security activities are being carried out
2-Security risks are being reduced
3-Security budget is being properly used

Question 9

Audit Frameworks for Compliance

Answer 9

1-COSO (Committee of Sponsoring Organizations of the Treadway Commission)
2-ITIL (Information Technology Infrastructure Library)
3-COBIT (Control Objectives for Information and related Technology)
4- ISO 17799 / BS 7799

Question 10

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

Answer 10

1-Defines 5 areas of internal control

2-Useful in meeting Sarbanes-Oxley Section 404 compliance

Question 11

ITIL (Information Technology Infrastructure Library)

Answer 11

1-British government’s TSO (The Stationary Office)

2-Best practices for IT service management

Question 12

COBIT (Control Objectives for Information and related Technology)

Answer 12

1-ITGI (IT Governance Institue)

2-Overall structure for Information Technology Control

Question 13

ISO 17799 / BS 7799

Answer 13

1-Originially, UK Department of Trade and Industry Code of Practices
2-Basis for developing security standards and security management practices

Question 14

Security Administration

Answer 14

1-Management is responsible to ensure security
2-Look at Security Goals
a-Strategic - Long-term
b-Tactical - Medium Term
c-Operational - day-to-day

Question 15

Organizational Requirements

Answer 15

1-Government or Commercial

2-Management Style and Organizational Culture

Question 16

Physical Risks

Answer 16

Handling risks that can cause loss
Physical Damage
Hardware Malfunction
Software Malfunction

Question 17

Human Risks

Answer 17

Malicious Attack
Espionage and theft
Human Errors

Question 18

Risk Management

Answer 18

RM involves assessing risks and choosing appropriate responses

Question 19

Risk Management Terms

Answer 19

Threat
Vulnerability
Probablility Determination
Control

Question 20

Risk Management Options

Answer 20

Allow risk to exist

Reduce Loss

Question 21

Legal Responsibility

Answer 21

Due Care

Due Dilligence

Question 22

Risk Assessment Methodologies

Answer 22

A methodology is a starting point or a structure that helps the process begin
NIST 800-30 and 800-66
OCTAVE
FRAP (Facilitated Risk Analysis Process)
CRAM (CCTA Risk Analysis Management)

Question 23

NIST 800-30 and 800-66

Answer 23

1-Qualitative

2-800-66 written with HIPAA in mind

Question 24

OCTAVE

Answer 24

Carnegie Mellons self-directed infromation security risk evaluation

Question 25

Risk Assessment Team

Answer 25

1-Upper Management (most Important)
2-multiple departments
3-accept all input equally
4-document all proceedings

Question 26

Risk Assessment

Types

Answer 26

Qualitative (no numbers, just comparisions)

Quantative (assign numberical value to risks)

Question 27

Single Loss Expectancy

Answer 27

Calculate Exposure
1-Assign a value for each asset
2-Determine % of loss for each realized threat (Exposure Factor-EF)
Calculate the Loss of a single threat occurrence
1-Single Loss Expectancy (SLE)
SLE = Asset Value * EF

Question 28

Annual Loss Expectancy

Answer 28

Calculate the annual probability of loss
Annual Rate of Occurrence (ARO)
Based on an estimage of annual probability a stated threat will be realized
Calculate the annual estimated loss of a specific realized threat
1-Annual Loss expectancy (ALE)
SLE * ARO = ALE

Question 29

Overall Risk

Answer 29

Look at costs of risks and cost of controls

Question 30

Qualiltative Risk Assessment

Answer 30

Ranked by impact and likelihood

Summarize each risk and its impact

Question 31

Selecting Controls

Answer 31

Choose appropriate controls to mitigate risk
Value is always related to amount of loss a control prevents
Explore alternate options for expensive controls

Question 32

Security Policy

Answer 32

Starts with Upper Management
Policy
1-Statement of expected performance
2-Consequences of noncompliance
Very High Level with Limited Specifics

Question 33

Security Policy Types

Answer 33

1-Regulatory (mandatory to satisfy legal/regulatory requirments)
2-Advisory (things which we require as a business ex. ID)
3-Informative (explains organizational strategies and behavior)

Question 34

Standards

Answer 34

What you must do
Lower level than policy
specify what products can be used (IE vs. Netscape)
specify best practices for each product
Compliance is mandatory (password expiry)

Question 35

Guidelines

Answer 35

Recommended action/guide
typically not mandatory
provide details on how to implement standards

Question 36

Procedures

Answer 36

“How to” documents
detailed step-by-step instructions
specific to well-defined areas
May have multiple sets of procedures

Question 37

Job Policies and Training

Answer 37

1-Hiring Practices
2-Terminations Practices
3-Job Descriptions
4-Job Activities
5-Security Awareness
6-Tailoring Training
7-ISO Responsibilities

Question 38

Hiring Practices

Answer 38

Background check
drug testing
security clearance
nondisclosure agreements

Question 39

Terminations practices

Answer 39

Revocation of Privileges
Security Escort
Exit Interview

Question 40

Job Descriptions

Answer 40

Roles and Responsibilities

Question 41

Job Activities

Answer 41

Separation of Duties and responsibilities
Mandatory Vacation Increments (audit employee’s work)
Job Rotation

Question 42

Security Awareness

Answer 42

most security incidents occur due to negligence
Awareness training informs and reminds participants and security responsibilities
Tailor training to match appropriate level of security needed
Various levels of training

Question 43

Tailoring Training

Answer 43

1-management
2-non-technical staff
3-technical staff

Question 44

ISO Responsibilities

Answer 44

ISO - Information Security Officer
Communicate risk to upper management
Budget for Infromation Security Activities
Ensure Development of (Policies, Procedures, Baselines, Standards, Guidelines)

Question 45

Ethics

Answer 45

Overview
(ISC)2 Code of Ethics
Ten Commandments
REC 1087
Ethics Topics
Common Computer Ethics Fallacies

Question 46

(ISC)2 Code of Ethics

Answer 46

Preamble
Four Canons
1-protect society
2-act honorably, honestly
3-provide diligent service to principles
4-advance and protect the profession

Question 47

Ten Commandments

Answer 47

Computer Ethics Institute

Question 48

RFC 1087

Answer 48

Internet Activities Board

Question 49

Ethics Topics

Answer 49

Computers in the Workplace
Computer Crime
Privacy and anonymity
Intellectual property
Professional Responsibilities

Question 50

Ethics Fallacies

Answer 50

The Computer Game Fallacy
The Law-abiding Citizen Fallacy
The Shatterproof Fallacy
The Candy-from-a-Baby Fallacy
The Hacker's Fallacy
The Free Information Fallacy