1 - Security Governance

Question 1

What is Confidentiality?

Answer 1

The concept of the measures used to ensure the protection of the secrecy of data, objects, and resources.

Question 2

Object vs Subject

Answer 2

Object: passive element in a security relationship such as files, computers, and applications.

Subject: active element in a security relationship such as users, programs, and computers.

A subject acts upon an object.

The management of the relationship between objects and subjects is known as _access control_.

Question 3

What is the CIA triad?

Answer 3

Confidentiality Integrity Availability

Question 4

What is Integrity?

Answer 4

Protecting the reliability and correctness of data.

Question 5

Availability

Answer 5

Authorized subjects granted timely and uninterrupted access to objects.

Question 6

What are the components of AAA services?

Answer 6

Identification: subject professes an identity.

Authentication: the process of verifying or testing that the claimed identity is valid.

Authorization: ensures requested activity or access to an object is possible given the rights and privileges assigned to the identity.

Auditing: (or monitoring) programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable for their actions while Authenticated on a system.

Accountability: linking a human to the activities of an online identity.

Question 7

What is Layering?

Answer 7

Also known as Defense in Depth, the use of multiple controls in a series.

Question 8

What is abstraction?

Answer 8

Where similar objects are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. Also defines what type of data an object can contain, what functions can be performed on them/by them, and what capabilities that object has.

Question 9

What is Data Hiding?

Answer 9

Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible or seen by the subject.

Question 10

What is encryption?

Answer 10

The art and science of hiding the meaning or intent of a communication from unintended recipients.

Question 11

What is Security Governance?

Answer 11

The collection of practices related to supporting, defining, and directing the security efforts of an organization.

Question 12

What is the most effective way to tackle security management planning?

Answer 12

Via the Top-Down Approach, where upper and senior management is responsible for initiating and defining policies for the organization. Middle management fleshes out security polices into stardards, baselines, guidelines, and procedures. Ops managers and/or security professionals implement the the configurations prescribed in the security management documentation. End users must comply with all security polices of an organization.

Question 13

What position should lead the information security team?

Answer 13

Generally the Chief Information Security Officer (CISO), sometimes referred to as Chief Security Officer (CSO), but these 2 roles can be subpositions to each other depending on the organization. Sometimes also refered to as Information Security Officer (ISO).

Question 14

What is the key factor of success for every security plan?

Answer 14

Approval by security management.

Question 15

What are the different types of security plans?

Answer 15

• Strategic Plan: A long-term plan that defines organization’s security purpose. Should include a risk assessment.
• Tactical Plan: A midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or crafted ad-hoc based on unpredicted events.
• Operational Plan: A short-term, highly detailed plan based on strategic and tactial plans.

Question 16

What is the purpose of Change Management?

Answer 16

To ensure that any change does not lead to reduced or compromised security.

• Implement changes in orderly manner
• Formalized testing process
• Changes can be reversed (rolled-back)
• Users are informed of changes
• Effects of changes are systematically analyzed
• negative impacts are minimized
• Changes are reveiwed and approved by Change Advisory Board (CAB)

Question 17

What is Data Classification?

Answer 17

The primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. Used to determine how much effort, money, and resources are allocated to protect the data and control access to it.

Question 18

What are the 7 major steps to implement a classification scheme?

Answer 18

1. Identify custodian
2. Specify evaluation criteria
3. Classify and label each resource
4. Document any exceptions
5. Select the security controls
6. Specify declassification procudure
7. Create awareness program for organization

Question 19

What is declassification?

Answer 19

When an asset no longer warrants or needs the protection of its currently assigned classification or sensitivity level.

Question 20

What are the commonly used classification themes?

(Levels of classification)

Answer 20

• Government/Military
  
  • Top Secret: Disclosure will have grave damage to national security.
  • Secret: Disclosure will cause serious damage to national security.
  • Confidential: Disclosure will cause damage to national security.
  • Sensitive but Unclassified: Protects data that could violate the privacy rights of individuals.
  • Unclassified: Does not cause damage.
• Commercial Business/Private
  
  • Confidential: Drastic effects on competitive edge of an organization.
  • Private: A significant negative impact could occur for the company or individuals if private data is disclosed.
  • Sensitive: A negative impact could occur for the company if disclosed.
  • Public: Disclosure does not have have a serious impact on the organization.

Question 21

What is a security role?

Answer 21

The part an individual plays in the overall scheme of security implementation and administration within an organization.

Question 22

What are the 6 roles seen in a secured environment?

Answer 22

• Senior Manager: The person who is ultimately responsible for the security maintained by an organization.
• Security Professional: A trained and experienced network, systems, and security engineer who is respnsible for following the directives mandated by senior management.
• Data Owner: Person responsible for classifying information for placement and protection within the security solution.
• Data Custodian: The user who is responsible for the tasks of implementing the prescribed protection within teh security solution.
• User: Any person who has access to secured system.
• Auditor: Responsible for reviewing and verifying that the security policy is properly implemented.

Question 23

What is a Security Control Framework?

Answer 23

The structure of the security solution desired by the organization.

Question 24

What are the 5 key priniciples of COBIT (Control Objectives for Information and Related Technology)?

Answer 24

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Seperating Governance from Management

Question 25

What is Due Care and Due Dilligence?

Answer 25

* **_Due Care_**: Using reasonable care to protect the interests of an organization. * **_Due Dilligence_**: Practicing the activities that maintain the due care effort.

Question 26

What is a **security policy**?

Answer 26

* A document that defines the **scope of security** needed by the organization * discusses the **assets that require protection** * which **security solutions** should provide protection.

Question 27

What are the different focuses of security policies?

Answer 27

* **_Organizational Security Policy_**: Issues relevant to every aspect of an organization. * **_Issue-Specific Policy_**: A specific network service, department, function, or other that is distinct from the organization as a whole. * **_System-Specific Security Policy_**: Individual systems or types of systems.

Question 28

What are the different security policy categories?

Answer 28

* **_Regulatory Policy_**: When industry or legal standards are applicable to your organization. * **_Advisory Policy_**: Behaviors and activities that are acceptable and defines consequences of violations. * **_Informative Policy_**: Designed to provide information or knowledge about a specific subject or how an organization interacts with partners and customers.

Question 29

What are Standards, Baselines, and Guidelines?

Answer 29

* **_Standards_**: Tactical documents that define steps or methods to accomplish the goals defined by security policies. * **_Baseline_**: Defines a minimum level of security that every system throughout the organization must meet. * **_Guidelines_**: Offers recommendations on how standards and baselines are implemented.

Question 30

What is a **Security Procedure**?

Answer 30

aka, ***Standard Operating Procedure*** (SOP), a detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security solution.

Question 31

What is the heiracrhy of security policies?

Answer 31

1. Policies 2. Standards/Baselines 3. Guidelines 4. Procedures

Question 32

What is **Threat Modeling**?

Answer 32

The security process where potential threats are identified, categorized, and analyzed.

Question 33

What are the different approaches for **Threat Modeling**?

Answer 33

* **_Proactive Approach_**: Modeling takes place during the early stages of systems development, specifically during initial design. * **_Reactive Approach_**: Modeling takes place after a product has been created and deployed.

Question 34

What are the different approaches for identifying threats?

Answer 34

1. **Focused on Assets**: Uses asset valuation results and attempts to identify threats to the valuable assets. 2. **Focused on Attackers**: Identifies potential attackers and teh threats they represent. 3. **Focused on Software**: If an organization develops software, it can consider potential threats againts the software.

Question 35

What is the Microsoft **STRIDE** threat model?

Answer 35

* **S**poofing * **T**ampering * **R**epudiation * **I**nformation Disclosure * **D**enial of Service * **E**levation of Privilege

Question 36

What is the **PASTA** (Process for Attack ) threat model?

Answer 36

* Definition of the Objectives (DO) for analysis of risks * Definition of Technical Scope (DTS) * Application Decomposition and Analysis (ADA) * Threat Analysis (TA) * Weakness and Vulnerability Analysis (WVA) * Attack Modeling & Simulation (AMS) * Risk Analysis & Management (RAM)

Question 37

What is **Reduction Analysis**/**Decomposition**?

Answer 37

Attempt to gain a greater understanding of the logic of the product as well as its interactions with external elements. Key Concepts: * **Trust Boundaries**: Any location where the level of trust or security changes. * **Data Flow Paths**: The movement of data between locations * **Privileged Operations**: Any activity that requires greater privileges than of a standard user account or process, typically required to make system changes or alter security. * **Details about Security Stance and Approach**: The declaration of the security policy, security foundations, and security assumptions.

Question 38

What is the **DREAD** rating system?

Answer 38

* **D**amage Potential * **R**eproducibility * **E**xploitability * **A**ffected Users * **D**iscoverability

Question 39

What are the different types of assessments for 3rd parties?

Answer 39

* **On-Site Assessment**: Visit the site of the organization to interview personnel and observe * **Document Exchange and Review**: Investigate the means by which datasets and documentation are exchanged. * **Process/Policy Review**: Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review. * **Third-Party Audit**: Have an independent third-party auditor provide an unbiased review of entity's security infrastructure.