Section 1 - Secure Architecture for GRC

Question 1

GRC stands for

Answer 1

Governance, Risk, Compliance

Question 2

Cyclical process of identifying, assessing, analyzing and responding to risks

Answer 2

Risk Management

Question 3

The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an orginization

Answer 3

Enterprise Risk Management

Question 4

What is NIST Framework for Risk Management

Answer 4

RMF ISO 31000
Comprehensive set of standards for enterprise risk management

Question 5

What are the 5 phases of Risk Management?

Answer 5

1. Identification of mission critical functions
2. Identification of known vulnerabilities
3. Identification of potential threats
4. Analysis of Business Impacts
5. Identification of Risk responses

Question 6

How do you measure Risk

Answer 6

Risk is a measure of impact or consequence

the variables are likelihood and impact

Question 7

List of Quantitative Risk Variables

Answer 7

Single Loss Expectancy - cost of single event

Annual Rate of Occurrence (ARO) # of times in a year that the single loss occurs

Annual Loss Expectancy -
ALE - SLE x ARO

Asset Value (AV) - value of an asset such as a server

Exposure Factor (EF) % of the AV that would be lost. part of a building is damaged

SLE = AV x EF

Also know
TCO, ROI, MTTR, MTBF

Gap Analysis - difference between current state and desired state - for scoping purposes

Question 8

What is the risk that exists before any type of mitigation has been implemented?

Answer 8

Inherent Risk

Website are inherently risky due to attack vectors

Question 9

What is the Residual Risk

Answer 9

Risk that remains after controls are put in place

Know what Risk appetites is based on tolerance of organization.

also note that acceptance risk and residual risk are not always equivalent

Question 10

What is a popular Cybersecurity Framework widely adopted in the US

Answer 10

NIST CSF
1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Question 11

What Steps do NIST CSF require when performing risk management

Answer 11

1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze & Prioritize Gaps
7. Implement Action Plan

Question 12

What are the NIST Risk Management Frameworks steps (RMF)

Answer 12

1. Prepare
2. Categorize
3. Select
4. Implement
5. Assess
6. Authorize
7. Monitor

Question 12

Name 3 other RMF and Provide details

Answer 12

ISO 3100 or 31K - International and very comprehensive

COBIT maintained by ISACA
5 Major Components
1. Framework 2. Process Descriptions
3. Control Objectives, 4. Management Guidelines 5. Maturity Models

Committe of Sponsoring Organizations of the Treadway Commission (COSO)
initiative of 5 private sector organizations. Enterprise Risk Managment from a strategic leadership point of view

Question 12

What is the Risk Management LIfecycle

Answer 12

Identify Risk Items
Assess risks and their associated level
Control - minimize risk
Review - periodic re-evaluation

Question 13

What are key ingredients to understanding control categories

Answer 13

People
Process
Technology

Question 14

What is a formal mechanism designed to measure performance of a program against a desired goal

Answer 14

Key Performance Indicators (KPI)

Question 15

What is the method by which emerging risks are identified and analyzed so that changes can be adopted to proactively avoid issues from occurring

Answer 15

Key Risk Indicators (KRI)

Question 16

What framework standard did Risk Registers originate from

Answer 16

ISO 27001
An effective visualization of identified risks and information about mitigating the controls.

Risk Item, Threat, Impact, Likelihood, Plan, Risk Level

Question 17

What is the difference between Risk Appetite and Risk Tolerance

Answer 17

Appetite is often prescribed via regulation and addresses how an organization will address risks while Tolerance is the threshold that separate different levels of risks

Question 18

Name a Trade Off Analysis developed by a University

Answer 18

Architecture Tradeoff Analysis Method (ATAM) developed by SEI at Carnegie Mellon

Question 19

What is the term for putting a vendors source does in a 3rd party in case of a cease of business

Answer 19

Source Code Escrow

Question 20

What is the term for how all vendor hardware, software and services are produced and delivered as well as how they impact an organizations operation or finished products

Answer 20

Supply Chain Visability

Question 21

Name the Data Types

Answer 21

PII - personally identifiable Information

Protected Health Information (PHI)

Personally Identifiable Financial Information (PIFI)

Intellectual Property (IP)

Question 22

What is a Data Owner within an organization

Answer 22

A Senior Executive role with ultimate responsibility for maintaining CIA on an asset

Question 23

What is the process of applying confidential and privacy labels to information and some common levels

Answer 23

Data Classification

Public - no negative impact
Sensitive - negative impact
Confidential - considerable harm

Question 24

What type of data destruction technique would be best for cloud data

Answer 24

Crypto Erase - type of sanitization of the keys used to perform decryption of data make recovery effectively impossible

Question 25

Type of sanitization of data where you perform multiple block-level overwrite cycles

Answer 25

Clear
Clean room can Potentially recover

Question 26

What type of sanitization is effective from all recovery techniques including clean rooms

Answer 26

Purge

Question 27

What is the data protection princile where the underlying country or state may impose individual requirements on data collected or stored within their jurisdiction

Answer 27

Data Sovereignty

Switzerland is popular due to their unique protective privacy laws

Question 28

What is a set of policies, contracts and standards identified as essential in the agreement between two parties

Answer 28

Attestation of Compliance (AOC)

Question 29

Compare Regulations vs Standards in context of compliance

Answer 29

Regulations describe legal requirements and ramifications and the details of the of compliance are typically provided in prescriptive/descriptive form within a standard

Question 30

What was the security program that was required for US Federal Agencies detailed in and what agency provides the standards

Answer 30

Federal Information and Security Modernization Act (FISMA) - detailed piece of legislation

NIST - 800-53 and FIPS 199

Question 31

T or F COPPA is only enforceable within the US

Answer 31

False
Under the age of 13

Question 32

What is the privacly model that has 5 levels

Answer 32

Capability Maturity Model Integration (CMMI)
1. Initial
2. Managed
3. Defined
4. Quantitative Managed
5. Optimizing

Question 33

Describe Certification vs Accreditation from who owns the systems

Answer 33

Certification can be associated with system builders and documents that their system meets the requirements where Accreditation is for system owners acceptance of this claim which the system can go live.

Question 34

What are the 4 phases of C&A

Answer 34

Initiation and Planning
Certification
Accreditation
Continuous Monitoring

Question 35

Who within the organization is responsible for implementing security policies, frameworks, and controls

Answer 35

Information System Security Officer

Question 36

What entity can provide accreditation and what do they provide when completed

Answer 36

Certifying Authority. - responsible for reviewing the results of a certification and accreditation package

Authority to Operate (ATO)

Question 37

What is the set of standards developed by a group of governments working together to create a baseline of security assurance for Trusted OS

Answer 37

Common Criteria
Outlines in ISO Standard 15408

Question 38

When it comes to jurisdiction where should your report an incident first (Local, State, National, International)

Answer 38

Local law enforcement first and they will involve other agencies

Question 39

Describe Due Care vs Due Dilligence

Answer 39

Due care is demonstrating response to security issues and due diligence is demonstrating awareness of security incidents.

Due care references the prudent man rules - reasonable and expected

Due diligence - legal principle that a subject has used best practices

Question 40

What is the export control that was established in 1996

Answer 40

Wassenaar Agreement - weaponry

Question 41

Name the common legally enforceable documents

Answer 41

MSA - Umbrella with indiv SOW
NDA
MOU - memo of understanding - non binding

Interconnection Security Agreement (ISA) - share data via an interface

SLA - terms under which a service is provided

Operational-Level Agreement (OLA) - these are internal to meet the SLA

Privacy Level Agreements - between CSP and goes beyond SLA

Question 42

How long should HIPAA Data base stored from compliance

Answer 42

6 Years

Question 43

What are the ISO 27K standards for Cloud

Answer 43

27017/27018

Question 44

What is the privacy act of Japan

Answer 44

Act on Protection of Personal Information (APPI)

Question 45

Which NIST Publication addresses BCP

Answer 45

NIST 800-34
1. Develop the continuity planning policy statement
2. Conduct the BIA
3. Identify Preventive Measures
4. Create Contingency Strategies
5. Develop an information system contingency plan
6. Ensure Plan testing, training and exercises
7. Ensure Plan Maintenance

Question 46

T or F a DRP is part of BCP

Answer 46

True - just focused on immediate needs of a disaster. Critical Systems only

Question 47

What is the analysis of assessing all of the elements that can have impact on Information Systems

Answer 47

Business Impact Analysis

Question 48

What needs to be completed to accurately disclose how privacy data is handled and for it to be in compliance with regulations

Answer 48

Privacy Impact Assessment

Question 49

An Analysis of events can provide insight into how to improve response process in the future is called

Answer 49

Ater Action Report (AAR) also can be called Lessons Learned

Can be a blueprint for improvement

Question 50

List the BCDR Simulation Tests

Answer 50

Checklists - delivered to all departments for review only

Walk-Through - all departements participate to review the plans and analyze their effectiveness

Tabletop - designed to evaluate the procedures in place to responding to an incident. Based on a specific objective

Parallel Test -

Full Interruption Test

Question 51

Which NIST Publication identifies appropriate groups that should be part of an incident response plan

Answer 51

NIST 800-61