What is a vulnerability?
1-3
a weakness that could be exploited by a threat
Give the formula for “impact” and explain the terms in the formula.
1-5
SLE x ARO = ALE
(AV x EF) x ARO = ALE
SLE - single loss expectancy, determined by multiplying the asset value by the exposure factor
ARO - annualized rate of occurrence
ALE - annual loss expectancy
EF - exposure factor)
True or False
SLE, ALE, and ARO are all quantitative.
1-7
True. All number based.
What is a threat vector?
1-8
a tool or path an attacker uses to pose a threat
What is MTBF?
1-8
Mean Time Between Failures. Basically it tells you the lifespan of the device.
What is MTTF?
1-8
Mean Time To Failure. Tells you average time to failure for a nonrepairable system.
What is MTTR?
1-8
Mean Time To Restore. Tells you how long it will take to repair a system.
What is RTO?
1-9
Recovery Time Objective. This tells you how much time you’re allotted to use for restoring the system.
What is RPO?
1-9
Recovery Point Objective. This is the point in time at which the system was last operational and therefore what you need to restore it to.
Contrast Risk Avoidance, Transference, Mitigation, Deterrence, and Acceptance.
1-9,10
Avoidance-stop doing the stuff that causes the risk.
Transference-share the risk
Mitigation-lower the risk
Deterrence-tell the risk creator “if you do this to me, I’ll do this to you.”
Acceptance-live with the risk and don’t do anything about it because its the cheaper alternative.
Explain PaaS, Saas, IaaS.
Tell me 2 risks associated with virtualization.
1-17,18,19
platform as a service
software as a service
infrastructure as a service
breaking out of the virtual machine
network and security controls can intermingle
What is Hypervisor?
1-19
the software that allows virtual machines to exist
What is the Scope Statement?
What is the Accountability Statement?
1-19
outlines what the policy intends to accomplish
who is responsible for ensuring that a problem gets dealt with
5 Key Aspects of Standards Documents
1-21,22
Scope and Purpose Roles and Responsibilities Reference Documents Performance Criteria Maintenance and Administrative Requirements
How are guidelines different from standards?
1-22
Guidelines tell you HOW to enforce standards.
Tell me the 3 ways guidelines help an organization.
1-22
provide memory refreshment on how processes and routines are carried out
reduce the learning curve
help in a crisis or high-stress situation
What is “separation of duties” for?
1-23
to reduce the risk of fraud
What is collusion?
What is Pod slurping?
Least Privelage equals what?
1-23,26
agreement established for purposes of deception
using a portable device to bypass security to get a copy of data
minimum permissions
What’s one of the best ways to address business continuity?
1-28
do a BIA and implement best practices
What is BIA?
1-29
Business Impact Analysis, is the process of evaluating all of the critical systems in the organization to define impact and recovery plans
A thorough BIA will accomplish what 3 things?
1-29
the true impact and damage that an outage can cause will be visible
understanding the true loss potential may help you in a fight for budget
process will document which business processes are being used, the impact they have, and how to restore them quickly
What’s the best way to remove a Single Point of Failure?
1-30
add redundancy
What is High Availability?
What is Redundancy?
What is clustering?
1-32
measures used to keep services and systems operational during an outage
systems that fail over to other systems
multiple systems connected together cooperatively (provides load balancing)
Fault Tolerance = ?
1-33
the ability of a system to sustain operations in the event of a component failure
What are the 4 types of RAID?
1-34
0 - disk striping
1 - disk mirroring
3 - disk striping with parity disk
5 - disk striping with parity
Disaster Recovery = ?
1-36
the ability to recover systems after a disaster
What is a backup?
1-36
duplicate copy of key information
Give 3 examples of key paper records that should be archived.
1-37
Board Resolutions
Critical Contracts
Tax Records
Give 4 examples of critical files that should be backed up.
1-38
Audit files
Database files
Transaction files
User files
Tabletop Exercise = ?
1-39
individuals sitting at a table discussing how to deal with situations that could arise
A good policy design includes what 4 things?
1-39
scope statements
overview statements
accountability expectations
exceptions
