Chapter 2 - Governance and Risk

Question 0

Availability?

Answer 0

Uptime and timeliness

Question 1

What is AIC or CIA?

Answer 1

Availability Integrity Confidentiality

Used to define security platform and threat surfaces

Question 2

Integrity?

Answer 2

Unaltered information accuracy

Question 3

Confidentiality?

Answer 3

Authorized disclosure

Question 4

Shoulder surfing

Answer 4

Looking over the shoulder to view screen data or passwords

Question 5

Social engineering

Answer 5

Tricking someone into divulging information

Question 6

Vulnerability?

Answer 6

Lack of or weakness in a countermeasure that is exploitable

Question 7

Threat?

Answer 7

The potential danger if a vulnerability is exploited

Question 8

Threat Agent?

Answer 8

The entity that takes action on the threat and vulnerability

Question 9

Risk?

Answer 9

The likelihood a threat agent will exploit a vulnerability and the impact that could cause to the business

Question 10

Exposure?

Answer 10

This is the damage caused by a successful attack

Question 11

Control?

Answer 11

Countermeasure to reduce risk a vulnerability may cause

Also known as safeguard

Question 12

Deterrent control?

Answer 12

Discourage attacker

Question 13

What three categories make for defense in depth ?

Answer 13

Administrative
Technical
Physical controls

Question 14

Preventive control?

Answer 14

Avoid an incident entirely

Question 15

Corrective control?

Answer 15

Fixes after an incident

Question 16

Recovery control?

Answer 16

Intended to bring the environment back

Question 17

Detective control?

Answer 17

Detect what occurred and who did it

Question 18

Compensating control?

Answer 18

Alternative controls (a proxy server instead of a port block)

Question 19

What three controls commonly make up a security policy?

Answer 19

Preventative, detective, and recovery

Question 20

Why is security by obscurity a bad thing?

Answer 20

It assumes you are smarter than the attacker and in most cases lowers productivity

Question 21

What cycle does the ISO standards follow?

Answer 21

Plan-Do-Check-Act (PDCA)

Question 22

What is the BS7799? What did it become?

Answer 22

BS7799 was a British security defacto standard that was adopted by ISO 27000 it also goes by the name ISO 17799

Question 23

What is the difference between framework and architecture?

Answer 23

Framework is an outline blueprint and architecture is the blueprint that fits the specific need

Question 24

Define a view in terms of an enterprise architecture..

Answer 24

A view is how an individual element of a business supports the architectural integrity of a business

Question 25

What is the benefit of having an architecture?

Answer 25

It shows the company as an organism and how each part has a role

Question 26

An architecture is to a human body as views are to what?

Answer 26

A circulatory system
A bone structure
A digestive track
Etc.

Question 27

What is the zachman framework best at illustrating?

Answer 27

A two dimensional view of each view in an architecture asking the 5 w’s for each

Question 28

TOGAF is a comprised of what views of architecture?

Answer 28

In order:

Business
Data
Applications
Technology

Question 29

What framework uses ADM as part of its definition?

Answer 29

TOGAF

Question 30

What is the primary benefit of the complex DoD architectures like DODAF and MODAF?

Answer 30

Synchronous data types and standard communication channel so everyone is quickly on the same page

Question 31

When do stakeholders become important?

Answer 31

When choosing an architecture that fits the business model. There concerns will help guide that decision.

Question 32

What does tactical, strategic, and operational mean?

Answer 32

Strategic - the long term goals..(a retirement)
Tactical - the medium goals (a security plan in place)
Operational - short term (lock down that port)

Question 33

ISMS

Answer 33

Information security management system

Question 34

SABSA

Answer 34

It is a 2 dimension model like Zachman, using the 5 w’s to define security in increasing detail

Question 35

What is a methodology?

Answer 35

A step by step process to implement and architecture

Question 36

Strategic alignment?

Answer 36

The alignment of the business within an enterprise architecture

Question 37

Business enablement?

Answer 37

Business needs and productivity come before security

Question 38

Process enhancement?

Answer 38

Architecture planning will force diagnostics of business process and give a rich opportunity to fine tune the business process

Question 39

Security effectiveness?

Answer 39

Use of tools like ROI SLA or baselines to see security efficiency

Question 40

CobiT?

Answer 40

Controls oriented private business framework with 32 domains and complete checklist of it governance policies

Question 41

NIST 800-53

Answer 41

Government version of a cobit like framework with specific steps

Question 42

What is unique about the NIST categories?

Answer 42

Management
Technical
Operational

Instead of the standard:
Administrative
Technical
Physical

Question 43

COSO

Answer 43

Architecture model focused on corporate governance instead of IT governance

Question 44

What common law is built on COSO?

Answer 44

SOX

Question 45

What is the primary focus of ITIL?

Answer 45

SLA

Question 46

Six Sigma?

Answer 46

Process methodology architecture

Question 47

CMMI?

Answer 47

Capability Maturity Model Integration

Used to help define maturity level of process, similar to cobit maturity model

Question 48

Top-Down approach vs bottom-up approach

Answer 48

Top down is starting from senior management and working down. Bottom up is the other way around starting from the janitor up

Question 49

What are the 4 domains of a security program life cycle?

Answer 49

Plan and organize
Implement
Operate and maintain
Monitor and evaluate

Question 50

What is a blueprint?

Answer 50

Specific roles, outlines, responsibilities, or guidelines within the architecture

Question 51

What is the first thing you do when securing and environment?

Answer 51

Find out how the business works down to the user and client experiences and up to the board members day to day

Question 52

What is IRM?

Answer 52

Information Risk Management

Question 53

What are the types of risk?

Answer 53

Physical damage (fire)
Human interaction (disruptive interaction)
Equipment failure
Attacks (hacking)
Misuse of data (sharing trade secrets)
Loss of data (format /s /f)
Application error (bad loops)

Question 54

What allows a company to pick and choose vulnerabilities?

Answer 54

Risk management

Question 55

What does risk effect in a company?

Answer 55

Everything in an organization.

Question 56

What is the key thing for management to contribute to risk management?

Answer 56

A definition of what is considered and acceptable level of risk

Question 57

What are the goals of a risk assessment?

Answer 57

Identify assets and value
Identify vulnerabilities and threats
Quantify the probability and business impact of threats
Provide an economic balance between impact and cost of control

Cost/Benefit

Question 58

Finally got that risk assessment done? Now what?

Answer 58

React to it and make adjustments to reduce risk

Question 59

What level of a department should be working with the risk assessment team?

Answer 59

The top level, far too often it is delegated to the lower people due to time, but they don’t know the amswers

Question 60

What 4 questions should be asked in a risk assessment?

Answer 60

Threat event?
Risk?
Frequency?

Certainty of the last 3 questions?

Question 61

How does the value of an object or piece of information dictate risk assessment?

Answer 61

More value, more risk

Question 62

What is an intangible risk assessment?

Answer 62

Something not physical.

Reputation
Data
Intellectual property

It is critical to be able to assign a cost to these

Question 63

Loss potential?

Answer 63

What would the company lose of the threat agent exploited the vulnerability

Question 64

Delayed loss?

Answer 64

Damage reputation
Loss of market share
Late penalties
Civil suits
Etc.

This happens long after the exploit took place.

Question 65

What is SP 800-30?

Answer 65

NIST methodology guide focused only on it security

Question 66

What is FRAP?

Answer 66

This is a to the point risk methodology that focuses only on the most critical risks for cost and time efficiency

Question 67

OCTAVE?

Answer 67

This a high level it security methodology focused on allowing the upper people within each department to make the risk assessment

Question 68

AS/NZS 4360

Answer 68

This is a methodology focused on business health particularly financially and economically

Question 69

FMEA ?

Answer 69

Failure modes and effect analysis

Used in development and operations to find flaws and potentially failures before they happen

Question 70

Failure mode?

Answer 70

How a system can break?

Question 71

Effect analysis

Answer 71

Impact of a failure

Question 72

Fault Tree Analysis

Answer 72

Used for complex failure modes with multiple dependencies.

This model starts from what can go wrong and diagrams everything that can cause that to happen

Question 73

Logic diagrams are used in what methodology?

Answer 73

Failure tree analysis

Question 74

CRAMM

Answer 74

A UK methology that is fully automated with Siemens products

Question 75

Risk assessment vs risk analysis?

Answer 75

Assessment is gathering information

Analysis is using and acting on the assessment

Question 76

What 4 things can be done with a risk?

Answer 76

Accept
Mitigate
Transfer
Avoid

Question 77

Qualitative analysis ?

Answer 77

Financial estimate of a risk

Question 78

Quantitative analysis?

Answer 78

Assigning rating to risk like red, yellow, green.

Question 79

Single loss expectancy ?

Answer 79

Dollar amount assigned to a single event if a threat took place

Asset value * exposure factor

Question 80

Exposure factor

Answer 80

% of an asset lost

Question 81

Annual loss expectancy

Answer 81

SLE * ARO = ALE

Question 82

ARO?

Answer 82

Annualized rate of occurrence

Question 83

Uncertainty?

Answer 83

This is the amount of guessing put into a risk analysis. This should be tracked.

Question 84

Delphi?

Answer 84

A group discussion technique designed to anonymously give opinions

Question 85

Cost/benefit analysis?

Answer 85

Prevent spending more money than the threat would cost annually (ALE)

Question 86

Safeguard considerations?

Answer 86

Must be visible to evildoer but non discoverable

Question 87

Residual risk?

Answer 87

No countermeasure is fully affective. The remainder is the residual risk.

Mitigation not prevention

Question 88

Total risk?

Answer 88

The entire risk quotient .. Companies will accept this only if the cost/benefit supports that action

Question 89

How can one deal with risk?

Answer 89

Accept it
Avoid it
Mitigate it
Transfer it

Question 90

Transfer risk?

Answer 90

“It’s not my risk anymore, it’s his”

Question 91

Risk avoidance

Answer 91

We will discontinue using that product.due to the risk

Question 92

Mitigated risk

Answer 92

I implemented a new security device to reduce risk

Question 93

Acceptable risk

Answer 93

I’m okay with that!

Question 94

Security policy

Answer 94

General statement of security by senior management that dictates the role of security

Question 95

Organizational security policy

Answer 95

Shows the tactical and strategic value of a security policy and a defined acceptable level of risk

Question 96

Issue specific policies or functional policies

Answer 96

Specific security policy to one segment of the master organizational policy

Question 97

System specific policy

Answer 97

This is an IT specific acceptable use policy defining roles access system security

Question 98

Regulatory policy

Answer 98

Very detailed and specific standards used by industry, medical, and government

Ie. HIPPA, SOX

Question 99

Advisory policy

Answer 99

Strongly shows exactly what is acceptable and unacceptable with consequences

Question 100

Informative policy

Answer 100

Non-enforceable policy telling people relevant information

Question 101

What is a baseline?

Answer 101

Clean data at a point on time to reference against

Question 102

Guidelines

Answer 102

Recommended actions and operational guides

Question 103

Procedure

Answer 103

Very detailed step-by-step task list

Question 104

Data classification

Answer 104

Level of confidentiality of stored data

Question 105

Board of directors?

Answer 105

Shareholder elected individuals in a public traded company used for steering a company from the shareholder side

Question 106

CPO

Answer 106

Chief privacy officer - business legal advisor

Question 107

Privacy impact analysis

Answer 107

Risk assessment specifically for the protection of sensitive data

Question 108

Privacy

Answer 108

Controlled and expected release of sensitive data

Question 109

PII

Answer 109

Personal identifiable information

Question 110

Convergence

Answer 110

The combination of all security realms

Question 111

Security steering committee

Answer 111

Everyone who is personally responsible or in charge of directing security in an organization

Question 112

Audit committee

Answer 112

Independent auditing among the board of directors

Question 113

Data owner

Answer 113

The person responsible for a subset of data and it’s business access and defined sensitivity

Question 114

Data custodian

Answer 114

This is the person who manages where the data is stored .. Typically the IT person

Question 115

System owner

Answer 115

The person to call when xyz application had a problem

Question 116

Security administrator

Answer 116

Controls network security devices like IDS , IPS , firewalls , anti malware, etc

Question 117

Security analyst

Answer 117

Works at a higher level and analyses the environment for security flaws. Works with risk analysis

Question 118

Application owner

Answer 118

The person directly responsible for the security of an application

Question 119

Supervisor

Answer 119

This is someone who is responsible for the users themself

Question 120

Change control analyst

Answer 120

Ensure change control happens and stays secure

Question 121

Data analyst

Answer 121

Ensures data is placed where it needs to be and is secured correctly

Question 122

Solution provider

Answer 122

An external provider of a solution to a business ailment

Question 123

Product line manager

Answer 123

Similar to a systems analyst, more specifically targeting products and licensing

Question 124

Separation of duties

Answer 124

When multiple people are necessary to enable a control or process

Question 125

Collision

Answer 125

This means working together.

separation of duties implies collusion occurred if the process became fraudulent

Question 126

Split-knowledge

Answer 126

Two people required for a task, each knowing how to do half the task

Question 127

Dual control

Answer 127

Both people understand the entire process but no one person can accomplish the task

Question 128

Rotation of duties

Answer 128

Changing roles and shifts and handing them to others in order to encourage employee auditing

Question 129

Mandatory vacation

Answer 129

Forcing people to take vacation and relinquish their role to someone else who could potentially find fraud

Question 130

Non disclosure agreements

Answer 130

Used to link employees to a policy stating you cannot share sensitive data

Question 131

Security Governance

Answer 131

This is how well the security is integrated into the organization as a whole

Question 132

ISO 27004:2009 / NIST 800-55

Answer 132

Tells how to measure a security program