Chapter 3 - Info Sec Governance & Risk Management Flashcards Preview

My Notes of CISSP CBK > Chapter 3 - Info Sec Governance & Risk Management > Flashcards

Flashcards in Chapter 3 - Info Sec Governance & Risk Management Deck (44)
Loading flashcards...
1

ITGI

IT Governance Institute defines IT governance as being the responsibility of the board of directors and executive management

2

Executive Management

maintains the overal responsibility for protection of the information assets. - Must be aware of risks that they are accepting

3

Security Officer

responsible for design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidlines.

4

Information Systems Security Professional

drafting of policies, standards, guidelines and baselines is coordinated through these individuals.

5

Data/Information/Business Owners

assign appropriate classification to information assets. ensure business information is protected with appropriate controls. Need to determine the criticality, sensitivity, retention, backups and safeguards for the information. need to understand risks for information that they control.

6

Data/Information Custondian/Steward

takes care of the information on behalf of the owner. This group administers rights to the information assets.

7

Information Systems Auditor

determine compliance with policy, procedures, standards, baselines, designs, architectures, management direction and other requirements placed on systems. Provide top management with an independent view of controls and their effectiveness.

8

Business Continuity Planner

develop contigency plans. ensures business process can continue through the disaster and coordinates those activities with the buisness areas and information technology personnel responsible for disaster recovery.

9

Information Systems/Information Technology Professionals

responsible for designing security controls into information systems, testing the controls, and implementing the systems in production through agreed upon policies and procedures

10

Security Administrator

manages the user acces request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. Has elevated privileges and creates and deletes accounts and access permissions. Maintains records

11

Network/System Administrator

configures network and server hardware and the operating system, ensuring informaion is available and accessible

12

Physical Security

establish relationships with external law enforcement to assist in investigations. Manage the installation, maintenance and ongoin operation of the closed circuit television, burglar alarms, card reader access. Act as a deterrent to unauthorized access

13

Administrative Assistants/Secretaries

be subject to social engineering attacks

14

Help desk administrator

ususally where first security incidents will be seen. Contacts Computer Security Incident response team (CIRT). Reswet passwords, tokens and smart cards

15

Safe Harbor Provision

"good faith" conditions

16

Control Frameworks

Must be Consistent. meaurable, standardized, comprehensive, and modular

17

European Data Protection Directive

compliance with a legal action, protect life of subject, subject provided consent, performed within the scope of public interest and the law. NIST 800-3 ISO 27001

18

Due Care

care a reasonable person would exercise, lack is negligence

19

Due dilligence

measure made to avoid harm to other persons or property

20

Guidelines for writing security policies

formally define a policy creation and policy maintenance practice; policies should survive for two or three years; do not be too specific; use forceful wording; do not include technical implementation details; keep each policy as short as possible; provide references to supporting documents; thoroughly review; conduct management review and sign-off, employees should acknowledge policies; do not use jargon; review incidents and adjust policies; periodically review; define exception rules;and sanctions for non-compliance

21

Spanning Tree Analysis

creates a tree of all possible threat or faults of the system

22

VAR

Value at risk

23

Threat types

Human; Natural; Technical, Physical, Environmental, and Operational

24

When determining the value of an intagible asset which is sthe BEST apprach? A. Determine the physical storage cost and multiply by the expected life of the compancy B. With the assistance of finance of accounting professional determine how much profit the asset has returned C. Review the depreciation of the intangible asset over the past three years D. Use teh historical acquisition or development cost of the intangible asset

B. With the assistance of finance of accounting professional determine how much profit the asset has returned

25

Qualitative risk assessment is earmarked by which of the following? A. Ease of implementation and it can be completed by Personnel with a limited understanding of the risk assessment process B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics for calculation of risk C. Detailed metrics used for calculation of risk and ease of implementation D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk

A. Ease of implementation and it can be completed by Personnel with a limited understanding of the risk assessment process

26

Single loss expectancy is calculated by using: A. Asset value an annulaized rate of occurrence (ARO) B. Asset value, local annual frequeny estimate (LAFE) and standard annual frequency estimate (SAFE) C. Asset value and exposure factor D. Local annual frequency estimate and annualized rate of occurrence

C. Asset value and exposure factor

27

Consideration for which the type of risk assessment to perform includes all of the following: A. Culture of the organization, liklihood of exposure and budget B. Budget, capabilities of resources, and liklihood of exposure C. Capabilities of resources, liklihood of exposure and budget D. Culture of the organization, budget, capabilities and resources

D. Culture of the organization, budget, capabilities and resources

28

Security awareness training includes A. Legislated secuirty compliance objectives B. Security roles and responsibilities for staff C. The high-level outcome of vulnerability assessments D. Specialilzed curriculum assignments, course work and an accredited institution

B. Security roles and responsibilities for staff

29

A signed user acknowledgment of the corporate security policy A. Ensures that users have read the policy B. Esures that users understand the policy, as well as the consequences for not following the policy C. Can be waived if the organization is satisfied that users have an adequate understanding of the policy D. Helps to protect the orgainzation if a user's behavior violates the policy

D. Helps to protect the orgainzation if a user's behavior violates the policy

30

Effective security management A. Achieves security at the lowest cost B. Reduces risk to an acceptable level C. Prioritizes security for new products D. Installs patches in a timely manner

B. Reduces risk to an acceptable level