Chapter 6 Review Flashcards

(56 cards)

1
Q

Chapter 6 Review

These are the procedures, mechanisms, systems, and other measures designed to reduce risk through compliance with policies.

A

CONTROLS

2
Q

Chapter 6 Review

To ensure that its business objectives will be met, risks are reduced, and errors are prevented or corrected, an organisation develops what?

A

CONTROLS

3
Q

Chapter 6 Review

To achieve desired outcomes, an organisation may adopt one or more of these to identify and implement controls.

A

CONTROL FRAMEWORKS

4
Q

Chapter 6 Review

Each control consumes these and should therefore be carefully considered.

A

RESOURCES

5
Q

Chapter 6 Review

This person needs to understand the various types of controls (such as preventive, detective, deterrent, manual, automatic, and so on) so that the correct types of controls can be implemented.

A

SECURITY MANAGER

6
Q

Chapter 6 Review

This is done to controls so that security professionals can better understand and work with them.

A

CLASSIFIED

7
Q

Chapter 6 Review

Control type descriptors include:

  1. P____ ; Tangible, such as a fence
  2. T____ ; Uses software or hardware configuration
  3. A____ ; Managing a system effectively through policy and procedure
  4. P____ ; To stop something from happening
  5. D____ ; To identify something that is happening or has happened
  6. M____ ; Performed by hand
  7. A____ ; Allows a system to respond on its own
  8. C____ ; To reduce or counteract something when the primary control is not feasible
  9. R____ ; To restore
A
  1. PHYSICAL
  2. TECHNICAL
  3. ADMINISTRATIVE
  4. PREVENTIVE
  5. DETECTIVE
  6. MANUAL
  7. AUTOMATIC
  8. COMPENSATING
  9. RECOVERY
8
Q

Chapter 6 Review

These are general in nature and are implemented in different ways on different information systems based on each system's individual capabilities, limitations, and applicability.

A

GENERAL COMPUTING CONTROLS
(GCCs)

9
Q

Chapter 6 Review

A control framework is a collection of controls organized into these things

A

LOGICAL CATEGORIES

10
Q

Chapter 6 Review

Well-known control frameworks are intended to address a broad set of information risks common to most organizations. Examples include:

  1. ISO/IEC ____
  2. NIST SP 800-____
  3. C____ C ____
A
  1. ISO/IEC 27002
  2. NIST SP 800-53
  3. CIS CSC
11
Q

Chapter 6 Review

This term describes a mapping of two or more control frameworks onto one another, so that a control satisfied under one framework can be shown to satisfy the corresponding control in the other.

A

CROSSWALK

12
Q

Chapter 6 Review

Before a control can be designed, the security manager needs to have some idea of this; otherwise they will not have a clear objective.

A

THE NATURE OF THE RISKS THE CONTROL IS INTENDED TO ADDRESS

13
Q

Chapter 6 Review

In this program, new risks may be identified during a risk assessment that lead to the creation of additional controls.

A

RISK MANAGEMENT PROGRAM

14
Q

Chapter 6 Review

After a control has been designed and put into service, it should have this done to it.

A

MANAGED THROUGHOUT ITS LIFE

15
Q

Chapter 6 Review

Management of a control throughout its life could involve this, in the form of changes to business processes and information systems.

A

OPERATIONAL IMPACT

16
Q

Chapter 6 Review

Management of a control throughout its life could involve operational impact through changes to business processes or information systems. Changes with this will require greater care so that business processes are not adversely affected.

A

GREATER IMPACT

17
Q

Chapter 6 Review

Controls should include this information, which describes the purpose, applicability, scope, classification, measurements, testing procedures, cross references, and more.

A

METADATA

18
Q

Chapter 6 Review

Controls should include metadata that describes the:

  1. P____ ; The reason for existing
  2. A____ ; What the control applies to
  3. S____ ; The extent of coverage
  4. C____ ; The category the control is put into
  5. M____ ; The ability to take metrics
  6. T____ P ____ ; The criteria used to determine effectiveness
  7. C____ R ____ ; References to other controls, systems, and relationships
A
  1. PURPOSE
  2. APPLICABILITY
  3. SCOPE
  4. CLASSIFICATION
  5. MEASUREMENTS
  6. TESTING PROCEDURES
  7. CROSS REFERENCES
19
Q

Chapter 6 Review

The implementation of a new control should be guided by formal processes. A new control should have the following in place:

  1. This is the purpose of its existence
  2. This will be carried out to validate that the control is effective
  3. This endorsement is needed before the control is implemented
  4. This process should be followed to identify potential risk arising from the implementation and to ensure a valid plan
A
  1. CONTROL OBJECTIVE
  2. TEST PLAN
  3. AUTHORIZATION
  4. CHANGE MANAGEMENT
20
Q

Chapter 6 Review

Controls that have been placed into service will transition into this

A

ROUTINE OPERATIONS

21
Q

Chapter 6 Review

These individuals operate their controls and try to be aware of any problems, especially early on.

A

CONTROL OWNERS

22
Q

Chapter 6 Review

Whether controls are automatic or manual, preventive or corrective, these individuals are responsible for ensuring that their controls operate correctly in every respect.

A

CONTROL OWNERS

23
Q

Chapter 6 Review

It is essential for security managers to understand the technology underpinning controls to ensure that these two aspects of a control are effectively achieved.

A

DESIGN and OPERATION

24
Q

Chapter 6 Review

Any organization that implements controls to address risks should periodically examine those controls to determine that this is being achieved.

A

WORKING AS INTENDED and DESIGNED

25
# Chapter 6 Review **SOC 1 and SOC 2 audits** provide assurances of **effective control design** (Type I and Type II) and **operating effectiveness over a period** (Type II only) at whom?
THIRD-PARTY SERVICE PROVIDERS
26
# Chapter 6 Review These 2 **audits** provide **assurances** of **effective control design** (Type I and Type II) and **operating effectiveness over a period** (Type II only) at third parties
SOC 1 and SOC 2
27
# Chapter 6 Review An **essential function** in **information security management** is to establish **activities that determine** that these 2 things are true of **security safeguards**
IN PLACE and WORKING PROPERLY ## Footnote These activities range from informal security reviews to formal and highly structured security audits.
28
# Chapter 6 Review This is a systematic and repeatable **process** whereby a competent and independent professional **evaluates** one or more **controls**, interviews personnel, obtains and analyzes evidence, and develops a written opinion on the **effectiveness of a control**.
AUDIT
29
# Chapter 6 Review An **audit** is a systematic and repeatable **process** whereby a competent and independent professional: 1. ____ ; Evaluates one or more of these safeguards 2. ____ ; Interviews these people 3. ____ ; Obtains and analyzes this, which is proof of results 4. ____ ; Develops a written opinion on this in regard to the control(s)
1. CONTROLS 2. PERSONNEL 3. EVIDENCE 4. EFFECTIVENESS OF A CONTROL
30
# Chapter 6 Review This is a methodology used by an organization to internally **review** these 3 components: 1. Key business objectives 2. Risks related to achieving objectives 3. Key controls designed to manage risks.
CONTROL SELF-ASSESSMENT (CSA)
31
# Chapter 6 Review This organisational asset is generally considered the **largest** and most **vulnerable** portion of an organization's **attack surface**.
PERSONNEL
32
# Chapter 6 Review **Personnel** are the **primary weak point** in information security, mainly because of: 1. ____ ; A decision that can often cause a mistake 2. ____ ; Someone not paying complete attention 3. ____ ; A person feeling run down or tired 4. ____ ; The feeling produced by the importance or deadlines of duties 5. ____ ; Lack of training
1. LAPSE IN JUDGEMENT 2. INATTENTIVENESS 3. FATIGUE 4. WORK PRESSURE 5. SHORTAGE OF SKILLS
33
# Chapter 6 Review This **critical activity** attempts to **identify risks** in **third-party organizations** that have access to critical or sensitive data or that perform critical operational functions.
THIRD-PARTY RISK MANAGEMENT
34
# Chapter 6 Review Various **techniques** are needed to **identify** and manage **risks** with **third parties** because their internal operations and risks are not very what?
TRANSPARENT
35
# Chapter 6 Review **Third parties** are **assessed** mainly through the use of these 2 methods
1. QUESTIONNAIRES 2. REQUESTS FOR EVIDENCE
36
# Chapter 6 Review Most organizations depend on large numbers of **third-party services**, so they employ this scheme to **identify** the third parties that are the **most critical** to the organization.
RISK TIER SCHEME ## Footnote Third Parties at a **higher level of risk** undergo **more frequent** and rigorous risk assessments, while those at **lower levels** undergo **less frequent** and less rigorous risk assessments.
37
# Chapter 6 Review The **management** of **business relationships** with third parties is what sort of process?
LIFE-CYCLE ## Footnote The life cycle begins when an organization contemplates the use of a third party to augment or support the organization's operations in some way.
38
# Chapter 6 Review The **life-cycle management** process with third parties continues during the ongoing relationship with the third party and **concludes** when the organization has no what?
REQUIREMENT OF THE SERVICE
39
# Chapter 6 Review This is the lifeblood of an **effective information security program**.
COMMUNICATIONS
40
# Chapter 6 Review Lacking **effective communication**, the **security manager** will have difficulty **interacting** with these people for the **exchange of objectives, risk information and metrics**.
EXECUTIVE MANAGEMENT
41
# Chapter 6 Review If **communication** is **ineffective**, it will **hamper** these 2 security-related things throughout the business
ACTIVITIES and PROCESSES
42
# Chapter 6 Review **Security programs** include a variety of these **activities** that are **vital** to their **success**.
ADMINISTRATIVE
43
# Chapter 6 Review One **important success factor** of a **security program** is the **development** of these with internal departments and external organisations.
STRATEGIC PARTNERSHIPS / RELATIONSHIPS
44
# Chapter 6 Review **Strategic partnerships** with internal departments and external organisations **enable** the **security manager** to do this with regard to events.
BETTER INFLUENCE ## Footnote It also allows them to learn more about external events, and obtain assistance from outside entities as needed
45
# Chapter 6 Review This represents a **collection of operational activities** designed to ensure the **quality of IT services** and includes several business processes such as: 1. service desk 2. incident management 3. problem management 4. change management 5. configuration management 6. release management 7. service-level management 8. financial management 9. capacity management 10. service continuity management 11. availability management
IT SERVICE MANAGEMENT
46
# Chapter 6 Review When **senior management expresses concerns** about the **effectiveness** of the **information security program**, the **security manager** should carry out this activity with senior managers to **address their concerns**
INTERVIEW SENIOR MANAGEMENT
47
# Chapter 6 Review Achieving this with regard to **resources** is the **best indication** that a security manager is **achieving value delivery**
HIGH RESOURCE UTILIZATION
48
# Chapter 6 Review This is the **best metric** a security manager can use to **evaluate** the **result of a security program**
PERCENTAGE OF CONTROL OBJECTIVES ACHIEVED
49
# Chapter 6 Review **Control objectives** are directly related to these objectives
BUSINESS OBJECTIVES
50
# Chapter 6 Review Obtaining another party's **public key** is required to initiate this activity
AUTHENTICATION ## Footnote The public key must itself come from a trusted source, normally a certificate issued by a trusted CA; a key obtained over an untrusted channel could have been substituted by an attacker, and anything verified with it would then authenticate the attacker.
51
# Chapter 6 Review This type of **encryption** is **computationally** more **intensive** than secret key encryption
PUBLIC KEY ## Footnote * Public key encryption is computationally intensive because of the mathematics it relies on and the long key lengths required * Secret (symmetric) key encryption achieves equivalent strength with much shorter keys, which is why hybrid schemes use public key operations only to exchange a symmetric session key and then encrypt the bulk data symmetrically
52
# Chapter 6 Review This type of **key** is more **problematic for scaling** as it requires a **key for each pair of individuals**
SYMMETRIC KEY (secret key encryption) ## Footnote Symmetric or secret key encryption requires a separate key for each pair of individuals who wish to communicate confidentially, so n parties need n(n-1)/2 keys. This quadratic growth quickly creates intractable key distribution and storage problems, whereas public key encryption needs only one key pair per party.
53
# Chapter 6 Review Wi-Fi Protected Access 2 (**WPA2**) combined with this type of **authentication** is the **strongest form** of wireless authentication currently available
802.1X ## Footnote WPA2 with 802.1X (WPA2-Enterprise) is the strongest form of wireless authentication covered here. 802.1X/EAP authenticates each user individually against an authentication server (typically RADIUS) instead of relying on a shared passphrase, and WPA2 then protects the traffic with AES-CCMP encryption; authentication and encryption are separate functions. WPA3-Enterprise builds on the same 802.1X model and supersedes WPA2 where it is supported.
54
# Chapter 6 Review This service is an **authority** within an organisation's network that **verifies (authenticates) user requests** for a **digital certificate** and tells the Certificate Authority (CA) to issue it
REGISTRATION AUTHORITY (RA) ## Footnote The registration authority’s (RA’s) private key is in the possession of the RA, often stored on a smart card or laptop, and is typically protected by a password and, therefore, is potentially accessible. If the RA’s private key is compromised, it can be used to register anyone for a certificate using any identity, compromising the entire public key infrastructure for that CA
55
# Chapter 6 Review This service is either **internal or public** and is responsible for **issuing and revoking certificates**
CERTIFICATE AUTHORITY (CA)
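As an added example, not part of this flashcard set or of any vendor's product, the Go program below ties cards 50, 54 and 55 together using only Go's standard crypto/x509 package: a hypothetical in-memory CA issues and revokes certificates, a hypothetical RA signs approvals that the CA checks before issuing, and a relying party validates a certificate by chaining it to the CA's public key and asking whether it has been revoked. The CA name, the identities alice and mallory, the keys and the RA approval format are all constructed for the example (a real PKI uses standard CSRs, CRLs or OCSP, and HSM-protected keys). It also shows the point made in the footnote to card 54: the CA accepts only approvals signed with the RA key, so an approval signed with any other key is refused, and anyone who holds that key could have any identity certified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup steps that cannot fail in practice panic, to keep the example short
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// digest binds the claimed identity to the key so an RA approval cannot be replayed for another key.
func digest(subject string, pub *ecdsa.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(subject+"\x00"), must(x509.MarshalPKIXPublicKey(pub))...))
	return h[:]
}

// RAApprove is the registration authority's step: having vetted the requester out of band
// (not modelled), the RA signs the request. Whoever holds raKey can get any identity certified.
func RAApprove(raKey *ecdsa.PrivateKey, subject string, pub *ecdsa.PublicKey) []byte {
	return must(ecdsa.SignASN1(rand.Reader, raKey, digest(subject, pub)))
}

type CA struct { // hypothetical in-memory certificate authority that issues and revokes certificates
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	raPub   *ecdsa.PublicKey // the single RA whose approvals this CA accepts
	serial  int64
	revoked map[string]bool // revoked serial numbers, standing in for a CRL or OCSP responder
}

func NewCA(name string, raPub *ecdsa.PublicKey) *CA {
	key := newKey()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), key: key, raPub: raPub, serial: 1, revoked: map[string]bool{}}
}

// Issue signs a certificate only when the approval carries a valid signature from the registered RA.
func (c *CA) Issue(subject string, pub *ecdsa.PublicKey, approval []byte) (*x509.Certificate, error) {
	if !ecdsa.VerifyASN1(c.raPub, digest(subject, pub), approval) {
		return nil, errors.New("CA: approval not signed by the registered RA")
	}
	c.serial++
	t := &x509.Certificate{SerialNumber: big.NewInt(c.serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, c.Cert, pub, c.key)))), nil
}

// Revoke marks a serial as no longer trustworthy; Revoked is the status query a relying party makes.
func (c *CA) Revoke(cert *x509.Certificate) { c.revoked[cert.SerialNumber.String()] = true }
func (c *CA) Revoked(serial *big.Int) bool { return c.revoked[serial.String()] }

// Validate is the relying party's side: chain the certificate to the trusted CA certificate
// (signature, validity period, CA constraints), then check that it has not been revoked.
func Validate(cert *x509.Certificate, ca *CA) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if ca.Revoked(cert.SerialNumber) {
		return errors.New("certificate is revoked")
	}
	return nil
}

// Demo runs the lifecycle and reports each step's outcome by name.
func Demo() map[string]bool {
	raKey, userKey := newKey(), newKey()
	ca := NewCA("Example Corp Internal CA", &raKey.PublicKey) // constructed name
	out := map[string]bool{}
	// An approval signed with some key other than the RA's is refused by the CA.
	_, err := ca.Issue("mallory", &userKey.PublicKey, RAApprove(newKey(), "mallory", &userKey.PublicKey))
	out["forged_approval_rejected"] = err != nil
	// The legitimate path: RA-signed approval, CA issuance, validation, then revocation.
	cert := must(ca.Issue("alice", &userKey.PublicKey, RAApprove(raKey, "alice", &userKey.PublicKey)))
	out["valid_before_revoke"] = Validate(cert, ca) == nil
	ca.Revoke(cert)
	out["revoked_detected"] = Validate(cert, ca) != nil
	return out
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run`; Demo returns the outcome of each step as a map. Revocation is modelled as an in-memory status query that stands in for a CRL or OCSP lookup. The point to notice is that a certificate which verifies perfectly against the CA's public key is still rejected once the CA marks its serial revoked, so a relying party must check revocation status and not only the signature chain, and that the CA's issuance decision rests entirely on the RA signature, which is why the RA key deserves the same protection as the CA key.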
56