Domain 1 Flashcards
Due Diligence (Definition)
Practicing the activities that maintain the due care effort
Due care (Definition)
Doing what a reasonable person would do in a given situation. Sometimes called the prudent man rule
Due Diligence
Research
Planning
Evaluation
Increases understanding and reduces risk
Largely done before the decision (Think before you act)
Do Detect
Due Care
Implementation
Operation (upkeep)
Reasonable measures
Doing after the decision
Actions speak louder than words
Do Correct
Due diligence examples
Related to knowledge and research
Laws and regulations
Industry standards
Best practices
Due care examples
Related to delivery or execution
Reporting security incidents
Security awareness training
Disabling access in a timely way
Incident Management Framework
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons learned
Mnemonic DRMRRRL
Confidentiality
Access controls help ensure that only authorized subjects can access objects
Integrity
Ensures that data or system configurations are not modified without authorization
Availability
Authorized requests for objects must be granted to subjects within a reasonable amount of time
ISC2 Code of Ethics
- Protect society, the commonwealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
4 levels of security policy development
Security procedures - detailed, step-by-step
Security guidelines - offer recommendations
Security baselines - define minimum levels
Acceptable use policy - assigns roles and responsibilities
Risk Categories
Group of potential causes of risk
Damage - results in physical loss of an asset or the inability to access the asset
Disclosure - disclosing critical information, regardless of where or how it was disclosed
Losses - these might be permanent or temporary, including altered data or inaccessible data
Risk Factors
Something that increases risk or susceptibility
Physical damage - natural disaster, power loss, or vandalism
Malfunctions - failure of systems, networks, or peripherals
Attacks - purposeful acts, whether from the inside or outside, such as unauthorized disclosure
Human errors - usually considered accidental incidents, whereas attacks are purposeful incidents
Application errors - failures of the application, including the operating system
Strategic
Security planning type that is a long-term, stable plan that should include a risk assessment
5-year horizon with annual updates
Tactical
Security planning type that is a mid-term plan developed to provide more detail on the goals of the strategic plan. Usually a 1-year horizon
Operational
Security planning type that is a short-term, highly detailed plan based on the strategic and tactical plans. Usually a monthly or quarterly horizon
Risk acceptance
A response to risk where you do nothing; you must accept the risk and the potential loss if the threat occurs
Risk Mitigation
A response to risk where you implement a countermeasure and accept the residual risk
Risk assignment
A response to risk where the risk is transferred (assigned) to a third party, for example by purchasing insurance against damage
Risk avoidance
A response to risk where the costs of mitigating or accepting the risk are higher than the benefits of the service, so the activity is not undertaken
Risk deterrence
A response to risk where deterrents are implemented against would-be violators of security and policy
Risk Rejection
An unacceptable response to risk. Also known as ignoring the risk
NIST 800-37
The Risk Management Framework (RMF) has 7 steps
1. Prepare to execute the RMF
2. Categorize information systems
3. Select security controls
4. Implement security controls
5. Assess the security controls
6. Authorize the system
7. Monitor security controls
Mnemonic PCSIAAM
Operationally Critical Threat, Asset, and Vulnerability Evaluation
OCTAVE is a risk management framework
Factor Analysis of Information Risk
FAIR is a risk management framework
Threat Agent Risk Assessment
TARA is a risk management framework
Residual Risk
A risk type that remains even with all conceivable safeguards in place
Risk that management has chosen to accept rather than mitigate
After safeguards
Inherent Risk
Newly identified risk not yet addressed with risk management strategies
The amount of risk that exists in the absence of controls
Before safeguards
Total Risk
The amount of risk an organization would face if no safeguards were implemented
Without safeguards
Total risk calculation
Threats * vulnerabilities * asset value = total risk
Risk calculation
Risk = threat * vulnerability
Quantitative Risk Analysis
Assigns a dollar value to evaluate effectiveness of countermeasures
Objective
Quantitative risk analysis steps
- Inventory assets (asset value or AV)
- Identify threats (EF and SLE)
- Perform a threat analysis (ARO)
- Estimate the potential loss (ALE)
- Research countermeasures for each threat (calculate changes to ARO and ALE)
- Perform a cost/benefit analysis of each countermeasure for each threat for each asset
Qualitative risk analysis
Uses a scoring system to rank threats and the effectiveness of countermeasures
Subjective
Delphi Technique
An anonymous feedback and response process used to arrive at a consensus
An example of qualitative risk analysis