Domain 1 Flashcards

Question

Security Frameworks - Frameworks for Implementation - COSO IC (ident-created-categories)

Answer 1

* Identifies 17 control principles grouped into 5 categories * Created in the 80s as a result of financial fraud * Provides Corporate Governance * Categories - Control Environments - Risk Assessments - Control Activities - Information and Communication - Monitoring Activities

Answer 2

* Created by ISACA and ITGI * Defines 17 enterprise and 17 IT goals * It's not strictly security related * It is an IT related subset of COSO IC * Principles Meeting stakeholder needs Covering the enterprise end-to-end Applying a single integrated framework Enabling a holistic approach Separating governance from management

Answer 3

* Created by the US government * Specifies the control that federal agencies must implement * If an agency doesn't comply, they are violating the FISMA (Federal Information Security Management Act of 2002) * Contains a list of 18 control categories

Answer 4

``` Administrative = Management Technical = Technical Physical = Operational ```

Answer 5

* ITIL * Six Sigma * Capability Maturity Model Integration (CMMI)

Answer 6

* Developed in the UK in the 80s * De facto standard for IT management best practices * Focuses on achieving SLAs between the IT department and its customer * Stages - Design - Transition - Operation * Each stage has between 3 and 5 steps

Answer 7

* Measures process quality by using statistical calculations | * A sigma rating is applied to a process to indicate the percentage of defects it contains

Answer 8

* Created by Carnegie Mellon for US DoD * Determines the maturity of an organization's processes * Designed to make improvements in an incremental and standard manner * Levels: - Level 0: Nonexistent Management - Level 1: Unpredictable Processes - Level 2: Repeatable Processes - Level 3: Defined Processes - Level 4: Managed Processes - Level 5: Optimized Processes

Answer 9

* Focuses on how to keep processes up-to-date and healthy * Four steps, and the last one feeds right back into the first one to start a new iteration * Steps: Plan, Implement, Operate, Evaluate

Answer 10

- Establish MGMT and oversight committees - Identify business drivers and threats - Perform a risk assessment - Create security architectures for the business, data, application and infrastructure - Select possible solutions for the problems identified - Get mgmt approval to move to the next steps

Answer 11

- Assign duties - Establish baselines - Put security policies into operation - Identify data that needs to be secured - Create blueprints - Implement controls based on the blueprints - Implement solutions to monitor the controls based on the blueprints - Establish goals, SLAs and metrics based on the blueprints

Answer 12

- Follow established procedures to ensure baselines met the blueprints - Execute audits - Execute tasks defined by the blueprints - Ensure SLAs are met

Answer 13

- Review logs, audit results, metrics and SLAs - Determine if the blueprint goals have been met - Hold quarterly meetings with the steering committee - Identify actions to improve as an input into the first step

Answer 14

Any law that deals with computer-based crime

Answer 15

* Computer-assisted: Computer is a tool - Example: Stealing money from a bank across the Internet * Computer-targeted: Computer is the victim - Example: DoS attack * Computer is incidental: Computer is involved but didn't play a significant role in the crime - Example: If a computer is used to temporarily store stolen or illegal goods

Answer 16

* Script Kiddies: Unsophisticated individuals who know just enough about pre-built hacking tools *Types of serious hackers 1- The ones who randomly sniff around 2- APT (Advanced Persistent Threats) - Most dangerous - They target specific persons or organizations

Answer 17

* OECD has issued guidelines on how to deal with data that is transfered between countries * Core principles: Collection Limitation Data Quality Purpose Specification Use Limitation Security Safeguards Openness Individual Participation Accountability

Answer 18

* They deal with US and EU data transfer requirements * Rules: - Notice - Choice - Onward Transfer - Security - Data Integrity - Access - Enforcement

Answer 19

* Each country has its own laws regarding import and export of goods * Wassenaar Agreement - Followed by 41 countries including the US - Goal: To prevent the buildup of further military capabilities - The Information Security part deals with the exchange of cryptography

Answer 20

* Civil (Code) Law System: Lower courts are not compelled to follow the decisions made by upper courts * Common Law System: Based on precedence * Customary Law System: deals with personal conduct and behavior, * Religious Law System: Based on religious beliefs of that region * Mixed Law System: Two or more of the previously mentioned systems used together

Answer 21

* Criminal - To be convicted, guilt beyond reasonable doubt must be established - Cases are usually brought about by government prosecutors with a guilty or not guilty verdict * Civil/Tort - Offshoot of Criminal Law - Deals with wrongs commited against an individual or company that has resulted in injury or damages - If found liable, monetary reparations are usually made by the defendant, but loss of freedom is never a result * Administrative It addresses issues such as international trade, manufacturing, environment and immigration

Answer 22

* Law that allows individuals or companies to protect what is rightly theirs from illegal duplication or use * IP types: - Trade Secret - Copyright - Trademark - Patent

Answer 23

* Something a company creates or owns that is crucial to its survival and profitability * Doesn't expire until it's not a trade secret * Most companies with trade secrets make their employees sign an NDA * Example: Coca-Cola formula

Answer 24

* Gives the author of a work the rights to control the display, adaptation, reproduction or distribution of that original work * Protects the expression of the idea rather than the idea itself * Expires after a limited amount of time * Specific to the computer industry - Protects source code and object code - Protects user interfaces

Answer 25

* Protects a name, symbol, word, sound, shape, color or any combination thereof * Represents a company's brand identity to its potential consumers * WIPO (World Intellectual Property Organization) oversees International Trademark Law

Answer 26

* Given to individuals or companies to protect an invention * Strongest form of IP protection * The invention must be novel, useful and non-obvious * Has an expiration date (20 years) * Specific to computer industry - Algorithms are commonly patented - Patent infringement prosecution is a matter of everyday life - Patent trolls buy patents only to sue infringing companies

Answer 27

* A company must properly classify the data and implement sufficient protection (Due care) * If Due Care is not taken, litigation will fail * Software Piracy: Occurs whem protected works or data is duplicated or used without permission or compensation to the author * Software Licensing: Freeware, Shareware, Commercial, Academic * EULA: Used for communicating the licensing requirements * FAST/BSA: Promote enforcement of software rights in order to combat piracy * DMCA: - Prohibits attempts to circumvent copyright protection mechanisms - In Europe, a similar law is the Copyright Directive

Answer 28

* Any data that can be used to identify, contact or locate an individual * It's sensitive data because it can be used for identity theft * Typical PII components Full Name ID Number Biometrics Digital Identities Birthdate

Answer 29

* Federal Privacy Act of 1974 * Federal Information Security Management Act of 2002 (FISMA) * Department of Veterans Affairs Information Security Protection Act * Health Insurance Portability and Accountability Act (HIPAA) * Health Information Technology for Economic and Clinical Health Act (HITECH) * USA Patriot Act * Gramm-Leach-Bliley Act (GLBA) * Personal Information Protection and Electronic Documents Act (PIPEDA) * Payment Card Industry Data Security Standard (PCI DSS) * Economic Espionage Act of 1996

Answer 30

Federal agencies could collect and store info about an individual's academic, medical, financial, criminal and employment history only if the agency had a necessary and relevant need to

Answer 31

* Requires high-level officials of each agency to hold annual reviews of the information security programs and report the results to the Office of Management and Budget (OMB), which in turn reports to congress on the level of compliance achieved * Requirements - Inventory of Information Systems - Categorization of the information and information systems according to risk - Security controls - Risk Assessment - System security plan - Certification and accreditation - Continuous monitoring

Answer 32

* FISMA + Additional requirements on that agency alone | * Due to an incident in 2006

Answer 33

* PHI (Patient Health Information): PII+specific health details * Defines rules for any facility that creates, accesses, shares or destroys patient data * Works with fines * Does not require notification of data breaches

Answer 34

* Created in 2009 * Subtitle D - Electronic transmission of health information - Helps enforce HIPAA rules * It directs the US Secretary of Health and Services (HHS) to provide guidance on effective controls to protect data * Companies that comply with this guidance do not have to report data breaches. Otherwise, they have 60 days to report to HHS and the affected individuals

Answer 35

* Reduces restrictions on law enforcement when searching electronic records * Allows greater foreign intelligence gathering within the US * Gives the Secretary of Treasury greater power to regulate financial transactions * Broadens the ability to detain or deport immigrants suspected of terrorism * Expands the definition on terrorism to include domestic terrorism * Now the government can monitor individual's electronic communications at will

Answer 36

* aka Financial Services Modernization Act * Requires financial institutions to create privacy notices and give their customers the ability to opt out of sharing their information with third parties * In the event of a data breach the institution must report it to the federal regulators, law enforcement and affected customers

Answer 37

Canadian protection of privacy law regarding e-commerce

Answer 38

* It's a standard for data security created by the major credit companies * Credit companies will not work with a company that it's not PCI compliant

Answer 39

* Passed in 1996 * Defines who can investigate data breaches * Protects IP

Answer 40

USA: Has a number of laws on the book | EU data protection regulation: Standardized data breach notification

Answer 41

High-level statement that describes how security works within the organization.

Answer 42

Organizational Security Policy: Dictates how a security program will be constructed and describes how enforcement will be implemented. Sets the various goals.Addresses laws and regulations. Provides direction on the amount of risk management it's willing to accept. Should be periodically reviewed and updated. Documentation should be version-controlled and applicable for several years into the future. Issue-specific policy: Provides more detail on an area that needs further explanation. Must not be technology-specific. Examples: E-mail policy System-specific policies: Contain details that are specific to a system. Sufficiently generic to allow for other technologies and solutions

Answer 43

* Informative:Informs employees on a broad range of topics in an unenforceable manner * Regulatory: Addresses regulatory requirements for a specific industry such as GLBA, PCI or HIPAA * Advisory: Advises employees on enforceable rules governing actions and behaviors

Answer 44

* Provide instruction on how to meet the policy | * Standards must always be enforced

Answer 45

* Point in time that is used as a comparison for future changes * A baseline results in a consistent reference point

Answer 46

Reflect recommendations and guides for employees when a specific standard does not really apply

Answer 47

Where policies tell us where we want to go and standards provide the tools, procedures give us the step-by-step instructions on how to do it

Answer 48

Organizational Business Process Information Systems (Our focus)

Answer 49

ISRM policy should address the following elements - The objectives of the ISRM team - What is considered an acceptable level of risk - How risks will be identified - How the ISRM policy fits within the organization’s strategic planning - Roles and responsibilities for the ISRM - Mapping of risk to controls, performance targets and budgets - How staff behavior and resource allocation will be modified - How the effectiveness of controls will be monitored

Answer 50

* It can be a single person or more | * Usually not 100% of their time in ISRM

Answer 51

* Frame: Define the assumptions, constraints, priorities and the amount of risk the organization can tolerate * Assess: Determine threats, vulnerabilities and attack vectors * Respond: Match the available resources against a prioritized list of risks * Monitor: Continuously watch the controls to assess their effectiveness against the risk each was designed to protect the organization from

Answer 52

* Information: Data at rest / Data in motion / Data in use * Processes: Blocks of code executing in-memory * People: Usual attack vector / Social engineering / Social networks / Passwords

Answer 53

* Potential cause of an unwanted incident, which may result in harm to a system or organization * Sources: - Deliberate outsiders - Deliberate insiders (The most dangerous group) - Accidental insiders

Answer 54

* There are two ends to an attack - Attacker - Target - Means to an attack * Attack Tree: Steps and substeps in an attack * Attack Chain: One path that can be contained in an attack tree

Answer 55

* Reduces the number of attacks to consider by identifying commonalities * Reduces the threat posed by attackers: the closer to the root a mitigation is implemented, the more risks it is likely to control

Answer 56

* Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls * Outputs a list of vulnerabilities and threats

Answer 57

* Prioritizes the list obtained through the Risk Assessment * Assesses the amount of resources to properly mitigate the top threats * Goals - Identify and valuate assets - Identify vulnerabilities and associated threats - Quantify the likelihood of the threats - Calculate an economic balance between each threat and the cost of a countermeasure * Outputs a cost/benefit comparison

Answer 58

* Individuals from all departments * Good questions for this team to ask are 1. What could happen? 2. What would the impact be? 3. How often could it happen? 4. Do we really believe the first three answers?

Answer 59

* Calculating currency-based value for each asset * Issues to be examined - Cost to acquire or develop the asset - Cost to maintain and protect the asset - Value of the asset to owners and users - Value of the asset to adversaries - Price others are willing to pay for the asset - Cost to replace the asset if lost - Operational and production activities affected if the asset is unavailable - Liability issues if the asset is compromised - Usefulness and role of the asset in the organization * Two questions should be asked: - What is the cost to protect an asset? - What is the cost if we did not protect an asset? * Allows us to do the following - Perform an effective cost/benefit analysis - Select proper controls - Determine the amount of insurance to purchase - Define exactly what is at risk - Comply with legal and regulatory requirements

Answer 60

* Threats can arise from seemingly innocuous sources such as our own applications and users Examples: - An application could have a logic flaw, known as illogical processing, which destroys or compromises data or resources. This can then lead to cascading errors wherein a small flaw is passed to another process, which can amplify the flaw - A user can enter invalid data or even accidently delete important data * Loss Potential:Each risk has it * Delayed Loss: It happens after the vulnerability has been exploited. Example: Your company's reputation takes a hit

Answer 61

* NIST SP 800-30 * Facilitated Risk Analysis Process (FRAP) * Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) * AS/NZS 4360 * ISO 27005 * Failure Mode and Effect Analysis (FMEA) * Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM)

Answer 62

``` 1- Prepare for the assessment 2- Conduct the assessment a. Identify threats b. Identify vulnerabilities c. Determine likelihood d. Determine magnitude e. Calculate risk 3- Communicate the results 4- Maintain the assessment ```

Answer 63

Stresses a qualitative measurement of risk instead of trying to actually calculate a risk value

Answer 64

* The premise of this methodology is that the people involved with a system or process should be the only ones making the decisions on security, as opposed to higher-level or external influences * Meant for entire organization

Answer 65

Focuses on the organization's overall health, but could be used in Security

Answer 66

Describes how RM should be carried out for ISMS

Answer 67

* Focuses on identifying functions, their failures and the causes of those failures * Excels when examining a single system, but tends to break down when considering multiple systems * Steps 1) Create a block diagram 2) Consider what happens when each block fails 3) Create a table of each failure and the corresponding impact 4) Correct the design and repeat #3 until the system no longer has unacceptable weaknesses 5) Have engineers review the design and table

Answer 68

* UK originated * Siemens has an automated tool for it * Stages 1) Define objectives 2) Assess risk 3) Identify countermeasures

Domain 1 Flashcards

(92 cards)