Domain 1 Flashcards

1
Q

CIA - Confidentiality (definition-attacks-defense)

A
  • High level of assurance that info is kept from unauthorized parties
  • Attacks: Shoulder surfing, social engineering, decryption, brute-force
  • Defense: Encryption, access controls
2
Q

CIA - Confidentiality - Related concepts (SDCSPSI)

A
  • Sensitivity: What could happen if this info was disclosed
  • Discretion: When you choose to control the information disclosure to limit damage
  • Concealment: Act of hiding or preventing disclosure
  • Secrecy: Keeping something secret
  • Privacy: Keeping sensitive info confidential
  • Seclusion: Storing something in an out-of-the-way manner
  • Isolation: Keeping something separated from others
3
Q

CIA - Integrity (def - approaches)

A

When info remains unaltered by unauthorized parties
Approaches:
  • Preventing intentional unauthorized modification
  • Preventing accidental modifications
  • Ensuring internal and external consistency of the information

4
Q

CIA - Availability (def - examples)

A

Usable access to a resource is always provided in a timely and uninterrupted manner

  • Examples:
    Load Balancing
    Clustering
    Backups
    Redundancy
5
Q

AAA (IAAAA)

A
  • Identification: A subject claims a specific identity
  • Authentication: A subject proves he is who he claims to be
  • Authorization: Deciding what the subject can access and how it can be used
  • Auditing: Recording activities of the subject in a log
  • Accountability: Reviewing the log to check for compliance
6
Q

From Vulnerability to Exposure - Vulnerability (def -example)

A

A weakness in a system that allows a threat to compromise security

Examples:
  • AP without security enabled
  • Too many ports allowed on a firewall
  • Unneeded service running on a server

7
Q

From Vulnerability to Exposure - Exploit

A

Occurs when a vulnerability is taken advantage of by an attacker

8
Q

From Vulnerability to Exposure - Threat

A

Danger that a vulnerability will be exploited

9
Q

From Vulnerability to Exposure - Threat Agent

A

Entity that exploits a vulnerability

10
Q

From Vulnerability to Exposure - Risk

A

The likelihood that a threat agent will exploit a vulnerability combined with the damage that could result

11
Q

From Vulnerability to Exposure - Exposure

A

Single real-world instance of a vulnerability being exploited by a threat agent

12
Q

From Vulnerability to Exposure - Control

A

Countermeasure put into place to mitigate the risk

13
Q

Controls - Categories (ATP)

A
  • Administrative Controls: Controls put in place by management
    Examples:
    Training
    Security Policy
  • Technical Controls: Software elements such as hashing, encryption or authentication enforcement
  • Physical Controls: Controls that are physical
    Examples:
    Lighting
    Fences
    Keycards
    Security Guards
14
Q

Controls - Functions (PCDDRC)

A
  • Preventative: Avoid an incident
  • Corrective: Fix a component or system
  • Deterrent: Discourage an attacker
  • Detective: Identify an intruder
  • Recovery: Bring environment back to normal operation
  • Compensating: Alternative control if the first choice is unavailable
15
Q

Security Frameworks - ISO 27000 Series - BS7799 (year-who-what-parts)

A
  • Created in 1995
  • Published by British Standards Institute
  • Outlines how an ISMS should be created and maintained
  • Part 1
    Describes controls
  • Part 2
    Shows how an ISMS can be set up
16
Q

Security Frameworks - ISO 27000 Series (1-8, 11, 14-15,31-35,37,799)

A
  • ISO 27000: Overview and vocabulary for the rest of the 27000 series
  • ISO 27001: Standard for creation, implementation, control and improvement of ISMS
  • ISO 27002: General guidelines for implementing an ISMS
  • ISO 27003: ISMS implementation
  • ISO 27004: ISMS measurement
  • ISO 27005: Risk management
  • ISO 27006: Certification body requirements
  • ISO 27007: ISMS auditing
  • ISO 27008: Guidance for auditors
  • ISO 27011: Telecommunications organizations
  • ISO 27014: Information security governance
  • ISO 27015: Financial sector
  • ISO 27031: Business continuity
  • ISO 27032: Cybersecurity
  • ISO 27033: Network security
  • ISO 27034: Application security
  • ISO 27035: Incident management
  • ISO 27037: Digital evidence collection and preservation
  • ISO 27799: Health organizations
17
Q

Security Frameworks - Enterprise Architecture Development - Introduction (structure-guidance-terms)

A
  • Addresses the structure and behavior of an organization
  • It is guidance on how to build an architecture
  • Allows each group of people within an organization to view the business in terms they can understand
18
Q

Security Frameworks - Enterprise Architecture Development - Zachman (who-orientation-matrix)

A
  • Created by John Zachman in the 80s
  • This framework is not security oriented, but it is a good template to work with because it offers direction on how to understand an actual enterprise in a modular fashion
  • 2-dimensional matrix
    X-axis: 5 different audiences
    Y-axis: 6 different views
19
Q

Security Frameworks - Enterprise Architecture Development - Zachman (audiences - views)

A
Audiences
	Executives
	Business Managers
	System Architects
	Engineers
	Technicians
	Entire enterprise
Views
	What
	How
	Where
	Who
	When
	Why
20
Q

Security Frameworks - Enterprise Architecture Development - TOGAF (who-arch types-adm)

A
  • Created by US DoD
  • Architecture types
    Business
    Data
    Application
    Technology
  • Architecture Development Method (ADM)
    Used to create each type
    The last step feeds back into the first step
    After each iteration, the process has been improved to reflect changing requirements
    Each iteration addresses each of the four views
21
Q

Security Frameworks - Enterprise Architecture Development - Military Oriented (DoDAF-Brits)

A
  • Department of Defense Architecture Framework:
    • Involves things such as command, control, surveillance and reconnaissance
    • One of its primary objectives is to ensure a common communication protocol and standard payloads
  • Ministry of Defence Architecture Framework
    • British version of DoDAF
22
Q

Security Frameworks - Enterprise Architecture Development - Sherwood Applied Business Security Architecture (SABSA) (ESA-views-yaxis-differences)

A
  • It’s an Enterprise Security Architecture: Ensures an organization has an effective ISMS in place
  • Similar to Zachman
  • Views:
    • Assets (What)
    • Motivation (Why)
    • Process (How)
    • People (Who)
    • Location (Where)
    • Time (When)
  • Y-Axis from wide to narrow
    • Contextual
    • Conceptual
    • Logical
    • Physical
    • Component
    • Operational
  • Differences between SABSA and the others
    • It is also a methodology
    • Provides an actual process to follow
    • It is geared toward security
23
Q

Security Frameworks - Architecture Framework Terms (strat-business-process enh-sec effec)

A
  • Strategic Alignment: An architecture is strategically aligned when it meets the needs of the business and all legal or regulatory requirements
  • Business Enablement: A good security architecture must enable the business to thrive by not getting in the way, but still providing proper security
  • Process Enhancement: Security forces us to take a closer look at existing processes. This could lead us to improve them
  • Security Effectiveness: Most quantifiable of the attributes. Examples: ROI, SLA achievements
24
Q

Security Frameworks - Frameworks for Implementation (C C N)

A
  • COSO Internal Control
  • COBIT
  • NIST SP 800-53
25
Q

Security Frameworks - Frameworks for Implementation - COSO IC (ident-created-categories)

A
  • Identifies 17 control principles grouped into 5 categories
  • Created in the 80s as a result of financial fraud
  • Provides Corporate Governance
  • Categories
    • Control Environments
    • Risk Assessments
    • Control Activities
    • Information and Communication
    • Monitoring Activities
26
Q

Security Frameworks - Frameworks for Implementation - COBIT (created-goals-subset-principles)

A
  • Created by ISACA and ITGI
  • Defines 17 enterprise and 17 IT goals
  • It’s not strictly security related
  • It is an IT related subset of COSO IC
  • Principles
    Meeting stakeholder needs
    Covering the enterprise end-to-end
    Applying a single integrated framework
    Enabling a holistic approach
    Separating governance from management
27
Q

Security Frameworks - Frameworks for Implementation - NIST SP 800-53 (created-fed agencies-controlcategories)

A
  • Created by the US government
  • Specifies the controls that federal agencies must implement
  • If an agency doesn’t comply, they are violating the FISMA (Federal Information Security Management Act of 2002)
  • Contains a list of 18 control categories
28
Q

Security Frameworks - Frameworks for Implementation - Private vs Federal controls

A
Administrative = Management
Technical = Technical
Physical = Operational
29
Q

Security Frameworks - Process Development

A
  • ITIL
  • Six Sigma
  • Capability Maturity Model Integration (CMMI)
30
Q

Security Frameworks - Process Development - ITIL (wherewhen-standard-focus-stages-steps)

A
  • Developed in the UK in the 80s
  • De facto standard for IT management best practices
  • Focuses on achieving SLAs between the IT department and its customer
  • Stages
    • Design
    • Transition
    • Operation
  • Each stage has between 3 and 5 steps
31
Q

Security Frameworks - Process Development - Six Sigma (measures-rating)

A
  • Measures process quality by using statistical calculations
  • A sigma rating is applied to a process to indicate the percentage of defects it contains

32
Q

Security Frameworks - Process Development - Capability Maturity Model Integration (CMMI) (determines-design-levels)

A
  • Created by Carnegie Mellon for US DoD
  • Determines the maturity of an organization’s processes
  • Designed to make improvements in an incremental and standard manner
  • Levels:
    • Level 0: Nonexistent Management
    • Level 1: Unpredictable Processes
    • Level 2: Repeatable Processes
    • Level 3: Defined Processes
    • Level 4: Managed Processes
    • Level 5: Optimized Processes
33
Q

Security Frameworks - The Process Life Cycle (focus-steps)

A
  • Focuses on how to keep processes up-to-date and healthy
  • Four steps, and the last one feeds right back into the first one to start a new iteration
  • Steps: Plan, Implement, Operate, Evaluate
34
Q

Security Frameworks - The Process Life Cycle - Steps - 1: Plan (6)

A
  • Establish MGMT and oversight committees
  • Identify business drivers and threats
  • Perform a risk assessment
  • Create security architectures for the business, data, application and infrastructure
  • Select possible solutions for the problems identified
  • Get mgmt approval to move to the next steps
35
Q

Security Frameworks - The Process Life Cycle - Steps - 2: Implement (8)

A
  • Assign duties
  • Establish baselines
  • Put security policies into operation
  • Identify data that needs to be secured
  • Create blueprints
  • Implement controls based on the blueprints
  • Implement solutions to monitor the controls based on the blueprints
  • Establish goals, SLAs and metrics based on the blueprints
36
Q

Security Frameworks - The Process Life Cycle - Steps - 3: Operate (4)

A
  • Follow established procedures to ensure baselines meet the blueprints
  • Execute audits
  • Execute tasks defined by the blueprints
  • Ensure SLAs are met
37
Q

Security Frameworks - The Process Life Cycle - Steps - 4: Evaluate (4)

A
  • Review logs, audit results, metrics and SLAs
  • Determine if the blueprint goals have been met
  • Hold quarterly meetings with the steering committee
  • Identify actions to improve as an input into the first step
38
Q

Computer Crime Law - Cyberlaw

A

Any law that deals with computer-based crime

39
Q

Computer Crime Law - Computer Crime Categories (CA-CT-CI)

A
  • Computer-assisted: Computer is a tool
    • Example: Stealing money from a bank across the Internet
  • Computer-targeted: Computer is the victim
    • Example: DoS attack
  • Computer is incidental: Computer is involved but didn’t play a significant role in the crime
    • Example: If a computer is used to temporarily store stolen or illegal goods
40
Q

Computer Crime Law - Computer Crime (kiddies-hackers)

A
  • Script Kiddies: Unsophisticated individuals who know just enough about pre-built hacking tools
  • Types of serious hackers
    1. The ones who randomly sniff around
    2. APT (Advanced Persistent Threats)
      - Most dangerous
      - They target specific persons or organizations
41
Q

Computer Crime Law - Computer Crime - OECD (guidelines-principles)

A
  • OECD has issued guidelines on how to deal with data that is transferred between countries
  • Core principles:
    Collection Limitation
    Data Quality
    Purpose Specification
    Use Limitation
    Security Safeguards
    Openness
    Individual Participation
    Accountability
42
Q

Computer Crime Law - Computer Crime - Safe Harbor Privacy Principles (definition-rules)

A
  • They deal with US and EU data transfer requirements
  • Rules:
    • Notice
    • Choice
    • Onward Transfer
    • Security
    • Data Integrity
    • Access
    • Enforcement
43
Q

Computer Crime Law - Computer Crime - Import and Export Law (countries - wassenaar)

A
  • Each country has its own laws regarding import and export of goods
  • Wassenaar Agreement
    • Followed by 41 countries including the US
    • Goal: To prevent the buildup of further military capabilities
    • The Information Security part deals with the exchange of cryptography
44
Q

Computer Crime Law - Types of Legal Systems (CCCRM)

A
  • Civil (Code) Law System: Lower courts are not compelled to follow the decisions made by upper courts
  • Common Law System: Based on precedence
  • Customary Law System: Deals with personal conduct and behavior
  • Religious Law System: Based on religious beliefs of that region
  • Mixed Law System: Two or more of the previously mentioned systems used together
45
Q

Computer Crime Law - Types of Legal Systems - Common Law System types (CCA)

A
  • Criminal
    • To be convicted, guilt beyond reasonable doubt must be established
    • Cases are usually brought about by government prosecutors with a guilty or not guilty verdict
  • Civil/Tort
    • Offshoot of Criminal Law
    • Deals with wrongs committed against an individual or company that have resulted in injury or damages
    • If found liable, monetary reparations are usually made by the defendant, but loss of freedom is never a result
  • Administrative
    • Addresses issues such as international trade, manufacturing, environment and immigration
46
Q

Computer Crime Law - Intellectual Property (def-types: TCTP)

A
  • Law that allows individuals or companies to protect what is rightly theirs from illegal duplication or use
  • IP types:
    • Trade Secret
    • Copyright
    • Trademark
    • Patent
47
Q

Computer Crime Law - Intellectual Property - Trade Secret (def-expiry-nda-example)

A
  • Something a company creates or owns that is crucial to its survival and profitability
  • Does not expire as long as it remains a trade secret
  • Most companies with trade secrets make their employees sign an NDA
  • Example: Coca-Cola formula
48
Q

Computer Crime Law - Intellectual Property - Copyright (def-expression-expiry-computer specific)

A
  • Gives the author of a work the rights to control the display, adaptation, reproduction or distribution of that original work
  • Protects the expression of the idea rather than the idea itself
  • Expires after a limited amount of time
  • Specific to the computer industry
    • Protects source code and object code
    • Protects user interfaces
49
Q

Computer Crime Law - Intellectual Property - Trade Mark (def-brand-wipo)

A
  • Protects a name, symbol, word, sound, shape, color or any combination thereof
  • Represents a company’s brand identity to its potential consumers
  • WIPO (World Intellectual Property Organization) oversees International Trademark Law
50
Q

Computer Crime Law - Intellectual Property - Patent (protect-strongest-invention-computer specific)

A
  • Given to individuals or companies to protect an invention
  • Strongest form of IP protection
  • The invention must be novel, useful and non-obvious
  • Has an expiration date (20 years)
  • Specific to computer industry
    • Algorithms are commonly patented
    • Patent infringement prosecution is a matter of everyday life
    • Patent trolls buy patents only to sue infringing companies
51
Q

Computer Crime Law - Intellectual Property - Protection of Intellectual Property

A
  • A company must properly classify the data and implement sufficient protection (Due care)
  • If Due Care is not taken, litigation will fail
  • Software Piracy: Occurs when protected works or data are duplicated or used without permission or compensation to the author
  • Software Licensing: Freeware, Shareware, Commercial, Academic
  • EULA: Used for communicating the licensing requirements
  • FAST/BSA: Promote enforcement of software rights in order to combat piracy
  • DMCA:
    • Prohibits attempts to circumvent copyright protection mechanisms
    • In Europe, a similar law is the Copyright Directive
52
Q

Computer Crime Law - Privacy - Personally Identified Information (PII)

A
  • Any data that can be used to identify, contact or locate an individual
  • It’s sensitive data because it can be used for identity theft
  • Typical PII components
    Full Name
    ID Number
    Biometrics
    Digital Identities
    Birthdate
53
Q

Computer Crime Law - Privacy - Laws and Regulations

A
  • Federal Privacy Act of 1974
  • Federal Information Security Management Act of 2002 (FISMA)
  • Department of Veterans Affairs Information Security Protection Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • USA Patriot Act
  • Gramm-Leach-Bliley Act (GLBA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Economic Espionage Act of 1996
54
Q

Computer Crime Law - Privacy - Laws and Regulations - Federal Privacy Act of 1974

A

Federal agencies could collect and store info about an individual’s academic, medical, financial, criminal and employment history only if the agency had a necessary and relevant need to

55
Q

Computer Crime Law - Privacy - Federal Information Security Management Act of 2002 (FISMA)

A
  • Requires high-level officials of each agency to hold annual reviews of the information security programs and report the results to the Office of Management and Budget (OMB), which in turn reports to Congress on the level of compliance achieved
  • Requirements
    • Inventory of Information Systems
    • Categorization of the information and information systems according to risk
    • Security controls
    • Risk Assessment
    • System security plan
    • Certification and accreditation
    • Continuous monitoring
56
Q

Computer Crime Law - Privacy - Department of Veterans Affairs Information Security Protection Act

A
  • FISMA + additional requirements on that agency alone
  • Due to an incident in 2006

57
Q

Computer Crime Law - Privacy - Health Insurance Portability and Accountability Act (HIPAA)

A
  • PHI (Patient Health Information): PII+specific health details
  • Defines rules for any facility that creates, accesses, shares or destroys patient data
  • Works with fines
  • Does not require notification of data breaches
58
Q

Computer Crime Law - Privacy - Health Information Technology for Economic and Clinical Health Act (HITECH)

A
  • Created in 2009
  • Subtitle D
    • Electronic transmission of health information
    • Helps enforce HIPAA rules
  • It directs the US Secretary of Health and Human Services (HHS) to provide guidance on effective controls to protect data
  • Companies that comply with this guidance do not have to report data breaches. Otherwise, they have 60 days to report to HHS and the affected individuals
59
Q

Computer Crime Law - Privacy - Patriot Act

A
  • Reduces restrictions on law enforcement when searching electronic records
  • Allows greater foreign intelligence gathering within the US
  • Gives the Secretary of Treasury greater power to regulate financial transactions
  • Broadens the ability to detain or deport immigrants suspected of terrorism
  • Expands the definition on terrorism to include domestic terrorism
  • Now the government can monitor individuals’ electronic communications at will
60
Q

Computer Crime Law - Privacy - Gramm-Leach-Bliley Act (GLBA)

A
  • aka Financial Services Modernization Act
  • Requires financial institutions to create privacy notices and give their customers the ability to opt out of sharing their information with third parties
  • In the event of a data breach the institution must report it to the federal regulators, law enforcement and affected customers
61
Q

Computer Crime Law - Privacy - Personal Information Protection and Electronic Documents Act (PIPEDA)

A

Canadian protection of privacy law regarding e-commerce

62
Q

Computer Crime Law - Privacy - Payment Card Industry Data Security Standard (PCI DSS)

A
  • It’s a standard for data security created by the major credit companies
  • Credit companies will not work with a company that is not PCI compliant
63
Q

Computer Crime Law - Privacy - Economic Espionage Act of 1996

A
  • Passed in 1996
  • Defines who can investigate data breaches
  • Protects IP
64
Q

Computer Crime Law - Privacy - International Data Breaches

A

USA: Has a number of laws on the books

EU data protection regulation: Standardized data breach notification

65
Q

Policies, Standards, Baselines, Guidelines and Procedures - Policies - Security Policy

A

High-level statement that describes how security works within the organization.

66
Q

Policies, Standards, Baselines, Guidelines and Procedures - Policies - Security Policy Types (OIS)

A

Organizational Security Policy: Dictates how a security program will be constructed and describes how enforcement will be implemented. Sets the various goals. Addresses laws and regulations. Provides direction on the amount of risk the organization is willing to accept. Should be periodically reviewed and updated. Documentation should be version-controlled and applicable for several years into the future.

Issue-specific policy: Provides more detail on an area that needs further explanation. Must not be technology-specific. Examples: E-mail policy

System-specific policies: Contain details that are specific to a system. Sufficiently generic to allow for other technologies and solutions

67
Q

Policies, Standards, Baselines, Guidelines and Procedures - Policies - Another Policy Classification (IRA)

A
  • Informative: Informs employees on a broad range of topics in an unenforceable manner
  • Regulatory: Addresses regulatory requirements for a specific industry such as GLBA, PCI or HIPAA
  • Advisory: Advises employees on enforceable rules governing actions and behaviors
68
Q

Policies, Standards, Baselines, Guidelines and Procedures - Standards

A
  • Provide instruction on how to meet the policy
  • Standards must always be enforced

69
Q

Policies, Standards, Baselines, Guidelines and Procedures - Baselines

A
  • Point in time that is used as a comparison for future changes
  • A baseline results in a consistent reference point
70
Q

Policies, Standards, Baselines, Guidelines and Procedures - Guidelines

A

Reflect recommendations and guides for employees when a specific standard does not really apply

71
Q

Policies, Standards, Baselines, Guidelines and Procedures - Procedures

A

Where policies tell us where we want to go and standards provide the tools, procedures give us the step-by-step instructions on how to do it

72
Q

Risk Management - NIST SP 800-53 three tiers to risk management (OBI)

A

Organizational

Business Process

Information Systems (Our focus)

73
Q

Risk Management - Information Systems Risk Management

A

ISRM policy should address the following elements

  • The objectives of the ISRM team
  • What is considered an acceptable level of risk
  • How risks will be identified
  • How the ISRM policy fits within the organization’s strategic planning
  • Roles and responsibilities for the ISRM
  • Mapping of risk to controls, performance targets and budgets
  • How staff behavior and resource allocation will be modified
  • How the effectiveness of controls will be monitored
74
Q

Risk Management - The Risk Management Team

A
  • It can be a single person or more
  • Members usually do not spend 100% of their time on ISRM

75
Q

Risk Management - The Risk Management Process - Four components: (FARM)

A
  • Frame: Define the assumptions, constraints, priorities and the amount of risk the organization can tolerate
  • Assess: Determine threats, vulnerabilities and attack vectors
  • Respond: Match the available resources against a prioritized list of risks
  • Monitor: Continuously watch the controls to assess their effectiveness against the risk each was designed to protect the organization from
76
Q

Modeling Threats - Vulnerabilities (info-proc-people)

A
  • Information: Data at rest / Data in motion / Data in use
  • Processes: Blocks of code executing in-memory
  • People: Usual attack vector / Social engineering / Social networks / Passwords
77
Q

Modeling Threats - Threats (def-sources)

A
  • Potential cause of an unwanted incident, which may result in harm to a system or organization
  • Sources:
    • Deliberate outsiders
    • Deliberate insiders (The most dangerous group)
    • Accidental insiders
78
Q

Modeling Threats - Attacks (ends-tree-chain)

A
  • There are two ends to an attack
    • Attacker
    • Target
    • Means to an attack
  • Attack Tree: Steps and substeps in an attack
  • Attack Chain: One path that can be contained in an attack tree
79
Q

Modeling Threats - Reduction Analysis

A
  • Reduces the number of attacks to consider by identifying commonalities
  • Reduces the threat posed by attackers: the closer to the root a mitigation is implemented, the more risks it is likely to control
80
Q

Assessing and Analyzing Risk - Risk Assessment

A
  • Method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls
  • Outputs a list of vulnerabilities and threats
81
Q

Assessing and Analyzing Risk - Risk Analysis

A
  • Prioritizes the list obtained through the Risk Assessment
  • Assesses the amount of resources to properly mitigate the top threats
  • Goals
    • Identify and valuate assets
    • Identify vulnerabilities and associated threats
    • Quantify the likelihood of the threats
    • Calculate an economic balance between each threat and the cost of a countermeasure
  • Outputs a cost/benefit comparison
82
Q

Assessing and Analyzing Risk - Risk Analysis Team (alldepts-4questions)

A
  • Individuals from all departments
  • Good questions for this team to ask are
    1. What could happen?
    2. What would the impact be?
    3. How often could it happen?
    4. Do we really believe the first three answers?
83
Q

Assessing and Analyzing Risk - Calculating Value (calc-issues-2questions-allows)

A
  • Calculating currency-based value for each asset
  • Issues to be examined
    • Cost to acquire or develop the asset
    • Cost to maintain and protect the asset
    • Value of the asset to owners and users
    • Value of the asset to adversaries
    • Price others are willing to pay for the asset
    • Cost to replace the asset if lost
    • Operational and production activities affected if the asset is unavailable
    • Liability issues if the asset is compromised
    • Usefulness and role of the asset in the organization
  • Two questions should be asked:
    • What is the cost to protect an asset?
    • What is the cost if we did not protect an asset?
  • Allows us to do the following
    • Perform an effective cost/benefit analysis
    • Select proper controls
    • Determine the amount of insurance to purchase
    • Define exactly what is at risk
    • Comply with legal and regulatory requirements
84
Q

Assessing and Analyzing Risk - Identifying Vulnerabilities and Threats

A
  • Threats can arise from seemingly innocuous sources such as our own applications and users
    Examples:
    • An application could have a logic flaw, known as illogical processing, which destroys or compromises data or resources. This can then lead to cascading errors wherein a small flaw is passed to another process, which can amplify the flaw
    • A user can enter invalid data or even accidentally delete important data
  • Loss Potential: Every risk has one
  • Delayed Loss: It happens after the vulnerability has been exploited. Example: Your company’s reputation takes a hit
85
Q

Assessing and Analyzing Risk - Methodologies for Risk Assessment (NFOAIFC)

A
  • NIST SP 800-30
  • Facilitated Risk Analysis Process (FRAP)
  • Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE)
  • AS/NZS 4360
  • ISO 27005
  • Failure Mode and Effect Analysis (FMEA)
  • Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM)
86
Q

Assessing and Analyzing Risk - Methodologies for Risk Assessment - NIST SP 800-30 (PCiiddcCM)

A
1- Prepare for the assessment
2- Conduct the assessment
	a. Identify threats
	b. Identify vulnerabilities
	c. Determine likelihood
	d. Determine magnitude
	e. Calculate risk
3- Communicate the results
4- Maintain the assessment
87
Q

Assessing and Analyzing Risk - Methodologies for Risk Assessment - Facilitated Risk Analysis Process (FRAP)

A

Stresses a qualitative measurement of risk instead of trying to actually calculate a risk value

88
Q

Assessing and Analyzing Risk - Methodologies for Risk Assessment - Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) (premise-entireorg)

A
  • The premise of this methodology is that the people involved with a system or process should be the only ones making the decisions on security, as opposed to higher-level or external influences
  • Meant for entire organization
89
Q

Assessing and Analyzing Risk - Methodologies for Risk Assessment - AS/NZS 4360

A

Focuses on the organization’s overall health, but could be used in Security

90
Q

Assessing and Analyzing Risk - Methodologies for Risk Assessment - ISO 27005

A

Describes how RM should be carried out for ISMS

91
Q

Assessing and Analyzing Risk - Methodologies for Risk Assessment - Failure Mode and Effect Analysis (FMEA)

A
  • Focuses on identifying functions, their failures and the causes of those failures
  • Excels when examining a single system, but tends to break down when considering multiple systems
  • Steps
    1) Create a block diagram
    2) Consider what happens when each block fails
    3) Create a table of each failure and the corresponding impact
    4) Correct the design and repeat #3 until the system no longer has unacceptable weaknesses
    5) Have engineers review the design and table
92
Q

Assessing and Analyzing Risk - Methodologies for Risk Assessment - Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM)

A
  • UK originated
  • Siemens has an automated tool for it
  • Stages
    1) Define objectives
    2) Assess risk
    3) Identify countermeasures