Domain 1: Governance, Risk & Compliance Flashcards
What is Governance?
Governance is accountability, authorization to make decisions, and oversight. Proper governance ensures that the organization’s strategies are aligned with its business, regulatory, and operating environment.
What is Information Security Governance?
Information security governance is the framework for reducing information security risk to the organization. The framework should include:
* Definition of the information security strategy aligned with the organization’s governance and organizational goals.
* Information security organizational structure
* A methodology for risk management
* Information security management directives (including policies, standards, guidelines, and so on)
* Continuous measurement and improvement of the program
What are some of the external and internal drivers that shape a security program?
External drivers that shape security programs include regulatory drivers, industry best practices, and the risks and threats specific to the organisation.
Internal drivers that shape the information security program include:
* Leadership understanding and perception: to ensure security is a priority at the highest levels
* Management structure: to ensure the CISO has communication with leadership
* Culture and climate
* History and lessons learned
What is a fundamental aspect of Security Governance?
Measuring and monitoring the governance program itself, which supports the organization’s understanding of the security return on investment (ROI).
What are the factors that influence the size and spend of the CISO organisation?
Factors that can impact a security organisation's spending and sizing are extensive:
* value of assets, especially the most important ones
* type and frequency of risks and threats
* current state of the organization’s security posture
* regulatory requirements
Based on industry, published numbers, and trends, what are the numbers that align to CISO spending?
- security spending can range from $1,000 to $3,000 per full-time employee.
- security spending as a percentage of IT spending ranges from 1 percent to 15 percent
- surveys report 6 percent as an average, and some report information security spending as a percentage of IT spending as high as 30 percent
- range from 0.2 percent to 0.9 percent of company revenue.
What are the elements of the CISO management structure regardless of organisation?
The CISO management structure should have the following elements:
* Clear lines of authority (chain of command): clearly defined lines of reporting and authority
* Situational awareness: provide the CISO with a view of the performance of the entire security program.
* Internal and external communication and reporting: provide ways of reporting the most essential information within the security organization as well as outside of it.
What are the types of management structures?
The most common organisation types are:
* Hierarchical (tiered): provides clear lines of reporting, tight controls, and well-defined roles. However, it can also be bureaucratic, causing slow decision making and added costs.
* Flat (horizontal): best suited for smaller organisations.
* Matrix: thought of as a hybrid of hierarchical and flat, where resources report in a grid to multiple lines of management so that resources are shared more efficiently. However, this can create confusion and even conflicting goals and priorities.
What is the CIA triad?
- Confidentiality refers to the protection of data to ensure the data is only accessible by the people authorized to see it.
- Integrity refers to the accuracy of the data.
- Availability refers to the protection of systems to ensure reliable access to data and resources.
What are the definitions of Security Vulnerabilities, Threats, Risks, and Exposures?
- Vulnerability: Any weakness that could potentially be exploited.
- Threat: A potentially damaging event associated with the exploitation of a vulnerability.
- Risk: The likelihood that a vulnerability could be exploited and the corresponding impact of such an event.
- Exposure: The potential that a security breach could occur.
- Countermeasure: A control that is put in place to mitigate a risk
What are the four steps of a cyber attack?
- Reconnaissance: attacker conducts research to learn about the target by performing web searches, examining social media accounts of the organization and its employees, reading press releases and media articles, or even physically observing the organization’s employees or facilities.
- Enumeration: identify the organization’s information assets and corresponding vulnerabilities to exploit in the next phase.
- Exploitation: using attack methods for probing and exploiting specific vulnerabilities with the goal of gaining unauthorized access to the enterprise.
- Action on objectives: Once the attacker gains access, they can exfiltrate or steal data, modify data, destroy data, and otherwise disrupt the environment. Often the goal is to expand laterally, gaining access to other systems.
What are the common attack methods used within exploitation?
i. Phishing
ii. Fake websites
iii. Malware
iv. Virus: A type of malware that is usually hidden inside another application
v. Trojan: A virus disguised as something useful
vi. Worm: A virus that propagates itself to other systems
vii. Vulnerability-specific attacks
What is risk management?
The process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right controls to maintain that level.
According to SP 800-39, what are the three tiers to ensure risk management is applied to the entire organisation?
Three tiers:
1. Organizational tier
2. Mission/business process: using “risk-aware” business processes or addressing risk via the enterprise architecture as a whole
3. Information system: the SSDLC of a given system.
What are the three components of Risk management?
Approach: Encompasses all the activities and factors that go into implementing, managing, and improving the risk management program.
Process: Encompasses the activities from identifying the team and defining scope, through the method of identifying risk (quantitative or qualitative) and understanding risk levels, to finally making recommendations.
Method: The type of risk assessment methodology used to assess risk.