Domain 1: Sec. Risk mgt. Flashcards
(21 cards)
What are the different roles and responsibilities?
- Senior mgt
- Steering Committee
- CISO
- Information Security Manager
- Business Managers
- Security Practitioners
- Auditors
- Sec owners
What are the different kinds of controls?
By implementation type:
- Physical
- Technical
- Administrative
By timing relative to the incident:
- Safeguards: proactive (prevent/deter)
- Countermeasures: reactive (respond/recover)
What is the order of Risk Identification?
Assets -> Threats -> Existing controls -> Vulnerabilities -> Consequences (impact)
What are the 1st, 2nd and 3rd lines in Risk mgt?
1st: Business units (day-to-day operations, own the risk and apply the controls)
2nd: Risk and Compliance (oversee Risk mgt, develop the framework)
3rd: Audit (reviews the 1st and 2nd lines; independent and objective, offers assurance)
What are the elements of quantitative Risk assessment?
- AV (Asset Value): dollars
- EF (Exposure Factor): percentage of the asset value lost in a single incident
- SLE (Single Loss Expectancy): dollars. SLE = AV x EF
- ARO (Annual Rate of Occurrence): expected number of incidents per year
- ALE (Annual Loss Expectancy): dollars per year. ALE = SLE x ARO
- TCO (Total Cost of Ownership of the control): annualised cost of the safeguard
- ROI (Return on Investment): money saved. Value of a control = ALE before - ALE after - annual cost of the control
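Worked example of the quantitative elements above, added here as illustration and not part of the original flashcard deck. It computes SLE and ALE, values two candidate controls with the cost-benefit formula (ALE before minus ALE after minus the control's annual cost) and picks the one worth buying, or recommends acceptance when none pays for itself. The asset figures and the two controls are constructed for the example; names such as `Control`, `control_value` and `best_control` are the example's own.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual exposure it leaves behind."""
    name: str
    annual_cost: float   # annualised TCO of the control (dollars/year)
    new_ef: float        # exposure factor after the control is in place (0..1)
    new_aro: float       # annual rate of occurrence after the control is in place


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy: asset value x exposure factor."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    if av < 0:
        raise ValueError("AV cannot be negative")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annual Loss Expectancy: SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


def control_value(av: float, ef: float, aro: float, control: Control) -> float:
    """Annual value of a safeguard: ALE_before - ALE_after - annual cost.

    Positive means the control saves more than it costs; negative means
    the organisation would pay more for the control than the risk it removes.
    """
    before = ale(av, ef, aro)
    after = ale(av, control.new_ef, control.new_aro)
    return before - after - control.annual_cost


def best_control(av: float, ef: float, aro: float,
                 controls: Sequence[Control]) -> Optional[Control]:
    """Pick the control with the highest positive value.

    Returns None when no control has a positive value, i.e. the cost-benefit
    analysis supports risk acceptance (which must still be documented).
    """
    ranked = sorted(controls,
                    key=lambda c: control_value(av, ef, aro, c),
                    reverse=True)
    if not ranked or control_value(av, ef, aro, ranked[0]) <= 0:
        return None
    return ranked[0]


# Constructed sample input (hypothetical figures, not from any real assessment):
# a file server worth $500,000; a ransomware event destroys 30% of its value
# and is expected once every five years.
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.30
ARO_BASELINE = 0.2

# Two hypothetical controls: nightly offline backups cut the loss per incident
# but not its frequency; a fully mirrored site removes the loss entirely.
BACKUPS = Control("offline backups", annual_cost=8_000.0, new_ef=0.05, new_aro=0.2)
MIRRORED_SITE = Control("mirrored site", annual_cost=40_000.0, new_ef=0.0, new_aro=0.2)
CANDIDATES = (BACKUPS, MIRRORED_SITE)


if __name__ == "__main__":
    print(f"SLE = ${sle(ASSET_VALUE, EXPOSURE_FACTOR):,.0f}")
    print(f"ALE = ${ale(ASSET_VALUE, EXPOSURE_FACTOR, ARO_BASELINE):,.0f}/year")
    for c in CANDIDATES:
        print(f"{c.name}: value ${control_value(ASSET_VALUE, EXPOSURE_FACTOR, ARO_BASELINE, c):,.0f}/year")
    chosen = best_control(ASSET_VALUE, EXPOSURE_FACTOR, ARO_BASELINE, CANDIDATES)
    print("decision:", chosen.name if chosen else "accept the risk (document the justification)")
```

With these numbers the backups are worth $17,000 a year (ALE drops from $30,000 to $5,000 for $8,000), while the mirrored site costs $10,000 a year more than the risk it removes, so it should not be bought on cost-benefit grounds alone. Note that the comparison only holds if the ALE inputs (EF, ARO) are re-estimated as threats change, which is exactly what the risk-monitoring card below asks for.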
What are the four overall Risk response types?
- Reduce (mitigate): lower likelihood and/or impact with controls
- Transfer: share the risk with another organisation (insurance, outsourcing under an SLA)
- Acceptance: based on a cost-benefit analysis. Document the justification for not mitigating. Still requires due diligence (the risk is accepted, not ignored)
- Rejection: ignoring or denying the risk. Not acceptable!
How do you ensure Risk monitoring?
- Re-evaluate the Risk assessment regularly and after significant change
- Stay up to date on threats and on the effectiveness of controls
- Use Key Risk Indicators (KRI): early warnings, trend analysis, indication of where the ORG stands against its Risk appetite and tolerance, input for optimising Risk governance
What is negligence?
The lack of due care or due diligence
What is the difference between Due Care and Due Diligence?
Due Care: DOING. Enforcing policy to bring the ORG into compliance
Due Diligence: KNOWING. Researching standards, best practices and the ORG's own risks before acting
What kinds of laws are there?
Criminal law
Civil law
Administrative law
Intellectual Property law: protecting products (patents, copyright, trademarks, trade secrets)
What is mandatory vacation?
Forcing the employee to take leave and rotating another person into that position, so that any suspicious activity surfaces while the regular employee is away. A detective (administrative) control against fraud
What is the definition of Civil law, Common law, Customary law, Religious law?
Civil: rule-based (codified) law, not precedent-based
Common law: based on previous court interpretations (precedent)
Customary law: deals mainly with personal conduct and established patterns of behaviour
Religious law: based on the beliefs of the religion
What is the purpose of Awareness, training and Education?
- about behaviour change
- part of due care; an administrative control
- ideally tailored to the employee's job description (awareness for everyone, training for roles, education for specialists)
- makes it possible to hold employees accountable for their actions
- raises collective sec. awareness in the ORG
What is the difference between BCP and DRP?
BCP: sustaining business operations. Long term by nature. An umbrella covering DRP. The safety net for Risk management (handles the unknown unknowns)
DRP: deals with the immediate aftermath. Restoring critical, time-sensitive systems. Short term. IT-focused
What is the scale of disruptions?
Non-disaster: incident. Inconvenience. E.g. a hard drive failure
Emergency/crisis: imminent potential for loss of life or property
Disaster: facilities unusable for a longer time
Catastrophe: destruction of the facility
Which frameworks speak about BCP?
- DRII (Disaster Recovery Institute International)
- NIST SP 800-34 Rev. 1 (Contingency Planning Guide)
- ISO 27031 (ICT readiness for business continuity)
- BCI GPG (Good Practice Guidelines)
- ISC2's four processes of BCP
What is the typical order of BCP (NIST SP 800-34 process)?
BCP policy statement ->
BIA ->
Identify preventive controls ->
Contingency strategies ->
BCP (write the plan) ->
Testing, training, exercises ->
Maintenance
What are the ISC2 four steps of BCP?
- Project scope and planning
- BIA
- Continuity planning
- Approval and implementation
What is step 1 of BCP?
Project scope and planning
- policy statement
- business organisation analysis: operational departments, core services, assets
- BCP team creation: cross-functional, with senior mgt. representation
- analysis of available resources
- legal and regulatory landscape (HR/Legal)
What is step 2 of BCP?
BIA
- rank processes by criticality (RPO/RTO/SLO service level objective)
- MTD (maximum tolerable downtime): must be greater than RTO. MTD = RTO + WRT
- RTO (recovery time objective): the time allowed to bring the asset/system back up
- RPO (recovery point objective): the amount of data (measured as time since the last good copy) the ORG can afford to lose
- WRT (work recovery time): the time after the system is back to verify data and restore the business function itself, not just the asset
What is step 3 of BCP?
Continuity planning
- strategy development
- provisions and processes
1. People
2. Buildings and facilities (Mirrored site: direct ownership / Cold site (weeks) / Warm site (days) / Hot site (hours)): MOA or SLA. Vendor agreement
Memorandum of Understanding (MOU): internal
Memorandum of Agreement (MOA): external
Step 4: sign-off/approval by senior mgt. and implementation!