Domain 1: Security and Risk Management Flashcards

1
Q

3 main elements of Security Program

A

People, Process, Technology

2
Q

Important for people

A

training, knowledge/skill set, company culture

3
Q

important about process

A

controls how people interact with the technology

4
Q

Information Security Triad

A

Confidentiality, Integrity, Availability

5
Q

cost v. performance

A

always a balance between levels of security and performance. Security will reduce performance.

6
Q

Confidentiality

A

Prevent unauthorized disclosure

7
Q

Integrity

A

Prevent unauthorized modification

8
Q

Availability

A

Timely access to resources

9
Q

Why implement security?

A

To support the mission of the organization, not security for security's sake

10
Q

GRC

A

Governance, Risk, Compliance

11
Q

Why GRC Came about

A

Response to widescale fraud and unethical behaviors of organizations in the early 2000s. Open Compliance & Ethics Group (OCEG) provided open standards addressing GRC

12
Q

Culpable Negligence

A

Not doing something a reasonably cautious person would do

13
Q

Due Care

A

Acting on the research to show you have acted prudently

15
Q

Prudent Person Rule

A

You have used due diligence and due care to take reasonable actions, responsibly and cautiously

16
Q

Ultimate Responsibility/Liability

A

Senior Management

17
Q

Information Security Frameworks

A

Provide standard set of IS requirements to guide organizations; foundation, structure

18
Q

ISO 27001 has how many domains

A

14

19
Q

ISO 27001

A

Specifies requirements for establishing, implementing, maintaining, and improving an IS Management system within an organization

20
Q

GDPR

A

General Data Privacy Regulation

21
Q

Who adheres to GDPR

A

Not the US, more popular in Europe

22
Q

Goal of GDPR

A

Protect the Rights of data subjects

23
Q

Data subject

A

person the data pertains to

24
Q

Timeline for Breach Disclosure under GDPR

A

72 hours to notification

25
Seven Steps of the NIST CSF
Prioritize and scope, Orient, Create a current profile, Conduct a risk assessment, Create a target profile, Determine, analyze, and prioritize gaps, Implement action plan
26
Gap Analysis
Identifying and prioritizing gaps between where you are and where you want to be
27
5 goals of NIST CSF
Identify, Protect, Detect, Respond, Recover
28
CMMI Five Maturity Levels
Initial, Developing, Defined, Managed, Optimized
29
CMMI Maturity Model
Identifies Maturity of Technology, Process, and People
30
CMMI Level 1
People are unstaffed or uncoordinated, no formal security program, no security controls exist
31
CMMI Level 2
Infosec leadership established, Basic governance and risk management process/policies, some controls in development with limited documentation
32
CMMI Level 3
Some roles and responsibilities established, organization wide processes and policies in place with minimal verification, more controls documented and developed, over reliant on individual efforts
33
CMMI Level 4
Increased resources and awareness, clearly defined roles and responsibilities, formal infosec committees, verification and measurement processes, controls monitored, measured for compliance but uneven levels of automation
34
CMMI Level 5
Culture supports continuous improvements, processes comprehensively implemented, risk based and quantitatively understood, controls comprehensively implemented and automated
35
Information Security Program Steps
Provide means for achieving strategy; policies/standards/procedures/guidelines; controls and control objectives; 3rd party governance; data classification/security; Certification and Accreditation (aka Assessment and Authorization); auditing
36
Corporate Policy
Comes from senior leadership, expresses their vision for security
37
System Specific Policy
Every system or role of system should have their own policy
38
Issue Specific Policy
Policy focusing on a specific issue ex. Change Management Policy
39
List of Issue Specific Policies
Change Management, Acceptable Use, Privacy, Data/System Ownership, Separation of Duties, Mandatory Vacations, Job Rotation, Least Privilege, Need to Know, Dual Control, M of N Control
40
Change management policy
discusses how to manage and approve changes to the system
41
Acceptable Use policy
Policy stating how to use system resources and restrictions
42
Privacy policy
Pertains to employee privacy and notification of employees
43
Data/System Ownership Policy
Data is more important for security, policy states who has security ownership as it pertains to systems and data
44
Separation of Duties
Prevents any 1 individual from being too powerful, separates duties and forces collusion (multiple people coming together to perform an action)
45
Mandatory vacations
Only in finance, mandates a set number of days in a row where employee can do absolutely no work actions or communications. Detective control
46
Job Rotation
Personnel rotation through positions to avoid knowing all the workarounds and provide cross-training
47
Least Privilege / Need to Know
Only allow people to perform actions they need to or access data they need to know
48
Dual Control
Takes multiple personnel to perform an action, identifies specific personnel
49
M of N Control
X out of Y personnel need to be present, more flexible than Dual Control
50
Standards, Procedures, and Guidelines difference
Standards and Procedures are mandatory, guidelines are not.
51
Strategic Policy Framework pieces
Driven by senior management. Org Drivers, Principles, Policies
52
Tactical Policy Framework pieces
Standards, Guidelines, Procedures, and Baselines
53
Compensating control
When plan A doesn't work or provide a full and complete solution
54
Control Objectives
understanding of the long-term objectives of an organization. strategy should describe a well-articulated vision of the desired outcomes for a security program through SMART objectives
55
Senior Management Responsibilities
Provide oversight; provide funding and support; ensure testing; prioritize business functions; establish a common vision/strategy/framework; sign off on policy, BIA (business impact analysis), and other organizational documents
56
Steering committee Responsibilities
Oversight of the Information Security Program; act as liaison between management, business, IT, and IS; assess and incorporate results of risk assessments into the decision-making process; ensure all stakeholder interests are addressed; oversee compliance activities
57
Chief Informational Officer Responsibilities
Strategic planning, policy development, technology assessments, process improvements, acquisitions, capital planning, security
58
Chief Information Security Office (CISO) Responsibilities
Responsible for the CIA Triad; usually reports to the CIO; conducts risk assessments, program management, loss prevention, incident management, security operations
59
Information Security manager Responsibilities
Functional manager responsible for achieving and determining the "how"; plays a leading role in introducing an appropriate methodology; acts as major consultant in support of senior management
60
Business Managers Responsibilities
The data owners; responsible for business operations; individual lines of business provide direction to ensure security is implemented in such a way as to meet objectives; responsible for security enforcement and direction; responsible for the day to day
61
Security Practitioners Responsibilities
Responsible for implementation of security requirements; support or use the risk management process to identify and assess new potential risks and implement new security controls as needed
62
Auditors Responsibilities
Evaluation of controls and policies; can be internal or external; document, do not modify
63
Security Trainers Responsibilities
Understand the risk management process; develop training materials; conduct security trainings and awareness programs catered to roles within the org; incorporate risk assessment into training programs to educate end users; encourage users to report violations
64
Information Security Risk Management
ISRM, process of managing risks associated with the use of information technology; identifying assessing and treating risks to the CIA of organization's assets
65
Asset
Anything of value to the company
66
Vulnerability
A weakness, the absence of a safeguard
67
Threat
Something that could pose loss to all or part of an asset
68
Threat Agent
What carries out the attack
69
Exploit
An instance of compromise
70
Risk
The probability of a threat materializing
71
Controls
Physical, Administrative, and Technical Protections
72
Safeguards
Deterrents or Preventive Controls
73
Countermeasures
Detective or Corrective Controls
74
Total Risk
The risk that exists before any control is implemented
75
Residual Risk
Risk that is left after applying a control
76
Secondary Risk
When one risk response triggers another risk event
77
Incident
A risk event that has transpired
78
Risk Management Lifecycle
Identify, assess, mitigate, monitor
79
Risk Identification
First step in lifecycle: discover all threats and vulnerabilities against assets. Record risks in a risk register
80
Risk Assessment
Second step in lifecycle, Determining loss potential. Probability * Impact
81
Risk Mitigation
Third step in lifecycle, How we respond based on risk assessment. Could be controls, removal of risk, or transferring risk
82
Risk Monitoring
Final step in lifecycle, ensuring risks stay in allowable range
83
Formula for Risk
Asset Value * Threat * Vulnerability = Risk
84
STRIDE Threats
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Escalation of Privilege
85
DREAD Vulnerabilities
Damage potential, Reproducibility, Exploitability, Affected user base, Discoverability
86
Qualitative Risk Assessment
Subjective analysis to help prioritize probability and impact of risk events; may use the Delphi Technique (anonymous inputs from users); uses terms like high/medium/low for probability and impact; produces a heat map
87
Quantitative Risk Assessment
Provides a dollar value to a risk event; more difficult and requires a special skill set; can't exist on its own, depends on qualitative info
88
Asset Value (AV)
Dollar figure that represents what the asset is worth to the organization
89
Exposure Factor (EF)
Percentage of loss that is expected to result in the manifestation of an actual risk event
90
Single Loss Expectancy (SLE)
Dollar figure that represents the cost of a single occurrence of a threat instance
91
Annual Rate of Occurrence (ARO)
How often the threat is expected to materialize
92
Annual Loss Expectancy (ALE)
Cost per year as a result of the threat
93
Total Cost of Ownership (TCO)
cost of implementing a safeguard, includes initial cost and maintenance fees
94
Return on Investment (ROI)
money saved by implementing a safeguard; also known as value of safeguard/control
95
Single Loss Expectancy (SLE) Formula
AV * EF
96
ALE Formula
SLE * ARO
97
TCO Formula
Initial Cost of Control + Yearly Fees
98
ROI Formula
ALE before Control - ALE after Control - Cost of control
99
Steps for Quantitative Analysis
Assign asset value (AV); calculate exposure factor (EF); calculate single loss expectancy (SLE); assess the annualized rate of occurrence (ARO); derive the annualized loss expectancy (ALE); perform cost/benefit analysis of countermeasures
100
Key Performance Indicator (KPI)
Performance objectives for the system. not meeting objectives could be a sign of an incident
101
Key Risk Indicator (KRI)
A trigger for a risk; provides early warning; provides a backward-looking view on risk events; enables documentation and analysis of trends; provides an indication of risk appetite and tolerance; increases the likelihood of achieving strategic objectives; assists in optimizing risk governance
102
Wassenaar Arrangement
Cryptographic software is allowed to non-government end-users of other countries; no exporting of strong encryption software to terrorist states
103
Import Restrictions
Some countries do not allow import of crypto tools with strong encryption unless a copy of the private keys is provided to law enforcement so they can break the encryption
104
HIPAA
Regulation of Health info for individuals
105
Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)
Financial agencies required to protect financial information
106
Payment Card Industry Data Security Standard (PCI DSS)
Self regulated for credit card information
107
Parol Evidence
When agreement in written form, it contains all terms of the agreement. No verbal agreements can modify written agreement