Domain 1. Security and Risk Management. BEINFOSEC. Flashcards

1
Q

At what point is the BCP considered validated for use within the organization?

A

When it has been tested and proven effective under realistic conditions.

A common answer might be “after it has been approved by senior management.” However, senior management’s approval merely authorizes the implementation of BCP processes; approval does not show that the plan works. Senior management is accountable for the BCP process, but the plan is only validated once it has been exercised and shown to be effective.

2
Q

Which best describes the Recovery Time Objective (RTO)?

A

The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources and on the mission/business processes it supports. The RTO must be shorter than the Maximum Tolerable Downtime (MTD) of those processes.

The goal of the RTO is to restore the identified business processes to normal operations before that maximum amount of time has elapsed.

3
Q

The Security Operations Center (SOC) has discovered that an internal server has become infected with a virus. When responding to this virus infection, which of the following canons from the code of ethics would be considered the most important?

A
  1. Provide diligent and competent service to principals.

Providing diligent and competent service would be the most important. Without the ability to contain and eradicate the virus, it would be impossible to apply any of the other canons.

4
Q

When conducting a risk analysis, what would be the least important factor when determining the value of an organizational asset?

A

How long it will take to replace the asset.

Impact on the organization, as well as budgeting concerns, should be considered before any timelines. If the asset is critical to the business, timeframes such as the recovery time objective (RTO) will be addressed during Business Continuity Planning (BCP).

5
Q

Senior management has asked you to help with a risk assessment for the Information Technology (IT) department. They want this risk assessment to be done as quickly as possible to identify some general risks so that they can determine some next steps. What type of risk assessment would be the best choice in this situation?

A

A qualitative risk assessment is the best option: it is a general risk assessment that does not require numbers or monetary values to perform risk calculations, so it can be completed quickly.

“Qualitative methodology differs in that measures are based on the subjective judgment from assessors and organizational decision-makers. The way these assessments are communicated is in terms like high, medium, and low. The process is equivalent to the general risk management equation used throughout assessment of information risk.”

6
Q

Define policy, standard, procedure, and guideline.

A
  1. Policy = High-level mandate to comply with security requirements
  2. Standard = Consistent set of requirements for compliance
  3. Procedure = Highly detailed instructions for implementation
  4. Guideline = Best practice recommendations for implementation
7
Q

You have been invited to attend a webinar on Docker containers and want to use this training to better understand how to apply security to these containers. Which canon from the code of ethics (CoE) best describes your attendance at this webinar?

A
  1. Advance and protect the profession.

This would be an example of advancing and protecting the profession. Learning how to secure Docker containers will make you a better security professional, which in turn enables you to provide diligent and competent service.

8
Q

Ruth is working with the system stakeholders to update the security program and has identified several policies, processes, and procedures that need to be created or updated. One of the processes Ruth is concerned with is an acquisition policy. Why is this important to security?

A

To prevent security risks as a result of an acquired product.

Organizational acquisition strategies aim to reduce the security risks introduced by newly acquired products. Every product acquired or brought in from outside the organization poses a security risk, so the acquisition policy defines the security requirements and vetting a product must satisfy before it is brought in.

9
Q

Your organization is performing business continuity planning to establish recovery objectives for its critical business processes. Which of the following does not pertain to business continuity planning (BCP)?

A

Identifying the necessary recovery steps is a part of Disaster Recovery Planning (DRP) and is not part of BCP.

BCP focuses on assessing and minimizing risks to critical business processes in the event of a major disruption. It ensures the organization can maintain operations during a disaster or interruption; the detailed recovery steps belong to the DRP.

10
Q

Douglas is working on a security software project that will be sold internationally by his organization when it is complete. He wants to ensure that the project complies with import and export regulations as the project contains multiple technologies and security features. Which of these would most likely violate most import/export regulations?

A

Encryption and decryption techniques used by the software.

Encryption and decryption techniques are the most likely regulated capability, especially if the exporting and importing countries participate in the Wassenaar Arrangement. Under Category 5 Part 2, “Information Security,” of the Arrangement’s dual-use control list, cryptographic products are explicitly listed as controlled items.

11
Q

Newly hired employees are required to complete security awareness training that is specifically focused on their roles and responsibilities. The new hires are also required to provide a certificate of completion to their security manager before they are given access to the information system, and are required to repeat the training annually. What security concept does the certificate of completion demonstrate?

A

Due Diligence.

Due diligence is an organization’s ongoing effort to verify that assets and/or personnel remain protected. A good way to think of this is “Do Maintain.” Putting the training requirement in place is due care; the ongoing verification that it is actually completed, and repeated annually so that employees stay current on modern-day risks, is due diligence. The certificate of completion is the evidence that the organization checks, before granting access and again every year, that the training was done, which demonstrates due diligence.

12
Q

As part of threat modeling, what would be the least expected outcome?

A

Identify and mitigate the different threat vectors targeting the system design.

The purpose of threat modeling is to identify and analyze potential threats from both the attack and the defense perspectives. The goal of the exercise itself is not to correct, fix, or otherwise mitigate the findings. Threat modeling provides situational awareness of how the system design can be attacked, using threat information and indicators to better understand the security posture. Mitigations are then designed and implemented after a risk analysis of the threat findings.

13
Q

Kevin is performing a risk assessment to help determine the proper level of classification and security for a data owner’s sensitive data. What should Kevin verify with the data owner first before he conducts the risk assessment?

A

Understand how the sensitive data is accessed and used in the organization.

Before data can be classified or categorized, it’s critical to understand the value and how the data is used within an organization. “The classification helps to determine the security controls to be used to manage and safeguard the data against unauthorized access, improper retention, and unsafe destruction.”

14
Q

An information system in your organization contains multiple categories of information. At any given time, there is data that can be released to the public, sensitive data such as personally identifiable information, and trade secret data that pertains to a special organizational project. How should each of these data types be protected?

A

The data should be protected at the same level as the special project data.

If the data is not isolated or segmented, all of the system’s data must be protected at the classification level of the most sensitive information it contains; the highest classification governs the whole system.

“You will not be able to know which assets are more valuable than others. The result will be an inefficient, costly information security plan attempting to secure all assets, with an assumption that the assets are located in all parts of the organization (local storage, shared storage, in the cloud, etc.). Worse, some assets requiring minimal protection, like public information, will be secured the same as confidential information. You will want to be able to locate, categorize, and differentiate the security approaches to your assets.”

15
Q

When building an information security program, what is the first thing you should consider?

A

Understand the intrinsic value of the information assets.

“The value in properly categorizing data is to permit appropriate security controls based on the level of risk. Oversecuring data is a waste of resources, while not securing data can present risks that may be unacceptable. At the enterprise level, the combination of mismanaging data categorization can be profound.”

Before we can decide which laws and regulations apply, what level of risk the data owners would accept, or how business relationships would be affected, we have to identify what kind of data we are trying to protect and what its value is to the business. Then we can categorize that data and begin selecting security controls in accordance with laws, regulations, and other governance.
