Info Gov Flashcards by Linden Taggart

What are the 5 classifications commonly used by the U.S. department of Defence?

Unclassified
Sensitive but Unclassified (SBU)
Confidential
Secret
Top Secret

How well did you know this?

Not at all

Perfectly

What is the opposite of CIA?

Disclosure
Alteration
Destruction

How well did you know this?

Not at all

Perfectly

Which classification level (US DoD) may often use the terms “for official use only” or “for internal use only”?

Unclassified

How well did you know this?

Not at all

Perfectly

What is the difference between unclassified and SBU? (US DoD)

SBU generally contains personal information ie medical records or disciplinary proceedings.

How well did you know this?

Not at all

Perfectly

What is the lowest level of classified government information? (US DoD)

Confidential

How well did you know this?

Not at all

Perfectly

What term is commonly used to collectively represent policies, procedures, guidelines and standards that help steer an organisations decisions and operations?

Governance

How well did you know this?

Not at all

Perfectly

What are the four main types of policies?

SARI

Senior Management
Regulatory
Advisory
Informative

How well did you know this?

Not at all

Perfectly

Which type of policy do most policies fall under?

SARI

Advisory

How well did you know this?

Not at all

Perfectly

Which type of identity management system facilitates authentication, non-repudiation and access control via digital certificates?

PKI

How well did you know this?

Not at all

Perfectly

Which 3 of the following 5 background checks would commonly be included as part of more extensive pre-employment screening?
Credit check
Drug test
Reference check
Special background investigation
Verification of personal/professional data in application

Credit check
Drug test
Special background investigations

How well did you know this?

Not at all

Perfectly

Who is ultimately responsible for an organisations information security? management or information security professional?

Management

How well did you know this?

Not at all

Perfectly

With regards information a system admin what commonly be known as what? Information owner or custodian?

Custodian

How well did you know this?

Not at all

Perfectly

Which term is used to ensure that not one individual has complete authority or control over a critical system or process and also reduces dependence on individuals, ie avoiding a single point of failure?

Separation of duties

How well did you know this?

Not at all

Perfectly

Which terms describes regularly transferring key personnel into different roles or positions in different parts of the organisation?

Job rotation

How well did you know this?

Not at all

Perfectly

What 3 things does the risk assessment triple consist of?

Quantities risk methodologies
Risk calculations
Safeguard selection criteria and objectives

How well did you know this?

Not at all

Perfectly

What 2 elements are multiplied to calculate a risk?

Threat x Vulnerability = Risk

How well did you know this?

Not at all

Perfectly

What 3 elements does the risk management triple consist of?

Threat
Vulnerability
Asset

How well did you know this?

Not at all

Perfectly

Risk management consists of 3 elements. What are they?

Identification
Analysis
Risk Treatment

How well did you know this?

Not at all

Perfectly

When does risk identification occur?

During a risk assessment

How well did you know this?

Not at all

Perfectly

What are the two methods used for determining the value of an asset?

Quantitive

Qualities

How well did you know this?

Not at all

Perfectly

Which method is related to cost? Quantitive or qualative?

Quantitive

How well did you know this?

Not at all

Perfectly

Which method is related to importance? Quantitive or qualative

Qualative

How well did you know this?

Not at all

Perfectly

What 3 basic elements are used to determine the value of an asset?

Initial and maintenance costs
Organisational (internal) value
Public value

How well did you know this?

Not at all

Perfectly

Which value (organisational or public) includes the cost of acquiring, creating or re-creatinine information, and the business impact or loss if the information is lost or compromised. It can also include liability costs, personal injury, death, etc?

Organisational

How well did you know this?

Not at all

Perfectly

Which value (organisational or public) includes loss of proprietary information or processes and business reputation?

Public

What are the 4 basic steps in threat analysis?

1. Define the threat 2. Identify the consequences if threat occurs 3. Determine the probable frequency of threat event 4. Assess the probability of threat occurring

What two types are threats generally categorised as?

Man made | Natural

Which 4 steps are involved in risk analysis?

1. Identify assets to be protected including sensitivity, value, importance to the organisation. 2. Define specific threats including threat frequency and impact data 3. Calculate Annualised Loss Expectancy (ALE) 4. Select appropriate safeguards

How is the annual loss expectancy calculated?

SLE x ARO = ALE | Single loss expectancy x annual rate of occurrence

How is single loss expectancy (SLE) calculated?

Asset value x Exposure Factor

What is a measure of the negative effect or impact that a realised threat or event would have on a specific asset, expressed as a percentage otherwise known as?

Exposure factor

Which type of risk analysis would include the following advantages? No complex calculations are required Time and work effort involved is relatively low Volume of input data required is relatively low

Qualative

Which type of risk analysis would include the following advantages? Financial costs are defined (cost-benefit analysis) More concise, specific data supports analysis, ie fewer assumptions Analysis and calculations can often be automated Specific quantifiable results are easier to communicate

Quantitive

Which type of risk analysis is scenario driven and doesn't use numeric values?

Qualative

Which type of risk analysis attempts to assign objective numeric values?

Quantitive

Purely Quantitive risk analysis is generally not possible or practical? True or false?

True

What are the 4 methods of risk treatment?

Risk reduction Risk assignment (or transference) Risk avoidance Risk acceptance

What is the calculation for cost benefit analysis?

ALE before safeguard - ALE after safeguard - cost of safeguard = value of safeguard

What should be considered when calculating the cost of a safeguard?

Total cost of ownership (TCO)

What 4 criteria should be considered when selecting a safeguard?

Cost effectiveness Legal liability Operational impact Technical factors

What are the 3 main components of an effective security awareness program?

General awareness program, formal training and education

What 5 key factors are critical to a successful security awareness program?

Senior level management support Demonstration that security supports business objectives Demonstration that security affects all individuals and job functions Take into account the target audience ie level of training Action and follow up

Which person directs, coordinates, plans and organises information security activities throughout the organisation? Security officer Information Systems Security professional Security Administrator

Security Officer

Who is responsible for drafting of policies, standards and supporting guidelines, procedures and baselines? Security officer Information Systems Security professional Security Administrator

Information Systems Security Professional

Who is responsible for designing security controls into information systems, testing the controls and implementing the systems in production? Security officer Information Systems Security professional Security Administrator Information Systems/Technology Professional

Information Systems/Technology Professional

Who is responsible for managing user access requests and privileges? Security officer Information Systems Security professional Security Administrator Information Systems/Technology Professional

Security Administrator

NIST SP 800-53 is mandatory for US federal agencies and their contractors. True or False?

True

NIST SP 600-53 and ISO 27001 are examples of what?

Control frameworks

Common organisations that develop standards?

National Institute of Standards and technology (NIST) Institute of Electronics and Electrical Engineers (IEEE) American National Standards Institure (ANSI) National Security Agency (NSA)

Guidelines are recommendations, best practices and templates documented in the frameworks created by other organisations such as:

- Control Objectives For Information and Related Technology (COBIT) - the Capability Maturity Model (CMM) - ISO 2700

``` Which two governance Framework documents are best to keep as standalone? procedures guidelines policies standards baselines ```

Standards and Policies

How often should a policy be reviewed?

Annually

The following are types of what? Canada's "Security of Information Act" China's Law on "Guarding State Secrets" The UK's "Official Secrets Act"

classification and categorisation systems.

NIST Federal Information Processing Standard 199 and NIST special publication 800-60 "Guide for mapping types of information and information systems to security categories" are required to be followed by whom

The US Federal Government

What are the 9 steps of the NIST Risk Methodology?

1. System Characterisation 2. Threat Identification 3. Vulnerability Identification 4. Control Analysis 5. Liklihood Determination 6. Impact Analysis 7. Risk Determination 8. Control Reccomendations 9. Results Documentation

Which Framework/Methodology identifies 5 areas of internal control necessary to meet the Financial Reporting and disclosure objectives?

-COSO (The Committee of sponsoring organisations of the Treadway Commission)

Which Framework/Methodology contains a set of best practices for IT core operational processes such as change, release and configuration management, incident and problem management, capacity and availability management and IT Financial Management. It's primary contribution is showing how the controls can be implemented for the service management IT processes? - ITIL (The IT Infrastructure Library) - COBIT (Control Objectives for Information and Related Technology)

- ITIL (The IT Infrastructure Library)

Which Framework/Methodology provides an overall structure for information technology control and includes control objectives. Also used to examine effectiveness, efficiency, compliance, confidentiality, etc. of high level control objectives. - ITIL (The IT Infrastructure Library) - COBIT (Control Objectives for Information and Related Technology)

- COBIT (Control Objectives for Information and Related Technology)

What is ISO 17799:2005 standard?

contains 134 information security controls

What is ISO/IEC 27000?

the information security management series

What is ISO 27002:2005?

specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system

name 8 types of risk methodologies?

- NIST SP 800-30, 800-39, 800-66 - Qualative, used by US federal government, plus regulated industries and health care. 9 stages - CRAMM - staged discipline approach, both technical and non-technical. uses asset identification & valuation, threat and vulnerability assessment and countermeasure selection and recommendation - Failure Modes and Effect Analysis - hardware/software analysis using Immediate level, intermediate level and system wide - FRAP - uses a narrow risk assessment. allows for pre-screening to determine is risk analysis is needed - OCTAVE - driven by operational risk and security practices. criteria is a set of principles, attributes and outputs - Security Officers Management and Analysis Project (SOMAP) - open information security management project - Spanning Tree Analysis - creates a tree of all possible threats to or faults in a system - VAR (Value At Risk) - provides a summary of the worst loss due to a security breach over a target horizon

In a quantitative risk methodology, the calculation ALE = SLE x ARO can be adjusted using which 2 estimates?

Local Annual Frequency Estimate (LAFE) | Standard Annual Frequency Estimate (SAFE)

What are the 4 elements of a risk?

threat vulnerability likelihood impact

What is the calculation for risk?

likelihood x impact

Which risk methodology uses likelihood?

Qualitative

How can the likelihood be determined?

capabilities of the threat and the presence or absence of countermeasures

In asset valuation, what is the consensus/modified Delphi method?

Participants in a valuation exercise are asked to comment anonymously about the task at hand. results collected and then discussed in public forum

What is the difference between a tangible asset and a intangible asset?

Tangible is something physical, intangible is not.

How is a tangible asset generally valued?

Original cost minus depreciation.

What are 3 ways to determine tangible asset value?

- Original cost minus depreciation - Actual market value through research - cost of switching to a competing asset

Intangible assets can be defined as what?

Definite - expiration date ,ie patent | Indefinite - no expiration date, ie brand

How can an intangible asset value be calculated?

- cost to create and replace - capitalisation of historic profits - cost avoidance or savings

Job descriptions should have some reference to information security responsibilities. True or False?

True

Credit checks carried out as part of employment checks must be done in line with which pieces of legislation in the US?

Fair Credit Reporting Act (FCRA) | Equal Employment Opportunity Commission (EEOC)

In the US the law "Americans with Disabilities Act" (ADA) may provide protection for which individuals in the event of drug screening as part of employment checks?

individuals undergoing drug rehabilitation

What is a CIRT?

Computer Incident Response Team

Info Gov Flashcards

(77 cards)