Info Sec Gov and Risk Mgt

Question 1

Qualitative Risk Analysis

Answer 1

performed via Risk Analysis Matrix and is based on likelihood and consequences; uses simple approximate values, more subjective

Question 2

senior management

Answer 2

creates the information security program and ensures that it is properly staffed and funded

Question 3

AV

Answer 3

asset value: value of the asset you are trying to protect

Question 4

procedure

Answer 4

step-by-step guide for accomplishing a task; low leve and specific; mandatory

Question 4

accreditation

Answer 4

data owner’s acceptance of the risk represented by that system

Question 5

HIPAA

Answer 5

Healthcare

Question 5

due diligence

Answer 5

management of due care

Question 5

Certification

Answer 5

detailed inspection that verifies whether a system meets the documented security requirements

Question 7

ROI

Answer 7

return on investment: money saved by deploying a safeguard

Question 8

Policy purpose

Answer 8

describes the need for the policy

Question 9

GLBA

Answer 9

Gramm-Leach-Bliley Act: protects financial info in USA

Question 10

policy types

Answer 10

NIST spec pub 800-12 [4] Chap 5 describes 3 specific policy types: program policy, issue-specific policy, system-specific policy

Question 11

4 steps to C&A

Answer 11

1. initiation phase 2. security certification phase 3. security accreditation phase 4. continuous monitoring phase

Question 12

Info security governance

Answer 12

Info Sec at the organizational level: senior mgt, policies, processes, staffing

Question 13

SLE

Answer 13

single loss expectancy: cost of a single loss

Question 13

who poses biggest security risk to an org

Answer 13

user

Question 14

privacy

Answer 14

protection of the confidentiality of personal info

Question 15

risk

Answer 15

a matched threat and vulnerability

Question 16

transfer the risk

Answer 16

“insurance model”; you pay someone else to assume the risk (like homeowners insurance)

Question 18

safeguard

Answer 18

measure taken to reduce risk

Question 18

market approach

Answer 18

assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances

Question 18

standards

Answer 18

describes the specific use of technology; mandatory

Question 19

due care

Answer 19

doing what a reasonable person would do; aka “prudent man rule

Question 19

4 domains of COBIT

Answer 19

1. plan and organize 2. Acquire and implement 3. deliver and support 4. monitor and eval

Question 20

data owner

Answer 20

management employee responsible for ensureing that specific data is protected

Question 21

Risk Choices

Answer 21

Accept, Mitigate/eliminate, transfer, avoid

Question 21

offshoring

Answer 21

outsourcing to another country

Question 22

Quantitative Risk Analysis

Answer 22

uses hard metrics, such as dollars, more objective; ie calculating ALE

Question 23

ITL Service Mgt practicces publications

Answer 23

1. service strategy 2. service design 3. service transition 4. service operation 5. continual service improvement

Question 24

cost approach

Answer 24

estimates the fair value of the asset by reference to the costst that would ve incurred in order to recreate or replace the asset

Question 24

ISO 17799

Answer 24

broadbased approach for info sec code of practice; 11 areas: 1. policy 2. Org of Info Sec 3. asset mg't 4 Human resources sec 5. physical and environmental sec 6. comm and ops mgt 7. access control 8. info sys acq, dev, and mx 9. info sec incident mgt 10. business continuity mgt 11. compliance

Question 26

mitigate the risk

Answer 26

lowering the risk to an acceptable level

Question 27

OCTAVE

Answer 27

operationally critical threat, asset, and vulnerabilty evaluation; 3 phases: 1-ID staff knowledge, assets, threat 2-ID vulnerabiliites and eval safeguards 3-conduct risk analysis and develop risk mitigation strat

Question 29

ARO

Answer 29

annual rate of occurrence: number of losses you suffer per year

Question 30

income approach

Answer 30

based on the premise that the value of a security or asset is the present value of the future earning capacity that an asset will generate over the remainder of its useful life

Question 31

loss of human life

Answer 31

near infinite impact and must be mitigated at almost any cost

Question 32

SOX

Answer 32

Sarbanes-Oxley: publicly traded data in USA

Question 34

policy

Answer 34

high-level management directives; mandatory; components: purpose, scope, responsibilities, compliance

Question 35

vulnerability

Answer 35

weakness in a system

Question 35

auditing

Answer 35

verifying compliance to a security control framwork

Question 36

gross negligence

Answer 36

opposite of due care

Question 37

user

Answer 37

must follow the rules; cannot assume they know, must tell them via information security awareness

Question 38

outsourcing

Answer 38

use of a 3rd party to provide IT support services that were previously performed in-=house

Question 40

Risk Equations

Answer 40

Asset Value AV Exposure Factor EF Single Loss Expectancy (SLE) = AV \* EF Annual Rate of Occurrence ARO Annualized Loss Expectancy (ALE) = SLE \* ARO

Question 41

ALE

Answer 41

Annualized Loss Expectancy: cost of loss due to a risk over a year; allows you to make informed decisiosn to mitigate risk

Question 43

three methods for calculating value of intangible assets

Answer 43

Market approach, income approach, cost approach

Question 45

risk avoidance

Answer 45

simply not doing something that introduces risk

Question 47

guidelines

Answer 47

recommendations

Question 48

aspects of personnel security

Answer 48

background checks, employee termination, security awareness and training, contractor security, outsourcing/offshoring

Question 50

Accepting Risk

Answer 50

low-likelihood/low-condequence risks are candidates for risk acceptance; high and extremem risks cannot be accepted

Question 51

policy compliance

Answer 51

describes 1) how to judge the effectiveness of the polices (how well are they working) 2) what happens when policy is violated (the sanction)

Question 52

custodians

Answer 52

provide hands-on protection of assets such as data

Question 53

assets

Answer 53

valuable resources you are trying to protect

Question 54

baselines

Answer 54

uniform ways of implementing a safeguard; discretionary

Question 55

policy responsibilities

Answer 55

include responsibilities of info sec staff, policy and mgt teams, and all members of the org

Question 56

Threat

Answer 56

a potentially negative occurrence

Question 57

risk equation

Answer 57

Risk = Threat \* Vulnerability (and sometimes \* Impact)

Question 58

ISO 27002

Answer 58

formerly known as ISOP 17799

Question 59

TCO

Answer 59

total cost of ownership: cost of a mitigating safeguard. Combines upfront costs + annual cost of mx, staff, vendor mx, software, etc

Question 60

ITIL

Answer 60

Info Tech Infrastructure Library: framework for providing best services in IT Service Mgt

Question 61

policy scope

Answer 61

describes what systems, people, facilities, and organizations are covered by the policy

Question 62

EF

Answer 62

exposure factor: percentage of value an asset lost due to an incident

Question 63

COBIT

Answer 63

control objectives for Info and related Tech: control framework for employing info sec governance best practices w/in an org