Information Security Governance and Risk Management Flashcards
(99 cards)
What are 3 kinds of security policies?
Organizational
Functional
System-specific
Functional policy
Focuses on a specific security issue
A standard
Specify the technology or approach that must be used to control a security risk.
A document from a medical research company specifies the use of multi-factor authentication with a combination of key cards and biometrics for protecting access to a database.
Which component of a policy framework does this document represent?
Standard
A security procedure
Provides step-by-step instructions on how to comply with a security policy.
A baseline
Describes minimum technical security standards that should be maintained consistently across an organization.
A guideline
Recommendations that individuals can follow or use at their own discretion
For an organization to adhere to legislative and regulatory compliance, its control frameworks need to be 5 things
Consistent
Measurable
Standardized
Comprehensive
Modular
COSO - Committee of Sponsoring Organizations of the Treadway Commission
Formed to study and prevent fraud in financial reporting
ITIL - IT Infrastructure Library
Set of 34 books written to improve IT service management.
COBIT - Control Objectives for Information and related Technology.
34 high level processes and 214 control objectives to support the processes. Examines effectiveness of confidentiality, integrity, availability
ISO 27000
Standards for information security management
Contains 134 detailed information security controls based on 11 different areas.
ISO 27001
Can be tailored and applied to organizations of varying sizes.
NIST SP 800-53
Has 300 controls across 17 families and three classes. Mandatory for US federal government agencies and contractors.
COBIT divides into how many domains?
4
Planning and organization
Acquisition and implementation
Delivery and support
Monitoring
CRAMM
Developed by CCTA in Britain for risk analysis. Incorporates securing IT hardware and software with physical and human resources.
How many stages in the CRAMM methodology?
3
Identifying and valuing assets
Assessing threats and vulnerabilities
Selecting and recommending countermeasures
FMEA - Failure Modes and Effects Analysis methodology
Assesses risk by examining the effects at 3 different levels.
FRAP - Facilitated risk analysis process
Qualitative risk analysis method that uses pre-screening to identify critical risk areas.
8 NIST risk assessment methodology steps
Characterize systems
Identify threats
Identify countermeasures
Determine likelihood
Determine impact
Determine risk
Recommend additional countermeasures
Document results
OCTAVE - Operationally critical threat asset and vulnerability evaluation
Uses a self-directed interdisciplinary team to analyze and evaluate security risks by reviewing operational risk and security practices.
NIST
Qualitative risk assessment methodology established with healthcare in mind.
PUSH
Service-based risk assessment solution with 4 phases
Preparation
Universe definition
Scoring
Hitting the mark
SOMAP - Security Officers Management and Analysis Project
Swiss non-profit guide and risk assessment tool for open-source systems