Information Security Governance and Risk Management Flashcards by David Geneve

What are 3 kinds of security policies

Organizational
Functional
System-specific

How well did you know this?

Not at all

Perfectly

Functional policy

Focus on specific security issue

How well did you know this?

Not at all

Perfectly

A standard

Specify the technology or approach that must be used to control a security risk.

How well did you know this?

Not at all

Perfectly

A document from a medical research company specifies the use of multi-factor authentication with a combination of key cards and biometrics for protecting access to a database.
Which component of a policy framework does this document represent?

Standard

How well did you know this?

Not at all

Perfectly

A security procedure

Provides step by step instructions on how to comply with a security policy.

How well did you know this?

Not at all

Perfectly

A baseline

Describes minimum technical security standards that should be maintained consistently across an organization.

How well did you know this?

Not at all

Perfectly

A guideline

Recommendations that individuals can follow or use at their own discretion

How well did you know this?

Not at all

Perfectly

For an organization to adhere to legislative and regulatory compliance, its control frameworks need to be 5 things

Consistent
Measurable
Standardized
Comprehensive
Modular

How well did you know this?

Not at all

Perfectly

COSO - Committee of Sponsoring Organizations of the Treadway Comission

Formed to study and prevent fraud in financial reporting

How well did you know this?

Not at all

Perfectly

ITIL - IT Infrastructure Library

set of 34 books written to improve IT service management.

How well did you know this?

Not at all

Perfectly

COBIT - Control Objectives for Information and related Technology.

34 high level processes and 214 control objectives to support the processes. Examines effectiveness of confidentiality, integrity, availability

How well did you know this?

Not at all

Perfectly

ISO 27000

Standards for information security management

Contains 134 detailed information security controls based on 11 different areas.

How well did you know this?

Not at all

Perfectly

ISO 27001

Can be tailored and applied to organizations of varying sizes.

How well did you know this?

Not at all

Perfectly

NIST SP 800-53

has 300 controls across 17 families and three classes. Mandatory for US fed govt agencies and contractors.

How well did you know this?

Not at all

Perfectly

COBIT divides into how many domains?

4
Planning and organization
acquisition and implementation
delivery and support
Monitoring

How well did you know this?

Not at all

Perfectly

CRAMM

Developed by CCTA in Britain for risk analysis. Incorporates securing IT hardware and software with physical and human resources.

How well did you know this?

Not at all

Perfectly

How many stages in CRAMM methology?

3
Identifying and valuing assets
assessing threats and vulnerability
Selecting and recommending countermeasures

How well did you know this?

Not at all

Perfectly

FMEA - failure modes and effect analysis methodology

Assesses risk by examining the effects at 3 different levels.

How well did you know this?

Not at all

Perfectly

FRAP - Facilitated risk analysis process

Qualitative risk analysis method that uses pre-screening to identify critical risk areas.

How well did you know this?

Not at all

Perfectly

8 NIST risk assessment methodology steps

characterize systems
identify threats
identify countermeasures
determine likelihood
determine impact
determine risk
recommend additional countermeasures
document results

How well did you know this?

Not at all

Perfectly

OCTAVE - Operationally critical threat asset and vulnerability evaluation

uses a self-directed interdisciplinary team to analyze and evaluate security risks by reviewing operational risk and security practices.

How well did you know this?

Not at all

Perfectly

NIST

Qualitative risk assessment methodology established with healthcare in mind.

How well did you know this?

Not at all

Perfectly

PUSH

service based risk assessment solution with 4 phases
Preparation
Universe definition
Scoring
Hitting the mark

How well did you know this?

Not at all

Perfectly

SOMAP - Security Officers Management and Analysis Project

Swiss non-profit guide and risk assessment tool for open-source systems

How well did you know this?

Not at all

Perfectly

How many stages in SOMAP?

``` 5 Risk treatment Data collection Threat analysis vulnerability analysis risk retention ```

VAR - value at risk methodology

theoretically based quantitative measure of information security risk. Creates summary of worst loss due to security breach and create a workable balance between the cost of implementing controls and reducing risk.

Number of stages in VAR - value at risk methodology

``` 4 Mitigate risk identify threats estimate var estimate likelihood ```

Risk management definition

comprises the tasks and activities associated with assessing, mitigating, and preventing potential threats to an organization.

Why is risk management important?

helps ensure legal compliance | enables identification and protection of critical assets

What are the two types of risk assessment?

qualitative | quantitative

Risk Assessment step | Define System characterization

Set the scope of the assessment. Determine system and data criticality and sensitivity at this stage

Risk Assessment step | Define Threat identification

Identify anything that may harm an IT system and system information.

Risk Assessment step | Define vulnerability identification

Review of system security procedures, design, implementation, or internal controls that may fail during an attack.

Risk Assessment step | Define Control analysis

Review of current and planned countermeasures against a security requirements checklist.

Risk Assessment step | Define Likelihood determination

Consider the capability and motivation of threat sources in terms of vulnerability

Risk Assessment step | Define impact analysis

Quantify or rate potential losses of integrity, availability, or confidentiality of system data.

Risk Assessment step | Define risk determination

Quantify the probability of attack, its impact, and the adequacy of current or planned controls.

Risk Assessment step | Define control recommendations

Consider the effectiveness, performance impacts, safety and reliability of control options.

Risk Assessment step | Define results determination

Present threat and vulnerability pairings with associated cost-benefit data.

4 types of risk responses

risk avoidance risk transfer risk mitigation risk acceptance

Risk transfer

Passing risk to a third party

Which frameworks & methodologies are designed for performing risk assessments?

OCTAVE, CRAMM, VAR

Which frameworks & methodologies are designed for implementing and auditing security controls?

COBIT, ITIL, COSO

What 5 things should an information security officer be able to provide information about

each risk the organization is facing likelihood and potential impact of a risk costs and benefits of potential solutions risk that will remain after a response is implemented a time frame for responding to a risk

6 Responsibilities of an information security officer

communicating risks to senior management ensuring regulatory compliance assisting auditors oversee development and delivery of a security awareness program. Monitor emerging threats and new technologies evaluating security incidents and responses

6 steps to reduce employee security policy violations

``` prepare accurate job descriptions check references conduct background checks ask new employees to sign employment agreements oversee how employees perform control terminations ```

When determining the value of an intangible asset, which is the best approach? A. determine the physical storage costs and multiply the expected life of the company. B. With the assistance of a finance of accounting professional determine how much profit the asset has returned. C. Review the depreciation of the intangible asset over the past three years. D. Use the historical acquisition or development cost of the intangible asset.

B. With the assistance of a finance of accounting professional determine how much profit the asset has returned.

Qualitative risk assessment is described by which of the following? A. ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process. B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics used for calculation of risk. C. Detailed metrics used for calculation of risk and eas of implementation. D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk.

A. ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process.

single loss expectancy SLE is calculated by using A. asset value and annualized rate of occurrence. B. asset value, local annual frequency estimate, and standard annual frequency estimate C. asset value and exposure factor D. local annual frequency estimate and annualized rate of occurrence.

C. asset value and exposure factor

Consideration for which type of risk assessment to perform includes all of the following A. culture of the organization, likelihood of exposure and budget B. budget, capabilities of resources and likelihood of exposure C. Capabilities of resources, likelihood of exposure and budget D. Culture of the organization, budget, capabilities and resources

D. Culture of the organization, budget, capabilities and resources

Security awareness training includes A. Legislated security compliance objectives B. Security roles and responsibilities for staff C. The high-level outcome of vulnerability assessments D. Specialized curriculum assignments, coursework and an accredited institution

B. Security roles and responsibilities for staff

A signed user acknowledgement of the corporate security policy A. Ensures that users have read the policy B. Ensures that users understand the policy, as well as the consequences for not following the policy C. Can be waived if the organization is satisfied that users have an adequate understanding of the policy D. helps to protect the organization if a user's behavior violates the policy.

D. helps to protect the organization if a user's behavior violates the policy.

``` Effective security management A. Achieves security at the lowest cost B. reduces risk to an acceptable level C. prioritizes security for new products D. installs patches in a timely manner ```

B. reduces risk to an acceptable level

Availability makes information accessible by protecting it from: A. Denial of service, fires, floods, hurricanes, and unauthorized transactions. B. fires, floods, hurricanes, unauthorized transactions and unreadable backup tapes C. unauthorized transactions, fires, floods, hurricanes and unreadable backup tapes D. denial of services, fires, floods, hurricanes, and unreadable tapes.

D. denial of services, fires, floods, hurricanes, and unreadable tapes.

``` To avoid bias, the security officer could report to any of the following A. CEO, application development, or CFO B. CIO, CFO, or application development C. CFO, CEO, CIO D. application development, CFO, CEO ```

C. CFO, CEO, CIO

Tactical security plans are best used to A. establish high-level security policies B. enable enterprise/entity-wide security management C. reduce downtime D. deploy new security technology

D. deploy new security technology

``` Who is accountable for implementing information security? A. everyone B. senior management C. security officer D. data owners ```

C. security officer

``` Security is likely to be most expensive when addressed in which phase? A. design B. rapid prototyping C. testing D. implementation ```

D. implementation

Information systems auditors help the organization A. mitigate compliance issues B. establish an effective control environment C. identify control gaps D. address information technology for financial statements.

C. identify control gaps

``` Long duration security projects A. provide greater organizational value B. increase ROI C. minimize risk D. increase completion risk ```

D. increase completion risk

Setting clear security roles has the following benefits A. establishes personal accountability, reduces cross-training requirements and reduces departmental turf battles B. enables continuous improvement, reduces cross-training requirements and reduces departmental turf battles C. Establishes personal accountability, establishes continuous improvement and reduces turf battles D. Reduces departmental turf battles, reduces cross-training requirements and establishes personal accountability.

C. Establishes personal accountability, establishes continuous improvement and reduces turf battles

Well-written security program policies are best reviewed A. at least annually or at pre-determined organization changes B. after major project implementations C. When applications or operating systems are updated D. When procedures need to be modified.

A. at least annually or at pre-determined organization changes

``` Orally obtaining a password from an employee is the result of A. social engineering B. weak authentication controls C. ticket granting server authorization D. voice recognition software ```

A. social engineering

A security policy which will remain relevant and meaningful over time includes the following: A. Directive words such as shall, must, or will, technical specifications and is short in length B. Defined policy development process, short in length and contains directive words such as shall, must, or will C. Short in length, technical specifications and contains directive words such as shall, must or will D. Directive words such as shall, must, or will defined policy development process and is short in length

D. Directive words such as shall, must, or will defined policy development process and is short in length

``` The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendors violates which concept? A. a well formed transaction B. separation of duties C. least privilege D. data sensitivity level ```

B. separation of duties

``` Collusion is best mitigated through A. Job rotation B. Data classification C. defining job sensitivity level D. least privilege ```

A. Job rotation

``` Data access decisions are best made by A. user managers B. data owners C. senior management D. application developers ```

B. data owners

Which of the following best describes the relationship between CobiT and ITIL? A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance. B. CobiT provides a corporate goverance roadmap, whereas ITIL is a customizable framework for IT service management. C. CobiT defines IT goals, whereas ITIL provides the process level steps on how to achieve them. D. CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service level goals.

C. CobiT defines IT goals, whereas ITIL provides the process level steps on how to achieve them.

What is a "safe harbor"?

A set of "good faith" conditions which if met, may temporarily or indefinitely protect the organization from the penalties of a new law or regulation.

What information security act must federal agencies adhere to?

FISMA - Federal Information Security Management Act

What directive protects personal information in Europe?

European Data Protection Directive

How often should security policies be reviewed?

Annually

``` Jane has been charged with ensuring that clients' personal health information is adequately protected before it is exchanged with a new European Partner. What data security requirements must she adhere to? A. HIPPAA B. NIST SP 800-66 C. Safe Harbor D. European Union Principles on Privacy ```

C. Safe Harbor

Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this? A. Committee of Sponsoring Organizations of the Treadway Commission B. The Organization for Economic Co-operation and Development. C. CobiT D. International Organization for Standardization

B. The Organization for Economic Co-operation and Development.

``` Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining? A. Security policy committee B. Audit committee C. risk management committee D. Security steering committee ```

D. Security steering committee

As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim's responsibility as information owner? A. Assigning information classifications. B. Dictating how data should be protected C. Verifying the availability of data D. Determining how long to retain data.

C. Verifying the availability of data

Assigning data classification levels can help with all of the following except: A. The grouping of classified information with hierarchical and restrictive security B. Ensuring that nonsensitive data is not being protected by unnecessary controls C. Extracting data from a database D. Lowering the costs of protecting data

C. Extracting data from a database

Which of the following is not included in a risk assessment? A. Discontinuing activities that introduce risk B. Identifying assets C. Identifying threats D. Analyzing risk in order of cost or criticality

A. Discontinuing activities that introduce risk

``` Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's email system. What type of approach is her company taking to handle the risk posed by the system? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transference ```

A. Risk mitigation

The integrity of data is not related to which of the following? A. Unauthorized manipulation or changes to data B. The modification of data without authorization C. The intentional or accidental substitution of data D. The extraction of data to share with unauthorized entities.

D. The extraction of data to share with unauthorized entities.

There are several methods an intruder can use to gain access to a company's assets. Which of the following best describes masquerading? A. Changing an IP packet's source address B. Elevating privileges to gain access C. An attempt to gain unauthorized access to as another user. D. Creating a new authorized user with hacking tools

C. An attempt to gain unauthorized access to as another user.

A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset? A. The asset's value in the external marketplace. B. The level of insurance required to cover the asset. C. The initial and outgoing costs of purchasing, licensing, and supporting the asset D. The asset's value to the organization's production operations.

B. The level of insurance required to cover the asset.

Jill is establishing a company wide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database? A. Increase the database's security controls and provide more granularity B. Implement access controls that display each user's permissions each time they access the database. C. Change the database's classification label to higher security status. D. Decrease the security so that all users can access the information as needed.

A. Increase the database's security controls and provide more granularity

As his company's CISCO, George needs to demonstrate to the board of directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk? A. threats x vulnerability x asset value = residual risk B. SLE x frequency - ALE which is equivalent to residual risk C. (threats x vulnerability x asset value ) x control gap = residual risk D. (total risk - asset value) x countermeasures = residual risk

C. (threats x vulnerability x asset value ) x control gap = residual risk

Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep? A. Users have a tendency to request additional permissions without asking for others to be taken away. B. It is a violation of least privilege. C. It enforces the "need to know" concept D. It commonly occurs when users transfer to other departments.

C. It enforces the "need to know" concept

For what purpose was the COSO framwork developed? A. To address fraudulent financial activities and reporting. B. To help organizations install, implement, and maintain Cobit controls C. To serve as a guideline for IT security auditors to use when verifying compliance. D. To address regulatory requirements related to protecting private health information.

A. To address fraudulent financial activities and reporting.

Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is chief privacy officer. What is the primary function of her new role? A. Ensuring the protection of partner data B. Ensuring the accuracy and protection of company financial information C. Ensuring that security policies are defined and enforced. D. Ensuring the protection of customer, company, and employee data

D. Ensuring the protection of customer, company, and employee data

``` Jared plays a role in his company's classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared's role? A. Data owner B. Data custodian C. Data user D. Information systems auditor ```

C. Data user

``` Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks? A. FAP B. OCATAVE C. ANZ 4360 D. NIST SP 800-30 ```

C. ANZ 4360

Which of the following is not a characteristic of a company with a security governance program in place? A. Board members are updated quarterly on the state of security. B. All security activity takes place within the security department. C. Security products, services, and consultants are deployed in an informed manner. D. The organization has established metrics and goals for improving security.

B. All security activity takes place within the security department.

Michael is charged with developing a classification program for his company. Which of the following should he do first? A. Understand the different levels of protection that must be provided. B. Specify data classification criteria C. Identify the data custodians D. Determine protection mechanisms for each classification level.

A. Understand the different levels of protection that must be provided.

ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems standards. It comprises information security standards published jointly by the International Organization for Standardization and the International Electrotechnical Commission. Which of the following provides an incorrect mapping of the individual standards that make up this family of standards? A. ISO/IEC 27002 code of practice for information security management B. ISO/IEC 27003 guideline for ISMS implementation C. ISO/IEC 27004 guieldine for information security management measurement and metrics framemwork. D. ISO/IEC 27005 guideline for bodies providing audit and certification of information security management systems.

D. ISO/IEC 27005 guideline for bodies providing audit and certification of information security management systems.

CobiT defines

goals for the controls that should be used to properly manage IT and ensure IT maps to business needs Addresses what is to be achieved

ITIL defines

general activities necessary to achieve goals | Addresses how to achieve goals

Name the health care related risk assessment methodology

NIST SP-800-66

Which information role is responsible for verifying data availability?

information custodian

What is the job of the information custodian?

Carry out the mandates of the information owner

What is residual risk?

Risk left after countermeasures are implemented.

What is the Chief privacy officer responsible for?

Ensuring the security of customer, company, and employee data.

Information Security Governance and Risk Management Flashcards

(99 cards)