Information Security Governance and Risk Management Flashcards

(68 cards)

1
Q

Principles and Terms

CIA Triad
Vulnerability
Threat
Threat Agents

A

CIA Triad - Confidentiality, Integrity, Availability

Vulnerability - absence or weakness of a countermeasure

Threat - occurs when vulnerability is identified or exploited by an attacker

Threat Agents - Entity that carries out the threat. Not all will actually exploit a vulnerability

2
Q

Principles and Terms

Risk
Exposure
Countermeasures
Due Care

A

Risk - Probability that a threat agent will exploit a vulnerability and the impact if it’s carried out

Exposure - Occurs when an asset is exposed to loss

Countermeasures - A Control or Mechanism that reduces potential risk. AKA safeguards or controls

Due Care - Organization took all reasonable measures to prevent security breaches and took steps to mitigate damages caused by successful breaches. NOT due diligence. Lack of due care means the company knew about a risk and did nothing to prevent it

3
Q

Principles and Terms

Due Diligence

Job Rotation

A

Due Diligence - Organization investigated all vulnerabilities. Includes performing audits and assessments to ensure they’re protected

Job Rotation - Ensures more than one person can perform job tasks, providing redundancy. Important tool to help recognize when fraudulent activities have occurred

4
Q

Principles and Terms

Separation of Duties and 2 ways to do it

split knowledge
dual controls

A

Ensures one person can’t compromise organizational security.

split knowledge - no single employee knows all details to perform task

dual controls - requires 2 employees to be available to do a certain task to complete the job

5
Q

Security Frameworks and Methodologies

ISO / IEC 27000 Series (over 40)

27001 - overview, vocabulary 
27002 - ISMS requirements
27003 - code of practice for infosec mgmt
27004 - ISMS implementation guidelines
27005 - ISMS measurement guidelines

A

Security program development standard on how to develop and maintain information security management system (ISMS)

These standards are developed by ISO / IEC bodies but certification or conformity assessment is provided by third parties

6
Q

Security Frameworks and Methodologies

Zachman Framework
2D, 6x6 grid of questions and views

A

Enterprise architecture framework

2-Dimensional classification system based on 6 questions (What, Where, When, Why, Who, How) that intersect with different views (Planner, Owner, Designer, Builder, Subcontractor, Actual System)

Allows analysis of an org. to be presented to different groups in the org. in ways that relate to their responsibilities

Not security oriented, but helps relay information in a language and format that is useful to target audience

7
Q

Security Frameworks and Methodologies

The Open Group Architecture Framework (TOGAF)

A

TOGAF - enterprise architecture framework

helps orgs design, plan, implement, govern an enterprise information architecture.

Based on 4 domains: technology, applications, data, business

8
Q

Security Frameworks and Methodologies

Department of Defense Architecture Framework (DoDAF)

A

DoDAF - architecture framework

organizes set of products under 4 views: operational (OV), system (SV), technical standards (TV), all view (AV)

ensures new DoD technologies integrate properly with current infrastructure

9
Q

Security Frameworks and Methodologies

British Ministry of Defense Architecture Framework (MODAF)

A

MODAF - architecture framework

Divides information into 7 viewpoints:

strategic (StV)
operational  (OV)
service-oriented (SOV)
systems (SV)
acquisition (ACV)
technical (TV)
all (AV)
10
Q

Security Frameworks and Methodologies

Sherwood Applied Business Security Architecture (SABSA)

A

Enterprise security architecture framework that is risk driven

Similar to Zachman framework
uses same 6 communication questions that intersect with six layers instead of views (operational, component, physical, logical, conceptual)

11
Q

Security Frameworks and Methodologies

Control Objectives for Information and Related Technology (COBIT)

A

Security Controls development framework

Uses process model to subdivide IT into 4 domains:
Plan and Organize (PO)
Acquire and Implement (AI)
Deliver and Support (DS)
Monitor and Evaluate (ME)

4 domains are further broken down into 34 processes

aligns with ITIL, PMI, ISO, TOGAF frameworks

mainly used in private sector

12
Q

Security Frameworks and Methodologies

NIST SP 800-53

NIST SP 800-55

A

SP 800-53
Security CONTROLS DEVELOPMENT framework
Divides controls (countermeasures) into 3 classes: technical, operational, mgmt
each class contains categories, or control families

SP 800-55
information security METRICS framework
provides guidance on developing performance measuring procedures with a US Govt viewpoint

14
Q

Security Frameworks and Methodologies

Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework

A

COSO
Corporate governance framework.
Consists of 5 inter-related components: control environment, risk assessment, control activities, information and communication, monitoring

COSO is for IT governance
COBIT was derived from COSO and is for corporate governance

15
Q

Security Frameworks and Methodologies

ITIL

A

Process Management Development. Primary concern is managing SLAs, but has a security component

5 Core Publications containing 26 processes
ITIL Service Strategy
ITIL Service Design
ITIL Service Transition
ITIL Service Operation
ITIL Continual Service Improvement

Under OMB Circular A-130, an independent review of security controls should be performed every 3 years

16
Q

Security Frameworks and Methodologies

Six Sigma

A

Process Improvement Standard. Designed to ID and remove defects in manufacturing process, but can be applied to many business functions incl. security

2 project methodologies inspired by Deming’s Plan/Do/Check/Act cycle

DMAIC - Define, Measure, Analyze, Improve, Control
DMADV - Define, Measure, Analyze, Design, Verify

17
Q

Security Frameworks and Methodologies

Capability Maturity Model Integration (CMMI)

A

Process Improvement Approach

Addresses 3 areas of interest:
Product and Service Development (CMMI Development)
Service Establishment and Mgmt (CMMI Services)
Product and Service Acquisition (CMMI Acquisition)

5 levels of maturity for processes
1 Initial
2 Managed
3 Defined
4 Quantitatively Managed
5 Optimized

All processes in each area of interest are assigned one of the 5 levels of maturity

18
Q

Security Frameworks and Methodologies

Top-Down vs Bottom-Up approach

A

Top-Down
management initiates, supports, directs security program

Bottom-Up
staff members develop security program before getting direction and support from management

top-down is more efficient because management support is so important

19
Q

Security Frameworks and Methodologies

Steps of Security Program Life Cycle

  1. Plan and Organize
  2. Implement
  3. Operate and maintain
  4. Monitor and evaluate

A

plan and organize
perform risk assessment, establish mgmt and steering committee, evaluate business drivers, get mgmt approval

implement
ID and manage assets, manage risk, identity and access control, training on security and awareness, implement solutions

operate and maintain
perform audits, do tasks, manage SLAs

monitor and evaluate
review auditing and logs, evaluate security goals, develop improvement plans for integration into Step 1 - Plan and Organize

20
Q

Risk Assessment

A

Tool to identify vulnerabilities and threats, assess their impact and determine which controls to implement

21
Q

Risk Assessment

4 goals of Risk Assessment

A

ID assets and asset value

ID vulnerabilities and threats

calculate threat probability and business impact

balance threat impact with countermeasure cost

22
Q

Risk Assessment Process

A

before starting risk assessment, determine which assets and threats to consider to establish the size of the project

risk assessment team provides report to mgmt on value of assets considered

mgmt finalizes the asset list and determines budget of risk assessment project

if the risk assessment project is not supported by sr. mgmt, it will fail

mgmt must define the purpose and scope, allocate personnel, time and budget for the project

23
Q

Risk Assessment

NIST SP 800-30

A

Identifies these steps in risk assessment process

ID assets and value
ID threats
ID vulnerabilities
Determine likelihood
ID impact
Determine risk as a combination of likelihood and impact
24
Q

Asset Values, Vulnerabilities and Threats

Information and Asset (tangible and intangible) Values and Costs

6 considerations to determine asset value

after determining value, then determine vulnerabilities and threats

A

Tangible assets
Intangible assets - IP, data, reputation

6 considerations to determine asset value:

value to owner
work needed to develop or obtain asset
costs to maintain asset
damage caused by losing asset
cost competitors would pay for asset
penalties if asset was lost
25
Q

Asset Values, Vulnerabilities and Threats

Vulnerabilities and Threats Identification

Threat agents can be grouped into 6 categories

A

Human - malicious, non-malicious, insiders, outsiders, terrorists

Natural - flood, fire, etc.

Technical - hardware or software failure, malware, new technology

Physical - failures of CCTV, biometrics, perimeter security

Environmental - power failure, traffic issues, hazmat spills, biological warfare

Operational - any process or procedure that can affect CIA
26
Q

Quantitative Risk Analysis

A

Assigns monetary and numerical values to all facets of the risk analysis process. Includes asset value, threat frequency, vulnerability severity, impact, safeguard costs, etc.
27
Q

Quantitative Risk Analysis

Single Loss Expectancy (SLE)

A

SLE - monetary impact of each threat occurrence. To determine it, you must know the Asset Value (AV) and the Exposure Factor (EF). EF is the % of the value or functionality of an asset that is lost when a threat occurs

SLE = AV * EF

Ex. If an asset costs $20,000 and the assessment says the exposure factor for power failure is 25%, then SLE is $5,000
28
Q

Quantitative Risk Analysis

Exposure Factor (EF)

A

EF - The percent of the value or functionality of an asset that will be lost when a threat occurs
29
Q

Quantitative Risk Analysis

Annual Loss Expectancy (ALE)

A

ALE - expected risk factor of an annual threat event. Must first know the SLE and the ARO (annualized rate of occurrence)

ALE = SLE * ARO
ALE = (AV * EF) * ARO

Ex. If ARO is 50%, AV is $20,000 and EF is 25%, then

```
ALE = (20,000 * .25) * (.5)
ALE = 5000 * .5
ALE = $2,500
```
31
Q

Qualitative Risk Analysis

Techniques

A

intuition, experience, best practices
brainstorming, focus groups
surveys, questionnaires, meetings
Delphi
32
Q

Qualitative Risk Analysis

Advantages of Qualitative Risk Analysis

A

Prioritizes risks and identifies areas for immediate improvement in addressing threats
33
Q

Qualitative Risk Analysis

Disadvantages of Qualitative Risk Analysis

A

Results are subjective and a dollar value is not provided for cost-benefit analysis or budgeting

All organizations experience issues with any estimates. This lack of confidence in an estimate is called uncertainty and is expressed as a percentage

All risk assessment reports should include the uncertainty level
34
Q

Safeguard Selection

Criteria for choosing safeguards (or controls)

A

The cost effectiveness of the safeguard or control, including planning, designing, implementing and maintenance costs
35
Q

Safeguard Selection

Formula to calculate cost-benefit analysis. Knowing the corrected ARO after the safeguard is implemented is necessary for determining safeguard value. Legal liability exists if the cost of the safeguard is less than the estimated loss if the threat is exploited

A

safeguard value = (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)

To complete this equation you have to know the revised ALE after the safeguard is implemented (which can be hard to assess)
36
Q

Total Risk vs Residual Risk

Total Risk
Residual Risk

A

Total Risk - risk that the organization could encounter if it decides not to implement any safeguards

Residual Risk - risk that is left over after safeguards are implemented
37
Q

Total Risk vs Residual Risk

Equation to represent residual risk (this equation is more conceptual than an actual calculation)

A

residual risk = (total risk) - countermeasures
40
Q

Risk Management

Handling Risk - 4 basic methods

A

risk avoidance - terminating the activity that causes risk, or choosing a safer alternative

risk transfer - passing risk to a 3rd party (i.e. insurance company)

risk mitigation - defining an acceptable risk level and reducing risks to it

risk acceptance - understanding and accepting risks and potential costs
41
Q

Risk Management

Risk Management Principles

A

After the risk assessment is complete, the organization must implement and maintain safeguards

The organization must also decide on future risk analysis, because it should be done regularly

Risk mgmt involves developing and maintaining a risk mgmt policy and maintaining a risk mgmt and risk analysis team
42
Q

Risk Management

Risk Management Policy - objectives to list

A

Formal statement of Sr. management's commitment to risk management. Must include the overall risk management plan and list these objectives:

risk mgmt team objectives
responsibilities and roles
acceptable levels of risk
risk identification process
risk and safeguards mapping
safeguard effectiveness monitoring process and targets
future risk analysis plans and tasks
43
Q

Risk Management

Risk Management Team

A

Could be one person or a group. Goal is to protect the organization and its assets from risk in the most cost effective way

Sr. management must put a resource allocation measure in place and ensure members of the team have the necessary training and tools
44
Q

Risk Management

Risk Analysis Team

A

Must have a representative from as many departments and employment levels as possible. Diversity ensures risks from all areas can be addressed. Otherwise the team must interview each department to understand all risks to that department

During the Risk Analysis process, the team should determine the threat events that could occur, their impact, their frequency and the level of confidence in the information gathered
45
Q

Information Security Governance Components

Steps for senior management to complete before developing any organizational security policy

A

define scope of program
ID assets that need protection
determine level of protection each asset needs
determine personnel responsibilities
develop consequences for noncompliance with policy
46
Q

Information Security Governance Components

Policies - 2 definitions

Policies are broad and provide the foundation for developing standards, baselines, guidelines and procedures, all of which provide the security structure

A

Dictate the role of security and are strategic in nature (provide the end result of security)

definition 1 - level in the organization at which they're enforced

definition 2 - category to which they're applied

Independent of a specific technology or solution. Must contain an exception area to deal with unforeseen situations
47
Q

Information Security Governance Components

Levels of policies

A

organizational
system-specific
issue-specific
48
Q

Information Security Governance Components

Categories of policies

A

regulatory
advisory
informative
49
Q

Information Security Governance Components

Organizational Policies

A

Highest level security policy, steered by business goals. Should have these components:

define overall goals of security policy
define overall steps and importance of security
define security framework to meet biz goals
state management approval of policy
define all relevant terms
define security roles and responsibilities
address relevant laws and regulations
identify major functional areas
define compliance requirements
51
Q

Information Security Governance Components

Organizational Security Policies

system specific
issue specific

A

Must be supported by stakeholders, have high visibility for personnel, and be discussed regularly. Each version should be maintained and documented

system-specific security policy - addresses a specific computer, network, technology or application

issue-specific security policy - addresses a specific issue like email privacy, virus checking, employee termination, no expectation of privacy, etc.
52
Q

Information Security Governance Components

Regulatory Security Policies

A

Address specific industry regulations, including mandatory standards, e.g. healthcare, public utilities, financial institutions
53
Q

Information Security Governance Components

Advisory Security Policies

A

Cover acceptable and unacceptable activities. Give examples of possible consequences if users engage in unacceptable activities
54
Q

Information Security Governance Components

Informative Security Policies

A

Provide information on certain topics; act as an educational tool
55
Q

Information Security Governance Components

Standards

A

Describe how baselines will be implemented. Mandatory actions or rules that are tactical - they provide the steps needed to achieve security
56
Q

Information Security Governance Components

Baselines

A

Reference points defined and captured for future reference. Should be captured when a system is properly configured and updated

When updates occur, new baselines should be captured and compared to previous ones. Adopting new baselines from the most recent data may be necessary

Capturing baselines is important, but so is using them to assess the security state
57
Q

Information Security Governance Components

Guidelines

A

Recommended actions; allow for unforeseen circumstances. Provide guidance when standards don't apply
58
Q

Information Security Governance Components

Procedures

A

All detailed actions to follow; closest to the computers and other devices. Often include step-by-step lists on how policies, standards and guidelines are implemented
59
Q

Information Classification Lifecycle

A

Classify data by its value. Assigning value to data lets you determine the resources needed to protect it

Classifying data lets you apply different protections. After data is classified, it can be segmented based on the level of protection needed

The organization should determine classification levels based on its own needs
60
Q

Information Classification Lifecycle

Commercial businesses usually classify data on 4 main levels. The information life cycle should be based on this classification of data

A

Confidential - trade secrets, intellectual property, code

Private - personnel records, medical, salary, HR

Sensitive - information that needs extra measures

Public - data that wouldn't cause a negative impact if lost
61
Q

Information Classification Lifecycle

Government and Military classify data on 5 main levels

A

Top Secret - weapon blueprints, tech specs. Grave damage if disclosed

Secret - deployment plans, missile placement. Serious damage if disclosed

Confidential - patents, trade secrets. Serious effect if disclosed

Sensitive - medical, personnel records. Questions arise if disclosed

Unclassified
62
Q

Responsibilities and Roles

Board of Directors
Senior Officials
Management

A

Board of Directors - elected by shareholders to ensure the org is run properly. Loyalty is to shareholders

Senior Officials - Sr. Management, board of directors

Management - responsible for preserving and protecting org data. CEO, CFO, CIO, CPO, CSO
63
Q

Responsibilities and Roles

Business Unit Managers
Audit Committee
Data Owner
Data Custodian
System Owner
System Administrator

A

Business Unit Managers - provide departmental information and controls for dept. data

Audit Committee - evaluates the org's financial reporting to ensure accuracy

Data Owner - determines the classification level of information, and its protection

Data Custodian - implements info classification and controls after the owner determines them

System Owner - ensures appropriate controls exist on systems. Multiple data owners can be responsible for info on the system

System Administrator - runs day to day operations
64
Q

Responsibilities and Roles

Security Administrator
Security Analyst
Application Owner
Supervisor
User
Auditor

A

Security Administrator - maintains security devices and software (firewalls, etc.)

Security Analyst - analyzes the security needs of the org, develops governance documents (policies, standards, guidelines)

Application Owner - determines the personnel who can access an application

Supervisor - manages a group of users and the assets in that group

User - any person who accesses data for work

Auditor - monitors user activities to ensure appropriate controls are in place
65
Q

Personnel Security

Personnel cause the majority of security issues. Organizations should have personnel security policies (screening, hiring, firing)

Screening
Hiring

A

Screening - occurs before the offer of employment. Could include background check, drug testing, education verification

Hiring - signing appropriate documents, NDAs, policies, etc. Employee IDs are issued at this stage
66
Q

Personnel Security

Termination - handled differently for friendly and unfriendly situations

Management Control - mandatory vacations

NDAs (and similar)

A

HR procedures ensure property is returned and user access is removed

Unfriendly terminations - procedures must be proactive to prevent asset damage. Revoke access before termination notification, security escort

Mandatory vacations ensure another employee can perform job duties in someone else's absence

NDAs and similar (noncompete clauses, etc.) protect the organization and its assets after the employee is gone
67
Q

Security Awareness Training

Security Awareness Training (what) vs Security Training (how) vs Security Education (why)

A

Awareness training reinforces the fact that valuable resources must be protected by implementing security measures

Security Training teaches the skills needed to perform a job securely

Awareness and Security Training are usually combined to improve awareness of security and ensure users can be held accountable for their jobs

Security Education is more independent, targeted at security professionals who require expertise and act as in-house experts
68
Q

Security Awareness Training

Security Awareness Training should be based on the audience

high-level management
middle management
technical staff

A

High-level management - training explains risks, threats, applicable laws and regulations, and the effects of security issues on reputation

Middle management - training covers policies, standards, guidelines, baselines, procedures, and how these map to departments

Technical staff - technical training on configuring and maintaining security controls. Industry certifications, degrees