IS Governance & Risk Management Flashcards

1
Q

Availability

A

Availability: Reliable and timely access to data and resources is provided to authorized individuals.

2
Q

Integrity

A

Integrity: Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.

3
Q

Confidentiality

A

Confidentiality: Necessary level of secrecy is enforced and unauthorized disclosure is prevented.

4
Q

Shoulder surfing

A

Viewing information in an unauthorized manner by looking over the shoulder of someone else.

5
Q

Social engineering

A

Gaining unauthorized access by tricking someone into divulging sensitive information.

6
Q

What controls can be implemented to protect data confidentiality?

A

Confidentiality
• Encryption for data at rest (whole disk, database encryption)
• Encryption for data in transit (IPSec, SSL, PPTP, SSH)
• Access control (physical and technical)

7
Q

What controls can be implemented to protect asset integrity? Including

  1. Data integrity
  2. System integrity
  3. Process Integrity
A
  1. Hashing (data integrity)
  2. Configuration management (system integrity)
  3. Change control (process integrity)
    • Access control (physical and technical)
    • Software digital signing
    • Transmission CRC functions
8
Q

What controls can be implemented to ensure asset availability?

A
  • Redundant array of inexpensive disks (RAID)
  • Clustering
  • Load balancing
  • Redundant data and power lines
  • Software and data backups
  • Disk shadowing
  • Co-location and off-site facilities
  • Roll-back functions
  • Fail-over configurations
9
Q

Vulnerability

A

Weakness or lack of a countermeasure.
Can be a software, hardware, procedural, or human weakness that can be exploited.

e.g. a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.

10
Q

Threat Agent

A

An entity that can exploit a vulnerability
e.g.
• an intruder accessing the network through a port on the firewall
• a process accessing data in a way that violates the security policy
• a tornado wiping out a facility
• an employee making an unintentional mistake that could expose confidential information

11
Q

Threat

A

The danger of a threat agent exploiting a vulnerability

12
Q

Risk

A

The probability of a threat agent exploiting a vulnerability and the associated business impact.

e.g.
• If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized manner.
• If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data.
• If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood that an attack will go unnoticed until it is too late.

13
Q

Control

A

Safeguard/countermeasure that is put in place to reduce a risk.

A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability.

e.g.
• strong password management
• firewalls
• a security guard
• access control mechanisms
• encryption
• security-awareness training
14
Q

Exposure

A

Presence of a vulnerability, which exposes the organization to a threat.
e.g.
• If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users’ passwords captured and used in an unauthorized manner.
• If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.

15
Q

Relationship between security concepts

A

A threat agent > gives rise to a threat > which exploits a vulnerability > leading to a risk > which can damage an asset > and cause an exposure > which can be countered by a safeguard/control > which directly affects the threat agent.

16
Q

Three types of controls required to provide defence-in-depth

A

• Administrative/Management controls
Management-oriented, e.g. security documentation, risk management, personnel security, and training.
• Technical/Logical controls
Software or hardware components, e.g. firewalls, IDS, encryption, identification and authentication mechanisms.
• Physical/Operational controls
Items put into place to protect the facility, personnel, and resources, e.g. security guards, locks, fencing, and lighting.

17
Q

Six functionalities of controls

A
  • Deterrent: Intended to discourage a potential attacker
  • Preventive: Intended to avoid an incident from occurring
  • Detective: Helps identify an incident’s activities and potentially an intruder
  • Corrective: Fixes components or systems after an incident has occurred
  • Recovery: Intended to bring the environment back to regular operations
  • Compensating: Controls that provide an alternative measure of control
18
Q

Defence-in-depth

A

Defense-in-depth: Implementation of multiple controls so that a successful penetration and compromise is more difficult to attain.

19
Q

Security through obscurity

A

Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices.

20
Q

FRAP

A

Facilitated Risk Analysis Process (FRAP): A focused, qualitative approach that carries out prescreening to save time and money.

21
Q

OCTAVE

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE): A team-oriented approach that assesses organizational and IT risks through facilitated workshops.

22
Q

ISO/IEC 27005

A

ISO/IEC 27005: International standard for the implementation of a risk management program that integrates into an information security management system (ISMS).

23
Q

Failure Modes and Effect Analysis

A

Approach that dissects a component into its basic functions to identify flaws and those flaws’ effects.

24
Q

CRAMM

A

CRAMM: Central Computing and Telecommunications Agency Risk Analysis and Management Method.

25
Q

Data classification procedures

A
  1. Define classification levels.
  2. Specify the criteria that will determine how data are classified.
  3. Identify data owners who will be responsible for classifying data.
  4. Identify the data custodian who will be responsible for maintaining data and its security level.
  5. Indicate the security controls, or protection mechanisms, required for each classification level.
  6. Document any exceptions to the previous classification issues.
  7. Indicate the methods that can be used to transfer custody of the information to a different data owner.
  8. Create a procedure to periodically review the classification and ownership. Communicate any changes to the data custodian.
  9. Indicate procedures for declassifying the data.
  10. Integrate these issues into the security-awareness program so all employees understand how to handle data at different classification levels.