Security and Risk Management

Question 1

CIA Triad

Answer 1

Confidentiality

Integrity

Availability

Question 2

ISO 27001/27002

Answer 2

“The International Standards Organization (ISO) is recognized globally, and it is probably the most pervasive and used source of security standards outside the United States (American organizations often use standards from other sources). ISO 27001 is known as the information security management system (ISMS) and is a comprehensive, holistic view of security governance within an organization, mostly focused on policy. “

Question 3

COBIT

Answer 3

Created and maintained by ISACA, the COBIT framework (currently COBIT 5) is designed as a way to manage and document enterprise IT and IT security functions for an organization. COBIT widely uses a governance and process perspective for resource management and is intended to address:

IT performance,

security operations,

risk management,

and regulatory compliance

Question 4

ITIL

Answer 4

IT Infrastructure Library - Best practices for IT core operational processes, not technologies to business customers

ITIL v3 has 5 Phases

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continuous service improvement

Question 5

RMF

Answer 5

RISK MANAGEMENT FRAMEWORK

“NIST, the U.S. National Institute of Standards and Technology, publishes two methods that work in concert (similar to how ISO 27001 and 27002 function); the Risk Management ““Framework (RMF), and the applicable list of security and privacy controls that goes along with it (respectively, these documents are Special Publications (SPs) 800-37 and 800-53). While the NIST SP series is only required to be followed by federal agencies in the United States, it can easily be applied to any kind of organization as the methods and concepts are universal. Also, like all American government documents, it is in the public domain; private organizations do not have to pay to adopt and use this framework. However, there is no private certification for the NIST framework.”

Question 6

CSA STAR

Answer 6

“The Cloud Security Alliance (CSA)

is a volunteer organization with participant members from both public and private sectors, concentrating—as the name suggests—on security aspects of cloud computing. The CSA publishes standards and tools for industry and practitioners, at no charge. The CSA also hosts the Security, Trust, and Assurance Registry (STAR), which is a voluntary list of all cloud service providers who comply with the STAR program framework and agree to publish documentation on the STAR website attesting to compliance. Customers and potential customers can review and consider cloud vendors at no cost by accessing the STAR website. The STAR framework is a composite of various standards, regulations, and statutory requirements from around the world, covering a variety of subjects related to IT and data security; entities that choose to subscribe to the STAR program are required to complete and publish a questionnaire (the Consensus Assessments Initiative Questionnaire (CAIQ), colloquially pronounced “cake”) published by CSA. The STAR program has three tiers, 1–3, in ascending order of complexity. Tier 1 only requires the vendor self-assessment, using the CAIQ. Tier 2 is an assessment of the organization by an external auditor certified by CSA to perform CAIQ audits. Tier 3 is in draft form as of the time of publication of this CBK; it will require continuous monitoring of the target organization by independent, certified entities.”

Question 7

DUE CARE

Answer 7

Obligation
(looking out for safety of others)
“due” = required or legally required

“is a legal concept pertaining to the duty owed by a provider to a customer. In essence, a vendor has to engage in a reasonable manner so as not to endanger the customer: the vendor’s products/services should deliver what the customer expects, without putting the customer at risk of undue harm”

Question 8

DUE DILIGENCE

Answer 8

Action that support “due care”

• verifying background checks
• information security assessments
• risk assessment of physical security systems
• threat intelligence services

Question 9

RISK

Answer 9

The possibility of damage or harm and likelihood that damage or harm will be realized.

Question 10

ACCEPTABLE RISK

Answer 10

The level of risk that is suitable relative to the rewards offered by conducting operations.

Question 11

Business Impact Analysis (BIA)

Answer 11

Measures the value of an asset, the threats and risks posed by the asset, and the impact to the organization if the asset were affected.

Question 12

Intellectual Property Laws

Answer 12

Intellectual Property

Patent

Copyright

Trademark Laws

Trade Secrets

Question 13

THREATS

Answer 13

Any aspects that create a risk to the organization, its function or assets:

Natural

Criminal

User error

Question 14

VULNERABILITIES

Answer 14

Any aspect of the organization’s operation that could enhance a risk or the possibility of a risk being realized:
Software

Physical

Personnel

Question 15

VULNERABILITY

Answer 15

An inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source.

Tends to focus on technology aspects

Question 16

DATA BREACH TECHNOLOGY

Answer 16

Incident

Breach

Data disclosure

Question 17

RISK AVOIDANCE

Answer 17

The practice of coming up with alternatives so the risk in question is not realized.

Question 18

RISK TRANSFERENCE

Answer 18

The practice of passing on the risk to another entity.

Question 19

RISK MITIGATION

Answer 19

The decrease in the level of risk through implementation of controls.

Question 20

RISK ACCEPTANCE

Answer 20

The practice of accepting certain risks based on a business decision that weighs the cost vs. the benefit of a risk.

Question 21

RESIDUAL RISK

Answer 21

The risk that remains after controls are put in place.

Question 22

Who is responsible for security at company

Answer 22

Security is responsibility of everyone at a company.

Question 23

SECURITY CONTROLS

Answer 23

Methods, tools, mechanisms, and processes used in risk mitigation.
Safeguards - before risk is realized
Countermeasures - after the risk is realized
All security controls have detrimental effects on operations; control selection must entail cost/benefit analysis.

Question 24

ANNUAL LOSS EXPECTANCY

Answer 24

QUANTITATIVE RISK ANALYSIS

Single Loss Expectancy (SLE) X Annual Rate of Occurance (ARO)

Cost of countermeasures must be smaller than ALE

Question 25

TYPES OF CONTROLS

Answer 25

Technological/logical

Physical

Administrative (Procedures/ policy)

Question 26

CONTROLS CONTINUUM

Answer 26

Pre-Event

• Directive
• Preventative
• Compensating
• Deterrent
• Detective

Post-Event

• Corrective
• Recovery

Question 27

DEFENSE IN DEPTH

Answer 27

OPTIMAL CONTROL IMPLEMENTATION

with layered defenses.

Question 28

MONITORING AND MEASUREMENT

Answer 28

After control selection, monitoring and enforcement is necessary.

May involve a Security Control Assessment (SCA).

Should include continuous improvement efforts

Vulnerability Assessments

Penetration Testing

Question 29

RISK FRAMEWORKS

Answer 29

ISO

COSO

ISACA

NIST

Question 30

COSO

Answer 30

Identifies 5 internal control areas to meet financial reporting and disclosure objectives:

Control Environment

Risk Assessment

Control Activities

Information and Communications

Monitoring

Question 31

THIRD PARTY REVIEW ENTITIES

Answer 31

ISO certified audits

CSA STAR Evaluation

AICPA SSAE 16 SOC Reports

Question 32

RISK MANAGEMENT METHODOLOGIES

Answer 32

Governance Review

Site Security Review

Formal Security

Penetration Testing

Question 33

THREAT MODELING

Answer 33

Looking at an environment, system, or application from an attacker’s point of view and trying to determine vulnerabilities the attacker would exploit.

Question 34

STRIDE MODEL

Answer 34

SPOOFING

TAMPERING

REPUDIATION

INFORMATION DISCLOSURE

DOS (Denial of Service)

Elevation of privilege

Question 35

MINIMUM SECURITY REQUIREMENTS

Answer 35

Involve stakeholders as soon as possible

Ensure requirements are specific, realistic and measurable

Restate your understanding of the requirements back to them to confirm

Don’t choose tools or solutions until the requirements are understood

Create prototypes, diagrams or visuals to help solidify understanding on all sides

Question 36

SERVICE LEVEL REQUIREMENTS (SLR)

Answer 36

Detailed service level requirements

Mutual responsibilities

Other requirements specific to certain customer groups

Both SLR and SLA become addendum to contracts

Compares agreed against achieved performance

Includes information service usage

Provides ongoing measures for service improvement

Exceptional events

Question 37

SERVICE LEVEL REQUIREMENTS (SLA)

Answer 37

Defines the minimum requirements of a business arrangement and codifies their provision

Every element of the SLA should include a discrete, objective, numeric metric to judge success or failure

Often used as a payment calculator / discriminator

Best serves recurring, continual requirements, not singular or infrequent events

Both SLR and SLA become addendum to contracts

Define the agreed upon level of performance and compensation or penalty between the provider and the customer

if it’s not measurable, a metric or reoccurring it’s NOT a SLA

Question 38

ASSURANCE

Answer 38

Can only be gained through inspection, review and assessment

Question 39

COMPLIANCE

Answer 39

Adherence to an external mandate.

Question 40

PRIVACY

Answer 40

The right of a human being to control the manner and extent to which information about him is distributed.

Question 41

AUDITS AND AUDITING

Answer 41

The tools, processes, and activities used to perform compliance reviews ( finding the truth)

Question 42

PCI

Answer 42

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)

• Voluntary
  -Comprehensive
  -Consequences enforced by the PCI Council
  Multiple merchant levels
  Requirements for :
  —Protecting cardholder data
  —Not saving the CVV
  Not a contract - Not a law

Question 43

LEGAL STANDARDS

Answer 43

Case law sets precedents used in future cases; these can become legal standards the courts use to determine expectations such as due care.

Question 44

INDUSTRY STANDARDS

Answer 44

Set by industry participants and concerned entities

Can eventually evolve into a legal standard

May be accepted by regulators

Standards you should be familiar with:
ISO
CSA STAR
Uptime Institute

Question 45

REGULATORY STANDARDS

Answer 45

Standards set by government bodies

Regulations you should know of:
GDPR(EU)
The Privacy Act (Australia)
HIPAA
APPI (Japan)
Personal Data Protection Law (Argentina)
Personal Data Protection Law (Singapore)
GLBA
PIEDA
SOX
FISMA

Question 46

COMMON PRIVACY TENETS

Answer 46

Notification
Participation
Scope
Limitation
Accuracy
Retention
Security
Dissemination

Question 47

INTELLECTUAL PROPERTY

Answer 47

Intellectual property: intangible assets.

The use of someone else’s intellectual property (including software) often requires licensing. Some forms include:

Site
Per-seat
Shareware
Public Domain (not a license but property type)

Question 48

DRM

Answer 48

DIGITAL RIGHTS MANAGEMENT

Some countries limit import of security tools, particularity encryption solution (Russia, Brunei, Mongolia)

International legal restrictions (Wassenaar Arrangement)

Some countries limit export (United States)

DRM TRAITS:

Persistence (access controls follow protected material)

Dynamic policy control(centralized capability to modify permissions)

Automatic Expiration(enforce the time expiration)

Continuous audit trail

Interoperability

Question 49

IMPORT/EXPORT CONTROLS

Answer 49

International Traffic in Arms Regulations (ITAR)
Controls manufacture, sale, and distribution of defense and and space-related articles and services as defined in the United States Munitions List (USML)

Export Administration Regulation (EAR)
Contains a list called the Commerce Control List(CCL). The CCL is a limited list of items within the scope of the EAR which merit particular attention because they could potentially have military use in addition to commercial use. CCL-listed items are therefore often referred to as “dual-use”.

Question 50

GDPR

Answer 50

General Data Protection Regulation (GDPR) prevents any EU citizen’s privacy data from going to any country that does not have equivalent privacy laws.

Question 51

GDPR COMPLIANCE

Answer 51

Countries that have equivalent laws:
All EU Countries
Andorra
Singapore
Switzerland
Japan
Israel
Australia
Argentina
Uruguay
Canada
NOT US

Question 52

PRIVACY SHIELD PROGRAM

Answer 52

EU/US and US/Swiss Safe Harbor Frameworks to preserve data flows from the EU and Switzerland to the US

Question 53

REP

Answer 53

Reasonable Expectation of Privacy - all individuals have this.

Question 54

WREP

Answer 54

WAIVER OF REASONABLE EXPECTATION OF PRIVACY

Communication about the organization’s privacy is key to ensuring understanding of WREP.

Question 55

PII

Answer 55

Personally Identifiable Information (PII)

Any data about a human being that could be used to identify that person.

Examples:
Name
Tax id/social security number
Home address
Mobile phone number
Specific computer (MAC address, IP address of PC)

Question 56

PRIVACY TERMS

Answer 56

Credit Card Number
Bank Account Number
Facial Photograph
Data Subject
Data Owner/Data controller
Data Processor
Data Custodian

Question 57

RISK OPTIONS

Answer 57

Avoidance
Acceptance
Mitigation (controls)
Transfer

Question 58

SECURITY CONTROL CATEGORIES

Answer 58

DIRECTIVE (impose)mandates or requirements

DETERRENT (reduce likelihood)

PREVENTATIVE (prohibit certain activities)

COMPENSATING (mitigate the effects of losing primary controls)

DETECTIVE (recognize hostile activity)

CORRECTIVE (reacting to activity to do remediation or restoration

RECOVERY (restore operations of state)

Question 59

VULNERABILITY ASSESSMENT

Answer 59

Reviews organization IT environment for known vulnerabilities. (usually done via automated tools)

Question 60

PENETRATION TESTING

Answer 60

Trusted party attempts to gain access to protected environment to test security defenses.

Question 61

COSO

Answer 61

Committee of Sponsoring Organizations of the Treadway Commission. Formed after 10980’s financial scandals.

In 2004 it published the Enterprise Risks Management - Integrated Framework - seen as definitive guide on the topic.

Question 62

ISACA

Answer 62

Published the RISK IT Framework - described as connecting risk management from a strategic perspective with risk-related IT management.

Question 63

RISK BASED MGMT FOR SUPPLY CHAIN

Answer 63

Governance review
Site security review
Formal security audit
Penetration testing

Question 64

OCTAVE

Answer 64

Carnagie-Mellon University model -

Designed for viewing the overall risk of IT systems across the organization.

Question 65

TRIKE

Answer 65

Open source methodology and tool-set from MIT

Question 66

UPTIME INSTITUTE

Answer 66

Certification program for data-centers - in support of CIA elements

Question 67

SSAE 16

Answer 67

Audit standard designed for publicly traded companies , including managed cloud providers, devised by the AICPA.

Question 68

GLBA

Answer 68

Graham-Leach-Bliley Act

Federal law that allowed banks to merge with insurance companies and includes protection, collection and dissemination protections.

Question 69

FISMA

Answer 69

Federal Information Systems Management

US law that applies to federal government agencies requiring the compliance to NIST guidance and standards.

Question 70

DATA SUBJECT

Answer 70

Individual human being that the PII refers to.

Question 71

DATA OWNER/CONTROLLER

Answer 71

Entity that collects and creates PII

DO and CO are legally responsible for the protection of the PII and are liable for any unauthorized release of PII.

Organizations are the owner/controller usually.

Question 72

DATA PROCESSOR

Answer 72

Entity working on behalf of the data owner that processes PII. The data owner is still legally liable - regardless of what the Processor does.

Question 73

DATA CUSTODIAN

Answer 73

Person within an organization that manages the data on a day-to-day basis on behalf of the owner/controller. This could be the database administrator or anyone with privileged to the database.

Question 74

POLICY

Answer 74

Communicate management expectations, which are fulfilled through the execution of procedures and adherence to standards, baselines, and guidelines.

This is what companies adopt in the absence of laws and contractual obligations.

Question 75

Candidate Screening and Hiring

Answer 75

Detailed job descriptions

Checking references

Employment history

Background check

Financial profile

Question 76

CANDIDATE SCREENING

Answer 76

JOB DESCRIPTIONS

REFERENCE CHECKS

BACKGROUND INVESTIGATION

EDUCATION LICENSING CERTIFICATION VERIFICATION

Question 77

EMPLOYMENT AGREEMENTS AND POLICIES

Answer 77

Employee handbook

Employment contract

Non-disclosure agreement

Question 78

ONBOARDING

Answer 78

Review of contract terms and job description

Formal initial training to familiarize the new employee with the organization’s security policy and procedures

Signing NDA

Secure process for issuing the employee any access, information or tools

Question 79

TERMINATION

Answer 79

Lock user account

Do exit interview

Review NDA with person leaving

Recover organization property

Question 80

VENDOR, CONSULTANT and CONTRACTOR Agreements and Controls

Answer 80

Additional contractual protections

Distinct accounts

Escort requirements

Distinguishing identification

NDA

Question 81

COMPLIANCE POLICY REQUIREMENTS

Answer 81

Acceptable Use Policy

Common Facets:
Data Access
System Access
Data Disclosure
Passwords
Data Retention
Internet Usage

Surveillance, within restraints of applicable law

Question 82

PRIVACY POLICY REQUIREMENTS

Answer 82

Document organization’s privacy requirements, within constrain of the law

Available to all staff

Available to customers

Question 83

FORMS OF INSTRUCTION

Answer 83

Education (formal classes)

Training (semi-formal by SME’s)

Awareness (informal unscheduled)

Question 84

METHODS AND TECHNIQUES for AWARENESS AND TRAINING

Answer 84

Computer based training

Live instruction

Reward mechanism

Regular communications

Question 85

PERIODIC CONTENT REVIEWS

Answer 85

Any instruction must be kept current - instructor shall review the following on a regular basis:

Applicable laws

Security tools

Organizational security policy

Recent widespread attack styles and methodology

Question 86

PROGRAM EFFECTIVENESS EVALUATION

Answer 86

Participant testing

Penetration testing

Log reviews

Question 87

BUSINESS CONTINUITY REQUIREMENTS

Answer 87

BUSINESS CONTINUITY (BC) - actions, processes, and tools for ensuring an organization can continue critical operations during a contingency

DISASTER RECOVERY (DR) - tasks and activities required to bring an organization back from a contingency operations and reinstate regular operations

Often referred to as BCDR

Question 88

MAXIMUM ALLOWABLE DOWNTIME (MAD)

Answer 88

Measures how long an organization can survive an interruption can survive an interruption of critical functions (also referred to as maximum tolerable downtime MTD)

Question 89

RECOVERY TIME OBJECTIVE (RTO)

Answer 89

The target time set or recovering from an interruption..

If RTO > MTD company is not viable

Question 90

RECOVERY POINT OBJECTIVE (RPO)

Answer 90

Measure of how much data the organization can lose before the organization is no longer viable.

Question 91

BUSINESS IMPACT ANALYSIS

Answer 91

The effort to determine the value of each asset belonging to the organization, as well as the potential risk of losing assets, the threats likely to affect the organization, and the potential for common threats to be realized.

Methods:

Survey

Financial Audit

Customer Response

The Organization benefits from information about potential threats and attacks (specifically combination of threats)

External business/security intelligence vendors

Open sources

Malware management firms

Government and industry feeds

Question 92

ETHICS

Answer 92

Moral principles that govern a person’s behavior, or conducting an activity

Ethics is about the methods and ways we interact with each other

Not limited to human-to-human interaction

Question 93

ISC2 CODE OF ETHICS

Answer 93

Preamble:

The safety and welfare of society and the common good, duty to our principles, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

Therefore, strict adherence to this Code is a condition of certification.

Global to local priority…

Question 94

ORGANIZATIONAL CODE OF ETHICS

Answer 94

An organization can create internal guidance, as well , reflecting applicable law, social norms, and cultural mores.

Example:

Is the admin’s report acceptable and valid?

What should be done with/to the employee?

What should be done with/to the admin?