Security and Risk Management Flashcards

(94 cards)

1
Q

CIA Triad

A

Confidentiality

Integrity

Availability

2
Q

ISO 27001/27002

A

“The International Standards Organization (ISO) is recognized globally, and it is probably the most pervasive and used source of security standards outside the United States (American organizations often use standards from other sources). ISO 27001 is known as the information security management system (ISMS) and is a comprehensive, holistic view of security governance within an organization, mostly focused on policy.”

Note: ISO 27001 is the certifiable standard that specifies the requirements for an ISMS; ISO 27002 is its companion code of practice, which describes the individual controls in detail.

3
Q

COBIT

A

Created and maintained by ISACA, the COBIT framework (COBIT 5 when this card was written; ISACA has since released COBIT 2019) is designed as a way to manage and document enterprise IT and IT security functions for an organization. COBIT takes a governance and process perspective on resource management and is intended to address:

IT performance,

security operations,

risk management,

and regulatory compliance

4
Q

ITIL

A

IT Infrastructure Library - best practices for delivering IT services to business customers; it describes core operational processes, not specific technologies.

ITIL v3 has 5 lifecycle phases:

  1. Service Strategy
  2. Service Design
  3. Service Transition
  4. Service Operation
  5. Continual Service Improvement
5
Q

RMF

A

RISK MANAGEMENT FRAMEWORK

“NIST, the U.S. National Institute of Standards and Technology, publishes two methods that work in concert (similar to how ISO 27001 and 27002 function); the Risk Management Framework (RMF), and the applicable list of security and privacy controls that goes along with it (respectively, these documents are Special Publications (SPs) 800-37 and 800-53). While the NIST SP series is only required to be followed by federal agencies in the United States, it can easily be applied to any kind of organization as the methods and concepts are universal. Also, like all American government documents, it is in the public domain; private organizations do not have to pay to adopt and use this framework. However, there is no private certification for the NIST framework.”

6
Q

CSA STAR

A

“The Cloud Security Alliance (CSA) is a volunteer organization with participant members from both public and private sectors, concentrating—as the name suggests—on security aspects of cloud computing. The CSA publishes standards and tools for industry and practitioners, at no charge. The CSA also hosts the Security, Trust, and Assurance Registry (STAR), which is a voluntary list of all cloud service providers who comply with the STAR program framework and agree to publish documentation on the STAR website attesting to compliance. Customers and potential customers can review and consider cloud vendors at no cost by accessing the STAR website. The STAR framework is a composite of various standards, regulations, and statutory requirements from around the world, covering a variety of subjects related to IT and data security; entities that choose to subscribe to the STAR program are required to complete and publish a questionnaire (the Consensus Assessments Initiative Questionnaire (CAIQ), colloquially pronounced “cake”) published by CSA. The STAR program has three tiers, 1–3, in ascending order of complexity. Tier 1 only requires the vendor self-assessment, using the CAIQ. Tier 2 is an assessment of the organization by an external auditor certified by CSA to perform CAIQ audits. Tier 3 is in draft form as of the time of publication of this CBK; it will require continuous monitoring of the target organization by independent, certified entities.”

7
Q

DUE CARE

A

Obligation
(looking out for safety of others)
“due” = required or legally required

“is a legal concept pertaining to the duty owed by a provider to a customer. In essence, a vendor has to engage in a reasonable manner so as not to endanger the customer: the vendor’s products/services should deliver what the customer expects, without putting the customer at risk of undue harm”

8
Q

DUE DILIGENCE

A

Actions that demonstrate and support “due care” (the investigation and verification work done before and while operating):

  • verifying background checks
  • information security assessments
  • risk assessment of physical security systems
  • threat intelligence services
9
Q

RISK

A

The possibility of damage or harm and likelihood that damage or harm will be realized.

10
Q

ACCEPTABLE RISK

A

The level of risk that is suitable relative to the rewards offered by conducting operations.

11
Q

Business Impact Analysis (BIA)

A

Measures the value of an asset, the threats and risks posed to that asset, and the impact on the organization if the asset were lost, degraded or compromised.

12
Q

Intellectual Property Laws

A

Intellectual Property

Patent

Copyright

Trademark Laws

Trade Secrets

13
Q

THREATS

A

Any aspects that create a risk to the organization, its function or assets:

Natural

Criminal

User error

14
Q

VULNERABILITIES

A

Any aspect of the organization’s operation that could increase a risk or the likelihood of a risk being realized:
Software

Physical

Personnel

15
Q

VULNERABILITY

A

An inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source.

Tends to focus on technology aspects

16
Q

DATA BREACH TERMINOLOGY

A

Incident - any event that threatens the confidentiality, integrity or availability of information or systems

Breach - an incident in which an unauthorized party actually gains access to protected data or systems

Data disclosure - a breach in which protected data is exposed to or obtained by an unauthorized party (the outcome that usually triggers notification duties)

17
Q

RISK AVOIDANCE

A

The practice of coming up with alternatives so the risk in question is not realized.

18
Q

RISK TRANSFERENCE

A

The practice of passing the financial consequences of a risk on to another entity (e.g., insurance, outsourcing). Note that accountability for the outcome normally stays with the organization; only part of the cost is transferred.

19
Q

RISK MITIGATION

A

The decrease in the level of risk through implementation of controls.

20
Q

RISK ACCEPTANCE

A

The practice of accepting certain risks based on a business decision that weighs the cost vs. the benefit of a risk.

21
Q

RESIDUAL RISK

A

The risk that remains after controls are put in place.

22
Q

Who is responsible for security at company

A

Security is responsibility of everyone at a company.

23
Q

SECURITY CONTROLS

A

Methods, tools, mechanisms, and processes used in risk mitigation.
Safeguards - before risk is realized
Countermeasures - after the risk is realized
Every security control imposes some cost or friction on operations (money, performance, usability); control selection must therefore rest on a cost/benefit analysis.

24
Q

ANNUAL LOSS EXPECTANCY

A

QUANTITATIVE RISK ANALYSIS

Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)

Annual Loss Expectancy (ALE) = SLE x Annual Rate of Occurrence (ARO)

A countermeasure is justified only when its annualized cost is less than the reduction in ALE it produces: value of safeguard = ALE(before) - ALE(after) - annual cost of safeguard. A control whose cost is below the ALE can still fail this test if it removes only a small part of the loss.
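Worked example of the quantitative formulas above, added here and not part of the original flashcard deck. The asset, the exposure factors, the ARO values and the three candidate safeguards are constructed figures chosen for illustration; the function names are the example's own. The third candidate shows the caveat: its annual cost is below the ALE, yet it has negative value because it only buys a small ALE reduction.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float      # AV: replacement/impact value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0-1.0)
    aro: float              # ARO: expected incidents per year (may be < 1, e.g. 0.1 = once a decade)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # annualized cost: licence, hardware, staff time, maintenance
    ef_after: float         # EF once the safeguard is in place
    aro_after: float        # ARO once the safeguard is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: what one occurrence of the loss event costs."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual Loss Expectancy: SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(asset: Asset, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of the safeguard).

    Positive: the control pays for itself. Negative: it does not, even when
    its cost happens to be lower than the original ALE."""
    before = ale(asset.asset_value, asset.exposure_factor, asset.aro)
    after = ale(asset.asset_value, sg.ef_after, sg.aro_after)
    return before - after - sg.annual_cost


def rank_safeguards(asset: Asset, candidates: list[Safeguard]) -> list[tuple[Safeguard, float]]:
    """Every candidate scored and sorted best-first. Negative values are kept
    so that failing options are visible rather than silently dropped."""
    scored = [(sg, safeguard_value(asset, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed figures for illustration only; they are not from the flashcards.
CUSTOMER_DB = Asset("customer database", asset_value=500_000, exposure_factor=0.4, aro=0.5)
CANDIDATES = [
    Safeguard("encrypted offsite backups", annual_cost=15_000, ef_after=0.1, aro_after=0.5),
    Safeguard("managed detection and response", annual_cost=90_000, ef_after=0.2, aro_after=0.25),
    Safeguard("annual awareness training", annual_cost=5_000, ef_after=0.4, aro_after=0.4),
]

if __name__ == "__main__":
    print(f"SLE = {sle(CUSTOMER_DB.asset_value, CUSTOMER_DB.exposure_factor):,.0f}")
    print(f"ALE = {ale(CUSTOMER_DB.asset_value, CUSTOMER_DB.exposure_factor, CUSTOMER_DB.aro):,.0f}")
    for sg, value in rank_safeguards(CUSTOMER_DB, CANDIDATES):
        verdict = "adopt" if value > 0 else "reject"
        print(f"{sg.name:32s} value {value:>10,.0f}  -> {verdict}")
```

With these inputs the SLE is 200,000 and the ALE 100,000 per year. Backups are worth 60,000 a year, awareness training 15,000, and the 90,000 managed detection service comes out at -15,000 even though 90,000 is less than the ALE, which is why the comparison has to be made against the ALE reduction rather than the raw ALE.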

25
TYPES OF CONTROLS
  • Technological/logical
  • Physical
  • Administrative (procedures/policy)
26
CONTROLS CONTINUUM
Pre-event:
  • Directive
  • Preventative
  • Compensating
  • Deterrent
  • Detective
Post-event:
  • Corrective
  • Recovery
27
DEFENSE IN DEPTH
OPTIMAL CONTROL IMPLEMENTATION with layered defenses.
28
MONITORING AND MEASUREMENT
After control selection, monitoring and enforcement are necessary. May involve a Security Control Assessment (SCA). Should include continuous improvement efforts:
  • Vulnerability assessments
  • Penetration testing
29
RISK FRAMEWORKS
  • ISO
  • COSO
  • ISACA
  • NIST
30
COSO
Identifies 5 internal control components to meet financial reporting and disclosure objectives:
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring
31
THIRD PARTY REVIEW ENTITIES
  • ISO certified audits
  • CSA STAR evaluation
  • AICPA SSAE 16 SOC reports (SSAE 16 has since been superseded by SSAE 18)
32
RISK MANAGEMENT METHODOLOGIES
  • Governance review
  • Site security review
  • Formal security audit
  • Penetration testing
33
THREAT MODELING
Looking at an environment, system, or application from an attacker's point of view and trying to determine vulnerabilities the attacker would exploit.
34
STRIDE MODEL
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service (DoS)
  • Elevation of privilege
35
MINIMUM SECURITY REQUIREMENTS
  • Involve stakeholders as soon as possible
  • Ensure requirements are specific, realistic and measurable
  • Restate your understanding of the requirements back to them to confirm
  • Don't choose tools or solutions until the requirements are understood
  • Create prototypes, diagrams or visuals to help solidify understanding on all sides
36
SERVICE LEVEL REQUIREMENTS (SLR)
  • Detailed service level requirements
  • Mutual responsibilities
  • Other requirements specific to certain customer groups
  • Both SLR and SLA become addenda to contracts
  • Compares agreed against achieved performance
  • Includes information on service usage
  • Provides ongoing measures for service improvement
  • Exceptional events
37
SERVICE LEVEL AGREEMENT (SLA)
  • Defines the minimum requirements of a business arrangement and codifies their provision
  • Every element of the SLA should include a discrete, objective, numeric metric to judge success or failure
  • Often used as a payment calculator/discriminator
  • Best serves recurring, continual requirements, not singular or infrequent events
  • Both SLR and SLA become addenda to contracts
  • Defines the agreed level of performance and the compensation or penalty between provider and customer if it is not met
  • If it is not measurable, not a metric, or not recurring, it is NOT an SLA
38
ASSURANCE
Can only be gained through inspection, review and assessment
39
COMPLIANCE
Adherence to an external mandate.
40
PRIVACY
The right of a human being to control the manner and extent to which information about him is distributed.
41
AUDITS AND AUDITING
The tools, processes, and activities used to perform compliance reviews ( finding the truth)
42
PCI
PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)
  • Not a law; an industry standard maintained by the PCI Security Standards Council
  • Comprehensive; obligations flow to merchants and service providers through their contracts with the card brands and acquiring banks, which is also where consequences (fines, higher fees, loss of the ability to process cards) are enforced
  • Multiple merchant levels, set by transaction volume
  • Requirements include: protecting stored cardholder data; never storing sensitive authentication data (CVV/CVC, full track data, PIN) after authorization
43
LEGAL STANDARDS
Case law sets precedents used in future cases; these can become legal standards the courts use to determine expectations such as due care.
44
INDUSTRY STANDARDS
  • Set by industry participants and concerned entities
  • Can eventually evolve into a legal standard
  • May be accepted by regulators
Standards you should be familiar with:
  • ISO
  • CSA STAR
  • Uptime Institute
45
REGULATORY STANDARDS
Standards set by government bodies. Regulations you should know of:
  • GDPR (EU)
  • The Privacy Act (Australia)
  • HIPAA (US)
  • APPI (Japan)
  • Personal Data Protection Law (Argentina)
  • Personal Data Protection Act (Singapore)
  • GLBA (US)
  • PIPEDA (Canada)
  • SOX (US)
  • FISMA (US)
46
COMMON PRIVACY TENETS
  • Notification
  • Participation
  • Scope limitation
  • Accuracy
  • Retention
  • Security
  • Dissemination
47
INTELLECTUAL PROPERTY
Intellectual property: intangible assets. The use of someone else's intellectual property (including software) often requires licensing. Some forms include:
  • Site licence
  • Per-seat licence
  • Shareware
  • Public domain (not a licence but a property type)
48
DRM
DIGITAL RIGHTS MANAGEMENT

Related trade restrictions:
  • Some countries limit import of security tools, particularly encryption solutions (Russia, Brunei, Mongolia)
  • International legal restrictions (Wassenaar Arrangement)
  • Some countries limit export (United States)

DRM traits:
  • Persistence (access controls follow the protected material)
  • Dynamic policy control (centralized capability to modify permissions)
  • Automatic expiration (enforces the time limit)
  • Continuous audit trail
  • Interoperability
49
IMPORT/EXPORT CONTROLS
International Traffic in Arms Regulations (ITAR) - controls the manufacture, sale and distribution of defense- and space-related articles and services as defined in the United States Munitions List (USML).

Export Administration Regulations (EAR) - contain a list called the Commerce Control List (CCL). The CCL is a limited list of items within the scope of the EAR which merit particular attention because they could have military as well as commercial use; CCL-listed items are therefore often referred to as "dual-use". Strong encryption products fall under the EAR.
50
GDPR
General Data Protection Regulation (GDPR) - EU regulation protecting the personal data of individuals in the EU (data subjects, not only citizens). Transfers of that data to a country outside the EU/EEA are allowed only where the EU has issued an adequacy decision for that country, or where appropriate safeguards such as standard contractual clauses or binding corporate rules are in place.
51
GDPR COMPLIANCE
Countries whose laws the EU has found adequate (adequacy decisions):
  • All EU/EEA countries (covered by GDPR directly)
  • Andorra
  • Argentina
  • Canada (commercial organizations under PIPEDA)
  • Faroe Islands, Guernsey, Isle of Man, Jersey
  • Israel
  • Japan
  • New Zealand
  • Republic of Korea
  • Switzerland
  • United Kingdom
  • Uruguay
  • United States - only for organizations certified under the EU-US Data Privacy Framework (adequacy decision of July 2023); before that the US had no adequacy status
52
PRIVACY SHIELD PROGRAM
EU-US and Swiss-US Privacy Shield frameworks (2016) replaced the earlier Safe Harbor framework (struck down by the CJEU in Schrems I, 2015) to preserve data flows from the EU and Switzerland to the US. Privacy Shield itself was invalidated in Schrems II (July 2020); its successor is the EU-US Data Privacy Framework (2023).
53
REP
Reasonable Expectation of Privacy - all individuals have this.
54
WREP
WAIVER OF REASONABLE EXPECTATION OF PRIVACY Communication about the organization's privacy is key to ensuring understanding of WREP.
55
PII
Personally Identifiable Information (PII) - any data about a human being that could be used to identify that person. Examples:
  • Name
  • Tax ID / social security number
  • Home address
  • Mobile phone number
  • Identifiers of a specific computer (MAC address, IP address of a PC)
  • Credit card number
  • Bank account number
  • Facial photograph
56
PRIVACY TERMS
Roles defined around PII (each has its own card below):
  • Data subject
  • Data owner / data controller
  • Data processor
  • Data custodian
57
RISK OPTIONS
  • Avoidance
  • Acceptance
  • Mitigation (controls)
  • Transfer
58
SECURITY CONTROL CATEGORIES
  • Directive - impose mandates or requirements
  • Deterrent - reduce the likelihood of an attempt
  • Preventative - prohibit certain activities
  • Compensating - mitigate the effects of losing primary controls
  • Detective - recognize hostile activity
  • Corrective - react to activity with remediation or restoration
  • Recovery - restore operations or state
59
VULNERABILITY ASSESSMENT
Reviews organization IT environment for known vulnerabilities. (usually done via automated tools)
60
PENETRATION TESTING
Trusted party attempts to gain access to protected environment to test security defenses.
61
COSO
Committee of Sponsoring Organizations of the Treadway Commission. Formed in 1985 after the financial reporting scandals of the 1980s. In 2004 it published Enterprise Risk Management - Integrated Framework, seen as the definitive guide on the topic.
62
ISACA
Published the RISK IT Framework - described as connecting risk management from a strategic perspective with risk-related IT management.
63
RISK BASED MGMT FOR SUPPLY CHAIN
  • Governance review
  • Site security review
  • Formal security audit
  • Penetration testing
64
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation - a Carnegie Mellon University (SEI/CERT) model designed for viewing the overall risk of IT systems across the organization.
65
TRIKE
Open source, risk-based threat modeling methodology and tool-set.
66
UPTIME INSTITUTE
Tier certification program (Tier I-IV) for data centers; its focus is the availability element of the CIA triad.
67
SSAE 16
AICPA attestation standard for reporting on controls at service organizations, including managed and cloud providers; it is the basis of SOC reports. Superseded by SSAE 18 in 2017.
68
GLBA
Gramm-Leach-Bliley Act - US federal law that allowed banks to merge with insurance companies and securities firms; it also imposes requirements on the protection, collection and dissemination of customers' financial information.
69
FISMA
Federal Information Security Management Act (2002; updated by the Federal Information Security Modernization Act of 2014) - US law that applies to federal government agencies and requires compliance with NIST guidance and standards.
70
DATA SUBJECT
Individual human being that the PII refers to.
71
DATA OWNER/CONTROLLER
The entity that collects or creates the PII and decides why and how it is processed. The data owner/controller is legally responsible for protecting the PII and liable for any unauthorized release. Organizations, not individuals, are usually the owner/controller.
72
DATA PROCESSOR
An entity working on behalf of the data owner/controller that processes PII. The controller remains legally accountable for the data regardless of what the processor does with it.
73
DATA CUSTODIAN
A person within the organization who manages the data day to day on behalf of the owner/controller. This could be the database administrator or anyone with privileged access to the data.
74
POLICY
Communicates management's expectations, which are fulfilled through the execution of procedures and adherence to standards, baselines and guidelines. Policy is what an organization adopts to set its own rules where no law or contractual obligation dictates them.
75
Candidate Screening and Hiring
  • Detailed job descriptions
  • Checking references
  • Employment history
  • Background check
  • Financial profile
76
CANDIDATE SCREENING
  • Job descriptions
  • Reference checks
  • Background investigation
  • Education, licensing and certification verification
77
EMPLOYMENT AGREEMENTS AND POLICIES
Employee handbook Employment contract Non-disclosure agreement
78
ONBOARDING
  • Review of contract terms and job description
  • Formal initial training to familiarize the new employee with the organization's security policy and procedures
  • Signing the NDA
  • Secure process for issuing the employee any access, information or tools
79
TERMINATION
  • Lock the user account
  • Conduct an exit interview
  • Review the NDA with the person leaving
  • Recover organization property
80
VENDOR, CONSULTANT and CONTRACTOR Agreements and Controls
  • Additional contractual protections
  • Distinct accounts
  • Escort requirements
  • Distinguishing identification
  • NDA
81
COMPLIANCE POLICY REQUIREMENTS
Acceptable Use Policy. Common facets:
  • Data access
  • System access
  • Data disclosure
  • Passwords
  • Data retention
  • Internet usage
  • Surveillance, within the restraints of applicable law
82
PRIVACY POLICY REQUIREMENTS
  • Documents the organization's privacy requirements, within the constraints of the law
  • Available to all staff
  • Available to customers
83
FORMS OF INSTRUCTION
Education (formal classes) Training (semi-formal by SME's) Awareness (informal unscheduled)
84
METHODS AND TECHNIQUES for AWARENESS AND TRAINING
  • Computer-based training
  • Live instruction
  • Reward mechanisms
  • Regular communications
85
PERIODIC CONTENT REVIEWS
Any instruction must be kept current; the instructor should review the following on a regular basis:
  • Applicable laws
  • Security tools
  • Organizational security policy
  • Recent widespread attack styles and methodology
86
PROGRAM EFFECTIVENESS EVALUATION
Participant testing Penetration testing Log reviews
87
BUSINESS CONTINUITY REQUIREMENTS
BUSINESS CONTINUITY (BC) - actions, processes and tools for ensuring an organization can continue critical operations during a contingency.

DISASTER RECOVERY (DR) - tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.

Often referred to together as BCDR.
88
MAXIMUM ALLOWABLE DOWNTIME (MAD)
Measures how long an organization can survive an interruption of critical functions before the damage becomes unrecoverable (also referred to as maximum tolerable downtime, MTD).
89
RECOVERY TIME OBJECTIVE (RTO)
The target time set for recovering a function after an interruption. The RTO must be shorter than the MTD: if RTO > MTD, the function would come back only after the organization can no longer tolerate its absence, so the plan is inadequate.
90
RECOVERY POINT OBJECTIVE (RPO)
The maximum amount of data loss the organization can tolerate, expressed as a period of time: the age of the most recent usable copy of the data when recovery begins. Backups or replication must therefore run at least as often as the RPO interval.
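A consistency check across MTD, RTO and RPO, added here as an example and not part of the original flashcard deck. It encodes the three relationships the cards state: RTO must not exceed MTD, the planned recovery steps must fit inside the RTO, and the copy interval must not exceed the RPO. The business functions, the hour values and the recovery phase names are constructed sample data; the function names are the example's own.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryObjectives:
    function: str
    mtd_hours: float              # MTD/MAD from the BIA: the function can be down no longer than this
    rto_hours: float              # RTO: target time to have the function back
    rpo_hours: float              # RPO: maximum tolerable data loss, as age of the last good copy
    backup_interval_hours: float  # how often a restorable copy is actually taken
    recovery_steps_hours: dict[str, float]  # planned duration of each recovery phase


def findings(obj: RecoveryObjectives) -> list[str]:
    """Return the ways this function's recovery plan fails its own objectives.
    An empty list means the plan is consistent with the BIA figures."""
    problems: list[str] = []
    if obj.rto_hours > obj.mtd_hours:
        problems.append(
            f"RTO {obj.rto_hours:g}h exceeds MTD {obj.mtd_hours:g}h: the function would be "
            "restored only after the organization can no longer tolerate its absence")
    planned = sum(obj.recovery_steps_hours.values())
    if planned > obj.rto_hours:
        problems.append(
            f"planned recovery phases total {planned:g}h, longer than the RTO of {obj.rto_hours:g}h")
    if obj.backup_interval_hours > obj.rpo_hours:
        problems.append(
            f"copies are taken every {obj.backup_interval_hours:g}h, so up to that much data "
            f"can be lost, more than the RPO of {obj.rpo_hours:g}h")
    return problems


def assess(objectives: list[RecoveryObjectives]) -> dict[str, list[str]]:
    """Map each business function to its list of findings."""
    return {obj.function: findings(obj) for obj in objectives}


# Constructed sample objectives for illustration; not from the flashcards.
SAMPLE = [
    RecoveryObjectives("order processing", mtd_hours=24, rto_hours=8, rpo_hours=1,
                       backup_interval_hours=0.25,
                       recovery_steps_hours={"detect": 1, "declare": 1, "restore": 4, "verify": 1}),
    RecoveryObjectives("payroll", mtd_hours=72, rto_hours=96, rpo_hours=24,
                       backup_interval_hours=24,
                       recovery_steps_hours={"detect": 2, "restore": 24}),
    RecoveryObjectives("customer portal", mtd_hours=4, rto_hours=2, rpo_hours=0.25,
                       backup_interval_hours=24,
                       recovery_steps_hours={"detect": 0.5, "failover": 1, "verify": 1}),
]

if __name__ == "__main__":
    for function, problems in assess(SAMPLE).items():
        print(f"{function}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

The "payroll" entry is the RTO > MTD case from the card; "customer portal" passes that test but fails on the two quieter problems that a plan review should also catch: the recovery steps add up to more than the RTO, and a daily backup cannot meet a 15-minute RPO.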
91
BUSINESS IMPACT ANALYSIS
The effort to determine the value of each asset belonging to the organization, the potential risk of losing assets, the threats likely to affect the organization, and the potential for common threats to be realized.

Methods:
  • Survey
  • Financial audit
  • Customer response

The organization benefits from information about potential threats and attacks (specifically combinations of threats) from:
  • External business/security intelligence vendors
  • Open sources
  • Malware management firms
  • Government and industry feeds
92
ETHICS
Moral principles that govern a person's behavior, or conducting an activity Ethics is about the methods and ways we interact with each other Not limited to human-to-human interaction
93
ISC2 CODE OF ETHICS
Preamble: “The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.” The canons are listed in priority order, from the broadest duty (society) to the narrowest (the profession)...
94
ORGANIZATIONAL CODE OF ETHICS
An organization can create internal guidance, as well , reflecting applicable law, social norms, and cultural mores. Example: Is the admin's report acceptable and valid? What should be done with/to the employee? What should be done with/to the admin?