Security Risk and Management Flashcards
1
Q
What are the three pillars of Information Security? (Information Security Triad)
A
Confidentiality, Integrity and Availability (C.I.A)
2
Q
Can you define Confidentiality?
A
Property that information is not made available or disclosed to unauthorised individuals, entities or processes.
3
Q
Can you define Integrity?
A
Property of accuracy and completeness.
4
Q
Can you define Availability?
A
Property of being accessible and usable upon demand by an authorised entity.
5
Q
What is an ISMS?
A
Information Security Management System
6
Q
What does PDCA stand for?
A
Plan, Do, Check, Act.
7
Q
What does IAAA stand for?
A
Identification, Authentication, Authorisation (Permissions) Auditing.
8
Q
Define due care.
A
The care that are reasonable person would use in order to approach a problem or a concern. Under any given certain circumstances, what are the actions I would engage in, in order to deal with the concern of a problem.
9
Q
List five qualities a Control Framework must be?
A
- Consistent - In approach and application.
- Measurable - To determine progress and set goals.
- Standardised - Results can be compared within & between organisations.
- Comprehensive - Should cover minimum requirements and be extensible.
- Modular - Allow changes to be easily incorporated.
10
Q
List five qualities a Control Framework must be?
A
- Consistent - In approach and application.
- Measurable - To determine progress and set goals.
- Standardised - Results can be compared within & between organisations.
- Comprehensive - Should cover minimum requirements and be extensible.
- Modular - Allow changes to be easily incorporated.
11
Q
Name an example of an ISMS?
A
ISO270001
12
Q
What does an ISMS consist of?
A
Policies, Procedures, Guidelines, and Associated Resources and Activities, in the pursuit of protecting its assets.
13
Q
What are missing words?
An ISMS is a systematic approach for establishing, _________, __________, ___________, ____________, __________ and ___________ an organisation’s information security to achieve business objectives.
A
implementing, operating, monitoring, reviewing, maintaining and improving
14
Q
Explain the difference between “due care” and “due diligence’.
A
Due Care
- Conduct that a reasonable and prudent person will exercise in a particular situation.
Due Dilidence
- Similar to due care but usually pre-emptive
- The processes undertaken to ensure that a course of action is prudent and within risk appetite before committing to the action
- Will lead to due care being observed
15
Q
Give some exmaples of due diligence?
A
- Background checks for employees
- Credit checks of business partners
- Information system security assessments
- Risk assessments of physical security systems
- Penetration tests
- Contingency testing of backup systems
- Checking the availability of company IP on the internet
16
Q
What does GRC stand for?
A
Governance, Risk Management and Compliance.
17
Q
What is COBIT and who is the entity that maintains it?
A
COBIT is a governance framework managed by ISACA.
18
Q
Risk Management is the systematic process used to identify, ________, _________, remedy and _________ risk.
A
analyse, evaluate, monitor
19
Q
As a result of risk management, what options does the organisation have to deal with risk?
A
The result of the risk management processes that an organisation will either mitigate, transfer, accept or avoid a particular risk.
20
Q
Define a computer crime?
A
The use of a computer to take or alter data, or to gain unlawful use of computers or services.
- The threat can be from internal or external sources
Examples include:
- Sale of IP or personal information
- Malware or Ransomware
- Fraud
- Hacking - attacking CIA of systems
21
Q
Provide a definition of a ‘patent’?
A
A patent is a legally enforceable right to exclude others from practising the invention for some length of time - usually 20 years.
- Must make the invention public during the patent process.
22
Q
Provide a definition of a ‘trademark’?
A
A trademark is a recognisable sign, design or expression which identifies products or services.
23
Q
What is copyright?
A
A copyright covers the expression of ideas rather than the ideas themselves and usually protects artistic property such as writing, recordings, databases and computer programs.
- Usually protected for life of the author, plus 50-100 years.
24
Q
What is a trade secret?
A
A trade secret usually refers to the proprietary business or technical information, processes, designs, practices, etc., that are confidential and critical to the business.
- The Coca-Cola formula
25
Does copyright grant the creator territorial or international copyright?
Territorial
26
Briefly, explain the Wassenaar Arrangement?
The Wassenaar Arrangement was established to contribute to regional and international security and stability by transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies.
27
What are the risks to Trans-Border Data Flow? List a few.
1. Personally identifiable information such as ID cards, driving license, enhanced passport, etc., leave data trails that may create risks in countries unless there is adequate data protection.
2. There are major concerns about the security and misuse of information which has been transferred to countries whose laws do not offer the same level of data protection.
3. Rapidly increasing trans-border data flows are creating new and complex challenges for security professionals and organisations responsible for overseeing privacy and data protection laws.
4. Technologies and applications (search engines, RFID, VoIP, etc) generate huge amounts of data and create data trails that can survive long after the transaction or conversation has taken place.
28
Which of the following describes an "incident"?
a. A breach for which it was confirmed that data was actually disclosed to an unauthorised party.
b. A security event that compromises the integrity, confidentiality, or availability of an information asset.
c. An incident that results in the disclosure or potential exposure of data.
Answer: b
A security event that compromises the integrity, confidentiality, or availability of an information asset.
29
Which of the following describes a "breach"?
a. A breach for which it was confirmed that data was actually disclosed to an unauthorised party.
b. A security event that compromises the integrity, confidentiality, or availability of an information asset.
c. An incident that results in the disclosure or potential exposure of data.
Answer: c
An incident that results in the disclosure or potential exposure of data.
30
Which of the following describes "data disclosure"?
a. A breach for which it was confirmed that data was actually disclosed to an unauthorised party.
b. A security event that compromises the integrity, confidentiality, or availability of an information asset.
c. An incident that results in the disclosure or potential exposure of data.
Answer: a
A breach for which it was confirmed that data was actually disclosed to an unauthorised party.
31
Can you list any of the four Code of Ethics Canons?
1. Protect society, the common good, necessary public trust and confidence and the Infrastructure.
2. Act honourably, honestly, justly, responsibly and legally.
3. Provide diligent and compentent service to principals.
4. Advance and protect the profession.
32
Which of the four Code of Ethics Canons does the following description best fit?
"Tell the truth; make all stakeholders aware of your actions on a timely basis. Observe all contracts and agreements, expressed or implied."
Answer: Act honourably, honestly, justly, responsibly and legally.
33
Which of the four Code of Ethics Canons does the following description best fit?
"Promote and preserve public trust and confidence in information and systems. Promote the understanding and acceptance of prudent information security measures."
Answer: Protect society, the common good, necessary public trust and confidence and the Infrastructure.
34
Which of the four Code of Ethics Canons does the following description best fit?
"Sponsor for professional advancement those best qualified."
Answer: Advance and protect the profession.
35
What supports the implementation of the security policy?
Procedures, Standards, Guidelines and Baselines.
36
Define a [security] "Policy"?
A policy is a high-level statement of values, goals and objectives.
- Contains the general approach for achieving values, goals and objectives
- Obligatory compliance
- Relatively long-lived
37
Define a [security] "Standard"?
A standard quantifies actions to support the policy
- Contains prescriptive language.
- Can be general or technical
- Obligatory compliance
38
Define a [security] "Procedure"?
A procedure is a set of detailed instructions
- Supports policies and standards
- Obligatory
39
Define a [security] "Guideline"?
A guideline contains suggestions
| - Not obligatory
40
What are the goals for a Business Impact Analysis?
1. Determine the criticality of organisation functions.
2. Determine the Maximum Tolerable Downtime (MTD).
3. Assess the exposure to Outages.
- External and Internal Threats and Vulnerabilities
The recovery priority for functions will be identified during the Business Impact Analysis (BIA) process.
41
What is the protection of intellectual property that must be novel, provide utility and can be produced?
a. Copyright
b. Trademark
c. Patent
d. Service Mark
e. Registered Trademark
Answer: c
A Patent
42
What is the BIA process?
1. Gather information
2. Analyse Information
3. Perform a threat analysis
4. Document results and present recommendations
43
Match "Risk Avoidance" with one of the correct descriptions below:
a. Shifting all of the liability or consequences
b. Implementing additional controls or countermeasures
c. Shifting a portion of the liability or consequences
d. Ceasing the activity associated with the risk
e. Accepting the consequences of a given activity or process
Answer: d
Ceasing the activity associated with the risk
44
Match "Risk Transference" with one of the correct descriptions below:
a. Shifting all of the liability or consequences
b. Implementing additional controls or countermeasures
c. Shifting a portion of the liability or consequences
d. Ceasing the activity associated with the risk
e. Accepting the consequences of a given activity or process
Answer: a
Shifting all of the liability or consequences
45
Match "Risk Mitigation" with one of the correct descriptions below:
a. Shifting all of the liability or consequences
b. Implementing additional controls or countermeasures
c. Shifting a portion of the liability or consequences
d. Ceasing the activity associated with the risk
e. Accepting the consequences of a given activity or process
Answer: b
Implementing additional controls or countermeasures
46
Define the Maximum Tolerable Downtime (MTD)?
Time after which an unavailable service causes irreversible consequences
- The MTD of functions will be identified during the Business Impact Analysis (BIA) process.
47
_________ is the maximum period of time before function restored to function.
Recovery Time Objective (RTO)
* This must be less than MTD
48
Define the Recovery Point Objective (RPO)?
Amount of data that can be lost in the disaster
e.g. Point between last data backup and disaster.
- The backup strategy dependant on RPO
- RPO decided by Business Impact Analysis
49
What are the principal approaches for achieving separation of duties (SOD)?
1. Sequential separation
- Two signatures principles
2. Individual separation
- Four eyes principles
3. Spatial separation
- Separate action in separate location
4. Factorial separation
- Several factors contribute to completion
50
Can you name other types of Employee Policies that protect the employee and organisation?
Code of Conduct
Conflict of Interest
Gift-handling Policies
Ethics Agreements
51
Least Privilege aka _______ __ ______
Need to know
52
Define "Risk Management"?
...the technique or profession of assessing, minimising, and preventing accidental loss to a business, as through the use of insurance, safety measures, etc.
53
A risk assessment must evaluate the following: (fill in the blanks)
- ________ to its assets
- __________ present in the evironment
- The likelihood that a _______ will be realised by taking advantage of an ________
- The impact that the _______ being realised will have on the organisation
- ______________ available that can _______ the threat's ability to _______ the exposure or that can lessen the impact to the organisation when a _______ is able to _________ a ___________
- The __________ risk (the amount of risk that is left over when appropriate controls are properly applied to lessen or remove the vulnerability)
- Threats to its assets
- Vulnerabilities present in the environment
- The likelihood that a threat will be realised by taking advantage of an exposure
- The impact that the exposure being realised will have on the organisation
- Countermeasures available that can reduce the threat's ability to exploit the exposure or that can lessen the impact to the organisation when a threat is able to exploit a vulnerability
- The residual risk (the amount of risk that is left over when appropriate controls are properly applied to lessen or remove the vulnerability)
54
Risk is determined as the byproduct of __________ and _______.
Risk is determined as the byproduct of likelihood and impact.
55
When identifying assets as part of a risk assessment, what could qualify as an asset?
Information, information systems, processes, or people (anything that has value to an organisation)
56
What are the two types of risk assessments are there?
Qualitative and Quantitative (or a hybrid of the two)
57
Qualitative risk assessments use a ________ _________.
Risk Matrix
58
How do qualitative risk assessments define risk in relative terms?
High, moderate (medium) or low
59
According to the NIST Risk Assessment Process, what are the four steps
1. Prepare for Assessment
2. Conduct Assessment
3. Communicate Results
4. Maintain Assessment
60
What specific tasks are involved in step two of the NIST Risk Assessment Process, conducting the risk assessment?
1. Identify Assets
2. Identify vulnerabilities in assets
3. Identify threat sources
4. Identify threat events
5. Determine the likelihood of risk occurring
6. Determine magnitude of impact
7. Determine the overall risk
61
Can you list other Risk Management Frameworks?
- ISO 31000 Risk Management
- COBIT
- NIST SP 800-37
- COSO (ERM)
- The Risk Management Framework (ISACA)
- ISO 27003:2013
62
Countermeasures (controls, security measures) reduce the ___________ or ___________ of, or prevent, a risk event
Likelihood and Impact
63
Considerations for selecting appropriate countermeasures or controls include: (list some)
* Accountability (someone held responsible)
* Auditability (can it be tested)
* Cost effective
* Reliable
Ease of use
Secure
*Automation
* important criteria
64
Which type of controls can you list?
```
Directive
Deterrent
Preventative
Compensating
Detective
Corrective
Recovery
```
65
Define a "Preventative" control?
Controls implemented to prevent a security incident or information breach
66
Define a "Detective" control?
Controls designed to signal a warning when a security control has been breached
67
Define a "Directive" control?
A policy control designed to specify acceptable rules of behaviour
68
What are the three control categories?
1. Physical
e. g. Doors, locks, windows, guards, etc.
2. Administrative
e. g. Policies and Procedures, privilege management, monitoring, etc.
3. Logical (Technical)
e. g. Remote Access, cryptography, application access, malware controls, etc.
69
What are the three steps for vulnerability assessment?
1. Vulnerability scanning
e. g nmap, zenmap, Metasploit, etc
2. Analysis
3. Communicate results
70
What are the five stages of penetration test methodology?
1. Reconnaissance
2. Enumeration
3. Vulnerability Analysis
4. Execution/Exploitation
5. Document Findings
71
The minimum security requirements must be documented and clearly defined in the ____________ of ___________?
Statement of Requirements (SoR)
72
What do the acronyms SLA and SLR stand for?
Service Level Agreement
| Service Level Requirements
73
The terminology associated with this type of risk assessment is scenario based and descriptive.
a. Subjective
b. Qualitative
c. NIST Compliant
c. Quantitative
Answer: b
Qualitative
74
Which of the following formulas is correct?
a. ARO = EF * SLE
b. AV = EF * Cost of Asset
c. ALE = SLE * ARO
d. SLE = EF * ARO
Answer: c
ALE = SLE * ARO
75
In a quantitative risk assessment, __________ describes likelihood and __________ describes impact.
Possible choices:
cost, ARO, probability, magnitude, exposure factor
Answer: ARO and exposure factor
76
Which of the following choices best describes a risk management activity?
a. identifying associated vulnerabilities
b. calculating annualised rate of occurrence
c. authorising risk acceptance
d. reviewing previous risk assessments
Answer: authorising risk acceptance
77
The cost/benefit calculation for a new control is -$9,000. Assuming that ALE1 is $30,000 and ALE2 is $19,000, what is the cost of the new control?
a. $20,000
b. $11,000
c. $19,000
d. $9,000
Answer: a
$20,000
Cost Benefit Calculation:
(ALE1 - ALE2) - Cost of new control
($30,000 - $19,000) - ?? = -$9,000
$11,000 - ?? = -$9,000 (11,000 - -9000)
= $20,000
78
SLE = ________ __ __________
Possible choices:
AV, ARO, *, Exposure Factor, Replacement Cost, +, ALE, /, Impact Factor
Answer: AV * Exposure Factor
79
Anytown Booksellers has determined that they would lose customers if their e-commerce website was unavailable for more than 3mins. Loss or corruption of more than 2mins of data is unacceptable. Which of the following best describes their requirements?
a. RTO = 3, RPO = 0
b. MTD = 2, RPO = 3
c. RPO = 2, RTO = 0
d. RPO = 2, MTD = 3
Answer: d
RPO = 2, MTD = 3
80
Arrange the following items in the correct order:
1. Report to Management
2. Identify Essential Services and MTD
3. Determine the RPO
4. Identify Infrastructure and Dependencies
5. Determine Current RPO, RTO and WRT
6. Conduct a Gap Analysis
Answer: 2, 3, 4, 5, 6, 1
```
Identify Essential Services and MTD
Determine the RPO
Identify Infrastructure and Dependencies
Determine Current RPO, RTO and WRT
Conduct a Gap Analysis
Report to Management
```
81
Which of the following is least relevant to a BIA discussion?
a. Current restore and recovery time frames
b. Non-essential business processes
c. Infrastructure
d. Dependencies
Answer: b
Non-essential business processes
