Test 2 Flashcards

(19 cards)

1
Q

ASSET “integrity of customer and financial data files on desktop systems”
Threat “corruption of these files due to import of a worm/virus onto system.”

A

Existing Controls - Anti-Virus program
Likelihood Rating - 5 – Almost Certain
Consequence Rating - 4 – Major
Level of Risk - Extreme

i. The small accounting firm has very limited IT (Information Technology) support, so the systems and the anti-virus programs installed on them may be outdated
ii. Because of the outdated systems and anti-virus program, it is almost certain that a worm or virus will affect the system
iii. The small accounting firm does not have the necessary backup services; hence, an infection could cause the loss of critical data on the system
iv. The loss of data seriously impacts the operations of the organization

2
Q

What are the categories of the Risk Register?

A
Asset
Threat
Existing Controls 
Likelihood
Consequence
Level of Risk
Risk Priority
3
Q

ASSET “integrity of the accounting records on the server” THREAT “financial fraud by an employee, disguised by altering the accounting records.”

A

Existing Controls - Monthly account audit
Likelihood Rating - 3 – Possible
Consequence Rating - 3 – Moderate
Level of Risk - High

i. The operations of the small legal firm depend on the employees in the organization
ii. Hence, financial fraud by an insider is clearly possible, and it is very hard to predict when it would occur
iii. Financial fraud by an employee would have a significant impact on the functions of the organization and cause a large financial loss until the fraud is identified by the organization
iv. The existing controls state that the small legal firm's cash flow is checked during the regular monthly account audit
v. So the financial fraud can be detected during the monthly audit; hence, the consequence rating is given as moderate

4
Q

ASSET “integrity of the organization’s Web server”

THREAT “hacking and defacement of the Web server.”

A

Existing Controls - None
Likelihood Rating - 3 – Possible
Consequence Rating - 2 – Minor
Level of Risk - Medium

i. The website of the small web design company uses some common GUI (graphical user interface) programs such as blogs and a guestbook
ii. The rate of threat is very high for programs such as blogs and guestbooks, so the company's website can be easily exploited
iii. Hence, an attack on the company's website is highly possible
iv. Once the company's website is hacked, it is defaced (its visual appearance is changed)
v. This causes an embarrassing situation for the company, which is publicly criticized
vi. Restoring the defaced pages from the company's backup does not take long and is also an easy process

5
Q

ASSET “confidentiality of techniques used to conduct penetration tests on customers”
THREAT “theft/breach of this confidential and sensitive information by either an external or internal source.”

A

Existing Controls - Risk assessed, hardened O/S, automated patching, IDS (intrusion detection system)
Likelihood Rating - 2 – Unlikely
Consequence Rating - 5 – Catastrophic
Level of Risk - Extreme

i. Risk likelihood rating:
1. Unlikely – the threat is not likely to occur in the current circumstances because of the control measures in place
ii. Consequence rating:
1. Catastrophic – the threat results from a major security breach and the impact will last for more than 3 months
a. The threat cannot be dealt with without the intervention of senior management, because of the severity of the incident
iii. Level of risk:
1. Extreme (E) – a high level of management planning is required to produce a detailed report about the incident. Existing controls must be changed

6
Q

ASSET “confidentiality of personnel information in a copy of a database stored unencrypted on the laptop” THREAT “theft of personal information, and its subsequent use in identity theft caused by the theft of the laptop.”

A

Existing Controls - Insurance
Likelihood Rating - 3 – Possible
Consequence Rating - 4 – Major
Level of Risk - Extreme

i. The laptops used by the employees of the government department contain highly sensitive data, and the data on them is not encrypted
ii. If a laptop is stolen, there is a high risk that the data can be accessed and the personnel's identities can be stolen
iii. Hence, the risk is possible in many ways
iv. A high rate of laptop theft has been reported in the country in recent years; if a government department laptop is stolen, it will be a major embarrassment for the government
v. The financial penalty to the department for the loss of the laptop will be huge, so the government department will face a financial loss and its reputation will be damaged
vi. Hence, the government department will face major consequences from the incident

7
Q
  • Refer to issues that management needs to address
  • Focus on reducing the risk of loss and protecting the organization’s mission

A

Management Controls

8
Q
  • Address correct implementation and use of security policies
  • Relate to mechanisms and procedures that are primarily implemented by people rather than systems
A

Operational Controls

9
Q

Involve the correct use of hardware and software security capabilities in systems

A

Technical Controls

10
Q

ISO vs NIST

A

ISO - Generally regarded as the master list of controls and cited by most other standards. It describes the information security management system, and it places security in the context of the overall management and processes of a company.

NIST - Intended for U.S. companies that are considered part of critical infrastructure. It structures the areas of security to be implemented when defining exactly the security profiles that are to be achieved.

ISO - Whereas the NIST Framework focuses only on how to plan and implement cybersecurity, ISO 27001 takes a much wider approach – its methodology is based on the Plan-Do-Check-Act (PDCA) cycle, which means it builds a management system that not only plans and implements cybersecurity but also maintains and improves the whole system.

11
Q

RISK “integrity of customer and financial data files on system”
FROM “corruption of these files due to import of a worm/virus onto system.”

A

i. The security controls used to minimize the threat are listed below:
1. Security awareness and security training
2. Access control for the employees
3. Recurrent system maintenance
4. Occasional system audit
5. Protecting the system from harmful code
6. Intrusion detection system (IDS)
7. Protection of systems from spyware and spam

Cost-effective security controls:

  1. Protecting systems against malicious code, spam and spyware seems cost effective for identifying and blocking threats
  2. Recurrent system maintenance and updating the system with new patches are also cost-effective methods
12
Q

RISK “integrity of the accounting records on the server” FROM “financial fraud by an employee, disguised by altering the accounting records.”

A
  1. Separation of work between employees
  2. Access control for the employees should be supervised and reviewed
  3. Occasional system audit and report generation
  4. User identification
  5. User and system authentication
  6. Employee screening

Cost-effective security controls:

  1. Separation of work between employees seems the most cost effective: because multiple employees need to authorize each financial transaction, this method significantly reduces financial fraud
  2. The next most cost-effective method is supervising and reviewing the employees' access controls to detect employee fraud
13
Q

RISK “integrity of the organization’s Web server”

FROM “hacking and defacement of the Web server.”

A
  1. Access restrictions for the employees
  2. Recurrent system maintenance
  3. Occasional system audit
  4. Remedy for the errors and security flaws
  5. Incident handling and response
  6. Vulnerability/weakness examination
  7. Intrusion detection systems
  8. Security alert systems

Cost-effective security controls:

  1. Recurrent system maintenance and updating the system with new patches seems the most cost-effective method
  2. The next security control method is remedying errors and security flaws to lessen the possibility of spam software running on the information system's web server
  3. Finally, good incident handling and response teams are necessary to correct the threat and restore the organization's operations
14
Q

RISK “confidentiality of techniques for conducting penetration tests on customers, and the results of these tests, which are stored on the server”
FROM “theft/breach of this confidential and sensitive information.”

A
  1. User account management
  2. Access restrictions for the employees
  3. Separation of work between employees
  4. Recurrent system maintenance
  5. Access control for the employees should be supervised and reviewed
  6. Occasional system audit and report generation
  7. Remedy for the errors and security flaws
  8. Incident handling and response
  9. Vulnerability/weakness examination
  10. Intrusion detection systems
  11. Employee screening

Cost-effective security controls:

  1. Employee screening and personnel sanctions seem the most cost-effective security control method
  2. Recurrent system maintenance and updating the system with new patches is also considered a cost-effective method
  3. Good incident handling and response teams are necessary to correct the system threat and restore the organization's operations; access restrictions to avoid external threats are another cost-effective security control method
15
Q

RISK “confidentiality of personnel information in a copy of a database stored unencrypted on the laptop”
FROM “theft of personal information, and its subsequent use in identity theft caused by the theft of the laptop.”

A
  1. Access control for portable devices inside the organization
  2. Security awareness and training about personal devices
  3. Physical access control inside the organization premises
  4. Employee screening and employee sanctions
  5. Valid cryptography usage

Cost-effective security controls:

  1. Using a valid cryptographic mechanism together with access control for portable devices inside the organization seems to be the most cost-effective security control
    a. Because the cryptographic mechanism encrypts the data, the data is protected from unauthorized access and cannot be stolen
    b. Security awareness and security training is the next most cost-effective security control method, because it reduces the use of portable devices inside the organization, so data theft can be reduced
16
Q

Consider the risks you determined in the assessment of a small public service agency. From the list shown in Table 3, select what you believe are the most critical risks, and suggest some suitable specific controls that could reduce these risks. Indicate which you believe would be most cost effective.

A
  1. Better environment and physical protection controls to avoid natural threats
  2. Security awareness and training
  3. Physical access control inside the organization premises
  4. Avoiding accidental errors and operational failures
  5. Employee screening and employee sanctions
  6. Occasional system audit and report generation
  7. Valid cryptography usage

Cost-effective security controls:

  1. Security awareness and security training is the most cost-effective security control method, because it reduces accidental errors and operational failures inside the organization
  2. Employee screening and personnel sanctions are also among the cost-effective security control methods
  3. Protecting the organization's environment from fire, flood and storm will avoid natural threats.
17
Q

Security awareness, training, and education programs provide four major benefits to organizations

A
  • Improving employee behavior
  • Increasing employee accountability
  • Mitigating liability for employee behavior
  • Complying with regulations and contractual obligations
18
Q

Learning Continuum (Bottom to Top)

A

Bottom:
All employees need an AWARENESS of the importance of security and a general understanding of policies
Two Middle Layers:
TRAINING, required for individuals who will be using IT systems and data; they need detailed knowledge of IT security threats, vulnerabilities, and safeguards.
Top Layer:
EDUCATION, applied to individuals who have a specific role centered on IT systems, such as programmers.

19
Q

Section 1 includes a quotation from SP 800-100 to the effect that awareness deals with the what but not the how of security. Explain the distinction in this context.

A

Security awareness:
a. A formal process of educating the employees of the organization about the protection of assets such as information systems and data is called security awareness

Security training:
a. A program designed specifically to teach the organization's employees to access secured information in the information systems more securely is called security training