Video Content Lesson 1

Question 2

Security Triad

Answer 2

CIA
Confidentiality
Integrity
Availability

Question 3

Confidentiality

Protects from

Answer 3

Protects Data from Unauthorized Disclosure

Question 4

Confidentiality

4 parts

Answer 4

Physical Security
Access Control
Encryption
Perimeter Defense

Question 5

Integrity

Protects from

Answer 5

Protects Data from Unauthorized Modification

Question 6

Integrity

3 parts

Answer 6

Physical Security
Access Control
Perimeter Defense

Question 7

Availability

Answer 7

Ensures the system is available when needed

Question 8

InfoSec Management Governance

Answer 8

1-Assurance that appropriate security activities are being carried out
2-Security risks are being reduced
3-Security budget is being properly used

Question 9

Audit Frameworks for Compliance

Answer 9

1-COSO (Committee of Sponsoring Organizations of the Treadway Commission)
2-ITIL (Information Technology Infrastructure Library)
3-COBIT (Control Objectives for Information and related Technology)
4- ISO 17799 / BS 7799

Question 10

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

Answer 10

1-Defines 5 areas of internal control

2-Useful in meeting Sarbanes-Oxley Section 404 compliance

Question 11

ITIL (Information Technology Infrastructure Library)

Answer 11

1-British government’s TSO (The Stationary Office)

2-Best practices for IT service management

Question 12

COBIT (Control Objectives for Information and related Technology)

Answer 12

1-ITGI (IT Governance Institue)

2-Overall structure for Information Technology Control

Question 13

ISO 17799 / BS 7799

Answer 13

1-Originially, UK Department of Trade and Industry Code of Practices
2-Basis for developing security standards and security management practices

Question 14

Security Administration

Answer 14

1-Management is responsible to ensure security
2-Look at Security Goals
a-Strategic - Long-term
b-Tactical - Medium Term
c-Operational - day-to-day

Question 15

Organizational Requirements

Answer 15

1-Government or Commercial

2-Management Style and Organizational Culture

Question 16

Physical Risks

Answer 16

Handling risks that can cause loss
Physical Damage
Hardware Malfunction
Software Malfunction

Question 17

Human Risks

Answer 17

Malicious Attack
Espionage and theft
Human Errors

Question 18

Risk Management

Answer 18

RM involves assessing risks and choosing appropriate responses

Question 19

Risk Management Terms

Answer 19

Threat
Vulnerability
Probablility Determination
Control

Question 20

Risk Management Options

Answer 20

Allow risk to exist

Reduce Loss

Question 21

Legal Responsibility

Answer 21

Due Care

Due Dilligence

Question 22

Risk Assessment Methodologies

Answer 22

A methodology is a starting point or a structure that helps the process begin
NIST 800-30 and 800-66
OCTAVE
FRAP (Facilitated Risk Analysis Process)
CRAM (CCTA Risk Analysis Management)

Question 23

NIST 800-30 and 800-66

Answer 23

1-Qualitative

2-800-66 written with HIPAA in mind

Question 24

OCTAVE

Answer 24

Carnegie Mellons self-directed infromation security risk evaluation

Question 25

Risk Assessment Team

Answer 25

1-Upper Management (most Important)
2-multiple departments
3-accept all input equally
4-document all proceedings

Question 26

Risk Assessment | Types

Answer 26

Qualitative (no numbers, just comparisions) | Quantative (assign numberical value to risks)

Question 27

Single Loss Expectancy

Answer 27

Calculate Exposure 1-Assign a value for each asset 2-Determine % of loss for each realized threat (Exposure Factor-EF) Calculate the Loss of a single threat occurrence 1-Single Loss Expectancy (SLE) SLE = Asset Value * EF

Question 28

Annual Loss Expectancy

Answer 28

Calculate the annual probability of loss Annual Rate of Occurrence (ARO) Based on an estimage of annual probability a stated threat will be realized Calculate the annual estimated loss of a specific realized threat 1-Annual Loss expectancy (ALE) SLE * ARO = ALE

Question 29

Overall Risk

Answer 29

Look at costs of risks and cost of controls

Question 30

Qualiltative Risk Assessment

Answer 30

Ranked by impact and likelihood | Summarize each risk and its impact

Question 31

Selecting Controls

Answer 31

Choose appropriate controls to mitigate risk Value is always related to amount of loss a control prevents Explore alternate options for expensive controls

Question 32

Security Policy

Answer 32

``` Starts with Upper Management Policy 1-Statement of expected performance 2-Consequences of noncompliance Very High Level with Limited Specifics ```

Question 33

Security Policy Types

Answer 33

1-Regulatory (mandatory to satisfy legal/regulatory requirments) 2-Advisory (things which we require as a business ex. ID) 3-Informative (explains organizational strategies and behavior)

Question 34

Standards

Answer 34

What you must do Lower level than policy specify what products can be used (IE vs. Netscape) specify best practices for each product Compliance is mandatory (password expiry)

Question 35

Guidelines

Answer 35

Recommended action/guide typically not mandatory provide details on how to implement standards

Question 36

Procedures

Answer 36

"How to" documents detailed step-by-step instructions specific to well-defined areas May have multiple sets of procedures

Question 37

Job Policies and Training

Answer 37

``` 1-Hiring Practices 2-Terminations Practices 3-Job Descriptions 4-Job Activities 5-Security Awareness 6-Tailoring Training 7-ISO Responsibilities ```

Question 38

Hiring Practices

Answer 38

Background check drug testing security clearance nondisclosure agreements

Question 39

Terminations practices

Answer 39

Revocation of Privileges Security Escort Exit Interview

Question 40

Job Descriptions

Answer 40

Roles and Responsibilities

Question 41

Job Activities

Answer 41

Separation of Duties and responsibilities Mandatory Vacation Increments (audit employee's work) Job Rotation

Question 42

Security Awareness

Answer 42

most security incidents occur due to negligence Awareness training informs and reminds participants and security responsibilities Tailor training to match appropriate level of security needed Various levels of training

Question 43

Tailoring Training

Answer 43

1-management 2-non-technical staff 3-technical staff

Question 44

ISO Responsibilities

Answer 44

ISO - Information Security Officer Communicate risk to upper management Budget for Infromation Security Activities Ensure Development of (Policies, Procedures, Baselines, Standards, Guidelines)

Question 45

Ethics

Answer 45

``` Overview (ISC)2 Code of Ethics Ten Commandments REC 1087 Ethics Topics Common Computer Ethics Fallacies ```

Question 46

(ISC)2 Code of Ethics

Answer 46

``` Preamble Four Canons 1-protect society 2-act honorably, honestly 3-provide diligent service to principles 4-advance and protect the profession ```

Question 47

Ten Commandments

Answer 47

Computer Ethics Institute

Question 48

RFC 1087

Answer 48

Internet Activities Board

Question 49

Ethics Topics

Answer 49

``` Computers in the Workplace Computer Crime Privacy and anonymity Intellectual property Professional Responsibilities ```

Question 50

Ethics Fallacies

Answer 50

``` The Computer Game Fallacy The Law-abiding Citizen Fallacy The Shatterproof Fallacy The Candy-from-a-Baby Fallacy The Hacker's Fallacy The Free Information Fallacy ```