36 Cards in this Set

How does privacy fit into the realm of IT security?

Privacy is the active prevention of unauthorized access to information that is personally identifiable.

Freedom from unauthorized access to information deemed personal or confidential.

Freedom from being observed, monitored, or examined without consent.

Discuss third-party governance of security

Third-party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements.

Define overall risk management

Risk management is the process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

What are risk analysis and the key elements involved?

Risk analysis is the process by which upper management is provided with details to make decisions about which risks are to be mitigated, which should be transferred, and which should be accepted.

To fully evaluate risks and subsequently take the proper precautions, you must analyze the following:

1. assets
2. asset valuation
3. threats
4. vulnerability exposure
5. risk
6. realized risk
7. safeguards
8. countermeasures
9. attacks
10. breaches

How does one evaluate threats?

Threats can originate from numerous sources, including IT, humans, and nature.

Threat assessment should be performed as a team effort to provide the widest range of perspectives.

By fully evaluating risk from all angles, you reduce your system's vulnerability.

What is quantitative risk analysis?

Quantitative risk analysis focuses on hard values and percentages. A complete qualitative analysis is not possible because of intangible aspects of risk. The process involves asset valuation and threat identification, and then determining a threat's potential frequency and the resulting damage.

The result is a cost/benefit analysis of safeguards.

Explain the concept of exposure factor.

An exposure factor is an element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

By calculating the exposure factor, you are able to implement a sound risk management policy.



What is single loss expectancy and how do you calculate it?

Single loss expectancy (SLE) is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset.

Formula: SLE = asset value (AV) × exposure factor (EF)

What is annualized rate of occurrence (ARO)?

Annualized rate of occurrence (ARO) is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur (in other words, become realized) within a single year.

Understanding AROs further enables you to calculate the risk and take proper precautions.

What is annualized loss expectancy (ALE) and how do you calculate it?

ALE is an element of quantitative risk analysis that represents the possible yearly cost of all instances of a specific realized threat against a specific asset.

Formula: ALE = single loss expectancy (SLE) × annualized rate of occurrence (ARO)

Example: if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is 0.5, then the ALE is $45,000.

On the other hand, if the ARO for a specific threat (such as a compromised user account) were 15, then the ALE would be $1,350,000.

What is the formula for safeguard evaluation?

Safeguard evaluation = (ALE before safeguard - ALE after safeguard) - annual cost of safeguard

What is qualitative analysis?

Qualitative risk analysis is based more on scenarios than calculations. Exact dollar figures are not assigned to possible losses; instead, threats are ranked on a scale to evaluate their risks, costs, and effects. Such an analysis assists those responsible in creating proper risk management policies.

Explain the Delphi technique

The Delphi technique is simply an anonymous feedback-and-response process used to arrive at a consensus. Such a consensus gives the responsible parties the opportunity to properly evaluate risks and implement solutions.

What are some options for handling risk?

Reducing or mitigating risk is the implementation of safeguards and countermeasures. Assigning or transferring risk places the cost of the loss a risk represents onto another entity or organization.

Purchasing insurance is one form of assigning or transferring risk.

Accepting risk means management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means management has agreed to accept the consequences and the loss if the risk is realized.

What is total risk?

Total risk is the amount of risk an organization would face if no safeguards were implemented.

Formula: Total risk = threats × vulnerabilities × asset value

What is residual risk?

Residual risk is the risk that management has chosen to accept rather than mitigate.

Formula: Residual risk = total risk - controls gap

What is the controls gap?

The controls gap is the amount of risk that is reduced by implementing safeguards.

Explain control types

The term access control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources.

Examples: preventive, detective, corrective, etc.

Explain preventive control:

A preventive access control is deployed to thwart or physically stop unwanted or unauthorized activity from occurring.

Examples: fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, etc.

Explain detective control:

A detective access control is deployed to discover or detect unwanted or unauthorized activity. Detective controls operate after the fact and can discover the activity only after it has occurred.

Examples: security guards, motion detectors, recording and reviewing of events captured by security cameras, job rotation, audit trails.

Explain corrective control type:

A corrective access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that result from a security incident.

Examples: antivirus, backup solution

Explain deterrent control type:

A deterrent access control is deployed to discourage violations of security policies before they occur. Deterrent and preventive access controls are similar, but deterrent controls often depend on individuals deciding not to take an unwanted action.

Examples: policies, security-awareness training, locks, fences, security badges, guards, mantraps, security cameras.

Explain recovery control type:

Recovery controls are an extension of corrective controls but have more advanced or complex abilities.

Examples: backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database shadowing.

Explain directive control type:

A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Examples: security policy requirements or criteria, posted notifications, escape route exits, monitoring, supervision, and procedures.

What is a compensation access control?

A compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of policies.

For example, an organizational policy may dictate that all PII must be encrypted. A review discovers that a preventive control is encrypting all PII data in databases, but PII transferred over the network is sent in cleartext. A compensation control can be added to protect the data in transit.

What are the security implications of hiring new employees?

To properly plan for security, you must have standards in place for job descriptions, job classification, work tasks, job responsibilities, preventing collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements.

By deploying such mechanisms, you ensure that new hires are aware of the required security standards, thus protecting your organization's assets.

Explain separation of duties

Separation of duties is the security concept of dividing critical, significant, sensitive work tasks among several individuals. By separating duties in this manner, you ensure that no one person can compromise system security.

What is the principle of least privilege?

The principle of least privilege states that in a secured environment, users should be granted the minimum amount of access necessary for them to complete their required work tasks or job responsibilities.

Why are job rotations and mandatory vacations necessary?

Job rotation serves two functions. It provides a type of knowledge redundancy, and moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information.

Mandatory vacations of one or two weeks are used to audit and verify the work tasks and privileges of employees. This often results in easy detection of abuse, fraud, or negligence.

What are vendor, consultant, and contractor controls?

Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization.

Often these controls are defined in a document or policy known as a service-level agreement (SLA).

What is the proper termination policy?

A termination policy defines the procedure for terminating employees. It should include items such as always having a witness, disabling the employee's network access, and performing an exit interview.

A termination policy should also include escorting the terminated employee off the premises and requiring the return of security tokens, badges, and company property.

How should we manage security functions?

To manage security functions, an organization must implement proper and sufficient security governance.

The act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security function.

This also relates to budget, metrics, resources, information security strategy, and assessing the completeness and effectiveness of the security program.

What are the six steps of the Risk Management Framework?

1. Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

2. Select an initial set of baseline security controls for the information system based on the security categorization; tailor and supplement the security control baseline as needed based on an organizational assessment of risk and local conditions.

3. Implement the security controls and describe how the controls are employed within the information system and its environment of operation.

4. Assess the security controls using the appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

5. Authorize information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that the risk is acceptable.

6. Monitor the security controls in the information system on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

What is a threat event?

Accidental or intentional exploitation of vulnerabilities.

When a safeguard or countermeasure is not present or is not sufficient, what remains?

Vulnerability

What process or event is typically hosted by an organization and is targeted to groups of employees with similar job functions?

Training