165 Cards in this Set
Framework and policies, concepts, principles, structures, and standards describes what
|
Domain 1, Information Security & Risk Management
|
|
three categories of internal control standards
|
1. general standards
2. specific standards
3. audit resolution standards
|
|
Ensures that the appropriate policies, procedures, standards, and guidelines are implemented to provide the proper balance of security controls with business operations
|
Security Management
|
|
Who ultimately makes the final decision on the level of security expenditures and the risk they are willing to take?
|
Senior Management
|
|
Core Information Security Principles:
|
Confidentiality, Integrity and Availability
|
|
principle that only authorized individuals, processes, or systems should have access to information on a need-to-know basis
|
Confidentiality
|
|
principle that information should be protected from intentional, unauthorized, or accidental changes
|
Integrity
|
|
principle that information is accessible by users when needed
|
Availability
|
|
Ensures that the department can function without the computer system within a defined period using alternate processes
|
Business Continuity Planning
|
|
Ensures the recovery of the information technology processing capability at a permanent site to an acceptable operational state
|
Disaster Recovery Planning
|
|
What guarantees that the appropriate information security activities are being performed to ensure that the risks are appropriately reduced
|
Security Governance
|
|
What establishes the glue that ensures everyone has a common set of expectations and communicates management's goals and objectives.
|
Policies
|
|
Name the components that support the implementation of a security policy
|
Procedures, standards, guidelines, and baselines
|
|
supporting component of a security policy that addresses specific software and hardware
|
Standards
|
|
Supporting component of a security policy that provides step by step instructions
|
Procedures
|
|
Supporting component of a security policy that gives consistent level of security
|
Baselines
|
|
Supporting component of a security policy that gives recommendations
|
Guidelines
|
|
Place the following in order (highest to lowest):
1) Functional implementing policies
2) Laws, regulations, reqts, organizational goals and objectives
3) General organizational Policy
|
1) Laws, regulations, reqts, organizational goals and objectives
2) General organizational Policy
3) Functional implementing policies
|
|
Name two reasons security policies need to be written in collaboration with executive oversight
|
1) distributing them without business input is likely to miss important business considerations
2) organization is also more likely to accept security policies that have been approved and endorsed by the business leaders versus the security officer or the IT department |
|
define what the organization needs to accomplish at a high level and serve as management's intentions to control the operation of the organization to meet business objectives
or high-level statements of the objectives of the organization |
Policies
|
|
Addresses specific technical areas of existing and emerging technologies, such as use of the Internet, e-mail and corporate communication systems, wireless access, or remote system access
|
Functional Security Policy
|
|
purpose of the program is described, and the assigned responsibility is defined for carrying out the information security mission
|
Organizational Security Policy
|
|
- descriptions of how to implement security packages to ensure that these implementations are consistent throughout the organization
- specific rules necessary to implement the security controls in support of the policy and standards that have been developed |
Baselines
|
|
step-by-step instructions in support of the policies, standards, guidelines, and baselines
|
Procedures
|
|
discretionary or optional controls used to enable individuals to make judgments with respect to security actions
|
Guidelines
|
|
- hardware and software security mechanisms selected as the organization's method of controlling security risks.
|
Standards
|
|
Control Objectives for Information and related Technology (COBIT), the Capability Maturity Model (CMM), ISO 17799, and British Standard 7799, security configuration recommendations such as those from the National Institute of Standards and Technology (NIST) or the National Security Agency (NSA) are examples of?
|
Guidelines
|
|
ISSO stands for
|
Information Systems Security Officer
|
|
CISO stands for
|
Chief Information Security Officer
|
|
5 Job controls implemented to minimize risk of loss
|
Segregation of duties, Job description documentation, mandatory vacations, job/shift rotations and need to know (least privilege)
|
|
duties, which should not be combined within one person or group
|
incompatible duties
|
|
Who is responsible to Communicate Risks to Executive Management, Budget for Information Security Activities, Ensure Development of Policies, Procedures, Baselines, Standards, and Guidelines, Develop and Provide Security Awareness Program, Understand Business Objectives, Maintain Awareness of Emerging Threats and Vulnerabilities, Evaluate Security Incidents and Response, Develop Security Compliance Program, Establish Security Metrics, Participate in Management Meetings, Ensure Compliance with Government Regulations, Assist Internal and External Auditors, and Stay Abreast of Emerging Technologies?
|
Information Security Officer
|
|
Projects greater than ___ are generally considered to be long term and strategic in nature and typically require more funding and resources or are more complex in their implementation.
|
12 to 18 months
|
|
what are two reasons the security officer should report as high in the organization as possible?
|
(1) maintain visibility of the importance of information security and
(2) limit the distortion or inaccurate translation of messages that can occur due to hierarchical, deep organizations |
|
are objectives that support the overall vision, created by the Security Oversight Committee
|
Mission Statement
|
|
Who chairs the security oversight committee?
|
The security officer
|
|
Who is responsible for protecting the information assets on a daily basis through adherence to the security policies that have been communicated?
|
End User
|
|
Who maintains the overall responsibility for protection of the information assets
|
Executive Management
|
|
Who directs, coordinates, plans, and organizes information security activities throughout the organization
|
The Security officer
|
|
Who develops the security policies and the supporting procedures, standards, baselines, and guidelines, and subsequent implementation and review?
|
Information System Security Professionals
|
|
Who is responsible for an information asset, assigns the appropriate classification to the asset and ensures that the business information is protected with the appropriate controls?
|
Data/Information/Business owners
|
|
Who takes care of the information on behalf of the data owner?
These individuals ensure that the information is available to the end users and is backed up to enable recovery in the event of data loss or corruption |
Data custodian
|
|
Who determines whether systems are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction, and other requirements
|
Information Systems Auditor
|
|
Who is responsible for designing security controls into information systems, testing the controls, and implementing the systems in production environments through agreed upon operating policies and procedures
|
IS/IT professionals
|
|
manages the user access request process and ensures that privileges are provided to those individuals that have been authorized for access by the proper management.
|
Security Administrator
|
|
3 types of security planning
|
1) Strategic (3-5yr horizon)
2) Tactical (6-18mo)
3) Operational/Project Planning (short term)
|
|
Name the activities performed as part of hiring practices
|
1) Developing job descriptions
2) Contacting references
3) Screening/investigating background
4) Developing confidentiality agreements
5) Determining policies on vendor, contractor, consultant and temporary staff access
|
|
Job descriptions should contain:
|
1) Responsibilities of the position
2) Education
3) Experience
4) Expertise
|
|
What is the purpose of employee agreements?
|
To protect the organization while the individual is employed as well as after the employee has left.
Examples (non-disclosure, code of conduct, conflict of interest, gift-handling, ethics) |
|
Two types of Terminations
|
Friendly and Unfriendly
|
|
Aspects of a curriculum in a course on security awareness
|
what is it, why is _ important, how does this _ fit into my role at the organization, Do I have to comply, penalties for non-compliance, Effect of _ on my work, content
|
|
Method by which organizations can inform employees about their roles, and expectations surrounding their roles, in the observance of information security requirements.
|
Security Awareness Training
|
|
assists personnel with the development of their skills sets relative to performance of security functions within their roles
|
Security training
|
|
Who is always ultimately responsible in the organization for information security?
|
Senior Management
|
|
Provides decision-making and security management skills that are important for the success of an organization's security program
|
Security/Professional Education
|
|
a discipline for living with the possibility that future events may cause harm
or The technique or profession of assessing, minimizing and preventing accidental loss to a business, as through the use of insurance, safety measures, etc |
Risk management
|
|
reduces risks by defining and controlling threats and vulnerabilities
|
Risk Management
|
|
What are the two types of risk assessments?
|
1) Qualitative
2) Quantitative |
|
Which risk assessment is used when the time frame is short, assessors have limited expertise or the organization does not have a significant amount of data readily available?
|
Qualitative
|
|
Which type of risk assessment is used when the following methods are used; mgmt approval and oversight req'd, documentation is collected, interviews w/ organizational members
|
Qualitative
|
|
Residual risk is
|
Risk left over after countermeasure application
|
|
Which risk assessment type uses numbers
|
Quantitative
|
|
What are the three steps taken in quantitative risk assessment?
|
1) Initial management approval
2) Construction of risk assessment team
3) Review of information currently available within the organization
|
|
SLE
|
Single Loss Expectancy. Calculated to provide an estimate of loss
|
|
The difference between the original value and the remaining value of an asset after a single exploit
|
SLE
|
|
SLE (loss from a successful threat exploit, as a %) = ?
|
Asset value ($) * exposure factor
|
|
ARO
|
Annual Rate of Occurrence. How often a threat will be successful in exploiting a vulnerability over the period of a year
|
|
ALE
|
Annualized Loss Expectancy. Product of the yearly estimate for the exploit (ARO) and the loss in value of an asset after a single exploitation
|
|
ALE =
|
ARO * SLE
|
|
LAFE
|
Localized Annual Frequency Estimate (adjusted for geographical distances)
|
|
SAFE
|
Standard Annual Frequency Estimate
|
|
ALE makes it possible for the organization to determine what?
|
what amount, if any, to spend to apply countermeasure for the risk in question. (no countermeasure should be greater in cost than the risk it mitigates, transfers or avoids)
|
|
self-direction is one of the principles of which public risk assessment Methodologies?
|
OCTAVE
|
|
Which public risk assessment Methodology is written specifically with HIPAA clients in mind?
|
NIST's 800-66
|
|
The OCTAVE criteria are a set of
|
principles, attributes and outputs
|
|
FRAP
|
Facilitated Risk Analysis Process
|
|
CRAMM
|
CCTA Risk Analysis and Management Method
|
|
CRAMM is divided into three stages:
|
1) Asset identification and valuation
2) Threat and vulnerability assessment
3) Countermeasures selection and recommendation
|
|
creates a tree of all possible threats to or faults of the system
|
Spanning Tree Analysis
|
|
What are the four risk management principles?
|
1) Avoidance
2) Transfer
3) Mitigation
4) Acceptance
|
|
principle described by "practice of coming up with alternatives so that the risk in question is not realized"
|
Risk avoidance
|
|
principle described by "practice of passing on the risk in question to another entity, such as insurance company"
|
Risk Transfer
|
|
Principle described by "practice of the elimination of or the significant decrease in the level of risk presented"
|
Risk Mitigation
|
|
Principle described by "accepting the risk that is present"
|
Risk Acceptance
|
|
Who ultimately owns the risks that are present during operation of the company?
|
Senior Management
|
|
"a flaw or weakness in system security procedures, design, implementation or internal controls" per NIST SP 800-30
|
Vulnerability (people, process, technology, data, and facilities)
|
|
the potential to successfully exercise a particular vulnerability
|
Threat
|
|
Threat categories:
|
Human
Natural
Technical
Physical
Environmental
Operational
|
|
Likelihood is a component of which type of risk assessment
|
Qualitative
|
|
Impact is defined by
|
loss of life, dollars, market share, and other facets
|
|
Risk is determined by the product of
|
Likelihood and impact
|
|
Consideration for countermeasures
|
Accountability, auditability, publicly available, trusted source, independence, consistently applied, cost-effective, reliable, distinct from other countermeasures, ease of use, minimum manual intervention, sustainable, secure, protects CIA, can be "backed out", creates no add'l issues during operations, leaves no residual data from its function
|
|
Process of judging information's cost and its perceived value
|
Information Valuation
|
|
descriptive is a ___ approach to information valuation
|
subjective
|
|
metric is a ___ approach to information valuation
|
objective
|
|
Who is credited with beginning the consideration of computer ethics?
|
MIT professor Norbert Wiener
|
|
Who is credited with coining the phrase "Computer ethics"
|
Walter Maner
|
|
When did the area of computer ethics really begin to grow/flourish?
|
1990s
|
|
what provides the basis for a minimal ethical standard upon which an org can expand?
|
regulatory requirements (e.g. 1991 Federal Sentencing Guidelines for Orgs and Sarbanes-Oxley 2002)
|
|
Topics to include in a computer ethics program
|
Computers in the workplace, Computer crime, Privacy and Anonymity, Intellectual Property, Professional Responsibility and Globalization
|
|
Name three regulations which call for ethic training/program
|
1) US Federal Sentencing Guidelines for Organizations
2) Sarbanes-Oxley 2002
3) New York Stock Exchange
|
|
Example of code of Ethics
|
Code of Fair Information Practices, Internet Activities Board/RFC 1087, Computer Ethics Institute (CEI)
|
|
What are the four primary values proposed by the National Conference on Computing and Values?
|
1) Preserve the public trust and confidence in computers
2) Enforce fair information practices
3) Protect the legitimate interests of the constituents of the system
4) Resist fraud, waste and abuse
|
|
who created the End User's basic tenets of Responsible Computing
|
the Working Group on Computer ethics 1991
|
|
NCERC stands for
|
National Computer Ethics and Responsibilities Campaign
|
|
Name the steps of organizational Ethics plan of action:
|
1) Develop a corporate guide to computer ethics
2) Develop a computer ethics policy to supplement the security policy
3) Add information about computer ethics to the employee handbook
4) Find out whether the org has a business ethics policy and expand it to include computer ethics
5) Learn more about computer ethics and spread what is learned
6) Foster awareness
7) Make sure there's an e-mail privacy policy
8) Make sure employees know what the e-mail privacy policy is
|
|
what is "a contract between professionals"
|
Professional code of ethics
|
|
Donn B Parker's 5 ethical principles:
|
1) Informed consent
2) Choose the higher ethic (least harm)
3) Amplified scale test
4) Owners' conservation of ownership
5) User's conservation of ownership
|
|
Consideration of computer ethics is recognized to have begun with who?
|
Norbert Wiener
|
|
Need to input sample q's from book.
|
p.88
|
|
1) Consideration of computer ethics is recognized to have begun with the work of which of the following?
|
Norbert Wiener
|
|
2) Which of the following U.S. laws, regulations, and guidelines does not have a requirement for organizations to provide ethics training?
|
Health Insurance Portability and Accountability Act
|
|
3) According to Peter S. Tippett, which of the following common ethics fallacies is demonstrated by the belief that if a computer application allows an action to occur, the action is allowable because if it was not, the application would have prevented it?
|
The computer game fallacy
|
|
4) According to Stephen Levy, which of the following is one of the six beliefs he described within the hacker ethic?
|
Computers can change your life for the better.
|
|
5) According to Fritz H. Grupe, Timothy Garcia-Jay, and William Kuechler, which of the following represents the concept behind the "no free lunch" rule ethical basis for IT decision making?
|
Assume that all property and information belong to someone.
|
|
6) The concept of risk management is best described as the following:
|
Risk management reduces risks by defining and controlling threats and vulnerabilities
|
|
7) Qualitative risk assessment is earmarked by which of the following?
|
Ease of implementation
AND Can be completed by personnel with a limited understanding of the risk assessment process |
|
8) Single loss expectancy (SLE) is calculated by using
|
Asset value and exposure factor
|
|
9) Consideration for which type of risk assessment to perform includes all of the following except?
a) Cultural org b) Budget c) Capabilities of resources d) Likelihood of exposure |
Likelihood of exposure
|
|
10. Security awareness training includes:
|
b. Security roles and responsibilities for staff
|
|
11. A signed user acknowledgment of the corporate security policy:
|
Helps to protect the organization if a user's behavior violates the policy
|
|
12. Effective security management:
|
b. Reduces risk to an acceptable level
|
|
13. Identity theft is best mitigated by:
|
b. Implementing authentication controls
|
|
14. Availability makes information accessible by protecting from each of the following except:
|
d. Unauthorized transactions
|
|
15. The security officer could report to any of the following except:
a. CEO b. Chief information officer c. Risk manager d. Application development |
d. Application development
|
|
16. Tactical security plans:
|
b. Enable entitywide security management
|
|
17. Who is accountable for information security?
|
Security Officer
|
|
18. Security is most expensive when addressed in which phase?
|
d. Implementation
|
|
19. Information systems auditors help the organization:
|
c. Identify control gaps
|
|
20. Long-duration security projects:
|
d. Increase completion risk
|
|
21. Setting clear security roles has the following benefits except:
|
c. Reduces cross-training requirements
|
|
22. Well-written security program policies should be reviewed:
|
a. Annually
|
|
23. Orally obtaining a password from an employee is the result of:
|
a. Social engineering
|
|
24. A security policy that will stand the test of time includes the following except:
a. Directive words such as shall, must, or will b. Defined policy development process c. Short in length d. Technical specifications |
d. Technical specifications
|
|
25. Consistency in security implementation is achieved through:
|
b. Standards and baselines
|
|
26. The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendor illustrates which concept?
|
b. Separation of duties
|
|
27. Which function would be most compatible with the security function?
|
c. Change management
|
|
28. Collusion is best mitigated by:
|
a. Job rotation
|
|
29. False-positives are primarily a concern during:
a. Drug and substance abuse testing b. Credit and background checks c. Reference checks d. Forensic data analysis |
a. Drug and substance abuse testing
|
|
30. Data access decisions are best made by:
|
b. Data owners
|
|
31. Company directory phone listings would typically be classified as:
a. Public b. Classified c. Sensitive information d. Internal use only |
d. Internal use only
|
|
ISC2 ethics canons in order
|
1) Protect society, the commonwealth, and the infrastructure
2) Act honorably, honestly, justly, responsibly and legally
3) Provide diligent and competent service to principals
4) Advance and protect the profession
|
|
According to Peter S. Tippett, which of the following common ethics fallacies is demonstrated by the belief that if a computer app allows an action to occur, the action is allowable because if it was not, the app would have prevented it?
|
The computer game fallacy
|
|
According to Stephen Levy, which of the following is one of the six beliefs he described within the hacker ethic?
|
Computers can change your life for the better
|
|
IT systems are normally operated by
|
Data Custodians
|
|
Security Awareness begins when
|
first day of employment
|
|
What is a primary step in Qualitative Risk Analysis
|
Develop scenarios
|
|
Which is it possible to totally complete, quantitative or qualitative risk analysis?
|
Qualitative
|
|
Risk management principles
|
Avoidance, acceptance, mitigation
|
|
IT governance is comprised of
|
Roles and Responsibilities
Security Planning
Security Administration
|
|
total risk formula
|
Threats * vulnerability * asset Value
|
|
residual risk formula
|
(Threats * vulnerability * asset Value) * control gap
|
|
What are the sections of ISO 17799?
|
1. Info Sec policy
2. Creation of security infrastructure
3. Asset classification and control
4. Personnel Security
5. Physical and environmental security
6. Communications and ops mgmt
7. Access Control
8. System development and mx
9. BC management
10. Compliance
|
|
Why is it important to make safeguards highly visible?
|
To deter attackers
|
|
What is the difference between the modified and consensus Delphi methods?
|
Modified is for brainstorming and consensus is for solving problems
|
|
is the Delphi method anonymous
|
yes
|
|
What do uncertainty values have to do with risk values and calculations?
|
It is a confidence level in the data that has been gathered
|
|
Employee Badge-ID policy is an example of what kind of policy
|
Issue-specific
|
|
A policy written solely to educate and not to enforce action is what type of policy?
|
Informative
|
|
describes the probability of a threat materializing
|
Risk
|
|
of Regulatory, Advisory and Informative, which is non-enforceable
|
Informative
|
|
Value representing the likelihood of an event taking place within the span of a year
|
Annualized rate of occurrence
|
|
Three phases of Risk Mgmt
|
1) Risk assessment (analysis)
2) Risk Mitigation
3) Evaluation and Assurance
|
|
What statement describes the proper relationship of the words "threat", "exposure" and "risk"?
|
A threat is that a threat agent will exploit a vulnerability. The probability of this happening is risk. Once the vulnerability is exploited, there is an exposure.
|
|
A signed user acknowledgment of the corporate security policy:
|
Ensures that users understand the policy as well as the consequences for not following the policy
|