Chapter 1 - Information Security And Risk Management

Front 1

Qualitative Risk Assessment - For a given scope of assets, identify (5) things.

Back 1

(1) Vulnerabilities

(2) Threats

(3) Threat probability (low / medium / high)

(4) Impact (low / medium / high)

(5) Countermeasures

Front 2

Quantitative Risk Assessment - Metrics for each risk are: (5).

Back 2

(1) Asset Value

(2) EF

(3) SLE

(4) ARO

(5) ALE

Front 3

What does EF stand for?

Back 3

Exposure Factor

Front 4

What does Exposure Factor refer to?

Back 4

Portion of asset damaged.

Front 5

What does SLE stand for?

Back 5

Single Loss Expectancy

Front 6

What is the formula for SLE?

Back 6

SLE = Asset ($) x EF (%)

Front 7

What does ARO stand for?

Back 7

Annualized Rate of Occurence

Front 8

What does ARO refer to?

Back 8

Probability of loss in a year, %

Front 9

What does ALE stand for?

Back 9

Annual Loss Expectancy

Front 10

What is the formula for ALE?

Back 10

SLE x ARO

Front 11

Impact of quantifying countermeasures: (3)

Back 11

(1) Cost of countermeasure

(2) Changes in EF

(3) Changes in SLE

Front 12

What does OCTAVE stand for?

Back 12

Operationally Critical Threat, Asset, and Vulnerability Evaluation.

Front 13

What does FRAP stand for?

Back 13

Facilitated Risk Analysis Process

Front 14

What is FRAP?

Back 14

A risk assessment methodology that offers qualitative pre-screening.

Front 15

Name 4 Risk Assessment Methodologies.

Back 15

(1) NIST 800-30, Risk Management Guide for IT Systems.

(2) OCTAVE

(3) FRAP

(4) Spanning Tree Analysis

Front 16

What are the 4 outcomes from a risk assessment?

Back 16

(1) Risk acceptance

(2) Risk avoidance
(3) Risk reduction

(4) Risk transfer

Front 17

What is Risk Acceptance?

Back 17

"Yeah, we can live with that."

Front 18

What is Risk Avoidance?

Back 18

Discontinue the risk-related activity.

Front 19

What is Risk Reduction?

Back 19

Mitigate.

Front 20

What is Risk Transfer?

Back 20

Buy insurance.

Front 21

What does CIA stand for?

Back 21

Confidentiality, Integrity, Availability.

Front 22

What is the CIA Triad?

Back 22

(1) confidentiality - information and functions can be accessed only by properly authorized parties.

(2) integrity - information and functions can be added, altered, or removed only by authorized persons and means.

(3) availability - systems, functions, and data must be available on-demand according to any agreed-upon parameters regarding levels of service.

Front 23

What does SPOF stand for?

Back 23

Single Point of Failure

Front 24

What is a single point of failure?

Back 24

is a weakness in a system where the failure of a single component results in the failure of the entire system

Front 25

When a security mechanism fails, there are usually two possible outcomes. What are they?

Back 25

Fail open, and fail close.

Front 26

What is "Fail open"?

Back 26

The mechanism permits all activity.

Front 27

What is "Fail closed"?

Back 27

The mechanism blocks all activity.

Front 28

What is the definition of Privacy?

Back 28

The protection and proper handing of sensitive personal information.

Front 29

What are the 9 components of Security Management?

Back 29

- Executive oversight

- Governance

- Policy, guidelines, standards, and procedures

- Roles and responsibilities

- Service level agreements

- Secure outsourcing

- Data classification and protection

- Certification and accreditation

- Internal audit

Front 30

What are the 4 components of Security Executive Oversight?

Back 30

- Support and enforcement of policies

- Allocation of resources

- Prioritization of activities

- Risk treatment

Front 31

What is the definition of "governance"?

Back 31

"Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.”

– IT Governance Institute

Front 32

What are the 5 components for governance?

Back 32

(1) Steering committee oversight

(2) Resource allocation and prioritization

(3) Status reporting

(4) Strategic decisions

(5) The process and action that supports executive oversight.

Front 33

What are policies?

Back 33

Constraints of behaviour on systems and people. Defines what but not how.

Front 34

What are requirements?

Back 34

Required characteristics of a system of process.

Front 35

What are guidelines?

Back 35

Defines how to support a policy

Front 36

What are standards?

Back 36

What products, technical standards, and methods will the used to support policy.

Front 37

What are procedures?

Back 37

Step by step instructions.

Front 38

In terms of Roles and Responsibilities, what are 4 things that need to be defined?

Back 38

(1) Ownership of assets

(2) Access to assets

(3) Use of assets

(4) Managers responsible for employee behaviour

Front 39

What does SLA stand for and what does it mean?

Back 39

Service Level Agreement. SLAs define a formal level of service.

Front 40

SLAs for security activities include 4 things:

Back 40

(1) Security incident response

(2) Security alert / advisory delivery

(3) Security investigation

(4) Policy and procedure review

Front 41

What is certification?

Back 41

Certification is the process of evaluating a system against a set of formal standards, policies, or specifications.

Front 42

What is accreditation?

Back 42

Accreditation is the formal approval for the use of a certified system, for a defined period of time (and possibly other conditions).

Front 43

What are the 4 components of personnel / staffing security?

Back 43

(1) Hiring practices and procedures

(2) Periodic performance evaluation

(3) Disciplinary action policy and procedures

(4) Termination procedures

Front 44

What are 3 work practices for a more secure work environment?

Back 44

(1) Separation of duties

(2) Job rotation

(3) Mandatory vacations

Front 45

What is "separation of duties"?

Back 45

Designing sensitive processes so that two or more persons are required to complete them.

Front 46

What is "Job rotation"?

Back 46

Good for cross-training, and also reduces the likelihood that employees will collude for personal gain.

Front 47

What are "mandatory vacations"?

Back 47

Used to detect / prevent irregularities that violate policy and practices.

Front 48

An organization's security program should support it's _______________, _________________, and ______________.

Back 48

mission, objectives, and goals.

Front 49

The core principles of information security are _______________, ______________, and _____________.

Back 49

confidentiality, integrity, availability.

Front 50

________ is related to the protection and proper handing of personal information.

Back 50

Privacy.

Front 51

_________________ ________________ is the set of responsibilities and practices related to the development of strategic direction and risk management.

Back 51

Security governance.

Front 52

________ ____________ specify the required characteristics of information systems and required code of conduct of employees.

Back 52

Security policies

Front 53

______________________________ define the ownership, access, and use of assets, and the general responsibilities of managers and employees.

Back 53

Security roles and responsibilities

Front 54

What is an internal audit?

Back 54

The activity of evaluating security controls and policies to measure their effectiveness.

Front 55

And organization's hiring process should include (6) things.

Back 55

(1) the use of non-disclosure

(2) employment

(3) non-compete

(4) intellectual property

(5) acceptable use agreements

(6) background checks

Front 56

Sound work practices include _______, _______, and ________.

Back 56

Separation of duties, job rotation and mandatory vacations.