43 Cards in this Set

Benchmarking
The process of comparing your organization's security efforts against the paths taken by organizations similar to the one whose plan you are developing, in order to adopt the practices that fit.
What are the two categories of benchmarking?
Standards of due care and due diligence & Recommended practices
What are recommended practices?
Security efforts that seek to provide a superior level of performance in the protection of information (also called best practices). They balance the need for information access against the need for adequate protection while demonstrating fiscal responsibility.
What are standards of due care and due diligence?
Standards of due care are the minimum levels of security that organizations adopt to establish a legal defense. Implementing controls at this minimum level and maintaining them over time demonstrates that an organization has performed due diligence. Companies that fail to establish and maintain standards of due care and due diligence may be exposed to legal liability if it can be shown that they were negligent in applying, or failing to apply, information protection.
What is the gold standard?
A model level of performance that demonstrates industry leadership, quality, and concern for the protection of information. Implementing gold-standard security requires a heavy investment in financial and personnel resources. No published criteria for the gold standard exist, and it is a level of security that is realistically out of reach for most organizations.
Government guidelines can serve as...
excellent sources of information about the steps other organizations are required to take to control information security risks, and can inform the selection of recommended practices.
When selecting recommended practices, what criteria should you use?
Does your organization resemble the target one?
Are they in a similar industry?
Do you face similar challenges?
Is your organizational structure similar?
Can you expend resources at the level required by the recommended practice?
Is your threat environment similar to the one assumed by the recommended practice?
When choosing recommended practices, what limitations should you keep in mind?
The biggest barrier is that organizations do not talk to each other. Successful attacks are kept as secret as possible and consequently cannot be recorded, disseminated, and evaluated. Another is that no two organizations are identical: they differ in size, composition, philosophy, culture, technological infrastructure, and security budgets. A third problem is that recommended practices are a moving target; knowing what happened in the past does not necessarily tell you what to do next. Security programs must continually keep abreast of new threats, as well as the methods, techniques, policies, guidelines, education and training approaches, and technologies used to combat them.
What is baselining?
Baselining is the process of measuring against established standards. Baseline measurements of security activities and events are used to evaluate the organization's future security performance.
How do baselining and benchmarking differ from one another?
Baselining can provide the foundation for internal benchmarking: the information gathered for an organization's first risk assessment becomes the baseline against which future benchmarks are measured. Benchmarking compares against other organizations; baselining compares against the organization's own established standard.
What are the NIST documents that support baselining?
SP 800-27 Rev. A, SP 800-53 Rev. 3, and SP 800-53A are publications specifically written to support baselining activities. (These revisions have since been superseded; SP 800-53 and SP 800-53A are now at Revision 5, but the baseline-and-assess approach they describe is the same.)
What is a performance measure in the context of information security management?
Data points and computed trends that may indicate the effectiveness of security countermeasures or controls, whether technical or managerial, as implemented in the organization.
What types of measures are used for information security management programs?
1. Those that determine the effectiveness of the execution of information security policy, most commonly issue-specific.
2. Those that determine the effectiveness and/or efficiency of the delivery of information security services, whether managerial services such as security training or technical services such as the installation of antivirus software.
3. Those that assess the impact of an incident or other security event on the organization or its mission.
What are the critical questions to be kept in mind when developing a measurements program?
Why should these statistics be collected?
What specific statistics will be collected?
How will they be collected?
When will they be collected?
Who will collect them?
Where (in the function's process) will they be collected?
What factors are critical to the success of an information security performance program?
An information security measures program, as part of a security performance management program, must be able to demonstrate value to the organization, and the chief information security officer must assist in building the case for the program.
What is a performance target, and how is it used in establishing a measurement program?
A performance target is the goal that an organization sets which they progress towards over time. The performance target represents "effective security", which is hard to define. Researchers continue to grapple with the question of what effective security is.
List and describe the fields found in a properly and fully defined performance measure.
A fully defined measure has the following fields: measure ID, goal, measure type, formula, target, implementation evidence, frequency, responsible parties, data source, and reporting format.
Describe the recommended process for the development of information security measurement program implementation.
This involves six subordinate tasks:
1. Prepare for data collection.
2. Collect data and analyze results.
3. Identify corrective actions.
4. Develop the business case.
5. Obtain resources.
6. Apply corrective actions.
Why is a simple list of measurement data usually insufficient when reporting information security measures?
Because it does not adequately convey the meaning of the measures. The audience to whom the results will be disseminated, and the form in which they should be delivered, must both be considered.
What is the capability maturity model, and which organization is responsible for its development?
It is a process improvement and performance measurement framework developed by the Software Engineering Institute at Carnegie Mellon University. It is designed specifically to integrate an organization's process improvement activities across disciplines.
What is systems accreditation?
The authorization of an IT system to process, store, or transmit information. It is issued by management officials and serves as a means of assuring that systems are of adequate quality.
What is systems certification?
The comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements.
Which reference document describes the new initiative for certification and accreditation of federal IT systems?
SP 800-37 provides guidelines for the security certification and accreditation of federal information technology systems. (Later revisions of SP 800-37 reframed this process as the Risk Management Framework, replacing "certification and accreditation" with "assessment and authorization".)
What is a baseline?
A value or profile of a performance metric against which changes in the performance metric can be usefully compared.
What is competitive advantage?
Having products or services superior to those of the competition. As far as IT is concerned, avoiding a competitive disadvantage is now the more important goal: an organization risks losing market share when faltering systems make it impossible to maintain its current standard of service.
What are the four risk control strategies?
Avoidance, transference, mitigation, and acceptance.
Describe risk avoidance.
A risk control strategy that attempts to prevent the exploitation of the vulnerability. It is the preferred approach, as it seeks to avoid risk rather than deal with it after it has been realized.
Describe risk transference.
A control approach that attempts to shift the risk to other assets, processes, or organizations. This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.
Describe risk mitigation.
A control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability. This approach includes three types of plans: incident response, disaster recovery, and business continuity. Mitigation depends on the ability to detect and respond to an attack as quickly and efficiently as possible.
Describe risk acceptance.
Acceptance is the choice to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation. It may or may not be a conscious business decision.
Describe residual risk.
The remaining risk that has not been completely removed, shifted, or planned for.
What four types of controls or applications can be used to avoid risk?
It is accomplished through:
1. the application of policy
2. training and education
3. countering threats
4. the implementation of security controls and safeguards
Describe how outsourcing can be used for risk transference.
By hiring an outside organization with expertise in an area the organization is not accustomed to, an organization can transfer the risk associated with managing complex systems to the outsourcing provider, which has more experience in dealing with those risks. Note that responsibility for the outcome, and for supervising the provider, stays with the hiring organization.
What conditions must be met to ensure that risk acceptance has been used properly?
The only valid use of the acceptance strategy occurs when all of the following hold: the level of risk posed to the information asset has been determined; the probability of attack and the likelihood of successful exploitation of a vulnerability have been assessed; the annualized rate of occurrence (ARO) has been approximated; the potential loss has been estimated; controls have been evaluated; and the cost of protection has been found not to be justified.
What is risk appetite? Explain why risk appetite varies from one organization to another.
The quantity and nature of risk that an organization is willing to accept as it evaluates the trade-offs between perfect security and unlimited accessibility. It varies from one organization to another because each organization weighs the expense of controls against the possible losses from exploitation differently, according to its own resources, mission, and tolerance for loss.
What is a cost benefit analysis?
A way to determine whether a control alternative is worth its associated cost. CBA = ALE(pre-control) - ALE(post-control) - ACS, where ALE(pre-control) is the ALE of the risk before implementation of the control, ALE(post-control) is the ALE examined after the control has been in place for a period of time, and ACS is the annual cost of the safeguard. A positive CBA means the control saves more per year than it costs; a negative CBA means it does not pay for itself.
What is the difference between intrinsic value and acquired value?
Intrinsic value is the essential worth of the asset under consideration. Acquired value is the worth an asset has gained over time through the organization's investment in it, for example by enhancement or accumulated use.
What is single loss expectancy?
The calculation of the value associated with the most likely loss from an attack. It takes into account both the value of the asset and the expected percentage of loss that would occur from a particular attack. SLE = asset value * exposure factor (AV * EF), where EF is the percentage loss that would occur from a given vulnerability being exploited.
What is annual loss expectancy?
A calculation of the overall loss potential per risk. ALE = SLE * ARO, where ARO is the annual rate of occurrence, or how often you expect a specific type of attack to occur.
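The SLE, ALE, and CBA formulas above carried through for one asset and two competing controls, as an added example that is not part of the original card set. The asset value, exposure factors, rates of occurrence, and control costs are constructed for illustration and do not come from any real assessment.

```python
"""Worked SLE / ALE / CBA calculation (added example, constructed figures).

Formulas as defined on the cards above:
    SLE = AV * EF
    ALE = SLE * ARO
    CBA = ALE(pre-control) - ALE(post-control) - ACS
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    acs: float       # annual cost of the safeguard
    post_ef: float   # exposure factor expected once the control is in place
    post_aro: float  # annualized rate of occurrence once the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: value lost in one occurrence of the attack."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: expected loss per year."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def cba(ale_pre: float, ale_post: float, acs: float) -> float:
    """Cost-benefit of a control; positive means the control pays for itself."""
    return ale_pre - ale_post - acs


def evaluate(asset_value: float, ef: float, aro: float, controls: list) -> dict:
    """Return {control name: CBA} for every control alternative."""
    ale_pre = ale(sle(asset_value, ef), aro)
    return {
        c.name: cba(ale_pre, ale(sle(asset_value, c.post_ef), c.post_aro), c.acs)
        for c in controls
    }


def best_control(asset_value: float, ef: float, aro: float, controls: list):
    """Name of the control with the highest positive CBA.

    Returns None when no control has a positive CBA: in that case the
    cost of protection is not justified, which is the one situation the
    cards above describe as a valid use of risk acceptance.
    """
    results = evaluate(asset_value, ef, aro, controls)
    name, value = max(results.items(), key=lambda kv: kv[1])
    return name if value > 0.0 else None


# Constructed scenario (hypothetical figures): a customer database worth
# 500,000 that loses 40% of its value per breach, with a breach expected
# once every two years (ARO 0.5).
ASSET_VALUE = 500_000.0
EF = 0.4
ARO = 0.5
CONTROLS = [
    # Lowers how much is lost per incident, but not how often incidents occur.
    Control("database encryption and DLP", acs=30_000.0, post_ef=0.1, post_aro=0.5),
    # Halves incident frequency and cuts per-incident loss, but is expensive.
    Control("managed detection service", acs=90_000.0, post_ef=0.2, post_aro=0.25),
]


def sample_results() -> dict:
    """CBA of each constructed control for the constructed scenario."""
    return evaluate(ASSET_VALUE, EF, ARO, CONTROLS)


if __name__ == "__main__":
    print("SLE:", sle(ASSET_VALUE, EF))
    print("ALE:", ale(sle(ASSET_VALUE, EF), ARO))
    for name, value in sample_results().items():
        print(f"{name}: CBA = {value:,.0f}")
    print("recommended:", best_control(ASSET_VALUE, EF, ARO, CONTROLS))
```

In the constructed scenario the pre-control ALE is 100,000 per year. Encryption plus DLP brings the ALE down to 25,000 for an annual cost of 30,000 (CBA 45,000); the managed detection service also brings the ALE to 25,000 but costs 90,000 (CBA -15,000), so it is rejected even though it reduces risk by the same amount. If every control came out negative, `best_control` returns `None`, which is the point at which acceptance, with the conditions listed above documented, becomes the defensible choice.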
What is the difference between organization feasibility and operational feasibility?
Organizational feasibility examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of the organization. Operational feasibility refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders.
What is the difference between qualitative measurement and quantitative measurement?
A qualitative approach uses descriptive labels (such as low, medium, high) for value rather than numbers. A quantitative approach assigns numeric values, for example a dollar asset value or an ARO of 1.0 for an attack expected once a year.
What is the OCTAVE method? What does it provide to those who adopt it?
The Operationally Critical Threat, Asset, and Vulnerability Evaluation is an information security evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.
How does Microsoft define risk management? What phases are used in its approach?
Microsoft asserts that risk management is not a stand-alone subject and should be part of a general governance program to allow the organizational general management community of interest to evaluate the organization's operations and make better, more informed decisions. The four phases in their approach consist of:
1. Assessing Risk
2. Conducting decision support
3. Implementing controls
4. Measuring program effectiveness