44 Cards in this Set

  • Front
  • Back
NIST Publication 800-14
NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems", recommends seven steps for a security awareness and training program. These seven steps fall into three broad areas: identification, management, and evaluation.
In the identification phase, an organization establishes the scope, goals and objectives, identifies the training staff, and identifies the audience.
In managing the program, an organization motivates management and employees, and administers and maintains the program.
Periodically, the organization evaluates the program for its effectiveness.
Which of these is a standard rather than a policy?

A. Data Classification
B. Access Control
C. Privacy
D. Ethernet
D. Ethernet
Best practices include:

A. ISO 25999
B. "Taking candy from a baby"
C. ISO 27002
D. Understanding that ethics are situational
C. ISO 27002
Which of the following is correct?

A. ALE = ARO x EF
B. ARO = EF x SLE
C. ALE = SLE x ARO
D. SRO = ALE x SLE
C. ALE = SLE x ARO
IT systems are normally operated by:

A. Auditors
B. Custodians
C. CISSPs
D. Management
B. Custodians
From a security perspective, mandatory vacations:

A. Make it easier to detect fraud
B. Keep employees fresh
C. Make it easier to find out who can be replaced
D. Comply with the least privilege principle
A. Make it easier to detect fraud
Security awareness:

A. Is the same as professional education
B. Includes background checks and verifying education
C. Makes it easier to find out who is a security risk
D. Begins the first day of employment
D. Begins the first day of employment
Which one of the following is a primary step in Qualitative risk analysis?

A. Develop scenarios
B. Conduct a threat analysis
C. Determine annual loss expectancy
D. Estimate potential losses
A. Develop scenarios
Guidelines are:

A. Recommendations
B. The same as standards
C. Mandatory
D. Part of High-Level Policy statements
A. Recommendations
It is possible to:

A. Totally eliminate risk
B. Do a totally Qualitative risk assessment
C. Do a totally Quantitative risk assessment
D. Have ARO equal a negative number when doing a qualitative risk assessment
B. Do a totally Qualitative risk assessment
When establishing the value of information, the least important factor is?

A. Trade Secrets
B. Operational impact
C. Value of the information to others
D. Quantity of information
D. Quantity of information
Which of the following is the FIRST (ISC)2 canon?

A. Advance and protect the profession
B. Protect society, the commonwealth, and the infrastructure
C. Provide competent service to principals
D. Act honorably, honestly, justly, responsibly, and legally
B. Protect society, the commonwealth, and the infrastructure
Risk management principles include all the following except:

A. Avoidance
B. Ignorance
C. Acceptance
D. Mitigation
B. Ignorance
Assurance mechanisms provide us with:

A. Confidence in the appropriateness of controls
B. The SLE during risk assessment
C. A measure of the likelihood of security breaches
D. The standards to be followed to be compliant with policy
A. Confidence in the appropriateness of controls
When selecting countermeasures...

A. We should always select the most expensive countermeasures because they provide better security
B. Cost must exceed or equal the benefit obtained
C. Cost of the countermeasure should be less than the value of the asset
D. Technical countermeasures are better than operational ones
C. Cost of the countermeasure should be less than the value of the asset
Which is least likely to be the basis for personal ethics?

A. Mandated actions
B. Law/justice/sense of fairness
C. Religious beliefs
D. Professional code of ethics
A. Mandated actions
The right amount of security is

A. The more secure the better
B. Based on the analysis of the users
C. Determined by the level of acceptable risk
D. As long as threats exist, we cannot have the right amount of security
C. Determined by the level of acceptable risk
Information classification is the responsibility of the:

A. Executive management
B. Information owner
C. Data custodians
D. IT system owner
B. Information owner
IT Governance is made up of which of these components:

I. Roles and responsibilities
II. Security planning
III. Security administration
IV. Risk assessment

A. I, II, III
B. I, II, IV
C. I, III, IV
D. II, III, IV
A. I, II, III
I. Roles and responsibilities
II. Security planning
III. Security administration
Which of the following is the definition of risk acceptance?

A. Not mitigating the risk and absorbing the cost when and if an exposure occurs
B. Pass risk to another party
C. Decision to discontinue the activity due to the identified risk
D. Provide countermeasures to reduce the risk and strengthen the security posture
A. Not mitigating the risk and absorbing the cost when and if an exposure occurs
Qualitative risk assessments are scenario-based and are measured by:

A. Percentages
B. Calculation of ARO
C. High/Med/Low
D. Dollar values
C. High/Med/Low
Which control framework has 34 IT processes?

A. COSO
B. COBIT
C. ITIL
D. OCTAVE
B. COBIT
What is the difference between a standard and a guideline?

A. Standards are compulsory; guidelines are mandatory
B. Standards are recommendations; guidelines are requirements
C. Standards are requirements; guidelines are optional
D. Standards are recommendations; guidelines are optional
C. Standards are requirements; guidelines are optional
Which phase of OCTAVE identifies vulnerabilities and evaluates safeguards?

A. Phase 1
B. Phase 2
C. Phase 3
D. Phase 4
B. Phase 2
What was ISO 17799 renamed as?

A. BS 7799-1
B. ISO 27000
C. ISO 27001
D. ISO 27002
D. ISO 27002
Which of the following describes a duty of the Data Owner?

A. Patch systems
B. Report suspicious activity
C. Ensure that files are backed up
D. Ensure that data has proper security labels
D. Ensure that data has proper security labels
Formulas

Risk =
Threat x Vulnerability

Note: To have risk, a threat must connect to a vulnerability
Formulas

Annualized Loss Expectancy (ALE) =
= Single Loss Expectancy x Annual Rate of Occurrence

= SLE x ARO

*Cost of losses per year

Note: Once calculated, allows you to make informed decisions to mitigate the risk
Formulas

Single Loss Expectancy
(SLE) =
= Asset Value x Exposure Factor

= AV x EF

*Cost of one loss
Formulas

Annual Rate of Occurrence
(ARO) =
Number of losses per year
Total Cost of Ownership
(TCO)
The total cost of a mitigating safeguard. Combines upfront costs and the annual cost of operational expenses (maintenance, staff hours, software subscriptions, etc.)
Return on Investment
(ROI)
The amount of money saved by implementing a safeguard.

*If your annual TCO is less than your ALE, you have a positive ROI.

*If your TCO is higher than your ALE, you have made a poor choice.
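The four formula cards above (Risk, SLE, ALE, ARO) and the TCO/ROI card are easiest to check by carrying one scenario through all of them. The block below is an added worked example, not part of the original card set: it computes SLE and ALE for an asset, then re-computes ALE after a candidate safeguard and compares the annual saving against the safeguard's annualized TCO. All numbers (a $200,000 file server, a 25% exposure factor, one incident every two years, and the two candidate safeguards) are constructed for illustration; the function names are this example's own.

```python
"""Quantitative risk formulas carried through one constructed scenario.

Formulas from the card set:
    SLE = AV x EF          (cost of one loss)
    ALE = SLE x ARO        (cost of losses per year)
    TCO = upfront cost + annual operating expenses
    ROI = money saved by the safeguard, judged against its TCO
"""


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. ARO is the number of losses per year (never negative)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def annual_total_cost_of_ownership(upfront, annual_opex, lifetime_years):
    """Annualized TCO: upfront cost spread over the safeguard's lifetime plus yearly opex."""
    if lifetime_years <= 0:
        raise ValueError("lifetime must be at least one year")
    return upfront / lifetime_years + annual_opex


def safeguard_net_value(ale_before, ale_after, annual_tco):
    """Money saved per year (ALE reduction) minus what the safeguard costs per year."""
    return (ale_before - ale_after) - annual_tco


def evaluate_safeguard(asset_value, exposure_factor, aro, safeguard):
    """Compare ALE before and after a safeguard and decide whether it pays for itself.

    `safeguard` is a constructed dict: upfront, annual_opex, lifetime_years, and the
    residual exposure factor / ARO that remain once the safeguard is in place.
    """
    sle_before = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(sle_before, aro)
    sle_after = single_loss_expectancy(asset_value, safeguard["residual_ef"])
    ale_after = annualized_loss_expectancy(sle_after, safeguard["residual_aro"])
    tco = annual_total_cost_of_ownership(
        safeguard["upfront"], safeguard["annual_opex"], safeguard["lifetime_years"]
    )
    net = safeguard_net_value(ale_before, ale_after, tco)
    return {
        "sle_before": sle_before,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_tco": tco,
        "annual_savings": ale_before - ale_after,
        "net_annual_value": net,
        # The card's rule of thumb: TCO above the ALE it addresses is a poor choice.
        "tco_exceeds_ale": tco > ale_before,
        "worthwhile": net > 0,
    }


# Constructed scenario: a file server (AV $200,000) hit by ransomware that
# destroys 25% of its value (EF 0.25), expected once every two years (ARO 0.5).
ASSET_VALUE = 200_000
EXPOSURE_FACTOR = 0.25
ARO = 0.5

# Two hypothetical safeguards; both cut EF to 5% (backups restore most data).
BACKUP_AND_EDR = {
    "upfront": 30_000, "annual_opex": 6_000, "lifetime_years": 3,
    "residual_ef": 0.05, "residual_aro": 0.5,
}
GOLD_PLATED_SUITE = {
    "upfront": 120_000, "annual_opex": 20_000, "lifetime_years": 3,
    "residual_ef": 0.05, "residual_aro": 0.5,
}

if __name__ == "__main__":
    for name, sg in (("backup+EDR", BACKUP_AND_EDR), ("gold-plated", GOLD_PLATED_SUITE)):
        result = evaluate_safeguard(ASSET_VALUE, EXPOSURE_FACTOR, ARO, sg)
        print(f"{name}: ALE {result['ale_before']:,.0f} -> {result['ale_after']:,.0f}, "
              f"TCO {result['annual_tco']:,.0f}/yr, net {result['net_annual_value']:,.0f}/yr, "
              f"worthwhile={result['worthwhile']}")
```

In the constructed scenario the SLE is $50,000 and the ALE $25,000. The first safeguard costs $16,000 a year and cuts the ALE to $5,000, so it saves $20,000 and nets $4,000 a year; the second saves the same $20,000 but costs $60,000 a year, which is both more than the saving and more than the original ALE, matching the card's "poor choice" rule. Note the two different residual inputs: a safeguard may lower how much a loss costs (EF), how often it happens (ARO), or both, and the comparison only works if you re-derive ALE from the residual values rather than guessing a percentage reduction.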
Risk Options
Accept
Mitigate
Transfer
Avoid
Policy
High-level management directives; mandatory.

3 Types:
Program
Issue-specific
System-specific

Contains the basic components of:
Purpose
Scope
Responsibilities
Compliance
Procedure
A step-by-step guide for accomplishing a task. Procedures are low-level, specific and mandatory.
Standards
Describe the specific use of technology; often applied to hardware and software. They are mandatory. Standards also lower the TCO of a safeguard and support disaster recovery.
Guidelines
Recommendations (discretionary) and can include a useful piece of advice such as suggestions for creating a strong password
Baselines
Uniform ways of implementing a safeguard and are discretionary.
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation: a risk management framework from Carnegie Mellon University (free resource).
It describes a 3-phase process for managing risk:
Phase 1 identifies staff knowledge, assets and threats
Phase 2 identifies vulnerabilities and evaluates safeguards
Phase 3 conducts the Risk Analysis and develops the risk mitigation plan
COBIT
Control Objectives for Information and Related Technology
- a control framework for applying information security governance best practices within an organization.
- has 34 IT processes; developed by ISACA
Its purpose is to provide management and business process owners with an IT governance model that helps deliver value from IT and understand and manage the risks associated with IT. It helps bridge the gaps among business requirements, control needs, and technical issues. It is a control model that meets the needs of IT governance and ensures the integrity of information and information systems.
ITIL
Information Technology Infrastructure Library
- a framework for providing best services in IT Service Management (ITSM).
Contains 5 "Service Management Practices-Core Guidance" publications:
Service strategy - helps IT provide services
Service Design - details infrastructure & architecture
Service transition - making new projects operational
Service Operation - IT operation controls
Continual Service Improvement - improving existing IT services
Certification
- a detailed inspection that verifies whether a system meets its documented security requirements

NIST - a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
Accreditation
the Data Owner's acceptance of the risk represented by the system

NIST - the official mgmt. decision given by a senior agency official to authorize operation of an IS and to explicitly accept the risk to agency operations, agency assets, or individuals based on implementation of an agreed-upon set of security controls
NIST SP 800-37
4-step Certification and Accreditation process

Initiation Phase
Security Certification Phase
Security Accreditation Phase
Continuous Monitoring Phase