Security and Risk Management Flashcards

Flashcards in Security and Risk Management Deck (73)
1
Q

What are the 3 security control types?

A

Administrative
Physical
Technical (aka Logical)

2
Q

What are the 6 different functionalities of security controls?

A

Preventative
Detective
Corrective
Deterrent
Recovery
Compensating

3
Q

What does this describe?

A framework made up of many entities: logical, administrative, and physical protection mechanisms; procedures; business processes; and people that all work together to provide a protection level for an environment.

A

A Security Program

4
Q

What does ISMS stand for and what is it?

A

Information Security Management System

It is all the things in a security program within the context of the ISO/IEC 27000 series.

5
Q

What is ISO/IEC 27001?

A

The standard for establishment, implementation, control, and improvement of the ISMS. The ISO/IEC 27000 series was derived from BS 7799.
(Organizations can seek an ISO/IEC 27001 certification by an accredited third party.)

6
Q

What are Enterprise architecture frameworks used for?

A

To develop architectures for specific stakeholders and present information in views that best suit the stakeholders. (e.g. Zachman Framework)

7
Q

What is Governance?

A

Determines what the organization is going to accomplish.

Ensures that stakeholder needs, conditions and options are evaluated to determine:

  • Balanced, agreed-upon enterprise objectives to be achieved
  • Setting direction through prioritization and decision making.
  • Monitoring performance and compliance against agreed-upon direction and objectives.

8
Q

What is Management’s responsibility?

A

Determines how to accomplish the objectives stated by Governance.

Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

9
Q

This framework focuses on GOALS for IT and maps stakeholder needs down to IT goals.

A

COBIT

Control Objectives for Information Technology

10
Q

A team-oriented, self-directed risk management methodology that employs workshops.

A

OCTAVE

11
Q

This is a governance model for the organization as a whole used to help prevent fraud.

A

COSO

Committee of Sponsoring Organizations

12
Q

What is ISO/IEC 27002?

A

Provides practical advice for how to implement security controls. (The “how to”)

13
Q

What framework follows the PDCA?

A

ISO/IEC 27001

PDCA = Plan, Do, Check, Act

14
Q

ISO 27005

A

A standards-based approach to RISK MANAGEMENT

15
Q

Who is ultimately responsible for Security within an organization? What do they do?

A

SENIOR MANAGEMENT (CEO, CSO, CIO)

  • Development and Support of Policies
  • Allocation of Resources
  • Decisions based on Risk
  • Prioritization of business processes.

16
Q

What is the term for the likelihood that a threat will exploit a vulnerability in an asset?

A

Risk

17
Q

What is the term for a weakness or lack of a safeguard?

A

Vulnerability

18
Q

What is the term used to describe the instance of a compromise?

A

Exploit

19
Q

What is the term for something that mitigates a risk?

A

Countermeasure

aka control or safeguard

20
Q

What is Enterprise Security Architecture?

A

A subset of enterprise architecture and a way to describe current and future security processes, systems, and sub-units to ensure strategic alignment.

(e.g. SABSA)

21
Q

What four qualities should Enterprise Security Architecture have?

A

  1. Strategic Alignment - Business drivers and regulatory and legal requirements are met.
  2. Business Enablement - Helps the business achieve its purpose.
  3. Process Enhancement - Process improvement (aka process engineering).
  4. Security Effectiveness - Meeting metrics, and proving effectiveness to management.

22
Q

What does NIST stand for? What is NIST?

A

The National Institute of Standards and Technology is a non-regulatory body of the U.S. Department of Commerce.

23
Q

What is NIST SP 800-53?

A

Special Publication 800-53 outlines controls that agencies need to put into place to be compliant with the Federal Information Security Management Act of 2002 (FISMA).

24
Q

What are the 3 NIST SP 800-53 control categories?

A

Technical
Operational
Management

25
Q

What is Six Sigma?

A

A process improvement methodology.

26
Q

What is CMMI?

A

Capability Maturity Model Integration, developed by Carnegie Mellon University for the U.S. DoD as a way to determine the maturity of an organization's processes.

27
Q

What are the four steps in the security program lifecycle?

A

  1. Plan and organize
  2. Implement
  3. Operate and Maintain
  4. Monitor and evaluate

28
Q

What does this describe?

The functional definitions for the integration of technology into business processes.

A

A security blueprint

29
Q

Describe patent

A

Grants ownership and use of INVENTIONS.

30
Q

Describe copyright

A

Protects EXPRESSION of IDEAS.

31
Q

Describe Trademark

A

Protects words, names, logos, symbols, and shapes.

32
Q

Describe Trade Secrets

A

Information proprietary to a company. Provides a competitive edge. Protected as long as the owner takes the necessary protective actions.

33
Q

What are the 4 main goals of risk analysis?

A

  1. Identify Assets and assign values to them.
  2. Identify Vulnerabilities and threats.
  3. Quantify the impact of potential threats.
  4. Provide an economic balance between the impact of the risk and the cost of the safeguards.

34
Q

What are the 4 Risk Mitigation options?

A

Transferred (e.g. Insurance)
Avoided (e.g. don’t participate)
Reduced (e.g. institute controls)
Accepted (e.g. acknowledge doing nothing)

35
Q

What is the formula for total risk?

What is the formula for residual risk?

A

Threats X vulnerability X asset value = Total Risk
Threats X vulnerability X asset value X control gaps = Residual Risk

(The goal is to get residual risk to the level that is acceptable by management.)

36
Q

What is SLE and ARO and how is it used to calculate ALE?

A

Single Loss Expectancy and Annual Rate of Occurrence

SLE x ARO = ALE (Annual Loss Expectancy)

37
Q

What is a Security Policy and what are the 3 types?

A

An overall general statement produced by senior management that dictates what role security plays within an organization.

  1. Organizational
  2. Issue-specific
  3. System-specific

Example: Confidential data should be properly protected.

(STRATEGIC. Policies should be technology and solution independent. More granularity is provided with procedures, standards, guidelines, and baselines to provide a framework. The necessary security controls are used to fill in the framework.)

38
Q

What type of Security Policy does this describe? Management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.
A) Organizational
B) Issue-specific
C) System-specific

A

A) Organizational

39
Q

What are the following policies examples of?

Acceptable Use Policy
Access Control Policy
Email Policy
Physical Security Policy

A

Issue-Specific Security Policy

40
Q

What term refers to mandatory activities, actions, or rules that can give a policy its support and reinforce direction?

A

Standards
example: All confidential information must be encrypted with AES 256 and cannot be transmitted unless IPSEC is used.

TACTICAL

41
Q

What is a documented recommended action that can be provided to users and staff when a specific standard does not apply?

A

Guideline

example: how to handle cases when data is accidentally corrupted or compromised during transmission.

TACTICAL

42
Q

What are detailed step-by-step tasks that should be performed to achieve a certain goal?

A

Procedures

example: Procedure spells out exactly how to implement AES and IPSEC technologies for encryption called out in a standard.

TACTICAL

43
Q

What is secondary risk?

A

A risk event that comes as a result of another risk response.

Example: Software should be regularly patched. However, patching can itself introduce instability.

44
Q

What are the four main components of Risk Management?

A

  1. Risk Assessment: Identify Assets, Threats, Vulnerabilities
  2. Risk Analysis: Value of Potential Risks
  3. Risk Mitigation: Responding to Risk
  4. Risk Monitoring: Risk is FOREVER!

45
Q

What is Risk Assessment and what methodologies are used?

A

  • Identify and Value Assets
  • Identify Threats and Vulnerabilities

Methodologies:
ISO/IEC 27005 and OCTAVE (organization-wide)
NIST 800-30 (IT security risk focus)
FRAP (limited budget, focus assessment on individual system or process)
FMEA and Fault-tree Analysis (detailed look into a specific system or product)

46
Q

This Risk Assessment methodology employs a qualitative analysis to determine whether or not to proceed with a quantitative analysis.

A

FRAP

Facilitated Risk Analysis Process

47
Q

Name 4 commonly accepted Risk Management Frameworks.

A

  1. NIST RMF SP 800-37r1
  2. ISO 31000:2009
  3. ISACA Risk IT
  4. COSO Enterprise Risk Management

48
Q

What are the 2 types of valuation approaches in Risk Analysis?

A

Qualitative and Quantitative

49
Q

What is the Delphi Technique?

A

Often used in qualitative analysis, the Delphi technique is a group decision method where each member can communicate anonymously.

50
Q

What do the following Quantitative Analysis acronyms stand for?

AV
EF
SLE
ARO
ALE
TCO
ROI

A

AV = Asset Value
EF = Exposure Factor (the percentage of loss that is expected to result from the manifestation of a particular risk event)
SLE = Single Loss Expectancy
ARO = Annual Rate of Occurrence
ALE = Annual Loss Expectancy
TCO = Total Cost of Ownership
ROI = Return on Investment

51
Q

How do you calculate SLE?

A

SLE = AV x EF

Asset Value and Exposure Factor

52
Q

What do HIPAA and HITECH stand for and who do they apply to?

A

Health Insurance Portability and Accountability Act

Health Information Technology for Economic and Clinical Health

Applies to health insurers, health providers, and health care clearinghouses (claims processing agencies).

(As of 2009, covered entities must disclose security breaches regarding personal information.

BAAs for third party providers

Creates civil and criminal penalties.)

53
Q

What does GLBA stand for and what industry does it regulate?

A

Gramm-Leach-Bliley Act

Financial industry. Privacy notices

54
Q

What is Business Continuity Management (BCM)?

A

BCM is the holistic management process that covers Business Continuity Planning and Disaster Recovery.

55
Q

What are BCP categories of disruptions?

A

  1. Non-disaster - Inconvenience.
  2. Emergency/Crisis - Urgent, immediate event where there is a potential for loss of life or property.
  3. Disaster - Facility is unusable for a day or longer.
  4. Catastrophe - Destroys facility.

ANYONE CAN DECLARE AN EMERGENCY. ONLY THE BCP COORDINATOR CAN DECLARE A DISASTER.

56
Q

What are the 7 steps in NIST SP 800-34?

A

“Continuity Planning Guide for Federal Information Systems”

  1. Develop the continuity planning policy statement.
  2. Conduct the business impact analysis.
  3. Identify preventative controls.
  4. Create contingency strategies.
  5. Develop an information system contingency plan.
  6. Ensure plan testing, training, and exercise.
  7. Ensure plan maintenance.

57
Q

What are the three types of BCP teams?

A

Rescue Team: Responsible for dealing with the immediacy of the disaster.
Recovery Team: Responsible for getting the alternate facility up and running and restoring most critical services.
Salvage Team: Responsible for the return of operations to the original or permanent facility (reconstitution).

58
Q

What is the DRP and how does it differ from BCP?

A

IT-oriented. Details what items need to be restored and how.

59
Q

What type of BCP test requires distribution of plan copies to different departments for functional manager review?

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

A

Checklist Test

60
Q

What type of BCP test requires representatives from each department to go over the plan in a room together?

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

A

Structured Walk-Through (Table Top) Test

61
Q

What type of BCP test requires going through actual disaster scenarios and physically checking that the steps can be done? The drill continues up to the point of actual relocation to an offsite facility and actual shipment of replacement equipment.

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

A

Simulation Test

62
Q

What type of BCP test requires systems moved to the alternate site and processing take place there?

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

A

Parallel Test

63
Q

What type of BCP test requires original site shut down and all processing moved to the offsite facility?

A. Full-Interruption test
B. Simulation Test
C. Structured Walk-Through (Table Top) Test
D. Parallel Test
E. Checklist Test

A

Full-Interruption test

Very risky.

64
Q

What is the difference between BCP testing, BCP drills, and BCP auditing?

A

Testing - Happens before plan implementation. The goal is to ensure effectiveness of the plan.
Drills - Main goal is to train employees. Employees walk through steps.
Auditing - 3rd party observer ensures that components of the plan are being carried out and are effective.

65
Q

What are the 3 phases of a BCP following a disruption?

A

  1. Notification/Activation (includes performing a damage assessment)
  2. Recovery Phase - Failover
  3. Reconstitution - Failback

66
Q

What does MTD stand for?

A

Maximum tolerable downtime.

Also MPTD (Maximum period of disruption)

67
Q

Which of the following are two security metric and measurement systems? (You can choose more than one.)

A. ISO/IEC 22301
B. ISO/IEC 27031:2011
C. ISO/IEC 27004:2009
D. NIST SP 800-55
E. NIST SP 800-53
F. ISO 27001

A

C. ISO/IEC 27004:2009

D. NIST SP 800-55

68
Q

What are the 8 BIA steps?

A

  1. Select individuals to interview for data gathering.
  2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
  3. Identify the company's critical BUSINESS FUNCTIONS.
  4. Identify the resources these FUNCTIONS depend upon.
  5. Calculate how long these functions can survive without these resources. (MTD or MPTD)
  6. Identify vulnerabilities and threats to these functions.
  7. Calculate risk for each different business function.
  8. Document findings and report them to management.

(Results are used for recovery plans).

69
Q

What is an SLO?

A

Service Level Objective

Like an SLA but no contract. Goals usually made internally driven by business requirements.

70
Q

What does MOA/MOU stand for?

A

Memorandums of Agreement/Understanding.

71
Q

What does IAAA stand for?

A

Identification
Authorization
Authentication
Audit

72
Q

This risk assessment method determines functions, identifies functional failures, and assesses the causes of failure and their failure effects through a structured approach.

A. FRAP
B. OCTAVE
C. ISO/IEC 27005
D. FMEA
E. NIST 800-30

A

FMEA and Fault-tree Analysis (detailed look into a specific system or product)

73
Q

Which of the following is a standard for business continuity management?

A. ISO/IEC 27004:2009
B. ISO/IEC 22301
C. NIST SP 800-55
D. NIST SP 800-53
E. ISO 27001

A

ISO/IEC 22301