Term
What are the three types of security controls?

Definition
Administrative Controls, Logical (or Technical) Controls, and Physical Controls


Term
What are some examples of Administrative Controls?

Definition
Publishing policies, standards, procedures, and guidelines; personnel screening; risk management; change control; and security awareness training


Term
What are some examples of Technical (or Logical) Controls?

Definition
These are SOFTWARE controls: infrastructure configuration, access control mechanisms, network security devices, identification and authentication methods, and password and resource management


Term
What are some examples of Physical Controls?

Definition
Fences, locking down hardware (e.g. no floppy drives), controlling access to buildings and rooms, monitoring for intrusions, and environmental controls.

Term
The Planning Horizon defines what three types of goals, and what are their scopes?

Definition
Operational Goals = daily tasks
Tactical Goals = mid-term
Strategic Goals = long-term


Term

Definition
A framework of goals and a set of best practices. It defines WHAT is to be achieved.


Term
What are the four domains of CobiT?

Definition
Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate


Term
Who developed CobiT and from what?

Definition
ISACA and the ITGI, derived from COSO.


Term
What is the most common set of security standards called, and what was it derived from?

Definition
ISO 17799, derived from BS 7799-1, which became ISO/IEC 27002 (BS 7799-2 became ISO/IEC 27001).

Term
What security standards deal with controls?

Definition
BS 7799-1 and ISO/IEC 27002


Term
What security standards deal with how to develop a security program?

Definition
BS 7799-2 and ISO/IEC 27001


Term
What standard protects personal health information?

Definition


Term
What NIST standard establishes risk assessment procedures?

Definition


Term
What NIST standard establishes HIPAA (health care) assessment standards?

Definition


Term
What risk assessment methodology was created by Carnegie Mellon University's Software Engineering Institute, and what does it intend?

Definition
OCTAVE; it holds that people within the company are better suited to identify, manage, and direct their own security measures.

Term
What does FRAP stand for and what is it used for?

Definition
Facilitated Risk Analysis Process; it is a risk assessment methodology.


Term
Who publishes FIPS, what does it stand for, and who has to approve them?

Definition
Federal Information Processing Standards, published by NIST (National Institute of Standards and Technology) and approved by the Secretary of Commerce.


Term
What is SLE and what is the formula to find it?

Definition
Single Loss Expectancy; SLE = AV (Asset Value) x EF (Exposure Factor)


Term
What is ALE and what is the formula to find it?

Definition
Annual Loss Expectancy; ALE = SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence)


Term
What is the formula to calculate Total Risk and Residual Risk?

Definition
Total Risk = Threats x Vulnerability x Asset Value
Residual Risk = (Threats x Vulnerability x Asset Value) x Control Gaps


Term

Definition
It is an anonymous group decision method used for Qualitative Risk Analysis.

Term
What are the 3 types of security policies?

Definition
Regulatory, Advisory, and Informative


Term
What is a Regulatory Security Policy?

Definition
Industry-specific policies that ensure an organization is following specific industry standards (e.g. HIPAA).


Term
What is an Advisory Security Policy?

Definition
Tells employees what is acceptable and unacceptable behavior, and the ramifications.


Term
What is an Informative Security Policy?

Definition
It teaches and informs individuals about specific issues relevant to the company.


Term
What is baseline security?

Definition
The minimum level of security required.


Term
What does Due Diligence mean?

Definition
Simple answer - Do Detect


Term

Definition
Simple answer - Do Correct


Term
What are some industry tools to stop collusion?

Definition
Separation of duties (split knowledge and dual control), rotation of duties, and mandatory vacation

Term
What are the 4 military classification levels? Give a definition of each.

Definition
Unclassified - no damage if published (e.g. a manual)
SBU (Sensitive But Unclassified) - no major damage if published (e.g. medical data)
Secret - serious damage to national security
Top Secret - grave damage to national security


Term
What are the 4 civilian classification levels? Explain them.

Definition
Public - disclosure not welcome
Sensitive - requires special precautions
Private - medical information
Confidential - trade secrets, source code


Term
In the world of security, who is ultimately responsible?

Definition


Term
In regard to a security program, what is better - top-down or bottom-up, and why?

Definition
Top-down, because it has management buy-in.


Term
What is another term for data owner?

Definition


Term
Who is responsible for assigning classifications to information and dictating how it should be protected?

Definition
The information owner (data owner).


Term

Definition
The absence or weakness of a safeguard that could be exploited.


Term

Definition
Any potential danger to information or systems.


Term

Definition
The likelihood of a threat taking advantage of a vulnerability.


Term

Definition
An instance of being exposed to losses from a threat agent (an incident).

Term
Define a Countermeasure or Safeguard.

Definition
Things put in place to mitigate a potential risk.


Term
What is the full-circle relationship of security components?

Definition
A threat exploits a vulnerability, which leads to a risk, which can damage an asset and cause an exposure, which can be mitigated by a safeguard/countermeasure, which directly affects a threat agent, who gives rise to a threat...


Term
What does CobiT define and what does ITIL provide?

Definition
CobiT defines IT goals; ITIL provides the steps to achieve them.


Term
What is security governance?

Definition
All of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organization's specific needs.


Term
What are security blueprints?

Definition
Important tools to identify, develop, and design security requirements for specific business needs.


Term
What is Information Risk Management?

Definition
The PROCESS of identifying and assessing risk, reducing it to an acceptable level, and implementing mechanisms to maintain that level.


Term
What is the overall goal of the Risk Management Team?

Definition
To ensure the company is protected in the most cost-effective manner.

Term
What is the most important goal of the Risk Management Team with respect to the IRM policy?

Definition
That senior management has established a risk acceptance level.


Term
What are the four goals of Risk Analysis?

Definition
1. Identify assets and their value
2. Identify vulnerabilities and threats
3. Quantify the probability and business impact of the threats
4. Provide an economic balance between the impact of the threat and the cost of the countermeasures


Term
What questions must a risk analysis team ask?

Definition
What event could occur (threat event)?
What is the impact (risk)?
How often could it happen (frequency)?
What level of confidence do we have in the first 3 answers (certainty)?


Term
What is FMEA and what does it do?

Definition
Failure Modes and Effects Analysis - tells you how much can go wrong.


Term
What does a fault tree apply to?

Definition


Term
What is the difference between Quantitative and Qualitative Risk Analysis?

Definition
Quantitative - deals with dollar values
Qualitative - deals with abstract values (e.g. a 1-10 scale)


Term
Once a risk is discovered, what are the 4 options for dealing with it?

Definition
Reduce, transfer, accept, avoid

Term
What are SLE, ALE, EF, and ARO?

Definition
Single Loss Expectancy, Annual Loss Expectancy, Exposure Factor (the percentage of an asset that would be lost to a threat), and Annual Rate of Occurrence.


Term
What are other names for Qualitative Risk Analysis?

Definition
Scenario-based, Subjective, Best-Effort, Intuitive.


Term
What is the formula for Cost/Benefit Analysis?

Definition
(ALE before safeguard) - (ALE after safeguard) - (Annual cost of safeguard) = value of safeguard


Term
What is the first step in developing a security program?

Definition


Term
What is the difference between a security policy and an organizational security policy?

Definition
SP - a high-level document that is broad in nature.
OSP - states how a program will be set up, along with its goals, roles, responsibilities, and enforcement.


Term
What are safe harbor requirements?

Definition
Rules for exchanging private information between the US and Europe.


Term
What is the OECD and what is it used for?

Definition
The Organization for Economic Co-operation and Development guidelines. Used to protect transborder information flows.


Term
What is the difference between a data owner and a data custodian?

Definition
Owner - responsible for the protection and use of information.
Custodian - responsible for maintaining and protecting data.
