Personnel Security and Risk Management Concepts


What are the three ways security controls, countermeasures, and safeguards can be implemented?

1. Administratively 2. Logically / Technically 3. Physically

What are 3 techniques you can use to perform a qualitative risk analysis?

1. Brainstorming 2. Delphi technique 3. Storyboarding 4. Focus groups 5. Surveys 6. Questionnaires 7. Checklists 8. One-on-one meetings 9. Interviews

What are the RMF steps?

1. Categorize 2. Select 3. Implement 4. Assess 5. Authorize 6. Monitor

What factors are involved with calculating the value of a countermeasure?

1. Cost of purchase, development, and licensing
2. Cost of implementation and customization
3. Cost of annual operation, maintenance, administration, and so on
4. Cost of annual repairs and upgrades
5. Productivity improvement or loss
6. Changes to environment
7. Cost of testing and evaluation

What are the Six types of Access Control?

1. Deterrent 2. Preventive 3. Detective 4. Compensation 5. Corrective 6. Recovery

What five things are essential elements in proving that a candidate is adequate, qualified, and trustworthy for a secured position?

1. Employment candidate screening 2. Background checks 3. Reference checks 4. Education verification 5. Security clearance validation

What are the six major steps in quantitative risk analysis?

1. Inventory assets and assign an asset value (AV).
2. Research each asset, and produce a list of all possible threats to each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year, that is, the annualized rate of occurrence (ARO).
4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.

Job rotation serves what two functions?

1. Provides a type of knowledge redundancy 2. Moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information

What are some of the issues that contribute to the valuation of assets?

1. Purchase cost
2. Development cost
3. Administrative or management cost
4. Maintenance or upkeep cost
5. Cost in acquiring asset
6. Cost to protect or sustain asset
7. Value to owners and users
8. Value to competitors; intellectual property or equity value
9. Market valuation (sustainable price)
10. Replacement cost
11. Productivity enhancement or degradation
12. Operational costs of asset presence and loss
13. Liability of asset loss
14. Usefulness

What are the four possible responses to risk?

1. Reduce or mitigate 2. Assign or transfer 3. Accept 4. Reject or ignore

What are the three forms of governance and their overall goal?

1. Security governance 2. Corporate governance 3. IT governance
Goal: To maintain business processes while striving toward growth and resiliency

What issues are commonly addressed in SLAs (service level agreements)?

1. System uptime 2. Maximum consecutive downtime 3. Peak load 4. Average load 5. Responsibility for diagnostics 6. Failover time

List 4 factors you should consider when assessing the value of a security control.

1. The cost of the countermeasure should be less than the value of the asset.
2. The cost of the countermeasure should be less than the benefit of the countermeasure.
3. The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived benefit from an attack.
4. The countermeasure should provide a solution to a real and identified problem.
5. The benefit of the countermeasure should not be dependent on its secrecy.
6. The benefit of the countermeasure should be testable and verifiable.
7. The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on.
8. The countermeasure should have few or no dependencies to reduce cascade failures.
9. The countermeasure should require minimal human intervention after initial deployment and configuration.
10. The countermeasure should be tamper-proof.
11. The countermeasure should have overrides accessible to privileged operators only.
12. The countermeasure should provide fail-safe and/or fail-secure options.

What controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization?

1. Vendor 2. Consultant 3. Contractor

List 10 potential threats to IT.

1. Viruses
2. Cascade errors and dependency faults
3. Criminal activities by authorized users
4. Movement (vibrations, jarring, etc.)
5. Intentional attacks
6. Reorganization
7. Authorized user illness or epidemics
8. Malicious hackers
9. Disgruntled employees
10. User errors
11. Natural disasters
12. Physical damage
13. Misuse of data, resources, or services
14. Changes or compromises to data classification or security policies
15. Government, political, or military intrusion or restrictions
16. Processing errors, buffer overflows
17. Personnel privilege abuse
18. Temperature extremes
19. Energy anomalies
20. Loss of data
21. Information warfare
22. Bankruptcy or alteration/interruption of business activity
23. Coding/programming errors
24. Intruders (physical and logical)
25. Environmental factors
26. Equipment failure
27. Physical theft
28. Social engineering

What is the formula used to determine ALE?

ALE = SLE * ARO, or ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)

What is the formula you would use to determine whether the safeguard is financially equitable?

ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company

________ controls are the policies and procedures defined by an organization's security policy and other regulations or requirements.

Administrative access

______ is a dollar value assigned to an asset based on actual cost and nonmonetary expenses.

Asset valuation

_________is the act of conforming to or adhering to rules, policies, regulations, standards, or requirements.

Compliance

The ______ is simply an anonymous feedback-and-response process used to enable a group to reach a consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants.

Delphi technique

____________ is the process of reading the exchanged materials and verifying them against standards and expectations.

Documentation review

_________ is being susceptible to asset loss because of a threat;

Exposure

True / False Denying that a risk exists and hoping that it will never be realized are valid or prudent due-care responses to risk.

False Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.

True / False Security doesn't need to be cost effective.

False Security needs to be cost effective.

True / False Without proper asset valuations, it is possible to prioritize and compare risks with possible losses.

False Without proper asset valuations, it is not possible to prioritize and compare risks with possible losses.

True / False The personal files of users are considered assets of the organization and thus are considered in a risk analysis.

False The personal files of users are not usually considered assets of the organization and thus are not considered in a risk analysis.

Regardless of the specifics of a security solution, _______ are the weakest element.

Humans

_______ are the specific work tasks an employee is required to perform on a regular basis.

Job responsibilities

________ means that the various aspects of the security mechanisms function, provide a clear benefit, and have one or more metrics that can be recorded and analyzed.

Measurable security

The primary purpose of an exit interview is to review _______ and other liabilities and restrictions placed on the former employee based on the employment agreement and any other security-related documentation.

NDA (Non-Disclosure Agreement)

An ______ is used to protect the confidential information within an organization from being disclosed by a former employee.

NDA (Nondisclosure Agreement)

________ controls are items you can physically touch.

Physical access

________ assigns subjective and intangible values to the loss of an asset.

Qualitative risk analysis

________ assigns real dollar figures to the loss of an asset.

Quantitative risk analysis

___________ controls are an extension of corrective controls but have more advanced or complex abilities.

Recovery

_______ is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.

Risk

_________ is performed to provide upper management with the details necessary to decide which risks should be mitigated, which should be transferred, and which should be accepted.

Risk analysis

___________ is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.

Risk management

_______ is the ability of an organization to absorb the losses associated with realized risks.

Risk tolerance

What is the formula used to calculate the SLE?

SLE = AV * EF, or single loss expectancy (SLE) = asset value (AV) * exposure factor (EF)

_____________ is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators.

Separation of duties

_________ involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems.

Technical or logical access

___________ is the application of security oversight on third parties that your organization relies on.

Third-party governance

What is the primary goal of risk management?

To reduce risk to an acceptable level.

What is the goal of asset valuation?

To assign an asset a specific dollar value that encompasses tangible costs as well as intangible costs.

__________ is teaching employees to perform their work tasks and to comply with the security policy.

Training

True / False Assigning risk or transferring risk is the placement of the cost of loss a risk represents onto another entity or organization.

True

True / False Because security changes over time, reassessing on a periodic basis is essential to maintaining reasonable security.

True

True / False Benefits can only be accurately measured if the starting point (that is, the normal point or initial risk level) is known.

True

True / False For each specific risk, you must evaluate one or more safeguards, or countermeasures, on a cost/benefit basis.

True

True / False If a continuous improvement path is not provided by a selected countermeasure, then it should be replaced with one that offers scalable improvements to security.

True

True / False If a security control's benefits cannot be quantified, evaluated, or compared, then it does not actually provide any security.

True

True / False In many situations, especially related to government or military agencies or contractors, failing to provide sufficient documentation to meet requirements of third-party governance can result in a loss of or a voiding of authorization to operate (ATO).

True

True / False In most cases, accepting risk requires a clearly written statement that indicates why a safeguard was not implemented, who is responsible for the decision, and who will be responsible for the loss if the risk is realized, usually in the form of a sign-off letter.

True

True / False In most cases, especially when privacy is being violated or restricted, the individuals and companies must be informed; otherwise, you may face legal ramifications. Privacy issues must also be addressed when allowing or restricting personal use of email, retaining email, recording phone conversations, and gathering information about surfing or spending habits.

True

True / False Quantitative analysis can be thought of as the act of assigning a quantity to risk; in other words, placing a dollar figure on each asset and threat.

True

True / False To manage the security function, an organization must implement proper and sufficient security governance.

True

True / False When a countermeasure or safeguard is implemented, security metrics should show a reduction in unwanted occurrences or an increase in the detection of attempts.

True

True / False You should remove or disable the employee's network user account immediately before or at the same time they are informed of their termination.

True

True / False Countermeasure selection is a post-risk-assessment or post-risk-analysis activity.

True

True / False A risk report should be accurate, timely, comprehensive of the entire organization, clear and precise to support decision making, and updated on a regular basis.

True

Why is cross-training often discussed as an alternative to job rotation?

Workers learn the responsibilities and tasks of multiple job positions, which enables the employee to fill the position when needed.

The term ________ refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources.

access control

The annual costs of safeguards should not exceed the expected ______.

annual cost of asset loss.

The _________ is the possible yearly cost of all instances of a specific realized threat against a specific asset.

annualized loss expectancy (ALE)

The ____________ is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.

annualized rate of occurrence (ARO)

An _______ is anything within an environment that should be protected.

asset

An __________ is the exploitation of a vulnerability by a threat agent.

attack

A ________ is the occurrence of a security mechanism being bypassed or thwarted by a threat agent.

breach

Separation of duties is also a protection against _________, which is the occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage.

collusion

A __________ control is deployed to provide various options to other existing controls to aid in enforcement and support of security policies.

compensation access

A ___________ control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.

corrective access

Security is aimed at preventing loss or disclosure of _____ while sustaining authorized access.

data

A __________ control is deployed to discover or detect unwanted or unauthorized activity.

detective access

A _________ control is deployed to discourage violation of security policies.

deterrent access

A ___________ control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

directive access

The ____________ is used to verify that the employment candidate has read and understood the associated documentation for their prospective job position.

employment agreement

The ____ represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

exposure factor (EF)

In the auditing and assessment process, both the target and the governing body should participate in ____________.

full and open document exchange and review

The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as __________.

hybrid assessment or hybrid analysis

The first step in hiring new employees is to create a ________. Without it, there is no consensus on what type of individual needs to be found and hired.

job description

A _________ control is deployed to thwart or stop unwanted or unauthorized activity from occurring.

preventive access

Once countermeasures are implemented, the risk that remains is known as _____.

residual risk

Accepting ____ is the valuation by management of the cost/benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss.

risk

What is the formula that defines risk?

risk = threat * vulnerability

The process by which the goals of risk management are achieved is known as ________.

risk analysis

A ____ is a guideline or recipe for how risk is to be assessed, resolved, and monitored.

risk framework

A _______ is anything that removes or reduces a vulnerability or protects against one or more specific threats.

safeguard

A ________ is a written description of a single major threat.

scenario

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset is a ________.

threat

What is the formula used to calculate total risk?

threats * vulnerabilities * asset value = total risk

What is the formula used to calculate residual risk?

total risk - controls gap = residual risk

Risk management/analysis is primarily an exercise for _____.

upper management

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure is a ________.

vulnerability
