CISSP Chapter 1: Security and Risk Management
Formula for Residual Risk is what?
(Threats X Vulnerability X Asset Value) X Controls Gap
What are the three TYPES of controls?
1. Administrative 2. Technical 3. Physical
Six major steps in the RMF process
1. Categorize the Information System 2. Select Security Controls 3. Implement Security Controls 4. Assess Security Controls 5. Authorize the Information System 6. Monitor Security Controls
There are five categories of Administrative, Technical, and Physical controls. What are they?
1. Deterrent 2. Preventive 3. Detective 4. Corrective 5. Recovery
Four main goals of Risk Analysis
1. Identify assets and assign values 2. Identify vulnerabilities and threats 3. Quantify the impact of potential threats 4. Provide an economic balance between the impact of Risk and cost of safeguard
What seven things does FISMA require?
1. Inventory of Systems 2. Categorize by Risk Level 3. Security Controls 4. Risk Assessment 5. Systems Security Plan 6. Certification & Accreditation 7. Continuous Monitoring
Three things a BCP provides:
1. Procedures for emergency responses. 2. Extended backup operations. 3. Post-disaster recovery
Baseline
A measure of how a system operates normally, considered A MINIMUM LEVEL OF SECURITY. Provides a reference for administrators to compare deviations from normal.
Security Policy
A statement by management dictating the role SECURITY plays in the organization.
OCTAVE
A team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.
If you want to understand business risks, which is the most appropriate standard to use?
AS/NZS 4360
SABSA
An example of a SECURITY Enterprise Architecture Framework
Single Loss Expectancy * Annualized Rate of Occurrence = ?
Annualized Loss Expectancy
Preventive: Physical
Badges, Dogs, Guards, and Fences are this type of Control mechanism.
Why is it impossible to conduct purely quantitative risk analysis?
Because qualitative items cannot be quantified with precision.
PIPEDA
Canadian law that protects personal data, requires obtaining consent when collecting, using, or disclosing PI, collecting PI by lawful means, and having clear PI policies.
Rotation of Duties is considered which category of control?
Detective
Standards
Documents that outline rules that are compulsory in nature and support security policies.
If your budget is limited and you want to focus your assessment on an individual system or process, which is the most appropriate standard to use?
Facilitated Risk Analysis Process (FRAP)
If you really want to dig down into the details of security flaws and effects, which two standards would be best to use?
Failure Modes and Effects Analysis or Fault Tree Analysis
Transferred, avoided, reduced, or accepted
Four ways of handling risk.
Internet Architecture Board (IAB)
Group that issues ethics-related statements concerning the use of the Internet, and is the coordinating committee for Internet design, engineering, and management.
IF you want to deploy an organization-wide risk management program and integrate it into your security program, which two standards would be most useful?
ISO/IEC 27005 or OCTAVE
ISO/IEC 27004:2009
International Standard that assesses the effectiveness of an Information Security Management System and the controls that make up the security program.
ISO/IEC 22301
International standard for Business Continuity Management.
ISO/IEC 27001
International standard that describes HOW to build a security program.
ISO/IEC 27031:2011
International standard that describes the concepts and principles of information and communication technology readiness for Business continuity.
Religious Law
Laws are derived from religious beliefs in this system.
Common Law
Made up of criminal, civil, and administrative laws.
If you want to focus on IT security risks during assessment, which standard would be best to use?
NIST SP 800-30
Preventive: Technical
Passwords, biometrics, encryption, antivirus software, access control lists, firewalls, IDPS, and smart cards are all this type of control mechanism.
Preventive: Administrative
Policies, effective hiring practices, background checks, and data classification/labeling are this type of control mechanism.
Separation of Duties is considered which category of control?
Preventive
HITECH
Promotes the adoption and meaningful use of health information. Lists four categories of violations that reflect increasing levels of culpability and penalty amounts for violations and states that DATA LOSS MUST BE REPORTED TO HHS WITHIN 60 DAYS. Corrects HIPAA issues.
Trade Secrets
Proprietary to a company, often information that provides a competitive edge.
GLBA (Gramm-Leach-Bliley Act)
REQUIRES: Giving customers the option to opt out of having their information shared with third parties. Financial Privacy Rule: informs customers of how their data is used. Safeguards Rule: written rules on how clients' information is protected. Safeguards against social engineering attempts. Must inform federal regulators, law enforcement, and customers if a breach is discovered.
Guidelines
Recommendations and general approaches that provide advice and flexibility.
FISMA
Requires federal agencies to create, document, and implement an agency-wide security program to protect information and systems used by that agency.
NIST SP 800-55
Standard for performance measurement in information security.
NIST SP 800-53
Standard that uses the following CONTROL categories: Technical, Management, and Operational.
Procedures
Step-by-step instructions that should be followed to achieve a task.
HIPAA
Covers the storage, use, and transmission of personal medical data and how security should be managed for any facility that deals with medical information; warns of steep penalties for noncompliance, BUT DOES NOT REQUIRE NOTIFICATION WHEN DATA LOSS OCCURS.
Security Governance
The general term for a framework that provides oversight, accountability, and compliance.
Executive Commitment and Support
The most critical elements in developing a BCP are...
Business Continuity Management
The overarching approach to managing all aspects of BCP and DRP.
Enterprise Architecture Frameworks
These are used to DEVELOP architectures for specific stakeholders and present information in views, AND are used to build individual architectures that best map to individual organizational needs and business drivers.
Quantitative Risk Analysis
This attempts to assign monetary values to the components within the analysis.
Business Continuity Plan
This contains strategy documents that provide detailed procedures to ensure critical business functions are maintained and help minimize loss of life, operations, and systems.
Corrective
This control functionality fixes components or systems after an incident.
Detective
This control functionality helps identify an incident's activities.
Deterrent
This control functionality is meant to discourage an attacker.
Preventive
This control functionality is used to avoid an incident from occurring.
Recovery
This control functionality is used to bring the environment back to regular operations.
Compensating
This control functionality provides an alternative measure of control.
The Zachman Framework
This is an early Enterprise Architecture Framework, generic in nature, that uses a two-dimensional model: the six interrogatives (What, How, Where, Who, When, and Why) intersecting with different perspectives (Executives, Business Managers, System Architects, Engineers, Technicians, and Enterprise-wide).
Total Risk is calculated how?
Threats x vulnerability x asset value
True or False: Plans should be prepared by the people who will carry them out.
True
Criminal Law
Type of law dealing with individual conduct that violates government laws developed to protect the public. Punishment can range from fines to imprisonment to death.
Administrative Law
Type of law that covers standards of performance or conduct expected by government agencies from companies, industries, and officials.
Civil Law
Type of law that deals with wrongs committed against individuals or companies that result in injury or damages. No prison, but requires financial restitution.
Civil Law
Uses prewritten rules not based on precedent.
Customary Law
Uses regional traditions and customs as the foundations of the laws. Usually mixed with another type of legal system.
Cost, Functionality, and Effectiveness
When choosing the right safeguard to reduce a specific risk, what three things must be considered in addition to performing a Cost Benefit Analysis?