SSCP uC

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Switching

Switching is the process used by one node to receive data on one of its input ports and choose which output port to send the data to. Segmentation is the process of breaking a large network into smaller ones

Risk Treatment and Controls

Accept Transfer Remediate or Mitigate (Also Known as Reduce or Treat)

zero-day exploit

A zero-day exploit is an exploitation of a newly discovered vulnerability before that vulnerability is discovered by or reported to the developers, vendors, or users of the affected system. The term suggests that the system's defenders have zero time to prepare for such an exploit, since they are not aware of the vulnerability or the potential for an attack based on it.

OODA - Observe, Orient, Decide and Act

CIA triad: nonrepudiation and authentication.

Implement Controls

Controls, also called countermeasures, are the active steps we take to put technologies, features, and procedures in place to help prevent a vulnerability from being exploited and causing a harmful or disruptive impact

What is Zero Day exploit?

Exploitation of an unreported vulnerability in commercial or widely available software or firmware.

OODA LOOP

Observe, Orient, Decide, Act

Segmentation

Segmentation is the process of breaking a large network into smaller ones.

Here are the classes of systems that pose specific information risks:

Standalone:Meets some specific business needs but is not as integrated into organizational systems planning, management, and control as other systems areMay be kept apart for valid reasons, such as to achieve a more cost-effective solution to data protection needs or to support product, software, or systems development and testing Shadow IT:Created by talented users on their own, often using the powerful applications programs that come with modern office and productivity suitesRefers to data and application programs that are outside of the IT department's areas of responsibilities and control

Simple Network Management Protocol (SNMP)

TCP/UDP161/162

Lightweight Directory Access Protocol (LDAP)

TCP/UDP389

Which of the following steps of the PDCA cycle is part of conducting due diligence on what the plan asked us to achieve and how it asked us to get it done? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Checking B Planning C Doing D Acting

A Checking Checking is part of conducting due diligence on what the plan asked us to achieve and how it asked us to get it done. Planning is the process of laying out the step-by-step path we need to take to go from "where we are" to "where we want to be". Doing is the phase that encompasses everything it takes to accomplish the plan. Acting is the phase that involves making decisions and taking corrective or amplifying actions based on what the checking activities revealed

Here are the steps of the PDCA cycle

Acting: The phase that involves making decisions and taking corrective or amplifying actions based on what the checking activities revealed Checking: The part of conducting due diligence on what the plan asked us to achieve and how it asked us to get it done Doing: The phase that encompasses everything it takes to accomplish the plan Planning: The process of laying out the step-by-step path we need to take to go from "where we are" to "where we want to be"

risk-averse or risk-tolerant

Being risk-averse or risk-tolerant is a measure of an appetite for risk, whether that risk is involved with trying something new or with dealing with vulnerabilities or threats. The higher the risk appetite, the more likely the organization's decision makers are to accept risk or to accept higher levels of residual risk.

tangible assets

Buildings, machinery, or money on deposit in a bank are examples of hard, or tangible assets

Which of the following are the individual facts, observations, or elements of measurement? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Wisdom B Information C Data D Knowledge

C

Here are the key ingredients of a communications system:

Communications medium: Transports the message from one place to another place using flashes of light or puffs of smoke or anything else Purpose: Accomplishes something that somebody has and shapes the whole communication process Senders and recipients: Actual people or groups on both ends of the conversation, often called parties to the communication Protocols: Involves a choice of language, character or symbol set, and restricted domain of ideas to communicate about Message content: Ideas exchanged, encoded or represented in the chosen language, character or symbol sets, and protocols

All are the major steps described by the risk management framework to information and privacy risk management except for which one? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Prepare B Categorize C Implement D Mitigate

D Option D is one of the risk treatment strategies. The risk management framework (RMF) describes seven major steps to information and privacy risk management: prepare, categorize, select, implement, assess, authorize, and monitor.

Detective access control

Detective access control is deployed to discover unwanted or unauthorized activity. Examples of detective access controls include security guards, guard dogs, motion detectors, recording and reviewing of events seen by security cameras or CCTV, job rotation, mandatory vacations, audit trails, intrusion detection systems, honeypots, supervision and reviews of users, and incident investigations.

Due diligence

Due diligence is continually monitoring and assessing whether those necessary and prudent steps are achieving required results and that they are still necessary, prudent, and sufficient.

Deterrence can be passive, active, or a combination of the two

Fences, the design of parking, access roads and landscaping, and lighting tend to be passive deterrence measures; Active measures give the defender the opportunity to create doubt in the attacker's mind: Is the guard looking my way? Is anybody watching those CCTV cameras?

Here are the incident investigation events:

Here are the incident investigation events: Unauthorized attempts to elevate a user's or process privilege state to systems owner or root level Unauthorized attempts to extract, download, or otherwise delete restricted data from the facility Warnings from malware, intrusion detection, or other defensive systems Unplanned or unauthorized attempts to connect a device, cable, or process to the system Unplanned or unauthorized attempts to initiate system backup or recovery tasks An unplanned shutdown of any asset, such as a router, switch, or server

CIA

If it is publicly known, we must have confidence that everybody knows it or can know it; if it is private to us or those we are working with, we need to trust that it stays private or confidential. The information we need must be reliable. It must be accurate enough to meet our needs and come to us in ways we can trust. It must have integrity. The information must be there when we need it. It must be available.

The following are correct statements about ethical penetration testing:

It is illegal to gain unauthorized entry into someone else's information systems without their express written permission. Pen-testing firms hire reformed former criminal hackers because they've got the demonstrated technical skills and a hacker mindset. Reporting relationships between the people doing the pen-testing, their line managers, and leadership within your own organization must be clear and effective.

Need to know

Need to know limits who has access to read, use, or modify data based on whether their job functions require them to do so. Need-to-know leads to compartmentalization of information approaches, which create procedural boundaries (administrative controls) around such sets of information.

Here are the steps of John Boyd's OODA loop:

Observe: Gather information about what is happening, right now, and what's been happening very recently. Orient: Remember what are the organization's goals and objectives. Decide: Make an educated guess as to what's going on and what needs to be done about it. Act: Take action on the decision that was made

Patch

Patch: A patch is a piece of software intended to update an application, operating system, or control program to improve its usability and performance. A patch may be broad in nature and fix or repair various problems identified within the software.

Physical systems technologies

Physical systems technologies, such as buildings, locks, cabinets, fire detection and suppression systems, and even exterior and interior lighting, all can play multiple roles. They can prevent or deter unwanted activities; they can contain damage; they can either directly generate an alarm (and thus notify responders) or indicate that something has happened because of a change in their appearance or condition. (A broken window clearly indicates something has gone wrong; you ignore it at your peril!) Getting our money's worth of security out of our physical systems' elements usually requires human monitoring, whether by on-site inspection or remote (CCTV or other) monitoring.

Procedures

Procedures take the broad statements expressed in policies and break them down into step-by-step detailed instructions to those people who are assigned responsibility to perform them. Procedures state how a task needs to be performed and should also state what constraints or success criteria apply. As instructions to people who perform these tasks, procedures are administrative in nature

What is existential Risk?

Risk of an impact that can put the business out of business. It causes to cease to exist as a legal and functioning entity.

Root cause analysis

Root cause analysis looks to find what the underlying vulnerability or mechanism of failure is that leads to the incident, for example

SLE

SLE - Single loss expectancy is defined as damage or loss anticipated by a single occurrence of a risk event. SLE = asset value x exposure factor

he following are the correct statements about routing:

The following are the correct statements about routing: It is used to determine what path or set of paths to use to send a set of data from one endpoint device through the network to another. The Internet routes individually addressed packets from sender to recipient. The Internet handles routing as a distributed, loosely coupled, and dynamic process.

Transfer

Transferring a risk means that rather than spend our own money, time, and effort to reduce, contain, or eliminate the risk, we assign responsibility for it to someone else. For example: Insuring your home against fire or flood transfers the risk of repairing or replacing your home and possessions to the insurance company. You take no real actions to decrease the likelihood of fire, or the extent to which it could damage your home and possessions, beyond what is normally reasonable and prudent to do. You don't redesign the home to put in more fire-retardant walls, doors, or floor coverings, for example. You paid for this via your insurance premiums. In the event of a fire in your home, you have transferred the responsibility for dealing with the fire to the local emergency responders, the fire department, and even the city planners who required the builders to put water mains and fire hydrants throughout your neighborhood. You paid for this risk to be assumed by the city and the fire department as part of your property taxes, and perhaps even a part of the purchase price (or rent you pay) on your home. You know that another nation might go to war with your homeland, causing massive destruction, death, injury, and suffering. Rather than taking up arms yourself, you pay taxes to your government to have it raise armed forces, train and equip them, and pursue strategies of deterrence and foreign relations to reduce the likelihood of an all-out war in our times.

Threat-Based (or Vulnerability-Based) Risk

Typically, threats or threat actors exploit (make use of) vulnerabilities. Threats can be natural (such as storms or earthquakes), accidental (failures of processes or systems due to unintentional actions or normal wear and tear, causing a component to fail), or deliberate actions taken by humans or instigated by humans. Such intentional attackers have purposes, goals, or objectives they seek to accomplish; Mother Nature or a careless worker does not intend to cause disruption, damage, or loss.

Remember the PLA

Your ongoing security assessments should always take the opportunity to assess the entire set of information risk controls—be they physical, logical, or administrative in nature.

Patsy is reviewing the quantitative risk assessment spreadsheet, and she sees multiple entries where the annual rate of occurrence (ARO) is far greater than the single loss expectancy (SLE). This suggests that: This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A it looks like an error in estimation or assessment, and it should be further investigated. B the particular risk is assessed to happen many times per year; thus, its ARO is much greater than 1.0. C ARO is less than 1. D RTO is greater than RPO.

b According to the scenario, it suggests that the particular risk is assessed to happen many times per year; thus, its ARO is much greater than 1.0. Option C has the annualized rate of occurrence (ARO) use incorrect; if ARO was less than 1, the single loss expectancy is in effect spread over multiple years (as if it were amortized). Option D involves restore time and point objectives, which are not involved in the annualized loss expectancy (ALE) calculation. Option A misunderstands ALE = ARO * SLE as the basic math involved.

A thunderstorm knocks out the commercial electric power to your company's datacenter, shutting down everything. This impacts which aspect of information security? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Confidentiality B Privacy C Availability D Integrity

c

The protection of intellectual property (IP) is an example of what kind of information security need? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Integrity B Availability C Confidentiality D Nonrepudiation

c

company confidential or proprietary information

company confidential or proprietary information almost every day. Both terms declare that the business owns this information; the company has paid the costs to develop this information (such as the salaries of the people who thought up these ideas or wrote them down in useful form for the company), which represents part of the business's competitive advantage over its competitors. Both terms reflect the legitimate business need to keep some data and ideas private to the business.

Annual loss expectancy (ALE)

ALE is the total expected losses for a given year and is determined by multiplying the SLE by the ARO.

Your company uses computer-controlled machine tools on the factory floor as part of its assembly line. This morning, you've discovered that somebody erased a key set of machine control parameter files, and the backups you have will need to be updated and verified before you can use them. This may take most of the day to accomplish. What information security attribute is involved here? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Confidentiality B Due care C Availability D Integrity

D

knowledge pyramid

Data: The individual facts, observations, or elements of a measurement Information: Data plus conclusions or inferences Knowledge: A set of broader, more general conclusions or principles that are derived from lots of information Wisdom: The insightful application of knowled

Here are the strategies for limiting or containing the damage:

Deter: Discourage or dissuade someone from taking an action because of their fear or dislike of the possible consequences. Detect: Notice or consciously observe that an event of interest is happening. Prevent: Stop an attack from happening or, if it is already underway, to halt it in its tracks, thus limiting its damage. Avoid: Terminate the activity that incurs the risk, or redesign or relocate the activity to nullify the risk.

Domain 1: Access Controls

Domain 1: Access Controls: Policies, standards, and procedures that define who users are, what they can do, which resources and information they can access, and what operations they can perform on a system, such as: 1.1 Implement and maintain authentication methods 1.2 Support internetwork trust architectures 1.3 Participate in the identity management lifecycle 1.4 Implement access controls

Availability

Is the data there, when we need it, in a form we can use? The information might be in our files, but if we cannot retrieve it, organize it, and display it in ways that inform the decision, then the information isn't available. If the information has been deleted, by accident, sabotage (an attack committed against an organization by an insider, such as an employee), or systems failure, then it's not available to inform the decision.

Here are the terms related to quantitative risk assessment:

MTTR (mean time to repair or restore): The amount of time it takes to get the failed system, component, or process repaired or replaced MAO (maximum acceptable outage): The maximum time that a business process or task cannot be performed without causing intolerable disruption or damage to the business RTO (recovery time objective): The amount of time in which system functionality or ability to perform the business process must be back in operation RPO (recovery point objective): The maximum data loss that the organization can tolerate because of a risk event

Policies

Policies are broad statements of direction and intention; in most organizations, they establish direction and provide constraints to leaders, managers, and the workforce. Policies direct or dictate what should be done, to what standards of compliance, who does it, and why they should do it. Policies are usually approved ("signed out") by senior leadership, and are used to guide, shape, direct, and evaluate the performance of the people who are affected by the policies; they are thus considered administrative in nature.

Due Care

Taking steps to ensure that all of your responsibilities can be accomplished satisfactorily.

maximum acceptable outage (MAO)

The maximum acceptable outage (MAO) is the maximum time that a business process or task cannot be performed without causing intolerable disruption or damage to the business. Sometimes referred to as the maximum tolerable outage (MTO), or the maximum tolerable period of disruption (MTPOD), determining this maximum outage time starts with first identifying mission-critical outcomes. These outcomes, by definition, are vital to the ongoing success (and survival!) of the organization; thus, the processes, resources, systems, and no doubt people they require to properly function become mission-critical resources. If only one element of a mission-critical process is unavailable, and no immediate substitute or workaround is at hand, then the MAO clock starts tickin

Whistleblowers

Whistleblowers are individuals who see something that they believe is wrong, and then turn to people outside of their own context to try to find relief, assistance, or intervention. Historically, most whistleblowers have been responsible for bringing public pressure to bear to fix major workplace safety issues, child labor abuses, graft and corruption, or damage to the environment, in circumstances where the responsible parties could harass, fire, or sometimes even physically assault or kill the whistleblower.

The following are correct statements about the risk register:

A central repository or knowledge bank of the risks that have been identified in its business and business process systems Constantly refreshed as the company moves from risk identification through mitigation to the "new normal" of operations after instituting risk controls A compendium of the company's weaknesses and should be considered as closely held, confidential, and proprietary business information

CBK

Common Body of Knowledge- SSCP has 7 Domains

Compensation access control

Compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of a security policy. Examples of compensation access controls include security policy, personnel supervision, monitoring, and work task procedures

Which of the following states how a task needs to be performed and what constraints or success criteria apply? A Policy B Standard C Principle D Procedure

D Procedures state how a task needs to be performed and what constraints or success criteria apply. A policy is a broad statement of direction and intention. In most organizations, it establishes direction and provides constraints to leaders, managers, and the workforce. A standard is a technical document designed to be used as a rule, guideline, or definition. A principle is a basic truth or the source or origin of something or someone.

What are the basic choices for limiting or containing the damage from risks? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Accept, mitigate, transfer, and avoid B Quantitative and qualitative C Outcomes-based, assets-based, process-based, and threat-based D Deter, detect, prevent, and avoid

D The basic choices for limiting or containing the damage from risks are deter, detect, prevent, and avoid. Option A includes risk treatment strategies, option C includes the four faces of risk, and option B includes the types of risk assessments.

Which of the following is referred to as the maximum tolerable period of disruption? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A MTTR B RTO C RPO D MAO

D MAO The maximum acceptable outage (MAO) is the maximum time that a business process or task cannot be performed without causing intolerable disruption or damage to the business. It is referred to as the maximum tolerable outage (MTO), or the maximum tolerable period of disruption (MTPOD)

Defense

Defense is a set of strategies, management is about making decisions, and mitigation is a set of tactics chosen to implement those decisions

Deterrent access control

Deterrent access control is deployed to discourage the violation of security policies. A deterrent control picks up where prevention leaves off. The deterrent doesn't stop with trying to prevent an action; instead, it goes further to exact consequences in the event of an attempted or successful violation. Examples of deterrent access controls include locks, fences, security badges, security guards, mantraps, security cameras, trespass or intrusion alarms, separation of duties, work task procedures, awareness training, encryption, auditing, and firewalls

Domain 2: Security Operations and Administration:

Domain 2: Security Operations and Administration: Identification of information assets and documentation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability, such as: 2.1 Comply with codes of ethics 2.2 Understand security concepts 2.3 Document, implement, and maintain functional security controls 2.4 Participate in asset management 2.5 Implement security controls and assess compliance 2.6 Participate in change management 2.7 Participate in security awareness and training 2.8 Participate in physical security operations (e.g., data center assessment, badging)

Here are the four faces of risk:

Here are the four faces of risk: Outcomes-based: Looks at why people or organizations do what they do or set out to achieve their goals or objectives Process-based: Looks at your business procedures and how different risks can impact, disrupt, or block your ability to run those procedures successfully and correctly Asset-based: Looks at any tangible or intangible tool used for performing the business process and asks how risks can decrease the value of the tool to the business Threat-based: Focuses on how things go wrong—what the root and proximate causes of risks might be—whether natural, accidental, or deliberately caused

The following are correct statements about the business impact analysis (BIA):

Informs, guides, and shapes risk management decisions by senior leadership Provides the insight to choose a balanced, prudent mix of risk mitigation tactics and techniques Guides the organization in accepting residual risk to goals, objectives, processes, areas, or assets in areas where this is appropriate Meets external stakeholder needs, such as for insurance, financial, regulatory, or other compliance purposes Reflects today's set of concerns, priorities, assets, and processes

Decide

Make an educated guess as to what's going on and what needs to be done about it. This hypothesis you make, based on having oriented yourself to put the "right now" observations in a proper mental frame or context, suggests actions you should take to deal with the situation and continue toward your goals.

Patents

Patents are legal recognition by governments that someone has created a new and unique way of doing something. The patent grants a legal monopoly right in that idea, for a fixed length of time. Since the patent is a published document, anyone can learn how to do what the patent describes. If they start to use it in a business, they either must license its use from the patent holder (typically involving payment of fees) or risk being found guilty of patent infringement by patents and trademarks tribunal or court of law.

Qualitative Risk Assessment

Qualitative assessments focus on an inherent quality, aspect, or characteristic of the risk as it relates to the outcome(s) of a risk occurrence. "Loss of business" could be losing a few customers, losing many customers, or closing the doors and going out of business entirely! litative assessment of information is most often used as the basis of an information classification system, which labels broad categories of data to indicate the range of possible harm or impact. Most of us are familiar with such systems through their use by military and national security communities. Such simple hierarchical information classification systems often start with "Unclassified" and move up through "For Official Use Only," "Confidential," "Secret," and "Top Secret" as their way of broadly outlining how severely the nation would be impacted if the information was disclosed, stolen, or otherwise compromised. Yet even these cannot stay simple for long. Businesses, private organizations, and the military have another aspect of data categorization in common: the concept of need to know

Recovery access control

Recovery access control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies. For example, recovery access control can repair damage as well as stop further damage. Examples of recovery access controls include backups and restores, fault-tolerant drive systems, server clustering, antivirus software, and database shadowing.

NIST Special Publication 800-37,

Risk Management Framework (RMF) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

Risk

Rule 1: All things will end. Systems will fail; parts will wear out. People will get sick, quit, die, or change their minds. Information will never be complete or absolutely accurate or true. Rule 2: The best you can do in the face of Rule 1 is spend money, time, and effort making some things more robust and resilient at the expense of others, and thus trade off the risk of one kind of failure for another. Rule 3: There's nothing you can do to avoid Rule 1 and Rule 2.

Quantitative Risk Assessment

Safeguard value: Annual rate of occurrence (ARO) Annual loss expectancy (ALE) Single loss expectancy (SLE)

Safeguard value:

Safeguard value: This is the estimated cost to implement and operate the chosen risk mitigation control. You cannot know this until you've chosen a risk control or countermeasure and an implementation plan for it; we'll cover that in the next lesson.

ISO Standard 31000:2018, Risk Management Guidelines,

Scope, Context, Criteria Risk Assessment, consisting of Risk Identification, Risk Analysis, and Risk Evaluation Risk TreatmentThree additional, broader functions support or surround these central risk mitigation tasks: Recording and Reporting Monitoring and Review Communication and Consultation

Security Patch

Security Patch: A security patch is a specific update to an application, operating system, or control program in response to the identification of a vulnerability. Many manufacturers attempt to distribute security patches as soon as they are tested and available.

Single loss expectancy (SLE):

Single loss expectancy (SLE): Usually measured in monetary terms, SLE is the total cost you can reasonably expect should the risk event occur. It includes immediate and delayed costs, direct and indirect costs, costs of repairs, and restoration. In some circumstances, it also includes lost opportunity costs, or lost revenues due to customers needing or choosing to go elsewhere

Jayne owns a small 3D-printing facility that provides custom parts for various design and engineering firms. She deals with customers across the nation via the Internet. Her business is located in an earthquake zone, and a sufficiently strong earthquake could devastate her facility and damage or destroy her 3D-printing machines. It would cost up to $500,000 to replace her facility or to rebuild it in a new location after such a disaster. It could take six months to get new equipment installed in a new or repaired facility and get back in business. This could lead to a loss of $200,000 in revenues. Official government estimates suggest that such a devastating earthquake might happen once every 50 years. Jayne needs to appreciate how much she stands to lose if such an earthquake strikes her business.First, how much does she expect to lose altogether if such an earthquake occurs? This is her single loss expectancy, which is the sum of all costs she incurs plus all lost business revenues because of the earthquake. This is calculated as follows:

Single loss expectancy = (replacement costs) + (lost revenue) SLE = $500,000 + $200,000 = $700,000

Lightweight Directory Access Protocol over TLS/SSL (LDAPS)

TCP/UDP636

Act

Take the action that you just decided on. Make it so! And go right back to the first step and observe what happens! Assess the newly unfolding situation (what was there plus your actions) to see if your hypothesis was correct. Check your logic. Correct your decision logic if need be. Decide to make other, different observations.

Private vs Public

The following are correct statements about public places: Areas in which anyone and everyone can see, hear, or notice the presence of other people One of the examples of the public place is a city park Refers to a place where there is little to no degree of control as to who can be in a public place Private areas in which gatherings can be attended only by a particular group of people.

Decision assurance, then, consists of protecting the availability, reliability, and integrity of the four main components of the decision process:

The knowledge we already have (our memory and experience), including knowledge of our goals, objectives, and priorities New information we receive from others (the marketplace, customers, others in the organization, and so on) Our cognitive ability to think and reason with these two sets of information and to come to a decision Taking action to carry out that decision or to communicate that decision to others, who will then be responsible for taking action

mean time to repair (MTTR)

The mean time to repair (MTTR), or mean time to restore, reflects our average experience in doing whatever it takes to get the failed system, component, or process repaired or replaced. The MTTR must include time to get suitable staff on scene who can diagnose the failure, identify the right repair or restoration needed, and draw from parts or replacement components on hand to effect repairs. MTTR calculations should also include time to verify that the repair has been done correctly and that the repaired system works correctly. This last requirement is very important—it does no good at all to swap out parts and say that something is fixed if you cannot assure management and users that the repaired system is now working the way it needs to in order to fulfill mission requirements.

intangible assets

The people in your organization (including you!), the knowledge that is recorded in the business logic of your business processes, your reputation in the marketplace, the intellectual property that you own as patents or trade secrets, and every bit of information that you own or use are examples of soft, or intangible assets.

recovery point objective (RPO)

The recovery point objective (RPO) measures the data loss that is tolerable to the organization, typically expressed in terms of how much data needs to be loaded from backup systems in order to bring the operational system back up to where it needs to be. For example, an airline ticketing and reservations system takes every customer request as a transaction, copies the transactions into log files, and processes the transactions (which causes updates to its databases). Once that's done, the transaction is considered completed. If the database is backed up in its entirety once a week, let's say, then if the database crashes five days after the last backup, that backup is reloaded and then five days' worth of transactions must be reapplied to the database to bring it up to where customers, aircrew, airport staff, and airplanes expect it to be. Careful consideration of an RPO allows the organization to balance costs of routine backups with time spent reapplying transactions to get back into business.

Deter

To deter means to discourage or dissuade someone from taking an action because of their fear or dislike of the possible consequences. Deterring an attacker means that you get them to change their mind and choose to do something else instead.

Network Time Protocol (NTP)

UDP123

Dynamic Host Configuration Protocol (DHCP)

UDP67/68

Trivial File Transfer Protocol (TFTP)

UDP69

Which of the following describes the correct relationship between confidentiality and privacy? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Privacy laws allow criminals to hide their actions and intentions from society, but confidentiality allows for the government to protect defense-related information from being leaked to enemies. B Confidential information is information that must be kept private, so they really have similar meanings. C Confidentiality is about keeping information secret so that we retain advantage or do not come to harm; privacy is about choosing who can enter into one's life or property. D Confidentiality means that something is whole and complete; privacy refers to information that is specifically about individuals' lives, activities, or interests.

c

ARO

ARO- annual rate of occurrence is the number of times a risk event is anticipated to occur within a calendar year. ARO = 0.1 indicates a once-every-ten year event.

Administrative systems

Administrative systems dictate the command and control aspects of integrated and proactive systems. By translating our planning results into people-facing products, we inform, advise, and direct our team how to plan, monitor, and act when faced with various circumstances. Administrative procedures delegate authority to incident managers (individual people or organizational units), for example; without this authoritative statement of delegation, all we can do is hope that somebody will keep their head when an incident actually happens, and that the right, knowledgeable head will take charge of the scene

Annual rate of occurrence (ARO)

Annual rate of occurrence (ARO): ARO is an estimate of how often during a single year this event could reasonably be expected to occur

CIANA

CIANA: confidentiality, integrity, availability, nonrepudiation, and authentication. Thus, nonrepudiation is the characteristic of a communications system that prevents a user from claiming that they never sent or never received a particular message. Authentication is the verification that the sender or receiver is who they claim to be, and then the further validation that they have been granted permission to use that communications system. Authentication might also go further by validating that a particular sender has been granted the privilege of communicating with a particular sender.

Corrective access control

Corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Examples of corrective access controls include intrusion detection systems, antivirus solutions, alarms, mantraps, business continuity planning, and security policies.

Logical elements or Risk Management

Logical elements (sometimes called technical elements) are the software, firmware, database, or other control systems settings that you use to make the physical elements of the organization's IT systems obey the dictates and meet the needs of the administrative ones

Logical systems technologies

Logical systems technologies can and should provide the connectivity, information sharing, and analytical capabilities that keep everyone informed and enable assured decision making in the event of an incident. Getting everybody out of a building in the event of a fire requires the integrated capability to detect the fire and then notify building occupants about it; occupants have to be trained to recognize that the alarm is directing them to evacuate. Signage and other building features, such as emergency lighting and crash-bar door locks (that allow keyless exit), are also part of the end-to-end safety requirement, as is the need to notify first responders and organizational leadership. These provide the communications element of the C3 system.

Due Diligence

Making sure that all of your due care tasks are getting the job done correctly and completely.

Example of Deterance

Physical assets such as buildings (which probably contain or protect other kinds of assets) may have very secure and tamper-proof doors, windows, walls, or rooflines that prevent physical forced entry. Guard dogs, human guards or security patrols, fences, landscaping, and lighting can make it obvious that an attacker has very little chance to approach the building without being detected or prevented from carrying out their attack. Strong passwords and other access control technologies can make it visibly difficult for an attacker to hack into your computer systems (be they local or cloud-hosted). Policies and procedures can be used to train your people to make them less vulnerable to social-engineering attacks.

Border Gateway Protocol (BGP)

TCP179

FTP over TLS/SSL(RFC 4217)

TCP989/990

What Is Risk?

. A risk is a possibility that an event can occur that can disrupt or damage the organization's planned activities, assets, or processes, which may impact the organization's ability to achieve some or all of its goals and objectives. This involves a threat (an actor, or a force of nature) acting on an asset's vulnerabilities so as to cause undesired or unplanned results. This is described using the equation Risk = Threat * Vulnerability.

Why is the preamble to (ISC)2 Code of Ethics important to us as SSCPs? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A It is vital to understand the code because it sets purpose and intention; it's our mission statement as professionals. B It sets the priorities for us to address, highest to lowest, starting with the profession, the organization, the people we work for or our customers, and then society as a whole. C It's not that important since it only provides a context for the canons, which are the real ethical responsibilities that we have. D It sounds like it ought to be important, but it just states personal values; the canons tell us what to do and why that matters.

A

Hot Patch

A hot patch is a patch that can be applied to a piece of hardware or software without the requirement to power down or reboot the product, thus making it unavailable to users. This type of patch addresses the availability component of the CIA triad.

Next, let's look at how often Jayne might expect or anticipate such a loss to occur. For natural events such as earthquakes or storms, governments usually publish data about expected rates of occurrence. In Jayne's case, the published annual rate of occurrence for such an earthquake is once in each 50-year period; we must normalize that to show number of occurrences anticipated in any single year:

ARO = (number of occurrences) / (number of years) ARO = 1/50 = 0.02

An unwarranted action is one that is either (regarding Privacy):

An unwarranted action is one that is either: Without a warrant, a court order, or other due process of law that allows the action to take place Has no reasonable cause; serves no reasonable purpose; or exceeds the common sense of what is right and proper

Now Jayne wants to know how much of a loss, in any given year, she can anticipate because of such a major earthquake. She gets this annual loss expectancy (ALE) by simply multiplying the loss on a single event by the probability of that event occurring in any given year:

Annual loss expectancy = SLE * ARO ALO = $700,000 * 0.02 = $14,000

Orient

Apply your memory, your training, and your planning! Remember why you are here—what your organization's goals and objectives are. Reflect upon similar events you've seen before. Combine your observations and your orientation to build the basis for the next step.

Avoid or Eliminate

Avoid or EliminateThe logical opposite of accepting a risk is to make the informed decision to stop doing business in ways or in places that expose you to that risk. Closing a store in a neighborhood with a high crime rate eliminates the exposure to risk (a store you no longer operate cannot be robbed, and your staff who no longer work there are no longer at risk of physical assault during such a robbery).

Which of the following is defined as the estimated cost to implement and operate the chosen risk mitigation control? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Single loss expectancy B Safeguard value C Annual loss expectancy D Annual rate of occurrence

B The safeguard value is the estimated cost to implement and operate the chosen risk mitigation control. The single loss expectancy is the total cost you can reasonably expect should the risk event occur. The annual rate of occurrence is an estimate of how often during a single year the risk event could reasonably be expected to occur. The annual loss expectancy is the total expected losses for a given year.

Configuration control

Configuration control is the process of regulating changes so that only authorized changes to controlled systems baselines can be made. Configuration control implements what the configuration management process decides and prevents unauthorized changes. Configuration control also provides audit capabilities that can verify that the contents of the controlled baseline in use today are in fact what they should be.

Configuration management

Configuration management is the process by which the organization decides what changes in controlled systems baselines will be made, when to implement them, and the verification and acceptance needs that the change and business conditions dictate as necessary and prudent. Change management decisions are usually made by a configuration management board, and that board may require impact assessments as part of a proposed change. Change management is specifically an IT process in which the objective is to ensure that the methods and procedures for change are standardized and are used for an efficient and prompt response to all change requests. Change management is a system that records a request, processes requests, elicits a denial or authorization, and records the outcome of the change to a configuration item. The goals of a formal change management program are to implement change in an orderly fashion, test changes prior to implementation, and provide rollback plans for changes. Stakeholders should be informed of changes before, not after, they occur.

When we call an attack a "zero-day exploit," we mean that: This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A this term is meaningless hyperbole, invented by the popular press. B the attack exploited a vulnerability within the first 24 hours of its being announced by the affected systems or software vendor, or when it was posted in the common vulnerabilities and exposures (CVE). C the attack exploited a vulnerability within the first 24 hours of its discovery. D the attack exploited a previously unreported vulnerability before the affected systems or software vendor recognized and acknowledged it, reported or disclosed it, or provided a warning to its customers.

D Option D correctly explains the period from discovery in the wild to first recognition by system owners, users, or the IT community, and how this element of surprise may give the attacker an advantage. Despite the name, the 24 hours of a day have nothing to do with the element of surprise associated with attacking a heretofore-unknown vulnerability. Option A is false since the term is well understood in IT security communities.

What is business logic? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A The set of procedures that must be performed to achieve an objective within cost and schedule constraints B The set of rules and constraints that drive a business to design a process that gets business done correctly and effectively C Software and data used to process transactions and maintain accounts or inventories correctly D The set of rules that dictate or describe the processes that a business uses to perform the tasks that lead to achieving the required results

D Business logic is the set of rules that dictate or describe the processes that a business uses to perform the tasks that lead to achieving the required results, goals, or objectives. The rules and constraints by themselves are not the business logic. Processes (software or people procedures) are not business logic, but they should accurately and effectively implement that logic.

Logical (or Technical) Controls

Here is where you use software and the parameter files or databases that direct that software to implement and enforce policies and procedures that you've administratively decided are important and necessary. It is a bit confusing that a "policy" can be a human-facing set of rules, guidelines, and instructions, and a set of software features and their control settings. Many modern operating systems, and identity-as-a-service provisioning systems, refer to these internal implementations of rules and features as policy objects, for example. So we write our administrative "acceptable use" policy document, and use it to train our users so that they know what is proper and what is not; our systems administrators then "teach" it to the operating system by setting parameters and invoking features that implement the software side of that human-facing policy.

Hotfix

Hotfix: Similar to a hot patch, a hotfix may be applied to a piece of hardware or software that is currently online and in use.

What's at Risk with Uncontrolled and Unmanaged Baselines?

How do we know when a new device, such as a computer, phone, packet sniffer, etc., has been attached to our systems or networks? How do we know that one of our devices has gone missing, possibly with a lot of sensitive data on it? How do we know that someone has changed the operating system, updated the firmware, or updated the applications that are on our end users' systems? How do we know that an update or recommended set of security patches, provided by the systems vendor or our own IT department, has actually been implemented across all of the machines that need it? How do we know that end users have received updated training to make good use of these updated systems?

Integrity

Integrity, in the most common sense of the word, means that something is whole and complete. Can we rely on the information we have and trust in what it is telling us?

Confidentiality

Often thought of as "keeping secrets," confidentiality is actually about sharing secrets. Confidentiality is both a legal and ethical concept about privileged communications or privileged information. Privileged information is information you have, own, or create, and that you share with someone else with the agreement that they cannot share that knowledge with anyone else without your consent, or without due process in law. You place your trust and confidence in that other person's adherence to that agreement. Relationships between professionals and their clients, such as the doctor-patient or attorney-client ones, are prime examples of this privilege in action. Except in very rare cases, courts cannot compel parties in a privileged relationship to violate that privilege and disclose what was shared in confidence Confidentiality needs dictate who can read specific information or files, or who can download or copy them. This is very different from who can modify, create, or delete those files.One way to think about this is that integrity violations change what we think we know; confidentiality violations tell others what we think is our private knowledge.

Risk Treatment Controls

Once again, you see the trio of physical, logical, and administrative (PLA) actions as possible controls you can apply to a given risk or set of risks.

Access Controls

Preventative access control Deterrent access control Detective access control Corrective access control Recovery access control Compensation access control Directive access control

Preventative access control

Preventative access control is deployed to stop unwanted or unauthorized activity from occurring. Examples of preventative access controls include fences, locks, biometrics, mantraps, lighting, antivirus software, presence of security cameras or closed-circuit television (CCTV), smart cards, callback, security policies, and security awareness training

Private places

Private places are areas or spaces in which, by contrast, you as the owner (or the person responsible for that space) have every reason to believe that you can control who can enter, participate in activities with you (or just be a bystander), observe what you are doing, or hear what you are saying. You choose to share what you do in a private space with the people you choose to allow into that space with you. By law, this is your reasonable expectation of privacy, because it is "your" space, and the people you allow to share that space with you share in that reasonable expectation of privacy.

Service Pack

Service Pack: A service pack is made up of a number of updates, enhancements, fixes, or patches that are delivered by the manufacturer in the form of a single executable file. The executable file will cause the service pack to be installed on the target machine.

Internet Message Access Protocol (IMAP)

TCP143

PSec provides an open and extensible architecture that consists of a number of protocols and features used to provide greater levels of message confidentiality, integrity, authentication, and nonrepudiation protection:

The IP Security Authentication Header (AH) protocol uses a secure hash and secret key to provide connectionless integrity and a degree of IP address authentication. Encapsulating Security Payloads (ESP) by means of encryption supports confidentiality, connectionless integrity, and anti-replay protection, and authenticates the originator of the data (thus providing a degree of nonrepudiation).

penetration testing or operational test and evaluation (OT&E)

The first major risk to be considered in pen-testing is that first and foremost, pen testers are trying to actively and surreptitiously find exploitable vulnerabilities in your information security posture and systems. This activity could disrupt normal business operations, which in turn could disrupt your customers' business operations. For this reason, the scope of pen-testing activities should be clearly defined

recovery time objective (RTO)

The recovery time objective (RTO) is the amount of time in which system functionality or ability to perform the business process must be back in operation. Note that the RTO must be less than or equal to the MAO (if not, there's an error in somebody's thinking). As an objective, RTO asks systems designers, builders, maintainers, and operators to strive for a better, faster result. But be careful what you ask for; demanding too rapid an RTO can cause more harm than it deflects by driving the organization to spend far more than makes bottom-line sense.

Residual Risk

This has been defined as the risk that's left over, unmitigated, after you have applied a selected risk treatment or control. Let's look at this more closely via the following example.

Recast

This term refers to the never-ending effort to identify risks, characterize them, select the most important ones to mitigate, and then deal with what's left. As we've said before, most risk treatments won't deal with 100% of a given risk; there will be some residual risk left over. Recasting the risk usually requires that first you clearly state what the new residual risk is, making it more clearly address what still needs to be dealt with. From the standpoint of the BIA, the original risk has been reduced—its nature, frequency, impact, and severity have been recast or need to be described anew so that future cycles of risk management and mitigation can take the new version of the risk into consideration.

Tradesecrets

Trade secrets are those parts of a company's business logic that it believes are unique, not widely known or understood in the marketplace, and not easily deduced or inferred from the products themselves. Declaring part of its business logic as a trade secret allows a company to claim unique use of it—in effect, declare that it has a monopoly on doing business i

command, control, and communicationsC3,

Who notices that something has happened or that something has changed? Whom do they tell? How quickly? Why? Then who decides to have other people take what kind of action? How quickly must all of those conversations happen so that the organization can adapt fast enough when the risk happens, prevent or contain damage, and take the right steps to get back to normal? In other words, where is the decision assurance about risks and incidents as they occur?

Detect

detect means to notice or consciously observe that an event of interest is happening. Notice the built-in limitation here: you have to first decide what set of events to "be on the lookout for" and therefore which events you possibly need to make action decisions about in real time.

Due care

is making sure that you have designed, built, and used all the necessary and prudent steps to satisfy all of your responsibilities.

Which of the following starts with the premise that all systems have an external boundary that separates what the system owner, builder, and user own, control, or use, from what's not part of the system? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Threat modeling B Qualitative assessment C Business impact analysis D Quantitative assessment

A Threat modeling starts with the premise that all systems have an external boundary that separates what the system owner, builder, and user own, control, or use, from what's not part of the system. Quantitative assessments attempt to arithmetically compute values for the probability of occurrence and the single loss expectancy. Qualitative assessments depend on experienced people to judge the level or extensiveness of a potential impact, as well as its frequency of occurrence. The business impact analysis is a consolidated statement of how different risks could impact the prioritized goals and objectives of an organization.

Which of the following ensures that you have designed, built, and used all the necessary and prudent steps to satisfy all your responsibilities? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Due care B Confidentiality C Integrity D Due diligence

A Due care is making sure that you have designed, built, and used all the necessary and prudent steps to satisfy all your responsibilities.

Administrative Controls

Administrative ControlsIn general terms, anything that human organizations write, state, say, or imply that dictates how the humans in that organization should do business (and also what they should not do) can be considered an administrative control. Policy documents, procedures, process instructions, training materials, and many other forms of information all are intended to guide, inform, shape, and control the way that people act on the job (and to some extent, too, how they behave off the job!).Administrative controls are typically the easiest to create—but sometimes, because they require the sign-off of very senior leadership, they can be ironically the most difficult to update in some organizational cultures. It usually requires a strong sense of the underlying business logic to create good administrative controls.Administrative controls can cover a wide range of intentions, from informing people about news and useful information, to offering advice, and from defining the recommended process or procedure to dictating the one accepted way of doing a task or achieving an objective.

risk mitigation process NIST SP 800-37 and ISO 31000:2018

Assess the information architecture and the information technology architectures that support it. Assess vulnerabilities, and conduct threat modeling as necessary. Choose risk treatments and controls. Implement risk mitigation controls. Verify control implementations. Engage and train users as part of the control. Begin routine operations with new controls in place. Monitor and assess system security with new controls in place.

Here are the steps involved in the risk mitigation process

Assess the information architecture and the information technology architectures that support it. Assess vulnerabilities, and conduct threat modeling as necessary. Choose risk treatments and controls. Implement risk mitigation controls. Verify control implementations. Engage and train users as part of the control. Begin routine operations with new controls in place. Monitor and assess system security with new controls in place

Asset management

Asset management is the process of identifying everything that could be a key or valuable asset and adding it to an inventory system that tracks information about its acquisition costs, its direct users, its physical (or logical) location, and any relevant licensing or contract details. Asset management also includes processes to periodically verify that tagged property (items that have been added to the formal inventory) are still in the company's possession and have not disappeared, been lost, or been stolen. It also includes procedures to make changes to an asset's location, use, or disposition.

Which of the following looks at why people or organizations do what they set out to achieve their goals or objectives? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Process-based risk B Outcomes-based risk C Threat-based risk D Asset-based risk

B The outcomes-based risk looks at why people or organizations do what they set out to achieve their goals or objectives. The process-based risk looks at your business procedures and how different risks can impact, disrupt, or block your ability to run those procedures successfully and correctly. The asset-based risk looks at any tangible or intangible asset and asks how risks can decrease the value of the asset to the business. The threat-based risk focuses on how things go wrong—what the root and proximate causes of risks might be—whether natural, accidental, or deliberately caused.

Which of the following is a consolidated statement of how different risks could impact the prioritized goals and objectives of an organization? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A MAO B BIA C SLA D SLE

B BIA The business impact analysis (BIA) is a consolidated statement of how different risks could impact the prioritized goals and objectives of an organization. The service-level agreement (SLA) is a written contract that documents service expectations. The single loss expectancy (SLE) is the total of all losses that could be incurred as a result of one occurrence of a risk. The maximum acceptable outage (MAO) is the time limit to restore all mission-essential systems and services to avoid impact on the mission of the organization.

In what ways can you asses the risk?

Based on the impacts or anticipated losses to organizational outcomes or goals, business processes, and key assets, or can be caused by a particular class of threats or vulnerabilities.

Which of the following shows the major steps of the information risk management process in the correct order? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Set priorities; assess risks; continuous monitoring; implementing risk treatment plans B Assess risks; implementing risk treatment plans; set priorities; continuous monitoring C Set priorities; assess risks; implementing risk treatment plans; continuous monitoring D Continuous monitoring; set priorities; assess risks; implementing risk treatment plans

C Information risk management is a process that guides organizations through identifying risks to their information, information systems, and information technology systems; setting priorities and characterizing those risks in terms of impacts to prioritized goals and objectives; making decisions about which risks to treat, accept, transfer, or ignore; and then implementing risk treatment plans. As an ongoing management effort, it requires continuous monitoring of internal systems and processes, as well as a constant awareness of how threats and vulnerabilities are evolving throughout the world.

What kind of information is part of an information risk assessment process? A Total costs to create an asset that is damaged or disrupted by the risk event B Estimated costs to implement chosen solutions, remediations, controls, or countermeasures C Lost revenues during the downtime caused by the risk incident, including the time it takes to get things back to norm

C Option C is part of an information risk assessment process, which is a systematic process of identifying risks to achieving organizational priorities. Option B is the safeguard value, which we cannot compute until we have completed a risk assessment and a vulnerability assessment, and then designed, specified, or selected such controls or countermeasures. Option A is typically not the loss incurred by damage of an asset; of greater interest regarding impact to an asset would be the cost to repair it (if repairable), replace it, or design and implement new processes to do without the damaged or disrupted asset.

Which of the following is the probability of an event occurring that disrupts your information and the business processes and systems that use it? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Eradication B Event C Risk D Containment

C RISK Risk is the probability of an event occurring that disrupts your information and the business processes and systems that use it. Containment primarily addresses shutting down connectivity between networks, subnets, systems, and servers. Eradication addresses locating the causal agents (malware, bogus user IDs, etc.) and removing them from each system. An event is something that happens, especially when it is unusual or important.

Due diligence means which of the following? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Doing what you must do to fulfill your responsibilities B Paying your debts completely, on time C Developing a formalized security structure containing a security policy, standards, and procedures D Monitoring and assessing that the actions you've taken to fulfill your responsibilities are working correctly and completely

D

Which of the following looks at your business procedures and how different risks can impact, disrupt, or block your ability to run those procedures successfully and correctly? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Outcomes-based B Asset-based C Threat-based D Process-based

D The process-based risk looks at your business procedures and how different risks can impact, disrupt, or block your ability to run those procedures successfully and correctly. The outcomes-based risk looks at why people or organizations do what they do or set out to achieve their goals or objectives. The asset-based risk looks at any tangible or intangible asset and asks how risks can decrease the value of the asset to the business. The threat-based risk focuses on how things go wrong—what the root and proximate causes of risks might be—whether natural, accidental, or deliberately caused.

Which of the following choices for limiting or containing the damage from risks keeps an attack from happening or contains it so that it cannot progress further into the target's systems? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Deter B Avoid C Detect D Prevent

D Prevent Prevention keeps an attack from happening or contains it so that it cannot progress further into the target's systems. Deter means to convince the attacker that costs they'd incur and difficulties they'd encounter by doing an attack are probably far greater than anticipated gains. Detecting that an attack is imminent or actually occurring is vital to taking any corrective, evasive, or containment actions. Avoiding the possible damage from risk requires terminating the activity that incurs the risk, or redesigning or relocating the activity to nullify the risk.

Directive access control

Directive access control is deployed to direct, confine, or control the actions of the subject to force or encourage compliance with security policies. Examples of directive access controls include security guards, guard dogs, security policy, posted notifications, escape route exit signs, monitoring, supervising, work task procedures, and awareness training.

IPv6

Dual stack, in which your network hardware and management systems run both protocols simultaneously, over the same Physical layer. Tunnel, by encapsulating one protocol's packets within the other's structure. Usually, this is done by encapsulating IPv6 packets inside IPv4 packets. NAT-PT, or network address translation-protocol translation, but this seems best done with Application layer gateways. Dual-stack Application layer gateways, supported by almost all major operating systems and equipment vendors, provide a somewhat smoother transition from IPv4 to IPv6. MAC address increases from EUI-48 to EUI-64 (48 to 64 bit).

Integrity attributes

First, is the information accurate? Have we gathered the right data, processed it in the right ways, and dealt with errors, wild points, or odd elements of the data correctly so that we can count on it as inputs to our processes? We also have to have trust and confidence in those processes—do we know that our business logic that combined experience and data to produce wisdom actually works correctly? Next, has the information been tampered with, or have any of the intermediate steps in processing from raw data to finished "decision support data" been tampered with? This highlights our need to trust not only how we get data, and how we process it, but also how we communicate that data, store it, and how we authorize and control changes to the data and the business logic and software systems that process that data.

Observe

Look around you! Gather information about what is happening, right now, and what's been happening very recently. Notice how events seem to be unfolding; be sensitive to what might be cause and effect being played out in front of you. Listen to what people are saying, and watch what they are doing. Look at your instruments, alarms, and sensors. Gather the data. Feed all of this into the next step.

What is PII?

Personally identifiable information- provides information about a specific person, when disclosed to the wrong parties can allow for fraudulent misuse of the person's identity.

Physical Controls

Physical controls are combinations of hardware, software, electrical, and electronic mechanisms that, taken together, prevent, delay, or deter somebody or something from physically crossing the threat surface around a set of system components you need to protect

Physical systems elements (Risk Management)

Physical systems elements are typically things such as buildings, machinery, wiring systems, and the hardware elements of IT systems. The land surrounding the buildings, the fences and landscaping, lighting, and pavements are also some of the physical elements you need to consider as you plan for information risk management. The physical components of infrastructures, such as electric power, water, sewer, storm drains, streets and transportation, and trash removal, are also important. What's missing from this list? People. People are of course physical (perhaps illogical?) elements that should not be left out of our risk management considerations!

Here are the threat surface categories:

Physical: Walls, doors, and other barriers that restrict the movement of people and information into and out of the finance office Logical: User authentication and authorization processes that control who can access, use, extract, or change finance office information Administrative: Set of policies, procedures, and instructions that separate proper, authorized use from unauthorized use

RMF (Risk Management Framework) goes on specific major phases (steps) of activities for information risk managment:

Prepare Categorize Select Implement Assess Authorize Monitor

Privacy

Privacy, which refers to a person (or a business), is the freedom from intrusion by others into one's own life, place of residence or work, or relationships with others. Privacy means that you have the freedom to choose who can come into these aspects of your life and what they can know about you. Privacy is an element of common law, or the body of unwritten legal principles that are just as enforceable by the courts as the written laws are in many countries. It starts with the privacy rights and needs of one person and grows to treat families, other organizations, and other relationships (personal, professional, or social) as being free from unwarranted intrusion.

Privacy, Confidentiality, Integrity and Availability

Privacy:The freedom from intrusion by others into one's own lifeA state in which one is not observed or disturbed by other people Confidentiality:A legal and ethical concept about privileged communications or privileged informationRefers to how much an individual trusts that the information they are about to use to make a decision has not been seen by unauthorized people Integrity:Means that something is whole and complete and that its parts are smoothly joined togetherMeans that the information as a set is reliable and has been created, modified, or used only by people and processes that are trusted Availability:Means that the information can be extracted, produced, or displayed where it is neededRefers to a term where a good decision cannot be made if the information has been deleted, by accident, sabotage, or systems failure

The code is equally short, containing four canons or principles to abide by:

Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.

Quantitative Risk Assessment: Risk by the Numbers

Quantitative assessments use simple techniques (like counting possible occurrences, or estimating how often they might occur) along with estimates of the typical cost of each loss

Remediate or Mitigate (Also Known as Reduce or Treat)

Remediate or Mitigate (Also Known as Reduce or Treat) Simply put, this means that we find and fix the vulnerabilities to the best degree that we can; failing that, we put in place other processes that shield, protect, augment, or bridge around the vulnerabilities. Most of the time this is remedial action—we are repairing something that either wore out during normal use or was not designed and built to be used the way we've been using it. We are applying a remedy, a cure, either total or partial, for something that went wrong.Do not confuse taking remedial action to mitigate or treat a risk with making the repairs to a failed system itself. Mitigating the risk is something you aim to do before a failure occurs, not after! Such remediation measures might therefore include the following: Designing acceptable levels of redundancy into systems so that when components or elements fail, it does not cause critical business processes to halt or behave in harmful ways Designing acceptable fail-safe or graceful degradation features into systems so that when something fails, a cascade of failures leading to a disaster cannot occur Identifying acceptable amounts of downtime (or service disruption levels) and using these times to dictate design for services that detect and identify the failure, correct it, and restore full service to normal levels Pre-positioning backup or alternate operations capabilities so that critical business functions can go on (perhaps at a reduced capacity or quality) Identifying acceptable amounts of time by which all systems and processes must be restored to normal levels of performance, throughput, quality, or other measures of merit

Accept

his risk treatment strategy means that you simply decide to do nothing about the risk. You recognize it is there, but you make a conscious decision to do nothing differently to reduce the likelihood of occurrence or the prospects of negative impact. This is known as being self-insuring—you assume that what you save on paying risk treatment costs (or insurance premiums) will exceed the annual loss expectancy over the number of years you choose to self-insure or accept this risk.

Integrated information risk management

integrated information risk management is about protecting what's important to the organization. It's about what to protect and why; risk mitigation addresses how.

Gap Analysis

ven the most well-designed information system will have gaps—places where the functions performed by one element of the system do not quite meet the expectations or needs of the next element in line in a process chain. Several different kinds of activities can generate data and insight that feed into a gap analysis: Review and analysis of systems requirements, design, and implementation documentation Software source code inspection (manual or automated) Review of software testing procedures and results Inspections, audits, and reviews of procedures, facilities, logs, and other documentation, including configuration management or change control systems and logs Penetration testing Interviews with end users, customers, managers, as well as bystanders at the workplace

Administrative elements (Risk Management)

Administrative elements are the policies, procedures, training, and expectations that we spell out for the humans in the organization to follow. These are typically the first level at which legal and regulatory constraints or directives become a part of the way the organization functions.

Which of the following means that the information as a set is reliable, complete, and correct, and has been created, modified, or used only by people and processes that we trust? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Availability B Integrity C Privacy D Confidentiality

B

As the IT security director, Paul does not have anybody looking at systems monitoring or event logging data. Which set of responsibilities is Paul in violation of? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Integrity B Due diligence C Due care D Availability

B Paul is violating the responsibilities of due diligence. The fact that systems monitoring and event data is collected at all indicates that Paul or his staff determined it was a necessary part of keeping the organization's information systems secure—they took (due) care of those responsibilities. But by not reviewing the data to verify proper systems behavior and use, or to look for potential intrusions or compromises, Paul has not been diligent. Integrity and availability do not relate to the given scenario.

John works as the chief information security officer for a medium-sized chemical processing firm. Which of the following groups of people would not be stakeholders in the ongoing operation of this business? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Vendors, customers, and others who do business with John's company B Businesses in the immediate neighborhood of John's company C State and local tax authorities D The employees of the company

C All other groups have a valid personal or financial interest in the success and safe operation of the company; a major chemical spill or a fire producing toxic smoke, for example, could directly injure them or damage their property. Although state and local tax authorities might also suffer a loss of revenues in such circumstances, they are not involved with the company or its operation in any way.

How do you turn data into knowledge? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A You have to listen to the data to see what it's telling you, and then you'll know. B You apply data smoothing and machine learning techniques, and the decision rules this produces are called knowledge. C You use lots of data to observe general ideas and then test those ideas with more data you observe until you can finally make broad, general conclusions. These conclusions are what are called knowledge. D These are both names for the same concepts, so no action is required.

C You use lots of data to observe general ideas and then test those ideas with more data you observe until you can finally make broad, general conclusions. These conclusions are called knowledge. The hierarchy of data to knowledge represents the results of taking the lower-level input (i.e., data) and processing it with business logic that uses other information you've already learned or processed so that you now have something more informative, useful, or valuable.

Jayne discovers that someone in the company's HR department has been modifying employee performance appraisals. If done without proper authorization, this would be what kind of violation? This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A Availability B Privacy C Integrity D Confidentiality

C e correctness or wholeness of the data may have been violated, inflating some employees' ratings while deflating others. This violates the presumed integrity of the appraisal data. Presumably, HR staff have legitimate reasons to access the data, and even enter or change it, so it is not a confidentiality violation; since the systems are designed to store such data and make it available for authorized use, privacy has not been violated. Appraisals have not been removed, so there are no availability issues.

Domain 3: Risk Identification, Monitoring, and Analysis

Domain 3: Risk Identification, Monitoring, and Analysis: Risk identification is the review, analysis, and implementation of processes essential to the identification, measurement, and control of loss associated with unplanned adverse events. Monitoring and analysis are determining system implementation and access in accordance with defined IT criteria. This involves collecting information for identification of, and response to, security breaches or events, such as: 3.1 Understand the risk management process 3.2 Perform security assessment activities 3.3 Operate and maintain monitoring systems (e.g., continuous monitoring) 3.4 Analyze monitoring results

Domain 4: Incident Response and Recovery

Domain 4: Incident Response and Recovery: "The show must go on" is a well-known saying that means even if there are problems or difficulties, an event or activity must continue. Incident response and recovery ensures the work of the organization will continue. In this domain, the SSCP gains an understanding of how to handle incidents using consistent, applied approaches like business continuity planning (BCP) and disaster recovery planning (DRP). These approaches are utilized to mitigate damages, recover business operations, and avoid critical business interruption: 4.1 Support incident lifecycle 4.2 Understand and support forensic investigations 4.3 Understand and support business continuity plan (BCP) and disaster recovery plan (DRP) activities

Domain 5: Cryptography

Domain 5: Cryptography: The protection of information using techniques that ensure its integrity, confidentiality, authenticity, and nonrepudiation, and the recovery of encrypted information in its original form: 5.1 Understand fundamental concepts of cryptography 5.2 Understand reasons and requirements for cryptography 5.2 Understand and support secure protocols 5.2 Understand public key infrastructure (PKI) systems

Domain 6: Network and Communications Security

Domain 6: Network and Communications Security: The network structure, transmission methods and techniques, transport formats, and security measures used to operate both private and public communication networks: 6.1 Understand and apply fundamental concepts of networking 6.2 Understand network attacks and countermeasures (e.g., DDoS, man-in-the-middle, DNS poisoning) 6.3 Manage network access controls 6.4 Manage network security 6.5 Operate and configure network-based security devices 6.6 Operate and configure wireless technologies (e.g., Bluetooth, NFC, Wi-Fi)

Domain 7: Systems and Application Security:

Domain 7: Systems and Application Security: Countermeasures and prevention techniques for dealing with viruses, worms, logic bombs, Trojan horses, and other related forms of intentionally created damaging code: 7.1 Identify and analyze malicious code and activity 7.2 Implement and operate endpoint device security 7.3 Operate and configure cloud security 7.4 Operate and secure virtual environments

What are MAO, MTO and MTPOD

MAO( Maximum acceptable outage)- is a business process that cannot be performed without causing intolerable disruption or damage to the business. MTO (Maximum Tolerable outage) is the process in which the organization's key products or services are made unavailable or cannot be delivered before its impact is deemed as unacceptable. MTPOD (Maximum tolerable period of disruption) is the longest time that systems can be inoperable before any intolerable disruption or damage done to the business.

Information Risk Impact Assessment

Personally identifying information (PII): Loss or compromise can cause customers to take their business elsewhere and can lead to criminal and civil penalties for the organization and its owners, stakeholders, leaders, and employees. Company financial data, and price and cost information: Loss or compromise can lead to loss of business, to investors withdrawing their funds, or to loss of business opportunities as vendors and partners go elsewhere. Can also result in civil and criminal penalties. Details about internal business processes: Loss could lead to failures of business processes to function correctly; compromise could lead to loss of competitive advantage, as others in the marketplace learn how to do your business better. Risk management information: Loss or compromise could lead to insurance policies being canceled or premiums being increased, as insurers conclude that the organization cannot adequately fulfill its due diligence responsibilities.

Privacy: In Law, in Practice, in Information Systems

Public law enforces these principles. Laws such as the Fourth and Fifth Amendments to the U.S. Constitution, for example, address the first three, whereas the Privacy Act of 1974 created restrictions on how the government could share with others what it knew about its citizens (and even limited sharing of such information within government). Medical codes of practice and the laws that reflect them encourage data sharing to help health professionals detect a potential new disease epidemic, but they also require that personally identifiable information in the clinical data be removed or anonymized to protect individual patients. The European Union has enacted a series of policies and laws designed to protect individual privacy as businesses and governments exchange data about people, transactions, and themselves. The latest of these, General Data Protection Regulation 2016/679 (GDPR), is a law that applies to all persons, businesses, or organizations doing anything involving the data related to an EU person. The GDPR's requirements meant that by May 2018, businesses had to change the ways that they collected, used, stored, and shared information about anyone who contacted them (such as by browsing to their website); they also had to notify such users about the changes and gain their informed consent to such use. Many news and infotainment sites hosted in the United States could not serve EU persons until they implemented changes to become GDPR compliant

Public places

Public places are areas or spaces in which anyone and everyone can see, hear, or notice the presence of other people, and observe what they are doing, intentionally or unintentionally. There is little to no degree of control as to who can be in a public place. A city park is a public place.

At a job interview, Fred is asked by the interviewer about activities, pictures, and statements he's made by posting things on his Facebook and LinkedIn pages. This question by the interviewer: This task contains the radio buttons and checkboxes for options. The shortcut keys to perform this task are A to H and alt+1 to alt+9. A doesn't worry Fred, as he took those pages down yesterday and closed those accounts. B is a violation of Fred's right to privacy, as those posts were done on Fred's private pages. C doesn't worry Fred, as the conversation with the interviewer is confidential. D is a legitimate one, since these pages are published by Fred, and therefore they are speech he has made in public places

d The question by the interviewer is a legitimate one, since these pages are published by Fred, and therefore they are speech he has made in public places. What we say and do in public places is, by definition, visible to anyone who wants to watch or listen. Publishing a letter or a book, or writing on a publicly visible social media page is also considered public speech. We have no reasonable expectation of privacy in social media—we have no basis on which to assume that by posting something on our private pages, others whom we've invited to those pages will not forward that information on to someone else.

business impact analysis (BIA)

he BIA is a consolidated statement of how different risks could impact the prioritized goals and objectives of an organization.The BIA reflects a combination of due care and due diligence in that it combines "how we do business" with "how we know how well we're doing it." You must recognize one more important requirement at this point: to be effective, a BIA must be kept up to date. The BIA must reflect today's set of concerns, priorities, assets, and processes; it must reflect today's understanding of threats and vulnerabilities. Outdated information in a BIA could at best lead to wasted expenditures and efforts on risk mitigation; at worst, it could lead to failures to mitigate, prevent, or contain risks that could lead to serious damage, injury, or death, or possibly put the organization out of business completely.

risk register

risk register, a central repository or knowledge bank of the risks that have been identified in its business and business process systems. This register should be a living document, constantly refreshed as the company moves from risk identification through mitigation to the "new normal" of operations after instituting risk controls or countermeasures. As an internal document, a company's risk register is a compendium of its weaknesses and should be considered as closely held, confidential, proprietary business information. It provides a would-be attacker, competitors, or a disgruntled employee with powerful insight into ways that the company might be vulnerable to attacks.

system requirements specification (SRS),

which is a formal document used to capture high-level statements of function, purpose, and intent. An SRS also contains important system-level constraints. It guides or directs analysts and developers as they design, build, test, deploy, and maintain an information; it also drives end-user training activities.


Kaugnay na mga set ng pag-aaral

unit 1 Formatted Bulleted and Number List

View Set

19th Century Science & Technology

View Set

Social A 4 - Attitudes and Behaviour

View Set