CISSP Information Security and Risk Management (Set 1)

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

Acceptable Use Policy

(Included in the End-User Document) an outline of the access privileges, rules for behavior, and any possible consequence of breaking rules when dealing with network resources... also provides suggestions about the personal items that are brought into the workplace

Types of Preventative Controls

- Administrative Controls - Technical Controls - Physical Controls

Responsibilities of the Change Control Analyst Role

- Approving or rejecting change requests - Analyzing the impact of changes on security, interoperability, performance, and productivity - Ensuring that changes do not lead to vulnerabilities - Testing all changes before they are rolled out

What are the processes involved in the Security Management Cycle?

- Assess the risks and determine the needs to deal with them - Monitor and evaluate the systems and practices involved - Promote awareness - Implement policies and controls intended to address the risks and needs first defined

Responsibilities of the System Owner Role

- Assessing systems for vulnerabilities - Ensuring that proper security measures are adopted (necessary controls, password management, remote access controls, operating system configurations, etc) - Reporting security incidents to the incident response team and data owner

Responsibilities of the Data Steward Role

- Categorizing data based on the data-classification scheme - Classifying critical data effectively to meet contingencies - Defining validation rules for correct data input - Ensuring the training of data users - Understanding the uses and risks associated with data in order to provide appropriate data access permissions

Responsibilities of the Security Administrator Role

- Configuring security access controls according to data environments - Creating or deleting system user accounts and issuing passwords - Assigning access control privileges - Implementing and testing security software and patches

What are examples of Physical Controls?

- Controlling individual access into the facility and different departments - Locking systems and removing unnecessary floppy or CD-ROM drives - Protecting the perimeter of the facility - Monitoring for intrusion - Environmental controls

Responsibilities of the Data Owner Role

- Deciding upon the classification of data - Reviewing data and changing classification based on changing business needs - Ensuring the implementation of security controls - Determining access rights, security, and backup requirements for data - Approving any disclosure activities - Acting on security violation notifications

Responsibilities of the Process Owner Role

- Defining data requirements and improving data quality for business processes - Defining, improving, and monitoring processes to make the processes effective - Resolving the data issues related to complex processes and the processes associated with different application types

Responsibilities of the Security Steering Committee

- Defining the acceptable risk level for the organization - Developing security objectives and strategies - Determining priorities of security initiatives based on business needs - Reviewing risk assessment and auditing reports - Monitoring the business impact of security risks - Reviewing major security breaches and incidents - Approving any major changes to the security policy and program - Clearly defining a mission statement

Responsibilities of the Data Analyst Role

- Designing data structures and data models in compliance with business objectives - Designing the physical database structure - Helping the data owner develop data architectures - Recording metadata to manage databases

Responsibilities of the Auditor Role

- Determining if the controls that have been implemented by the administration for either technical or physical attributes have reached, and comply with, the security objectives that are either required for the organization by legislation or that have been deemed necessary by the governance of the organization. - Ensuring that an evaluation (internal or external audits) of an organization is as comprehensive, objective, and unbiased as possible

What are examples of Administrative Controls?

- Developing and publishing policies, standards, procedures, and guidelines - Risk Management - Personnel Screening - Conducting security-awareness training - Implementing change control procedures

Responsibilities of the Application Owner

- Dictating who can and cannot access their applications (subject to staying in compliance with the company's security policies) - Ensuring the security of a business unit's applications (testing, patching, performing change control on the programs, and making sure the right controls are in place to provide protection)

Responsibilities of the Solution Provider Role

- Ensuring that applications and data work together to meet business needs - Giving technical requirements to improve the process

Responsibilities of the Audit Committee

- Ensuring the integrity of the company's financial statements and other financial information provided to stockholders and others - Managing the company's system of internal controls - Setting up the engagement and performance of independent auditors - Ensuring compliance with legal requirements and company policies regarding ethical conduct

What are examples of Technical Controls (also called Logical controls)?

- Implementing and maintaining access control mechanisms - Password and resource management - Identification and authentication methods - Security devices - Configuration of the infrastructure

Responsibilities of the Supervisor Role

- Informing the security administration for revoking the user IDs of terminated employees - Informing the administration about the transfer or suspension of an employee - Reporting security violation incidents - Receiving and assigning user IDs and initial passwords to new employees - Ensuring that the user ID and account information of an employee are synchronized - Educating the employees about the security policies they are accountable for

Benefits of Separation of Duties

- Introduces transparency in an organization, making it clear who does what in a situation - Ensures that no individual is solely responsible for a critical task, preventing collusion and reducing the possibility of mistakes - Restricts access to information by job role, helping to prevent computer crimes

Examples of Strategic Planning Organizational Security Goals

- Make sure risks are properly understood and addressed - Ensure compliance with laws and regulations - Integrate security responsibilities throughout the organization - Create a maturity model to allow for continual improvement - Use security as a business achievement to attract more customers

Responsibilities of the Security Analyst Role

- Not part of the implementation team for security (works at a more strategic level) - Helps develop policies, standards, and guidelines, as well as set various baselines - Helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly

What are the three components of a security framework?

- People: deals with roles and responsibilities, skills and training, organizations, attitudes, and culture - Technology: includes applications, tools, hardware, and software - Processes: includes procedures, standards, metrics, and performance monitoring

Examples of Operational Planning Organizational Security Goals

- Perform security risk assessment - Do not allow security changes to decrease productivity - Maintain and implement controls - Continually scan for vulnerabilities and roll out patches - Track compliance with policies

Responsibilities of the Data Custodian Role

- Protecting information from unauthorized access and modifications (ensuring integrity) - Performing backups or restoring data according to the requirements specified by the organization - Monitoring information systems to ensure compliance with company policies and standards - Providing stewards with reports about information system usage

What does, the global organization, the OECD stand for?

Organisation for Economic Co-operation and Development

What is the main difference between a policy and a standard?

Policies state measures (like royal decrees) without providing solutions to implement those measures... Standards define solutions to implement the measures stated in the policy

Informative Policies

Policies that aren't enforceable and are meant for informational purposes only... they have no ramifications if not complied with but can be regulated. Ex: an Employee Counseling program helps employees by providing information that could be useful to them, but the employees don't have to follow the advice

Advisory Policies

Policies that define the behavioral requirements of employees and state ramifications in case of noncompliance... Ex: employees shouldn't sell customer's SSNs to shady people: if they do, they are fired

Regulatory Policies

Policies that include laws, bills, and regulations, specific to a type of industry, which are enforced to meet compliance with local, state, and federal laws

What was the problem in the past with the board of directors that was the cause of a lot of corporate scandals like Enron, WorldCom, Tyco International, Adelphia, and Global Crossing?

Too many people who held board of director positions looked the other way regarding corporate fraud and mismanagement or depended too much on executive feedback instead of finding the truth about their company's health themselves.

Operational goals

Short-term or daily goals.

What are the issues for U.S. organizations when exchanging data with European entities?

Since Europe has always had tighter control over protecting privacy information than the U.S. and other parts of the world, U.S. organizations need to adhere to "safe harbor" requirements, which outline how privacy data must be protected in transit. Global organizations also have to follow OECD guidelines and transborder information flow rules or they can be fined or sued, or their business can be disrupted.

What does the Auditor do in general?

The Auditor's function is to provide a method for ensuring independently that management and shareholders of an organization can rely upon the appropriateness of security objectives as well as the information they are being provided with regarding the status of the organization as a whole.

Who, in a company, is responsible for informing stakeholders (creditors, analysts, employees, management, investors) of the firm's financial condition and health?

The CEO and CFO

What does the Change Control Analyst do in general?

The Change Control Analyst takes care of all the changes that take place in the organization's network, systems, or software and makes sure that all changes are safe

What does the Data Analyst do in general?

The Data Analyst ensures that an organization's data is properly structured and comprehensible (Ex: payroll info shouldn't be mixed with inventory info, the purchasing dept needs a lot of values in monetary terms, and the inventory system needs a standardized naming scheme.)

What is an Data Custodian?

normally an IT employee who is responsible for the security and maintenance of the information provided to them by stewards

Threat Agent

the entity that takes advantage of a vulnerability (Ex: an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could exponse confidential information or destory a file's integrity

Security Management

the foundation of a corporation's security program... includes risk management, information security policies, procedures, standards, guidelines, baselines, information classification, security organization, and security education.

What are the different roles associated with an individual group?

- Senior Management (Board of Directors, CEO, CFO, CIO, CPO, CSO, CISO) - Committees (Security Steering Committee & Audit Committee) - Data Owner, Data Custodian, System Owner - Security Administrator, Security Analyst - Application Owner, Supervisor (User Manager), Change Control Analyst, Data Analyst, Process Owner, Solution Provider, Product Line Manager, Auditor - User

Responsibilities of the Product Line Manager Role

- Translating business requirements into product requirements - Evaluating the need for product enhancement - Planning and implementing new releases - Ensuring that products comply with license agreements - Monitoring production performance per business objectives - Analyzing product usage and the technology required for product usage

What is the Security Program Life Cycle?

1. Plan and Organize 2. Implement 3. Operate and Maintain 4. Monitor and Evaluate See page 69 for specifics

Bottom-up approach

Development of security programs without support and guidance from the management (usually not very effective or broad enough)

What percent of his time should an IRM team leader spend in this role?

50 to 70%

What does the Supervisor do in general?

A Supervisor, also called the user manager, holds the complete responsibility of employee activities and the assets used by the employees. The supervisor also takes care of nonemployee activities and the company assets used by these individuals.

End-User Document

A document created by management that lists all the schemes, rules, and policies related to security and behavior that a new hire is expected to abide by. It also explains what the employee can expect. Ex: Employee can expect his/her healthcare insurance to be paid for by the company... the company expects the employee to abide by its sexual harassment policy

Duty of Care

A duty that the security officer performs when drafting the security management program... it ensures that the organization is responsible for taking care of its employees and resources by developing and implementing security policies, procedures, and standards

Duty of Loyalty

A duty that the security officer performs when drafting the security management program... it ensures that the senior management of an organization does not reveal or use the organization's protected information for personal gain

Corporate Opportunity

A legal concept that requires an individual not to divulge any company information related to mergers, acquisitions, or patents for personal gain

Duty of Fairness

A legal concept that requires an individual to act without any bias in any situation related to a conflict of interest

Safeguard

A software configuration, hardware, or procedure that eliminates a vulnerability or reduces the risk of a threat agent from being able to exploit a vulnerability.

Value of Countermeasure

ALE (without countermeasure) - Cost (safeguard) - ALE (with countermeasure)

Why is it difficult now for companies to find candidates to fill the board of directors positions?

After the financial fiascos of the early 2000s, the SEC placed more requirements and potential penalties on the board for publicly-traded companies. The Sarbanes-Oxley Act made the board personally responsible and liable if the corporation does not properly maintain an internal corporate governance framework, and/or if financials reported to the SEC are incorrect. They can be personally fined or thrown in jail.

Top-down approach

An approach in which the initiation, support, and direction for a project come from top management and work their way down through middle management and then to staff members.

Conflict of Interest

An individual is required to report any incident that conflicts with the company's interests

Threat

Any potential danger that a vulnerability will be exploited by a threat agent

How has the Sarbanes-Oxley Act (SOX) been welcomed?

As a testiment to the need for stricter financial governance SOX-type laws have been subsequently enacted in Japan, Germany, France, Italy, Australia, India, South African, and Turkey. Debate continues over the perceived benefits and costs of SOX. Opponents of the bill claim it has reduced America's international competitive edge against foreign financial service providers, saying SOX has introduced an overly complex regulatory environment into U.S. financial markets. Proponents of the measure say that SOX has been a "godsend" for improving the confidence of fund managers and other investors with regard to the veracity of corporate financial statements.

Baseline

Baselines define the minimum level of security measures required by an organization to protect itself from internal and external threats. Baselines are established before standards are developed and they provide platform-specific implementations for the standards

Why join a company's board of directors?

Board members often receive remunerations amounting to hundreds of thousands of dollars per year since they often sit on the boards of several companies. Inside directors are usually not paid for sitting on a board, but the duty is instead considered part of their larger job description. Outside directors are usually paid for their services. These remunerations vary between corporations, but usually consist of a yearly or monthly salary, additional compensation for each meeting attended, stock options, and various other benefits... it's also to satisfy personal pride and ego.

Guidelines

General statements that recommend actions to be followed in case a standard does not apply

What is the main difference between a standard and a guideline?

Guidelines are general approaches while standards are specific mandatory activities

Strategic goals

Long-term goals that are broad, general statements of intent. Operational and tactical goals support strategic goals and all are a part of a planning horizon.

Tactical goals

Midterm goals which may be milestones to accomplish within a project or specific projects to accomplish in a year.

What does the Process Owner do in general?

The Process Owner ensures that all processes in an organization are well defined to meet business needs

What does the Product Line Manager do in general?

The Product Line Manager ensures that all products meet the business requirements of the organization

What does the Solution Provider do in general?

The Solution Provider works with the business managers, data owners, and senior management to develop and deploy solutions for improving business processes or solving problems

What does the System Owner do in general?

The System Owner incorporates security considerations into applications, purchase decisions, and projects

Why is the CISO position commonly referred to as the "sacrificial lamb"?

The business unit owners should technically be the owners of risk, not the security department, however, too many organizations don't extend the responsibility of risk out to those units, and it lands on the CISO.

Information Asset

The complete body of information in an organization.

Safeguard Effectiveness

The percentage degree to which a safeguard can be characterized as an effective risk-reducing measure.

Uncertainty

The percentage of confidence less than complete confidence in the value of any element of the risk assessment.

Responsibilities of the User Role

The user is any person who uses data for performing job-related activities. The user is responsible for protecting the data used by her by adhering to the security policies and maintaining the confidentiality, integrity, and availability of data

What is the Sarbanes-Oxley Act (SOX)?

a United States federal law enacted on July 30, 2002, which set new or enhanced standards for all U.S. public company boards, management and public accounting firms. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the SEC to implement rulings on requirements to comply with the law. It created a new, quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, charged with overseeing, regulating, inspecting and disciplining accounting firms in their roles as auditors of public companies. The act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

Security Steering Committee

a committee responsible for making decisions on tactical and strategic security issues within the enterprise as a whole... it should not be tied to one or more business units and should be made up of people from all over the organization. The CEO should head it and the CFO, CIO, department managers, and the chief internal auditor should be on it.

Audit Committee

a committee that should be appointed by the board of directors to help it review and evaluate the company's internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company's investors, customers, and creditors have continued confidence in the organization. Its role has shifted from just overseeing, monitoring, and advising company management to enforcing and ensuring accountability on the part of all individuals involved

Board of Directors (Board of Trustees)

a group of individuals who are elected by the shareholders of a corporation to oversee the fulfillment of the corporation's charter. Their goal is to ensure the shareholders' interests are being protected and that the corporation is being run properly. They are supposed to be unbiased and independent. They are responsible for setting the organization's strategy and risk appetite. They receive their input from executives and the assurance (auditing) committee.

Due Care

a legal term and concept used to help determine liability in a court of law... if someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if something bad takes place

Chief Privacy Officer (CPO)

a newer position that is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties... an organization is responsible for knowing how its suppliers, partners, and other third parties are protecting its information, so this role is very important. He/she often reports to the CSO.

What is an Data Steward?

a senior business manager who is responsible for the creation, maintenance, and performance of information systems related to specific business units

Vulnerability

a software, hardware, procedural, or human weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment... a vulnerability characterizes the absence or weakness of a safeguard that could be exploited (Ex: a service running on a server, unpatched applications or operating system software, unrestricted model dial-in acces, an open port on a firewall, etc)

Exposure

an instance of being exposed to losses from a threat agent... a vulnerability exposes an organization to possible damages

Overall Goal of the Information Risk Management (IRM) Team

ensure the company is protected in the most cost-effective manner... ways they can accomplish this are on page 75

Risk Analysis

identifies a company's assets, discovers the threats that put them at risk, and estimates the possible damage and potential loss a company could endure if any of these threats were to become real... this information is used to help management construct a budget with the necessary funds to protect the recognized assets from their identified threats and develop applicable security policies that provide direction for security activities.

Security Through Obscurity

reliance on confusion to provide security. Setting up confusing or "tricky" countermeasures is a simple example of an attempt at security through obscurity. More complicated examples: putting a spare key under a doormat in case you are locked out of the house

Chief Financial Officer (CFO)

the individual responsible for the corporation's account and financial activities, and the overall financial structure of the organization. This person is responsible for determining what the company's financial needs will be and how to finance those needs. He/she must create and maintain the company's capital structure, which is the proper mix of equity, credit, cash, and debt financing. This person oversees forecasting and budgeting and the processes of submitting quarterly and annual financial statements to the SEC and stakeholders.

Chief Security Officer (CSO)

the individual responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. He/she is responsible for understanding the organization's business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security compliance with regulations and laws, and any customer expectations of contractual obligations. It is his/her job to ensure that business is not disrupted in any way due to security issues... it extends beyond IT and reaches into business processes, legal issues, operational issues, revenue generation, reputation protection, and risk management.

Chief Information Officer (CIO)

the individual who reports to the CEO or CFO and is responsible for the strategic use and management of information systems and technology within the organization. The position has become more strategic and less operational, requiring the individual to sit at the corporate table more often. His/her responsibilities have extended to working with the CEO and other management on business-process management, revenue generation, and how business strategy can be accomplished with the company's underlying technology. He/she is bridging techno-land and business-land and should have a good background in both fields.

Chief Executive Officer (CEO)

the individual with the day-to-day management responsibilities of an organization. This person is often the chairperson of the board of directors and is the highest ranking officer in the company. He/she oversees the company finances, strategic planning, and operations from a high level. He/she is usually seen as the visionary for the company and is responsible for developing and modifying the company's business plan, setting budgets, forming partnerships, deciding on what markets to enter, what product lines to develop, how the company will differentiate itself, and so on. This person can delegate tasks, but NOW not necessarily responsibility, which means that in general, they are spending more money on security than ever before.

Risk

the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact... risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact

Information Risk Management (IRM)

the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level

Corrective controls

these controls involve measures designed to detect and rectify an unwanted event, which helps in eliminating its recurrence. An example of a corrective control is the frequent updation of anti-virus software.

Preventive Controls

these controls prohibit actions that violate company policies or that increase risk to system resources. Examples of preventive controls include separation of duties and encryption of data.

Recovery Controls

these controls restore a system or its operation to normal if an incident occurs that compromises the integrity or availability of the computing system. Fault tolerant systems, RAID, and resending lost or corrupted messages are some examples of implementing recovery controls.

Detective Controls

these controls use practices, processes, and tools to identify and react to security violations. These controls include audit trails, integrity checks, and violation reports.

Directive Controls

these controls usually include company policies and guidelines that advise employees of their expected behavior when interacting with the company's resources. Some of the directive controls include legislation, authorized use policies, and anti-viral software standards.

Total Risk

threats x vulnerability x asset group

What is the objective of security and a security program?

to protect the company and its assets

Residual Risk

total risk x controls gap

Data Owner

usually a senior executive within the management group of the company who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. This person has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. He/she delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.


Ensembles d'études connexes

NUR 168: CHAPTER 41: SELF CONCEPT

View Set

8.2 Las profesiones con descripciónes

View Set

A&P ALL CHAPTERS REVIEW QUESTIONS (Clinical application & critical thinking)

View Set