ITN 260 SEC+ TestOut Chapter 3 Studying
What type of policy is a recommendation to use when a specific standard or procedure does not exist?
Guideline
Any type of research or design documents should be retained for how long?
Indefinitely
What is the primary goal of continuity planning?
Maintaining business operations with reduced or restricted infrastructure capabilities and/or resources
What is the most effective way to improve or enforce security in any environment?
Providing user awareness training
What is transferring risk?
Purchasing insurance to protect the asset or "laying off" the risk to another individual or organization
When disposing of DVD-RW storage discs that have been used to archive files for your latest development project, what method should you use to best prevent data extraction from the discs?
Shred/destroy them
What is Risk?
The likelihood of a vulnerability being exploited
Per most Data Retention Policies, how long are employee files kept before deletion?
One year
Data Retention Policies typically describe procedures for:
-Archiving information -Destroying information when the retention limit is reached -Handling information involved in litigation
What are two characteristics that are important when designing an SLA?
-Clear and detailed descriptions of penalties if the level of service is not provided -Detailed provider responsibilities for all continuity and disaster recovery mechanisms
What is an acceptable use policy?
-Defines how company resources are used -Sets expectations for privacy -Defines all monitoring activities -Communicates all monitoring activities -Applies monitoring to all employees -Complies with legal requirements for privacy -Sets expectations for internet and email activities
What are the important US Laws that you should be familiar with?
-HIPAA -Sarbanes-Oxley Act (SARBOX) -Gramm-Leach-Bliley Act (GLBA) -Patriot Act -Individual state mandates -Children's Online Privacy Protection Act (COPPA)
Describe the process of threat identification
-Identify external threats -Identify internal threats -Identify natural threats such as fires or broken water pipes -Identify possible disasters such as tornadoes, hurricanes, or floods
What is a privacy policy?
-Outlines how private information is secured -Outlines how PII is used
List and describe the two general risk assessment methods
-Quantitative analysis: assigns real numbers to the costs of damages and countermeasures. It also assigns concrete probability percentages to risk occurrence. -Qualitative analysis: uses scenarios to identify risks and responses. Qualitative risk analysis is more speculative and based on opinion, resulting in relative costs or rankings.
What are the benefits of a Data Retention Policy?
-Reduces discovery request cost -Minimizes discovery request exposure -Lowers hardware and software requirements for storing data -Minimizes "clutter"
What are four types of documents that you need to be aware of in Chapter 3?
-Regulation -Procedure -Baseline -Guideline
What should a BCP do?
-Identifies and prioritizes critical functions -Calculates recovery timeframes -Identifies plans, including resource dependencies, response options, etc. -Specifies procedures for securing unharmed assets -Identifies procedures for the salvage of damaged assets -Identifies BCP team members who are responsible for implementation of the plan -Should be tested on a regular basis through tabletop or medium exercises
Describe the process of Asset identification
-Identify the organization's resources -Determine the worth of each resource to the organization
What should a BIA do?
-Identifies threats that can affect processes/assets -Identifies mission-essential functions -Identifies critical systems -Establishes the maximum downtime the corporation can survive without the affected process/asset -Establishes RPO, RTO, MTBF, and MTTR -Estimates tangible (financial loss) and intangible (e.g., loss of reputation or customer trust) impacts on the organization
What decisions about alternate site locations should be made in the event of a disaster and should be included in your DRP?
-Maintain adequate geographic distance between primary and secondary sites -Site locations can have legal implications, especially when data is stored in multiple countries -Decide whether the backup site will be "hot" or "cold" -Alternate business practices and processes need to be defined based on the decision to use a "hot" site or a "cold" site
What should a DRP do?
-Plans for resumption of applications, data, hardware, communications, and other IT infrastructure in case of disaster -Attempts to take into consideration every possible failure -Plans for converting operations to alternate processing sites in case of disaster -Plans for converting back to the original site after the disaster has concluded -Includes disaster recovery exercises (such as fire drills)
What are the five basic steps of security management policies?
1) Assess the risk 2) Create a policy 3) Implement the policy 4) Train the organization on the policy 5) Audit the plan to make sure it is working
Development of a BCP manual to document and track progress of the BCP should include what steps?
1) Analysis 2) Solution design 3) Implementation 4) Testing and organization acceptance 5) Maintenance
What steps should you take when creating a data retention policy?
1) Identify the types of data used 2) Define how long to retain each data type 3) Explain how data will be destroyed 4) Define the policy in a clearly written document
How long do most Data Retention Policies specify to keep employee tax information?
4 years, to comply with the IRS
How long do most Data Retention Policies specify to keep corporate tax information?
7 years, to comply with the IRS
Per most Data Retention Policies, how long are e-mails kept on file before being deleted?
90 days
Describe a baseline
A baseline dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards.
Describe a Code Escrow Agreement
A code escrow agreement is documentation of the storage and conditions of release of source code. For example, a code escrow agreement could specify that you can obtain the source code from a vendor if the vendor goes out of business.
What is a "cold" site?
A cold site is something like an empty warehouse or office building where necessary hardware and software can be moved or installed in the event that a main site experiences a disaster. This is not as advantageous as a hot site but is much less expensive.
Describe configuration management
A configuration management policy provides a structured approach to securing company assets and making changes.
Describe a guideline
A guideline is a recommendation for use when a specific standard or procedure does not exist. Guidelines are considered non-compulsory and flexible.
Describe a security policy
A high-level overview of the corporate security program. It documents security-related policies, practices, and procedures. It is usually written by security professionals and endorsed by senior management.
What is a "hot" site?
A hot site is set up with servers and workstations that have almost immediate access to data that is continuously replicated from the main site.
What is a countermeasure?
A means of mitigating the potential risk
What is a threat vector?
A path or means that an attacker can use to compromise the security of a system
What is a tangible asset?
A physical item such as a computer, etc.
Define Business Continuity Plan
A plan for recovering and restoring critical functions after a catastrophic disaster or extended disruption
Define DRP (Disaster Recovery Plan)
A plan for resumption of applications, data access, hardware, communications, and other IT infrastructure in case of disaster.
What might you find in a code of ethics?
A set of rules or standards to help users act ethically in various situations. It's impossible for a code of ethics to account for every situation; therefore it outlines principles of ethical behavior that can be applied in various situations.
What is Cost-Benefit analysis?
A systematic approach to calculating and comparing the benefits and costs of a course of action in a given situation
Define CBF (Critical Business Functions)
Activities that are vital to your organization's survival and to the resumption of business operations.
Describe the process of vulnerability evaluation
After identifying the possible sources of threats, you should identify the vulnerabilities of your own system: -Software, OS, and hardware vulnerabilities -Lax physical security -Weak policies and procedures, such as a poor password policy
Describe the process of risk response
After you have identified the risks and their associated costs, you can determine how to best respond to the risk(s).
What is the Sensitivity vs Risk Method?
An asset prioritization method that uses a chart to qualify the value of an asset based on sensitivity and risk
What is the Comparative method?
An asset prioritization method that uses a ranking based on an arbitrary scale that is compatible with the organization's industry
What is the Delphi method?
An asset prioritization method that uses an anonymous survey to determine the value of an asset
Describe an authorized access policy
An authorized access policy documents access control to company resources and information. This policy specifies who is allowed to access the various systems of the organization.
What is ALE?
Annual loss expectancy (SLE x ARO). Estimates the annual loss resulting from an incident.
What is an ARO?
Annualized rate of occurrence. Identifies how often in a single year a successful threat attack is expected to occur.
What does the California Database Security Breach Act specify?
Any agency or person that does business in the State of California must inform California residents within 48 hours if a database breach or other security breach occurs in which personal data was stolen or is believed to be stolen. Other states have adopted similar acts, so it is important to be aware of the laws of the state in which you are doing business.
What does GLBA specify?
Applies to private information held at financial institutions, and it has two functions: 1) Requires banks and other financial institutions to alert their customers to their privacy policies. 2) All PII within a financial institution has to be protected.
Is a file server with data considered a tangible asset or an intangible asset?
Both. -The server itself is tangible -The data on the server is intangible
You plan to implement a new security device on your network. Which of the following policies outlines the process you should follow before implementing that device?
Change Management Policy
What is risk acceptance?
Choosing to do nothing. For example, you might decide that the cost associated with a threat is acceptable or that the cost associated with protecting an asset is unacceptable.
You have recently discovered that a network attack has compromised your database server. The attacker may have stolen customer credit card numbers. After stopping the attack and implementing new security measures, what might you be legally required to do next?
Contact your customers to let them know about the security breach
To determine the value of the company assets, an anonymous survey was used to collect the opinions of all senior and mid-level managers. Which asset valuation method was used?
Delphi Method
Describe the process of risk assessment
Determine which identified threats are relevant and pressing to the organization, and then attach a potential cost that can be expected if that threat materializes.
When you inform an employee that they are being terminated, what is the most important activity?
Disabling their network access
What is distributive allocation?
Distributive Allocation responds to risk by spreading it through redundancy and high availability techniques such as clustering, load balancing, and redundant storage arrays.
Describe the patriot act of 2001
Gives law enforcement agencies the authority to request information from public or private organizations through a court order or subpoena.
Change control should be used to oversee and manage changes of what aspect of an organization?
Every aspect, from the physical environment to IT hardware/software, personnel, and policies
What does COPPA specify?
It requires organizations that provide online services designed for children below the age of 13 to obtain parental consent prior to collecting and using a child's personal information. In addition, COPPA specifies that websites cannot require more information than is considered reasonable.
When is a BCP or DRP design and development actually completed?
Never. BCP and DRP development is never complete, as the plans need constant improvements and updates.
Your company has developed and implemented countermeasures for the greatest risks to their assets. However, there is still some risk left. What is the remaining risk called?
Residual Risk
What is not an appropriate response to a risk discovered during a risk analysis?
Risk Denial
What does SARBOX specify?
SARBOX requires publicly traded companies to adhere to very stringent reporting requirements and implement strong controls on electronic financial reporting systems. It also specifies that organizations have to keep information for a certain period of time.
What is SLE?
Single Loss Expectancy. The amount of loss expected for any single successful threat attack on any given asset.
You have decided to test one part of your current BCP with two other database professionals. Which type of BCP test would this be considered?
Tabletop exercise
What does HIPPA specify?
That all healthcare organizations and professionals must protect the healthcare data that they maintain. They must provide policies and procedures to protect this information no matter the storage medium (i.e, paper or digital.)
Describe risk management
The forecasting and evaluation of risks together with the identification of procedures to avoid or minimize their impact
Define BIA (Business Impact Analysis)
The identification and prioritization of Critical Business Functions, a calculation of a timeframe for recovering them, and estimation of the tangible and intangible impact on the organization.
What is threat probability?
The likelihood that a particular threat will occur that exploits a specific vulnerability
What is Exposure Factor?
The percentage of the asset lost because of a successful threat attack.
What is Residual Risk?
The portion of risk that remains after the implementation of a countermeasure
What is Risk Assessment?
The practice of determining which identified threats are relevant and pressing to the organization, and then attaching a potential cost that can be expected if the identified threat occurs
What is exposure?
The vulnerability to losses from a threat agent
When conducting a risk assessment, how is the Annualized Rate of Occurrence (ARO) calculated?
Through historical data provided by insurance companies and crime statistics
What is the purpose of a password policy?
To detail the requirements for passwords in an organization.
What is the primary purpose of source code escrow?
To obtain change rights over software after a vendor goes out of business
When would choosing to do nothing about an identified risk be acceptable?
When the cost of protecting the asset is greater than the potential loss
Describe a procedure
A procedure is a step-by-step process that outlines how to implement a specific action. The design of a procedure is guided by goals defined in a policy, but it goes beyond the policy by identifying the specific steps that are to be implemented.
Define Succession Planning
A process for identifying and developing internal people with the potential to fill key positions within the organization at some point in the future.
Describe a regulation
A regulation is a requirement published by a government or other licensing body that must be followed.
What is an intangible asset?
A resource that has value and may be saleable even though it is not physical or material. Intangible assets are typically more challenging to identify and evaluate.
What is an Asset?
A resource that has value to an organization
What is the Asset Classification method?
An asset prioritization method that identifies the appropriate value and protection levels by grouping similar assets and comparing the valuation of different classifications
In business continuity planning, what is the primary focus of "Scope?"
Business Processes
As a BCP or DRP plan evolves over time, what is the most important task to perform when rolling out a new version of the plan?
Collect and destroy all copies of the old plan(s)
How long should you keep information on contracts and SLAs?
Five years
When recovering from a disaster, which services should you stabilize first?
Mission-critical or essential services
If an organization shows sufficient due care, which burden is eliminated in the event of a security breach?
Negligence
What is risk deterrence?
The process of making threat agents aware of the consequence they face if they choose to attack the asset. This could include posting warnings on login pages to indicate prosecution policies.
What is Loss?
The real damage to an asset that reduces its confidentiality, integrity, or availability.
What is risk rejection or risk denial?
Choosing not to respond to a risk even though the risk is not at an acceptable level.
