CISSP-1-Security-And-Risk-Management

Risk Reduction

Implement a countermeasure to alter or reduce risk

BCP Documentation

1) Continuity Planning Goals 2) Statement of Importance 3) Statement of Priorities 4) Statement of Organizational Responsibility 5) Statement of Urgency and Timing 6) Risk Assessment 7) Risk Acceptance/Mitigation 8) Vital Records Program 9) Emergency-Response Guidelines 10) Maintenance 11) Testing and Exercises

Three Control Types One Should Always Have

1) Corrective 2) Detective 3) Preventative

NIST SP 800-34 7 Steps

1) Develop the continuity planning policy statement 2) Conduct the business impact analysis 3) Identify preventive controls 4) Create contingency strategies 5) Develop an information system contingency plan 6) Ensure plan testing, training and exercises 7) Ensure plan maintenance

Authorization Categories

1) Discretionary Access Control 2) Mandatory Access Control 3) Role-based Access Control

Qualitative Risk Reasons

1) Does not require a lot of numeric data 2) Results more descriptive than measurable 3) Easier to perform if time is short 4) Recommended for less experience assessors

Thread Modeling

1) Focused on assets 2) Focused on attackers 3) Focused on software

Chain of Evidence / Chain of Custody

1) General description of the evidence 2) Time and date the evidence was collected 3) Exact location the evidence was collected from 4) Name of the person collecting the evidence 5) Relevant circumstances surrounding the collection The chain can never be broken

IAAAA

1) Identification 2) Authentication 3) Authorization 4) Auditing 5) Accounting

Risk Analysis Goals

1) Identify assets and their values 2) Identify vulnerabilities and threats 3) Quantify the probability and business impact of these potential threats 4) Provide an economic balance between the impact of the threat and the cost of the countermeasure

Object

A passive entity such as data on a system

Tangible Asset

A physical asset such as a computer

Office of Management and Budget Circular A-130 (OMD)

A program developed to meet information resource management requirements for the federal government Requires that a review of security controls for each government application be performed at least every three years

Copyright

A type of intellectual property that protects the form of "expression" of some artistic resource but not in the manner of how it was created Prevents against unauthorized copying Artist - Lifetime + 70 years Corporations - 95 to 120 years Can include software programs If multiple artists then 70 year after the death of the last artist

Seclusion

"Storing" something in an out-of-way manner

Annual Cost of Safeguard (ACS)

(ALE1 - ALE2) - THIS

MTD - Urgent

1 day

MTD - Important

3 days

MTD - Nonessential

30 days

MTD - Normal

7 days

Statutory

A type of financial damage in civil/tort law Prescribe by law which can be awarded to the victim even if the victim incurred no actual loss or injury

Compensatory

A type of financial damage in civil/tort law Provide the victim with a financial award in the effort to compensate for the loss or injury incurred as a direct result of the wrong doing

Maximum Tolerable Outage (MTO)

Another name for MTD

Security Professional

Assigned to a trained and experienced network, systems, and security engineer who is responsible for following the directives mandated by senior management The security professional has the functional responsibility for security, including writing the security policy and implementing it

BCP Review

At least once a year

BCP vs. DRP

BCP comes and if it fails then DRP steps in the fill the gaps

Security Controls Development Examples

COBIT 5 COSO Internal Control Integrated Framework NIST SP 800-53

Shared Authority

Ensures that no single user can take illegal action on their own authority

Piracy

Focuses on infringement of a copyright

Patent Requirements

Invention must be new, patentable only if they are original ideas Invention must be useful; it must actually work and accomplish some sort of task Invention must not be obvious

Quantitative Decision Making

Involves the use of numbers and formulas to reach a decision This type of data often expresses options in terms of the dollar value to the business AV, MTD, RTO

Virtualized Browsers

Isolation of a Web-browsing application from the operating system (OS) used to access it Protects against malware

Privacy

Keeping information confidential that is personally identifiable or that might cause harm, embarrassment or disgrace to someone if revealed

Material Evidence

Must be related to the case at hand

Competent Evidence

Must have been obtained legally

Risk Management Frameworks

NIST 800-30, FRAP, OCTAVE are examples of these Note: Nist drinks fraps and listens to octaves on 800 AM KRIS

Prescreening

One of the best preventative controls against future insider attacks when hiring someone new Limit the amount of information in background checks and interviews needed for job role

Council of Europe (CoE) Convention on Cybercrime

One of the first international treaties attempting to create a standard international response to cybercrime including creating a framework to determine jurisdiction and extradition

Least Privilege

Only authorized entities have access to information on a need-to-know basis

OECD - Accountability

Organizations should be accountable for complying with measures that support the previous principles

Financial Risk Calculation

P * M = C (P) Probability of harm (M) Magnitude of harm (C) Cost of prevention

Security Awareness Training

Performed to "modify" employees' behavior and attitude toward security

OECD - Data Quality

Personal data should be kept complete and current and be relevant to the purposes for which it is being used

Detection and Identification

Phase 1 of incident response 1) Look for abnormal or suspicious behavior 2) Under the radar stuff found in logs and detection systems

Response and Reporting

Phase 2 of incident response 1) Isolation and containment - Always treat as if legal will get involve - Don't power system down or anything else that may destroy the evidence 2) Gathering evidence - Collect the equipment and software for the investigation - voluntarily surrender it, subpoena or search warrant 3) Analysis and reporting - fact-based, not opinion - management readable

Recovery and Remediation

Phase 3 of incident response 1) Restoration 2) Lessons learned (post mortem)

Warez

Pirated software

Data Hiding

Preventing data from being discovered or accessed by a subject Often a key element in security controls as well as in programming

Color of Law

Private citizens carry out actions or investigations on behalf of law enforcement They may be considered agents of law enforcement

Safeguards

Proactive controls Should reduce ARO

ISC^2 Code of Ethics Canon 3

Provide diligent and competent service to principals (employers)

Corroborative Evidence

Provides additional support for a fact that might have called into question

Countermeasures

Reactive controls

Security Administrator

Responsible for providing adequate physical and logical security for IS programs, data and equipment

Risk Identification

Step 2 of BIA A qualitative in approach to find both natural and manmade risks

Uncertainty Level

The inverse of confidence level

BCP Initiation Phase

The phase to get managements support, developing the scope of the plan and securing funding and resources for BCP

Continuity of Operations Plan (COOP)

The plan for continuing to do business until the IT infrastructure can be restored Hint: Chickens in coops can still lay eggs without IT

Business Resumption Plan (BRP)

The plan to move from the disaster recovery site back to your business environment or back to normal operations

Recovery Point Objective (RPO)

The point in time to which data must be restored in order to successfully resume processing This is the organization's definition of acceptable data loss

Risk Transfer

The practice of passing/sharing the risk in question to another entity such as an insurance company

Military and Intelligence Attack

To obtain secret and restricted information from military or law enforcement sources

NIST SP 800-30

U.S. standard for conducting risk assessments for IT systems Hint: 3rd r0ck form the sun is a risky place to live

FIPS 199 and FIPS 200

U.S. standards that establishes security categories of information systems as mandated by FISMA

Expert Opinion

Witness may offer an expert opinion based on the other facts presented and their personal knowledge of the field

Directive Access Control

deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures

Tactical Plan

is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan or can be crafted ad-hoc based upon unpredicted events Typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals Examples are project plans, acquisition plans, hiring plans, budget plans, maintenance plans, support plans, and system development plans

Job Responsibilities

the specific work tasks an employee is required to perform on a regular basis, including access they need to do perform a task

RFC 1087

IAB created request to define activities as unethical or unacceptable on the Internet

One-on-One Meeting

A technique to perform a qualitative risk analysis

NIST SP 800-37 Steps

1) Categorize information system 2) Select security controls 3) Implement security controls 4) Assess security controls 5) Authorize information system 6) Monitor security controls

Investigation Types

1) Civil (preponderance of the evidence) 2) Criminal (beyond a reasonable doubt) 3) Operational (internal) 4) Regulatory (government)

Quantitative Risk Reasons

1) Require numerical data 2) Provide results that are measurable 3) More difficult to perform and require more time than qualitative risk assessment 4) Recommended for experienced assessors

Quantitative Attributes

1) Requires more complex calculations 2) Is easier to automate and evaluate 3) Used in risk management performance tracking 4) Allows for cost/benefit analysis 5) Uses independently verifiable and objective metrics

Qualitative Attribtutes

1) Requires no calculations 2) Involves high degree of guesswork 3) Provides general areas and indications of risks 4) Provides the opinions of the individuals who know the process best

IAB Bad Practices

1) Seeks to gain unauthorized access to the resources of the Internet 2) Disrupts the intended use of the Internet 3) Wastes resources (people, capacity, computer) through such actions 4) Destroys the integrity of computer-based information 5) Compromises the privacy of users

Information Security Management System (ISMS)

A coherent set of policies, processes and systems to manage risks to information assets as outlined in ISO/IEC 27001

Intellectual Property Types

1) Industrial (patents, trademarks, trade secrets) 2) Copyrighted (literary/artistic works)

Directive

A control type designed to specify acceptable rules of behavior within an organization

Nonrepudiation

A user cannot deny have performed a transaction and must have authentication and integrity to enforce it

Prudent Man Rule

Acting responsibly and cautiously as a prudent person would from a liability perspective

Threat Event

An accidental or intentional exploitation of a vulnerability

Authorization

Defining the allows and denials of resource and object access for a specific identity

DAD

Disclosure, Alteration, Destruction

Conclusive Evidence

Evidence that is incontrovertible like DNA

Payment Card Industry Data Security Standard (PCI DSS)

A standard created by credit card companies that applies to any entity that processes, transmits, stores or accepts credit card data Varying levels of compliance and penalties exist but this is NOT A LAW, but voluntary (if entities want to be able to use the credit card company services) 12 control objectives broken down into 6 requirements categories

Risk Management Framework (RMF)

A structured process that allows to identify and assess risk, reduce it to an acceptable level and ensure that it remains at that level 1) Categorize 2) Select 3) Implement 4) Assess 5) Authorize 6) Monitor

Split Knowledge

A variation of separation of duties In this case each person knows parts of the information and not all (like half of a lock combination)

Dual Control

A variation of separation of duties In this case two or more people are required to perform an action like turning keys to launch a missile

Disaster Recovery Plan (DRP)

A plan for recovering from an IT disaster and having the IT infrastructure back in operation Usually very IT focused where everyone is scrambling to get all critical systems back online

Data Disclosure

A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party

Fair Use

A copyright limitation that allow one to make a copy of copyrighted material for personal use Libraries and other non-profit entities may fall under this category too

First Sale

A copyright limitation that gives one the legal right to sell copyrighted material even though they are not the copyright holders

Control

A countermeasure or safeguard to mitigate risk

Computer-Targeted Crime

A crime where a computer is the victim such as a DoS or malware victim The computer is attacked by something

Computer-Assisted Crime

A crime where a computer is used as a tool to break the law such as enabling the commission of a crime The computer is attacking something

Uniform Computer Information Transactions Act (UCITA)

A federal law designed for adoption by each of the 50 states to provide a common framework for the conduct of computer-related business transactions Provides a framework for the enforcement of shrink-wrap and click-wrap agreements by federal and state governments

Risk Rejection / Risk Deny

A final but unacceptable possible response to risk is to reject or ignore risk Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk

Pretexting

A form of social engineering in which an individual lies to obtain privileged data

Authorization to Operate (ATO)

A formal declaration by a Designated Approving Authority (DAA) that authorizes operation of a Business Product and explicitly accepts the risk to agency operations

Committee of Sponsoring Organization (COSO)

A framework created to deal with fraudulent financial activities - "a model for corporate governance" Covers non-IT items as well such as company culture, financial accounting principles ... 17 internal control principles grouped into 5 internal control components that cover these major areas: 1) Control Environment 2) Risk Assessment 3) Control Activities 4) Information and Communication 5) Monitoring Activities Hint: COrporate SOciety

Control Objectives for Information and Related Technology (COBIT)

A framework for business governance and management by explicitly tying stakeholder drivers to stakeholder needs to organization goals to IT goals - "a model for IT governance" ... the above is described as "cascading" goals Based on five principles w/a checklist approach Derived from COSO and used for security compliance during audits in the civilian world

Security Goverance

A framework that allows the security goals of an organization to be set and expressed by senior management, communicated throughout the different levels of the organization Think of it as adding several points of responsibility, accountability, compliance and oversight with the existing security program in place

Sarbanes-Oxely Act of 2002 (SOX)

A law enacted in response to the financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices Regulatory compliance mandated standards for financial reporting of publicly traded companies Based on the COSO model e.g., Enron, Black "SOX" scandaal

Religious Law System

A legal system based on religious beliefs where lawmakers/scholars attempt to discover the truth of law in religious text

Customary Legal System

A legal system based on traditions and customs where personal conduct and behavior are enforced

Mixed Law System

A legal system that combines two or more legal systems such as civil, common, religious and customary

End User License Agreement (EULA)

A licensing agreement that specify conditions and restrictions for a software program

Fail-Safe

A mode that allows a system to continue to function in a degraded mode e.g., A door is unlocked when power is removed

Fail-Secure

A mode where the system defaults to locked/protected state

Reciprocal Agreement

A mutual agreement in which two organizations agree to provide resources to each other in case of a disaster Contract is non-binding and difficult to enforce

Computer Ethics Institute

A non-profit organization that works to help advance technology by ethical means

Closed Architecture

A not-so preferred approach to black box approach to design in which security is through obscurity

Bottom-Up Approach

A not-so-preferred security practice in the organization that starts with IT working its way up to top management

Nonpracticing Entity (NPE)

A patent troll who obtains a patent, but not to protect it nor produce it, but to aggressively go after others who invent something similar

MTD - Critical

ASAP

Enterprise Architecture

An architecture that addresses the structure of an organization

System Architecture

An architecture that addresses the structure of software and computing components

Security Enterprise Architecture (SEA)

An architecture that allows how the security components from the ISMS will be integrated into the layers of the organization

Denial of Service (DoS)

An attack that attempts to prevent authorized use of a resource This can be done through flaw exploitation, connection overloading or traffic flooding

Elevation of Privilege

An attack where a limited user account is transformed into an account with greater privileges, powers and access

Financial Attack

Any type of computer attack that involves money

Safeguard / Countermeasure

Anything that removes or reduces a vulnerability or protects against one or more specific threats Should reduce ARO

Dilution

Occurs when someone uses a famous trademark in a manner that blurs or tarnishes it Diminishes the capacity of a famous trademark to identify and distinguish goods or services, regardless of the presence or absence

Regulatory Policy

Required whenever industry or legal standards are applicable to your organization Discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance

Communications Assistance for Law Enforcement Act (CALEA) of 1994

Requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use

European Union Privacy Law

Requires that all processing of personal data meet one of the following criteria: 1) Consent 2) Contract 3) Legal obligation 4) Vital interest of the data subject 5) Balance between the interests of the data holder and the interests of the data subject

Data Custodian / Data Steward

Responsible for storing and safeguarding the data and include IS personnel such as system analyst and computer operators Include IS personnel such as system analysis and computer operators

Data Custodian

Responsible for the day-to-day tasks of performing and testing backups, validating data integrity, deploying security solutions and managing data storage based on classification

Accounting / Accountability

Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions

4th Amendment

Right of people to be secure in their persons, houses, papers and effects against unreasonable searches and seizures

Secondary Risk

Risk event that comes as a result of another risk response Fix one problem to cause another Damned if you do and damned if you don't

Risk Monitoring

Risk is forever

Intellectual Property Organization (WIPO)

Run by UN to protect intellectual property

Job Description

SOC-2 and ISO 27001 require that it be defined and up-to-date annually

Delayed Loss

Secondary in nature and takes place well after a threat agent exploited after vulnerability

Risk Assessment

The method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls Here we gather the data

Return on Investment (ROI)

The money saved after safeguard implementation ALE (before) - ALE (after) If positive then it's "worth" doing otherwise consider risk avoidance

Risk Management (RM)

The process of identifying and assessing risk, reducing it to an acceptable level and ensuring it remains at that level

RMF - Implement

The security controls and describe how the controls are employed within the information system and its environment of operation

RMF - Assess

The security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security requirements for the system

Microsoft STRIDE

Used for threat modeling Normally focused on application threats 1) Spoofing 2) Tampering 3) Repudiation 4) Information Disclosure 5) Denial of Service (Dos) 6) Elevation of Privilege

Abstraction

Used to collect similar elements into groups, classes or roles that are assigned security controls, restrictions or permissions as a collective Adds efficiency to carrying out a security plan

Nondisclosure Agreement (NDA)

Used to protect the confidential information within an organization from being disclosed by a former employee

Contractual License Agreement

Uses a written contract between the software vendor and the customer, outlining the responsibilities of each These agreements are commonly found for high-priced and/ or highly specialized software packages

Typosquatting

Very close spelling of well-known product Not illegal but it's what you do with site

Security Effectiveness

Deals with metrics, meeting SLA requirements, achieving ROI, setting baselines, etc. to provide management with a balanced scorecard system

Deterrent Access Control

Deployed to discourage violation of security policies THIS and preventive controls are similar, but THIS often depend on individuals deciding not to take an unwanted action on their own

Compensating Access Control

Deployed to provide various options to other existing controls to aid in enforcement and support of security policies THIS can be any controls used in addition to, or in place of, another control

Internet Architecture Board (IAB) Unacceptable Use

(a) seeks to gain unauthorized access to the resources of the Internet (b) disrupts the intended use of the Internet, (c) wastes resources (people, capacity, computer) through such actions, (d) destroys the integrity of computer-based information, and/or (e) compromises the privacy of users.

ISC^2 Code of Ethics Preamble

- The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior - Therefore, strict adherence to this Code is a condition of certification

Attack Tree

A conceptual diagrams showing how an asset, or target, might be attacked usually created while doing threat modeling

Corrective

A control type that attempts to get a system back to normal by fixing components after an incident has occurred

Control Categories

1) Administrative/Soft 2) Physical 3) Technical/Logical

Security Policy Categories

1) Advisory 2) Informative 3) Regulatory

Qualitative Risk Analysis Methods

1) Brainstorming 2) Delphi technique 3) Storyboarding 4) Focus groups 5) Surveys Questionnaires 6) Checklists 7) One-on-one meetings 8) Interview

PCI DSS Requirement Categories

1) Build and Maintain a Secure Network and Systems 2) Protect Cardholder Data 3) Maintain a Vulnerability Management Program 4) Implement Strong Access Control Measures 5) Regularly Monitor and Test Networks 6) Maintain an Information Security Policy

Risk Management Framework (RMF) Steps

1) Categorize 2) Select 3) Implement 4) Assess 5) Authorize 6) Monitor Hint: CSI A AM

OECD Principles

1) Collection Limitation 2) Data Quality 3) Purpose Specification 4) Use Limitation 5) Security Safeguards 6) Openness 7) Individual Participation 8) Accountability

Functional Control Types

1) Compensating 2) Corrective 3) Detective 4) Deterrent 5) Preventative 6) Recovery 7) Directive

Computer Crime Categories

1) Computer-Targeted 2) Computer-Assisted 3) Computer-Incidental Attacks: 1) Military and intelligence 2) Business 3) Financial (phone phreaking) 4) Financial 5) Grudge 6) Thrill

Integrity Types

1) Data 2) System

Safe Harbor Principles

1) Data Integrity 2) Enforcement 3) Access 4) Choice 5) Onward Transfer 6) Notice 7) Security Hint: DEACONS safely harbor sinners

Incident Response Process

1) Detection and Identification 2) Response and Reporting - Isolation and containment - Gathering evidence - Analysis and reporting 3) Recovery and Remediation - Restoration - Lessons learned Hint: A DI responds and reports about his recovery and remediation

Data Classification Program Steps

1) Identify the custodian, and define their responsibilities 2) Specify the evaluation criteria of how the information will be classified and labeled 3) Classify and label each resource. (The owner conducts this step, but a supervisor should review it) 4) Document any exceptions to the classification policy that are discovered, and integrate them into the evaluation criteria 5) Select the security controls that will be applied to each classification level to provide the necessary level of protection 6) Specify the procedures for declassifying resources and the procedures for transferring custody of a resource to an external entity 7) Create an enterprise-wide awareness program to instruct all personnel about the classification system.

Employee Termination

1) Inform the person that they are relieved of their job 2) Request the return of all access badges, keys, and company equipment 3) Disable the person's electronic access to all aspects of the organization 4) Remind the person about the NDA obligations 5) Escort the person off the premises

Capability Maturity Model Integration (CMMI) Levels

1) Initial 2) Managed 3) Defined 4) Quantitatively Managed 5) Optimizing Hint: "I'm DQ Optimizing" my "cmminon" ice cream cone

BCP Activities

1) Initiate project 2) Assign responsibilities 3) Define continuity policy statement 4) Perform business impact analysis 5) Identify preventative controls 6) Create recovery strategies 7) Develop BCP and DRP documents 8) Test plans 9) Maintain plans

PCI DSS Requirements

1) Install and maintain a firewall configuration to protect cardholder data 2) Do not use vendor-supplied defaults for system passwords and other security parameters 3) Protect stored cardholder data 4) Encrypt transmission of cardholder data across open, public networks 5) Protect all systems against malware and regularly update antivirus software or programs 6) Develop and maintain secure systems and applications 7) Restrict access to cardholder data by business need-to-know 8) Identify and authenticate access to system components 9) Restrict physical access to cardholder data 10) Track and monitor all access to network resources and cardholder data 11) Regularly test security systems and processes 12) Maintain a policy that addresses information security for all personnel

Quantitative Risk Analysis Steps

1) Inventory assets, and assign an asset value 2) Research each asset and produce a list of all possible threats of each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE) 3) Perform a threat analysis to calculate the likelihood of each threat being realized within a single year— that is, the annualized rate of occurrence (ARO) 4) Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE) 5) Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure 6) Perform a cost/ benefit analysis of each countermeasure for each threat for each asset and select the most appropriate response to each threat AV -> EF -> SLE -> ARO -> ALE -> Cost/Benefit analysis of countermeasure

Security Policy Types

1) Issue-specific 2) Organizational-specific 3) System-specific

COBIT 5

1) Meeting Stakeholder Needs 2) Covering the Enterprise End-to-End 3) Applying a Single, Integrated Framework 4) Enabling a Holistic Approach 5) Separating Governance From Management

COBIT Principles

1) Meeting stakeholder needs 2) Covering the enterprise end-to-end 3) Applying a single integrated framework 4) Enabling a holistic approach 5) Separating governance from management Hint: MC-AES

Quantitative Risk Analysis Goals

1) Monetary values assigned to assets 2) Comprehensive list of all possible and significant threats 3) Probability of the occurrence rate of each threat 4) Loss potential the company can endure per threat in a 12-month time span 5) Recommended controls

Trademark Requirements

1) Must not be confusingly similar to another trademark 2) Should not be descriptive of the goods and services that you will offer For example, "Mike's Software Company" would not be a good trademark candidate because it describes the product produced by the company

EU Data Protection Directive

1) Notify individuals how their personal data is collected and used 2) Allowing individuals to opt out of sharing their personal data with third parties 3) Granting individuals the right to choose to opt into sharing the most sensitive personal data as opposed to being opted in automatically 4) Providing reasonable protections for personal data Hint: NAG (P)rivacy

Recovery Planning Steps

1) Perform BIA 2) Develop recovery strategy 3) Develop recovery plan 4) Testing 5) Maintaining

The Life Cycle of Any Process

1) Plan and Organize 2) Implement 3) Operate and Maintain 4) Monitor and Evaluate

NIST SP 800-30 Steps

1) Prepare the assessment 2) Conduct the assessment a: Identify threat sources and events b: Identify vulnerabilities and pre-disposing conditions c: Determine likelihood of occurance d: Determine magnitude of impact e: Determine risk 3) Communicate results 4) Maintain assessment

Integrity

1) Preventing unauthorized subjects from making modifications 2) Preventing authorized subjects from making unauthorized modifications, such as mistakes 3) Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any child, peer, or parent object is valid, consistent and verifiable

HIPAA Three Rules

1) Privacy 2) Security 3) Breach Notification

BCP Steps

1) Project scope and planning 2) Business impact assessment (BIA) 3) Continuity planning 4) Approval and implementation

ISC^2 Code of Ethics Canons

1) Protect society, the commonwealth (nation), and the infrastructure 2) Act honorably, honestly, justly, responsibly, and legally 3) Provide diligent and competent service to principals (employers) 4) Advance and protect the profession Hint: PAPA, protect actors to provide advancement Hint: This is the order of importance so always choose the highest (1 is highest, 4 is lowest)

Security Policy Contents

1) Purpose 2) Scope 3) Responsibilities 4) Compliance

Risk Response Types

1) Reduce 2) Assign 3) Accept 4) Reject

Admissible Evidence

1) Relevant (make more probable than without) 2) Material (related to the case) 3) Competent (obtained legally)

Change Management Process

1) Request 2) Review 3) Approve/Reject 4) Schedule/Implement 5) Document

European Union Privacy Law Rights

1) Right to access the data 2) Right to know the data's source 3) Right to correct inaccurate data 4) Right to withhold consent to process data in some situations 5) Right of legal action should these rights be violated

BIA Steps

1) Select individuals to interview for data gathering 2) Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative) 3) Identify the company's critical business functions 4) Identify the resources these functions depend upon 5) Calculate how long these functions can survive without these resources 6) Identify vulnerabilities and threats to these functions 7) Calculate the risk for each different business function 8) Document findings and report them to management

CIRT Team Members

1) Senior management 2) IT folks 3) Legal representatives 4) Public affairs/communication folks 4) Engineers system/network

IAB 10 Commandments

1) Thou shalt not use a computer to harm other people 2) Thou shalt not interfere with other people's computer work 3) Thou shalt not snoop around in other people's computer files 4) Thou shalt not use a computer to steal 5) Thou shalt not use a computer to bear false withness 6) Thou shalt not copy proprietary software for which you have not paid 7) Thou shalt not use other people's computer resources without authorization or proper compensation 8) Thou shalt not appropriate other people's intellectual output 9) Thou shalt think about the social consequences of the program you are writing or the system you are designing 10) Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans

Threat Model Components

1) Trust Boundaries 2) Data Flow Paths 3) Input Points 4) Privileged Operations 5) Details about Security Stance and Approach

Safeguard Value

= ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) (ALE1 - ALE2) - ACS If value is negative then the safeguard is not a financially responsible choice

Detective

A control type that helps identify an incident's activities and potentially an intruder

Recovery

A control type aimed to get systems back to normal before/during an attack e.g., disaster recovery site, data backups, high availability

Ministry of Defense Architecture Framework (MoDAF)

A British DoD EAF based on DoDAF The crux of the framework is to get data in the right format to right people as soon as possible

NIST SP 800-39

A U.S. standard that provides guidelines for "managing risk" to organizational operations and assets Organizational Tier Business Process Tier Information Process Tier

Preventative

A control type that is intended to avoid an incident from occurring

Deterrent

A control type that is intended to discourage a potential attacker

National Information Infrastructure Protection Act of 1996

A CFAA amendment 1) Broadens CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce 2) Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines, electric power grids and telecommunications circuits 3) Treats any intentional or reckless act that causes damage to critical portions of the national infrastructure as a felony

Personal Information Protection and Electronic Documents Act (PIPEDA)

A Canadian law that sets the ground rules how private sector organizations collect, uses and disclose personal data

Department of Defense Architecture Framework (DoDAF)

A DoD EAF Provides a foundational framework for developing and representing architecture descriptions that ensure a common denominator for understanding, comparing and integrating architectures across organizational, joint and multinational boundaries Focus is on command, control, communications, computers, intelligence, surveillance and reconnaissance systems and processes Ensures that all systems, processes and work in a concerted effort to accomplish its mission

The Open-Group Architecture Framework (TOGAF)

A DoD-derived EAF Provides an approach to design, implement and govern the following enterprise information architecture types: 1) Business 2) Data 3) Application 4) Technology Uses an iterative and cyclic process that allows requirements to be continuously reviewed/updated Uses architecture development mode (ADM) Hint: Airforce snake eats its own toe (circular)

Sherwood Applied Business Security Architecture (SABSA)

A EAF Similar to the Zachman Framework in terms of using a matrix of interrogatives but uses layers Each layer decreases in abstraction and increases in detail moving from policy to practical implementation of technology Both a framework and methodology that can be constantly monitored and improved over time Hint: Zachman likes SALSA

Safe Harbor - Data Integrity

A Safe Harbor Principle Data must be relevant and reliable for the purpose it was collected for

Safe Harbor - Access

A Safe Harbor Principle Individuals must be able to access information held about them and correct or delete it if it is inaccurate

Safe Harbor - Notice

A Safe Harbor Principle Individuals must be informed that their data is being collected and about how it will be used

Safe Harbor - Choice

A Safe Harbor Principle Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties

Safe Harbor - Security

A Safe Harbor Principle Reasonable efforts must be made to prevent loss of collected information

Safe Harbor - Enforcement

A Safe Harbor Principle There must be effective means of enforcing these rules

Safe Harbor - Onward Transfer

A Safe Harbor Principle Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles

NIST SP 800-34

A U.S. standard for continuity planning for federal information systems Hint: 3 + 4 + ... is continuity

NIST SP 800-55

A U.S. standard that provide guidance on how "metrics" can be used to measure success of a ISMS ISO/IEC 27004 is the international counterpart Hint: Sum is 10 which is best performance

NIST SP 800-37

A U.S. standard that provide guidelines for applying the risk management framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization and security control monitoring

Emergency Change Advisory Board (ECAB)

A change policy type Does not require formal testing or change advisory board (CAB) approval ITIL

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

A commercial risk assessment methodology intended to be used in situations where people "internally" manage and direct the risk evaluation for IT security Insiders f properly trained can make the best decision when it comes to understanding risks from "ALL" assets Carnegie Mellon University Hint: The 8 intervals "inside" two notes sing "risky" business

Reasonable Expectation of Privacy (REP)

A company should protect itself legally when monitoring employees through policy, constant reminders (computer banners) and regular training Employees can be asked to sign a waiver to waive their expectation to privacy in the workplace Forth Amendment considerations

Zombie

A compromised computer used in a botnet IRC is often used as a communication tool

Computer Incidental Crime

A crime where a computer just happens to be there during a the commission of a crime but not as the primary vehicle The computer is not attacked nor is attacking but may be used for storage of illegal material or secondary in act of a crime (like making a video of the crime)

Employment Agreement

A document outlines the rules and restrictions of the organization, the security policy, the acceptable use and activities policies, details of the job description, violations and consequences and the length of time the position is to be filled by the employee

Memorandum of Understanding (MOU)

A document specifying an agreement between two entities in "broad terms" Often seen in government, as government agencies that typically cannot have contracts with each other

Memorandum of Agreement (MOA)

A document specifying an agreement between two entities in "detail" Often seen in government, as government agencies that typically cannot have contracts with each other

Control Objectives for Informational and Related Technology (COBIT)

A documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA) It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives A security concept infrastructure used to organize the complex security solutions of companies Five key principles for governance and management of enterprise

Asset Valuation

A dollar value assigned to an asset based on actual cost and nonmonetary expenses

The Economic Espionage Act of 1996

A law designed to curtail industrial espionage particularly when such activities benefits a foreign entity 1) Anyone found guilty of stealing trade secrets from a U.S. corporation with the intention of benefiting a foreign government or agent may be fined up to $ 500,000 and imprisoned for up to 15 years. 2) Anyone found guilty of stealing trade secrets under other circumstances may be fined up to $250,000 and imprisoned for up to 10 years

Electronic Communications Privacy Act (ECPA)

A law enacted to provide protection of electronic communications against warrantless wiretapping Prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal

Health Insurance Portability and Accountability Act (HIPAA)

A law enacted to put strict privacy and security rules for PHI data used by health insurers, providers and clearinghouse (claims) agencies Requires risk analysis along with administrative, physical and technical safeguards Privacy, security and breach notification

Children's Online Privacy Protection Act of 1998 (COPPA)

A law focused on websites that cater to children or knowingly collect information from children 1) Websites must have a privacy notice that clearly states the types of information they collect and what it's used for, including whether any information is disclosed to third parties 2) Parents must be provided with the opportunity to review any information collected from their children and permanently delete it from the site's records 3) Parents must give verifiable consent to the collection of information about children younger than the age of 13 prior to any such collection

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

A law that address the privacy and security concerns associated with health records Enacted as part of the American Recovery and Reinvestment Act Requires reporting of data breaches with 60 days It added stricter penalties and fines to strengthen criminal enforcement of HIPAA

The Computer Fraud and Abuse Act of 1986 (CFAA)

A law that covers crimes against "federal interest" computer systems like unauthorized access, destroying or damaging equipment An amendment to CCCA that goes beyond just federal computers, it added federal interest and financial computers as well 1) Any computer used exclusively by the U.S. government Any computer used exclusively by a financial institution 2) Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system 3) Any combination of computers used to commit an offense when they are not all located in the same state

Federal Privacy Act of 1974

A law that establishes a code of fair information practices that governs the collection, maintenance, use and dissemination of information about individuals that is maintained in systems of records by federal agencies Social Security Administration, Census Bureau, IRS, Bureau of Labor Statistics

Digital Millennium Copyright Act (DMCA)

A law that makes it illegal to create products that circumvent copyright protection mechanisms Up to $ 1,000,000 and 10 years in prison for repeat offenders Non-profits/libraries are exempt

Electronic Communications Privacy Act of 1986 (ECPA)

A law that makes it illegal to monitor wire/electronic/oral communications without permission

U.S. Family Education Rights and Privacy Act (FERPA)

A law that protects the privacy of student education records It applies to all schools that receive funds under an applicable program of the U.S. Department of Education

Economic Espionage Act of 1996

A law that provides penalties for people who steal trade secrets, intellectual property (IP) and PII/IP Harsher penalties for individuals who know the trade secret will benefit a foreign government

Federal Information Security Management Act of 2002 (FISMA)

A law that requires every federal agency to create, document and implement an agency-wide security program to provide protection for the information and systems that support the operations and assets of the agency including those contracted externally Requires annual audits with results sent to the Office of Management and Budget (OMB) for review Security awareness training Periodic testing Policies and procedures and reporting Uses NIST SP 800-53 checklist

Gramm-Leach Bliley Act of 1999 (GLBA)

A law that requires protection of the confidentiality and integrity of consumer financial information Requires financial institutions to develop privacy notices and give customers the option to prohibit financial institutions from sharing their information to non-affiliated third parties Requires security plans and criminalizes pretexting (phishing) and also notification of data misuses Bael II version pertains to international banking

The Computer Security Act of 1987

A law that requires the federal government agencies to baseline computer security: 1) To give NIST the responsibility for developing standards and guidelines for federal computer systems. -- getting help from NSA NSA classified / NIST unclassified 2) To provide for the enactment of such standards and guidelines 3) To require the establishment of security plans by all operators of federal computer systems that contain sensitive information 4) To require mandatory periodic training for all people involved in management, use, or operation of federal computer systems

The Federal Privacy Act of 1974

A law that severely limits the ability of federal government agencies to disclose private information to other persons or agencies without the prior written consent of the affected individual Agencies maintain only the records that are necessary for conducting their business and that they destroy those records when they are no longer needed for a legitimate function of government Written permission required

Due Diligence

A legal liability concept that requires an organization to continually review its practices to ensure that protection requirements are met An entity's liability is its legal responsibility for any action or lack of action that puts the entity or any other entity at risk Practicing THIS can help an entity create a defense against negligence, which means that an entity is held responsible for an action or inaction that resulted in harm to another entity or individual Doing everything within one's power to prevent a bad thing from happening e.g., Setting appropriate policies, researching the threats and incorporating them into a risk management plan and ensuring audits happen at the right times Hint: Think of the word "knowing"

Best Evidence Rule

A legal principle that holds an "original" copy of a document as superior evidence If not original then it is called "secondary" evidence

Common Law System

A legal system based on previous interpretations of laws or precedence Used in the U.S./U.K. Broken down into criminal, civil/tort and administrative/regulatory laws Hint: The English Queen makes laws for her "commoners"

Strategic Plan

A long-term, stable plan that defines the organization's security purpose Useful for about five years and maintained and updated annually

Qualitative Risk Matrix

A matrix that consists of likelihood vs. consequences (impact) Multiple team members enter what they think the values should be

Annual Rate of Occurrence (ARO)

A measure of the estimated frequency of occurrence for a threat or event for each year e.g., If occurrence is once for every 10 years the the value would be 1/10 = 0.1

Single Loss Expectancy (SLE)

A measure of the loss incurred from a single realized threat or event, expressed in dollars = AV * EF

Exposure Factor (EF)

A measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage

Failure Modes and Effect Analysis (FMEA)

A method for determining functions, identifying functional failures and assessing the causes of failures and the failure effects through a structured process Goal is to identify where something is most likely going to break then do something/nothing about it

Fault Tree Analysis

A method to identify failures that can take place within more complex environments and systems Similar to attack trees but for failure analysis

Key Performance Indicator (KPI)

A metric to verify an organization is following accepted best practices or guidelines

Baseline

A minimum level of security

Business Continuity Plan (BCP)

A plan that contains strategy documents that provide detailed procedures that ensure critical business functions are maintained and that help minimize losses of life, operations and systems Much broad scope than DRP Needs senior management support, prioritization, annual review, etc. A CORRECTIVE Control

Baselines

A point in time that is used as a comparison for future changes thus providing for a consistent reference point Could be technical or non-technical Tactical and Mandatory

Issue-specific Security Policy

A policy that covers things like security related to e-mail and should be "technology and solution independent" Acceptable Use Policy (AUP) Email Privacy Also called a functional policy

BCP Policy

A policy that supplies the framework for and governance of designing and building the BCP effort which includes scope, mission statement, principles, guidelines and standards

Clean Desk Policy

A policy that tells users to clean their workspace before they leave to ensure that sensitive material is not left unprotected

System-specific Security Policy

A policy type that are specific to actual computers, networks, databases and applications

Organizational-specific Security Policy

A policy type where management establishes how a security program will be set up, lays out the program's goals assigns responsibilities, shows the strategic and tactical value of security and outlines how enforcement should be carried out Must also address laws, regulations and liability issues Reviewed on a regular basis Also called a master security policy

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)

A post 9/11 law that some argue eroded the constitutional rights of U.S. citizens particularly in rights of privacy and illegal search and seizure once protected by the fourth amendment in the effort to foil acts of terrorism

Top-Down Approach

A preferred security practice in the organization that starts with top management working its way down through the ranks

Open Design

A preferred transparent approach to design which allows for peer review

Awareness

A prerequisite to security training is bring security to the forefront and make it a recognized entity for users

Department of Veterans Affairs Information Security Protection Act

A privacy law that applies to the VA after a breach of millions of veterans' records

Six Sigma

A process improvement methodology by using statistical methods of measuring operation efficiency, reducing variation, defects and waste

Capability Maturity Model Integration (CMMI)

A process used to determine the maturity of an organization's processes using 5 levels Each maturity level with this model represents an evolutionary stage More heavily used in the security world than Six Sigma and ITIL Carnegie Mellon University

Delphi Technique

A qualitative risk analysis method An anonymous feedback-and-response process used to enable a group to reach an anonymous consensus Its primary purpose is to elicit honest and uninfluenced responses from all participants The participants are usually gathered into a single meeting room To each request for feedback, each participant writes down their response on paper anonymously The results are compiled and presented to the group for evaluation. The process is repeated until a consensus is reached

Facilitated Risk Analysis Process (FRAP)

A qualitative risk assessment methodology that focuses only on the systems that really need assessing to reduce costs and time obligations Keeps assessments focused, tight on single assets Qualitative approach first then if risk is high enough follow it with a quantitative analysis Hint: Nautical meaning is to bind something tightly with a "simple" knot to reduce "risk"

Quantitative Risk Analysis

A risk analysis methodology that attempts to assign numeric/monetary values to components A pure one is usually not possible due some degree of uncertainty Could depend on qualitative analysis AV/EF/SLE/ARO/ALE/TCO/ROI

Qualitative Risk Analysis

A risk analysis methodology that attempts to assign subjective values to components like low/medium/high Uses severity vs. likelihood matrices

Central Computing and Telecommunications Agency Risk Analyses and Management Mode (CRAMM)

A risk assessment methodology from the U.K. that works in three stages using automated tools from Siemens: 1) Define objectives 2) Assess Risks 3) Identify Countermeasures Hint: "Cramming" too many sweets in your mouth "risks" cavities

DREAD

A risk assessment/threat model previously used by Microsoft Damage - how bad would an attack be? Reproducibility - how easy is it to reproduce the attack? Exploitability - how much work is it to launch the attack? Affected users - how many people will be impacted? Discoverability - how easy is it to discover the threat?

Civil Law System

A rule-based, codified legal system not based on precedence Used in most other places in the world except US/UK Lower courts are NOT compelled to follow the decisions made by higher courts

Information Technology Infrastructure Library (ITIL)

A set of detailed "best practices for IT service management (ITSM)" that focuses on aligning IT services with the needs of business A customizable framework that provides the goals and necessary activities to reach objectives via a continual process improvement paradigm Normally "internal" to the organization where SLAs are established between departments

Operational Plan

A short-term, highly detailed plan based on the strategic and tactical plans Valid or useful only for a short time, maybe monthly or quarterly to retain compliance with tactical plans Operational plans must be updated often (such as monthly or quarterly) to retain compliance with tactical plans Examples are resource allotments, budgetary requirements, staffing assignments, scheduling, and step-by-step or implementation procedures

Risk Management

A systematic process for identifying, analyzing, evaluating, remedying and monitoring risk

Business Impact Analysis (BIA)

A systematic process performed at the beginning of BCP to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption It identifies the company's critical systems needed for survival and estimates the outage time that can be tolerated as a result of the event

BCP Committee

A team that comprises of people who are familiar with different departments within the company such as business units, senior management, IT, security, communications and legal

Risk Analysis Team

A team that includes individuals from key departments to ensure that all of the threats are identified and address Includes management, technical and legal personnel

Reduction Analysis

A technique used reduce the number of attacks and threats to consider This is usually done to simplify the number of attack trees used when threat modeling Also known as decomposing

Mean Time Between Failures (MTBF)

A time determination for how long a piece of IT infrastructure will continue to work before it fails

Mean Time to Repair (MTTR)

A time determination for how long it will take to get a piece of hardware/software repaired and back on-line

Punitive

A type of financial damage in civil/tort law Punish an individual or organization in an attempt to discourage a particularly egregious violation where the compensatory or statutory damages along would not act as a deterrent

Criminal Law

A type of law that addresses behavior that is considered harmful to society, like murder, and that society is the victim Punishment can lead to incarceration and/or monetary fines Must prove guilt "beyond a reasonable doubt" - innocent until proven guilty

Civil/Tort Law

A type of law that addresses wrongful acts committed against an individual or business, either willfully or negligently, resulting in damage, loss, injury, or death Punishment can be compensatory, punitive or statutory damages. NEVER incarceration Must prove "liability" with "a preponderance of evidence"

Administrative/Regulatory Law

A type of law that are regulatory in nature and usually enacted by government agencies Punishment can be incarceration and/or financial Must prove guilt as "more likely than not"

Vulnerability

A weakness in a system that allows a threat source to compromise its security

Scenario

A written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets

Information Security Officer (ISO)

Accountable for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction and unavailability

ISC^2 Code of Ethics Canon 2

Act honorably, honestly, justly, responsibly, and legally

Compliance

Actions that ensure behavior that complies with established rules

ISC^2 Code of Ethics Canon 4

Advance and protect the profession

Policy Types

Advisory Informative Issue Regulatory System

Paperwork Reduction Act of 1995

Agencies obtain Office of Management and Budget (OMB) approval before requesting most types of information from the public

Risk Acceptance

Allow the risk to exists and acceptance the consequences Most often when cost of mitigation is more than asset value and avoidance is not an option

Government Information Security Reform Act (GISRA) of 2000

Amended the Paperwork Reduction Act to implement additional information security policies and procedures To provide a comprehensive framework for establishing and ensuring the effectiveness of controls over information resources that support federal operations and assets Places the burden of maintaining the security and integrity of government information and information systems squarely on the shoulders of individual agency leaders and more ...

Total Risk

Amount of risk without implementing mitigation What will it cost me if I do nothing?

Zachman Framework

An EAF 2 Dimensional Matrix that uses 6 interrogatives with different viewpoints Cols - What/How/Where/When/Who/Why Rows- CEO/Janitor/IT Dude/Security Peep Hint: Bachman Turnover Drive was not the "Who"

Intangible Assets

An abstract asset such as source code, data, etc.

Subject

An active entity such as a user/process on a data system

Mandatory Vacations

An administrative detective control that can be used to uncover fraudulent activities by forcing employees to take vacations

Rotation of Duties

An administrative detective control to can be used to uncover fraudulent activities moving employees form position to another within the company

Safe Harbor

An agreement between the United States Department of Commerce and the European Union that regulated the way that U.S. companies could export and handle the personal data of European citizen Data Integrity, Enforcement, Access, Choice, Onward Transfer, Notice, Security Hint: DEACONS safely harbor sinners

Interconnection Security Agreement (ISA)

An agreement specifying technical requirements between organizations connecting systems and exchanging data designed to support the MOU/MOA

Cross-training

An alternative to job rotation In both cases, workers learn the responsibilities and tasks of multiple job positions Here the workers are just prepared to perform the other job positions; they are not rotated through them on a regular basis

Computer Abuse Amendments Act of 1994

An amendment to CFAA 1) Outlawed the creation of any type of malicious code that might cause damage to a computer system 2) Modified the CFAA to cover any computer used in interstate commerce rather than just "federal interest" computer systems 3) Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage 4) Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages

Strength, Weaknesses, Opportunities, Threats (SWOT)

An analysis tool to identify an organization's strengths and weaknesses as well as broader opportunities and threats

Cost/Benefit Analysis

An analysis used when choosing a security control for a given risk The benefit must outweigh the cost (ALE Before) - (ALE After) - (Annual Cost of Safeguard) = Net value of safeguard to the company

Threat Agent

An entity that takes advantage of a vulnerability

Incident

An event that has a negative outcome affecting the confidentiality, integrity, or availability of an organization's data 1) Scanning 2) Compromises 3) Malicious code 4) Denial of service Report to legal folks if a violation of law including disclosure of sensitive data

Recovery Access Control

An extension of corrective controls but have more advanced or complex abilities Examples include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.

Breach

An incident that results in the disclosure or potential exposure of data the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a breach is combined with an attack, a penetration, or intrusion, can result

Opt-in Agreement

An information sharing agreement that prevents an entity from sharing a user's information by default The organization must get your approval Privacy advocates prefer THIS where the user would have to do something in order have their data used

Opt-out Agreement

An information sharing agreement that requires a user to act in order to prevent an entity from sharing that user's information User MUST act to opt-out Usually uncheck a checkbox Disallows information to be resold

RMF - Select

An initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed

Exploit

An instance of compromise Occurs when a vulnerability is taken advantage of by an attacker

Statement of Auditing Standards 70 (SAS)

An internal controls audit carried out by a third-party auditing organization

ISO/IEC 22301

An international standard for business continuity management (BCM)

Threat

Any potential danger that is associated with the exploitation of a vulnerability Someone or something will identify a specific vulnerability and use it against the company or individual

ISO/IEC 27000

An international standard on how to develop and maintain an ISMS within an organization Provides an overview and introduction of the entire ISMS standards and a glossary of words Adopted from the British Standard 7799

ISO/IEC 27003

An international standard on providing "implementation guidance" for ISMS Hint: It takes "3" to "implement" an IT crowd

ISO/IEC 27031

An international standard that describe the concepts and principles of information and communication technology (ICT) readiness

ISO/IEC 27004

An international standard that provide guidance on how "metrics" can be used to measure success of a ISMS NIST SP 800-55 is the U.S. counterpart Hint: four-eyes can read these things

ISO/IEC 27002

An international standard that provides best practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS) to support CIA Replaced ISO/IEC 17799 which replaced BS 7799

ISO 27799

An international standard that provides directives on protecting personal health information Hint: Jerry had bad health in 77 and Prince after 1999

ISO/IEC 27001

An international standard that provides for the establishment, implementation, control and improvement of the information management system (ISMS) Uses the Plan, Do, Check, Act (PDCA) methodology

ISO/IEC 27005

An international standard that provides guidance for a "risk management" framework Hint: High 5'ing dirty hands is a bacteria risk

ISO/IEC 27006

An international standard to provide guidance for auditing and certifying ISMS Hint: Mark of the beast to pass audit

Uses the Plan, Do, Check, Act (PDCA)

An iterative four-step management method used in business for the control and continual improvement of processes and products

Security Policy

An overall general statement produced by senior management that dictates what role security plays within the organization Annually reviewed and should be kept confidential from outsiders Strategic and Mandatory Should be reviewed in case of security breach

Threat Exposure

Another name for vulnerability

Event

Any occurrence that takes place during a certain period of time, but which may or may not warrant as a security incident

Single Points of Failure (SPOF)

Any single input to a process that, if missing, would cause the process or several processes to be unable to function

Business Continuity Planning (BCP)

Assessing the risks to organizational processes and creating policies, plans and procedures to minimize the impact those risks might have on the organization if they were to occur Used to maintain the continuous operation of a business in the event of an emergency situation If the continuity is broken, then business processes have stopped and the organization is in disaster mode; thus, disaster recovery planning (DRP) takes over 1) Project scope and planning 2) Business impact assessment (BIA) 3) Continuity planning 4) Approval and implementation

Data Owner

Assigned to the person who is responsible for classifying information for placement and protection within the security solution Typically a high-level manager who is ultimately responsible for data protection

Collusion

At least two people are working together to cause some type of destruction or fraud

Noncompete Agreement (NCA)

Attempts to prevent an employee with special knowledge of secrets from one organization from working in a competing organization in order to prevent that second organization from benefiting from the worker's special knowledge of secrets

AAA

Authentication, authorization, accountability and identification

Arms Export Control Act of 1976

Authorizes the President to designate those items that shall be considered as defense articles and defense services and control their import and the export

Employment Candidate Screening

Based on the sensitivity and classification defined by the job description The sensitivity and classification of a specific position is dependent on the level of harm that could be caused by accidental or intentional violations of security by a person in the position

Strategic Alignment

Both business drivers and regulatory/legal requirements are being met by a security enterprise architecture

Thrill Attack

Bragging rights and pride of conquering a secure system

COBIT Principle 3

COBIT Principle #? Applying a single integrated framework

COBIT Principle 2

COBIT Principle #? Covering the enterprise end-to-end

COBIT Principle 4

COBIT Principle #? Enabling a holistic approach

COBIT Principle 1

COBIT Principle #? Meeting stakeholder needs

COBIT Principle 5

COBIT Principle #? Separating governance from management

Process Management Development Examples

Capability Maturity Model Integration (CMMI) ITIL Six Sigma

Identification

Claiming an identity when attempting to access a secure area or system

OECD - Collection Limitation

Collection of personal data should be limited, obtained by lawful and fair means and with the knowledge of the subject

CIA

Confidentiality, Integrity and Availability

Secondary Evidence

Consists of copies of original documents, oral descriptions and computer-generated logs

Hearsay Evidence

Constitutes second-hand evidence Computer logs of a crime would be consider this unless legally authenticated in some way

Click-through License Agreement

Contract terms are either written on the software box or included in the software documentation During the installation process, you are required to click a button indicating that you have read the terms of the agreement and agree to abide by them

Compensating

Controls that substitute for the loss of primary controls and mitigate risk down to an acceptable level A control type that provides an alternate solution to one that is either impossible or too expensive to implement

Electronic Discovery (eDiscovery)

Describes a standard process for conducting eDiscovery with nine steps 1) Information Governance 2) Identification 3) Preservation 4) Collection 5) Processing 6) Review 7) Analysis 8) Production 9) Presentation

Personal Files

Not considered an asset at an organization

Terrorist Attack

Damaging the ability to communicate and respond to a physical attack

Service Organization Control (SOC)

Designed to help service organizations that provide services to other entities, build trust and confidence in the service performed and controls related to the services through a report by an independent auditing firm Should your organization trust this cloud service to do due diligence like you AICPA Reports come in three formats: 1) SOC-1 2) SOC-2 (test results) 3) SOC-3 (public)

OECD - Openness

Developments, practices and policies regarding personal data should be openly communicated. In addition, subjects should be able to easily establish the existence and nature of personal data, its use, and the identity and usual residence of the organization in possession of that data

Grudge Attack

Disclosing embarrassing personal information Launching a virus on an organization's system Sending inappropriate email with a spoofed origination address of the victim organization

Advisory Policy

Discusses behaviors and activities that are acceptable and defines consequences of violations Explains senior management's desires for security and compliance within an organization

Enterprise Architecture Development Examples

DoDAF MoDAF SABSA Model TOGAF Zachman Framework

DRM Responsibilities for ISPs

Does not hold ISP liable for the "transitory activities" if these conditions are met: 1) The transmission must be initiated by a person other than the provider 2) The transmission, routing, provision of connections, or copying must be carried out by an automated technical process without selection of material by the service provider 3) The service provider must not determine the recipients of the material 4) Any intermediate copies must not ordinarily be accessible to anyone other than anticipated recipients, and must not be retained for longer than reasonably necessary 5) The material must be transmitted with no modification to its content Cache and logs also exempt but they must be removed quickly upon notification

BCP Documentation (Justification)

Ensures that BCP personnel have a written continuity document to reference in the event of an emergency, even if senior BCP team members are not present to guide the effort Provides a historical record of the BCP process that will be useful to future personnel seeking to both understand the reasoning behind various procedures and implement necessary changes in the plan Forces the team members to commit their thoughts to paper

Governance

Ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes and addresses how expected performance will be evaluated

Testimonial Evidence

Evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition Witnesses must take an oath agreeing to tell the truth, and they must have personal knowledge on which their testimony is based Cannot be based on hearsay

Comprehensive Crime Control Act of 1984 (CCCA)

Exclusively covers computer crimes that crossed state boundaries to avoid infringing on states' rights and treading on thin constitutional ice 1) Access classified information or financial information in a federal system without authorization or in excess of authorized privileges 2) Access a computer used exclusively by the federal government without authorization 3) Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself) 4) Cause malicious damage to a federal computer system in excess of $ 1,000 5) Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual 6) Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system

Wassenaar Arrangement

Export controls for "Conventional Arms and Dual-Use Goods and Technologies" which includes cryptography and computers Established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations Post Cold War agreement w/41 countries

Economic and Protection of Proprietary Information Act of 1996

Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage This changed the legal definition of theft so that it was no longer restricted by physical constraints

Preventive Access Control

Fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access-control methods, encryption, auditing, presence of security cameras or CCTV, smartcards, callback procedures, security policies, security-awareness training, antivirus software, firewalls, and intrusion prevention systems (IPSs)

Pareto Principle (80:20 rule)

Fix the biggest risks first since 80% of the consequences stem from 20% of the causes

PII Examples

Full name (if not common), national Id number, IP address (in some cases), vehicle registration plate number, driver's license number, biometrics, credit card numbers, digital identity, birthday Less enforced: first or last name, address, age, gender, race, school, workplace, criminal record, grades, salary, job title

Blueprints

Functional definitions for the integration of technology into business processes

Relevant Evidence

Has any tendency to make a fact more or less probable than it would be without the evidence

Criticality

How important something is to the organization's mission The higher the level, the more likely the need to maintain the confidentiality of the information High levels are essential to the operation or function of an organization

Recovery Time Objective (RTO)

How quickly you need to have that application's information available after downtime has occurred The time period after a disaster that a system can remain online before business fails This is the organization's definition of the acceptable amount of time an IT system can be off-line THIS value should always be less than MTD

Risk Governance vs. Risk Management

In regards to "risk", __________ is what needs to be accomplished and __________ say how it will be done

Alternative System

In the event that it's not feasible to harden a facility against a risk, your BCP should identify alternate sites where business activities can resume immediately (or at least in a period of time that's shorter than the maximum tolerable downtime for all affected critical business functions)

Documentary Evidence

Includes any written items brought into court to prove a fact at hand and must also be authenticated Should follow best evidence and parol evidence rules

RMF - Authorize

Information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable

Intellectual Property

Intangible property that is created as the result of a creative act

Isolation

Keeping something separate from others

Behavior Modification

Learning on behalf of the user usually through training and awareness

Advanced Persistent Threat (APT)

Long term attack consisting of multiple vectors usually carried out by organized crime or governments

FIPS 199 Security Classifications

Low Medium High

Identity Theft and Assumption Deterrence Act

Makes identity theft a crime against the person whose identity was stolen and provides severe criminal penalties (up to a 15-year prison term and/ or a $ 250,000 fine) for anyone found guilty of violating this law

Hardening Provisions

Mechanisms and procedures that can be put in place to protect your "existing facilities" against the risks defined in the strategy development phase This might include steps as simple as patching a leaky roof or as complex as installing reinforced hurricane shutters and fireproof walls

Corrective Access Control

Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred It attempts to correct any problems that occurred as a result of a security incident Rebooting, quarantine a virus, etc.

RMF - Monitor

Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials

Education

More detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks Often associated with users pursuing certification or seeking job promotion

Hacktivist

Motivated by political beliefs and thrill seeking

NIST SP 800-34 Step 2

NIST SP 800-34 Step #? Conduct the business impact analysis (BIA) Identify critical functions and systems and allow the organization to prioritize them based on necessity Identify vulnerabilities and threats and calculate risks

NIST SP 800-34 Step 4

NIST SP 800-34 Step #? Create contingency strategies Formulate methods to ensure systems and critical functions can be brought online quickly

NIST SP 800-34 Step 5

NIST SP 800-34 Step #? Develop an information system contingency plan Write procedures and guidelines for how the organization can still stay functional in a crippled state

NIST SP 800-34 Step 1

NIST SP 800-34 Step #? Develop the continuity planning policy statement Write a policy that provides the guidance necessary to develop a BCP and that assigns the authority to the necessary roles to carry out these tasks

NIST SP 800-34 Step 7

NIST SP 800-34 Step #? Ensure plan maintenance Put in place steps to ensure the BCP is a living document that is updated regularly

NIST SP 800-34 Step 6

NIST SP 800-34 Step #? Ensure plan testing, training and exercises Test the plan to identify deficiencies in the BCP and conduct training to properly prepare individuals on their expected tasks

NIST SP 800-34 Step 3

NIST SP 800-34 Step #? Identify preventive controls Once threats are recognized, identify and implement controls and countermeasures to reduce the organization's risk level in an economical manner

Risk Management Framework Examples

NIST SP 800-37 ISO 31000:2009 ISACA Risk IT COSO

OECD - Use Limitation

Only with the consent of the subject or by the authority of law should personal data be disclosed, made available, or used for purposes other than those previously stated

Defense-in-Depth Security Controls

Physical -> Logical/Technical -> Admin -> ASSET

ISC^2 Code of Ethics Canon 1

Protect society, the commonwealth (nation), and the infrastructure

1991 US Federal Sentencing Guidelines

Provided punishment guidelines to help federal judges interpret computer crime laws 1) Formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation 2) Allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties 3) Three burdens of proof for negligence a) The person accused of negligence must have a legally recognized obligation b) The person must have failed to comply with recognized standards c) There must be a causal relationship between the act of negligence and subsequent damages

Informative Policy

Provides support, research, or background information relevant to the specific elements of the overall policy

System Development Management

Provides technical support for hardware and software environment by developing, installing and operating the requested system

Information Systems Risk Management (ISRM) Policy

Provides the foundation and direction for the organization's security risk management process and procedures and should address all issues of information security

Authentication

Proving that you are that identity

OECD - Security Safeguards

Reasonable safeguards should be put in place to protect personal data against risks such as loss, unauthorized access, modification and disclosure

Auditing

Recording a log of events and activities related to the system and subjects

NIST SP 800-53

Security and Privacy Controls for Federal Information Systems and Organization Provides a catalog of security controls for all U.S. federal IT systems except those for national security and checklist for FISMA auditors Technical, management and operational Hint: # of rosary beads ... better run through them all to be compliant above

Process Enhancement

Security enablement should also be viewed as an opportunity to make things better in regards to the process that it is trying to protect

Detective Access Control

Security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation, mandatory vacations, audit trails, honeypots or honeynets, IDSs, violation reports, supervision and reviews of users, and incident investigations

Business Enablement

Security should not get in the way of business process, but should be implemented to better enable them

System Integrity

Seeks to protect a system such as an OS from unauthorized modifcation

Data Integrity

Seeks to protection information from unauthorized modification

Circumstantial Evidence

Serves to establish the events related to particular points or other evidence

Discretion

Shown by a person when choosing to control disclosure of something An act of decision where an operator can influence or control disclosure in order to minimize harm or damage

Freeware

Software that is publicly available free and charge and can be used, copied, studied, modified and redistributed without restriction

Shareware/Trialware

Software that vendors use to market their product based on a free, trail version in hopes that once the trail ends the users will buy it

Exposure

Something being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event Doesn't mean that a realized threat (an event that results in loss) is actually occurring

Trade Secret

Something that is proprietary to a company and important for its survival and profitability Use of NDAs and other protective measures

Real Evidence

Something that is tangible or physical object such as a knife or bloody glove

Asset

Something the provides value (usually in dollars) to an organization whether tangible or intangible Anything within an environment that should be protected

Project Scope and Planning

Step 1 of BCP 1) Structured analysis of the business's organization from a crisis planning point of view 2) The creation of a BCP team with the approval of senior management 3) An assessment of the resources available to participate in business continuity activities 4) An analysis of the legal and regulatory landscape that governs an organization's response to a catastrophic event

Business Organization Analysis

Step 1 of BCP's Project Scope and Planning 1) Operational departments that are responsible for the core services the business provides to its clients 2) Critical support services, such as the information technology (IT) department, plant maintenance department, and other groups responsible for the upkeep of systems that support the operational departments 3) Senior executives and other key individuals essential for the ongoing viability of the organization First, provides the groundwork necessary to help identify potential members of the BCP team Second, it provides the foundation for the remainder of the BCP process

Identify Priorities

Step 1 of BIA A great way to divide the workload of this process among the team members is to assign each participant responsibility for drawing up a prioritized list that covers the business functions for which their department is responsible This helps to define the qualitative metrics first before moving onto quantitative

Strategy Development

Step 1 of Continuity Planning Determines which risks require mitigation and the level of resources that will be committed to each mitigation task Bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP

Spoofing

Step 1 of STRIDE An attack with the goal of gaining access to a target system through the use of a falsified identity wit the goal to bypass authorization

Business Impact Assessment (BIA)

Step 2 of BCP Identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources Assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business 1) Identify Priorities 2) Risk Identification 3) Likelihood Assessment 4) Impact Assessment 5) Resource Prioritization

BCP Team Selection

Step 2 of BCP's Project Scope and Planning Picking the right members of a BCP team 1) Representatives from each of the organization's departments responsible for the core services performed by the business 2) Representatives from the key support departments identified by the organizational analysis 3) IT representatives with technical expertise in areas covered by the BCP 4) Security representatives with knowledge of the BCP process 5) Legal representatives familiar with corporate legal, regulatory, and contractual responsibilities 6) Representatives from senior management

Provisions and processes

Step 2 of Continuity Planning The BCP team designs the specific procedures and mechanisms that will mitigate the risks deemed unacceptable during the strategy development stage Three categories of assets must be protected: 1) People 2) Buildings/Facilities 3) Infrastructure

Tampering

Step 2 of STRIDE Any action resulting in the unauthorized changes or manipulation of data, whether in transit or in storage Used to falsify communications or alter static information Such attacks are a violation of integrity as well as availability

Continuity planning

Step 3 of BCP Focuses on developing and implementing a continuity strategy to minimize the impact realized risks might have on protected assets 1) Strategy development 2) Provisions and processes 3) Plan approval 4) Plan implementation 5) Training and education

Resource Requirements

Step 3 of BCP's Project Scope and Planning What are the needed resources to support BCP? 1) BCP Development - The BCP team will require resources to perform the four steps of the BCP process 2) BCP Testing, Training and Maintenance - Hardware and software will be needed here 3) BCP Implementation - The actual stuff that will be needed to fight a disaster from pencils to labor

Likelihood Assessment

Step 3 of BIA Identifies the likelihood that each risk will occur Usually express as ARO

Plan Approval

Step 3 of Continuity Planning Attempt to have the plan endorsed by the top executive in your business— the chief executive officer, chairman, president or similar business leader

Repudiation

Step 3 of STRIDE The ability for a user or attacker to deny having performed an action or activity Often attackers engage in THIS in order to maintain plausible deniability so as not to be held accountable for their actions Can also result in innocent third parties being blamed for security violations

Approval and Implementation

Step 4 of BCP Critical to get top-level management endorsement of the plan

Impact Assessment

Step 4 of BIA Analyze the data gathered during risk identification and likelihood assessment and attempt to determine what impact each one of the identified risks would have on the business if it were to occur SLE, ALE

Plan Implementation

Step 4 of Continuity Planning The BCP team should get together and develop an implementation schedule that utilizes the resources dedicated to the program to achieve the stated process and provision goals in as prompt a manner as possible given the scope of the modifications and the organizational climate

Information Disclosure

Step 4 of STRIDE The revelation or distribution of private, confidential or controlled information to external or unauthorized entities This could include customer identity information, financial information or proprietary business operation details

Resource Prioritzation

Step 5 of BIA Create a list of all the risks you analyzed during the BIA process and sort them in descending order according to the ALE computed during the impact assessment phase Provides you with a prioritized list of the risks that you should address Here both qualitative and quantitative lists will need to be merged

Training and Education

Step 5 of Continuity Planning All personnel who will be involved in the plan (either directly or indirectly) should receive some sort of training on the overall plan and their individual responsibilities Everyone in the organization should receive at least a plan overview briefing to provide them with the confidence that business leaders have considered the possible risks posed to continued operation of the business and have put a plan in place to mitigate the impact on the organization should business be disrupted

Procedures

Step-by-step instructions that should be performed to achieve a certain goal Tactical and Mandatory

OECD - Individual Participation

Subjects should be able to find out whether an organization has their personal information and what that information is, to correct erroneous data and to challenge denied requests to do so

OECD - Purpose Specification

Subjects should be notified of the reason for the collection of their personal information at the time that it is collected and organizations should only use it for that state purpose

Guidelines

Suggestions/recommendations Tactical and Not Mandatory

Confidentiality

Supports the principle of "least privilege" by providing that only authorized individuals, processes, or systems should have access to information on a need-to-know basis

Cloud Service License Agreement

Take click-through agreements to the extreme. Most cloud services do not require any form of written agreement and simply flash legal terms on the screen for review In some cases, they may simply provide a link to legal terms and a check box for users to confirm that they read and agree to the terms

Qualitative Decision Making

Takes non-numerical factors, such as emotions, investor/ customer confidence, workforce stability and other concerns into account This type of data often results in categories of prioritization (such as high, medium, and low)

Due Care

Taking the precautions that a reasonable and competent person would take A legal liability concept that defines the minimum level of information protection that business must achieve Means by which an entity can ensure that its business practices are practices that any reasonable individual would consider prudent and appropriate The process of measuring business practices against the judgement of any reasonable individual is also know as the Prudent Man Rule An entity's liability is its legal responsibility for any "action or lack" of action that puts the entity or any other entity at risk e.g., Someone who ignores a security warning and clicks through a malicious website would not be practicing this but instead "culpable negligence" Hint: Caring for the kid

Business Attack

Targets proprietary information stored on a civilian organization's system

Training

Teaching employees to perform their work tasks and to comply with the security policy Awareness if the prerequisite to THIS

Direct Evidence

Testimony provided by a witness regarding what they actually experienced through their five senses

Copyright Directive

The EU's version of the Digital Millennium Copyright Act (DMCA)

Chain of Custody

The PRIMARY goal is to ensure that it will be admissible in court 1) Who obtained the evidence 2) What was the evidence 3) Where and when the evidence was obtained 4) Who secured the evidence 5) Who had control or possession of the evidence

Risk Avoidance

The act of eliminating/terminating the process that creates the risk Must be legal to do so

Concealment

The act of hiding or preventing disclosure Often viewed as a means of cover, obfuscation or distraction

Outsourcing

The act of hiring/contracting an outside company to do something for the company You are still ultimately responsible for the risk SLA, Audits (SAS 70), Onsite Inspections (due diligence)

Risk Mitigation

The act of implementing safeguards/controls to reduce risk to an acceptable level

Secrecy

The act of keeping something a secret or preventing the disclosure of information

Residual Risk

The amount of risk left over after a risk response the risk that management has chosen to accept rather than mitigate Too expensive to eliminate all risk in many cases

Defense in Depth

The coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. "Castle Approach" usually done in a "serial" fashion

Internet Architecture Board (IAB)

The coordinating committee for Internet design, engineering and management and responsible for the architectural oversight of the Internet Engineering Task Force (IETF), Internet Standards Process oversight and appeal and editor of Requests for Comments (RFCs) Access to and use of the Internet is a privilege and should be treated as such by all users of the systems See RFC 1087

Annual Loss Expectancy (ALE)

The cost of a loss per year SLE * ARO

Control Gap

The difference between total risk and residual risk

Attack

The exploitation of a vulnerability by a threat agent In other words, an attack is any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets

Total Cost in Ownership (TCO)

The financial estimate of the direct and indirect costs of a product or system

California Senate Bill 1386

The first privacy breach notification law that requires any organization that suffers a breach that involves the personal data of a California resident to report the breach to that resident

American Institute of Certified Public Accountants (AICPA)

The group that standardized the Service Organization Control (SOC) audits

Business Continuity Management (BCM)

The holistic, overreaching management process that covers all aspects of both BCP and DRP thus allowing the organization to perform business operations under various conditions

RMF - Categorize

The information system and the information processed, stored and transmitted by that system based on an impact analysis

Business Continuity Coordinator

The leader for the BCP team who will oversee the development, implementation and testing of the business continuity and disaster recovery plans

Risk

The likelihood that a threat will exploit a vulnerability and the corresponding business impact = threat * vulnerability * asset value

Maximum Tolerable Downtime (MTD)

The maximum length of time a business function can be inoperable without causing irreparable harm to the business

Risk Analysis

The method of doing qualitative and quantitative analysis once the risk assessment completes so management can prioritize and allocate resources to protect assets accordingly The process by which the goals of risk management are achieved Here we analyze the data

Annualized Rate of Occurrence (ARO)

The number of times a business expects to experience a given disaster each year If a earthquake is predicted to occur one every 30 years then THIS will be 1/30

Gross Negligence

The opposite of due care which could result in negative legal liability

Enterprise Architecture Frameworks (EAF)

The practice of organizing and documenting a company's IT assets to enhance planning, management and security Zachman, TOGAF, DoDAF, MoDAF, SABSA

Documentation Review

The process of reading the exchanged materials and verifying them against standards and expectations Typically performed before any on-site inspection takes place

Enterprise Security Architecture (ESA) Framework

The processes used to plan, allocate and control information security resources

Patent

The protection (monopoly) of an invention Valid for 20 years from initial file date which then become publicly available The STRONGEST form of intellectual property protection Must be novel, unique and not obvious

Trademark

The protection of a distinguishing name, logo or symbol that represents a product brand or business (TM) is unregistered and (R) is registered (but protected either way) at USPTO Intent to use is an advantage for (R) Initial term is 10 years and can renew forever

Sensitivity

The quality of information, which could cause harm or damage if disclosed Maintaining confidentiality helps to prevent harm or damage

Third-party Governance

The system of oversight that may be mandated by law, regulation, industry standards, contractual obligation or licensing requirements Focuses on verifying compliance with stated security objectives, requirements, regulations, and contractual obligations

Alteration

The unauthorized modification of data and is the opposite of integrity

Disclosure

The unauthorized release of data and is the opposite of confidentiality

Standards

These lay out specific steps or processes required to meet a certain requirement and give policy its support and reinforcement in direction Usually very technical Tactical and Mandatory

Senior Management Role

These people are ultimately responsible for security within the organization through policy

SOC-2

This AICPA report contains the auditor testing and results

SOC-1

This AICPA report covers only internal controls over financial reporting Simplest of the three

SOC-3

This AICPA report provides the highest level of certification and assurance of operational excellence that a data center can receive Provides a system description and the auditor's opinion

Confidence Level

This is the degree you have confidence in when estimating the value of something during risk analysis Expressed as a percentage

Economic Co-operation and Development (OECD)

This organization created the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data Primarily focused global organizations moving data across country boundaries securely by following a set of principles

Separation of Duties

This preventative security practice that ensures one individual cannot complete a critical task alone - others are required Creates a system of checks and balances Avoids conflicts of interest e.g., The nuke codes and keys

Postmortem Review

This should be conducted within a week of a security incident by CIRTs

Cybersquatting

URL that someone else wants

Asset Value (AV)

What something is worth in currency

Loss Potential

What the company would lose if a threat agent actually exploited a vulnerability Immediate damage

Parol Evidence

When an agreement between parties is put into written form, the written document is assumed to contain ALL of the terms of the agreement and no verbal agreements may modify the written agreement

Enticement

When law enforcement makes the conditions for commission of a crime favorable where someone had the intent to break the law in the first place

Entrapment

When law enforcement persuades someone to commit a crime when they had no intention to commit it in the first place

Psychological Acceptability

When talking about security controls where users may think it is too complicated or intrusive to the point that they will not use it

CMMI Level 3

Which CMMI level #? Defined Processes characterized for the organization and is proactive

CMMI Level 1

Which CMMI level #? Initial Process unpredictable, poorly controlled and reactive

CMMI Level 2

Which CMMI level #? Managed Processes characterized for projects and is often reactive

CMMI Level 5

Which CMMI level #? Optimizing Focus on process improvement

CMMI Level 4

Which CMMI level #? Quantitatively Managed Processes measured and controlled

SWOT - Strengths

Which SWOT category? Characteristics of the project team that give it an advantage over others

SWOT - Weaknesses

Which SWOT category? Characteristics that place the team at a disadvantage relative to others

SWOT - Threats

Which SWOT category? Elements that could contribute to the project's failure

SWOT - Opportunities

Which SWOT category? Elements that could contribute to the project's succss

Shrink-wrap License Agreement

Written on the outside of the software packaging Commonly include a clause stating that you acknowledge agreement to the terms of the contract simply by breaking the shrink-wrap seal on the package

Confidential vs. Private Data

__________ and __________ data in a commercial business/private sector classification scheme both require roughly the same level of security protection The real difference between the two labels is that __________ data is company data whereas __________ data is data related to individuals, such as medical data

Interview vs. Interrogation

__________ involves open questions to gather information while __________ involves closed-ended questions with a specific and adversarial goal in mind -- when in doubt contact legal