Module 5: Risk Management
role-based training
Specialized training that is customized to the specific role that an employee holds in the organization. Related jobs like writing code testing product Users need to be aware of their roles
Hot and cold aisles
The aisles in a server room or data center that circulate cold air into the systems and hot air out of them. Usually, the systems and cabinets are supported by a raised floor. When placing servers in a server rack make sure that servers air intake toward the cold aisle
Mean Time to Repair (MTTR)
The average time required to repair a single resource or function when a disaster or other disruption occurs. Describes the average amount of time it takes to get a device fixed and back online.
Single Loss Expectancy (SLE)
The expected monetary loss every time a risk occurs. SLE= AV x EF. ASSET VALUE EXPOSURE FACTOR
Annualized Loss Expectancy (ALE)
The expected monetary loss that can be expected for an asset due to a risk over a one-year period. ALE = SLE X ARO
Deterrent control type
Use of operational mgmt and technical controls Personnel guards like a fence-opera Openly displaying security policies to emphasize leak implications-management Giving access to selective systems, technical
Mandatory Vacations
When an organization requires that an employee take a certain amount of days of vacation consecutively. Allows for company to audit transactions or employees work
Single Points of Failure
When the failure in a single component of a system can cause a system to fail or be seriously degraded Part of a system which if it fails will stop the entire system from working Eg. front end web servers that is connected to several distributed databases serversv An admin is assigned several tasks critical to continuity
Residual Risk
the risk that remains after management implements internal controls or some other response to risk. Risk left over after a detailed security plan
Mean Time Between Failures (MTBF)
A measurement of error occurrences that can be tracked over time to indicate the quality of a system. Measures product reliability. Usually given in units of hours, the higher the MTBF the more reliable
Exit interview
A meeting of a departing employee with the employee's supervisor and/or a human resource specialist to discuss the employee's reasons for leaving. Allows company to figure out why employees left. Allows company to see what project person is working on. Gives you a opportunity to figure out next steps for role that is being left like if there is someone able to fill the role
Clean desk policy
An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every work day. Helps prevent mission critical documents from being lost Prevents passwords potentially being lost and used to break into systems
Track man hours
Combined with surveillance to give accurate analysis Can be compared with witness interviews Discrepancy logged in work hours can be tracked
Memorandum of Agreement (MOA)
General areas of conditional agreement between two or more parties Documents the exchange of services Not legally enforceable Shows that both parties are on same page.
Technical control types something your implement
Least Privilege implementations Identification and authentication Access control Audit and accountability System and communication protection
It security framework
Series of documented processes that are used to define policies and procedures for the implementation and ongoing management of security controls in an enterprise environment j
Retention Policy
Set down rules for how different kinds of information are retained
Risk Transference
Shifting the consequence of a risk and responsibility for its management to a third party
Memorandum of Understanding (MOU)
A document executed between two parties that defines some form of agreement. More like loose agreements May not have strict agreements or guidelines
Security policy
A document that outlines procedures regarding physical security, and the protection of data, research and development, and customer information. Creating a security policy should be first step in creating a security policy baseline
legal hold
A court order to preserve data for the purposes of an investigation. Upon receipt of a legal hold notification, a company is required to activate a defensible policy for the preservation of the data.
disaster recovery plan
A detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood Make sure it's being tested to make sure it actually works. Allows you t know what tweaks to make
Service Level Agreement (SLA)
A negotiated agreement between the customer and the vendor. The SLA may specify the levels of availability, serviceability, performance, operation, or other commitment requirements. End to end traffic performance guarantee made by a service provider to a customer Guarantees certain amount of system uptime to a client as well as service details Also guarantees levels of performance
System administrator
A person who is responsible for managing computers, networks, servers, and other computing resources for an organization or group.
Incident Response Plan
A plan that an organization uses to categorize a security threat, determine the cause, preserve any evidence, and also get the systems back online so the organization can resume business. Handle in ways that limit damage and reduces recovery time
Acceptable Use Policy (AUP)
A policy that defines the actions users may perform while accessing systems and networking equipment. Defines how to use certain types of data
Acceptable Use Policy (AUP)
A policy that defines the actions users may perform while accessing systems and networking equipment. Employees sign this type of policy that describes the proper methods and use of network systems Like company instructing employee what sites they can browse Helps restrict ways network is used
Risk Avoidance
A risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact. Risk management that involves taking steps to remove a hazard engage in alternative activity
Control Objectives for Information and Related Technology (COBIT)
A security and control framework that allows 1) management to benchmark the security and control practices of IT environments, 2) users of IT services to be assured that adequate security and control exist, and 3) auditors to substantiate their internal control opinions and advise on IT security and control matters COBIT divides IT into 4 sections Plan and organize Acquire and implement Deliver and support Monitor and evaluate
Incident Response
A set of procedures that an investigator goes by when examining a computer security incident.incodent response is part of incident management
impact assessment
AST step of risk assessment. It's when you determine potential monetary costs related to a threat. Provide info on how to deal with risk
California SB 1386
Act requires business to immediately disclose breaches of security
Interconnection Security Agreement (ISA)
An agreement between parties to establish procedures for mutual cooperation and coordination between them with respect to security requirements associated with their joint project. Detailed document that's defined the technique details of how two different company it networks will be connected together. Two companies using credit card info
supply chain assessment
An assessment of the processes by which organizations receive necessary goods and services from third parties. The trustworthiness of any supply chain that your business is using is important to keep in mind
Privacy Impact Assessment (PIA)
An assessment that determines the impact on the privacy of the individuals whose data is being stored, and ensures that the organization has sufficient security controls applied to be within compliance of applicable laws or standards. May be hard to asses until leak becomes public but conducting assessment can help minimize potential impact on safety finance and reputation
redundant power supply
An enclosure that contains two complete power supplies, the second of which turns on when the first fails.
Business Impact Analysis (BIA)
An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems. Recovery point objective. Defines a business goal for systems restoration and acceptable data loss Recovery time objective defines goal for acceptable downtime Hot backups if there is low time threshold
data sensitivity labeling
Applying the correct category to data to ensure proper data handling. Confidential data Highly sensible data intended for limited specific use by a workgroup department or group of individuals Explicit authorization by data steward is needed to access. Need to know basis Public data Data should be classified as public when the unauthorized disclosure alteration or destruction of that data would result in little or no rush to company Examples are press releases course information and research publications Still needs some level of control to prevent unauthorized modification Private data should be classified as private when unauthorized disclosure alteration or destruction of thats data results in moderate level of risk Reasonable levels of security controls should be applied to protect. Data that is not classified as public or confidential is private. Proprietary data Internally generated data associated with a company Data associated with a firm to safeguard from a competitor Something copy-written or has nda Personable identification information
Incremental backup
Backup of all data that has changed since last normal or incremental backup Clears archive bit. Faster backups per night
Differential backup
Backup of data that has changed since last normal or incremental backup Does not clear archive bit. Don't tell system they have been backed up
Line up conditioner
Cleans yo electrical signals and smooths them out.
Normal or full backup
Clears the archive bit telling windows they've been backed up.
Incident types
Compromised computing resources System account compromises. User account compromised Email based abuse Unsolicited commercial email Phishing emails. Spam Copyright infringement Network and resource abuses Network scanning activity Denial of service attacks Resource musconfiguration Open proxy serves Misusedi licensed resources vulnerable configuration
Operational controls something you're doing
Day to day stuff Include Personnel security Physical and environmental protection Contingency planning Configuration management Maintenance System and information integrity Media protection Incident response Awareness and training
Due diligence
Ensuring that IT infrastructure risks are known and managed. Organization spends time assessing risk and vulnerability
Cyber Incident response teams
Incident response team responsible for responding to security breaches viruses and other incidents Should include experts who can guide executives Normally operates in conjunction with other enterprise groups such as site security public relations and disaster recovery teams Should be able to escalate when incident is serious and is not being easily solved and CIRT has exhausted means within its own authority Effective responses requires preparation Preparation is education of users and IT staff of the importance of updated security measures and trains them to respond to computer and network security incidents quickly and correctly Identification is when response team is activated to decide whether a particular event is in fact a security incident Containment is when team determines how far problem has spread and contains it by disconnecting all affected systems and devices Eradication is when yeah investigates to discover origin of incident and has it removed Recovery is data and software systems restored from clean back up files. Systems are monitored for any sign of weakness Lesson learned when teM analyses the incident and how it was handled making recommendations
Administrative controls
Incorporate methods mandated by organizational policies or other like assessment job rotations, segregated duties, mandatory vacations
Data owner
Individuals, normally managers or directors, who have responsibility .for the integrity, accurate reporting and use of computerized data. Important to have data in question protected and only give access to those with proper credentials
HVAC
Industry shorthand term for "heating, ventilating, and air-conditioning
Information assurance
Is another name for risk management When referring to hardware and software. It assess resources and determines the cost and threats associated with them.
incident management
Is defined as the monitoring and detection security on a computer network and the execution of proper response to that event
Privacy Threshold Assessment
Part of a business impact assessment (BIA) that is used to determine if a system contains personally identifiable information (PII), whether a privacy impact assessment is required, and if any other privacy requirements apply to the IT system.
Secure disposal of computers
Sanitizer computer media Use a certified wipe application
Risk Aviodance
Not carrying out a proposed plan because the risk factor too much
Detectives control type
Operational Giving personnel guards monitoring surveillanceand recording video Management Personnel review and screenings Technical Having intrusion prevention and detection in place for relevant systems
Corrective control types
Operational Making sure aspects any contingency planning are maintained such as emergency power physical backups Management Updating personnel on the attack and retraining to deal with what they missed review contingency planning Technical Having back up protected and accessible to ensure quick recovery
Preventative control types
Operational is having a security guard Management regularly running risk assessment employee training Technical Having anti malware on system
Incident response manager
Overseas abs prioritizes actions during detection analysis and containment of an incident
Phases of Incident Response
Preparation is education of users and IT staff of the importance of updated security measures and trains them to respond to computer and network security incidents quickly and correctly Identification is when response team is activated to decide whether a particular event is in fact a security incident Containment is when team determines how far problem has spread and contains it by disconnecting all affected systems and devices Eradication is when yeah investigates to discover origin of incident and has it removed Recovery is data and software systems restored from clean back up files. Systems are monitored for any sign of weakness Lesson learned when teM analyses the incident and how it was handled making recommendations
Personal Management
Process of acquiring, training, developing, motivating, and appraising a sufficient quantity or qualified employees to preform necessary activities Background check is the process of looking of looking up an individual criminal commercial and financial history Outlines potential risks with hiring people
Data destruction
Process of destroying data stored on tapes hard disks and other electronic media Data destruction software needs to be used. Degaussing destroys data on disks by destroying it encrypting hard drive then delete data then destroying hard drive
Change Management
Process of requesting determine attainability planning implementing and evaluation of changes to a system When changing updating system make sure roll back procedures are in place in Case changes crash or are unstable
Data preservation
Processes that must occur to ensure information potentially relevant to pending litigation retains its authentic integrity
disaster recovery plan
Reactive plan that gets activated when disaster strikes Drop plans is at multiple offsite locations. Distance size essential Hot site is an active duplicate of original site with full computer systems as well as near complete backups of user data Cold site is the most inexpensive type of backup site. Simply lease on an empty building in event of disaster Warm site is mix of hot and cold site. Will have backups on hand but they may not be complete and may be several days old Lagos implications are going to factor to consider especially when using third part site
Continuity of Operations Plan (COOP)
Refers to the us government disaster recovery plan Described as restoringvmission essential functions at an alternate site and performing function for up to 30 days Mean time to restore is a metric deterring effectiveness Having alternate processing site is important for continuity as it allows operations to continue at another location Having alternate business practices are good to have in place for these situations
Chief Privacy Officer (CPO)
Responsible for ensuring the ethical and legal use of information Responsible for privacy of the data on organization Being able to use business strategy and procedures and apply it to business Organize plans and lastly looking at privacy program Looking at what we can do if someone breaches and what is done after breach
Control Types
Technical controls (logica): controls audit and journal integrity validations like authentication and file system permission. Access control list nothing that physically exists Mgmt controls like personnel screening separation of duties rotation of duties and least Privilege Operational control deals with day to day procedures. Mechanisms that include physical and environmental protection. Privileged entry commands change control Mgmt hardware controls Deterrent controls reduce likelihood of attacking Preventative control protect vulnerabilities reduce the impact of attack's or prevent attacks success Detective control detect an attack and may activate corrective controls. Corrective controls reduce impact of an attack
Due care
The mitigation action that an organization takes to defend against the risks that have been uncovered during due diligence. Happens after an attacking is identified. Assess severity of attack contain attack stop from harming performance
Order of Volatility
The order in which volatile data should be recovered from various storage locations and devices following a security incident. VolAtility can be thought of as amount of time you have to collect certain data before that window of opportunity is gone. CRSH CPU CACHE RAM Swap Hard drive
Data Custodian
The person/role within the organization who usually manages the data on a day-to-day basis on behalf of the data owner/controller. Ensures Access to data is authorized and controlled Technical process sustain data integrity Technical controls safeguard data Change management practices are applied Data content can be audited
Separation of Duties
The practice of requiring that processes should be divided between two or more individuals. Person can administer file and folder permission and someone in charge of auditing
Due Process
The principle that an organization must respect and safeguard the rights of its personnel
Annualized Rate of Occurrence (ARO)
The probability that a risk will occur in a particular year. Given by insurance companies
Purging
The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique. Also known as sanitizing
clearing
The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software file/data recovery utilities. Can be recoverable with certain techniques
mitigation control strategy
The risk control strategy that attempts to reduce the impact of a successful attack through planning and preparation
Management controls if it's a policy
Types include Security policy Risk assessment Planning System and services acquisition Certification accreditation and security assessment
Security analysts
Work directly with the affected network to research the time location and details of an incident Triage analysts filter out false positives and watch for intrusions Forensic analysts recover key artifacts and maintain integrity of evidence to ensure sound investigation Threat researcher complement security analysts by providing intelligence and context of an incident They comb the Internet to find things that may have been deportees externally
Identification of critical systems
You're looking for key components of business to ensure quick recovery from incident. Knowing which critical system is compromised will help for recovery Critical to ensure that physical assets are operating in order to acres non tangible assets
key escrow
a control procedure whereby a trusted party is given a copy of a key used to encrypt database data One master key able to decrypt other keys on system
job rotation
a job enrichment strategy that involves moving employees from one job to another Helps detect insider threat Can be paired with separation of duties Allows you to have more people that know how to use technology Continuity of operations
Non-Disclosure Agreement (NDA)
a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to or by third parties
single point of failure
a part of a system that, if it fails, will stop the entire system from working. Can be bypassed through redundancy
Risk Acceptance
a strategy in which the organization accepts the potential risk, continues to operate with no controls, and absorbs any damages that occur Publisher has discovered a design flaw
chain of custody
a written record of all people who have had possession of an item of evidence Needs to be documented to preserve evidence Established upon evidence retrieval
business partnership agreement
agreement between two business partners that establishes the conditions of the partner relationship "BPA"
uninterruptible power supply (UPS)
an alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down Measured in watts Laser printers and portable heater cooler not to be plugged in Rd 232 ports and advanced software for communications with pc abs servers Cost size technology need to be considered Key parameters include clamping speed how fast it can react and clamping voltage what voltage to drop right before ups kicks in Protects against power surge
FM 200 System
does not remove the oxygen from the air. Chemical reaction and heat removal. Should be connected to HVAC system. In the event of fire when co2 is released you don't want HVAC system blowing air in the room.
Risk Reduction
finding ways to lower your chance of incurring a loss. budgeting and it resources dictate level of risk reduction
Business Continuity Planning
outlines procedures for keeping an organization operational in the event of a natural disaster or network attack Removing single points of failure Business continuity planning and testing making sure day to day testing Disaster recovery It contingency planning Succession planning
Privacy Policy
policy that indicates what kind of information a website will take from you and what they intend to do with it Might sell data to marketing firms
Sarbanes-Oxley Act of 2002 Sox
requires that the CEO and CFO of large companies that have publicly traded stock personally certify that financial reports made to the SEC comply with SEC rules and that info in the reports are accurate.
Data steward
responsible for ensuring the policies and procedures are implemented across the organization and acts as a liaison between the MIS department and the business Person responsible for the management and fitness of data elements both content and metadata Data steward have a specialist role that incorporates processes
Standard Operating Procedures (SOPs)
specific sets of written instructions about how to perform a certain aspect of a task Used for business t give workers organized list of to dis or how to run operations Gives set of things to improve on by changing things on list to improve production Protects company against employees not complying to policy or industry regulation.
computer forensics
the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law Doing analysis on hard disk: Attach a read only drive connector Hash the hard dish (take fingerprint) Capture an image onto a new disk for analysis Hash the image you just made and compare hash the original hard drive again to make sure you didn't alter it DCFLDD. Doing for data acquisition Obtain and review network traffic logs will help point to suspicious activity Capture video from surveillance footage. Helps identifying and confirming persons that are present Take screenshot before and after incidents. Helps to determine potential problems and is used for keeping records Recording time offsets can help to initially notify you that something is up
Technical controls
use technology to reduce vulnerabilities; (identification and authentication, logical access control, audit and accountability, encryption, IDS, firewall)