WGU, Information Security and Assurance (C725), SET II


The six major elements of quantitative risk analysis

1. (AV) Assign Asset Value 2. (EF) Calculate Exposure Factor 3. (SLE) Calculate single loss expectancy 4. (ARO) Assess the annualized rate of occurrence 5. (ALE) Derive the annualized loss expectancy 6. Perform Cost Benefit Analysis

A security control that involves policies and procedures defined by an organization's security policy and other regulations or requirements. Examples include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.

Administrative controls a.k.a. Management controls

The __________ is the expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year. The __________ can range from a value of 0.0 (zero), indicating that the threat or risk will never be realized, to a very large number, indicating that the threat or risk occurs often. Calculating the __________ can be complicated. It can be derived from historical records, statistical analysis, or guesswork. __________ calculation is also known as probability determination. The __________ for some threats or risks is calculated by multiplying the likelihood of a single occurrence by the number of users who could initiate the threat.

Annualized Rate of Occurrence For example: The ARO of an earthquake in Tulsa may be .00001, whereas the ARO of an earthquake in San Francisco may be .03 (for a 6.7+ magnitude), or you can compare the ARO of an earthquake in Tulsa of .00001 to the ARO of an email virus in an office in Tulsa of 10,000,000.

An ________ is anything within an environment that should be protected. It is anything used in a business process or task. It can be a computer file, a network service, a system resource, a process, a program, a product, an IT infrastructure, a database, a hardware device, furniture, product recipes/formulas, intellectual property, personnel, software, facilities, and so on.

Asset

Businesses and agencies need this standard to help determine how much security is needed for appropriate protection. A rule of thumb states that one should never spend more on security than the value of the asset being protected. Benefits to this standard: Data confidentiality, integrity, and availability are improved because appropriate controls are used throughout the enterprise. Protection mechanisms are maximized. A process exists to review the values of company business data. Decision quality increases because the quality of the data upon which the decision is being made has been improved.

Asset and Data Classification

A dollar value assigned to an asset based on actual cost and nonmonetary expenses. These can include costs to develop, maintain, administer, advertise, support, repair, and replace an asset; they can also include more elusive values, such as public confidence, industry support, productivity enhancement, knowledge equity, and ownership benefits.

Asset valuation

An _______ is the exploitation of a vulnerability by a threat agent. In other words, it is any intentional attempt to exploit a vulnerability of an organization's security infrastructure to cause damage, loss, or disclosure of assets. It can also be viewed as any violation or failure to adhere to an organization's security policy.

Attack

Which of the following would be defined as an absence or weakness of a safeguard that could be exploited? A. A threat B. A vulnerability C. A risk D. An exposure

B. A vulnerability

Which of the following statements best describes IT security measures? A. IT security measures should be complex. B. IT security measures should be tailored to meet organizational security goals. C. IT security measures should make sure that every asset of the organization is well protected. D. IT security measures should not be developed in a layered fashion.

B. IT security measures should be tailored to meet organizational security goals. Explanation: IT Security Measures (Controls) are risk reducing acts (goals) that detect, prevent, or minimize loss associated with the occurrence of a specified threat or category of threats.

A _______ is the occurrence of a security mechanism being bypassed or thwarted by a threat agent. When a _________ is combined with an attack, a penetration or intrusion can result.

Breach

A common taxonomy classification for commercial businesses that can be described as information employees and other insiders need to perform their duties. This can include company directories (address books, email addresses, and so forth), invoice information, department budget information, internal policies, and so forth.

Business sensitive or business confidential

Which of the following should not be addressed by employee termination practices? A. Removal of the employee from active payroll files B. Return of access badges C. Employee bonding to protect against losses due to theft D. Deletion of assigned logon ID and passwords to prohibit system access

C. Employee bonding to protect against losses due to theft Explanation: Policies, standards, procedures and practices issued by human resources should address internal information security processes and functions. These documents should address pre-employment screening and background checks, processes for handling employee termination, creation and revocation of employee accounts, email and voice mail forwarding after departure, lock keys and safe combination changes, system password changes, and company property collections upon departure (for badges, credit cards, and so forth).

ALE before safeguard - ALE after implementing the safeguard - annual cost of safeguard (ACS) = value of the safeguard to the company

Calculating Safeguard Cost/Benefit

A job title: Establishes and maintains security and risk-management programs for information resources.

Chief information security officer (CISO)

A job title: Provide technical facilities, data processing, and other support services to owners and users of information resources.

Custodians of information resources

A common taxonomy classification for commercial businesses that is information that identifies individual customers of the business or institution and can include their purchase activity, account-specific information, credit card numbers, social security numbers (when needed), grades or course information (in the case of a university), or any other information considered personally identifiable information (PII) that dictates need-to-know or least privilege controls to ensure confidentiality and integrity.

Customer confidential

Which of the following choices is not part of a security policy? A. A definition of overall steps of information security and the importance of security B. A statement of management intent, supporting the goals and principles of information security C. A definition of general and specific responsibilities for information security management D. A description of specific technologies used in the field of information security regulations

D. A description of specific technologies used in the field of information security regulations Policies are the most crucial element in a corporate information security infrastructure and must be considered long before security technology is acquired and deployed.

In the decomposition process, the movement of data between locations

Data Flow Paths

The __________ is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants.

Delphi Technique

In the decomposition process, the declaration of the security policy, security foundations, and security assumptions

Details about Security Stance and Approach

Investigate the means by which datasets and documentation are exchanged as well as the formal processes by which they perform assessments and reviews.

Document Exchange and Review

The process of reading the exchanged materials and verifying them against standards and expectations. This review is typically performed before any on-site inspection takes place. If the exchanged documentation is sufficient and meets expectations (or at least requirements), then an on-site review will be able to focus on compliance with the stated documentation.

Documentation review

Being susceptible to asset loss because of a threat

Exposure

The __________ represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk. The __________ can also be called the loss potential. In most cases, a realized risk does not result in the total loss of an asset. The __________ simply indicates the expected overall asset value loss because of a single realized risk. The __________ is usually small for assets that are easily replaceable, such as hardware. It can be very large for assets that are irreplaceable or proprietary, such as product designs or a database of customers. The __________ is expressed as a percentage.

Exposure Factor

- Cost of purchase, development, and licensing - Cost of implementation and customization - Cost of annual operation, maintenance, administration, and so on - Cost of annual repairs and upgrades - Productivity improvement or loss - Changes to environment - Cost of testing and evaluation

Factors involved in calculating the value of a countermeasure

A job title: Maintains policies and procedures that provide for security and risk management of information resources.

Information resources manager

A job title: Directs policies and procedures designed to protect information resources (identifies vulnerabilities, develops security awareness program, and so forth).

Information resources security officer

In the decomposition process, locations where external input is received

Input Points

A job title: Conduct periodic risk-based reviews of information resources security policies and procedures.

Internal auditors

This policy addresses specific issues of concern to the organization. These issues could be regulatory in nature—for example, the Payment Card Industry (PCI) data security standard, Sarbanes-Oxley (SOX), or the Gramm-Leach-Bliley Act (GLBA), to name a few.

Issue-specific policy

Visit the site of the organization to interview personnel and observe their operating habits.

On-Site Assessment

A job title: Have the responsibility of carrying out the program that uses the resources. This does not imply personal ownership. These individuals might be regarded as program managers or delegates for the owner.

Owners of information resources

A _____________ is the condition in which a threat agent has gained access to an organization's infrastructure through the circumvention of security controls and is able to directly imperil assets.

Penetration

A security control that involves physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms

Physical controls

In the decomposition process, any activity that requires greater privileges than those of a standard user account or process, typically required to make system changes or alter security

Privileged Operations

Step-by-step instructions on how to perform a specific security activity (configure a firewall, install an operating system, and others)

Procedures

Request copies of their security policies, processes/procedures, and documentation of incidents and responses for review.

Process/Policy Review

This policy establishes the overall approach to computer security (as a computer security framework). This policy adds detail to the program by describing the elements and organization of the program and department that will carry out the security mission.

Program-framework policy

This policy is used for creating a management-sponsored computer security program. This policy, at the highest level, might prescribe the need for information security and can delegate the creation and management of the program to a role within the IT department. Think of this as the mission statement for the IT security program.

Program-level policy

A common taxonomy classification for commercial businesses that is intended for public dissemination. This might include marketing content on a website, direct mail inserts, directories of contact information, published annual reports, and so forth.

Public information

__________ analysis is more scenario based than it is calculator based. Rather than assigning exact dollar figures to possible losses, you rank threats on a scale to evaluate their risks, costs, and effects.

Qualitative Risk Analysis The process of performing qualitative risk analysis involves judgment, intuition, and experience. You can use many techniques to perform qualitative risk analysis: Brainstorming, Delphi technique, Storyboarding, Focus groups, Surveys, Questionnaires, Checklists, One-on-one meetings, Interviews

A type of risk analysis that assigns subjective and intangible values to the loss of an asset.

Qualitative risk analysis

A type of risk analysis that assigns real dollar figures to the loss of an asset.

Quantitative risk analysis

A security control that is an extension of corrective controls but has more advanced or complex abilities. Examples of _______ _______ include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.

Recovery controls

After determining the potential attack concepts, the next step in threat modeling is to perform ______________ analysis. ______________ analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements. Also known as decomposing the application.

Reduction analysis Whether an application, a system, or an entire environment, it needs to be divided into smaller containers or compartments. Those might be subroutines, modules, or objects if you're focusing on software, computers, or operating systems; they might be protocols if you're focusing on systems or networks; or they might be departments, tasks, and networks if you're focusing on an entire business infrastructure. Each identified sub-element should be evaluated in order to understand inputs, processing, security, data management, storage, and outputs.

Laws passed by regulators and lawmakers

Regulations

Once countermeasures are implemented, the risk that remains is known as _______ ______. The risk that management has chosen to accept rather than mitigate.

Residual risk: total risk - controls gap = residual risk

Reduce or mitigate, Assign or transfer, Accept, Deter, Avoid, Reject or ignore

Responses to risk

The possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset

Risk

The result after a cost/benefit analysis shows countermeasure costs would outweigh the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.

Risk Acceptance

The process by which the goals of risk management are achieved.

Risk Analysis

The placement of the cost of loss a risk represents onto another entity or organization. Purchasing insurance and outsourcing are common forms of _______ ________.

Risk Assignment a.k.a. Risk Transferring

The process of selecting alternate options or activities that have less associated risk than the default, common, expedient, or cheap option. For example, choosing to fly to a destination instead of driving to it is a form of _______ _______. Another example is to locate a business in Arizona instead of Florida to avoid hurricanes.

Risk Avoidance

The process of implementing deterrents to would-be violators of security and policy. Some examples include implementation of auditing, security cameras, security guards, instructional signage, warning banners, motion detectors, strong authentication, and making it known that the organization is willing to cooperate with authorities and prosecute those who participate in cybercrime.

Risk Deterrence

The implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats. Picking the most cost-effective or beneficial countermeasure is part of risk management, but it is not an element of risk assessment.

Risk Mitigation

A final but unacceptable possible response to risk is to reject risk or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.

Risk Rejection

A key task to perform at the conclusion of a risk analysis.

Risk reporting

Security controls or countermeasures that remove or reduce a vulnerability or protect against one or more specific threats. It can be installing a software patch, making a configuration change, hiring security guards, altering the infrastructure, modifying processes, improving the security policy, training personnel more effectively, electrifying a perimeter fence, installing lights, and so on. It is any action or product that reduces risk through the elimination or lessening of a threat or a vulnerability anywhere within an organization.

Safeguards

A __________ is a written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets. Generally, the __________ are limited to one page of text to keep them manageable.

Scenario

This is the collection of practices related to supporting, defining, and directing the security efforts of an organization. This is closely related to and often intertwined with corporate and IT governance.

Security governance

The EF is needed to calculate the __________. The __________ is the cost associated with a single realized risk against a specific asset. It indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat occurring.

Single Loss Expectancy (SLE)

Topic-specific (standards) and system-specific (baselines) documents that describe overall requirements for security

Standards and baselines

A step in the quantitative risk analysis. Inventory assets, and assign a value (asset value, or AV). (Asset value is detailed further in a later section of this lesson named "Asset Valuation.")

Step 1. Inventory assets and assign a value

A step in the quantitative risk analysis. Research each asset, and produce a list of all possible threats of each individual asset. For each listed threat, calculate the exposure factor (EF) and single loss expectancy (SLE).

Step 2. Research each asset

Perform a threat analysis to calculate the likelihood of each threat being realized within a single year—that is, the annualized rate of occurrence (ARO).

Step 3. Perform a threat analysis

A step in the quantitative risk analysis. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).

Step 4. Derive the overall loss

A step in the quantitative risk analysis. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an applied countermeasure.

Step 5. Research countermeasures

A step in the quantitative risk analysis. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most appropriate response to each threat.

Step 6. Perform a cost/benefit analysis

This policy focuses on policy issues that management has decided for a specific system.

System-specific policy

A security control that involves the hardware or software mechanisms used to manage access and to provide protection for resources and systems. Examples include authentication methods (such as usernames, passwords, smartcards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, intrusion detection systems (IDSs), and clipping levels.

Technical control a.k.a. logical control

A job title: Provide technical support for security of information resources.

Technical managers (network and system administrators)

Trust Boundaries, Data Flow Paths, Input Points, Privileged Operations, Details about Security Stance and Approach

The Five Key Concepts in the Decomposition process.

Step 1. Inventory assets and assign a value Step 2. Research each asset Step 3. Perform a threat analysis Step 4. Derive the overall loss Step 5. Research countermeasures Step 6. Perform a cost/benefit analysis

The six major steps or phases in quantitative risk analysis

Having an independent third-party auditor, as defined by the American Institute of Certified Public Accountants (AICPA), can provide an unbiased review of an entity's security infrastructure, based on Service Organization Control (SOC) reports. Statement on Standards for Attestation Engagements (SSAE) is a regulation that defines how service organizations report on their compliance using the various SOC reports. The SSAE 16 version of the regulation, effective June 15, 2011, was replaced by SSAE 18 as of May 1, 2017. The SOC1 and SOC2 auditing frameworks are worth considering for the purpose of a security assessment. The SOC1 audit focuses on a description of security mechanisms to assess their suitability. The SOC2 audit focuses on implemented security controls in relation to availability, security, integrity, privacy, and confidentiality. For more on SOC audits, see AICPA. For all acquisitions, establish minimum security requirements. These should be modeled from your existing security policy. The security requirements for new hardware, software, or services should always meet or exceed the security of your existing infrastructure. When working with an external service, be sure to review any service-level agreement (SLA) to ensure that security is a prescribed component of the contracted services. This could include customization of service-level requirements for your specific needs.

Third-Party Audit

This is the system of oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. The actual method of governance may vary, but it generally involves an outside investigator or auditor. These auditors might be designated by a governing body or might be consultants hired by the target organization.

Third-party governance

Any potential occurrence that may cause an undesirable or unwanted outcome for an organization or for a specific asset. They are any action or inaction that could cause damage, destruction, alteration, loss, or disclosure of assets or that could block access to or prevent maintenance of assets. They can be large or small and result in large or small consequences. They can be intentional or accidental. They can originate from people, organizations, hardware, networks, structures, or nature.

Threats

The amount of risk an organization would face if no safeguards were implemented. threats * vulnerabilities * asset value = total risk

Total risk

A common taxonomy classification for commercial businesses that is information that is severely restricted and protected through more strict need-to-know controls than customer confidential information. Some examples of this type of information include the recipe for Coca-Cola, employee disciplinary actions, pre-released financial statement information, or proprietary secrets that offer a competitive advantage to the business.

Trade secret

T or F Common taxonomy for commercial businesses might provide for the following classes: Public information, Business sensitive or business confidential, Customer confidential, Trade secret

True

T or F Computer security policies come in four types.

True

T or F Most qualitative risk analysis methodologies make use of interrelated elements: Threats, Vulnerabilities, Controls

True

T or F Risk = threat * vulnerability

True

T or F The annual costs of safeguards should not exceed the expected annual cost of asset loss

True

T or F Two basic types of risk analysis exist: quantitative and qualitative.

True

T or F The ALE is calculated using the following formula: ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO) Or more simply: ALE = SLE * ARO

True For example, if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is .5, then the ALE is $45,000. On the other hand, if the ARO for a specific threat (such as compromised user account) is 15, then the ALE would be $1,350,000.

T or F The SLE is calculated using the following formula: SLE = asset value (AV) * exposure factor (EF) or more simply: SLE = AV * EF

True The SLE is expressed in a dollar value. For example, if an asset is valued at $200,000 and it has an EF of 45 percent for a specific threat, then the SLE of the threat for that asset is $90,000.

T or F The six-step RMF includes security categorization, security control selection, security control implementation, security control assessment, information system authorization, and security control monitoring.

True The RMF promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes, provides senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and systems development lifecycle (SDLC).

T or F When evaluating a third party for your security integration, you should consider the following processes: On-Site Assessment, Document Exchange and Review, Process/Policy Review, Third-Party Audit

True When engaging third-party assessment and monitoring services, keep in mind that the external entity needs to show security-mindedness in their business operations. If an external organization is unable to manage their own internal operations on a secure basis, how can they provide reliable security management functions for yours?

In the decomposition process, any location where the level of trust or security changes.

Trust Boundaries

The weakness in an asset or the absence or the weakness of a safeguard or countermeasure.

Vulnerability

A risk analysis answers what three fundamental questions?

What am I trying to protect? What is threatening my system? How much time, effort, and money am I willing to spend?

A security control that is deployed to provide various options to other existing controls to aid in enforcement and support of security policies.

compensation control

A security control that modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems that occurred as a result of a security incident. _______ _______ can be simple, such as terminating malicious activity or rebooting a system.

corrective control

A security control that is deployed to discover or detect unwanted or unauthorized activity. _______ _______ operate after the fact and can discover the activity only after it has occurred.

detective control

A security control that is deployed to discourage violation of security policies. They often depend on individuals deciding not to take an unwanted action.

deterrent control

A security control that is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples of _______ _______ include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.

directive control

A security control that is deployed to thwart or stop unwanted or unauthorized activity from occurring.

preventive control

A guideline or recipe for how risk is to be assessed, resolved, and monitored.

risk framework

The formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation.

security control assessment (SCA)

The concept that most computers, devices, networks, and systems are not built by a single entity.

supply chain

