5. Risk Management


Incident Response Procedures

-notification -escalation -reporting -system isolation -forensic analysis -evidence handling

Security procedures

-outline a step-by-step process for an activity -compliance may be required, depending upon the circumstances

Incident Response Process

-preparation -identification -containment -eradication -recovery -lesson learned

Security Guidelines

-provide advice to the organization -follow best practices from industry -suggest optional practices: not mandatory

Security Standards

-provide specific details of security controls -derive their authority from policies -follow a less rigorous approval process than policies -require compliance from all employees

Security Policies

-provide the foundation for a security program -are written carefully over a long period of time -require compliance from all employees -are approved at the highest levels of the organization

Warm sites

-stocked with all necessary equipment and data -not maintained in a parallel fashion -similar in expense to hot sites -available in hours or days

Classification Levels Military

-top secret -secret -confidential -unclassified

Documentary Evidence Rules

1. Authentication rule: documents must be authenticated by testimony 2. Best evidence rule: original documents are superior to copies 3. Parol evidence rule: a written contract is assumed to be the entire agreement between the parties

Business Impact analysis BIA

Identifies and prioritizes risks to critical business functions by assessing the impact a disruption of each function would have on the organization

Risk Assessment

Identify and prioritize risk

Incremental Backups

Include all data modified since the last full or incremental backup

Redundant Array of Inexpensive Disks RAID

Instead of using one large disk to store data, one can use many smaller disks (because they are cheaper). An approach to using many low-cost drives as a group to improve performance; every level except RAID 0 (pure striping) also provides a degree of redundancy that makes the chance of data loss from a single drive failure remote.

Criminal Investigations

Look into possible crimes -involve the possibility of fines and jail time -use the beyond a reasonable doubt standard of evidence

Operational Investigations

Look into technology issues -seek to resolve technology issues -restore normal operations as quickly as possible -use very low standards of evidence -involve root cause analysis

Fault Tolerance FT

Makes a single system resilient against technical failures

Recovery Time Objective RTO

Maximum amount of time that it should take to recover a service after a disaster

Recovery Point Objectives RPO

Maximum time period from which data may be lost in the wake of a disaster

Defense in Depth

Multiple controls for one objective.

Separation of Duties

No individual should possess two permissions that, in combination, allow them to perform a highly sensitive action.

What technology is commonly used for Big Data datasets? PostgreSQL NoSQL MySQL SQL Server

NoSQL

Annualized Rate of Occurrence ARO

Number of times a risk is expected to occur each year

GAPP principle 5 Use, Retention, and Disposal

Organizations should only collect and use personal information for disclosed purposes, and they should dispose of the data securely as soon as it is no longer needed for the disclosed purpose.

GAPP principle 7 Disclosure to Third Parties

Organizations should only share information with third parties if that sharing is consistent with the purposes disclosed in privacy notices and they have the consent of the individual to share that information.

GAPP principle 1 Management

Organizations handling private information should have policies, procedures, and governance structures in place to protect privacy.

GAPP principle 6 Access

Organizations should provide data subjects with the ability to review and update their personal information.

GAPP principle 8 Security

The organization must secure private information against unauthorized access, either physically or logically

GAPP principle 3 Choice and Consent

The organization should inform data subjects of their options regarding the data collected about them and obtain consent from those individuals for the collection, storage, use, and sharing of that information

GAPP principle 4 Collection

The organization should only collect personal information for the purposes disclosed in its privacy notices.

Service Level Agreement SLA

a written contract between the vendor and the customer that describes the conditions of service and penalties the vendor will incur for failure to maintain the agreed-upon service levels.

Acceptable use policy AUP

defines proper system usage, or the rules of behavior for employees when using information technology systems

Data Disposal Policies

describes proper techniques for destroying data that is no longer needed by the organization

Deterrent Controls

designed to discourage attack attempts (fence, burglar alarms)

Corrective Controls

designed to help an organization recover from an incident (backups)

Preventive controls

designed to stop an attack before it succeeds

Physical controls

deter, detect, or prevent unauthorized physical access to a facility

Clean Desk Policy

directs users to keep their areas organized and free of papers. The primary goal is to reduce threats of security incidents by ensuring the protection of sensitive data.

Server logs are an example of _____ evidence. testimonial expert opinion real documentary

documentary

Exposure Factor EF

expected percentage of an asset's value that would be lost if the risk occurred once

Annualized Loss Expectancy ALE

expected dollar loss from a risk in any given year: ALE = SLE * ARO

Single Loss Expectancy SLE

expected dollar loss if the risk occurs one time: SLE = AV * EF

Memorandum of understanding MOU and Memorandum of agreement MOA

expresses an understanding between two or more parties indicating their intention to work together towards a common goal.

Threat

external force jeopardizing security

Compensating controls

fill gaps left when you are unable to implement other required controls.

Mandatory Vacation

forces privileged users to take one or two weeks of consecutive vacation annually, so that any fraud they are concealing is more likely to surface while someone else performs their duties

Which element of the security policy framework includes suggestions that are not mandatory? policies guidelines standards procedures

guidelines

Data Steward

handles the day-to-day data governance activities. They are delegated responsibility by data owner.

Protected Health Information PHI

health records about an individual patient

What type of control are we using if we supplement a single firewall with a second standby firewall ready to assume responsibility if the primary firewall fails? component redundancy load balancing high availability clustering

high availability

What type of disaster recovery site is able to be activated most quickly in the event of a disruption? hot site warm site lukewarm site cold site

hot site

Full Backups

include a complete copy of all data

Differential Backups

include all data modified since the last full backup

What type of backup includes only those files that have changed since the most recent full or incremental backup? full incremental partial differential

incremental
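The three backup types above (full, differential, incremental) differ in what each backup stores and, more importantly, in how many backups must be read to restore. The following Python simulation is an added example written for this page, not code from the original study set; the week of file changes in HISTORY is constructed, and file counts stand in for sizes.

```python
# Constructed daily change history; not taken from any real system.
# The first entry is the day of the full backup and lists every file that exists;
# each later entry lists the files modified since the previous day's backup.
HISTORY = [
    ("sun", {"a.db", "b.cfg", "c.log", "d.doc"}),
    ("mon", {"c.log"}),
    ("tue", {"a.db", "c.log"}),
    ("wed", {"d.doc"}),
]


def plan_backups(history, strategy):
    """Return the backups taken under `strategy` as (day, kind, files) tuples.
    'differential': each backup holds everything modified since the last full.
    'incremental':  each backup holds only what was modified since the previous backup."""
    if strategy not in ("differential", "incremental"):
        raise ValueError(strategy)
    first_day, all_files = history[0]
    plan = [(first_day, "full", set(all_files))]
    since_full = set()
    for day, changed in history[1:]:
        since_full |= changed
        files = since_full if strategy == "differential" else changed
        plan.append((day, strategy, set(files)))
    return plan


def restore_chain(plan, day):
    """Backups that must be read, in apply order, to recover the state as of `day`."""
    full, partials = plan[0], plan[1:]
    idx = next(i for i, (d, _, _) in enumerate(partials) if d == day)
    if partials[idx][1] == "differential":
        return [full, partials[idx]]        # full + the single latest differential
    return [full] + partials[: idx + 1]     # full + every incremental up to that day


def apply_restore(chain):
    """Replay the chain; a later backup overwrites an earlier copy of the same file.
    Returns {file: day of the backup the restored copy came from}."""
    state = {}
    for day, _, files in chain:
        for name in files:
            state[name] = day
    return state


def stored_copies(plan):
    """Total file copies written to backup media over the week (a size proxy)."""
    return sum(len(files) for _, _, files in plan)


def read_copies(chain):
    """Total file copies that must be read back during a restore."""
    return sum(len(files) for _, _, files in chain)


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        plan = plan_backups(HISTORY, strategy)
        chain = restore_chain(plan, "wed")
        print(f"{strategy}: stored {stored_copies(plan)} copies, "
              f"restore reads {len(chain)} backups / {read_copies(chain)} copies, "
              f"state {apply_restore(chain)}")
```

With this history the incremental plan writes fewer copies (8 versus 10) but the Wednesday restore must read four backups in order, and losing any one of them breaks the chain; the differential restore reads only the full plus the latest differential. Both chains recover the same Wednesday content, they just pull each file from different media.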

Which one of the following is not one of the GAPP principles? collection management integrity notice

integrity

Separation of duty

is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. It is designed to prevent fraud, theft, and errors.

Privilege Aggregation

privilege sprawl: users accumulate permissions over time (for example, across job changes) and end up with more access than their current role needs, which jeopardizes least privilege

What security principle prevents against an individual having excess security rights? separation of duties mandatory vacations job rotation least privilege

least privilege

Memorandum of Understanding MOU

letter written to document aspects of the relationship. Also known as Memorandum of Agreement MOA

What two factors are used to evaluate a risk? frequency and likelihood criticality and likelihood impact and criticality likelihood and impact

likelihood and impact

Need to know

limits information access

Least Privilege

limits system permissions

Replacement cost technique

looks at current supplier prices to determine the actual cost of replacing an asset in the current market and then uses that cost as the asset's value.

Administrative controls

management processes that we put in place to improve enterprise security

Which evidence source should be collected first when considering the order of volatility? temporary files process information logs memory contents

memory contents

Wireshark Monitors Networks

network packet capture and analysis tool; unlike NetFlow, it records full packet contents

Asset Value AV

the dollar value of an asset, determined by -original cost -depreciated cost -replacement cost

GAPP principle 10 Monitoring and Enforcement

the organization should have a program in place to monitor compliance with its privacy policies and provide a dispute resolution mechanism

GAPP principle 9 Quality

the organization should take reasonable steps to ensure that the private information they maintain is accurate, complete, and relevant

Pulverizing

the process of physically destroying media to sanitize it, such as with a sledge hammer.

Volatility

the relative permanence of a piece of evidence: evidence that may not last long is more volatile than more permanent sources of evidence.

Which one of the following is not a commonly-used business classification level? Internal Highly Sensitive Top Secret Sensitive

top secret

Technical controls

use of technology to achieve security controls objectives

Risk assessment: Quantitative

uses objective numeric rating to evaluate risk likelihood and impact (usually in terms of dollars)

Risk assessment: Qualitative

uses subjective rating to evaluate risk likelihood and impact Low, medium, high

Degaussing

a very powerful electromagnet. Passing media through a degaussing field renders the data on magnetic tape and magnetic disk drives unreadable. It has no effect on solid-state drives or other flash media, which must be sanitized by other means.

What type of technology prevents a forensic examiner from accidentally corrupting evidence while creating an image of a disk? sealed container hashing evidence log write blocker

write blocker

Business Partners Agreement BPA

written agreement that details the relationship between business partners, including their obligations towards the partnership.

Risk Deterrence

takes actions that dissuade a threat from exploiting a vulnerability

Hot site

-fully operational data centers -stocked with equipment and data -available at a moment's notice -very expensive

Classification Levels Business

-highly sensitive -sensitive -internal -public

Compliance Obligations

-laws -regulations -standards

Preemployment Screening

-criminal records checks -sex offender registry -reference checks -education and employment verification -credit checks

Cold sites

-empty data centers with power, network connectivity, and environmental controls but no equipment or data -relatively inexpensive -operational in weeks or months

Information security Policy

-designation of individual responsible for security -description of security roles and responsibilities -authority for creation of security standards -authority for incident response -process for policy exceptions and violations

Acceptable Use Policy

-also known as responsible use policy -describe how individuals may use information systems -prohibits illegal activity -describes what personal use is permitted.

Order of Volatility

1. Network traffic 2. Memory contents 3. system and process data 4. files 5. Logs

Incident Response Program Components

1. Policy and plan documentation 2. Procedures for incident handling 3. Guidelines for communicating externally 4. Structure and staffing model for the team 5. Description of relationship with other groups

What is the minimum number of disks required to perform RAID level 5? 1 2 4 3

3

grandfather-father-son (GFS)

A common backup rotation scheme that uses three levels of backups: daily (son), weekly (father), and monthly (grandfather), with the older levels retained longer.

Risk Register

A document that contains results of various risk management processes, often displayed in a table or spreadsheet format

Risk Avoidance

A risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact. (move the data center to non flood zone)

Once an organization complies with GAPP, best practice says they should collect as much information as possible to provide good service, provided that they remain GAPP compliant. TRUE FALSE

False

What is the correct formula for computing the annualized loss expectancy? ALE = EF * SLE * ARO ALE = AV - SLE ALE = ARO * AV ALE = SLE * ARO

ALE = SLE * ARO
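The SLE, ALE, EF and ARO cards above and this formula question fit together into a single quantitative risk calculation, and the point of computing ALE is to decide whether a control is worth its annual cost. The Python below is an added example for this page, not part of the original study set; the two risks in SAMPLE_RISKS and the assumed backup control are illustrative figures only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of a quantitative risk register (all money in dollars)."""
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost when the risk occurs once (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def rank_by_ale(risks):
    """Highest annualized loss first: the usual ordering for deciding where to spend."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_value(risk: Risk, residual_ef: float, residual_aro: float,
                  annual_control_cost: float) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost of the control.
    A negative result means the control costs more per year than the loss it avoids."""
    residual = Risk(risk.name, risk.asset_value, residual_ef, residual_aro)
    return risk.ale() - residual.ale() - annual_control_cost


# Constructed sample register; the figures are illustrative, not from any real assessment.
SAMPLE_RISKS = [
    Risk("data center flood", asset_value=2_000_000, exposure_factor=0.25, aro=1 / 20),  # once in 20 years
    Risk("ransomware outbreak", asset_value=500_000, exposure_factor=0.60, aro=0.5),      # once every 2 years
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:22} SLE=${r.sle():>12,.0f}  ALE=${r.ale():>12,.0f}")
    # Assumed control: offline backups cut the ransomware EF from 0.60 to 0.10 at $20,000/year.
    print("backup control value:", control_value(SAMPLE_RISKS[1], 0.10, 0.5, 20_000))
```

Note that the flood has the larger single loss (SLE $500,000) but the ransomware risk has the larger annual exposure (ALE $150,000 versus $25,000) because it is expected far more often; ranking by ALE rather than SLE is what keeps the control budget pointed at the right risk.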

Business partnership agreement BPA

Agreement between partners

GAPP Developers

American Institute of Certified Public Accountants AICPA, Canadian Institute of Chartered Accountants CICA, Information Systems Audit and Control Association ISACA, Institute of Internal Auditors IIA

Interconnection Security Agreement (ISA)

An agreement between parties intended to minimize security risks for data transmitted across a network. Normally provides details on connection security parameters such as the encryption standards and transfer protocols

Mean Time to Repair MTTR

Average time required to return a repairable component to service

Which one of the following individuals would not normally be found on the incident response team? CEO human resources staff legal counsel information security professional

CEO

Documentary Evidence

Consists of written information

GAPP principle 2 Notice

Data subjects should receive notice that their information is being collected and used, as well as access to the privacy policies and procedures followed by the organization.

RAID 5

Disk striping with parity. RAID 5 uses three or more disks to store data and parity information (requires three or more); the array keeps running and can rebuild after the loss of any single disk, but losing a second disk before the rebuild completes means data loss.
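The reason RAID 5 needs three disks and survives exactly one failure is the XOR parity: the XOR of every unit in a stripe is zero, so any single missing unit is the XOR of the survivors. The Python below is an added example written for this page (not code from the original set) that stripes a byte string across a simulated array with rotating parity and rebuilds it with any one disk removed; the chunk size and the parity placement rule are assumptions chosen for clarity, not a specific vendor layout.

```python
def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings; this is the RAID 5 parity function."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, ndisks: int = 3, chunk: int = 4):
    """Stripe `data` across `ndisks` simulated disks with rotating parity. Returns a list of
    disks, each a list of stripe units. At least three disks are required: one unit per
    stripe is parity, so with two disks nothing would be left to stripe."""
    if ndisks < 3:
        raise ValueError("RAID 5 requires at least three disks")
    data_per_stripe = (ndisks - 1) * chunk
    data += b"\x00" * ((-len(data)) % data_per_stripe)    # zero-pad the final stripe
    disks = [[] for _ in range(ndisks)]
    for s, off in enumerate(range(0, len(data), data_per_stripe)):
        units = [data[off + i:off + i + chunk] for i in range(0, data_per_stripe, chunk)]
        parity_disk = (ndisks - 1 - s) % ndisks            # rotate parity across the disks
        parity = xor_blocks(units)
        units_iter = iter(units)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(units_iter))
    return disks


def raid5_read(disks, length: int):
    """Read `length` bytes back. A disk given as None is treated as failed: one failed disk is
    rebuilt from the XOR of the survivors, two or more failed disks mean the data is gone."""
    ndisks = len(disks)
    failed = [d for d, disk in enumerate(disks) if disk is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates only one failed disk; data is lost")
    nstripes = len(next(disk for disk in disks if disk is not None))
    out = bytearray()
    for s in range(nstripes):
        parity_disk = (ndisks - 1 - s) % ndisks
        units = [None if disk is None else disk[s] for disk in disks]
        if failed:
            lost = failed[0]
            units[lost] = xor_blocks([u for d, u in enumerate(units) if d != lost])
        for d in range(ndisks):
            if d != parity_disk:
                out += units[d]                              # parity units are not data
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"RAID 5: any one disk may fail"
    array = raid5_write(payload)
    array[1] = None                                          # simulate losing the middle disk
    print(raid5_read(array, len(payload)))
```

The rebuild reads every surviving disk for every stripe, which is why a degraded array is slow and why a second failure during that window is fatal; RAID 6 adds a second, independent parity unit to survive two.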

Service Level Requirements SLR

Document specific requirements that a customer has about any aspect of a vendor's service performance.

Lessons Learned

Provides incident responders with an opportunity to reflect on the incident response efforts and offers feedback that will improve the organization's response to future incidents

RAID Mirroring

RAID 1 stores the same data on two different disks (requires at least two disks)

What disaster recovery metric provides the targeted amount of time to restore a service after a failure? MTO RPO RTO TLS

RTO

Risk Mitigation

Reduce the likelihood or impact of the risk.

Two Person Control

Requires the authorization of two separate individuals to carry out a sensitive action; also known as dual control (e.g., a missile launch)

Job Rotation

Rotate users in and out of positions with sensitive responsibilities

What type of agreement is used to define availability requirements for an IT service that an organization is purchasing from a vendor? SLA MOU ISA BPA

SLA

Security Information and Event Management SIEM

Security solution that collects information from diverse sources, analyzes it for signs of security incidents, and retains it for later use.

Software Forensics: Malware Origins

Software forensics may be used to identify the author of malicious software found on a system

Software forensics may be used to identify the origin of malware. TRUE FALSE

True

The chain of custody must be updated EVERY time someone handles a piece of evidence. TRUE FALSE

True
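Updating the chain of custody on every handling only proves something if each entry pins down the state of the evidence at that moment, which is what the hash is for (the same reason a write blocker is used during imaging). The Python below is an added example for this page, not code from the original set: it records a hash with every custody entry and shows how an unrecorded change is detected. The evidence bytes, timestamps and handler names are constructed.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str       # timestamp written by the handler (constructed strings below)
    handler: str
    action: str     # e.g. "acquired", "transferred to lab", "checked out for analysis"
    sha256: str     # hash of the evidence as it was when this entry was made


@dataclass
class EvidenceItem:
    item_id: str
    image: bytes                      # the evidence file itself (a disk image, for example)
    acquisition_hash: str = field(init=False)
    log: list = field(default_factory=list)

    def __post_init__(self):
        # The hash taken at acquisition is the reference every later entry is checked against.
        self.acquisition_hash = sha256_hex(self.image)


def record_handling(item: EvidenceItem, when: str, handler: str, action: str) -> CustodyEntry:
    """Append one entry every time the evidence changes hands or is touched, re-hashing it at
    that moment so that any change is pinned to a specific handler and time."""
    entry = CustodyEntry(when, handler, action, sha256_hex(item.image))
    item.log.append(entry)
    return entry


def verify_chain(item: EvidenceItem):
    """Return (True, None) if every logged hash and the current image match the acquisition hash.
    Otherwise return (False, index): the first log entry whose hash differs, or len(log) if the
    image changed after the last entry (an undocumented handling)."""
    for i, entry in enumerate(item.log):
        if entry.sha256 != item.acquisition_hash:
            return False, i
    if sha256_hex(item.image) != item.acquisition_hash:
        return False, len(item.log)
    return True, None


def demo():
    """Constructed walk-through: two clean handoffs, then an unrecorded modification."""
    item = EvidenceItem("CASE-42-ITEM-1", b"constructed disk image bytes")
    record_handling(item, "2024-01-08T09:00:00Z", "analyst A", "acquired behind write blocker")
    record_handling(item, "2024-01-08T11:30:00Z", "analyst B", "checked out for analysis")
    intact = verify_chain(item)
    item.image = item.image + b"!"     # someone altered the image without logging it
    record_handling(item, "2024-01-09T08:00:00Z", "analyst C", "checked out")
    tampered = verify_chain(item)
    return intact, tampered
```

In the demo the break is reported at entry index 2, the first entry whose hash no longer matches, so the change is bracketed between analyst B's handoff and analyst C's: exactly the question a court will ask.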

High Availability HA

Uses multiple systems to protect against service failure

Vulnerability

Weaknesses in security controls (missing patches, overly permissive firewall rules, firewall misconfigurations)

Risk Acceptance

accepts the risk without taking further action.

Parallel tests

activate the disaster recovery facility but do not switch operations there.

Data Custodian

actually stores and processes information; data custodians are often IT staff members

Service Level Agreement SLA

agreement between a company and a vendor that stipulates performance expectations, such as minimum up time and maximum downtime levels.

Pulping

an additional step taken after shredding paper. It reduces the shredded paper to mash or puree

Regulatory Investigations

are conducted by the government

Security controls

are the procedures and mechanisms that an organization puts in place to manage security risks.

What goal of security is enhanced by a strong business continuity program? confidentiality non-repudiation integrity availability

availability

Mean Time to Failure MTTF

average time a nonrepairable component will last

Mean Time Between Failures MTBF

average time gap between failures of a repairable component

Data Owners

business leaders with overall responsibility for data. They set policies and guidelines for their data sets

Job Rotation

concept that has employees rotate through different jobs to learn the processes and procedures in each job.

Real Evidence

consists of tangible objects

Testimonial Evidence

consists of witness statements 1. Direct evidence: a witness provides evidence based upon his or her own observations 2. Expert opinion: an expert witness draws conclusions based upon other evidence

During an incident response, what is the highest priority of first responders? restoring operations identifying the root cause containing the damage collecting evidence

containing the damage

After Action Report AAR

creates a formal record of a disaster recovery DR or business continuity BC event.

Data in Motion

data being sent over a network between two systems

Data Sovereignty

data is subject to the law of the jurisdiction where it's stored.

What data security role is normally filled by a senior-level official who bears overall responsibility for the data? data custodian data guardian data owner data steward

data owner

Data at Rest

data stored for later use on a hard drive, USB device, magnetic tape, cloud service, or other data storage environment

Which category of security control focuses on the processes that we put in place to manage technology in a secure manner? technical controls management controls administrative controls operational controls

operational controls

What type of investigation would typically be launched in response to a report of high network latency? criminal civil operational regulatory

operational

Three of these choices are data elements found in NetFlow data. Which is not? packet contents amount of data transferred source address destination address

packet contents

Which one of the following disaster recovery tests involves the actual activation of the DR site? parallel test simulation walk-through read-through

parallel test

Privacy Policy

policy that indicates what kind of information a website will take from you and what they intend to do with it

Risk management

process of systematically analyzing potential responses to each risk and implementing strategies to control those risks appropriately.

During what phase of ediscovery does an organization share information with the other side? collection analysis preservation production

production

NetFlow Summarizes Traffic

providing high-level information, much like a telephone bill. 1. A telephone bill records the numbers called, the timestamps, and the call duration, not what was said 2. NetFlow data records the IP addresses and ports, the timestamps, and the amount of data transferred, not the packet contents
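To make the telephone-bill analogy concrete, the Python below (an added example for this page, not code from the original set) aggregates constructed packets into flow records keyed on the usual 5-tuple and then runs the kind of check flow data is good for, spotting a host sending an unusual volume outbound. The packets, addresses and the 4,000-byte threshold are all constructed; the flow record layout is a simplified stand-in for real NetFlow/IPFIX fields.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A captured packet as a packet-capture tool sees it (constructed for this example)."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    size: int       # bytes on the wire
    payload: bytes  # present in a packet capture, absent from flow records


# Constructed sample traffic; the addresses are documentation ranges, not real hosts.
PACKETS = [
    Packet(100.0, "10.0.0.5", "203.0.113.9", 51000, 443, "tcp", 100, b"ClientHello..."),
    Packet(100.2, "203.0.113.9", "10.0.0.5", 443, 51000, "tcp", 1300, b"ServerHello..."),
    Packet(100.4, "10.0.0.5", "203.0.113.9", 51000, 443, "tcp", 700, b"encrypted"),
    Packet(105.0, "10.0.0.7", "198.51.100.4", 53000, 22, "tcp", 1400, b"SSH-2.0-OpenSSH"),
    Packet(106.0, "10.0.0.7", "198.51.100.4", 53000, 22, "tcp", 1400, b"encrypted"),
    Packet(107.0, "10.0.0.7", "198.51.100.4", 53000, 22, "tcp", 1400, b"encrypted"),
]


def to_flows(packets):
    """Aggregate packets into unidirectional flow records keyed on the 5-tuple.
    The payload is deliberately dropped: flow data keeps who talked to whom, when, and how much."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        rec = flows.setdefault(key, {
            "src": p.src, "dst": p.dst, "sport": p.sport, "dport": p.dport, "proto": p.proto,
            "first": p.ts, "last": p.ts, "packets": 0, "bytes": 0,
        })
        rec["last"] = p.ts
        rec["packets"] += 1
        rec["bytes"] += p.size
    return sorted(flows.values(), key=lambda r: r["first"])


def outbound_bytes_by_host(flows, internal_prefix="10.0.0."):
    """Bytes each internal host sent to destinations outside the internal range."""
    totals = {}
    for r in flows:
        if r["src"].startswith(internal_prefix) and not r["dst"].startswith(internal_prefix):
            totals[r["src"]] = totals.get(r["src"], 0) + r["bytes"]
    return totals


def hosts_over_threshold(flows, threshold_bytes, internal_prefix="10.0.0."):
    """Internal hosts whose outbound volume exceeds a threshold: a typical flow-based exfiltration check."""
    totals = outbound_bytes_by_host(flows, internal_prefix)
    return sorted(host for host, total in totals.items() if total > threshold_bytes)


if __name__ == "__main__":
    flows = to_flows(PACKETS)
    for r in flows:
        print(r)
    print("over threshold:", hosts_over_threshold(flows, 4000))
```

The flow records answer "which host moved 4,200 bytes to 198.51.100.4 on port 22 between t=105 and t=107" but cannot answer "what was in it"; for that you need the packet capture, which is why the two sources are kept side by side in an investigation.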

Personally Identifiable Information PII

records that may be associated with a specific individual

Civil Investigations

resolve disputes between parties -do not involve the possibility of fines and jail time -use the preponderance of the evidence standard

Purchasing an insurance policy is an example of which risk management strategy? risk acceptance risk mitigation risk transference risk deterrence

risk transference

Threat intelligence

shares risk information with other organizations, typically by joining a threat intelligence consortium or purchasing a threat intelligence service

Transferring Risk

shifts the impact of a risk to another organization (insurance policy)

Software Forensics : Intellectual Property

software forensics may be used to resolve intellectual property disputes between two parties

Threat vector

specific method that threats use to exploit a vulnerability (hacker toolkit, social engineering, physical intrusion, or any number of hacking techniques)

Interconnection security agreement ISA

specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities.

Data Retention Policies

specifies the minimum and /or maximum periods that an organization will retain different data elements

