CISSP Chapter 1: Security and Risk Management


Formula for Residual Risk is what?

(Threats X Vulnerability X Asset Value) X Controls Gap

What are the three TYPES of controls?

1. Administrative
2. Technical
3. Physical

Six major steps in the RMF process

1. Categorize the Information System
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize the Information System
6. Monitor Security Controls

There are five categories of Administrative, Technical, and Physical controls. What are they?

1. Deterrent
2. Preventive
3. Detective
4. Corrective
5. Recovery

Four main goals of Risk Analysis

1. Identify assets and assign values
2. Identify vulnerabilities and threats
3. Quantify the impact of potential threats
4. Provide an economic balance between the impact of the risk and the cost of the safeguard

What seven things does FISMA require?

1. Inventory of Systems
2. Categorize by Risk Level
3. Security Controls
4. Risk Assessment
5. Systems Security Plan
6. Certification & Accreditation
7. Continuous Monitoring

Three things a BCP provides:

1. Procedures for emergency responses
2. Extended backup operations
3. Post-disaster recovery

Baseline

A measure of how a system operates normally, considered A MINIMUM LEVEL OF SECURITY. Provides a reference for administrators to compare deviations from normal.

Security Policy

A statement by management dictating the role SECURITY plays in the organization.

OCTAVE

A team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.

If you want to understand business risks, which is the most appropriate standard to use?

AS/NZS 4360

SABSA

An example of a SECURITY Enterprise Architecture Framework

Single Loss Expectancy * Annualized Rate of Occurrence = ?

Annualized Loss Expectancy

Preventive: Physical

Badges, Dogs, Guards, and Fences are this type of Control mechanism.

Why is it impossible to conduct purely quantitative risk analysis?

Because qualitative items cannot be quantified with precision.

PIPEDA

Canadian law that protects personal data, requires obtaining consent when collecting, using, or disclosing PI, collecting PI by lawful means, and having clear PI policies.

Rotation of Duties is considered which category of control?

Detective

Standards

Documents that outline rules that are compulsory in nature and support security policies.

If your budget is limited and you want to focus your assessment on an individual system or process, which is the most appropriate standard to use?

Facilitated Risk Analysis Process (FRAP)

If you really want to dig down into the details of security flaws and effects, which two standards would be best to use?

Failure Modes and Effects Analysis or Fault Tree Analysis

Transferred, avoided, reduced, or accepted

Four ways of handling risk.

Internet Architecture Board (IAB)

Group that issues ethics-related statements concerning the use of the Internet, and is the coordinating committee for Internet design, engineering, and management.

IF you want to deploy an organization-wide risk management program and integrate it into your security program, which two standards would be most useful?

ISO/IEC 27005 or OCTAVE

ISO/IEC 27004:2009

International Standard that assesses the effectiveness of an Information Security Management System and the controls that make up the security program.

ISO/IEC 22301

International standard for Business Continuity Management.

ISO/IEC 27001

International standard that describes HOW to build a security program.

ISO/IEC 27031:2011

International standard that describes the concepts and principles of information and communication technology readiness for Business continuity.

Religious Law

Laws are derived from religious beliefs in this system.

Common Law

Made up of criminal, civil, and administrative laws.

If you want to focus on IT security risks during assessment, which standard would be best to use?

NIST SP 800-30

Preventive: Technical

Passwords, biometrics, encryption, antivirus software, access control lists, firewalls, IDPS, and smart cards are all this type of control mechanism.

Preventive: Administrative

Policies, effective hiring practices, background checks, and data classification/labeling are this type of control mechanism.

Separation of Duties is considered which category of control?

Preventive

HITECH

Promotes the adoption and meaningful use of health information. Lists four categories of violations that reflect increasing levels of culpability and penalty amounts for violations and states that DATA LOSS MUST BE REPORTED TO HHS WITHIN 60 DAYS. Corrects HIPAA issues.

Trade Secrets

Proprietary to a company, often information that provides a competitive edge.

GLBA (Gramm-Leach-Bliley Act)

REQUIRES:
1. Giving customers the option to opt out of having their information shared with third parties.
2. Financial Privacy Rule: inform customers of how their data is used.
3. Safeguards Rule: written rules on how client information is protected.
4. Safeguards against social engineering attempts.
5. Must inform federal regulators, law enforcement, and customers if a breach is discovered.

Guidelines

Recommendations and general approaches that provide advice and flexibility.

FISMA

Requires federal agencies to create, document, and implement an agency-wide security program to protect information and systems used by that agency.

NIST SP 800-55

Standard for performance measurement in information security.

NIST SP 800-53

Standard that uses the following CONTROL categories: Technical, Management, and Operational.

Procedures

Step-by-step instructions that should be followed to achieve a task.

HIPAA

Governs the storage, use, and transmission of personal medical data; covers how security should be managed at any facility that deals with medical information; warns of steep penalties for noncompliance, BUT DOES NOT REQUIRE NOTIFICATION WHEN DATA LOSS OCCURS.

Security Governance

The general term for a framework that provides oversight, accountability, and compliance.

Executive Commitment and Support

The most critical elements in developing a BCP are...

Business Continuity Management

The overarching approach to managing all aspects of BCP and DRP.

Enterprise Architecture Frameworks

These are used to DEVELOP architectures for specific stakeholders and present information in views, AND are used to build individual architectures that best map to individual organizational needs and business drivers.

Quantitative Risk Analysis

This attempts to assign monetary values to the components within the analysis.

Business Continuity Plan

This contains strategy documents that provide detailed procedures to ensure critical business functions are maintained and help minimize loss of life, operations, and systems.

Corrective

This control functionality fixes components or systems after an incident.

Detective

This control functionality helps identify an incident's activities.

Deterrent

This control functionality is meant to discourage an attacker.

Preventive

This control functionality is used to avoid an incident from occurring.

Recovery

This control functionality is used to bring the environment back to regular operations.

Compensating

This control functionality provides an alternative measure of control.

The Zachman Framework

This is an early Enterprise Architecture Framework, generic in nature, that uses a two-dimensional model: six interrogatives (What, How, Where, Who, When, and Why) intersecting with different perspectives (Executives, Business Managers, System Architects, Engineers, Technicians, and Enterprise-wide).

Total Risk is calculated how?

Threats x vulnerability x asset value

True or False: plans should be prepared by the people who will carry them out?

True

Criminal Law

Type of law dealing with individual conduct that violates government laws developed to protect the public. Punishment can range from fines to imprisonment to death.

Administrative Law

Type of law that covers standards of performance or conduct expected by government agencies from companies, industries, and officials.

Civil Law

Type of law that deals with wrongs committed against individuals or companies that result in injury or damages. No prison, but requires financial restitution.

Civil Law

Uses prewritten rules not based on precedent.

Customary Law

Uses regional traditions and customs as the foundations of the laws. Usually mixed with another type of legal system.

Cost, Functionality, and Effectiveness

When choosing the right safeguard to reduce a specific risk, what three things must be considered in addition to performing a Cost Benefit Analysis?
