Module 5: Risk Management

Ace your homework & exams now with Quizwiz!

role-based training

Specialized training that is customized to the specific role that an employee holds in the organization. Related jobs like writing code testing product Users need to be aware of their roles

Hot and cold aisles

The aisles in a server room or data center that circulate cold air into the systems and hot air out of them. Usually, the systems and cabinets are supported by a raised floor. When placing servers in a server rack make sure that servers air intake toward the cold aisle

Mean Time to Repair (MTTR)

The average time required to repair a single resource or function when a disaster or other disruption occurs. Describes the average amount of time it takes to get a device fixed and back online.

Single Loss Expectancy (SLE)

The expected monetary loss every time a risk occurs. SLE= AV x EF. ASSET VALUE EXPOSURE FACTOR

Annualized Loss Expectancy (ALE)

The expected monetary loss that can be expected for an asset due to a risk over a one-year period. ALE = SLE X ARO

Deterrent control type

Use of operational mgmt and technical controls Personnel guards like a fence-opera Openly displaying security policies to emphasize leak implications-management Giving access to selective systems, technical

Mandatory Vacations

When an organization requires that an employee take a certain amount of days of vacation consecutively. Allows for company to audit transactions or employees work

Single Points of Failure

When the failure in a single component of a system can cause a system to fail or be seriously degraded Part of a system which if it fails will stop the entire system from working Eg. front end web servers that is connected to several distributed databases serversv An admin is assigned several tasks critical to continuity

Residual Risk

the risk that remains after management implements internal controls or some other response to risk. Risk left over after a detailed security plan

Mean Time Between Failures (MTBF)

A measurement of error occurrences that can be tracked over time to indicate the quality of a system. Measures product reliability. Usually given in units of hours, the higher the MTBF the more reliable

Exit interview

A meeting of a departing employee with the employee's supervisor and/or a human resource specialist to discuss the employee's reasons for leaving. Allows company to figure out why employees left. Allows company to see what project person is working on. Gives you a opportunity to figure out next steps for role that is being left like if there is someone able to fill the role

Clean desk policy

An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every work day. Helps prevent mission critical documents from being lost Prevents passwords potentially being lost and used to break into systems

Track man hours

Combined with surveillance to give accurate analysis Can be compared with witness interviews Discrepancy logged in work hours can be tracked

Memorandum of Agreement (MOA)

General areas of conditional agreement between two or more parties Documents the exchange of services Not legally enforceable Shows that both parties are on same page.

Technical control types something your implement

Least Privilege implementations Identification and authentication Access control Audit and accountability System and communication protection

It security framework

Series of documented processes that are used to define policies and procedures for the implementation and ongoing management of security controls in an enterprise environment j

Retention Policy

Set down rules for how different kinds of information are retained

Risk Transference

Shifting the consequence of a risk and responsibility for its management to a third party

Memorandum of Understanding (MOU)

A document executed between two parties that defines some form of agreement. More like loose agreements May not have strict agreements or guidelines

Security policy

A document that outlines procedures regarding physical security, and the protection of data, research and development, and customer information. Creating a security policy should be first step in creating a security policy baseline

legal hold

A court order to preserve data for the purposes of an investigation. Upon receipt of a legal hold notification, a company is required to activate a defensible policy for the preservation of the data.

disaster recovery plan

A detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood Make sure it's being tested to make sure it actually works. Allows you t know what tweaks to make

Service Level Agreement (SLA)

A negotiated agreement between the customer and the vendor. The SLA may specify the levels of availability, serviceability, performance, operation, or other commitment requirements. End to end traffic performance guarantee made by a service provider to a customer Guarantees certain amount of system uptime to a client as well as service details Also guarantees levels of performance

System administrator

A person who is responsible for managing computers, networks, servers, and other computing resources for an organization or group.

Incident Response Plan

A plan that an organization uses to categorize a security threat, determine the cause, preserve any evidence, and also get the systems back online so the organization can resume business. Handle in ways that limit damage and reduces recovery time

Acceptable Use Policy (AUP)

A policy that defines the actions users may perform while accessing systems and networking equipment. Defines how to use certain types of data

Acceptable Use Policy (AUP)

A policy that defines the actions users may perform while accessing systems and networking equipment. Employees sign this type of policy that describes the proper methods and use of network systems Like company instructing employee what sites they can browse Helps restrict ways network is used

Risk Avoidance

A risk response strategy whereby the project team acts to eliminate the threat or protect the project from its impact. Risk management that involves taking steps to remove a hazard engage in alternative activity

Control Objectives for Information and Related Technology (COBIT)

A security and control framework that allows 1) management to benchmark the security and control practices of IT environments, 2) users of IT services to be assured that adequate security and control exist, and 3) auditors to substantiate their internal control opinions and advise on IT security and control matters COBIT divides IT into 4 sections Plan and organize Acquire and implement Deliver and support Monitor and evaluate

Incident Response

A set of procedures that an investigator goes by when examining a computer security incident.incodent response is part of incident management

impact assessment

AST step of risk assessment. It's when you determine potential monetary costs related to a threat. Provide info on how to deal with risk

California SB 1386

Act requires business to immediately disclose breaches of security

Interconnection Security Agreement (ISA)

An agreement between parties to establish procedures for mutual cooperation and coordination between them with respect to security requirements associated with their joint project. Detailed document that's defined the technique details of how two different company it networks will be connected together. Two companies using credit card info

supply chain assessment

An assessment of the processes by which organizations receive necessary goods and services from third parties. The trustworthiness of any supply chain that your business is using is important to keep in mind

Privacy Impact Assessment (PIA)

An assessment that determines the impact on the privacy of the individuals whose data is being stored, and ensures that the organization has sufficient security controls applied to be within compliance of applicable laws or standards. May be hard to asses until leak becomes public but conducting assessment can help minimize potential impact on safety finance and reputation

redundant power supply

An enclosure that contains two complete power supplies, the second of which turns on when the first fails.

Business Impact Analysis (BIA)

An exercise that determines the impact of losing the support of any resource to an organization, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems. Recovery point objective. Defines a business goal for systems restoration and acceptable data loss Recovery time objective defines goal for acceptable downtime Hot backups if there is low time threshold

data sensitivity labeling

Applying the correct category to data to ensure proper data handling. Confidential data Highly sensible data intended for limited specific use by a workgroup department or group of individuals Explicit authorization by data steward is needed to access. Need to know basis Public data Data should be classified as public when the unauthorized disclosure alteration or destruction of that data would result in little or no rush to company Examples are press releases course information and research publications Still needs some level of control to prevent unauthorized modification Private data should be classified as private when unauthorized disclosure alteration or destruction of thats data results in moderate level of risk Reasonable levels of security controls should be applied to protect. Data that is not classified as public or confidential is private. Proprietary data Internally generated data associated with a company Data associated with a firm to safeguard from a competitor Something copy-written or has nda Personable identification information

Incremental backup

Backup of all data that has changed since last normal or incremental backup Clears archive bit. Faster backups per night

Differential backup

Backup of data that has changed since last normal or incremental backup Does not clear archive bit. Don't tell system they have been backed up

Line up conditioner

Cleans yo electrical signals and smooths them out.

Normal or full backup

Clears the archive bit telling windows they've been backed up.

Incident types

Compromised computing resources System account compromises. User account compromised Email based abuse Unsolicited commercial email Phishing emails. Spam Copyright infringement Network and resource abuses Network scanning activity Denial of service attacks Resource musconfiguration Open proxy serves Misusedi licensed resources vulnerable configuration

Operational controls something you're doing

Day to day stuff Include Personnel security Physical and environmental protection Contingency planning Configuration management Maintenance System and information integrity Media protection Incident response Awareness and training

Due diligence

Ensuring that IT infrastructure risks are known and managed. Organization spends time assessing risk and vulnerability

Cyber Incident response teams

Incident response team responsible for responding to security breaches viruses and other incidents Should include experts who can guide executives Normally operates in conjunction with other enterprise groups such as site security public relations and disaster recovery teams Should be able to escalate when incident is serious and is not being easily solved and CIRT has exhausted means within its own authority Effective responses requires preparation Preparation is education of users and IT staff of the importance of updated security measures and trains them to respond to computer and network security incidents quickly and correctly Identification is when response team is activated to decide whether a particular event is in fact a security incident Containment is when team determines how far problem has spread and contains it by disconnecting all affected systems and devices Eradication is when yeah investigates to discover origin of incident and has it removed Recovery is data and software systems restored from clean back up files. Systems are monitored for any sign of weakness Lesson learned when teM analyses the incident and how it was handled making recommendations

Administrative controls

Incorporate methods mandated by organizational policies or other like assessment job rotations, segregated duties, mandatory vacations

Data owner

Individuals, normally managers or directors, who have responsibility .for the integrity, accurate reporting and use of computerized data. Important to have data in question protected and only give access to those with proper credentials

HVAC

Industry shorthand term for "heating, ventilating, and air-conditioning

Information assurance

Is another name for risk management When referring to hardware and software. It assess resources and determines the cost and threats associated with them.

incident management

Is defined as the monitoring and detection security on a computer network and the execution of proper response to that event

Privacy Threshold Assessment

Part of a business impact assessment (BIA) that is used to determine if a system contains personally identifiable information (PII), whether a privacy impact assessment is required, and if any other privacy requirements apply to the IT system.

Secure disposal of computers

Sanitizer computer media Use a certified wipe application

Risk Aviodance

Not carrying out a proposed plan because the risk factor too much

Detectives control type

Operational Giving personnel guards monitoring surveillanceand recording video Management Personnel review and screenings Technical Having intrusion prevention and detection in place for relevant systems

Corrective control types

Operational Making sure aspects any contingency planning are maintained such as emergency power physical backups Management Updating personnel on the attack and retraining to deal with what they missed review contingency planning Technical Having back up protected and accessible to ensure quick recovery

Preventative control types

Operational is having a security guard Management regularly running risk assessment employee training Technical Having anti malware on system

Incident response manager

Overseas abs prioritizes actions during detection analysis and containment of an incident

Phases of Incident Response

Preparation is education of users and IT staff of the importance of updated security measures and trains them to respond to computer and network security incidents quickly and correctly Identification is when response team is activated to decide whether a particular event is in fact a security incident Containment is when team determines how far problem has spread and contains it by disconnecting all affected systems and devices Eradication is when yeah investigates to discover origin of incident and has it removed Recovery is data and software systems restored from clean back up files. Systems are monitored for any sign of weakness Lesson learned when teM analyses the incident and how it was handled making recommendations

Personal Management

Process of acquiring, training, developing, motivating, and appraising a sufficient quantity or qualified employees to preform necessary activities Background check is the process of looking of looking up an individual criminal commercial and financial history Outlines potential risks with hiring people

Data destruction

Process of destroying data stored on tapes hard disks and other electronic media Data destruction software needs to be used. Degaussing destroys data on disks by destroying it encrypting hard drive then delete data then destroying hard drive

Change Management

Process of requesting determine attainability planning implementing and evaluation of changes to a system When changing updating system make sure roll back procedures are in place in Case changes crash or are unstable

Data preservation

Processes that must occur to ensure information potentially relevant to pending litigation retains its authentic integrity

disaster recovery plan

Reactive plan that gets activated when disaster strikes Drop plans is at multiple offsite locations. Distance size essential Hot site is an active duplicate of original site with full computer systems as well as near complete backups of user data Cold site is the most inexpensive type of backup site. Simply lease on an empty building in event of disaster Warm site is mix of hot and cold site. Will have backups on hand but they may not be complete and may be several days old Lagos implications are going to factor to consider especially when using third part site

Continuity of Operations Plan (COOP)

Refers to the us government disaster recovery plan Described as restoringvmission essential functions at an alternate site and performing function for up to 30 days Mean time to restore is a metric deterring effectiveness Having alternate processing site is important for continuity as it allows operations to continue at another location Having alternate business practices are good to have in place for these situations

Chief Privacy Officer (CPO)

Responsible for ensuring the ethical and legal use of information Responsible for privacy of the data on organization Being able to use business strategy and procedures and apply it to business Organize plans and lastly looking at privacy program Looking at what we can do if someone breaches and what is done after breach

Control Types

Technical controls (logica): controls audit and journal integrity validations like authentication and file system permission. Access control list nothing that physically exists Mgmt controls like personnel screening separation of duties rotation of duties and least Privilege Operational control deals with day to day procedures. Mechanisms that include physical and environmental protection. Privileged entry commands change control Mgmt hardware controls Deterrent controls reduce likelihood of attacking Preventative control protect vulnerabilities reduce the impact of attack's or prevent attacks success Detective control detect an attack and may activate corrective controls. Corrective controls reduce impact of an attack

Due care

The mitigation action that an organization takes to defend against the risks that have been uncovered during due diligence. Happens after an attacking is identified. Assess severity of attack contain attack stop from harming performance

Order of Volatility

The order in which volatile data should be recovered from various storage locations and devices following a security incident. VolAtility can be thought of as amount of time you have to collect certain data before that window of opportunity is gone. CRSH CPU CACHE RAM Swap Hard drive

Data Custodian

The person/role within the organization who usually manages the data on a day-to-day basis on behalf of the data owner/controller. Ensures Access to data is authorized and controlled Technical process sustain data integrity Technical controls safeguard data Change management practices are applied Data content can be audited

Separation of Duties

The practice of requiring that processes should be divided between two or more individuals. Person can administer file and folder permission and someone in charge of auditing

Due Process

The principle that an organization must respect and safeguard the rights of its personnel

Annualized Rate of Occurrence (ARO)

The probability that a risk will occur in a particular year. Given by insurance companies

Purging

The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique. Also known as sanitizing

clearing

The removal of sensitive data from storage devices in such a way that there is assurance that the data may not be reconstructed using normal system functions or software file/data recovery utilities. Can be recoverable with certain techniques

mitigation control strategy

The risk control strategy that attempts to reduce the impact of a successful attack through planning and preparation

Management controls if it's a policy

Types include Security policy Risk assessment Planning System and services acquisition Certification accreditation and security assessment

Security analysts

Work directly with the affected network to research the time location and details of an incident Triage analysts filter out false positives and watch for intrusions Forensic analysts recover key artifacts and maintain integrity of evidence to ensure sound investigation Threat researcher complement security analysts by providing intelligence and context of an incident They comb the Internet to find things that may have been deportees externally

Identification of critical systems

You're looking for key components of business to ensure quick recovery from incident. Knowing which critical system is compromised will help for recovery Critical to ensure that physical assets are operating in order to acres non tangible assets

key escrow

a control procedure whereby a trusted party is given a copy of a key used to encrypt database data One master key able to decrypt other keys on system

job rotation

a job enrichment strategy that involves moving employees from one job to another Helps detect insider threat Can be paired with separation of duties Allows you to have more people that know how to use technology Continuity of operations

Non-Disclosure Agreement (NDA)

a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes but wish to restrict access to or by third parties

single point of failure

a part of a system that, if it fails, will stop the entire system from working. Can be bypassed through redundancy

Risk Acceptance

a strategy in which the organization accepts the potential risk, continues to operate with no controls, and absorbs any damages that occur Publisher has discovered a design flaw

chain of custody

a written record of all people who have had possession of an item of evidence Needs to be documented to preserve evidence Established upon evidence retrieval

business partnership agreement

agreement between two business partners that establishes the conditions of the partner relationship "BPA"

uninterruptible power supply (UPS)

an alternative power supply device that protects against the loss of power and fluctuations in the power level by using battery power to enable the system to operate long enough to back up critical data and safely shut down Measured in watts Laser printers and portable heater cooler not to be plugged in Rd 232 ports and advanced software for communications with pc abs servers Cost size technology need to be considered Key parameters include clamping speed how fast it can react and clamping voltage what voltage to drop right before ups kicks in Protects against power surge

FM 200 System

does not remove the oxygen from the air. Chemical reaction and heat removal. Should be connected to HVAC system. In the event of fire when co2 is released you don't want HVAC system blowing air in the room.

Risk Reduction

finding ways to lower your chance of incurring a loss. budgeting and it resources dictate level of risk reduction

Business Continuity Planning

outlines procedures for keeping an organization operational in the event of a natural disaster or network attack Removing single points of failure Business continuity planning and testing making sure day to day testing Disaster recovery It contingency planning Succession planning

Privacy Policy

policy that indicates what kind of information a website will take from you and what they intend to do with it Might sell data to marketing firms

Sarbanes-Oxley Act of 2002 Sox

requires that the CEO and CFO of large companies that have publicly traded stock personally certify that financial reports made to the SEC comply with SEC rules and that info in the reports are accurate.

Data steward

responsible for ensuring the policies and procedures are implemented across the organization and acts as a liaison between the MIS department and the business Person responsible for the management and fitness of data elements both content and metadata Data steward have a specialist role that incorporates processes

Standard Operating Procedures (SOPs)

specific sets of written instructions about how to perform a certain aspect of a task Used for business t give workers organized list of to dis or how to run operations Gives set of things to improve on by changing things on list to improve production Protects company against employees not complying to policy or industry regulation.

computer forensics

the scientific collection, examination, authentication, preservation, and analysis of data held on or retrieved from computer storage media in such a way that the information can be used as evidence in a court of law Doing analysis on hard disk: Attach a read only drive connector Hash the hard dish (take fingerprint) Capture an image onto a new disk for analysis Hash the image you just made and compare hash the original hard drive again to make sure you didn't alter it DCFLDD. Doing for data acquisition Obtain and review network traffic logs will help point to suspicious activity Capture video from surveillance footage. Helps identifying and confirming persons that are present Take screenshot before and after incidents. Helps to determine potential problems and is used for keeping records Recording time offsets can help to initially notify you that something is up

Technical controls

use technology to reduce vulnerabilities; (identification and authentication, logical access control, audit and accountability, encryption, IDS, firewall)


Related study sets

Psych 3420 Prelim 1, Psych 3420 prelim 2, Psych 3420 Final

View Set

TEXT: McCulloch v. Maryland, Part II

View Set

LaCharity Chapter 7: Cardiovascular Problems

View Set

3MA114 - Management pro informatiky a statistiky

View Set

Nutrition 330 Study Questions 1-7

View Set

Unit 5: Lesson 5.1, Lesson 5.2, Lesson 5.3

View Set

Political Associations before INC

View Set

International Blaw Exam 3 Quiz Question

View Set

FRA 3 - UNDERSTANDING INCOME STATEMENTS

View Set