Term
| What are the three types of security controls? |
|
Definition
| Administrative Controls, Logical (or Technical) Controls, and Physical Controls |
|
|
Term
| What are some examples of Administrative Controls? |
|
Definition
| Publishing policies, standards, procedures, and guidelines, personnel screening, risk management, change controls, and security awareness training |
|
|
Term
| What are some examples of Technical (or Logical) Controls? |
|
Definition
| Controls implemented in software, hardware, or firmware: infrastructure configuration, access control mechanisms, network security devices (firewalls, IDS/IPS), identification and authentication methods, encryption, and password and resource management |
|
|
Term
| What are some examples of Physical Controls? |
|
Definition
| Fences, locking down hardware (e.g., disabling floppy and other removable-media drives), controlling access to buildings and rooms, intrusion monitoring (guards, alarms, CCTV), and environmental controls (HVAC, fire suppression). |
|
|
Term
| The Planning Horizon defines what three types of goals, and what are their scopes? |
|
Definition
Operational Goals = daily tasks (short-term)
Tactical Goals = mid-term
Strategic Goals = long-term |
|
|
Term
| What is CobiT (Control Objectives for Information and related Technology)? |
|
Definition
| A framework of goals and a set of best practices. It defines WHAT is to be achieved. |
|
|
Term
| What are the four domains of CobiT? |
|
Definition
1. Plan and Organize
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate |
|
|
Term
| Who developed CobiT and from what? |
|
Definition
| The ISACA and the ITGI, from the COSO. |
|
|
Term
| What is the most common set of security standards called, and what was it derived from? |
|
Definition
| ISO/IEC 17799, which was derived from BS 7799 Part 1 and later renumbered ISO/IEC 27002. (BS 7799 Part 2 became ISO/IEC 27001.) |
|
|
Term
| What security standards deal with controls? |
|
Definition
| BS 7799 Part 1 and ISO/IEC 27002 (the code of practice listing security controls) |
|
|
Term
| What security standards deal with how to develop a security program? |
|
Definition
| BS 7799 Part 2 and ISO/IEC 27001 (requirements for establishing and running an Information Security Management System, ISMS) |
|
|
Term
| What standard protects personal health information? |
|
Definition
| HIPAA (Health Insurance Portability and Accountability Act), through its Privacy and Security Rules. |
|
|
Term
| What NIST standard establishes risk assessment procedures? |
|
Definition
| NIST SP 800-30, Risk Management Guide for Information Technology Systems (Revision 1 is titled Guide for Conducting Risk Assessments). |
|
|
Term
| What NIST standard establishes HIPAA (health care) assessment standards? |
|
Definition
| NIST SP 800-66, An Introductory Resource Guide for Implementing the HIPAA Security Rule. |
|
|
Term
| What risk assessment methodology was created by Carnegie Mellon University's Software Engineering Institute, and what does it intend? |
|
Definition
| OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation). It holds that people within the company are best suited to identify, manage, and direct their own security measures, so the assessment is led by an internal team rather than by outside consultants. |
|
|
Term
| What does FRAP stand for and what is it used for? |
|
Definition
| Facilitated Risk Analysis Process, a qualitative risk assessment methodology that examines one system, application, or business process at a time. |
|
|
Term
| Who Publishes FIPS, and what does it stand for, and who has to approve them? |
|
Definition
| Federal Information Processing Standards, published by NIST (the National Institute of Standards and Technology) and approved by the Secretary of Commerce. |
|
|
Term
| What is SLE and what is the formula to find it? |
|
Definition
| Single Loss Expectancy: SLE = AV (Asset Value) x EF (Exposure Factor, the fraction of the asset's value lost in one occurrence) |
|
|
Term
| What is ALE and what is the formula to find it? |
|
Definition
| Annualized Loss Expectancy: ALE = SLE (Single Loss Expectancy) x ARO (Annualized Rate of Occurrence) |
|
|
Term
| What is the formula to calculate Total Risk and Residual Risk? |
|
Definition
Total Risk = Threats x Vulnerability x Asset Value
Residual Risk = Total Risk x Control Gap, i.e. (Threats x Vulnerability x Asset Value) x Control Gap |
|
|
Term
| What is the Delphi technique? |
|
Definition
| It is an anonymous group decision method used for QuaLitative Risk Analysis. |
|
|
Term
| What are the 3 types of security policies? |
|
Definition
| Regulatory, Advisory, and Informative |
|
|
Term
| What is a Regulatory Security Policy? |
|
Definition
| Industry-specific policies that ensure an organization is following specific industry standards or regulations (e.g., HIPAA). |
|
|
Term
| What is an Advisory Security Policy? |
|
Definition
| Tells employees what is acceptable and not acceptable behavior, and the ramifications. |
|
|
Term
| What is an Informative Security Policy? |
|
Definition
| It teaches and informs individuals about specific issues relevant to the company. |
|
|
Term
| What is baseline security? |
|
Definition
| the minimum level of security required |
|
|
Term
| What does Due Diligence mean? |
|
Definition
| Simple answer - Do Detect. Due diligence is the investigation: identifying and understanding the risks (e.g., performing a risk assessment). |
|
|
Term
| What does Due Care mean? |
|
Definition
| Simple answer - Do Correct. Due care is acting on what due diligence found: putting reasonable safeguards in place and maintaining them. |
|
|
Term
| What are some industry tools to stop collusion? |
|
Definition
| Separation of duties (Split knowledge and dual control), rotation of duties, and mandatory vacation |
|
|
Term
| What are the 4 military classification levels and give a definition of each. |
|
Definition
Unclassified - no damage if published (e.g., a manual)
SBU (Sensitive But Unclassified) - no major damage if published (e.g., medical data)
Secret - serious damage to national security
Top Secret - grave damage to national security |
|
|
Term
| What are the 4 civilian classification levels and explain them. |
|
Definition
Public - disclosure not welcome, but no adverse impact
Sensitive - requires special precautions
Private - personal information (e.g., medical information)
Confidential - trade secrets, source code |
|
|
Term
| In the world of security, who is ultimately responsible? |
|
Definition
| Senior management. |
|
|
Term
| In regard to a security program, what is better - top-down, or bottom-up, and why? |
|
Definition
| Top-down, because it has management buy-in. |
|
|
Term
| What is another term for data owner? |
|
Definition
| Information owner. |
|
|
Term
| Who is responsible for assigning classifications to information and dictating how it should be protected? |
|
Definition
| the Information owner (Data owner). |
|
|
Term
| What is a Vulnerability? |
|
Definition
| The absence or weakness of a safeguard that could be exploited. |
|
|
Term
| What is a Threat? |
|
Definition
| Any potential danger to information or systems. |
|
|
Term
| What is Risk? |
|
Definition
| The likelihood of a threat agent taking advantage of a vulnerability, combined with the resulting business impact. |
|
|
Term
| What is an Exposure? |
|
Definition
| An instance of being exposed to losses from a threat agent. (an incident) |
|
|
Term
| Define a Countermeasure or Safeguard. |
|
Definition
| Anything put in place to mitigate a potential risk (a control, whether administrative, technical, or physical). |
|
|
Term
| What is the full-circle relationship of security components? |
|
Definition
| A threat agent gives rise to a Threat, which exploits a Vulnerability, which leads to Risk, which can damage an Asset and cause an Exposure, which can be mitigated by a Safeguard/Countermeasure, which directly affects the threat agent, who gives rise to a Threat... |
|
|
Term
| What does CobiT define and what does ITIL provide? |
|
Definition
| CobiT defines IT Goals, ITIL provides the steps to achieve them. |
|
|
Term
| What is security governance? |
|
Definition
| All of the tools, personnel, and business processes necessary to ensure that security implemented meets the organization's specific needs. |
|
|
Term
| What are security blueprints? |
|
Definition
| important tools to identify, develop, and design, security requirements for specific business needs. |
|
|
Term
| What is Information Risk Management? |
|
Definition
| The PROCESS of identifying and assessing risk, reducing it to an acceptable level, and implementing mechanisms to maintain that level. |
|
|
Term
| What is the overall goal of the Risk Management Team? |
|
Definition
| To ensure the company is protected in the most cost-effective manner. |
|
|
Term
| What is the most important goal of the Risk Management Team in regard to the IRM policy? |
|
Definition
| That senior management has established a risk acceptance level. |
|
|
Term
| What are the four goals of Risk Analysis? |
|
Definition
1. Identify assets and their value
2. Identify vulnerabilities and threats
3. Quantify the probability and business impact of the threats
4. Provide an economic balance between the impact of the threat and the cost of the countermeasures |
|
|
Term
| What questions must a risk analysis team ask? |
|
Definition
| What event could occur (threat event)?
What is the impact (risk)?
How often could it happen (frequency)?
What level of confidence do we have in the first 3 answers (certainty)? |
|
|
Term
| What is FMEA and what does it do? |
|
Definition
| Failure Modes and Effect Analysis - a structured method that walks through each component or function, lists the ways it could fail (failure modes), and determines the effect of each failure on the system, so you know how much can go wrong and where. |
|
|
Term
| What does a fault tree apply to? |
|
Definition
|
|
Term
| What is the difference between Quantitative and Qualitative Risk? |
|
Definition
Quantitative - deals with dollar values
Qualitative - deals with abstract values (e.g., rankings of 1-10 or high/medium/low) |
|
|
Term
| Once it is discovered, what 4 options can you do with risk. |
|
Definition
| Reduce, transfer, accept, avoid |
|
|
Term
| What are SLE, ALE, EF, and ARO |
|
Definition
| Single Loss Expectancy, Annualized Loss Expectancy, Exposure Factor (the percentage of an asset's value that would be lost to a threat), and Annualized Rate of Occurrence (how many times per year the threat is expected to occur). |
|
|
Term
| What are other names for Qualitative Risk Analysis? |
|
Definition
| Scenario-based, Subjective, Best-Effort, Intuitive. |
|
|
Term
| What is the formula for Cost/Benefit Analysis? |
|
Definition
| (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard) = value of safeguard. A negative value means the safeguard costs more per year than the risk it removes. |
|
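A worked quantitative risk analysis that ties the SLE, ALE, and cost/benefit cards together, added here as an example and not part of the original deck. It ranks several candidate safeguards for one threat scenario; the asset value, threat parameters, and safeguard figures (`CUSTOMER_DB_VALUE`, `RANSOMWARE`, `CANDIDATES`) are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat scenario against an asset. ef is the fraction of asset
    value lost per occurrence; aro is expected occurrences per year."""
    name: str
    ef: float
    aro: float


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure with its annual cost and the EF/ARO left after it is applied."""
    name: str
    annual_cost: float
    ef_after: float
    aro_after: float


def sle(asset_value: float, ef: float) -> float:
    """Single Loss Expectancy = AV x EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * ef


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit: (ALE before) - (ALE after) - (annual cost of safeguard)."""
    return ale_before - ale_after - annual_cost


def rank_safeguards(asset_value: float, threat: Threat, safeguards: list[Safeguard]) -> list[tuple[str, float]]:
    """Return (name, value) pairs sorted best-first. A negative value means the
    safeguard costs more per year than the annualized loss it prevents."""
    ale_before = ale(sle(asset_value, threat.ef), threat.aro)
    scored = []
    for sg in safeguards:
        ale_after = ale(sle(asset_value, sg.ef_after), sg.aro_after)
        scored.append((sg.name, safeguard_value(ale_before, ale_after, sg.annual_cost)))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample figures (hypothetical, not from the original deck).
CUSTOMER_DB_VALUE = 500_000.0
RANSOMWARE = Threat(name="ransomware on customer DB", ef=0.40, aro=0.5)
CANDIDATES = [
    # cuts the loss per incident (EF) but not how often it happens
    Safeguard("offline backups", annual_cost=20_000, ef_after=0.10, aro_after=0.5),
    # cuts how often it happens (ARO) but not the loss once it does
    Safeguard("EDR rollout", annual_cost=60_000, ef_after=0.40, aro_after=0.1),
    # strong reduction, but the annual cost exceeds the risk removed
    Safeguard("network isolation appliance", annual_cost=120_000, ef_after=0.40, aro_after=0.05),
]

if __name__ == "__main__":
    single = sle(CUSTOMER_DB_VALUE, RANSOMWARE.ef)
    print(f"SLE = ${single:,.0f}   ALE = ${ale(single, RANSOMWARE.aro):,.0f}")
    for name, value in rank_safeguards(CUSTOMER_DB_VALUE, RANSOMWARE, CANDIDATES):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:30s} value/yr ${value:>10,.0f}  {verdict}")
```

With these figures the ALE before any control is $100,000 per year; offline backups come out best ($55,000 of net annual value), EDR is still positive ($20,000), and the appliance is not justified because its $120,000 annual cost exceeds the $90,000 of ALE it removes.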
|
Term
| What is the first step in developing a security program? |
|
Definition
|
|
Term
| What is the difference between a security policy, and an organizational security policy? |
|
Definition
Security Policy - a high-level document that is broad in nature.
Organizational Security Policy - states how the program will be set up, along with its goals, roles, responsibilities, and enforcement. |
|
|
Term
| What are safe harbor requirements? |
|
Definition
| Rules for transferring personal (privacy) information between the US and Europe. (The original US-EU Safe Harbor framework was invalidated by the EU Court of Justice in 2015 and has since been replaced by successor arrangements.) |
|
|
Term
| What is the OECD and what is it used for? |
|
Definition
| The Organization for Economic Co-operation and Development; its privacy guidelines are used to protect personal data in transborder information flows. |
|
|
Term
| What is the difference between a data owner and data custodian? |
|
Definition
Owner - ultimately responsible for the protection and use of the information (classifies it and sets the required protection).
Custodian - responsible for maintaining and protecting the data day to day (backups, access control implementation) on the owner's behalf. |
|
|