CISSP Information Security and Risk Management (Set 1) – Flashcards
question
What is the objective of security and a security program?
answer
to protect the company and its assets
question
Security Management
answer
the foundation of a corporation's security program... includes risk management, information security policies, procedures, standards, guidelines, baselines, information classification, security organization, and security education.
question
What are the processes involved in the Security Management Cycle?
answer
- Assess the risks and determine the needs to deal with them
- Monitor and evaluate the systems and practices involved
- Promote awareness
- Implement policies and controls intended to address the risks and needs first defined
question
Risk Analysis
answer
identifies a company's assets, discovers the threats that put them at risk, and estimates the possible damage and potential loss a company could endure if any of these threats were to become real... this information is used to help management construct a budget with the necessary funds to protect the recognized assets from their identified threats and develop applicable security policies that provide direction for security activities.
question
Directive Controls
answer
these controls usually include company policies and guidelines that advise employees of their expected behavior when interacting with the company's resources. Some of the directive controls include legislation, authorized use policies, and anti-viral software standards.
question
Preventive Controls
answer
these controls prohibit actions that violate company policies or that increase risk to system resources. Examples of preventive controls include separation of duties and encryption of data.
question
Detective Controls
answer
these controls use practices, processes, and tools to identify and react to security violations. These controls include audit trails, integrity checks, and violation reports.
question
Corrective controls
answer
these controls involve measures designed to detect and rectify an unwanted event, which helps in eliminating its recurrence. An example of a corrective control is the frequent updating of anti-virus software.
question
Recovery Controls
answer
these controls restore a system or its operation to normal if an incident occurs that compromises the integrity or availability of the computing system. Fault tolerant systems, RAID, and resending lost or corrupted messages are some examples of implementing recovery controls.
question
Types of Preventative Controls
answer
- Administrative Controls
- Technical Controls
- Physical Controls
question
Information Asset
answer
The complete body of information in an organization.
question
Bottom-up approach
answer
Development of security programs without support and guidance from the management (usually not very effective or broad enough)
question
Top-down approach
answer
An approach in which the initiation, support, and direction for a project come from top management and work their way down through middle management and then to staff members.
question
Strategic goals
answer
Long-term goals that are broad, general statements of intent. Operational and tactical goals support strategic goals and all are a part of a planning horizon.
question
Examples of Strategic Planning Organizational Security Goals
answer
- Make sure risks are properly understood and addressed
- Ensure compliance with laws and regulations
- Integrate security responsibilities throughout the organization
- Create a maturity model to allow for continual improvement
- Use security as a business achievement to attract more customers
question
Tactical goals
answer
Midterm goals which may be milestones to accomplish within a project or specific projects to accomplish in a year.
question
Operational goals
answer
Short-term or daily goals.
question
Examples of Operational Planning Organizational Security Goals
answer
- Perform security risk assessment
- Do not allow security changes to decrease productivity
- Maintain and implement controls
- Continually scan for vulnerabilities and roll out patches
- Track compliance with policies
question
Vulnerability
answer
a software, hardware, procedural, or human weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment... a vulnerability characterizes the absence or weakness of a safeguard that could be exploited (Ex: a service running on a server, unpatched applications or operating system software, unrestricted modem dial-in access, an open port on a firewall, etc)
question
Threat
answer
Any potential danger that a vulnerability will be exploited by a threat agent
question
Threat Agent
answer
the entity that takes advantage of a vulnerability (Ex: an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information or destroy a file's integrity)
question
Risk
answer
the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact... risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact
question
Exposure
answer
an instance of being exposed to losses from a threat agent... a vulnerability exposes an organization to possible damages
question
Safeguard
answer
A software configuration, hardware, or procedure that eliminates a vulnerability or reduces the risk of a threat agent from being able to exploit a vulnerability.
question
Safeguard Effectiveness
answer
The percentage degree to which a safeguard can be characterized as an effective risk-reducing measure.
question
Uncertainty
answer
The percentage of confidence less than complete confidence in the value of any element of the risk assessment.
question
Duty of Loyalty
answer
A duty that the security officer performs when drafting the security management program... it ensures that the senior management of an organization does not reveal or use the organization's protected information for personal gain
question
Due Care
answer
a legal term and concept used to help determine liability in a court of law... if someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if something bad takes place
question
Duty of Care
answer
A duty that the security officer performs when drafting the security management program... it ensures that the organization is responsible for taking care of its employees and resources by developing and implementing security policies, procedures, and standards
question
Conflict of Interest
answer
An individual is required to report any incident that conflicts with the company's interests
question
Duty of Fairness
answer
A legal concept that requires an individual to act without any bias in any situation related to a conflict of interest
question
Corporate Opportunity
answer
A legal concept that requires an individual not to divulge any company information related to mergers, acquisitions, or patents for personal gain
question
Advisory Policies
answer
Policies that define the behavioral requirements of employees and state ramifications in case of noncompliance... Ex: employees shouldn't sell customers' SSNs to shady people; if they do, they are fired
question
Informative Policies
answer
Policies that aren't enforceable and are meant for informational purposes only... they have no ramifications if not complied with but can be regulated. Ex: an Employee Counseling program helps employees by providing information that could be useful to them, but the employees don't have to follow the advice
question
Regulatory Policies
answer
Policies that include laws, bills, and regulations, specific to a type of industry, which are enforced to meet compliance with local, state, and federal laws
question
What is the main difference between a policy and a standard?
answer
Policies state measures (like royal decrees) without providing solutions to implement those measures... Standards define solutions to implement the measures stated in the policy
question
Baseline
answer
Baselines define the minimum level of security measures required by an organization to protect itself from internal and external threats. Baselines are established before standards are developed and they provide platform-specific implementations for the standards
question
Guidelines
answer
General statements that recommend actions to be followed in case a standard does not apply
question
What is the main difference between a standard and a guideline?
answer
Guidelines are general approaches while standards are specific mandatory activities
question
What are the three components of a security framework?
answer
- People: deals with roles and responsibilities, skills and training, organizations, attitudes, and culture
- Technology: includes applications, tools, hardware, and software
- Processes: includes procedures, standards, metrics, and performance monitoring
question
End-User Document
answer
A document created by management that lists all the schemes, rules, and policies related to security and behavior that a new hire is expected to abide by. It also explains what the employee can expect. Ex: Employee can expect his/her healthcare insurance to be paid for by the company... the company expects the employee to abide by its sexual harassment policy
question
Acceptable Use Policy
answer
(Included in the End-User Document) an outline of the access privileges, rules for behavior, and any possible consequence of breaking rules when dealing with network resources... also provides suggestions about the personal items that are brought into the workplace
question
Benefits of Separation of Duties
answer
- Introduces transparency in an organization, making it clear who does what in a situation
- Ensures that no individual is solely responsible for a critical task, preventing collusion and reducing the possibility of mistakes
- Restricts access to information by job role, helping to prevent computer crimes
question
Value of Countermeasure
answer
ALE (without countermeasure) - Cost (safeguard) - ALE (with countermeasure)
question
Total Risk
answer
threats x vulnerability x asset group
question
Residual Risk
answer
total risk x controls gap
question
Information Risk Management (IRM)
answer
the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level
question
Overall Goal of the Information Risk Management (IRM) Team
answer
ensure the company is protected in the most cost-effective manner... ways they can accomplish this are on page 75
question
What percent of his time should an IRM team leader spend in this role?
answer
50 to 70%
question
What are the different roles associated with an individual group?
answer
- Senior Management (Board of Directors, CEO, CFO, CIO, CPO, CSO, CISO)
- Committees (Security Steering Committee & Audit Committee)
- Data Owner, Data Custodian, System Owner
- Security Administrator, Security Analyst
- Application Owner, Supervisor (User Manager), Change Control Analyst, Data Analyst, Process Owner, Solution Provider, Product Line Manager, Auditor
- User
question
Board of Directors (Board of Trustees)
answer
a group of individuals who are elected by the shareholders of a corporation to oversee the fulfillment of the corporation's charter. Their goal is to ensure the shareholders' interests are being protected and that the corporation is being run properly. They are supposed to be unbiased and independent. They are responsible for setting the organization's strategy and risk appetite. They receive their input from executives and the assurance (auditing) committee.
question
What was the problem in the past with the board of directors that was the cause of a lot of corporate scandals like Enron, WorldCom, Tyco International, Adelphia, and Global Crossing?
answer
Too many people who held board of director positions looked the other way regarding corporate fraud and mismanagement or depended too much on executive feedback instead of finding the truth about their company's health themselves.
question
Why join a company's board of directors?
answer
Board members often receive remunerations amounting to hundreds of thousands of dollars per year since they often sit on the boards of several companies. Inside directors are usually not paid for sitting on a board, but the duty is instead considered part of their larger job description. Outside directors are usually paid for their services. These remunerations vary between corporations, but usually consist of a yearly or monthly salary, additional compensation for each meeting attended, stock options, and various other benefits... it's also to satisfy personal pride and ego.
question
Why is it difficult now for companies to find candidates to fill the board of directors positions?
answer
After the financial fiascos of the early 2000s, the SEC placed more requirements and potential penalties on the board for publicly-traded companies. The Sarbanes-Oxley Act made the board personally responsible and liable if the corporation does not properly maintain an internal corporate governance framework, and/or if financials reported to the SEC are incorrect. They can be personally fined or thrown in jail.
question
What is the Sarbanes-Oxley Act (SOX)?
answer
a United States federal law enacted on July 30, 2002, which set new or enhanced standards for all U.S. public company boards, management and public accounting firms. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the SEC to implement rulings on requirements to comply with the law. It created a new, quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, charged with overseeing, regulating, inspecting and disciplining accounting firms in their roles as auditors of public companies. The act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
question
How has the Sarbanes-Oxley Act (SOX) been welcomed?
answer
As a testament to the need for stricter financial governance, SOX-type laws have been subsequently enacted in Japan, Germany, France, Italy, Australia, India, South Africa, and Turkey. Debate continues over the perceived benefits and costs of SOX. Opponents of the bill claim it has reduced America's international competitive edge against foreign financial service providers, saying SOX has introduced an overly complex regulatory environment into U.S. financial markets. Proponents of the measure say that SOX has been a "godsend" for improving the confidence of fund managers and other investors with regard to the veracity of corporate financial statements.
question
Chief Executive Officer (CEO)
answer
the individual with the day-to-day management responsibilities of an organization. This person is often the chairperson of the board of directors and is the highest ranking officer in the company. He/she oversees the company finances, strategic planning, and operations from a high level. He/she is usually seen as the visionary for the company and is responsible for developing and modifying the company's business plan, setting budgets, forming partnerships, deciding on what markets to enter, what product lines to develop, how the company will differentiate itself, and so on. This person can delegate tasks, but now not necessarily responsibility, which means that in general, they are spending more money on security than ever before.
question
Chief Financial Officer (CFO)
answer
the individual responsible for the corporation's account and financial activities, and the overall financial structure of the organization. This person is responsible for determining what the company's financial needs will be and how to finance those needs. He/she must create and maintain the company's capital structure, which is the proper mix of equity, credit, cash, and debt financing. This person oversees forecasting and budgeting and the processes of submitting quarterly and annual financial statements to the SEC and stakeholders.
question
Who, in a company, is responsible for informing stakeholders (creditors, analysts, employees, management, investors) of the firm's financial condition and health?
answer
The CEO and CFO
question
Chief Information Officer (CIO)
answer
the individual who reports to the CEO or CFO and is responsible for the strategic use and management of information systems and technology within the organization. The position has become more strategic and less operational, requiring the individual to sit at the corporate table more often. His/her responsibilities have extended to working with the CEO and other management on business-process management, revenue generation, and how business strategy can be accomplished with the company's underlying technology. He/she is bridging techno-land and business-land and should have a good background in both fields.
question
Chief Security Officer (CSO)
answer
the individual responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. He/she is responsible for understanding the organization's business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security compliance with regulations and laws, and any customer expectations of contractual obligations. It is his/her job to ensure that business is not disrupted in any way due to security issues... it extends beyond IT and reaches into business processes, legal issues, operational issues, revenue generation, reputation protection, and risk management.
question
Chief Privacy Officer (CPO)
answer
a newer position that is responsible for ensuring that customer, company, and employee data are kept safe, which keeps the company out of criminal and civil courts and out of the headlines. This person is usually an attorney and is directly involved with setting policies on how data are collected, protected, and given out to third parties... an organization is responsible for knowing how its suppliers, partners, and other third parties are protecting its information, so this role is very important. He/she often reports to the CSO.
question
Security Steering Committee
answer
a committee responsible for making decisions on tactical and strategic security issues within the enterprise as a whole... it should not be tied to one or more business units and should be made up of people from all over the organization. The CEO should head it and the CFO, CIO, department managers, and the chief internal auditor should be on it.
question
Responsibilities of the Security Steering Committee
answer
- Defining the acceptable risk level for the organization
- Developing security objectives and strategies
- Determining priorities of security initiatives based on business needs
- Reviewing risk assessment and auditing reports
- Monitoring the business impact of security risks
- Reviewing major security breaches and incidents
- Approving any major changes to the security policy and program
- Clearly defining a mission statement
question
Audit Committee
answer
a committee that should be appointed by the board of directors to help it review and evaluate the company's internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company's investors, customers, and creditors have continued confidence in the organization. Its role has shifted from just overseeing, monitoring, and advising company management to enforcing and ensuring accountability on the part of all individuals involved
question
Responsibilities of the Audit Committee
answer
- Ensuring the integrity of the company's financial statements and other financial information provided to stockholders and others
- Managing the company's system of internal controls
- Setting up the engagement and performance of independent auditors
- Ensuring compliance with legal requirements and company policies regarding ethical conduct
question
Data Owner
answer
usually a senior executive within the management group of the company who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. This person has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. He/she delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.
question
Responsibilities of the Data Owner Role
answer
- Deciding upon the classification of data
- Reviewing data and changing classification based on changing business needs
- Ensuring the implementation of security controls
- Determining access rights, security, and backup requirements for data
- Approving any disclosure activities
- Acting on security violation notifications
question
What is a Data Steward?
answer
a senior business manager who is responsible for the creation, maintenance, and performance of information systems related to specific business units
question
Responsibilities of the Data Steward Role
answer
- Categorizing data based on the data-classification scheme
- Classifying critical data effectively to meet contingencies
- Defining validation rules for correct data input
- Ensuring the training of data users
- Understanding the uses and risks associated with data in order to provide appropriate data access permissions
question
What is a Data Custodian?
answer
normally an IT employee who is responsible for the security and maintenance of the information provided to them by stewards
question
Responsibilities of the Data Custodian Role
answer
- Protecting information from unauthorized access and modifications (ensuring integrity)
- Performing backups or restoring data according to the requirements specified by the organization
- Monitoring information systems to ensure compliance with company policies and standards
- Providing stewards with reports about information system usage
question
What does the System Owner do in general?
answer
The System Owner incorporates security considerations into applications, purchase decisions, and projects
question
Responsibilities of the System Owner Role
answer
- Assessing systems for vulnerabilities
- Ensuring that proper security measures are adopted (necessary controls, password management, remote access controls, operating system configurations, etc)
- Reporting security incidents to the incident response team and data owner
question
Responsibilities of the Security Administrator Role
answer
- Configuring security access controls according to data environments
- Creating or deleting system user accounts and issuing passwords
- Assigning access control privileges
- Implementing and testing security software and patches
question
Responsibilities of the Security Analyst Role
answer
- Not part of the implementation team for security (works at a more strategic level)
- Helps develop policies, standards, and guidelines, as well as set various baselines
- Helps define the security program elements and follows through to ensure the elements are being carried out and practiced properly
question
Responsibilities of the Application Owner
answer
- Dictating who can and cannot access their applications (subject to staying in compliance with the company's security policies)
- Ensuring the security of a business unit's applications (testing, patching, performing change control on the programs, and making sure the right controls are in place to provide protection)
question
What does the Supervisor do in general?
answer
A Supervisor, also called the user manager, holds the complete responsibility of employee activities and the assets used by the employees. The supervisor also takes care of nonemployee activities and the company assets used by these individuals.
question
Responsibilities of the Supervisor Role
answer
- Informing the security administration for revoking the user IDs of terminated employees
- Informing the administration about the transfer or suspension of an employee
- Reporting security violation incidents
- Receiving and assigning user IDs and initial passwords to new employees
- Ensuring that the user ID and account information of an employee are synchronized
- Educating the employees about the security policies they are accountable for
question
What does the Change Control Analyst do in general?
answer
The Change Control Analyst takes care of all the changes that take place in the organization's network, systems, or software and makes sure that all changes are safe
question
Responsibilities of the Change Control Analyst Role
answer
- Approving or rejecting change requests
- Analyzing the impact of changes on security, interoperability, performance, and productivity
- Ensuring that changes do not lead to vulnerabilities
- Testing all changes before they are rolled out
question
What does the Data Analyst do in general?
answer
The Data Analyst ensures that an organization's data is properly structured and comprehensible (Ex: payroll info shouldn't be mixed with inventory info, the purchasing dept needs a lot of values in monetary terms, and the inventory system needs a standardized naming scheme.)
question
Responsibilities of the Data Analyst Role
answer
- Designing data structures and data models in compliance with business objectives
- Designing the physical database structure
- Helping the data owner develop data architectures
- Recording metadata to manage databases
question
What does the Process Owner do in general?
answer
The Process Owner ensures that all processes in an organization are well defined to meet business needs
question
Responsibilities of the Process Owner Role
answer
- Defining data requirements and improving data quality for business processes
- Defining, improving, and monitoring processes to make the processes effective
- Resolving the data issues related to complex processes and the processes associated with different application types
question
What does the Solution Provider do in general?
answer
The Solution Provider works with the business managers, data owners, and senior management to develop and deploy solutions for improving business processes or solving problems
question
Responsibilities of the Solution Provider Role
answer
- Ensuring that applications and data work together to meet business needs
- Giving technical requirements to improve the process
question
Responsibilities of the User Role
answer
The user is any person who uses data for performing job-related activities. The user is responsible for protecting the data used by her by adhering to the security policies and maintaining the confidentiality, integrity, and availability of data
question
What does the Product Line Manager do in general?
answer
The Product Line Manager ensures that all products meet the business requirements of the organization
question
Responsibilities of the Product Line Manager Role
answer
- Translating business requirements into product requirements
- Evaluating the need for product enhancement
- Planning and implementing new releases
- Ensuring that products comply with license agreements
- Monitoring production performance per business objectives
- Analyzing product usage and the technology required for product usage
question
What does the Auditor do in general?
answer
The Auditor's function is to provide a method for ensuring independently that management and shareholders of an organization can rely upon the appropriateness of security objectives as well as the information they are being provided with regarding the status of the organization as a whole.
question
Responsibilities of the Auditor Role
answer
- Determining if the controls that have been implemented by the administration for either technical or physical attributes have reached, and comply with, the security objectives that are either required for the organization by legislation or that have been deemed necessary by the governance of the organization
- Ensuring that an evaluation (internal or external audits) of an organization is as comprehensive, objective, and unbiased as possible
question
Why is the CISO position commonly referred to as the "sacrificial lamb"?
answer
The business unit owners should technically be the owners of risk, not the security department, however, too many organizations don't extend the responsibility of risk out to those units, and it lands on the CISO.
question
What are the issues for U.S. organizations when exchanging data with European entities?
answer
Since Europe has always had tighter control over protecting privacy information than the U.S. and other parts of the world, U.S. organizations need to adhere to "safe harbor" requirements, which outline how privacy data must be protected in transit. Global organizations also have to follow OECD guidelines and transborder information flow rules or they can be fined or sued, or their business can be disrupted.
question
What does the OECD, the global organization, stand for?
answer
Organisation for Economic Co-operation and Development
question
What is the Security Program Life Cycle?
answer
1. Plan and Organize
2. Implement
3. Operate and Maintain
4. Monitor and Evaluate
See page 69 for specifics
question
What are examples of Administrative Controls?
answer
- Developing and publishing policies, standards, procedures, and guidelines
- Risk Management
- Personnel Screening
- Conducting security-awareness training
- Implementing change control procedures
question
What are examples of Technical Controls (also called Logical controls)?
answer
- Implementing and maintaining access control mechanisms
- Password and resource management
- Identification and authentication methods
- Security devices
- Configuration of the infrastructure
question
What are examples of Physical Controls?
answer
- Controlling individual access into the facility and different departments
- Locking systems and removing unnecessary floppy or CD-ROM drives
- Protecting the perimeter of the facility
- Monitoring for intrusion
- Environmental controls
question
Security Through Obscurity
answer
reliance on confusion to provide security. Setting up confusing or "tricky" countermeasures is a simple example of an attempt at security through obscurity. More complicated examples: putting a spare key under a doormat in case you are locked out of the house
question
What are some examples of potentially damaging IT security ideas that can result from taking a security-by-obscurity approach?
answer
- Flaws cannot be exploited if they are not common knowledge
- Compiled code is more secure than open-source code because people can't see the code
- Moving HTTP traffic to port 8088 will provide enough protection
- Developing personal encryption algorithms will stop the crackers
- If we all wear Elvis costumes, no one can pick us out to conduct social engineering attacks
question
What is Kerckhoffs's principle?
answer
No algorithm should be kept secret; only the key should be the secret component (assume that the attacker can figure out your algorithm and its logic, so ensure that the key, which the attacker would need to make the algorithm decode sensitive data, is properly protected)