CISSP 1

Information Security Governance and Risk Management

Term: Definition
Fundamental principles of security (objectives): Availability, Integrity, Confidentiality
Availability: Reliable and timely access to data/resources for authorized users.
Integrity: Assurance of the accuracy and reliability of systems/information, and prevention of unauthorized access.
Confidentiality: Ensures the necessary level of secrecy is enforced at each level of data processing and prevents unauthorized disclosure.
Shoulder surfing: Viewing information in an unauthorized manner by looking over someone else's shoulder.
Social engineering: Gaining unauthorized access by tricking someone into divulging sensitive information.
Vulnerability: Lack of a countermeasure, or a weakness in a countermeasure.
Threat: Potential danger associated with the exploitation of a vulnerability.
Threat agent: Entity that takes advantage of a vulnerability.
Risk: Likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.
Exposure: Instance of being exposed to losses.
Control or countermeasure: Safeguard put in place to reduce a risk.
Control types: 1. Administrative / management, 2. Technical / logical, 3. Physical / operational. All of the above controls are preventive in nature.
Functionalities of control types: Preventive (avoid an incident from occurring); Deterrent (discourage a potential attacker); Corrective (fix components after an incident has occurred); Detective (identify incident activity or a potential intruder); Recovery (bring systems back to regular operation); Compensating (controls that provide an alternative measure).
Defense in depth: Implementation of multiple control types and functionalities so that successful penetration and compromise is difficult to attain.
Security through obscurity: Placing the door key under the doormat.
British Standard 7799 (BS 7799): Developed in the UK in 1995 and published by the British Standards Institution. Part 1: control objectives and a range of controls to meet those objectives. Part 2: outlines how a security program (ISMS) can be implemented and maintained.
BS 7799 coverage: 1. IS policy for the organization, 2. Creation of IS infrastructure, 3. Asset classification and control, 4. Personnel security, 5. Physical and environmental security, 6. Communications and operations management, 7. Access control, 8. System development and maintenance, 9. Business continuity management, 10. Compliance
ISO/IEC 27000 origin: ISO and IEC worked together, building on BS 7799, to launch a global standard as ISO/IEC 27000: an international standard on how to develop and maintain an ISMS.
ISO/IEC 27000: Overview and vocabulary
ISO/IEC 27001: ISMS requirements
ISO/IEC 27002: Code of practice for ISM
ISO/IEC 27003: Guideline for ISMS implementation
ISO/IEC 27004: Guideline for ISM measurement and metrics framework
ISO/IEC 27005: Guideline for IS risk management
ISO/IEC 27006: Guidelines for bodies providing audit and certification of an ISMS
ISO/IEC 27011: ISM guidelines for the telecommunications industry
ISO/IEC 27031: Guideline for IT business continuity
ISO/IEC 27033-1: Guideline for network security
ISO/IEC 27799: Guideline for ISM in the health industry
ISO/IEC 27007: Guideline for ISMS auditing
ISO/IEC 27013: Guideline for integrated implementation of ISO/IEC 27000-1 and ISO/IEC 27001
ISO/IEC 27014: Guideline for IS governance
ISO/IEC 27015: ISM guidelines for finance and insurance
ISO 27000 series method: Follows the Plan-Do-Check-Act cycle. Plan: establishing objectives and making plans. Do: implementation of the plan. Check: measuring results against objectives. Act: correction and improvement to better achieve success.
Enterprise architecture development: 1. Zachman, 2. TOGAF (The Open Group Architecture Framework); military-oriented architecture frameworks: 3. DoDAF (Department of Defense Architecture Framework), 4. MODAF (Ministry of Defence Architecture Framework)
Zachman enterprise architecture: Created by John Zachman in the 1980s and based on classical business architecture, which contains rules that govern an ordered set of people.
Zachman Framework: Two-dimensional; holds six basic communication elements (What, How, Where, Who, When and Why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer and Worker). The goal is to look at the same organization from different views.
TOGAF: Originated in the US DoD. A framework to design, implement and govern; it can be used to develop Business Architecture, Data Architecture, Application Architecture and Technology Architecture. TOGAF is used to create individual architectures through the use of the Architecture Development Method (ADM).
DoDAF: When the US military purchases technology products and defense systems, enterprise architecture framework documents must be created based on DoDAF standards to illustrate how they will integrate with the existing systems. Its focus is on command, control, communications, computers, intelligence, surveillance and reconnaissance.
MODAF: British standard based on DoDAF. Focus: to get data in the right format to the right people as soon as possible.
Choosing the right architecture framework: 1. Find out who the stakeholders are and what information they need from the architecture. 2. The architecture needs to represent the company in the most useful manner to the people who need to understand it best.
Enterprise security architecture (e.g. the SABSA model): A subset of enterprise architecture. The reason for developing it is to align security efforts with business practices in a standardized and cost-effective manner. Besides security, this type of architecture allows the organization to achieve interoperability, integration, ease of use, standardization and governance.
How do you know if an organization does not have an enterprise security architecture? If you get "yes" for most of the following: 1. Does security take place in silos throughout the organization? 2. Is there a continual disconnect between senior management and security staff? 3. Are redundant products purchased for different departments for overlapping needs? 4. Are there stovepipe solutions?
A successful enterprise architecture should have: Strategic alignment (business drivers and regulatory and legal requirements are met); Process enhancement (while rolling out security there is a high chance of improving productivity); Business enablement (security should help the organization thrive by supporting the business); Security effectiveness (deals with metrics, meeting SLAs, ROI, meeting set baselines, and providing management with a dashboard or scorecard).
Enterprise vs. system architecture: Enterprise architecture addresses the systems of an organization; system architecture addresses the structure of software and computers.
Security controls development: Objectives of the controls to be implemented to accomplish the goals of the security program and enterprise architecture. Examples: CoBiT, NIST 800-53.
CoBiT (Control Objectives for Information and related Technology): A framework and set of control objectives developed by ISACA and the IT Governance Institute (ITGI). It defines goals to properly manage IT and to ensure it is aligned to business needs. CoBiT was derived from COSO. CoBiT has four domains: Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate.
NIST 800-53: One of the standards developed by the National Institute of Standards and Technology (NIST) is Special Publication 800-53. It outlines the controls that agencies need to put in place to be compliant with the Federal Information Security Management Act of 2002.
CoBiT vs. SP 800-53: IS auditors in the commercial sector follow CoBiT for their checklist approach to evaluating an organization's compliance with business-oriented regulations. Government auditors use SP 800-53 as their "checklist" approach for ensuring that government agencies are compliant with government-oriented regulations.
COSO (Committee of Sponsoring Organizations): COSO framework components: Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring. CoBiT is IT governance; COSO is corporate governance.
Sarbanes-Oxley Act (SOX) 2002: US federal law that could send executives to jail if it was discovered that their company was submitting fraudulent accounting findings to the Securities and Exchange Commission. For a company to be SOX compliant it has to follow the COSO model. Companies commonly implement the ISO/IEC 27000 standards and CoBiT to help construct and maintain the COSO structure.
Process management development (ITIL, Six Sigma and CMMI): Allows an organization to construct and improve business, IT and security processes in a structured and controlled manner.
ITIL (Information Technology Infrastructure Library): The de facto standard of best practices for IT service management. It focuses more on the internal SLA between the IT department and the "customers" it serves.
Six Sigma: A process improvement methodology, developed by Motorola with the goal of identifying and removing defects from management processes. The maturity of a process is described by its sigma rating, which indicates the percentage of defects the process contains.
Total quality management (TQM): Its goal is to improve process quality by using statistical methods to measure operational efficiency and to reduce variation, defects and waste.
CMMI (Capability Maturity Model Integration): Used in organizations to help lay out a pathway for how incremental improvement can take place. The crux of CMMI is to develop structured steps that can be followed so an organization can evolve from one level to another and constantly improve its processes and security posture. The only way to improve is to know where we are starting from, where we need to go, and the steps we need to take in between.
Blueprint: Lays out the security solutions, processes and components the organization uses to match its business and security needs.
Information security governance flow (house analogy): Description (two-storey house): ISO/IEC 27000. Architecture (foundation, walls): security architecture framework. Blueprints (door and window types). Control objectives (wiring, construction materials).
Information risk management: Process of identifying and assessing risk, reducing it to an acceptable level, and implementing mechanisms to maintain that level.
Risk assessment: A tool for risk management; a method of identifying vulnerabilities and threats and assessing the possible impact to determine where to implement security controls.
Risk analysis goals: Identify assets and their value to the organization; identify vulnerabilities and threats; quantify the probability and impact of these potential threats; provide an economic balance between the impact of the threat and the cost of the countermeasure. Used to ensure security is cost-effective, relevant, timely and responsive to threats.
Loss potential: Value that the company loses when a threat agent exploits a vulnerability.
Delayed loss: May include damage to the company's reputation, loss of market share, etc.
Risk assessment methodologies: 1. NIST SP 800-30, 2. FRAP (Facilitated Risk Analysis Process), 3. OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), 4. AS/NZS 4360, 5. ISO/IEC 27005, 6. CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method)
NIST risk management methodology (SP 800-30): Focuses mainly on computer systems and IT security issues. It does not cover large organizational threat types such as natural disasters, succession planning or environmental issues.
FRAP risk assessment method (Facilitated Risk Analysis Process): Focuses only on the systems that really need assessing, to reduce cost and time obligations. Developed by Thomas Peltier. Does not provide ALE values; criticalities are determined by the team members' experience.
OCTAVE risk assessment method (Operationally Critical Threat, Asset and Vulnerability Evaluation): Created by Carnegie Mellon University's Software Engineering Institute. Relies on the idea that the people working in these environments best understand what is needed and what kind of risk they are facing.
FRAP vs. OCTAVE: FRAP would be used to assess an application or system; OCTAVE would be used to assess all systems, applications and business processes within an organization.
ISO/IEC 27005: International standard for how risk management should be carried out based on an ISMS.
FMEA (Failure Mode and Effect Analysis): A method for determining functions, identifying functional failures, and assessing the causes of failure and their effects through a structured process. It is not useful for discovering complex failure modes that may involve multiple systems or subsystems.
Fault tree analysis: A useful approach for identifying failures that can take place in more complex systems. First, an undesired effect is taken as the root (top event) of the tree logic; then each situation that has the potential to cause that failure is added to the tree. Common failures explored through fault tree analysis: 1. False alarms, 2. Insufficient error handling, 3. Sequencing or order, 4. Incorrect timing of outputs, 5. Valid but not expected outputs
CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method): Not a unique methodology, but it has everything in an automated format (automated tools sold by Siemens). The automated tools contain questionnaires, asset dependency modelling, assessment formulas and compliance reporting.
Risk assessment approaches: 1. Quantitative: used to assign monetary and numeric values to all elements. 2. Qualitative: more opinion- or scenario-based; uses a rating system to relay the criticality of risk levels. Qualitative techniques: judgement, best practice, intuition and experience. Examples of qualitative techniques to gather data: Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-to-one meetings and interviews.
SLE vs. ALE: Equations used in quantitative risk analysis. SLE = Asset value x Exposure factor; ALE = SLE x ARO. SLE = single loss expectancy; ALE = annual loss expectancy; ARO = annualized rate of occurrence.
Uncertainty in risk analysis: Lack of confidence in an estimate. Capturing the degree of uncertainty is important as it helps management decisions.
Delphi technique: Part of qualitative analysis. A group decision method used to ensure that each member gives an honest opinion of what he thinks the result of a particular threat will be.
Cost/benefit analysis: Used in protection mechanisms to check the cost-effectiveness of a control measure. Cost/benefit value of a safeguard = (ALE before safeguard) - (ALE after safeguard) - (safeguard value)
Residual risk: The risk that a company faces if it chooses not to have a safeguard. Total risk = Threat x Vulnerability x Asset value; Residual risk = (Threat x Vulnerability x Asset value) x Control gap; Residual risk = Total risk - Countermeasures
Risk handling: Transfer it, avoid it, reduce/mitigate it, or accept it.
Policy functionality types / policy categories: 1. Regulatory: ensures that the organization is following the standards set by industry regulations. 2. Advisory: strongly advises employees as to which types of behaviors/activities should and should not take place in the organization. 3. Informative: informs employees of certain topics; it is not an enforceable policy but rather teaches individuals about specific issues relevant to the company.
Standards: Refer to mandatory activities, actions or rules.
Baselines: Refer to a point in time that is used for future reference.
Guidelines: Recommended actions and operational guides for users.
Procedures: Step-by-step tasks that should be performed to achieve a certain goal.
Policy: High-level document that outlines senior management's security directives.
Policy types: Organizational, issue-specific and system-specific.
Information classification levels: 1. Top secret, 2. Secret, 3. Confidential, 4. Private, 5. Sensitive, 6. Sensitive but unclassified, 7. Public, 8. Unclassified
Data classification procedures: 1. Define classification levels. 2. Specify the criteria that will determine how data are classified. 3. Identify data owners who will be responsible for classifying data. 4. Identify data custodians who will be responsible for maintaining data and its security level. 5. Indicate the security controls required for each classification. 6. Document any exceptions to the previous classification issues. 7. Indicate the process for transferring custody from the data owner. 8. Procedure for periodic review. 9. Procedure for declassifying data. 10. Integrate into the security awareness program.
Audit committee: Should be appointed by the board of directors to help it review and evaluate the company's internal operations, internal audit system, and the transparency and accuracy of financial reporting, so that the company's investors, customers and creditors have continued confidence.
Data owner: Individual responsible for the protection and classification of a specific data set.
Data custodian: Individual responsible for implementing and maintaining the security controls needed to meet the security requirements outlined by the data owner.
Separation of duties: Preventive administrative control used to ensure one person cannot carry out a critical task alone.
Collusion: Two or more people working together to commit fraud. This is how separation of duties gets circumvented.
Rotation of duties: Detective administrative control that helps find potential fraudulent activities by rotating responsibilities.
Mandatory vacation: Detective administrative control that helps find potential fraudulent activities by sending a person away on leave for a period of time.
Security governance: A framework that allows the security goals of an organization to be set and expressed by senior management, communicated throughout the different levels, grants power to the entities needed to implement and enforce security, and provides a way to verify the performance of security activities.
Metrics: Measurement activities need to provide quantifiable, performance-based data that is repeatable, reliable and produces meaningful results. The ISO 27004:27009 metric system can be followed if certification under ISO 27000 is needed, and NIST 800-55 should be followed by government-oriented organizations.
SABSA (Sherwood Applied Business Security Architecture): What, Why, How, When, Where, Who. Similar to the Zachman Framework. A layered model, with its first layer defining business requirements from a security perspective; each layer decreases in abstraction and increases in detail. SABSA is a framework and a methodology; it provides a lifecycle model so that the architecture can be constantly monitored and improved.
Created by: karthiis4u