Information Security Governance and Risk Management
Quiz yourself by thinking what should be in each of the blank spaces below before clicking on it to display the answer.
| Term | Definition | Notes |
|---|---|---|
| Fundamental principles of security | Objectives: Availability, Integrity, Confidentiality. | |
| Availability | Reliable and timely access to data/resources for authorized users. | |
| (hidden) | Assurance of the accuracy and reliability of systems/information and prevention of unauthorized access. | |
| Confidentiality | Ensures the necessary level of secrecy is enforced at each level of data processing and prevents unauthorized disclosure. | |
| Shoulder surfing | Viewing information in an unauthorized manner by looking over someone else's shoulder. | |
| Social engineering | (hidden) | |
| Vulnerability | (hidden) | |
| Threat | Potential danger associated with the exploitation of a vulnerability. | |
| (hidden) | Entity that takes advantage of a vulnerability. | |
| Risk | (hidden) | |
| Exposure | Instance of being exposed to losses. | |
| Control or countermeasure | Safeguard put in place to reduce a risk. | |
| Control types | (hidden) | |
| Functionalities of control types | Preventive: avoid an incident from occurring. Deterrent: discourage a potential attacker. Corrective: fix components after an incident has occurred. Detective: identify incident activity or a potential intruder. Recovery: bring operations back to normal. Compensating: controls that provide an alternative measure. | |
| Defense in depth | Implementation of multiple control types and functionalities so that successful penetration and compromise is difficult to achieve. | |
| Security through obscurity | (hidden) | |
| British Standard 7799 (BS 7799) | Developed in the UK in 1995 and published by the British Standards Institution. Part 1: control objectives and a range of controls to meet those objectives. Part 2: outlines how a security program (ISMS) can be implemented and maintained. | |
| BS 7799 coverage | (hidden) | |
| (hidden) | ISO and IEC worked together on top of BS 7799, launching a global standard as ISO/IEC 27000: an international standard on how to develop and maintain an ISMS. | |
| ISO/IEC 27000 | (hidden) | |
| ISO/IEC 27001 | ISMS requirements. | |
| ISO/IEC 27002 | Code of practice for ISM. | |
| (hidden) | Guideline for ISMS implementation. | |
| ISO/IEC 27004 | Guideline for ISM measurement and metrics framework. | |
| ISO/IEC 27005 | Guideline for IS risk management. | |
| (hidden) | Guidelines for bodies providing audit and certification of ISMS. | |
| ISO/IEC 27011 | (hidden) | |
| (hidden) | Guideline for IT business continuity. | |
| ISO/IEC 27033-1 | Guideline for network security. | |
| ISO/IEC 27799 | Guideline for ISM in the health industry. | |
| (hidden) | Guideline for ISMS auditing. | |
| ISO/IEC 27013 | Guideline for integrated implementation of ISO/IEC 27000-1 and ISO/IEC 27001. | |
| ISO/IEC 27014 | Guideline for IS governance. | |
| ISO/IEC 27015 | (hidden) | |
| ISO 27000 series methods | Follows the Plan-Do-Check-Act cycle. Plan: establish objectives and make plans. Do: implement the plan. Check: measure results against objectives. Act: correct and improve to better achieve success. | |
| (hidden) | 1. Zachman. 2. TOGAF (The Open Group Architecture Framework). Military-oriented architecture frameworks: 3. DoDAF (Department of Defense Architecture Framework). 4. MODAF (Ministry of Defence Architecture Framework). | |
| (hidden) | Created by John Zachman in the 1980s; based on classical business architecture, which contains rules that govern an ordered set of people. | |
| (hidden) | It is two-dimensional and holds six basic communication elements (What, How, Where, Who, When and Why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer and Worker). The goal is to look at the same organization from different views. | |
| TOGAF | Originated from the US DoD framework. Design, implement and govern. TOGAF is a framework that can be used to develop Business Architecture, Data Architecture, Application Architecture and Technology Architecture. TOGAF is used to create individual architectures through the use of the Architecture Development Method (ADM). | |
| DoDAF | (hidden) | |
| MODAF | British standard based on DoDAF. Focus: get data in the right format to the right people as soon as possible. | |
| Choosing the right architecture framework | 1. Find out who the stakeholders are and what information they need from the architecture. 2. The architecture needs to represent the company in the most useful manner to the people who need to understand it best. | |
| Enterprise security architecture (e.g. SABSA model) | Subset of enterprise architecture. Developed to align security efforts with business practices in a standardized and cost-effective manner. Besides security, this type of architecture allows an organization to achieve interoperability, integration, ease of use, standardization and governance. | |
| How do you know if an organization doesn't have an enterprise security architecture? | (hidden) | |
| What should a successful enterprise architecture have? | (hidden) | Security effectiveness: deals with metrics, meeting SLAs, ROI, meeting set baselines and providing management with a dashboard or scorecard. |
| (hidden) | Enterprise architecture addresses the system of an organization; system architecture addresses the structure of software and computers. | |
| Security controls development | Objectives of the controls to be implemented to accomplish the goals of the security program and enterprise architecture. | |
| CoBiT (Control Objectives for Information and related Technology) | (hidden) | CoBiT was derived from COSO. CoBiT has four domains: Plan and Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate. |
| NIST 800-53 (National Institute of Standards and Technology) | (hidden) | |
| CoBiT vs SP 800-53 | IS auditors in the commercial sector follow CoBiT for their checklist approach to evaluate an organization's compliance with business-oriented regulations. | |
| COSO (Committee of Sponsoring Organizations) | (hidden) | CoBiT: IT governance. COSO: corporate governance. |
| Sarbanes-Oxley Act (SOX) 2002 | (hidden) | For a company to be SOX compliant it has to follow the COSO model. Companies commonly implement ISO/IEC 27000 standards and CoBiT to help construct and maintain the COSO structure. |
| Process management development | ITIL, Six Sigma and CMMI. They allow an organization to construct and improve business, IT and security processes in a structured and controlled manner. | |
| ITIL | (hidden) | It focuses more on internal SLAs between the IT department and the "customers" it serves. |
| Six Sigma | A process improvement methodology. Developed by Motorola with the goal of identifying and removing defects from management processes. The maturity of a process is described by its sigma rating, which indicates the percentage of defects the process contains. | |
| (hidden) | Its goal is to improve process quality by using statistical methods to measure operational efficiency and reduce variation, defects and waste. | |
| (hidden) | Used in organizations to help lay out a pathway for how incremental improvement can take place. The crux of CMMI is to develop structured steps that can be followed so an organization can evolve from one level to another and constantly improve its processes and security posture. | The only way we can improve is to know where we are starting from, where we need to go, and the steps we need to take in between. |
| Blueprint | Lays out the security solutions, processes and components the organization uses to match its business and security needs. | |
| Information security governance flow | (hidden) | |
| Information risk management | Process of identifying and assessing risk, reducing it to an acceptable level and implementing mechanisms to maintain that level. | |
| (hidden) | A tool for risk management; a method of identifying vulnerabilities and threats and assessing the possible impact to determine where to implement security controls. | |
| (hidden) | Goals: identify assets and their value to the organization; identify vulnerabilities and threats; quantify the probability and impact of these potential threats; provide an economic balance between the impact of the threat and the cost of the countermeasure. | Used to ensure security is cost-effective, relevant, timely and responsive to threats. |
| (hidden) | Value that the company loses when a threat agent exploits a vulnerability. | |
| Delayed loss | (hidden) | |
| Risk assessment methodologies | 1. NIST SP 800-30. 2. FRAP (Facilitated Risk Analysis Process). 3. OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation). 4. AS/NZS 4360. 5. ISO/IEC 27005. 6. CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method). | |
| NIST risk management methodology | (hidden) | |
| FRAP | Risk assessment method: Facilitated Risk Analysis Process. It focuses only on the systems that really need assessing, to reduce cost and time obligations. | |
| OCTAVE | (hidden) | Relies on the idea that the people working in these environments best understand what is needed and what kind of risk they are facing. |
| FRAP vs OCTAVE | (hidden) | |
| (hidden) | International standard for how risk management should be carried out based on an ISMS. | |
| FMEA | (hidden) | It is not useful in discovering complex failure modes that may involve multiple systems or subsystems. |
| Fault tree analysis | Useful approach for identifying failures that can take place in more complex systems. First, an undesired effect is taken as the root or top event of the tree logic. Then each situation that has the potential to cause that failure is added to the tree. | |
| CRAMM (Central Computing and Telecommunications Agency Risk Analysis and Management Method) | (hidden) | Automated tools contain questionnaires, asset dependency modelling, assessment formulas and compliance reporting. |
| Risk assessment approaches | (hidden) | Qualitative techniques: judgement, best practice, intuition and experience. Example qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-to-one meetings and interviews. |
| SLE vs ALE | (hidden) | SLE: single loss expectancy. ALE: annual loss expectancy. ARO: annualized rate of occurrence. |
| (hidden) | Lack of confidence in an estimate. Capturing the degree of uncertainty is important as it helps management decisions. | |
| Delphi technique | Part of qualitative analysis. A group decision method used to ensure that each member gives an honest opinion of what he thinks the result of a particular threat will be. | |
| (hidden) | Used in protection mechanisms to check the cost-effectiveness of a control measure. | Cost/benefit: Value of safeguard = (ALE before safeguard) - (ALE after safeguard) - (safeguard value). |
| (hidden) | The risk that a company faces if it chooses not to have a safeguard. | Total risk = threat x vulnerability x asset value. Residual risk = (threat x vulnerability x asset value) x control gap. Residual risk = total risk - countermeasures. |
| Risk handling | (hidden) | |
| (hidden) | 1. Regulatory: this type of policy ensures that the organization is following standards set by industry regulations. 2. Advisory: this type of policy strongly advises employees as to which types of behaviors/activities should and shouldn't take place in an organization. | 3. Informative: this type of policy informs employees about certain topics. It is not an enforceable policy; rather it teaches individuals about specific issues relevant to the company. |
| (hidden) | Refers to mandatory activities, actions or rules. | |
| Baselines | Refers to a point in time that is used for future reference. | |
| Guidelines | Recommended actions and operational guides for users. | |
| Procedures | Step-by-step tasks that should be performed to achieve a certain goal. | |
| Policy | (hidden) | |
| Policy types | (hidden) | |
| Information classification levels | 1. Top secret, 2. Secret, 3. Confidential, 4. Private, 5. Sensitive, 6. Sensitive but unclassified, 7. Public, 8. Unclassified. | |
| Data classification procedures | 1. Define classification levels. 2. Specify the criteria that will determine how data are classified. 3. Identify data owners who will be responsible for classifying data. 4. Identify data custodians who will be responsible for maintaining data and its security level. | |
| (hidden) | Should be appointed by the board of directors to help it review and evaluate the company's internal operations, internal audit system and the transparency and accuracy of financial reporting, so the company's investors, customers and creditors have continued confidence. | |
| Data owner | Individual responsible for the protection and classification of a specific data set. | |
| Data custodian | (hidden) | |
| Separation of duties | Preventive administrative control used to ensure one person cannot carry out a critical task alone. | |
| (hidden) | Two or more people working together to commit fraud; this is the risk that separation of duties addresses. | |
| Rotation of duties | (hidden) | |
| Mandatory vacation | Detective administrative control that helps find potential fraudulent activities by sending a person away on leave for a period of time. | |
| (hidden) | A framework that allows the security goals of an organization to be set and expressed by senior management, communicated throughout the different levels, grants power to the entities needed to implement and enforce security, and provides a way to verify the performance of security activities. | |
| (hidden) | Measurement activities need to provide quantifiable, performance-based data that is repeatable, reliable and produces meaningful results. | The ISO 27004:27009 metric system can be followed if certification under ISO 27000 is needed, and NIST 800-55 should be followed by government-oriented companies. |
| SABSA (What, Why, How, When, Where, Who) | Sherwood Applied Business Security Architecture. Similar to the Zachman framework. It is a layered model, with its first layer defining business requirements from a security perspective. Each layer decreases in abstraction and increases in detail. | |
Created by: karthiis4u