2.2 Risk Mitigation Planning, Strategies and Controls

Description

Given a scenario, execute risk mitigation planning, strategies and controls.
Flashcards by DJ Perrone, updated more than 1 year ago
Created by DJ Perrone over 6 years ago

Resource summary

Question Answer
What is the CIA triad (often drawn as a triangle)? - Confidentiality - Integrity - Availability
In reference to the CIA triangle, what is confidentiality? Ensuring data is protected from unauthorized disclosure.
What are some examples of controls that increase confidentiality? - Encryption - Steganography - Access control lists (ACLs)
In reference to the CIA triangle, what is integrity? Ensuring the data has not changed in any way and that the data is accurate and reliable.
What are some examples of controls that increase integrity? - Digital signatures - Checksums - Cryptographic hashes (and HMACs, where the hash itself must be protected from tampering)
In reference to the CIA triangle, what is availability? Ensuring the data is accessible when and where it is needed.
What are some examples of controls that increase availability? - Load balancing - Hot sites - RAID
What is FIPS 199? - Federal Information Processing Standard - Defines standards for security categorization of federal info systems.
In reference to the CIA Tenets, what is a LOW impact for Confidentiality? Unauthorized disclosure will have limited adverse effects on the org.
In reference to the CIA Tenets, what is a MODERATE impact for Confidentiality? Unauthorized disclosure will have serious adverse effects on the org.
In reference to the CIA Tenets, what is a HIGH impact for Confidentiality? Unauthorized disclosure will have severe or catastrophic adverse effects on the org.
In reference to the CIA Tenets, what is a LOW impact for Integrity? Unauthorized modification will have limited adverse effects on the org.
In reference to the CIA Tenets, what is a MODERATE impact for Integrity? Unauthorized modification will have serious adverse effects on the org.
In reference to the CIA Tenets, what is a HIGH impact for Integrity? Unauthorized modification will have severe or catastrophic adverse effects on the org.
In reference to the CIA Tenets, what is a LOW impact for Availability? Unavailability will have limited adverse effects on the org.
In reference to the CIA Tenets, what is a MODERATE impact for Availability? Unavailability will have serious adverse effects on the org.
In reference to the CIA Tenets, what is a HIGH impact for Availability? Unavailability will have severe or catastrophic adverse effects on the org.
What are the 4 common Commercial Business Classifications? - Confidential - Private - Sensitive - Public
When is data exempt from FOIA? - When the data is classified confidential.
What is the information life cycle? The stages data passes through from creation, through use and retention, to destruction, with procedures in place for retention and destruction at each stage.
What are the 7 main categories of access controls? - Compensating (compensative) - Corrective - Detective - Deterrent - Directive - Preventive - Recovery
In reference to access controls, what is the compensating category? What are some examples? - In place to substitute for, or supplement, a primary control that cannot be implemented as intended, as a way to mitigate the remaining risk. - Two signatures before release, two keys to open a box
In reference to access controls, what is the corrective category? What are some examples? - In place to reduce the effect of an attack. Fixes and restores the entity. - Installing fire extinguishers, new firewall rules, restoring to previous server image
In reference to access controls, what is the detective category? What are some examples? - In place to detect an attack while it's occurring to alert personnel. - Examples are motion detectors, IDS, logs, and job rotation. - Useful during an event.
In reference to access controls, what is the deterrent category? What are some examples? - In place to deter or discourage an attacker. - Examples are user ID and authentication, fences and NDAs.
In reference to access controls, what is the directive category? What are some examples? - Specify acceptable practice within an org. - Examples are Acceptable Use Policy (AUP)
In reference to access controls, what is the preventive category? What are some examples? - Prevent an attack from occurring. - Controls are locks, badges, encryption, IPSs, security awareness training.
In reference to access controls, what is the recovery category? What are some examples? - Recovering a system after an attack. Primary goal is restoring resources. - Examples are disaster recovery plans, data backups and offsite facilities.
What are types of access controls? - Administrative (management) - Logical (technical) - Physical
What is an administrative (management) control? Implemented to administer the org's assets and personnel. Includes security policies, procedures, standards and baselines established by management. - Soft controls.
What is a logical (technical) control? Controlling software or hardware to restrict access. Examples are firewalls, IDS, IPS, encryption and auditing and monitoring. - Most technical controls fall into the preventive category.
What is a physical control? Implemented to protect an org's facilities and personnel. Personnel safety takes priority over all other concerns.
What is an SRTM? Security Requirements Traceability Matrix: maps each security requirement to the design, implementation and test artifacts that satisfy it.
In reference to FIPS 199, what is an SC? Security Category: expresses the three tenets with their impact values (low, moderate, high) for an information type or information system.
How do you calculate the SC? SC(Information Type) ={(confidentiality, impact), (integrity, impact), (availability, impact)}
What is another name for the FIPS 199 nomenclature to calculate the SC? Aggregate CIA score
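Added example (not part of the flashcard set or of NIST's own material): the SC notation as code, including the aggregation rule the cards leave implicit. FIPS 199 categorizes an information system by taking, for each tenet, the highest impact over all information types the system handles (the "high water mark"), and FIPS 200 then collapses the triple to a single system impact level. The information types and impact levels below are constructed for illustration.

```python
"""FIPS 199 security categorization with high-water-mark aggregation.
Added illustration; the information types and impact levels are constructed examples."""
from enum import IntEnum
from typing import Dict, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high water mark."""
    NA = 0        # "not applicable": FIPS 199 allows this for confidentiality only (public data)
    LOW = 1       # limited adverse effect
    MODERATE = 2  # serious adverse effect
    HIGH = 3      # severe or catastrophic adverse effect


# SC(information type) = {(confidentiality, impact), (integrity, impact), (availability, impact)}
SecurityCategory = Tuple[Impact, Impact, Impact]


def sc(confidentiality: Impact, integrity: Impact, availability: Impact) -> SecurityCategory:
    """Build one information type's security category, enforcing the FIPS 199 rule that
    'not applicable' may only be assigned to confidentiality."""
    if integrity is Impact.NA or availability is Impact.NA:
        raise ValueError("FIPS 199 permits 'not applicable' only for confidentiality")
    return (confidentiality, integrity, availability)


def system_sc(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Aggregate the categories of every information type a system processes:
    per tenet, the highest impact wins (the FIPS 199 high water mark)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    cats = list(info_types.values())
    return tuple(max(cat[i] for cat in cats) for i in range(3))


def overall_impact(category: SecurityCategory) -> Impact:
    """FIPS 200 reduces the triple to one system impact level: the highest of the three.
    This level selects the SP 800-53 control baseline (low, moderate or high)."""
    return max(category)


def format_sc(label: str, category: SecurityCategory) -> str:
    """Render a category in the FIPS 199 notation used on the cards."""
    c, i, a = category
    return (f"SC {label} = {{(confidentiality, {c.name}), "
            f"(integrity, {i.name}), (availability, {a.name})}}")


# Constructed example: one system serving public web content and holding payment records.
EXAMPLE_SYSTEM = {
    "public web content": sc(Impact.NA, Impact.MODERATE, Impact.LOW),
    "customer payment records": sc(Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    "internal newsletters": sc(Impact.LOW, Impact.LOW, Impact.LOW),
}

if __name__ == "__main__":
    for name, cat in EXAMPLE_SYSTEM.items():
        print(format_sc(name, cat))
    aggregate = system_sc(EXAMPLE_SYSTEM)
    print(format_sc("system", aggregate), "-> overall", overall_impact(aggregate).name)
```

The practical consequence the aggregation shows: one HIGH information type drags the whole system to HIGH for that tenet, so co-locating public content with payment records means the public content inherits the stricter baseline; splitting them into separate systems is often the cheaper design.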
What type of threat actor are the following examples of? Internal actors: - Reckless/untrained employee - Partner - Disgruntled employee - Internal/government spy - Vendor - Thief
What type of threat actor are the following examples of? External actors: - Anarchist - Competitor - Corrupt government official - Data miner - Government cyber warrior - Terrorist
Internal/External actors are divided in to what sub-categories? - Hostile - Non-hostile
What criteria is used to analyze threat actors? - Skill Level - Resources - Limits - Visibility - Objective - Outcome
What tool is used in risk management to identify vulnerabilities and threats? Risk assessment
What are the 4 main goals of risk assessment? - ID assets and asset value - ID vulnerabilities and threats - Calculate threat probability and business impact - Balance threat impact with countermeasure cost.
What does SLE stand for? Single Loss Expectancy
What is SLE? The monetary impact of each threat occurrence. SLE = AV * EF, where AV = Asset Value and EF = Exposure Factor.
What is EF? Exposure Factor: the percentage of an asset's value or functionality that will be lost when a threat occurs (expressed as a fraction between 0 and 1 in the formula).
What does ALE stand for? Annualized Loss Expectancy
What is ALE? The expected monetary loss from a given threat over one year.
What is ARO? Annualized Rate of Occurrence: the estimate of how often a given threat is expected to occur in a year (for example, 0.25 for once every four years).
How do you calculate the ALE? ALE = SLE * ARO
What is payback? Comparing ALE against the expected savings as a result of an investment.
What is NPV? Net Present Value: accounts for the fact that money spent today is worth more than savings realized tomorrow, by discounting future savings back to today's value before subtracting the up-front cost.
How do you calculate the NPV? Divide each year's savings by (1 + discount rate) raised to the power of the year, sum the results, and subtract the initial investment. For example, 2500 of savings in year 1 at a 10% discount rate is worth 2500/(1.1) = 2272.73 today; year 2 savings would be divided by 1.1^2, year 3 by 1.1^3, and so on.
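Added example (not part of the flashcard set): the SLE, ALE, payback and NPV cards above carried through as one cost/benefit calculation for a proposed countermeasure. The asset values, exposure factors, rates and control costs are constructed and hypothetical; the point is the shape of the comparison, which decides whether a control is worth buying.

```python
"""Quantitative risk figures from the cards: SLE, ALE, payback and NPV of a countermeasure.
Added illustration; every number below is constructed, not from any real assessment."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 .. 1.0)
    aro: float              # ARO, expected occurrences per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy: SLE = AV * EF."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy: ALE = SLE * ARO."""
    return sle(s) * s.aro


def annual_savings(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Payback view: yearly benefit of a control = ALE reduction minus its yearly cost.
    A negative result means the control costs more per year than the risk it removes."""
    return ale(before) - ale(after) - annual_cost


def npv(initial_cost: float, yearly_savings: List[float], discount_rate: float) -> float:
    """Net Present Value: discount year n's savings by (1 + r) ** n, sum, subtract the
    up-front cost. Year 1 savings of 2500 at 10% are worth 2500 / 1.1 = 2272.73 today."""
    present_value = sum(saving / (1.0 + discount_rate) ** year
                        for year, saving in enumerate(yearly_savings, start=1))
    return present_value - initial_cost


# Constructed scenario: a customer database facing ransomware (hypothetical figures).
BEFORE = Scenario("ransomware, no offline backups",
                  asset_value=100_000, exposure_factor=0.5, aro=0.2)
# Offline, tested backups shrink the loss per incident (faster restore, less data lost)
# but do nothing to stop incidents, so the ARO is unchanged.
AFTER = Scenario("ransomware, with offline backups",
                 asset_value=100_000, exposure_factor=0.1, aro=0.2)
CONTROL_UPFRONT = 5_000.0   # hypothetical purchase and rollout cost
CONTROL_ANNUAL = 1_500.0    # hypothetical yearly licence and operations cost


def evaluate_control(years: int = 3, discount_rate: float = 0.10) -> dict:
    """Return the figures a risk owner would put in front of management."""
    savings = annual_savings(BEFORE, AFTER, CONTROL_ANNUAL)
    return {
        "sle_before": sle(BEFORE),
        "ale_before": ale(BEFORE),
        "ale_after": ale(AFTER),
        "annual_savings": savings,
        "npv": round(npv(CONTROL_UPFRONT, [savings] * years, discount_rate), 2),
    }


if __name__ == "__main__":
    for key, value in evaluate_control().items():
        print(f"{key:>15}: {value:,.2f}")
```

Two caveats a practitioner should keep in mind: ALE inputs are estimates, so run the calculation with pessimistic and optimistic EF and ARO values rather than one point figure, and a control whose NPV is positive over three years can still be rejected if the up-front cost exceeds the budget cycle it must be paid from.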
What are the 4 strategies for risk reduction? - Avoid - Transfer - Mitigate - Accept
What are the 6 steps of risk management IAW NIST SP 800-30? - Identify the assets and their value - Identify threats - Identify vulnerabilities - Determine likelihood - Identify impact - Determine risk (a function of likelihood and impact, commonly risk = likelihood x impact)
What is residual risk? The risk that remains after countermeasures are applied: residual risk = total risk minus the risk reduced by countermeasures. It is never zero, and whatever remains must be accepted, transferred or avoided.
What is SABSA? Sherwood Applied Business Security Architecture
What are the 6 layers of the SABSA framework matrix? (top to bottom) - Contextual - Conceptual - Logical - Physical - Component - Operational
What are the NIST SP 800-53 control families for the technical class? (The technical/operational/management classes come from Rev 3; Rev 4 and later drop the class grouping.) - Access Control (AC) - Audit and Accountability (AU) - Identification and Authentication (IA) - System and Communications Protection (SC)
What are the NIST SP 800-53 control families for the operational class? - Awareness and Training (AT) - Configuration Management (CM) - Contingency Planning (CP) - Incident Response (IR) - Maintenance (MA) - Media Protection (MP) - Physical and Environmental Protection (PE) - Personnel Security (PS) - System and Information Integrity (SI)
What are the NIST SP 800-53 control families for the management class? - Security Assessment and Authorization (CA) - Planning (PL) - Program Management (PM) - Risk Assessment (RA) - System and Services Acquisition (SA)
What is a BCP? Business Continuity Plan - Lists and prioritizes the services needed for business restoration.
What is defined in NIST Special Publication 800-34 (Rev 1)? The contingency planning process for information systems (the business continuity steps below).
What are the steps listed in SP 800-34 R1 for business continuity? - Develop the contingency planning policy - Conduct a business impact analysis (BIA) - Identify preventive controls - Create recovery strategies - Develop the business continuity plan (BCP) - Test, train and exercise - Maintain the plan
What are the different time frames between strategic plans and tactical plans? Strategic Plans: 3-5 or more years Tactical Plans: 6-18 months
