D1 security and risk management v1.62
1.
2. The “Security and Risk Management” domain of the Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK) addresses the following main topics:
The frameworks and policies, concepts, principles, structures, and standards used to establish criteria for the protection of information assets
Assess the effectiveness of that protection.
Understand issues of governance, organizational behavior.
Create security awareness education and training plans.
Domain Introduction
3. Understand and apply concepts of confidentiality, integrity, and availability.
Apply security governance principles
Compliance
Understand Legal and Regulatory issues pertaining to Information Security in a global context
Understand Professional Ethics
Develop and Implement Security Policy Standards Procedures and Baselines
Understand Business Continuity Requirements
Contribute to Personnel Security Policies
4. Key Area
A Understand and apply concepts of confidentiality, integrity, and availability.
B Apply security governance principles
C Compliance
D Understand Legal and Regulatory issues pertaining to Information Security in a global context
E Understand Professional Ethics
F Develop and Implement Security Policy Standards Procedures and Baselines
G Understand Business Continuity Requirements
H Contribute to Personnel Security Policies
I Understand and apply Risk Management Concepts
J Understand and apply Threat Modelling
K Integrate Security-Risk considerations into Acquisitions Practice
L Establish and Manage Information Security Awareness, Education and Training
Domain Objectives
5. There are several main objectives of a security program, but the main three principles in all programs are confidentiality, integrity, and availability.
These are referred to as the CIA Triad.
The level of security required to accomplish these principles differs per company, because each has its own unique combination of business and security goals and requirements.
All security controls, mechanisms, and safeguards are implemented to provide one or more of these principles.
All risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the CIA principles.
The CIA Triad
6. Confidentiality: Ensures that information is not compromised or shared amongst unauthorized participants.
• While data is at rest
On servers, mail boxes, client machines
• While data is in transit
Local area network traffic
Wide area network traffic
Confidentiality
7. Integrity: Ensures that data is not damaged or modified while either in transit or storage.
Protects against both malicious intentional damage and accidental damage by authorized users
Ensures data is consistent and is a true reflection of real information
Integrity
8. Availability: Ensures that information is always available at the time authorized users need it.
Availability controls protect against
Accidental loss – Poor backup procedures
Natural Disasters – Fires, Floods, hurricanes.
Deliberate loss – Hacker action
Availability
10. Information security management practices protect the assets of the organization.
Controls are used to protect vulnerabilities from threats and so reduce risk through the implementation of…
Administrative, Technical/logical, Physical controls
Information assets must be managed to reduce the risk of loss to Confidentiality, Availability and Integrity
Failure to protect the organization from Loss, Destruction or unexpected alteration can seriously impact business viability, resulting in losses of Finance, operational productivity and reputation.
Understand and Align the security function
11. In a business the risk posture is a changing, shifting entity which needs to be tracked for significant changes to exposure during major transformational activities in the modern organization.
The security professional needs to understand the nature and activities of the business in which he/she is operating.
The next slide outlines some common organizational activities which the security professional should understand and interface with in order to provide full value to the business.
Organizational Processes
12. When organizations combine for whatever reason, either friendly or hostile, the security professional must be aware of the following points:
There will be additional data types needing protection
New staff and roles will need incorporating into the awareness program
Disgruntled employees may arise from redundancy programs caused by the take-over
Merging systems may create vulnerabilities
External business partners need review and assessment of security controls around their data
Acquisitions and Mergers
13. This is the selling off of all or part of an organization.
Understandably a tense time for existing staff.
Of particular concern should be…
Data loss and leakage from departing staff
New threats from discharged employees
Need to revise and refresh policies, standards, procedures and guidelines.
System interconnections changing.
Unused service ports no longer needing to be open on firewalls
Divestitures and Spinoffs
14. The modern business organization is subjected to both Legal and Industry specific regulation.
These regulatory bodies can have a large impact on the operational capability of the business in the marketplace.
To ensure compliance with these regulatory requirements most businesses will employ a governance committee.
These are responsible for the staffing and running of an organizational governance board.
It is important that the infosec professional interfaces with the governance committee in order to..
Inform the board of the importance of Information Security and Risk management
Ensure that the security function is informed of changing business activities which could impact the security vulnerability of the organisation.
Governance committees
15. End User
Executive management
Security Officer / Infosec Professional
Data/Info/Business owners
Data/Info Custodian
Info systems Auditors
Business continuity planner
Infosys/Info Tech Professionals
Security administrator
Network/systems administrator
Security Roles and Responsibilities
16. ROLE – DESCRIPTION
Senior Manager – Ultimately responsible for security
Info Sec officer – Functionally responsible for security
Owner – Determines data classification
Custodian – Preserves CIA for the data
User/Operator – Performs in accordance with policies. AUP = Acceptable Use Policy
Auditor – Identifies gap between policy and reality
Key Information Management Roles and Responsibilities
17. Information security is an enormous task when viewed from a starting point.
It makes common sense to leverage industry recommended methods to create a structured Information Security Management System (ISMS).
Choosing an established framework…
Enables effective governance
Helps align infosec with business goals
Standard process and approach
Enable structured audit and assessment
Comply with external requirements
Why use a Control Framework
18. ISO 27001 / 27002
COBIT
NIST SP 800
ITIL
Some well known frameworks
19. • Information Security Framework
• Requirements and guidelines for development of an ISMS (Information Security Management System)
• Risk Management is a key component of ISMS
• Part of ISO 27000 Series of security standards
ISO 27001/27002
21. ISO 27002 Security Control Domains
Risk Assessment and Treatment
Security Policy
Organizing Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development and
Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
ISO 27002 – Security Control Domains
22. COBIT Guidelines:
Have been around since mid 1990s
Are considered de facto standard for auditors today
Consists of Six components:
1. Executive summary
2. Framework
3. Control objective
4. Control practices
5. Management guidelines
6. Audit guidelines
Control Objectives for Information and related Technology
23. ITIL the IT Infrastructure Library
34 books published by British Government between 1989 and 1992 to improve IT service management
Creates a framework for best practices of IT core operational processes
Includes Change, release and configuration management
IT Financial Management
Perhaps ITIL’s main contribution is showing how controls can be implemented for IT service management processes
ITIL
24. NIST Special Publication 800-53 is part of the Special Publication 800-
series that reports on the Information Technology Laboratory’s (ITL)
research, guidelines, and outreach efforts in information system
security, and on ITL’s activity with industry, government, and academic
organizations.
NIST Special Publication 800-53 covers the steps in the Risk
Management Framework that address security control selection for
federal information systems in accordance with the security
requirements in Federal Information Processing Standard (FIPS) 200.
This includes selecting an initial set of baseline security controls based
on a FIPS 199 worst-case impact analysis, tailoring the baseline
security controls, and supplementing the security controls based on an
organizational assessment of risk.[3]
NIST SP 800 53
25. The security rules cover 17 areas including access control, incident response, business continuity, and disaster recoverability.
A key part of the certification and accreditation process for federal information systems is selecting and implementing a subset of the controls (safeguards) from the Security Control Catalog (NIST 800-53, Appendix F). NIST provides guidance for this Scoping and Tailoring.
These controls are the management, operational, and technical safeguards (or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
NIST Security Control Catalog
26. Framework – Strengths – Focus
COBIT – Strong mappings; Support of ISACA; Availability – IT Governance; Audit
ISO 27001/27002 – Global Acceptance; Certification – Information Security Management System
ITIL – IT Service Management; Certification – IT Service Management
NIST 800-53 – Detailed, granular; Tiered controls; Free Guidance – Customised Control Framework
Frameworks Compared
27. Due diligence is similar to due care except that it is care taken before an event
A pre-emptive measure
Avoid harm to a person or property
Due diligence supports and enables Due Care
Examples are
Background Checks
Credit card checks on business partners
Penetration testing firewalls
Due Diligence is “KNOWING WHAT IS RIGHT”
Due diligence (Knowing what is right)
28. • Due care is an important topic to understand.
• It is a legal term used to describe the care a “reasonable person” would take in a certain circumstance
• It defines an organization’s or a person’s legal duty
• Lack of due care is often considered negligence
• Background checks of employees; Credit checks of business partners; Information system security assessments; Risk assessments of physical security systems; Penetration tests of firewalls; Contingency testing of backup systems; Threat intelligence services
• Due Care is “DOING THE RIGHT THING”
Due Care (Doing the right thing)
30. Organizations operate in strictly regulated environments
Legal and regulatory bodies demand compliance.
Laws and regulations such as these must inform the Risk and Governance management of the organization
There will be specific sets of actions to be met to achieve compliance
Best addressed through the organization’s Security Policy, Standards, Guidelines, Procedures and baselines
Legislative and Regulatory Compliance
31. • Privacy laws present particular challenges to organisations
• Many high profile breaches of privacy hit the press
• Indiscreet emailing is not illegal and does not remove a right to privacy
• The European Data Protection Directive allows for processing of personal data under specific circumstances…
• When processing is necessary for legal action
• When processing is required to protect the life of the subject
• When the subject has provided personal consent
• When the processing comes under the scope of “the public interest”
Privacy requirements
33. Intellectual property is that which results from intellectual, creative processes of one’s mind.
Forms of intellectual property include:
Trademarks and service marks
Patents
Copyrights
Trade secrets
What Is Intellectual Property? (IP)
34. Definition:
A trademark is a distinctive mark, motto, device, or
implement that a manufacturer stamps, prints, or otherwise
affixes to the goods it produces so that they may be
identified in the market and their origins made known.
Trademark Infringement:
Trademark infringement occurs when one uses the
protected trademark, service mark, or trade name of
another without permission when marketing goods or
services.
Trademarks
35. Definition:
A grant from the government that gives an inventor the
exclusive right to make, use, and sell an invention for a
specified period.
Patent infringement:
Occurs when one uses or sells another’s patented design,
product, or process without the patent owner’s permission.
Patents
36. Definition:
An intangible property right granted by law to the author or originator of a literary or artistic production of specified types.
Copyright Infringement
Occurs whenever the form or expression of an idea is copied without the permission of the copyright holder.
Copyright
37. Definition:
Any formula, pattern, device, or compilation of information that gives a business an advantage over competitors who do not know the information or processes.
Duration of Protection:
In most jurisdictions indefinitely, as long as the party adequately protects his or her trade secrets from disclosures.
Trade Secret
38. International protection for intellectual property exists under various international agreements, including:
Berne Convention (1886) - every country that has signed the convention must recognize copyrights granted to authors in all others.
TRIPS (Trade-Related Aspects of Intellectual Property Rights) Agreement - An International agreement administered by the World Trade Organization (WTO) that sets down minimum standards for many forms of intellectual property (IP) regulation as applied to nationals of other WTO Members
International Protection for IP
39. DRM is a set of access controls
Digital rights management (DRM) is a class of technologies that are used by hardware manufacturers, publishers, copyright holders, and individuals with the intent to control the use of digital content and devices after purchase.
First generation DRM intention was to control copying
Second generation intention was to control executing, viewing or copying of works or devices
Digital Rights Management DRM
40. Depending on the initial location and destination of sale, the sale and distribution of some software products may be either illegal or closely controlled
The Wassenaar arrangement, for example, places controls on the distribution and dissemination of dual use goods and technologies
This definition includes cryptographic products
May be only exported to some countries with reduced capabilities ie shorter key strength
Import Export controls
41. There is a concern about the flow of data through internationally located servers.
Different countries have differing policies with regards to ownership and access to data
Information Security professionals must acquaint themselves with the routing taken by the corporate data flow
Depending on the country through which the data flows, Jurisdiction and rights to privacy may become at risk
Trans Border Data Flow
42. Every individual has an expectation of privacy.
Varies by Culture and Nation.
Danger point is monitoring individual’s activities.
In most instances communication about the organization’s
privacy policies is key to ensuring privacy related
complaints are minimized.
Many organizations place conspicuous signs that state
CCTV or other types of monitoring are being conducted in
an area.
Ensure all such monitoring is done within the laws of the
local jurisdiction.
Clear with legal team.
Privacy
43. In the modern connected internet age there is an increasing
concern about personal privacy.
Identity theft
Shopping/browsing patterns
There is an obligation to protect a citizen’s personal information
No single international law
Makes this a minefield
Privacy is the rights and obligations of individuals and organizations with regards to the collection, use, retention and disclosure of personal information.
What is personal information ?
Information about or on an individual…definition varies.
The best practice available is the OECD guidelines…
Privacy
44. Collection Limitation Principle
There should be limits to the collection of personal data and any such data
should be obtained by lawful and fair means and, where appropriate, with
the knowledge or consent of the data subject.
Data Quality Principle
Personal data should be relevant to the purposes for which they are to be
used, and, to the extent necessary for those purposes, should be accurate,
complete and kept up-to-date.
Purpose Specification Principle
The purposes for which personal data are collected should be specified not
later than at the time of data collection and the subsequent use limited to
the fulfilment of those purposes or such others as are not incompatible with
those purposes and as are specified on each occasion of change of
purpose.
Organization for Economic Cooperation and
Development 8 Privacy Guidelines
45. OECD Guidelines continued...
Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used
for purposes other than those specified in accordance with Paragraph 9
except:
a) with the consent of the data subject; or
b) by the authority of law.
Security Safeguards Principle
Personal data should be protected by reasonable security safeguards
against such risks as loss or unauthorised access, destruction, use,
modification or disclosure of data.
Openness Principle
There should be a general policy of openness about developments,
practices and policies with respect to personal data. Means should be
readily available of establishing the existence and nature of personal data,
and the main purposes of their use, as well as the identity and usual
residence of the data controller.
46. OECD Guidelines continued
Individual Participation Principle
An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or
not the data controller has data relating to him;
b) to have communicated to him, data relating to him
i) within a reasonable time;
ii) at a charge, if any, that is not excessive;
iii) in a reasonable manner; and
iv) in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b)
is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful to
have the data erased, rectified, completed or amended.
Accountability Principle
A data controller should be accountable for complying with measures which
give effect to the principles stated above.
47. Problem – the root cause issue that gives rise to successive incidents
Example: Lack of adequate virus checker.
Incident – A security event that compromises the integrity, confidentiality, or availability of an information asset.
Example: Virus infection
Breach – An incident that results in the disclosure or potential exposure of data.
Data Disclosure – A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party.
Data Breach Terminology
49. ISC2 code of ethics – the mandatory canons:
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
ISC2 Code of Ethics
50. Ethics and the Internet RFC 1087
Defines the following as unethical:
Seeking unauthorized access to Internet resources
Destroying integrity of information
Disrupting Internet use
Wasting resources
Compromising privacy of users
Practicing negligence in Internet experiments
Internet Architecture Board
53. Security policy − general statement:
Produced by senior management
Dictates what role security plays within an organization
Organizational: Laws, Regulations, Liabilities
Issue-specific
System-specific
Strategic Goals and Security Policy
54. Regulatory Policies
Ensure that the organization is following the standards set by a specific industry or law.
Advisory Policies
Strongly suggest certain types of behavior and activities.
Informative
Inform about some topics; not an enforceable policy, but its intention is educational.
3 Security Policy Categories
55. Organizational security policy - provides scope and direction for all future security activities within the organization and
States the amount of risk the senior management is willing to accept. (Risk Appetite)
Defines how the security program will be set up and the goals of the program.
Assigns responsibilities.
Declares the strategic and tactical value of security.
Describes how enforcement should be carried out.
Organizational Security Policy
56. System policies include policy for:
Computing systems
Networks,
Applications
Data.
an approved software list.
how to configure firewalls.
how databases have to be protected.
System-specific policy
57. Standards refer to mandatory activities, actions, rules, or
regulations.
Standards can give a policy its support and reinforcement in
direction.
Standards could be internal, or externally mandated (government
laws and regulations).
Organizational security standards may specify how hardware and
software products are to be used.
They can also be used to indicate expected user behavior.
They provide a means to ensure that specific technology, applications, parameters, and procedures are implemented in a uniform manner across the organization.
Standards
58. Provide definitions for the minimum security level necessary throughout the organization,
Example
All workstations configured to C2 level access control
See ITSEC Orange Book for C2.
Baselines
59. Procedures
Tasks detailed step by step to achieve a certain goal.
Procedures spell out how the policy, standards, and
guidelines will actually be implemented.
Guidelines
Recommended actions and operations to the staff and
users when a specific standard doesn't apply.
Guidelines are flexible.
Guidelines and Procedures
61. Business continuity planning and Disaster Recovery Planning are split across two domains of the CBK:
Security and Risk management
Security Operations.
I have decided to give a brief but essential introduction to the three main outputs of the Business Impact Assessment (BIA) here.
We will do a more detailed coverage of the entire Business Continuity and Disaster Recovery Planning processes in the Security Operations Domain.
The Business Impact Analysis
62. The first step in building the Business Continuity (BC)
program is project initiation and management.
During this phase, the following activities will occur:
Obtain senior management support to go forward with the project
Define a project scope, the objectives to be achieved, and the
planning assumptions
Estimate the project resources needed to be successful, both
human resources and financial resources
Define a timeline and major deliverables of the project
In this phase, the program will be managed like a project, and a project manager should be assigned to coordinate the team’s activities.
Project Initiation and Management
63. Before the project can start, it must have committed senior
management support.
Without that support, the project will fail.
To convince leadership that the organization needs to build an enterprise-wide Business Continuity (BC) Plan and Disaster Recovery (DR) Plan, the planner needs to help them understand the risk they are accepting by not having one and the potential cost to the organization if a disaster were to occur.
The risks to the organization are found in three areas:
Financial (how much money the organization stands to lose),
Reputational (how negatively the organization will be
perceived by its customers and its shareholders),
Regulatory (fines or penalties incurred, lawsuits filed against
them).
Senior Leadership Support
64. The next step in the planning process is to have the planning team perform a BIA.
The BIA will help the company decide what needs to be recovered, and how quickly.
To help determine the appropriate prioritization, Mission functions are typically designated with terms such as:-
Critical,
Essential,
Supporting, and
Nonessential
Conducting the Business Impact Analysis (BIA)
65. Organizations do not hire staff to perform nonessential
tasks.
Every function has a purpose, but some are more time
sensitive than others.
A bank that has suffered a building fire could easily stop its
marketing campaign but would not be able to stop check
processing and deposits made by its customers. The
organization needs to look at every function in this same
light.
How long can the company not perform this function without causing significant financial losses, significant customer unhappiness or losses, or significant penalties or fines from regulators or lawsuits?
Identify and Prioritize Critical Organization Functions
66. All organizational functions and the technology that
supports them need to be classified based on their
recovery priority.
Recovery time frames for organizational operations are
driven by the consequences of not performing the function.
The consequences may be the result of contractual
commitments not met resulting in fines or lawsuits, lost
goodwill with customers, etc.
The planner will need to define for the planning team what
a low, medium, or high impact is in that organization in
each of the impact areas, as well as the time before impact
is realized.
Estimate Recovery Time Frames
67. All applications need to be classified as to their time sensitivity for recovery, even if those applications do not support organization functions that are time sensitive.
For applications, this is commonly referred to as Recovery Time Objective (RTO) or Maximum Tolerable Downtime (MTD).
This is the amount of time the organization can function without that application before significant impact occurs.
Determine Maximum Tolerable Downtime
68. That is the end of our brief introduction to the BIA
We will complete a more thorough examination of BCP and DR processes in the Security Operations Domain
Remember for now the three main outputs of a BIA are useful for many other processes across the day to day business operations.
Those three outputs are :-
Criticality Prioritization
Maximum Estimated Downtime
Essential resource requirements to support the critical business functions identified in the criticality Prioritization.
BIA Benefits
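A worked example, added here and not part of the slide deck, of how the three BIA outputs named above can be derived from the planner's impact-over-time estimates. Each business function records the hours of outage before the impact becomes "high" in the three impact areas the Senior Leadership Support slide names (financial, reputational, regulatory); the MTD is the earliest of those, the criticality tier follows from hour boundaries assumed here (the deck names the tiers but gives no numbers), and the essential resources of the Critical and Essential functions are collected. Function names, hours and resources are constructed sample values following the bank example on the slides.

```python
"""Worked BIA prioritisation: derive Maximum Tolerable Downtime (MTD) and a
criticality tier for each business function, order recovery, and collect the
essential resources the critical functions need.

Added illustration, not from the slide deck. All functions, hours and tier
boundaries below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three impact areas the deck names under Senior Leadership Support.
IMPACT_AREAS = ("financial", "reputational", "regulatory")

# Assumed tier boundaries in hours (the deck names the tiers but gives no
# numbers): MTD <= 4h is Critical, <= 24h Essential, <= 72h Supporting.
TIER_LIMITS: List[Tuple[float, str]] = [(4, "Critical"), (24, "Essential"), (72, "Supporting")]


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    # Hours of outage before the impact in each area becomes "high";
    # None means the planner expects the impact never to reach "high".
    hours_to_high_impact: Dict[str, Optional[float]]
    # Essential resources the function depends on (the third BIA output).
    resources: Tuple[str, ...]


def maximum_tolerable_downtime(fn: BusinessFunction) -> Optional[float]:
    """MTD is the earliest hour at which any impact area reaches 'high'."""
    for area in fn.hours_to_high_impact:
        if area not in IMPACT_AREAS:
            raise ValueError(f"unknown impact area {area!r} for {fn.name}")
    hours = [h for h in fn.hours_to_high_impact.values() if h is not None]
    return min(hours) if hours else None


def criticality_tier(mtd: Optional[float]) -> str:
    """Map an MTD to the deck's tiers: Critical, Essential, Supporting, Nonessential."""
    if mtd is None:
        return "Nonessential"
    for limit, tier in TIER_LIMITS:
        if mtd <= limit:
            return tier
    return "Nonessential"


def prioritise(functions: List[BusinessFunction]) -> List[Tuple[str, str, Optional[float]]]:
    """Recovery order (criticality prioritization): shortest MTD first,
    functions with no MTD last, ties broken by name."""
    rows = []
    for fn in functions:
        mtd = maximum_tolerable_downtime(fn)
        rows.append((fn.name, criticality_tier(mtd), mtd))
    rows.sort(key=lambda r: (r[2] is None, r[2] if r[2] is not None else 0, r[0]))
    return rows


def resource_requirements(functions: List[BusinessFunction],
                          tiers: Tuple[str, ...] = ("Critical", "Essential")) -> List[str]:
    """Essential resources needed to run every function in the given tiers."""
    needed = set()
    for fn in functions:
        if criticality_tier(maximum_tolerable_downtime(fn)) in tiers:
            needed.update(fn.resources)
    return sorted(needed)


# Constructed sample input, following the bank example on the slides.
SAMPLE_FUNCTIONS = [
    BusinessFunction("Check processing",
                     {"financial": 2, "reputational": 8, "regulatory": 24},
                     ("core banking system", "check imaging", "operations staff")),
    BusinessFunction("Customer deposits",
                     {"financial": 4, "reputational": 2, "regulatory": 12},
                     ("core banking system", "branch network", "operations staff")),
    BusinessFunction("Payroll",
                     {"financial": 48, "reputational": 24, "regulatory": 72},
                     ("HR system", "bank payment gateway")),
    BusinessFunction("Internal reporting",
                     {"financial": None, "reputational": None, "regulatory": 72},
                     ("data warehouse",)),
    BusinessFunction("Marketing campaign",
                     {"financial": None, "reputational": None, "regulatory": None},
                     ("content management system",)),
]

if __name__ == "__main__":
    for name, tier, mtd in prioritise(SAMPLE_FUNCTIONS):
        print(f"{name:20} {tier:12} MTD={'n/a' if mtd is None else f'{mtd}h'}")
    print("Resources for Critical/Essential functions:",
          resource_requirements(SAMPLE_FUNCTIONS))
```

The point of the structure is that the MTD is driven by whichever impact area bites first, not by the function's average importance: customer deposits become critical through reputational impact long before the financial loss is felt, which is the same reasoning the fire-at-the-bank example on the earlier slide applies informally.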
70. The main effort here is the work of HR.
The important aspect for security is to identify those with unsuitable past actions who
may be applying for sensitive positions.
Job descriptions should be well written and provide the basis for further conversation
with the candidate at interview.
Role Based Access Control (RBAC) can simplify and improve the allocation of access to
new employees.
Employment candidates
71. Usually signed by the employee on the first day of employment.
Purpose: to protect the organization while the individual is employed.
Examples:
Non Disclosure Agreements
Acceptable Use Policy
Code of Conduct
Employment Agreements and policies
72. Two types of termination occur.
Friendly
Use a standard set of procedures from the HR department.
Cover exit interviews, return of keys, closure of accounts, removal of access rights etc.
The exit interview should include a conversation about the continued responsibility for
confidentiality of company information.
Unfriendly
Needs to be handled carefully.
Individual cases require different techniques.
Beware of malicious actions.
Employment termination process
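As an added example (not from the Global Knowledge slides), the joiner and leaver steps above expressed as a small role-based access control model in Python: access is derived from roles at onboarding, the termination step disables the account and revokes every grant in one operation, and a reconciliation check finds the access an incomplete HR procedure leaves behind. The role names, permissions, users and the Directory class are constructed for illustration.

```python
"""Added example (not from the Global Knowledge slides): a minimal RBAC
model for the joiner and leaver processes. Roles, permissions and users
are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed role definitions: a role maps to the permissions it needs.
ROLES = {
    "finance_clerk": {"erp:read", "erp:post_journal"},
    "helpdesk": {"ad:reset_password", "ticketing:write"},
    "contractor_dba": {"db:admin"},
}


@dataclass
class Directory:
    """Toy identity store: who is active, which roles they hold, what they can do."""
    roles: dict = field(default_factory=dict)   # user -> set of role names
    grants: dict = field(default_factory=dict)  # user -> set of permissions
    active: set = field(default_factory=set)

    def onboard(self, user, role_names):
        """Joiner: access is derived from roles, never granted ad hoc."""
        unknown = set(role_names) - set(ROLES)
        if unknown:
            raise ValueError(f"unknown roles {sorted(unknown)}")
        self.active.add(user)
        self.roles[user] = set(role_names)
        self.grants[user] = set().union(*(ROLES[r] for r in role_names))
        return self.grants[user]

    def terminate(self, user):
        """Leaver: disable the account and revoke every grant in one step,
        so 'closure of accounts' and 'removal of access rights' cannot drift apart."""
        self.active.discard(user)
        self.roles.pop(user, None)
        self.grants.pop(user, None)

    def orphaned_access(self):
        """Reconciliation check: grants no assigned role explains, and grants
        that survive on accounts that are no longer active."""
        findings = []
        for user, perms in self.grants.items():
            expected = set().union(*(ROLES[r] for r in self.roles.get(user, set())))
            extra = perms - expected
            if user not in self.active:
                findings.append((user, "inactive account still holds access", sorted(perms)))
            elif extra:
                findings.append((user, "access not explained by role", sorted(extra)))
        return findings


def demo():
    """Two failure modes the check should catch (constructed scenario)."""
    d = Directory()
    d.onboard("alice", ["finance_clerk"])
    d.onboard("bob", ["helpdesk"])
    # An ad hoc grant made outside the role model.
    d.grants["bob"].add("erp:post_journal")
    # A termination where the account was flagged inactive but the
    # access-removal step of the HR checklist was skipped.
    d.active.discard("alice")
    return d.orphaned_access()


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

The reconciliation report is what a periodic access review consumes; running it after every termination turns the "removal of access rights" checklist item into something that can be verified rather than assumed.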
73. Business partners and other third parties often bring personnel into an organization.
The organization must ensure controls are in place to prevent the loss of sensitive
information, and also to mitigate any damage these individuals could intentionally or
unintentionally do to the organization.
There are several approaches to take depending on the nature of the relationship between
the vendor and the organization.
If the third party is infrequently on site or accessing systems but has administrative
access, consider:
Escorting the individual while on site to monitor activities.
Virtually monitoring the individual with screen sharing technology.
Recording all actions performed.
Vendor, Consultant, and Contractor Controls
74. If the third party is on site on a more permanent basis and has administrative
access, consider:
Performing a background investigation and determining if any suitability issues arise.
Virtually monitoring the individual with screen sharing technology and recording all
actions performed.
Ensuring an appropriate non-disclosure agreement with specific sanctions has been signed
by the individual, and by the individual's organization if applicable.
Ensuring the third party identifies who the specified personnel gaining access are, and
verifying their identification upon access.
Vendor, Consultant, and Contractor Controls
75. Part 1 - Classwork
Practice Questions
Exercises
Discussions
76. Spend 15 minutes reviewing the work we just covered.
Skim read.
Make notes: mind map or written.
Absorb, don't learn.
Private Review
77. Having reviewed the materials, now think like an examiner and choose two topics you
would write a test question on.
If you have time, create those questions to try on your in-class colleagues.
Create 2 Practice questions
78. Here are 5 practice questions on this topic.
Remember never to take more than 10 at a time.
Remember the principle of testing for exam preparation is to identify gaps in your
knowledge.
Your task then is to fill the gap before you move on.
Research the correct answer.
Make notes on it, either on a mind map in your XMIND knowledge dump or as hand written
notes.
Filling the gap
Let's try some questions
79. Which of the following steps should be performed first in a business impact
analysis (BIA)?
A. Identify all business units within an organization
B. Evaluate the impact of disruptive events
C. Estimate the Recovery Time Objectives (RTO)
D. Evaluate the criticality of business functions
Question 1
80. Answer: A is correct
The four cyclical steps in the BIA process are:
Gathering information;
Performing a vulnerability assessment;
Analyzing the information;
Documenting the results and presenting the recommendations.
The initial step of the BIA is identifying which business units are critical to
continuing an acceptable level of operations.
To do this the team will need to identify ALL business units within the organization.
Q1 Answer
81. Why must senior management endorse a security policy?
A. So that they will accept ownership for security within the organization.
B. So that employees will follow the policy directives.
C. So that external bodies will recognize the organization's commitment to security.
D. So that they can be held legally accountable.
Question 2
82. Answer: A
Explanation: Upper management is already legally accountable, so D is not the purpose of
the endorsement.
The external organizations answer is not really pertinent.
Employees need to be bound by the policy regardless of who signs it, but senior
management's signature gives it validity.
Ownership is the correct answer here. Here is a reference: "Fundamentally important to
any security program's success is the senior management's high-level statement of
commitment to the information security policy process and senior management's
understanding of how important security controls and protections are to the enterprise's
continuity."
Answer 2
83. Which of the following describes elements that create reliability and stability in
networks and systems and which assures that connectivity is accessible when needed?
A. Availability
B. Acceptability
C. Confidentiality
D. Integrity
Question 3
84. Correct answer is A
Wikipedia says:
Availability
For any information system to serve its purpose, the information must be available when
it is needed.
This means that the computing systems used to store and process the information, the
security controls used to protect it, and the communication channels used to access it
must be functioning correctly.
High availability systems aim to remain available at all times, preventing service
disruptions due to power outages, hardware failures, and system upgrades.
Ensuring availability also involves preventing denial-of-service attacks, such as a flood
of incoming messages to the target system essentially forcing it to shut down.
Answer 3
85. What are the three main outputs of a Business Impact Assessment?
A. Criticality Prioritization, Minimum Estimated Downtime, Essential resource requirements
B. Criticality Prioritization, Mean Time To Repair, Essential Contact List
C. Critical Personnel Contact List, Maximum Estimated Downtime, Essential resource
requirements
D. Criticality Prioritization, Maximum Estimated Downtime, Essential resource requirements
Question 4
86. Answer D is correct
There are several benefits of a BIA which are useful across the whole information
security process, but these three are the main outputs:
Criticality Prioritization
Maximum Estimated Downtime
Essential resource requirements
Answer 4
87. Which answer correctly describes a Trade Mark?
A. An intangible property right granted by law to the author or originator of a literary
or artistic production of specified types.
B. Any formula, pattern, device, or compilation of information that gives a business an
advantage over competitors who do not know the information or processes.
C. A grant from the government that gives an inventor the exclusive right to make, use,
and sell an invention for a specified period.
D. A distinctive mark, motto, device, or implement that a manufacturer stamps, prints, or
otherwise affixes to the goods it produces.
Question 5
88. The correct answer is D
A trademark is a distinctive mark, motto, device, or implement that a manufacturer
stamps, prints, or otherwise affixes to the goods it produces.
BONUS Question
What do the other answers (A, B and C) describe?
Answer 5
89. Part 2
Understand and apply Risk Management Concepts
Understand and apply Threat Modelling
Integrate Security-Risk considerations into Acquisitions Practice
Establish and Manage Information Security Awareness, Education and Training
90. Domain Objectives: Key Area I, Understand and apply Risk Management Concepts
91. Accurate risk analysis is a critical skill for an information security professional.
Risk decisions dictate which safeguards we deploy to protect our assets, and the amount
of money and resources we spend doing so.
Risk analysis
92. (Diagram) Controls protect Assets.
All Assets have Vulnerabilities (V), which are exposed to Threats (T).
Exposed vulnerabilities and the threats that can exploit them create Risk (R): V x T = R.
Controls reduce V, and so reduce R.
Assets Vulnerabilities Threats and Controls
93. Assets are the valuable resources you are trying to protect:
People, buildings, property, intellectual property etc.
The value or criticality of the asset dictates the safeguards you deploy.
A threat is a potentially harmful occurrence, such as:
Natural threats: earthquake, flood, fire
Technical threats: power outage, or a network-based worm like Conficker
Human threats: malicious activity by a disgruntled ex-employee
The Risk Triad
Assets Vulnerabilities and Threats
94. A vulnerability is a weakness that allows a threat to cause harm.
Examples of vulnerabilities are:
Buildings that are not built to withstand earthquakes
A data center without proper backup power
A Microsoft Windows XP system that has not been patched in a few years, or one that
automatically runs software on a USB token when inserted
A Linux system has no vulnerability to Conficker (a Windows worm) and therefore runs no
risk from it: a threat with no matching vulnerability produces no risk.
The Risk Triad
Assets Vulnerabilities and Threats
95. NIST SP 800-30, Risk Management Guide for Information Technology Systems, describes a
very useful risk analysis process.
A Risk Analysis Process
96. Step 1, System Characterization
Describes the scope of the risk management effort and the systems that will be analyzed.
Steps 2 and 3, Threat Identification and Vulnerability Identification
Identify the threats and vulnerabilities required to determine risks using the formula
"Risk = Threat x Vulnerability"
The NIST Risk Analysis Steps 1,2,3
97. Step 4a, Control Analysis
Analyses the security controls (safeguards) already in place or currently planned to
mitigate risk.
Step 4b, Likelihood Determination and Impact Analysis
Identify important risks (especially those with high likelihood and high
impact/consequence).
(Diagram: a 2 x 2 grid plotting P = probability of occurrence against I = impact of
occurrence, with quadrants High impact / Low likelihood, High impact / High likelihood,
Low impact / Low likelihood and Low impact / High likelihood.)
The NIST Risk Analysis Step 4
98. Step 5, Countermeasure Recommendations
Once the previous steps have been completed you are in a position to recommend controls
based on the results of a formalised risk analysis process.
Selection criteria include:
Product costs
Design/planning costs
Implementation costs
Environment modifications
Compatibility with other countermeasures
Repair, replace, or update costs
Operating support costs
Effects on productivity
The NIST Risk Analysis Step 5
99. Step 6 – Document results
Report back to the Senior Management and Sponsors on
the findings.
The NIST Risk Analysis Step 6
100. Quantitative and Qualitative Risk Analysis are two methods for analysing risk.
Quantitative Risk Analysis uses hard metrics, such as cost.
Qualitative Risk Analysis uses simple approximate values and estimations.
Quantitative is more objective; Qualitative is more subjective.
Qualitative and Quantitative Risk Analysis methods
101. Real numbers assigned:
Costs of countermeasures
Amount of damage that can take place
Popular metric for management decisions
Concrete percentages calculated
Purely quantitative risk analysis is difficult:
There will always be an element of guesswork in attempting to assign dollar values to
every conceivable threat.
Quantitative Risk Analysis
102. The main steps of quantitative risk analysis include:
1. Assign value to information assets
2. Estimate potential risk
3. Perform threat analysis
4. Derive the overall loss potential per risk
5. Choose remedial measures
6. Reduce, assign, or accept the risk
Quantitative Risk Analysis Steps
103. Single Loss Expectancy
SLE = asset value x exposure factor
Exposure Factor
EF = percentage of asset loss caused by the identified threat
Annual Loss Expectancy
ALE = SLE x ARO
Annual Rate of Occurrence
ARO = estimated frequency with which a threat will occur within a year
Quantitative Risk Analysis Terms
104. As an example, I have a vehicle with a value of $5000.
If it is in a crash the expected damage to the vehicle would be 20%.
Thankfully that kind of crash only occurs once in 4 years.
Calculate the amount of insurance I should take.
Asset Value AV = 5000
Exposure Factor EF = 20% (0.2)
Single Loss Expectancy SLE = 5000 x 0.2 = $1000
Annualized Rate of Occurrence ARO = 0.25 (once in 4 years)
Annual Loss Expectancy ALE = SLE x ARO = 1000 x 0.25 = $250
I need driving lessons...
Quantitative Risk Analysis (cont.)
105. Generally expected:
Assigned monetary values
List of possible and significant threats
Probability of the occurrence rate
Loss potential that the company can endure over a year
Recommended safeguards, countermeasures, and actions
Difficulties of Quantitative analysis
It is hard to place a capital amount on every threat.
Insurance and historical records may help, but that is only a start.
Results of Quantitative Risk Analysis
106. Qualitative risk analysis is scenario based:
One scenario is examined and assessed for each critical or major threat to an IT asset.
Examines the asset, the threat, and the exposure or potential for loss that would occur
if the threat were realized on the IT asset.
Requires the risk analysis team to ask, "What if?" regarding specific threat conditions
on IT assets.
Purpose: provide a consistent, if subjective, assessment of the risk to specific IT
assets.
Risk analysis team task: develop realistic scenarios that describe a threat and potential
losses to organizational assets.
No dollar amounts are assigned.
Qualitative Risk Analysis
107. Example of a ranking matrix: P x I
Rows: likelihood of occurrence (failure probability increases from E up to A).
Columns: consequence or impact (increases from 1 Negligible to 5 Catastrophic).

Likelihood      1 Negligible   2 Marginal   3 Important   4 Critical   5 Catastrophic
A Frequent      High           High         Very high     Very high    Very high
B Probable      Medium         High         High          Very high    Very high
C Occasional    Low            Medium       High          Very high    Very high
D Remote        Low            Low          Medium        High         Very high
E Improbable    Low            Low          Medium        High         High
Qualitative Risk Exposure Scoring
108. Property                            Quantitative   Qualitative
Financial hard costs                     Yes
Can be automated                         Yes
Little guesswork                         Yes
No complex calculations                                 Yes
Low volume of information required                      Yes
Short time and easier work load                         Yes
Easy to communicate results                             Yes
Quantitative vs. Qualitative Comparison
109. Acceptable risk:
The level of risk that an organization is willing to take (its risk appetite)
Residual risk:
Risk remaining after security controls and countermeasures have been implemented
Risk management:
Process of reducing the risk to IT assets to an acceptable level by identifying,
assessing and treating the threats to them; threats themselves can rarely be eliminated,
only their likelihood or impact reduced
Risk analysis:
Process of identifying the severity of potential risks and vulnerabilities, and assigning
a priority
Some more Risk Terms to remember.
110. Total risk before the application of controls is shown as
Threats x vulnerability x asset value = total risk
The residual risk is the risk left after the application of the control. Remember no
control completely eliminates risk, so there will be a control gap:
(Threats x vulnerability x asset value) x control gap = residual risk
Some other Risk Formulas
111. Acceptable ways to deal with risk include:
Accept:
The organization believes the benefits outweigh the potential loss
Transfer:
Insurance, outsourcing
Mitigate (Reduce):
Choose remedial measures; countermeasure selections to counteract each risk
Avoid:
Stop or redesign the activity that gives rise to the risk
Choosing How to Deal with Risk
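Added example, not part of the Global Knowledge slides: the SLE/ALE terms, the vehicle example, the residual risk (control gap) formula and the accept/transfer/mitigate decision from the preceding slides, carried through in Python for a small constructed risk register with candidate countermeasures. All asset values, exposure factors, rates and control costs are invented for illustration. Applying the control gap to the ALE rather than to the conceptual "threat x vulnerability x asset value" product is a modelling choice made here so that every figure stays in currency per year and the safeguard's annual cost can be compared directly.

```python
"""Added example (not from the Global Knowledge slides): SLE, ALE, residual
risk and the accept/mitigate decision over a constructed risk register."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One asset/threat pair from the risk register (constructed values)."""
    name: str
    asset_value: float      # AV
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year

    def sle(self):
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float   # purchase, support and productivity costs, annualised
    control_gap: float   # fraction of the loss the control does NOT stop, 0..1


def residual_ale(threat, control):
    """Residual risk = total risk x control gap, applied here to the ALE."""
    return threat.ale() * control.control_gap


def net_benefit(threat, control):
    """Annual value of a safeguard = ALE before - ALE after - annual cost."""
    return threat.ale() - residual_ale(threat, control) - control.annual_cost


def treatment(threat, options):
    """Mitigate with the option of highest positive net benefit. If nothing
    pays for itself, accept the risk. A transfer (insurance premium) is
    priced the same way by modelling the premium as annual_cost."""
    best = max(options, key=lambda c: net_benefit(threat, c), default=None)
    if best is None or net_benefit(threat, best) <= 0:
        return ("accept", None, round(threat.ale(), 2))
    return ("mitigate", best.name, round(residual_ale(threat, best), 2))


# Constructed register: the slide's vehicle plus two invented IT entries.
REGISTER = {
    Threat("vehicle crash", 5000, 0.20, 0.25): [
        Countermeasure("defensive driving course", 60, 0.6),
        Countermeasure("secure garage", 300, 0.1),
    ],
    Threat("web server compromise", 200_000, 0.15, 0.5): [
        Countermeasure("managed WAF", 8000, 0.3),
        Countermeasure("monthly patch cycle", 3000, 0.5),
    ],
    Threat("office printer failure", 2000, 0.5, 0.1): [
        Countermeasure("maintenance contract", 500, 0.2),
    ],
}


def risk_report(register=REGISTER):
    """Decision per threat: (treatment, chosen control, residual or accepted ALE)."""
    return {t.name: treatment(t, opts) for t, opts in register.items()}


if __name__ == "__main__":
    for name, decision in risk_report().items():
        print(f"{name}: {decision}")
```

Note what the numbers show: for the web server the cheaper patching control beats the WAF because it closes more of the gap per unit cost, and the printer is accepted because no available control costs less than the loss it would prevent. That is the cost/benefit reasoning behind "the amount of money that should be earmarked" for an ALE.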
112. There are three main control types
Technical/Logical controls: firewalls, IDS, biometric access control devices
Administrative controls: security policy, job rotation, separation of duties
Physical controls: fences, lighting, fire suppression systems
The three main control types
113. There are seven categories of control.
Directive Deterrent Preventative Compensating Detective Corrective Recovery
Access control categories
114. (Diagram: control categories on an incident timeline, with impact rising from Low
to Medium to High as the incident progresses.)
Planning and establishing defences (pre-incident): Directive controls, Deterrent
controls, Preventative controls, Compensating controls
Incident
Discover/react and adjust/regroup (post-incident): Detective controls, Corrective
controls, Recovery controls
Access control impact / incident timeline
115. Directive Controls
Are designed to provide personnel with guidance about the expectation of behaviour
within the organization's security environment.
Provide guidelines.
Apply to internal staff and external visitors and contractors.
Deterrent controls
As it says on the tin! Should act as a deterrent to threats and attacks.
Typically designed so that the effort to circumvent the control is greater than the
value perceived in breaking it.
Pre-incident Control Categories
116. Preventative Controls
These attempt to stop an event from occurring. For example, change management controls
prevent changes to systems and procedures from accidentally reducing the availability
and security of the system.
Compensating controls
These are used when the existing controls do not adequately meet the requirement
described in the security policy.
Pre incident controls continued....
117. Detective Controls
Provide notification to appropriate personnel if the directive, deterrent and
preventative controls have not denied an attack.
They tell you something has happened and are the first part of the post incident
timeline.
Corrective controls
Act on what the detective controls report. For example, a Cisco intrusion detection
system may dynamically alter the access control list on a border router in response to
a warning from the detective controls.
Recovery controls
Once the security related event is over it is necessary to return the system to "normal
operations".
Post incident controls
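Added example, not from the slides and not a description of Cisco's own mechanism: the detective-to-corrective hand-off described above, with a detective control that counts failed SSH logins per source address over a sliding window in constructed sshd-style log lines, and a corrective control that generates the ACL deny entries to push to the border router. The log lines, the five-failures-in-five-minutes threshold and ACL number 101 are assumptions; the output format is Cisco IOS extended ACL syntax, assumed here as the target.

```python
"""Added example (not from the Global Knowledge slides): a detective control
(failed-login counting) feeding a corrective control (ACL deny entries).
Log lines, threshold and ACL number are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd-style auth log lines (not real data).
SAMPLE_LOG = """\
Mar 10 09:14:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 10 09:14:03 gw sshd[2203]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar 10 09:14:04 gw sshd[2205]: Failed password for root from 203.0.113.5 port 51131 ssh2
Mar 10 09:14:06 gw sshd[2207]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar 10 09:14:09 gw sshd[2209]: Failed password for root from 203.0.113.5 port 51142 ssh2
Mar 10 09:15:30 gw sshd[2230]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 09:15:31 gw sshd[2231]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 10:20:00 gw sshd[2300]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar 10 10:50:00 gw sshd[2301]: Failed password for bob from 198.51.100.9 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2024):
    """Detective step 1: extract (timestamp, source ip) from each failed login.
    Syslog lines carry no year, so one is supplied (assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def offenders(events, threshold=5, window=timedelta(minutes=5)):
    """Detective step 2: sources with >= threshold failures inside any window.
    The sliding window is what keeps slow, legitimate mistakes (bob's two
    failures half an hour apart) from being treated as an attack."""
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged


def acl_entries(flagged, acl_number=101):
    """Corrective step: the deny lines to push to the border router
    (Cisco IOS extended ACL syntax, assumed as the target format)."""
    return [f"access-list {acl_number} deny ip host {ip} any" for ip in sorted(flagged)]


if __name__ == "__main__":
    for entry in acl_entries(offenders(parse_failures(SAMPLE_LOG))):
        print(entry)
```

In production the corrective step would also carry an expiry and a whitelist of management addresses; an automated deny that can be triggered by spoofable or shared source addresses is itself a denial-of-service risk, which is why the threshold and window deserve the same scrutiny as the rule they drive.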
118. Controls are deployed in combinations of category and function.
This chart shows some example control combinations.
Attribute / Directive / Deterrent / Preventive / Detective / Corrective / Recovery /
Compensating
Administrative: Policy / AUP / User Registration / Review violation reports /
Reassignment or Termination / Incident Response Plan / Supervision
Technical: Config standards / Warning Banner / Password based login / Anti-virus and
Monitoring / Reboot or restart / Backups / Redundant Server
Physical: Authorised personnel only signs / Electric Fence Sign / 8-ft Fence / Motion
Detector / Fire Extinguisher / Restoration of Backups / Defense in depth (layers)
Some Example Control Combinations
119. Domain Objectives: Key Area J, Understand and apply Threat Modelling
120. Threat modelling enables informed decision making about application security risk.
Threat modelling produces a prioritised list of security improvements to the concept,
requirements, design, or implementation of a system or application.
As part of the design phase of the Software Development Life Cycle (SDLC), threat
modelling allows software architects to identify and mitigate potential security issues
early, reducing the total cost of development.
Threat modelling is a procedure for optimizing network, application and Internet
security by identifying objectives and vulnerabilities and then defining countermeasures
to prevent, or mitigate the effects of, threats to the system.
Threat Modelling
121. Step: Description
Assessment Scope: Identify critical assets to protect. Closely related to the BIA
priorities.
Identify Threat Agents and possible attacks: Identify the who or what that wants to
attack. Consider insiders and outsiders, malicious or accidental threat agents.
Understand Existing Countermeasures: Do an audit of what is currently in place. Is it
effective?
Identify exploitable vulnerabilities: Look for vulnerabilities that impact on the BIA
critical path.
Prioritize identified risks: Threat modelling operates on priorities. You cannot protect
everything; residual risk needs justification.
Identify Countermeasures to reduce risk: Use the information gathered to complete the
defence posture by deploying countermeasures against prioritised vulnerabilities.
Threat modelling process.
122. Once threat modelling is complete the Security Architect, Security Practitioner and
Security Professional should work together to deploy the most appropriate technologies
and processes to remediate the threats.
There is of course no single correct answer as to which processes and procedures to use.
Everything depends on the output of the threat model.
Typical technologies include IDS/IPS, firewalls, access control, biometrics etc.
Technologies & Processes to Remediate Threats
123. Domain Objectives: Key Area K, Integrate Security-Risk considerations into
Acquisitions Practice
124. Supply chain risk usually refers to tangible property exposures: fires, natural
disasters.
Information and communication technologies are also vulnerable to failure and loss, both
accidental and malicious.
It is part of the challenge for the modern security professional to analyse and
understand the risks to his/her organization's supply chains, in particular for critical
systems.
Acquisition Supply Chain Risks
125. Institute baseline cybersecurity requirements as a condition of contract award for
appropriate acquisitions.
Address cybersecurity through relevant training.
Develop common cybersecurity definitions for the acquisitions process.
Institute an acquisition cyber risk strategy.
Include a requirement to purchase from Original Equipment Manufacturers (OEMs), their
trusted sources and authorised resellers.
Increase organisational accountability for cyber risk management.
Acquisition Security Best Practices
126. Security professionals should be included in any agreements for hardware, software
and cloud services from a third party.
Organizations should be cautious about the jurisdiction and regulations pertinent to the
third party involved and to their own partners and suppliers.
Particular care must be taken with the due diligence performed before any binding supply
chain agreement is made.
Third party Assessments
127. The due diligence should include a combination of:
On-site assessments of the supplier.
Document exchanges.
Process and policy review.
The security professional should become involved in all three of these activities to
ensure that the supplier is following an acceptable formal security control framework
within its own organisation, exchanging documentation and reviewing processes and policy
to ensure there is an understanding of the potential risks involved in the transaction.
Third Party Acquisitions Due Diligence
128. During the requirements gathering phase of a project, best practice is to use a
Statement of Requirements document covering:
A succinct requirement specification for management.
A statement of key objectives.
A description of the environment in which the system will operate.
Background information and references.
Information on major design constraints.
Minimum security requirements
129. Two useful documents in the due diligence process. Ensuring these are well formed,
complete and non-contradictory will greatly reduce risk in third party acquisitions.
SLR: contains the description of the expected service from the client viewpoint.
SLA: an agreement between the third party and the customer documenting
The IT service
Service Level Targets
Responsibilities of both supplier and customer
Service level requirements SLR and Service Level Agreement SLA
130. Domain Objectives: Key Area L, Establish and Manage Information Security Awareness,
Education and Training
131. Most organizations perceive value in promoting an
awareness of security within their environments.
Security awareness addresses the why of policy.
If end-users understand the why, they are more apt to
follow the policy.
Generally, people follow policy more consistently if
they understand why policy exists and how to comply.
Security awareness can be defined as helping establish
an understanding of the importance and how to comply
with security policies within the organization.
Security Education, Training, and
Awareness Policies - Awareness
132. Security is a broad discipline, and as such there are many topics that could be
covered by security awareness training.
Topics that can be investigated within the security awareness curriculum include:
Corporate security policies
The organization's security program
Regulatory compliance requirements for the organization
Social engineering
Business continuity
Disaster recovery
Emergency management
Security incident response
Data classification ... and lots of others!
Training Topics
133. Security Job Training assists personnel with the
development of their skill sets relative to performance of
security functions within their roles.
A typical security curriculum will include specialty training
for individuals performing specialized roles within the
organization, such as those in IT, accounting, and others.
Within these business units, more specialized training will
occur.
For example, in the IT area, it would be advisable for
network staff responsible for maintenance and
monitoring of the firewalls, intrusion detection/
prevention systems, and syslog servers
Security Job Training
134. It is important to track performance relative to security for
the purposes of both enforcement and enhancement of
security initiatives under way.
It is also important for the organization to ensure that users
acknowledge their security responsibilities by
Signing off after each class that they have heard and
understand the material and
Agreeing to be bound by the organization’s security program,
policies, procedures, plans, and initiatives.
Measurement can include periodic walk-throughs of
business unit organizations, periodic quizzes to keep staff
up to date, and so on.
Security Training Performance Metrics
135. Part 2 - Classwork
Practice Questions
Exercises
Discussions
136. When is it acceptable to not take action on an identified risk?
A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and potential
loss.
Question 1
137. Answer D
Companies may decide to live with specific risks they are faced with if the cost of
trying to protect themselves would be greater than the potential loss if the threat were
to become real.
Countermeasures are usually complex to a degree, and there are almost always political
issues surrounding different risks, but these are not reasons not to implement a
countermeasure.
Answer 1
138. Which best describes a quantitative risk analysis?
A. Scenario-based analysis to research different security
threats
B. A method used to apply severity levels to potential
loss, probability of loss, and risks
C. A method that assigns monetary values to components
in the risk assessment
D. A method that is based on gut feelings and opinions
Question 2
139. Answer C.
A quantitative risk analysis assigns monetary values and percentages to the different
components within the assessment.
A qualitative analysis uses the opinions of individuals and a rating system to gauge the
severity level of different threats and the benefits of specific countermeasures.
Answer 2
140. Why is a truly quantitative risk analysis not possible to
achieve?
A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate
into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative
elements.
Question 3
141. Answer D.
During a risk analysis, the team is trying to properly predict the future and all the
risks that future may bring.
It is somewhat of a subjective exercise and requires educated guessing.
It is very hard to properly predict that a flood will take place once in ten years and
cost a company up to $40,000 in damages, but this is what a quantitative analysis tries
to accomplish.
Answer 3
142. Which best describes the purpose of the ALE calculation?
A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year
Question 4
143. Answer D.
The ALE calculation estimates the potential loss that can affect one asset from a
specific threat within a one-year time span.
This value is used to calculate the amount of money that should be earmarked to protect
this asset from this threat.
Answer 4
144. How do you calculate residual risk?
A. Threats x risks x asset value
B. (Threats x asset value x vulnerability) x risks
C. SLE x frequency = ALE
D. (Threats x vulnerability x asset value) x controls gap
Question 5
145. Answer D.
The equation is more conceptual than practical. It is hard
to assign a number to a vulnerability and a threat
individually.
This equation enables you to look at the potential loss of
a specific asset and look at the controls gap (what the
specific countermeasure cannot protect against). What is
left is the residual risk.
Residual risk is what is left over after a countermeasure is
implemented.
Answer 5