Download CISM Exam WIth 100% correct answers Graded A+ and more Exams Cybercrime, Cybersecurity and Data Privacy in PDF only on Docsity!
CISM Exam
Information Security Governance Structure - Governance ensures that stakeholder needs, conditions, and options are evaluated to determined balanced, agreed upon enterprise objectives to be achieved. Business Alignment involves: - Mission, Goals/Objectives, and Strategy What does Information Security governance provide? - Objectives, Strategy, Policy, Processes, Controls, Metrics/Reporting Key results of an effective security governance program: - Increased Trust & Improved Reputation ISACA Definition of Risk Appetite: - The level of risk that an organization is willing to accept while in pursuit of its mission, strategy, and objectives, and before action is needed to treat the risk. ISACA Definition of Risk Capacity: - The objective amount of loss that an organization can tolerate without its continued existence being called into question ISACA Definition of Risk Profile: - Documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. This profile is developed collaboratively with numerous stakeholders throughout the organization, including data and process owners, enterprise risk management, internal and external audit, legal, compliance, & privacy. Mature Organizations Will: - Develop and publish a statement of risk tolerance or appetite that expresses risk tolerance levels throughout the business What do we really need to have a handle on?: - Technology Architecture People Process Information Security governance is most effective when: - Every person in the organization knows what is expected of them. RACI Charts: -
Charts that show Responsibility, Accountability, Consultation, and Informed roles for project stakeholders Variations of RACI Model: - Participant, Accountable, Review Required, Input Required, Sign off Required (PARIS) Perform, Accountable, Control, Support, Informed (PACSI) Board of Directors Principle 1 - Approach Cybersecurity as enterprise wide issue, rather than just IT issue. Board of Directors Principle 2 - Understand legal implications associated with cyber risk. Board of Directors Principle 3 - Boards should have adequate access to cyber expertise and allow ample time to discuss cyber topics during board meetings. Board of Directors Principle 4 - Boards should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. Board of Directors Principle 5 - Board management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach. Security Steering Committee - Consisting of stakeholders from many (if not all) of the organizations business units, departments, functions, and principal locations. Steering Committee Responsibilities - Risk treatment deliberation and recommendation Discussion and coordination of IT and security projects Review of recent risk assessments Discussion of new laws, regulations, and requirements Review of recent security incidents Function Definition: - In the case of business applications and services, asset owners determine which functions will be available, how they will work, and how they will support business processes. Process Definition: -
The purpose of the enabling and support DI is the enablement and support of business processes by technology BMIS (Human Factors) - The purpose of the human factors DI is the interaction between people and information systems. Zachman Framework v3 - Is a schema the intersection between two historical classifications that been in use for literally thousands of years. The first is the fundamentals of communication found in primitive interrogatives: What, how, when who, where and why. 6x6 Matrix COBIT - Control objectives for Information and Related Technologies (COBIT) is an IT Management Framework: -Plan and Organize -Acquire and Implement -Deliver and Support -Monitor and Evaluate ISO/IEC 38500 - Governance of IT for the Organization ITIL/ISO/IEC 20000: - Known as the IT Infrastructure Library, ITIL is a framework of processes for IT service delivery and IT Service Management. HIPAA: - Health Insurance Portability and Accountability Act, established requirements for the protection of electronic protected health information (EPHI) NIST SP 800-53: - Security and Privacy Controls for Federal Information Systems and Organizations. Required for all U.S. government information systems. NIST CSF: - Risk based life-cycle methodology for assessing risk, enacting controls, and measuring control effectiveness. CIS/CSC 20: - Critical Security Controls (CSC) Framework Policy: - Security policy can be thought of as an organization's governing rules with regard to the protection of important assets (as well as personnel safety).
Standards: - An organizations security standards describe in details the methods, techniques, technologies, specifications, brands, and configurations to be used throughout the organization. Guidelines: - Written for personnel who need a little extra guidance on how to adhere to policies. Processes / Procedures: - The relevance, accuracy, and the thoroughness of process and procedure documents are indicators of maturity and commitment to a solid security program. Business Impact Analysis (BIA) - Used to identify an organizations business processes, the inter dependencies between processes, the resources required for process operation, and the impact on the organization if any business process is incapacitated for a time. CORNERSTONE OF BCDR PROGRAM CMMI for Development (Maturity Model) - Level 1: Initial Level 2: Repeatable Level 3: Defined Level 4: Managed Level 5: Optimized Accountability - Willingness to take credit and blame for actions. Responsibility - the state or fact of having a duty to deal with something or of having control over someone. Risk Management Strategy - Designed to identify all credible risks and reduce them to a level that is acceptable to the organization. Risk Awareness: - Goal is to ensure that business leaders and decision makers are aware of the idea that all business decisions have a risk component and that many decisions have implications on information risk. Facility Risk Assessment Process (FRAP): - -Brainstorming session to identify threats -Assigning impact and probability scores to each threat
- Addresses issues such as data access, relevant legal requirements, stewardship and custodial duties, data acquisition. Vulnerability - Weakness in a system that permits an attack to successfully compromise a target system. Types of Vulnerabilities - -Configuration fault -Design fault -Known un-patched weakness -Undisclosed un-patched weakness -Undiscovered weakness Asset Value (AV) - The value of an asset, which is usually the asset's replacement value. Exposure Factor (EF) - The financial loss that results from the realization of a threat, expressed as a percentage of the assets total value. Single Loss Expectancy (SLE): - Represents the financial loss when a threat scenario occurs on time. SLE is defined as AV x EF. Annualized Rate of Occurrence (ARO): - An estimate of the number of times that a threat will occur in a year. Like EF and SLE, ARO will vary by threat. Annualized Loss Expectancy (ALE): - This is the expected annualized loss of asset value due to threat realization. ALE is defined as SLE x ARO. ALE is based upon the verifiable values AV, EF, and SLE, but because ARO is only an estimate, ALE is only as good as ARO. OCTAVE Alegro: - Operationally Critical Threat Asset and Vulnerability Evaluation Delphi Method: - Questionnaires are distributed to a panel of experts in two or more rounds. A facilitator will anonymize the responses and distribute them to experts. Objective is for the experts to converge on the most important risk and mitigation strategies. Event Tree Analysis (ETA) - - Derives from the fault tree analysis method, ETA is a logic modeling technique for analysis of success and failure outcomes given a specific event scenarios
Fault Tree Analysis (FTA) - A logical modeling technical used to diagram all the consequences for a given event scenario. FTA begins with a specific scenarios and proceeds forward in time with all possible consequences. Monte Carlo Analysis - Begins with a given system with inputs, where the inputs are constrained to minimum and maximum values. Operational Risk: - Defined as the risk of loss resulting from failed controls, processes, and systems; internal and external events; and other occurrences that impact business operations and threaten an organizations survival. Goals of BIA: -
- Determine Criticality
- Estimate Maximum Downtime
- Evaluate Internal and External Resource Requirements BIA Process Steps: -
- Gather Requirements / information
- Vulnerability Assessment
- Risk Analysis a. Quantitative - ALE = SLE x ARO b. Qualitative - Low Medium High
- Communicate Findings - Audience Relevancy Criticality Analysis (CA) - ONLY once all the BIA information has been collected and charted, can the criticality analysis (CA) be performed. Maximum Allowable Downtime (MAD) / Maximum Tolerable Downtime (MTD): - A (theoretical) period of time, measured from the onset of a disaster, after which the organizations survival is at risk. Maximum Tolerable Outage (MTO): - A measure of maximum time that an organization can tolerate operating in recovery mode. Recovery Point Objective (RPO): - The point in time you can recovery to in the event of a disaster. You can walk away from this much data once this number is determined. Service Delivery Objective (SDO): - Defined as the level of quality of service that is required after an event, as compared to normal business operations.
Security Audit: - A more formal and more rigorous examination of one or more controls, processes, or systems. This usually requires the presentation of evidence of control design and effectiveness where a review does not. Operational Audit: - An examination of IT Controls, security controls, or business controls to determined control existence and effectiveness. Integrated Audit: - Combines an operational audit and a financial audit in order for the auditor to gain a complete understanding of the entire environments integrity. IS Audit: - A detailed examination of most or all of an information systems (IS) departments operations. An IS audit looks at IT governance to determine whether IT is aligned to overall organization goals and objectives. Audit Methodology Methodology: - -Audit Subject -Audit Objective -Type of Audit -Audit Scope - Needs a time span to be applied to the audit subject to ensure we examine the right things AND the right timeline -Pre-audit planning -Statement of Work (SOW) - describes the audit purpose, scope, duration, and costs -Audit procedures -Audit Communication plan -Report preparation & wrap up -Post Audit Follow-up Judgmental Sampling (non-statistical sampling): - Selection of samples based on establish criteria such as risk or materiality Attribute Sampling: - Used to study the characteristics of a given population to answer the question of how many. A specific attribute is selected and the samples are examined to see how many items have the characteristic and how many do not. Variable Sampling: - Used to statistically determine the characteristic of a given population to answer the question "how much". Stop-or-go Sampling: - Used to permit sampling to stop at the earliest possible time
Discovery Sampling: - Used when an auditor is trying to find at least one exception in a population. Stratified Sampling: - The event population will be divided into classes, or strata, based upon the value of one of the attribute. Then samples are selected from each class, and results are developed from each class or combined into a single result. Control Self Assessment (CSA): - A methodology used by an organization to INTERNALLY review key business objectives, risks related to eacheiving these objectives, and the key controls designed to manage those risks. CSA Life Cycle: -
- Identify and assess risks Security Manager and Internal Auditor should be involved
- Identify and assess controls
- Develop questionnaire or conduct workshop
- Analyze completed questionnaires or assess workshop
- Control remediation
- Awareness training What is a Common Vulnerability Scoring System (CVSS) : - An open framework that is used to provide a common methodology for scoring vulnerabilities. Network Address Translation (NAT): - Converts internal IP addresses in packet headers into public IP addresses for transmission over the WAN. Stateful NAT - Use of mapping database that maps the internal client request and the WAN Service being requested. Static NAT: - internal client is assigned a permanent mapping to a specific public IP address Dynamic NAT: - Rotates the internal clients among several public IP addresses to facilitate multiple clients communicating through the NAT server. OSI Model - Application, Presentation, Session, Transport, Network, Data Link, Physical
Capability Table: - subject focused, as opposed to an Access Control List (ACL) which is object focused. Steps of Access Control (IAAA) - -Identify and Authenticate -Determine whether access is authorized -Grant or deny access based on user identity -Monitor and record access AAA - Authentication, Authorization, and Accounting Radius - Provides AAA services between network access servers and an authentication server. TACACS+ - Open source solution for TACACS and XTACACS. Separates AAA processes, allow them to be hosted separately if necessary. Encrypts all authentication information. Diameter - Uses TCP port 3368 or Stream Control Transmission Protocol (SCTP) port
- Supports Ipsec and TLS. X.500 - LDAP X.400 - Active Directory standard (Email) Kerckhoff's Principle: - A cryptosystem should be secure even if everything about the system , except the key, is public knowledge. Boolean Mathematics - defines the rules used for bytes & bits that make up information Zero Knowledge Proof: - ability to prove your knowledge of a fact to a Third party WITHOUT revealing that fact to the third party (SHOW BUT DON'T TELL). One Time Pad (Vernam Ciphers) -
Only TRULY UNBREAKABLE Cryptosystem but only if implemented correctly. Null Cipher - used in cases where the use of encryption is not necessary but yet the fact that no encryption is needed must be configured in order for the system to work. Transposition Ciphers - rely on concealing the message through the transposing of or interchanging the order of the letters. Running Key Cipher - the key is repeated (or runs) for the same length as the plaintext input. Key Clustering: - different encryption keys generate the same cipher text from the same plaintext. Synchronous: - Encryption and decryption request is performed immediately Symmetric Key Algorithms: - are SINGLE KEY !!! - We call that key the PRIVATE KEY | SECRET KEY | SHARED KEY!!! Asymmetric Key Algorithms: - are DOUBLE KEY! Different key to encrypt and decrypt the message. Public and Private KEY PAIR (VERY SLOW as compared to Symmetric) Formula for Encryption Keys Needed - n(n-1)/2 = keys (n=Participants) Symmetric Algorithms to Remember - ( DES | 3-DES | IDEA | Blowfish | Skipjack | AES) Diffie Hellman Algorithm: - A key exchange algorithm used to enable two users to exchange or negotiate a secret symmetric key that will be used for message encryption. RC-4: - NOT A BLOCK : Most widely used stream cipher, being deployed, for example in WEP and SSL/TLS. RC4 uses variable length keys ranging from 8 - 2048 bits (1 to 256 bytes). Secure Hashing Algorithm (SHA) -
developed to address the need of financial institutions to transmit securities and funds securely using an electronic medium. Key Wrapping and Key Encrypting Keys (KEK) - KEKs are used as part of key distribution or key exchange. The process of using KEK to protect session keys is called key wrapping. Key wrapping uses symmetric ciphers to securely encrypt a plaintext key along with any associated integrity information and data. Used to protect session keys in untrusted storage. Secure Multipurpose Internet Email Extension (S/MIME) - authentication and confidentiality protection through the use of public key cryptography and digital signatures. x.509 digital certificates are used for authentication Mime Object Security Services (MOSS) - Authentication confidentiality, indetrgirty & non repudiation. Uses Message Digest 2 (MD2) and MD5 , RSA Public Key and Data Encryption Standard (DES) for authentication and encryption. Privacy Enhanced Mail (PEM): - Authentication, confidentiality, integrity, and non repudiation. Uses RSA, DES & x. Domain Keys identified Mail (DKIM) - Assertion that an email was sent by an organization via means of domain name verification. Pretty Good Privacy (PGP): - Asymmetric Key system using a variety of algorithms including RSA and IDEA Digital rights Management (DRM) - using software to encrypt data and then apply stringent protections to only allow authorized users to interact with data Digital Rights Management Examples - Movies Music E-book Video games Documents High Bandwidth digital content protection (HDCP) - Content sent over HDMI Authentication Header (AH): - Authentication, integrity and non repudiation
Internet Security Association And Key Management Protocol (ISAKMP): - Provides security support in IPSec by negotiating, establishing, modifying, and deleting Security Associations (SA's). Security Associations (SA's): - Negotiated by ISAKMP during the initialization of an IPSec session. It represents a simplex connection or a one way transmission agreement. Static DLP: - Used to scan unstructured data storage systems for sensitive information. Can be effective at discovery sensitive data that personnel copy to file servers. Dynamic DLP: - Used to detect and even block the movement of sensitive data. Users may be warned of the activity they are undertaking, or their actions may be blocked. Gate Process: - each step of the process undergoes formal review and approval before the next step is allowed to begin. The Committee of Sponsoring Organizations of the Treadway Commission (COSO): - A private sector organization that provides though leadership through the development of frameworks and guidance on enterprise risk management, internal control, and fraud deterrence. North American Electrical Reliability Corporation (NERC): - develops standards for use by elected utilities in most of North American. Include power generation and distribution including security. Dwell Time: - The period of time that elapses between the start of an incident and the moment the organization is aware of it. Electronic Discovery Model (9 Steps): - -Information Governance: Ensures information is well organized -Identification: located information covered by a discovery request -Preservation: protects discoverable information against deletion and/or alteration -Collection: gathers information centrally for use in the discovery process -Processing: screens collected information to filter out unnecessary information prior to review -Review: Examination of remaining information to determine what information needs to be provided to comply with the discover request, and which information may be protected -Analysis: deep inspection of content & context of the information -Production: Places information into form that can be shared.
backed up. Once the backup is complete, the archive bit on ALL files is reset and turned off (set to 0) Differential Backup - captures only the changes made since the last full backup, not since the last differential backup. This requires more storage space, but ensures an easier, more reliable restore. All files with their archive bit enabled are backed up, but the archive bit IS NOT reset once files are backed up. First In, First Out (FIFO) - specifies that the oldest available backup tape is the next one to be used. Grandfather-Father-Son - The most common backup media rotation scheme, creating a hierarchical set of backup media that provides for greater retention of backed-up data. In the most common form of this scheme, full backups are performed once per week, and incremental or differential backups are performed daily. Towers of Hanoi - A complex backup media rotation scheme that provides for more lengthy retention of some backup media by using a cycle of exponential retention periods instead of a large number of tape Service Bureaus: - A company that leases computer time via contract. Can be on-site or remote. Electronic Vaulting: - database backups are moved to a remote site using a bulk transfer capability. Remote site can be dedicated facility or co-location. Remote Journaling - quicker version of electronic vaulting, using bulk transfers of data, but more frequently. Focus is on copying and transferring the transaction log files instead of the entire database. Power Issues: - Spike: Quick instance of increase in volume Sag: a quick instance of a decrease in voltage Surge: An increase in power that is prolonged. Brownout: A decrease in power that is prolonged Transients: Noise on the power lines. RAID 0: -
Writes files in stripes across multiple disks without the use of parity information. This technique allows for fast reading and writing to disk since all the disks can be accessed in parallel. Not possible to recover from hard drive failure. RAID 1 (drive mirroring): - duplicates all disk writes from one disk to another to create two identical drives. This mirroring may even happen between drives on different hard drive controllers (which is called duplexing). RAID 3: - Required three or more drives to implement. Striping of data like in RAID 0, with redundancy in the form of a dedicated parity drive. Parity information is written to a dedicated disk. If one disk fails, then the information on the parity disk can be used to reconstruct the drive. RAID 4: - Very similar to RAID 3. The main different is the method for sharing data. Data is divided into blocks (16, 32, 64, 128kb) and written across the disks similarly to RAID 0. RAID 5: - Also requires three or more drives to implement. The big difference is how parity information is stored. Rather than using a dedicated parity drive, data and parity information is striped together across all drives. Most popular level and can tolerate the loss of any drive since the parity information on the other drives can be used to reconstruct data from the lost ones. RAID 6: - This is an extension of RAID 5. where two parity blocks are used to instead of a single parity block. Can withstand the failure of any two disks in the array instead of a single disk. RAID 1+0 (RAID 10): - Configured as two or more mirrors in a stripe. Read Through / Desk Check (DR Test): - Copies of the plan are distributed to the members of the team for review so that basic facts and details can be validated. Simulation (DR Test): - Cost and complexity are increased, as simulations require planning and coordination. These include a pretend disaster. Parallel (DR Test): -
