CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)

transferring risk. Accepting risk means the management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk. It also means that management has agreed to accept the consequences and the loss if the risk is realized.

Be able to explain total risk, residual risk, and controls gap. Total risk is the amount of risk an organization would face if no safeguards were implemented. To calculate total risk, use the formula threats * vulnerabilities * asset value = total risk. Residual risk is the risk that management has chosen to accept rather than mitigate. The difference between total risk and residual risk is known as the controls gap. The controls gap is the amount of risk that is reduced by implementing safeguards. To calculate residual risk, use the formula total risk – controls gap = residual risk.

Know how to implement security awareness training. Before actual training can take place, awareness of security as a recognized entity must be created for users. Once this is accomplished, training, or teaching employees to perform their work tasks and to comply with the security policy, can begin. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy. Education is a more detailed endeavor in which students/users learn much more than they actually need to know to perform their work tasks. Education is most often associated with users pursuing certification or seeking job promotion.

Understand security management planning. Security management is based on three types of plans: strategic, tactical, and operational. A strategic plan is a long-term plan that is fairly stable. It defines the organization’s goals, mission, and objectives. The tactical plan is a midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.

172 Chapter 6 Asset Value, Policies, and Roles

Review Questions

1.Which of the following is the weakest element in any security solution?

A.Software products

B.Internet connections

C.Security policies

D.Humans

2.When seeking to hire new employees, what is the first step?

A.Create a job description.

B.Set position classification.

C.Screen candidates.

D.Request resumes.

3.What is the primary purpose of an exit interview?

A.To return the exiting employee’s personal belongings

B.To review the nondisclosure agreement

C.To evaluate the exiting employee’s performance

D.To cancel the exiting employee’s network access accounts

4.When an employee is to be terminated, which of the following should be done?

A.Inform the employee a few hours before they are officially terminated.

B.Disable the employee’s network access just before they are informed of the termination.

C.Send out a broadcast e-mail informing everyone that a specific employee is to be terminated.

D.Wait until you and the employee are the only people remaining in the building before announcing the termination.

5.Who is liable for failing to perform prudent due care?

A.Security professionals

B.Data custodian

C.Auditor

D.Senior management

6.Which of the following is a document that defines the scope of security needed by an organization, lists the assets that need protection, and discusses the extent to which security solutions should go to provide the necessary protection?

A.Security policy

B.Standard

C.Guideline

D.Procedure

7.Which of the following policies is required when industry or legal standards are applicable to your organization?

A.Advisory

B.Regulatory

C.Baseline

D.Informative

8.Which of the following is not an element of the risk analysis process?

A.Analyzing an environment for risks

B.Creating a cost/benefit report for safeguards to present to upper management

C.Selecting appropriate safeguards and implementing them

D.Evaluating each risk as to its likelihood of occurring and cost of the resulting damage

9.Which of the following would not be considered an asset in a risk analysis?

A.A development process

B.An IT infrastructure

C.A proprietary system resource

D.Users’ personal files

10.Which of the following represents accidental exploitations of vulnerabilities?

A.Threat events

B.Risks

C.Threat agents

D.Breaches

11.When a safeguard or a countermeasure is not present or is not sufficient, what is created?

A.Vulnerability

B.Exposure

C.Risk

D.Penetration

174 Chapter 6 Asset Value, Policies, and Roles

12.Which of the following is not a valid definition for risk?

A.An assessment of probability, possibility, or chance

B.Anything that removes a vulnerability or protects against one or more specific threats

C.Risk = threat + vulnerability

D.Every instance of exposure

13.When evaluating safeguards, what is the rule that should be followed in most cases?

A.Expected annual cost of asset loss should not exceed the annual costs of safeguards.

B.Annual costs of safeguards should equal the value of the asset.

C.Annual costs of safeguards should not exceed the expected annual cost of asset loss.

D.Annual costs of safeguards should not exceed 10 percent of the security budget.

14.How is single loss expectancy (SLE) calculated?

A.Threat + vulnerability

B.Asset value ($) * exposure factor

C.Annualized rate of occurrence * vulnerability

D.Annualized rate of occurrence * asset value * exposure factor

15.How is the value of a safeguard to a company calculated?

A.ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard

B.ALE before safeguard * ARO of safeguard

C.ALE after implementing safeguard + annual cost of safeguard – controls gap

D.Total risk – controls gap

16.What security control is directly focused on preventing collusion?

A.Principle of least privilege

B.Job descriptions

C.Separation of duties

D.Qualitative risk analysis

17.Which security role is responsible for assigning the sensitivity label to objects?

A.Users

B.Data owner

C.Senior management

D.Data custodian

18.When you are attempting to install a new security mechanism for which there is not a detailed step-by-step guide on how to implement that specific product, which element of the security policy should you turn to?

A.Policies

B.Procedures

C.Standards

D.Guidelines

19.While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk?

A.Virus infection

B.Damage to equipment

C.System malfunction

D.Unauthorized access to confidential information

20.You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When re-performing the calculations, which of the following factors will change?

A.Exposure factor

B.Single loss expectancy

C.Asset value

D.Annualized rate of occurrence

176 Chapter 6 Asset Value, Policies, and Roles

Answers to Review Questions

1.D. Regardless of the specifics of a security solution, humans are the weakest element.

2.A. The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.

3.B. The primary purpose of an exit interview is to review the nondisclosure agreement (NDA).

4.B. You should remove or disable the employee’s network user account immediately before or at the same time they are informed of their termination.

5.D. Senior management is liable for failing to perform prudent due care.

6.A. The document that defines the scope of an organization’s security requirements is called a security policy. The policy lists the assets to be protected and discusses the extent to which security solutions should go to provide the necessary protection.

7.B. A regulatory policy is required when industry or legal standards are applicable to your organization. This policy discusses the rules that must be followed and outlines the procedures that should be used to elicit compliance.

8.C. Risk analysis includes analyzing an environment for risks, evaluating each risk as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management.

Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.

9.D. The personal files of users are not assets of the organization and thus not considered in a risk analysis.

10.A. Threat events are accidental exploitations of vulnerabilities.

11.A. A vulnerability is the absence or weakness of a safeguard or countermeasure.

12.B. Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.

13.C. The annual costs of safeguards should not exceed the expected annual cost of asset loss.

14.B. SLE is calculated using the formula SLE = asset value ($) * exposure factor.

15.A. The value of a safeguard to an organization is calculated by ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard.

16.C. The likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme is reduced due to the higher risk of detection created by the combination of separation of duties, restricted job responsibilities, and job rotation.

17.B. The data owner is responsible for assigning the sensitivity label to new objects and resources.

18.D. If no detailed step-by-step instructions or procedures exist, then turn to the guidelines for general principles to follow for the installation.

19.B. The threat of a fire and the vulnerability of a lack of fire extinguishers leads to the risk of damage to equipment.

20.D. A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.

All too often, security administrators are unaware of system vulnerabilities caused by applications with security flaws (either intentional or unintentional). Security professionals often have a

background in system administration and don’t have an in-depth understanding of the application development process, and therefore of application security. This can be a critical error. As you will learn in Chapter 14, “Auditing and Monitoring,” organization insiders (i.e., employees, contractors, and trusted visitors) are the most likely candidates to commit computer crimes. Security administrators must be aware of all threats to ensure that adequate checks and balances exist to protect against a malicious insider or application vulnerability.

This chapter examines some of the common threats applications pose to both traditional and distributed computing environments. Next, we explore how to protect data. Finally, we take a look at some of the systems development controls that can help ensure the accuracy, reliability, and integrity of internal application development processes.

Application Issues

As technology marches on, application environments are becoming much more complex than they were in the days of simple stand-alone DOS systems running precompiled code. Organizations are now faced with challenges that arise from connecting their systems to networks of all shapes and sizes (from the office LAN to the global Internet) as well as from distributed computing environments. These challenges come in the form of malicious code threats such as mobile code objects, viruses, worms and denial of service attacks. In this section, we’ll take a brief look at a few of these issues.

Local/Nondistributed Environment

In a traditional, nondistributed computing environment, individual computer systems store and execute programs to perform functions for the local user. Such tasks generally involve networked applications that provide access to remote resources, such as web servers and remote file servers, as well as other interactive networked activities, such as the transmission and reception of electronic mail. The key characteristic of a nondistributed system is that all user-executed code is stored on the local machine (or on a file system accessible to that machine, such as a file server on the machine’s LAN) and executed using processors on that machine.

The threats that face local/nondistributed computing environments are some of the more common malicious code objects that you are most likely already familiar with, at least in