CGRC Flashcards

(105 cards)

1
Q

Challenges businesses face

A
  1. Security
  2. Aligning IT with business objectives
  3. Managing Complexity
  4. Regulatory Compliance
  5. Cost/Value
2
Q

What is GRC?

A

GRC is a set of processes and procedures that helps an organization achieve its business objectives, address uncertainty and act with integrity.

  • It is also a strategy used to help an organization manage its overall governance, enterprise risk management, and compliance with regulations.
3
Q

What is the aim of GRC?

A

To protect the corporate assets

4
Q

What is the purpose of Risk?

A

It is to ensure that the correct controls are being used and are functioning.

Identifying the potential threats to the system and taking measures against them. The act of making decisions about the loss that a company is willing to accept.

Risk management:
Risk: Potential loss/harm
Control: Safeguard
Type: Organization/Third Party

5
Q

What is the purpose of Governance?

A

It is to set the rules and ensure that IT objectives and operations are aligned with the business objectives.

It also refers to the strategies and policies implemented by the organization to ensure that IT systems are aligned with the business goals.

6
Q

What is the purpose of Compliance?

A

Adhering to the legal and regulatory standards applicable to the organization’s IT systems.

Conforming with the stated requirements:
1. Set up internal policies
2. Through extrinsic requirements

Ensure that the controls are adhered to on an ongoing basis to reduce risk and increase adherence to the governance intended by the organization.

7
Q

What is the purpose of GRC?

A

It is to provide a structured framework for managing security efforts and align cybersecurity strategies with business objectives.

8
Q

How does GRC help the industry?

A

It helps to identify, assess and mitigate risk and ensure compliance with regulations and industry standards, which helps to promote accountability and transparency in cybersecurity practices.

9
Q

Steps to compliance

A

Adapt: Adapt to compliance framework

Audit: External and internal security audit

Monitor: Monitoring system/process changes

10
Q

8 functions

A
  1. Organize and oversee
    - Define outcomes, commitment, roles and responsibility
  2. Assess and align
    - Identify, analyze and optimize the risk mitigation
  3. Prevent and promote
    - Define code of conduct and policies
  4. Detect and discern
    - Define hotline and notification
  5. Respond and resolve
    - Perform internal review and investigation
  6. Monitor and measure
    - Define context monitoring
  7. Inform and integrate
    - Define and perform information management and documentation
  8. Context and culture
    - Define and incorporate internal and external business context
11
Q

What are the 9 important laws and regulations for different industries?

A
  1. Finance: SOX [Sarbanes-Oxley Act of 2002]
  2. HIPAA Privacy Rules
  3. HIPAA Security Rules
  4. CCoP [Cybersecurity Code of Practice]
  5. Credit Card: PCI DSS
  6. PDPA [Personal Data Protection Act]
  7. Computer Misuse and Cybersecurity Act
  8. Banking Act
  9. IM8
12
Q

What is the difference between HIPAA Privacy Rule and HIPAA Security Rule?

A

The HIPAA Privacy Rule helps to limit the use and disclosure of sensitive Personal Health Information (PHI).

The HIPAA Security Rule helps to establish a national standard to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered organization.
It requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic PHI.

13
Q

What are the 6 steps of PCI DSS?

A
  1. Build and maintain a secure network and system
  2. Protect cardholder information
  3. Maintain a vulnerability management program
  4. Implement strong access control measure
  5. Regularly monitor and test networks
  6. Maintain an information security policy
14
Q

What is the purpose of information security governance?

A

It is to:
- provide strategic direction
- ensure that objectives are achieved
- manage risk appropriately
- use organizational resources responsibly
- monitor success and failure of the enterprise security programme

15
Q

What does information security governance consist of?

A
  1. Leadership
  2. Organization structure
  3. Processes/Procedures
16
Q

What does Corporate Governance include?

A
  1. Information Security Governance
  2. Information Technology Governance
17
Q

What does Governance do?

A

It is to provide assurance that:
  1. Information governance strategies are aligned with and support business objectives
  2. They are consistent with applicable laws and regulations through adherence to policies and internal controls
  3. Responsibility to manage risk is assigned
18
Q

What are the benefits of governance?

A
  1. Increase in share value for organizations that practice good governance
  2. Increased predictability and reduced uncertainty in business operations
  3. Assurance of effective information security policy and policy compliance
  4. Accountability for safeguarding information during critical business activities
19
Q

What are the outcomes with effective ISG?

A
  1. Strategic alignment
  2. Risk management
  3. Value delivery
  4. Performance measurement
  5. Resource management
  6. Integration
20
Q

Explain more on Strategic Alignment

A

Align business strategy to support the business objectives

21
Q

Explain more on Risk management

A

The execution of appropriate measures to mitigate IS risk and reduce the potential impact on information to an acceptable level

22
Q

Explain more on Value delivery

A

Optimization of IS investment to support the business objectives

23
Q

Explain more on Performance Measurement

A

Monitoring and reporting IS processes to ensure that objectives are reached

24
Q

Explain more on Resource Management

A

Usage of IS knowledge and infrastructure effectively and efficiently

25
Q

Explain more on Integration

A

Having all relevant assurance factors integrated to ensure that processes operate as intended from end to end

26
Q

Challenges without senior management buy-in and support for security activities

A

It can be difficult to achieve the level of security required to adequately address risks

27
Q

What are the roles required at different levels of the organization for effective information security governance?

A
  1. The Board of Directors
  2. Executive management
  3. Security Steering Committee
  4. Chief Information Security Officer
28
Q

What does the Board of Directors do?

A

Establish the tone of risk appetite and risk management within the organization

29
Q

What does the Executive Management do?

A

Institute processes and integrate security with business objectives

30
Q

What does the Security Steering Committee do?

A

It is represented by senior representatives of the main operational and administrative functions in the organization
  - Review and advise whether security initiatives meet business objectives
  - Provide input on security policies
  - Identify risks and issues

31
Q

What does the Chief Information Security Officer do?

A
  1. Conduct risk assessments
  2. Develop security policies
32
Q

What is the purpose of a cybersecurity framework?

A

It is to help enterprises: frameworks have been developed to support rapid and effective deployment of a security governance infrastructure

33
Q

What are the essential considerations to decide whether a project should proceed or not?

A
  1. Value proposition
  2. Cost-benefit analysis of moving the project forward
  3. Sufficient detail to describe the justification of the project
  4. A formal presentation is a widely used technique to secure management commitment and support
34
Q

What should an established framework consist of?

A
  1. A comprehensive security strategy linked with business objectives
  2. Security policies that address each aspect of strategy, controls and regulations
  3. A complete set of standards for each policy to ensure that procedures and guidelines comply with the policy
  4. A security organization structure with sufficient authority and adequate resources
35
Q

What does a framework provide?

A

It provides the basis for the development of a cost-effective information security programme that supports the organization's goals

36
Q

Examples of Governance Frameworks

A
  1. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  2. Control Objectives for Information and Related Technology (COBIT)
  3. ISO 27001/2:2005
  4. IT Infrastructure Library (ITIL)
37
Q

What is COSO?

A

Committee of Sponsoring Organizations of the Treadway Commission - internal controls. A process affected by an entity's board of directors, management and other personnel. It provides:
  1. Effectiveness and efficiency of operations
  2. Reliability of financial reporting
  3. Compliance with laws and regulations

38
Q

What is COBIT (Control Objectives for Information and Related Technology)?

A

It is an IT management framework to help businesses develop, organize and implement strategies around information management and governance

39
Q

What are the 5 principles that are essential for effective management and governance of enterprise IT?

A
  1. Meeting stakeholder needs
  2. Covering the enterprise end to end
  3. Applying a single integrated network
  4. Enabling a holistic approach
  5. Separating governance from management
40
Q

What are the 2 ISO families?

A
  1. ISO 27001
  2. ISO 27002
41
Q

What are ISO 27001 and 27002 respectively?

A

ISO 27001 specifies requirements for implementing, monitoring, operating, maintaining, reviewing and improving an organization's information security management system.

ISO 27002 provides best-practice recommendations on information security controls for use by those responsible for initiating, implementing and maintaining an ISMS.
42
Q

What is ISO in general?

A

It provides best-practice recommendations on information security management

43
Q

What is the purpose of ITIL?

A

It is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business.

44
Q

What is risk management?

A

It is to identify risks, assess the risks and take steps to control risk to an acceptable level

45
Q

What are the 3 categories of risk management? Explain further

A
  1. Risk Identification - Process of examining and documenting the current IT security situation
  2. Risk Assessment - Determining the extent to which the organization's assets are exposed
  3. Risk Control - Applying controls to reduce the risk to an organization's data and information security
46
Q

What are the objectives of Risk Management?

A

Enable organizations to accomplish their mission by:
  1. Better securing IT systems that store, process and transmit the organization's information/data
  2. Enabling management to make well-informed risk management decisions to justify the expenditures
  3. Assisting management in authorizing IT systems on the basis of the supporting documentation

47
Q

What are the 9 steps in NIST?

A
  1. System characterization
  2. Threat identification
  3. Vulnerability identification
  4. Control analysis
  5. Likelihood determination
  6. Impact analysis
  7. Risk determination
  8. Control recommendation
  9. Report documentation
48
Q

What are the approaches to Risk Identification?

A

Know yourself: Identify, examine and understand the information and systems currently in place

Know your enemy: Identify, examine and understand the threats the organization faces

49
Q

What is the Risk Identification process?

A
  1. Identifying - the organization's assets
  2. Classifying - into different useful groups
  3. Prioritizing - by their overall importance
50
Q

What are the components of Risk Identification?

A
  1. Plan and organize the process
  2. Categorize system components
  3. Inventory and categorize assets
  4. Classify and prioritize assets
  5. Identify and prioritize threats
  6. Specify asset vulnerabilities
51
Q

Explain the Plan and Organize process

A
  1. Follow the project management policies
  2. The process must be planned out
    - Periodic deliverables
    - Reviews
    - Presentations to management
52
Q

Explain Inventory and Categorize Assets

A
  1. Iterative process
  2. Begins with identification of assets, including all elements of the organization's systems:
    - People
    - Procedures
    - Data/information
    - Software
    - Hardware
    - Networking

This step should be done without pre-judging the value of each asset

53
Q

Explain Classify and Prioritize Assets

A
  1. Information classification must be reviewed periodically

Data classification scheme:
  - Private
  - Public
  - Restricted/Confidential

54
Q

Explain Specify Asset Vulnerabilities

A

Once threats are prioritized, each asset should be reviewed against each threat to create a specific list of vulnerabilities. The review leads to the creation of a list of vulnerabilities that remain potential risks to the organization

54
Q

Explain Identify and Prioritize Vulnerabilities

A

To make the process less unwieldy, each step in the threat identification and vulnerability process is managed separately and then coordinated at the end

55
Q

What is a TVA Worksheet?

A

Threat and vulnerability assessment worksheet

56
Q

What is the use of the TVA worksheet?

A

It provides a convenient method of examining exposure to threats.

57
Q

What is Risk Assessment?

A
  - It is to determine the extent of the potential threat and the risk associated with an IT system
  - Evaluate the relative risk for each vulnerability
  - Assign a risk rating or score to each information asset
58
Q

What is the goal of risk assessment?

A

To create a method for evaluating the relative risk of each listed vulnerability

59
Q

What is Control Analysis?

A

To analyze controls that have been implemented - to minimize the likelihood of a threat exercising a system vulnerability
60
Q

What are the control methods?

A
  1. Technical controls
  2. Non-technical controls
61
Q

What is the difference between technical controls and non-technical controls?

A
  1. Technical controls - Safeguards that are incorporated into computer hardware, software or firmware
  2. Non-technical controls - Management and operational controls
62
Q

What are the control categories?

A
  1. Preventive controls
  2. Detective controls
63
Q

What is the difference between Preventive and Detective Controls?

A
  1. Preventive controls - Inhibit attempts to violate security policy
  2. Detective controls - Warn of violations or attempted violations of security policy
64
Q

What is the purpose of the Control Analysis Technique?

A

A security requirements checklist to help analyze controls in an efficient and systematic manner

65
Q

What do we need to consider in Likelihood Determination?

A
  1. Threat source and capability
  2. Nature of the vulnerability
  3. Existence and effectiveness of current controls
66
Q

Provide the definition for each likelihood level

A
  1. High - The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective
  2. Medium - The threat source is motivated and capable, but controls are in place that may block successful exercise of the vulnerability
  3. Low - The threat source lacks motivation or capability, or controls are in place to prevent, or significantly block, the vulnerability from being exercised
67
Q

Explain what Impact Analysis is

A

It is to determine the adverse impact resulting from a successful threat exercise of a vulnerability. It is the responsibility of the system and information owners to determine the impact level for their own systems and information. The appropriate approach is to interview the system and information owners.

68
Q

Explain what the purpose of Risk Determination is

A

To assess the level of risk to the IT system

69
Q

What can Risk Determination be expressed as a function of?

A
  1. The likelihood of a given threat source attempting to exercise a given vulnerability
  2. The magnitude of the impact should a threat source successfully exercise the vulnerability
  3. The adequacy of planned security controls for reducing or eliminating risk
70
Q

What is the formula to calculate Risk?

A

Risk = (Likelihood x value(impact)) - Risk under control + Uncertainty

71
Q

What is the goal of Risk Determination?

A

It is to:
  1. Identify information assets and their vulnerabilities
  2. Rank them according to the need for preparation

72
Q

What is an RVR Worksheet?

A

Ranked Vulnerability Risk worksheet

73
Q

What is inside the RVR Worksheet?

A
  1. A wealth of factual information about the assets
  2. The threats they face
  3. Information about the controls that are already in place

  - Asset
  - Asset impact
  - Vulnerability likelihood
  - Risk-rating factor

74
Q

What is the purpose of the RVR worksheet?

A

It is the initial working document for the next step in the risk management process - assessing and controlling the risk

75
Q

What are the details in a Risk Assessment?

A
  1. Threat sources
  2. Vulnerabilities identified
  3. Risk assessed
  4. Recommended controls provided
76
Q

What is the purpose of risk assessment?

A

To help senior management make decisions on:
  1. Policy
  2. Procedures
  3. Budget
  4. System operational and management changes

77
Q

Why is risk assessment a systematic approach?

A

It is to ensure that senior management can understand the risk and allocate resources to reduce and correct potential losses

78
Q

What is Risk Control?

A

It is to identify possible controls to reduce the level of risk to the IT system and its data to an acceptable level. A cost-benefit analysis should be conducted for the proposed recommended controls.

79
Q

Factors to consider under risk control

A
  1. Effectiveness of the recommended option
  2. Legislation and regulation
  3. Organizational policy
  4. Operational impact
  5. Safety and reliability
80
Q

What are the general categories of controls?

A
  1. Policies
  2. Programmes
  3. Technologies
81
Q

Name the strategies of controls

A
  1. Avoidance/Defense
  2. Transference
  3. Mitigation
  4. Acceptance
  5. Termination
82
Q

Explain what Avoidance/Defense is

A

It is a proactive strategy that involves eliminating specific risks by avoiding activities

Common methods of risk avoidance:
  1. Application of policy
  2. Training and education
  3. Applying technology

83
Q

Give examples of Avoidance/Defense

A
  1. Providing security awareness training to prevent phishing attacks
  2. Enforcing strong password and MFA policies to prevent account compromise
84
Q

Explain what Transference is

A

Transfer risk to another organization experienced in dealing with those risks

85
Q

Give examples of Transference

A
  1. Purchasing cyber insurance to transfer the financial impact of data breaches
  2. Using a third-party SOC for 24/7 security monitoring
86
Q

Explain what Mitigation is

A

Minimizing the likelihood of a cyber threat occurring or reducing its potential impact through proactive measures

Approaches could include:
  1. Incident Response Plan (IRP)
  2. Disaster Recovery Plan (DRP)
  3. Business Continuity Plan (BCP)

87
Q

Give examples of Mitigation

A
  1. Deploying firewalls, IDS/IPS and endpoint protection
  2. Regular patch management to reduce vulnerability exploitation
88
Q

Explain what Acceptance is

A

Acknowledging and accepting a risk without taking additional measures to mitigate it.

89
Q

What needs to be done to move on to Acceptance?

A
  1. Determined the level of risk
  2. Assessed the probability of attack
  3. Estimated the potential damage that could occur from these attacks
  4. Performed a cost-benefit analysis
  5. Evaluated controls using each appropriate type of feasibility
  6. Decided that the particular function or service did not justify the cost of protection
90
Q

Give an example of Acceptance

A

Accepting the risk of a low-impact phishing attack on non-critical systems

91
Q

Explain what Termination is

A

Completely eliminating a risk by discontinuing the activity

92
Q

Give examples of Termination

A
  1. Shutting down an insecure web application
  2. Ending support for unsupported operating systems
93
Q

What is Quantitative assessment?

A

The act of performing/using actual values/estimates - cost-benefit analysis

94
Q

What is Qualitative assessment?

A

The completion of steps using an evaluation process based on characteristics, using non-numerical measures

95
Q

What is Cost-Benefit Analysis?

A

It is to evaluate the worth of the assets to be protected and the loss of the assets if they are compromised

96
Q

What are the benefits of Cost-Benefit Analysis?

A

The organization realizes the benefit of using controls to prevent losses from a vulnerability

97
Q

List the items that affect the cost of a control

A
  1. Cost of development or acquisition
  2. Training fees
  3. Implementation cost
  4. Service cost
  5. Maintenance cost
98
Q

How to calculate SLE?

A

SLE = Asset value x Exposure Factor

99
Q

How to calculate ALE?

A

ALE = SLE x ARO

100
Q

How to calculate CBA?

A

CBA = ALE(Prior) - ALE(Post) - ACS

101
Q

What is benchmarking?

A

It is an alternative approach to risk management. It is the process of seeking out, studying and adopting practices used by other organizations

102
Q

What are best practices?

A

Security efforts that provide a superior level of information protection

103
Q

What is due care?

A

When adopting levels of security for a legal defense - the organization shows it has done what any prudent organization would do in similar circumstances

104
Q

Problems with benchmarking and best practices

A
  1. No two organizations are identical
  2. Best practices are moving targets
  3. Organizations don't communicate/talk to each other