
LEGAL, REGULATORY AND CONTRACTUAL REQUIREMENTS

• The first action after finding noncompliance with particular standards should be to determine
the risk to the enterprise and the potential impact (for both compliance and security risk).
• Disclose how information is used.
• Local laws prevail.
• The board of directors and senior management are ultimately responsible for ensuring
regulations are appropriately addressed.
• Legal and regulatory requirements should be assessed based on the extent and nature of
enforcement, the probability of enforcement action and sanctions, and the impact of
noncompliance or partial compliance balanced against the costs of compliance.

STRATEGIC PLANNING
• Information security exists to address risk to the enterprise that may impede achievement of its
objectives. Organizational risk will be the most persuasive argument for management
commitment and support.
• Feasibility and whether the value proposition makes sense will be major considerations for
whether a project will proceed.
• Without management support, the program will never be able to establish a charter that will
allow it to function within the environment. All the other choices follow the charter.
• Risk analysis quantifies risk to prioritize risk responses.
• The annual loss expectancy is the monetary loss that can be expected for an asset due to a risk
over a one-year period but does nothing to prioritize controls.
• Cost-benefit analysis is performed to ensure that the cost of a safeguard does not outweigh its
benefit and that the best safeguard is provided for the cost of implementation.
• An impact analysis is a study to prioritize the criticality of information resources for the
enterprise based on costs (or consequences) of adverse events. In an impact analysis, threats to
assets are identified and potential business losses determined for different time periods. This
assessment is used to justify the extent of safeguards that are required and determine recovery
time frames. This analysis is the basis for establishing the recovery strategy.
• A controls applicability statement identifies which risk controls are applied but is not directly
related to performance or maturity assessments.
• The process performance and capabilities approach provides a more detailed perspective of
maturity levels and serves essentially the same purpose.
• Probabilistic risk assessment provides quantitative results of probability and magnitude of risk; it
is not related to assessment of performance or capabilities.
• Factor analysis of information risk is an approach to assessing risk that does not address
performance.
• A business case is defined as documentation of the rationale for making a business investment,
used both to support a business decision on whether to proceed with the investment and as an
operational tool to support management of the investment through its full economic life cycle.

ORGANIZATIONAL STRUCTURE, ROLES AND RESPONSIBILITIES


• The data custodian is responsible for handling and operational management of information in
alignment with the data classification.
• The database administrator is responsible not for data classification but for the technical
administration of the database and for handling requirements that apply to data in storage and
transit in accordance with the requirements for each classification level.
• The information security officer has oversight of the overall data classification and handling
process to ensure conformance with enterprise policies and standards, and manages the
information security risk management plan by involving various asset and risk owners to identify
and implement appropriate responses.
• The data owner is responsible for data classification and for ensuring consistency with the
enterprise’s classification criteria, and determines the level of controls deemed necessary to secure
data and the applications that store or process the data.
• Total cost of ownership may be requested by management and may be provided in an
addendum to a given purchase request, but it is not usually included in an annual budget.
• Baseline comparisons (cost comparisons with other companies or industries) may be useful in
developing a budget or providing justification in an internal review for an individual purchase but
usually do not need to be included in the request for budget approval.
• The primary purpose of the information security program is to provide protection to information
assets, and it must be aligned with the business’s strategy and objectives.
• The primary objective for integration of information security governance into all business
functions and activities is to address operational risk.
• Deploying complex security initiatives and integrating a range of diverse projects and activities
would be more easily managed with the overview and relationships provided by a security
architecture.

INFOSEC STRATEGY DEVELOPMENT


• A set of security objectives supported by processes, methods, tools and techniques constitutes a
security strategy.
• The information security manager is responsible for developing a security strategy based on
business objectives with the inputs from business process owners.
• Reviewing the security strategy is the responsibility of a steering committee or top management.
• When establishing an information security program, conducting a risk assessment is key to
identifying the needs of the enterprise and developing a security strategy.
• A gap analysis would be used after the desired state of security and the current state are
determined to assess what needs to be done to fill the gap.
• Scope > risk assessment > gap analysis
• Management support > define strategy

INFO GOVERNANCE FRAMEWORKS AND STANDARDS


• A balanced scorecard (BSC) is most effective for evaluating the degree to which information
security objectives are being met.
• Standards set the allowable boundaries for procedures to ensure they comply with the intent of
policies.
• Procedures will not indicate the appropriateness of control mechanisms.
• Governance ensures that business objectives are achieved by evaluating stakeholder needs,
conditions and options; setting direction through prioritization and decision-making; and
monitoring performance, compliance and progress against plans.

RISK TREATMENT/RISK RESPONSE OPTIONS


• Risk Treatment/Mitigation: risk acceptance, risk avoidance, risk limitation, and risk transference
• Risk tolerance is the acceptable level of variation that management is willing to allow for any
particular risk as the enterprise pursues its objectives.
• Exposure is the quantified potential for loss that may occur due to an adverse event, calculated
as the product of probability and magnitude (impact). Because probability is itself a function of
threat and vulnerability, exposure takes into account all three of the other factors and, if known,
is the most important consideration.
• Risk that exceeds organizational appetite but lies within tolerable levels is not risk the enterprise
wants to accept. When there is concern that the impact has been underestimated, senior
management may prefer to mitigate the risk to acceptable levels rather than unintentionally
accept risk whose impact ends up exceeding the tolerance.
• Examples of containment defenses are awareness, training and physical security defenses.
• Detection defenses include logging, monitoring, measuring, auditing, detecting viruses and
intrusion.
• Examples of reaction defenses are incident response, policy and procedure change, and control
enhancement.
• Examples of recovery defenses are backups and restorations, failover and remote sites, and
business continuity plans and disaster recovery plans.

RISK MONITORING AND REPORTING


• The most essential attribute of a key risk indicator (KRI) is that it should be predictive and
indicate that a risk is developing or changing, showing that investigation is needed to determine
the nature and extent of a risk.
• Effective risk management serves to reduce the incidence of significant adverse impacts on an
enterprise either by addressing threats, mitigating exposure, or reducing vulnerability or impact.
• Lag indicators provide information about the performance of controls after control execution.
Noncompliance of controls indicates elevation in risk levels. Timely reporting of noncompliance
helps risk owners in decision-making.

VULNERABILITY AND CONTROL DEFICIENCY ANALYSIS


• Cross-site request forgery (XSRF) is related to an authentication mechanism, not to redirection.
• XSRF exploits inadequate authentication mechanisms in web applications that rely only on
elements such as cookies when performing a transaction. It is a type of website attack in which
unauthorized commands are transmitted from a trusted user.
• A non-legitimate license key is related to intellectual property rights, not to XSRF vulnerability.
• Attackers who exploit flawed cryptographic Secure Sockets Layer implementations and short key
lengths can sniff network traffic and crack keys to gain unauthorized access to information. This
has little to do with cross-site scripting vulnerabilities.
• Threat assessments evaluate the type, scope and nature of events or actions that can result in
adverse consequences; identification is made of the threats that exist against enterprise assets.
• The main goal of threat analysis is to understand how the enterprise is positioned in the threat
landscape. Threat analysis also supports decisions to prioritize control activities to mitigate the
most critical risk. Threat analysis is an important factor in calculating risk value.
• Intrinsic risk is the result of underlying internal and external factors that are not readily subject
to controls.
• Systemic risk refers to the collapse of an entire system as a result of the risk imposed by system
interdependencies.
