
Class 1

Security and Risk Management


GRC Summary

Governance: Leadership, organizational structure, and processes that protect information.
Risk Management: Process of identifying factors that could damage or disclose information, and managing mitigation and budget.
Compliance: Process of ensuring conformity to governing directives such as rules, policy, and law.
ISO/IEC 27000 Series

Series Number: Main Goal
27001: How to establish and maintain an information security management system (ISMS), which is a systematic approach to managing sensitive information.
27002: Further describes ways to develop and formalize a security program.
27003: Focuses on implementation of that security program.
27004: Focuses on metrics and ways to track the effectiveness of the security program.
27005: Focuses on risk management.


Security Policy Documents

Documents Summary (Document and Definition / Example / Applicability)

Policy: High-level, strategic document that establishes an organization's information security program and how it fits into larger business objectives.
  Example: Protect CIA of PII through encryption.
  Applicability: Mandatory

Procedure: Step-by-step guide for accomplishing a task. Low-level, specific.
  Example: Enroll in PKI. Register company's digital certificates with CA. Exchange public keys as appropriate and encrypt data.
  Applicability: Mandatory

Standard: Describes specific use of technology, often applies to hardware and software.
  Example: Triple Data Encryption Algorithm (3DES).
  Applicability: Mandatory

Guideline: Recommendations; advice.
  Example: To create a strong password, make it at least 12 characters long and use symbols and numbers.
  Applicability: Discretionary

Baseline: Provides a starting point; a minimum for implementing a safeguard.
  Example: Consult Center for Internet Security baselines on encryption.
  Applicability: Discretionary

Risk Management Cycle (a loop; read each arrow as the relationship between the two terms)

Assets -> which are endangered by -> Threats
Threats -> that exploit -> Vulnerabilities
Vulnerabilities -> resulting in -> Exposure
Exposure -> which is -> Risk
Risk -> mitigated by -> Safeguards
Safeguards -> which protect -> Assets

Quantitative v Qualitative

Quantitative:
• Objective, but equations can be difficult
• Focused on numbers and financial figures
• Data allows for further analysis
• Facilitates the decision making on countermeasures that also have financial costs associated with them

Qualitative:
• Subjective opinion
• Can be used as an initial assessment
• Identifies areas for immediate security improvements
• Used when numbers are not available

BCP Components

SCOPE
• Business organization analysis: who has a stake in the BCP?
• Select the BCP team and then have them do another business organization analysis

BIA
• Identify business priorities
• Identify risks
• Perform likelihood and impact assessments

CONTINUITY
• Prioritize resources
• Develop a strategy to continue business in the face of incidents
• Design procedures and mechanisms to address risk

APPROVAL
• Gain leadership approval (should be an easy process if leadership is involved from the beginning)

Review Quiz
1. You are a newly hired security analyst at a large hospital. The healthcare
industry is new to you and you are undergoing HIPAA training. Because you
work for a healthcare provider, what will be your main goal as a security
analyst?
A. Maintaining the confidentiality of Protected Health Information.
B. Maintaining the confidentiality of Personally Identifiable Information.
C. Maintaining the integrity of Protected Health Information.
D. Maintaining the integrity of Personally Identifiable Information.

Answer: A, Maintaining the confidentiality of Protected Health Information.


Explanation: Maintaining the confidentiality of Protected Health Information would be the primary goal for a security
analyst at a hospital. The Health Insurance Portability and Accountability Act is primarily concerned with the privacy
or confidentiality of medical records. Personally Identifiable Information is similar to Protected Health Information,
but HIPAA focuses on medical or health information. Integrity would be a focus on making sure the records are
accurate and not corrupted, which may be a secondary goal of the analyst.
Review Quiz
2. Your security team has discovered an attacker that has been stealing sensitive
documents from your organization’s servers. Law enforcement has been
contacted and was able to find and apprehend the suspect. Under which type
of law could the attacker be prosecuted?
A. Civil Law
B. Administrative Law
C. Criminal Law
D. Religious Law

Answer: C, Criminal Law.


Explanation: Criminal Law generally involves law enforcement and prison time as punishment. Civil Law does not
usually involve law enforcement and is often settled monetarily. Administrative Law deals with ensuring the
government functions correctly. Religious Law is based on principles and codes taught by a religion.
Review Quiz
3. A security engineer works for a defense contractor and has been tasked with
ensuring all intellectual property is encrypted and secured. She’s first making
a list of all intellectual property at her company. Which item below would not
be considered intellectual property?
A. The formula for a proprietary paint blend that has radar absorbing properties.
B. A contract to provide professional services to the federal government.
C. The algorithm used for managing their supply chain efficiency.
D. Blueprints for a scramjet the company is developing.

Answer: B, A contract to provide professional services to the federal government.


Explanation: A contract to provide professional services to the federal government would be public and is not an
intangible asset. The three other answers are all intangible assets that would be considered Intellectual Property.
Review Quiz
4. A newly appointed security director has been given the directive to enhance
the privacy of customer information. Which control does not enhance the
privacy of customer data?
A. Frequently review and audit security controls to ensure that they are functioning properly.
B. Authenticate any user who accesses personally identifiable information.
C. Customers must agree to the company’s privacy policy before submitting data.
D. All databases that house customer data will be encrypted.

Answer: C, Customers must agree to the company's privacy policy.


Explanation: Agreements are a good idea, but lack enforcement. In addition, customers are not the only ones in
charge of their privacy. Those security professionals who manage their private information must be committed to
security as well.
Audit reviews, encryption, and strong authentication/authorization are important security controls.
Review Quiz
5. In most states, businesses must notify individuals of a breach unless a
person’s name was stored unencrypted with only which of the following?
A. Social Security Number
B. Driver’s License Number
C. Address
D. Credit Card Number

Answer: C, Address.
Explanation: If only a person's name and address were unencrypted and involved in a breach, a business would not
be subject to notifying the person. Any of the other options, if stored unencrypted, would subject the business to
notifying the individual.
Review Quiz
6. Which of the following would be the most important factor for a successful IT
security program in an organization?
A. Security policies are custom written for the organization, all employees are annually trained, and all
agree to the security policies.
B. Strong support from the Chief Information Security Officer and other senior leadership.
C. The newest Anti-Virus, Firewalls and Intrusion Prevention Systems are all installed with the latest
updates.
D. A highly skilled threat management team that proactively scans for vulnerabilities.

Answer: B, Strong support from the Chief Information Security Officer and other senior leadership.
Explanation: Strong support from senior leadership is always the most critical factor to the success of any IT security
program. The other answers are great things to have, but without leadership to support the personnel, policies and
technical controls, the program won’t receive the attention and monetary backing it requires.
Review Quiz
7. Your company is purchasing a new timekeeping system. The software will
need to be installed on servers in your virtual infrastructure. What is an
example of providing due care for the new timekeeping system?
A. Perform a risk assessment on the timekeeping software prior to being implemented.
B. Have the legal department review and approve the contracts before signing.
C. Hire a third party company to perform a penetration test on the timekeeping system before the go-live.
D. Ensure the servers stay patched after the timekeeping software is installed.

Answer: D, Ensure the servers stay patched after the timekeeping software is installed.
Explanation: Due care primarily takes place after a system has been implemented. Keeping a server patched is a good
example of due care, while a risk assessment, penetration test, and contract review are examples of due diligence.
Review Quiz
8. Which of the following represents the greatest risk during an acquisition or
merger?
A. Redundancies caused by overlapping operational positions during the merger.
B. Conflicts in security policies between the two organizations.
C. Acquired data that needs more protection than outlined in the existing security program.
D. Employees whose positions are eliminated as a result of the organizational change.

Answer: D, Employees whose positions are eliminated as a result of the organizational change.
Explanation: Oftentimes, during the acquisition or merger between organizations, the revocation of former employees’
accounts is not properly managed/implemented. This increases the risk of a disgruntled employee remotely accessing
the internal system of the organization. An example of this is the Maroochy Water Services incident in 2000.
