NIST - Answer- National Institute of Standards and Technology
What is the NIST Risk Management Framework (RMF)? - Answer- -Overall
framework for the U.S. federal government to manage
organizational risk throughout the system development life cycle
-Focuses on security control selection, deployment, and auditing
using a seven-step model
-Includes certification and accreditation
Clean Desk Policy - Answer- Secure sensitive items when not in use
Principle of least privilege management - Answer- Just what you need to do your job
Mandatory vacations - Answer- -best way to uncover fraud
-part of onboarding procedures
Job Rotation (rotation of duties) - Answer- -Identify or uncover fraud
-Cross training / Experience for employees
Separation of Duties - Answer- Partitions responsibilities to minimize abuse or fraud
Hiring and Termination Policy Elements - Answer- -Background checks
-Social media analysis
-Onboarding procedures (NDA/AUP/Sign for equipment)
-Offboarding procedures (NDA/Return of equipment)
-Exit interview
-Non-disclosure Agreement (NDA)
AUP - Answer- Acceptable Use Policy
EOL - Answer- End of Life
EOS - Answer- End of Service
MOA - Answer- Memorandum of Agreement
-A legally binding written document between multiple parties on a
project detailing how they will work together to achieve
agreed-upon goals and objectives.
MOU - Answer- Memorandum of Understanding
-A less formal agreement of mutual goals between two or more
organizations with a focus on partitioning of responsibilities
BPA - Answer- Business Partners Agreement
-A written agreement defining the general relationship between
business partners with a focus on financial matters
Information Lifecycle Model - Answer- -Creation
-Processing
-Dissemination
-Usage
-Storage
-Disposal
Generic Information Classifications - Answer- -Low
-Medium
-High
Military Information Classifications - Answer- -Unclassified
-Confidential
-Secret
-Top Secret
Business Information Classifications - Answer- -Public
-Private
-Proprietary
-Confidential
Types of Protected Information - Answer- -Personally Identifiable Information (PII)
-Personal/Protected Health Information (PHI)
-Financial Information
-Government Data
-Customer Data
Risk Management - Answer- The process of identifying, monitoring, and reducing
risk to an acceptable level.
Risk Analysis - Answer- -Threat (the potential to cause harm to an asset)
-Vulnerability (a flaw or hole in the security posture)
-Exploit (a method or technique used to manipulate a flaw)
-Safeguard (a mitigation security control)
Risk Management Strategies - Answer- -Acceptance: Have an established plan of
action
-Avoidance: Removing the activity that creates risk
-Transference: Offloading the risk to an external party
-Mitigation: Reducing risk by installing security controls, safeguards, or
countermeasures
Types of Risk - Answer- -Externally-Derived Risk
-Internally-Derived Risk
-Legacy Systems
-Multiparty Involvement
-Intellectual Property Theft
-Software Compliance/Licensing Issues
-Inherent Risk
-Residual Risk
Qualitative Risk Assessment - Answer- Based on human opinion or judgment
derived from interviews, surveys, benchmarking, scenario-based exercise, lessons
learned analysis, or cross-function workshops
Advantages of Qualitative Risk Assessment - Answer- -Impact is easily understood
-Can provide rich information beyond financial impacts, such as impact on perceived
safety, health, or reputation
Disadvantages of Qualitative Risk Assessment - Answer- -Prone to inaccuracy or
exaggeration
-Limited usefulness towards cost-benefit analysis
Quantitative Risk Assessment - Answer- -Requires numerical values for both impact
and likelihood using data from a variety of sources
-Can be used to support cost-benefit analysis calculations
Advantages to Quantitative Risk Assessment - Answer- -Supports cost-benefit
analysis of risk response options
-Allows computation of necessary capital to achieve a business goal
Disadvantages to Quantitative Risk Assessment - Answer- -Use of numbers may
imply greater precision than what truly exists
-Requires concrete units of measure, which may prevent obscure or infrequent risks
from being recognized
Single Loss Expectancy (SLE) - Answer- SLE = Asset Value (AV) x Exposure Factor
(EF%)
Annualized Loss Expectancy (ALE) - Answer- ALE = SLE x Annual Rate of
Occurrence (ARO)
Scenario: a building is worth $1,000,000, and a fire breaks out, consuming 70% of
the building. A fire occurs about once every 7 years in this geographical area. What
is the SLE, and what is the ALE? - Answer- -SLE = 1,000,000 x 70% = 700,000
-ALE = 700,000 x 1/7 = 700,000/7 = 100,000