MSIS 4253, (SP18), Exam 1 Focus list (1)



Pages: 4
School: Oklahoma State University
Course: Msis 4253 - Sys Cert and Accred
MSIS 4253 Exam 1 Focus List, Spring 2018

1. System characterization items: hardware, software, information sensitivity, etc.
2. Types of threats and vulnerabilities
   a. Threats: natural, human-made, environmental
   b. Vulnerabilities: a weakness in the system or in the people that use it
3. Classes of security controls: managerial, operational, technical
   a. Managerial: assessments, planning, acquisition, program management
   b. Operational: training, configuration, contingency planning, incident response, maintenance, physical protection
   c. Technical: access control, audit and accountability, identification and authentication, system and communication protection
4. Common controls
   a. Security controls that are inheritable by one or more organizational information systems
   b. Ex: contingency planning controls, incident response controls, security training and awareness controls, personnel security controls, physical and environmental protection controls, intrusion detection controls
5. Hybrid or system-specific controls
   a. Security controls not designated as common controls
   b. System-specific controls are the primary responsibility of information system owners and their respective authorizing officials
   c. Hybrid controls may also serve as templates for further control refinement
6. Relationships with external service providers
   a. Services implemented outside of the authorization boundaries established by the organization for its information systems
   b. Joint ventures, business partnerships, outsourcing arrangements, licensing agreements, supply chain exchanges
7. Scoping guidance: literally review the slide that covers scoping guidance (NIST SP 800-53, Chapter 3)
8. Security considerations (there are many)
   a. Common control-related considerations
   b. Security objective-related considerations
   c. System component allocation-related considerations
   d. Technology-related considerations
   e. Physical infrastructure-related considerations
   f. Operations/environment-related considerations
   g. Scalability-related considerations
   h. Public access-related considerations
9. Compensating security controls
   a. A management, operational, or technical control employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides an equivalent or comparable level of protection for an information system and the information processed, stored, or transmitted by that system
10. Organization-defined security control parameters
   a. After the application of scoping guidance and selection of compensating security controls, organizations review the list of security controls for assignment and selection operations and determine the appropriate organization-defined values for the identified parameters. Values for organization-defined parameters are adhered to unless more restrictive values are prescribed by applicable federal laws, executive orders, directives, policies, standards, guidelines, or regulations.
11. Supplementing the tailored baseline
   a. Requirements definition: the organization acquires specific and credible threat information, or makes a reasonable assumption about the activities of adversaries with certain capabilities or attack potential (e.g., skill levels, expertise, available resources). Often used in new system development.
   b. Gap analysis: begins with an organizational assessment of its current security capability or level of cyber preparedness. From the initial security capability assessment, the organization determines the types of threats it can reasonably expect to address. Often used when dealing with legacy systems.
12. Monitoring security controls
   a. Events that trigger security review
      i. An incident results in a breach of the information system
      ii. A newly identified, credible information system-related threat
      iii. Significant changes to the configuration of the information system
      iv. Significant changes to the organizational risk management strategy
   b. Required responses
      i. Reconfirm the security category and impact level of the information system
      ii. Assess the current security state of the information system and the risk
      iii. Plan for and initiate any necessary corrective actions
      iv. Consider reauthorizing the information system
13. Information security measures
   a. Definition
      i. Used to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data
   b. Benefits
   c. Types of measures
      i. Implementation
      ii. Effectiveness/efficiency
      iii. Impact
14. Data management concerns with respect to measures
15. Information security measurement program scope
16. Measures and the SDLC
17. Legislative drivers of security controls
   a. FISMA
   b. GPRA
   c. Others
18. Federal Enterprise Architecture
19. Measures development process phases
20. Stakeholders in measures development
21. The three measurable aspects of information security
22. Sources that may contain information from which measures data can be generated
23. POA&Ms: spell it out, know what it does
24. Feedback within the measures development process
25. Information security measurement implementation
26. Phases of information security measurement implementation
27. SDLC phases and information security
   a. Control gates
   b. Security activities
28. SDLC and service-oriented architecture issues
29. Data center or IT facility development

These are the short essay questions that will be on the exam:

1. List the steps in a risk assessment as outlined in NIST SP 800-30 (there are nine).
2. Briefly describe how you would go about conducting a cost-benefit analysis (CBA) for a control for which you want top management to give you funding; include any data or types of figures you would use.
   a. Establish a potential loss and the probability of this loss. Risk = Likelihood x Impact.
   b. How much is this loss? Annualized Loss Expectancy (ALE): the value calculated from the annual rate of occurrence (ARO) and the cost or impact of a single loss, the single loss expectancy (SLE). ALE = ARO x SLE. This tells us the expected annual loss.
   c. ARO: how many times the loss occurs in a year. Research facts and figures; e.g., insurance data suggests a fire occurs once in 25 years, so ARO = 1/25 = 0.04.
   d. SLE = Asset Value (AV) x Exposure Factor (EF). EF is the potential percentage loss: entire building lost = 100%, 2/3 of the building lost = 66.7%. AV is the tangible value of the asset given depreciation.
   e. Building AV = $36,000,000; EF = 0.5; SLE = 36,000,000 x 0.5 = $18,000,000 (not including the cost of lost data).
   f. ALE = 18,000,000 x 0.04 = $720,000 per year.
   g. We want to mitigate this risk by adding controls: insurance and a fire suppression system.
   h. CBA: $1,000,000 for the new system over a period of 10 years = $100,000 per year; insurance = $60,000 per year; total cost of controls = $160,000 per year for 10 years.
   i. Compare the $720,000 expected annual loss against the $160,000 annual cost of the controls; the controls cost far less per year than the loss they address.
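The CBA figures from the worked example above, carried through in Python as an added example (this code is not part of the original focus list): ARO from the "once in 25 years" estimate, SLE = AV x EF, ALE = ARO x SLE, the annualized cost of the proposed controls, and the net annual benefit. The residual-ALE parameter, the ROSI ratio and the ranking of alternative control sets are generalizations of this example and do not appear on the page; the "overbuilt" option is a constructed alternative added to show a control the CBA should reject.

```python
"""Quantitative risk and cost-benefit helpers for the ALE worked example.

Added example, not from the original focus list. Page figures: $36M building,
EF 50%, a fire once in 25 years, $1M suppression system over 10 years, $60K/yr
insurance. Residual ALE, ROSI and option ranking are assumptions of this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """One threat/asset pair described with the page's quantities."""
    name: str
    asset_value: float          # AV: tangible value of the asset after depreciation
    exposure_factor: float      # EF: fraction of AV lost in one event, 0.0 .. 1.0
    mean_years_between: float   # e.g. 25.0 for "a fire occurs once in 25 years"

    def __post_init__(self) -> None:
        # EF is a percentage of the asset; a value outside 0..1 is a data-entry
        # error, so refuse it rather than emit a plausible-looking but wrong ALE.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.mean_years_between <= 0:
            raise ValueError(f"{self.name}: mean years between events must be > 0")

    @property
    def aro(self) -> float:
        """Annual rate of occurrence: once in N years -> 1/N events per year."""
        return 1.0 / self.mean_years_between

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    """A safeguard with a one-time cost amortized over its lifetime plus a recurring cost."""
    name: str
    one_time_cost: float = 0.0
    lifetime_years: float = 1.0   # years over which the one-time cost is spread
    annual_cost: float = 0.0      # recurring cost per year (premiums, maintenance)

    def annualized_cost(self) -> float:
        if self.lifetime_years <= 0:
            raise ValueError(f"{self.name}: lifetime must be > 0")
        return self.one_time_cost / self.lifetime_years + self.annual_cost


def cost_benefit(scenario: LossScenario, controls: list[Control],
                 residual_ale: float = 0.0) -> dict:
    """CBA for one control set: net benefit = ALE(before) - ALE(after) - control cost.

    residual_ale (assumed parameter) is the ALE left with the controls in place; the
    page's comparison implicitly treats it as 0, so that is the default here.
    """
    acs = sum(c.annualized_cost() for c in controls)   # annualized cost of safeguards
    net = scenario.ale - residual_ale - acs
    return {
        "scenario": scenario.name,
        "ale_before": scenario.ale,
        "annual_control_cost": acs,
        "net_annual_benefit": net,
        "rosi": (net / acs) if acs else float("inf"),   # benefit per dollar spent
        "justified": net > 0,
    }


def rank_options(scenario: LossScenario,
                 options: dict[str, list[Control]]) -> list[dict]:
    """Evaluate several candidate control sets and order them by net annual benefit."""
    results = []
    for label, controls in options.items():
        result = cost_benefit(scenario, controls)
        result["option"] = label
        results.append(result)
    return sorted(results, key=lambda r: r["net_annual_benefit"], reverse=True)


# Figures from the page: $36M building, EF 50%, a fire once in 25 years.
BUILDING_FIRE = LossScenario("Building fire", asset_value=36_000_000,
                             exposure_factor=0.5, mean_years_between=25)

# The page's proposal: $1M suppression system over 10 years plus $60K/yr insurance.
PROPOSED = [
    Control("Fire suppression system", one_time_cost=1_000_000, lifetime_years=10),
    Control("Fire insurance", annual_cost=60_000),
]

# Constructed alternative (not from the page): a safeguard whose annual cost
# exceeds the ALE it addresses, which the CBA must reject.
OVERBUILT = [Control("Relocate to a fire-hardened facility", annual_cost=1_000_000)]


if __name__ == "__main__":
    for r in rank_options(BUILDING_FIRE, {"proposed": PROPOSED, "overbuilt": OVERBUILT}):
        print(f"{r['option']:10} ALE ${r['ale_before']:>12,.0f}  "
              f"controls ${r['annual_control_cost']:>12,.0f}/yr  "
              f"net ${r['net_annual_benefit']:>12,.0f}/yr  justified={r['justified']}")
```

Running the script reproduces the page's numbers (ALE $720,000, controls $160,000 per year, net benefit $560,000 per year) and shows why the constructed overbuilt option fails the CBA: its annual cost exceeds the loss it would prevent, so the net benefit is negative.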

