1: Security and Risk Management
2: Asset Security
3: Security Architecture and Engineering
4: Communication and Network Security
5: Identity and Access Management
6: Security Assessment and Testing
7: Security Operations
8: Software Development Security

1: Security and Risk Management

#1 Q:What's the relationship between COBIT and ITIL?

A: The Control Objectives for Information and related Technology (COBIT) is a framework developed by ISACA (formerly the Information Systems Audit and Control Association) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure IT maps to business needs, not specifically just security needs. The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. A customizable framework, ITIL provides the goals, the general activities necessary to achieve these goals, and the input and output values for each process required to meet these determined goals. In essence, COBIT addresses “what is to be achieved,” and ITIL addresses “how to achieve it.”

#2 Q:The Organisation for Economic Co-operation and Development is?

A: Almost every country has its own rules pertaining to what constitutes private data and how it should be protected. As the digital and information age came upon us, these different laws started to negatively affect business and international trade. Thus, the Organisation for Economic Co-operation and Development (OECD) developed guidelines for various countries so that data is properly protected and everyone follows the same rules.

#3 Q:COBIT?

A: The Control Objectives for Information and related Technology (COBIT) is a framework that defines goals for the controls that should be used to properly manage IT and ensure that IT maps to business needs. It is an international open standard that provides requirements for the control and security of sensitive data and a reference framework.

#4 Q:ISO?

A: The International Organization for Standardization (ISO) is an international standard-setting body consisting of representatives from national standards organizations. Its objective is to establish global standardizations. For example, some standards address quality control, and others address assurance and security.

#5 Q:(threats × vulnerability × asset value) × controls gap = ?

A: Countermeasures are implemented to reduce overall risk to an acceptable level. However, no system or environment is 100 percent secure, and with every countermeasure some risk remains. The leftover risk after countermeasures are implemented is called residual risk. Residual risk differs from total risk, which is the risk companies face when they choose not to implement any countermeasures. While the total risk can be determined by calculating threats × vulnerability × asset value = total risk, residual risk can be determined by calculating (threats × vulnerability × asset value) × controls gap = residual risk. The controls gap is the amount of protection the control cannot provide.

#6 Q:In the CMMI model what is the proper sequence of the levels?

A: Capability Maturity Model Integration (CMMI) is an organizational development model for process improvement developed by Carnegie Mellon. While organizations know that they need to constantly make their security programs better, it is not always easy to accomplish because “better” is a vague and nonquantifiable concept. The only way we can really improve is to know where we are starting from, where we need to go, and the steps we need to take in between. This is how the security industry uses the CMMI model. A security program starts at Level 1 and is chaotic in nature. Processes are not predictable, and the security team is reactive to issues that arise—not proactive. The model uses the following maturity levels: Initial, Repeatable, Defined, Quantitatively Managed, Optimizing.

#7 Q:Which committee is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs?

A: The steering committee, which is responsible for making decisions on tactical and strategic security issues within the enterprise. The committee should consist of individuals from throughout the organization and meet at least quarterly. In addition to the responsibilities listed in the question, the security steering committee is responsible for establishing a clearly defined vision statement that works with and supports the organizational intent of the business. It should provide support for the goals of availability, integrity, and confidentiality as they pertain to the organization’s business objectives. This vision statement should, in turn, be supported by a mission statement that provides support and definition to the processes that will apply to the organization and allow it to reach its business goals.

#8 Q:What's the focus of OCTAVE?

A: OCTAVE focuses on IT threats and information security risks. OCTAVE is meant to be used in situations where people manage and direct the risk evaluation for information security within their organization. The organization’s employees are given the power to determine the best approach for evaluating security.

#9 Q:I can't seem to remember the details of AS/NZS 4360 :(

A: Although AS/NZS 4360 can be used to analyze security risks, it was not created for that purpose. It takes a much broader approach to risk management than other risk assessment methodologies, such as NIST and OCTAVE, which focus on IT threats and information security risks. AS/NZS 4360 can be used to understand a company’s financial, capital, human safety, and business decision risks.

#10 Q:Should all security activity take place within the security department?

A: Heck no. If all security activity takes place within the security department, then security is working within a silo and is not integrated throughout the organization. In a company with a security governance program, security responsibilities permeate the entire organization, from executive management down the chain of command. A common scenario would be executive management holding business unit managers responsible for carrying out risk management activities for their specific business units. In addition, employees are held accountable for any security breaches they participate in, either maliciously or accidentally.

#11 Q:False or false? A qualitative risk analysis approach does assign monetary values to components and losses.

A: A qualitative risk analysis approach does not assign monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. Qualitative analysis techniques include judgment, best practices, intuition, and experience.

#12 Q:COSO?

A: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them. The acronym COSO refers to a model for corporate governance that addresses IT at a strategic level, company culture, financial accounting principles, and more.

#13 Q:Is security governance a squid?

A: As of 2019, security governance is not a squid. Security governance is a set of responsibilities and practices exercised by the board and executive management of an organization with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the organization’s resources are used responsibly. An organization with a security governance program in place has a board of directors that understands the importance of security and is aware of the organization’s security performance and breaches.

#14 Q:Is security governance a coherent system of integrated security components that includes products, personnel, training, processes, etc.?

A: Correct. An organization with a security governance program in place is likely to purchase and deploy security products, managed services, and consultants in an informed manner. They are also constantly reviewed to ensure they are cost effective.

#15 Q:Here's an easy one: Briefly tell me about ISO/IEC 27005. *Bonus points: Tell me about 27002.

A: The ISO/IEC 27005 standard is the guideline for information security risk management. ISO/IEC 27005 is an international standard for how risk management should be carried out in the framework of an ISMS.
ISO/IEC 27002 provides best-practice recommendations and guidelines as they pertain to initiating, implementing, or maintaining an ISMS.

#16 Q:What's SABSA?

A: Sherwood Applied Business Security Architecture (SABSA) is a model and methodology for the development of information security enterprise architectures. Because it is a framework, it provides a structure from which individual architectures can be built. Because it is also a methodology, it provides the processes to follow to build and maintain that architecture.

#17 Q:How the heck does NIST define best practices for creating continuity plans?

A: NIST outlines seven steps in its Special Publication 800-34 Rev 1, “Continuity Planning Guide for Federal Information Systems”:
develop the continuity planning policy statement;
conduct the business impact analysis;
identify preventive controls;
create contingency strategies;
develop an information system contingency plan;
ensure plan testing, training, and exercises;
and ensure plan maintenance.

Conducting a business impact analysis involves identifying critical functions and systems and allowing the organization to prioritize them based on necessity. It also includes identifying vulnerabilities and threats and calculating risks.

#18 Q:Are parallel and full-interruption tests a part of a BIA?

A: A business impact analysis (BIA) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function’s criticality level. Parallel and full-interruption tests are not part of a BIA. These tests are carried out to ensure the continued validity of a business continuity plan, since environments continually change. A parallel test is done to ensure that specific systems can actually perform adequately at the alternate offsite facility, while a full-interruption test involves shutting down the original site and resuming operations and processing at the alternate site.

#19 Q:What does the BCP committee document as part of a BIA?

A: The BCP (business continuity plan) committee documents business functions as part of a BIA. Business activities and transactions must also be documented. This information is obtained from the department managers and specific employees who are interviewed or surveyed. Once the information is documented, the BCP committee can conduct an analysis to determine which processes, devices, or operational activities are the most critical.

#20 Q:What is the first step of a BIA?

A: The first step in a business impact analysis (BIA) is creating data-gathering techniques. The BCP committee can use surveys, questionnaires, and interviews to gather information from key personnel about how different tasks get accomplished within the organization, whether it’s a process, transaction, or service, along with any relevant dependencies. Process flow diagrams should be built from this data, which will be used throughout the BIA and plan development stages.

#21 Q:How should the BCP committee calculate the risk of each business function?

A: To calculate the risk of each business function, qualitative and quantitative impact information should be gathered and properly analyzed and interpreted. Upon completion of the data analysis, it should be reviewed with the most knowledgeable people within the company to ensure that the findings are appropriate and describe the real risks and impacts the organization faces. This will help flush out any additional data points not originally obtained and will give a fuller understanding of all the possible business impacts.

#22 Q:In a business impact analysis, what happens after the data collection phase?

A: Upon completion of the data collection phase, the BCP committee conducts an analysis to establish which processes, devices, or operational activities are critical. If a system stands on its own, doesn’t affect other systems, and is of low criticality, then it can be classified as a tier-two or tier-three recovery step. This means these resources will not be dealt with during the recovery stages until the most critical (tier one) resources are up and running.

#23 Q:Does security governance require performance measurement and oversight mechanisms?

A: Dang, you're good. An organization with a security governance program in place continually reviews its processes, including security, with the goal of continued improvement. On the other hand, an organization that lacks a security governance program is likely to march forward without analyzing its performance and therefore repeatedly makes similar mistakes.

#24 Q:Real quick: ECPA and CFAA are?

A: The Electronic Communications Privacy Act, or ECPA, restricts the government interception of communications and stored information.
The Computer Fraud and Abuse Act, or CFAA, is a criminal law that makes it a federal offense to engage in many types of hacking activity.

#25 Q:What does CMMI stand for and what are the levels?

A: Capability Maturity Model Integration (CMMI) is a process improvement approach that is used to help organizations improve their performance. The CMMI model may also be used as a framework for appraising the process maturity of the organization. The levels used in CMMI are Level 1–Initial, Level 2–Managed, Level 3–Defined, Level 4–Quantitatively Managed, and Level 5–Optimizing.

#26 Q:How can you keep business continuity plans up-to-date?

A: One of the simplest and most cost-effective and process-efficient ways to keep a plan up to date is to incorporate it within the change management process of the organization. When you think about it, it makes a lot of sense. Where do you document new applications, equipment, or services? Where do you document updates and patches? Your change management process should be updated to incorporate fields and triggers that alert the BCP team when a significant change will occur and should provide a means to update the recovery documentation.
Other measures that can help ensure that the BCP remains current include the performance of regular drills that use the plan, including the plan’s maintenance in personnel evaluations, and making business continuity a part of every business decision.

#27 Q:The most critical part of establishing and maintaining a current continuity plan is management support. Therefore, a business case must be made to obtain this support. Tell me a li'l about a business case.

A: The business case may include current vulnerabilities, regulatory and legal obligations, the current status of recovery plans, and recommendations. Management is commonly most concerned with cost/benefit issues, so preliminary numbers can be gathered and potential losses estimated. The decision of how a company should recover is a business decision and should always be treated as such.

#28 Q:Does organizing and creating relevant documentation take place toward the end of the disaster recovery and contingency planning process?

A: Yes indeed. Organizing and creating relevant documentation takes place toward the end of the disaster recovery and contingency planning process. Procedures need to be documented because when they are actually needed, it will most likely be a chaotic and frantic atmosphere with a demanding time schedule. The documentation may need to include information on how to install images, configure operating systems and servers, and properly install utilities and proprietary software. Other documentation could include a calling tree and contact information for specific vendors, emergency agencies, offsite facilities, etc.

#29 Q:Please tell me about the reconstitution phase of a business continuity plan if you don't mind.

A: When it is time for the company to move back into its original site or a new site, the company is ready to enter into the reconstitution phase. A company is not out of an emergency state until it is back in operation at the original primary site or a new site that was constructed to replace the primary site, because the company is always vulnerable while operating in a backup facility. Many logistical issues need to be considered as to when a company must return from the alternate site to the original site. Some of these issues include ensuring the safety of the employees, ensuring proper communications and connectivity methods are working, and properly testing the new environment. Once the coordinator, management, and salvage team sign off on the readiness of the facility, the salvage team should back up data from the alternate site and restore it within the new facility, carefully terminate contingency operations, and securely transport equipment and personnel to the new facility.