Operations Security: Identifying Critical Information

Questions and Answers

What is the initial step in the operations security process?

• Implementation of security measures
• Identification of critical information assets (correct)
• Analysis of threats
• Assessment of financial impact

What is the primary goal of identifying critical information assets?

• To protect all information assets from exposure
• To identify the most critical information assets that need protection (correct)
• To analyze the threats to all information assets
• To identify all potential information assets

What is an example of a critical information asset for a soft drink company?

• Financial reports
• Secret recipe (correct)
• Employee salaries
• Marketing strategy

What is the purpose of analyzing threats in the operations security process?

To assess the potential harm caused by exposure (C)

What is a potential threat to a software company's critical information asset?

Exposure to attackers and competitors (A)

What is the outcome of identifying critical information assets and analyzing threats?

Implementation of security measures (D)

What is the primary goal of security awareness training in an organization?

To minimize risk and prevent the loss of sensitive information (A)

What percentage of security breaches are attributed to human error?

More than 90% (D)

What is the main reason for protecting data in an organization?

To maintain customer trust and reputation (B)

Which of the following is NOT a core item in security awareness efforts?

Cloud storage (C)

What is the purpose of compliance with laws and regulations governing data?

One of the costs of doing business (B)

What was the vulnerability in the source code example?

Poor set of security controls (A)

What does an effective awareness training program address?

Cybersecurity mistakes in both the physical world and email and web usage (B)

What is the primary goal of implementing countermeasures in the source code example?

To remove the vulnerability (C)

What is the main idea behind Haas' First Law of operations security?

Develop an awareness of threats (D)

What is the purpose of Haas' Second Law of operations security?

To determine critical information (B)

What is the relationship between Haas' Laws and the operations security process?

They map directly to the steps in the process (B)

What is the overall reference of Haas' Third Law of operations security?

The necessity of the operations security process (D)

What can be a consequence of not being in compliance with certain regulations?

Fines and in some cases jail (C)

What does analysis of vulnerabilities focus on?

Determining how processes interact with information assets (A)

What is a potential threat to revenue if an attacker gains access to the source code?

The attacker could develop a utility to generate legitimate license keys (A)

Why is it necessary to provide users with reoccurring training on data security?

To protect sensitive information and prevent data breaches (D)

Why is it a vulnerability if the security controls on the source code are not strict?

It allows unauthorized users to access, copy, or alter the source code (D)

What is the purpose of analyzing the vulnerabilities in the protections of information assets?

To identify weaknesses in the protections to improve security (D)

What could an attacker do with the source code if they gain access to it?

Copy, tamper with, or delete the source code (A)

What is a common issue with companies that have annual training on data security?

Low retention rates and little behavior modification (C)

What is a potential consequence of a vulnerability in the source code protection?

Accidental alteration of the source code during maintenance (B)

What is a technical control that can be enforced to ensure users handle passwords appropriately?

Implementing password strength requirements (C)

What is the purpose of presenting users with reoccurring training on data security?

To communicate the need for data security to users (C)

What is an example of a password that meets common password strength requirements?

P@ssw0rd (D)

Flashcards are hidden until you start studying

Study Notes

Identification of Critical Information

• Identify most critical, relevant information assets that need protection
• Examples: secret recipe for a soft drink company, source code for an application vendor, attack timetable for a military operation

Analysis of Threats

• Identify potential harm or financial impact of critical information being exposed
• Determine who might exploit the exposure
• Examples: source code exposure to attackers and competitors, financial loss due to software piracy

Analysis of Vulnerabilities

• Identify weaknesses that can be used to harm us
• Analyze processes that interact with critical information assets
• Examples: lack of strict security controls on source code, vulnerability to unauthorized access, alteration, or deletion

Security Awareness

• Crucial to ongoing security of organizations
• Core items: protecting data, passwords, social engineering, network usage, malware, personal equipment, clean desk, and policy knowledge
• Human error involved in over 90% of security breaches

Protecting Data

• Numerous laws and regulations govern data, such as PCI-DSS, HIPAA, and FERPA
• Compliance with laws and regulations is a cost of doing business
• Protecting data is essential for reputation and customer retention

Application of Countermeasures

• Identify threats and vulnerabilities, then mitigate vulnerabilities
• Examples: stronger access controls and policy for handling source code, reducing risk of exposure

Haas' Laws of Operations Security

• First law: develop awareness of actual and potential threats to critical data
• Second law: evaluate information assets and determine critical information
• Third law: necessity of the operations security process to prevent data breaches and penalties