Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
45 Cards in this Set
- Front
- Back
|
IT Governance
|
a collection of top-down activities intended to control the IT organization from a strategic perspective to ensure that the IT organization supports the business.
- policy, priorities, standards, vendor management, program and project management |
|
|
COBIT
|
Control Objectives for Information and related Technoloy
|
|
|
ISO 27001
|
well-known international standard for top-down information security management
|
|
|
ITIL
|
IT Infrastructure Library.
ITIL is a framework process for IT service delivery |
|
|
ISO 38500
|
an international standard on corporate governance of information technology, suitable for small and large organizations in the public or private sector
|
|
|
The Balanced Scorecard (BSC)
|
management tool that is used to measure the performance and effectiveness of an organization.
key measurements: financial, customer, internal process, innovation and learning |
|
|
The Standard IT Balanced Scorecard (IT-BSC)
|
can be used to specifically measure IT organization performance and results.
key measurements: business contribution, user, operational excellence, innovation |
|
|
Security governance
|
The collection of management activities that establishes key roles and responsibilities, identifies and treats risks to key assets, and measures key security processes.
May be included on its own, or can be included into IT governance. main roles: board of directors, steering committee, Chief information security officer (CISO), management, all employees. |
|
|
Enterprise Architecture (EA)
|
Both a business function and technical model.
- Business function: the establishment of an EA consists of activities that ensure that important business needs are met by IT systems. - Construction of a model that is used to map business functions into the IT environment and IT systems in increasing levels of detail so that IT professionals can more easily understand the organization's technology architecture at any level. |
|
|
The Zachman Model
|
- Dominant Enterprise Architecture (EA) standard today
- IT systems and environments are described at a high, functional level, and then in increasing detail, encompassing systems, databases, applications, networks, and so on. - The model allows an organization to peer into cross-sections on an IT environment that supports business processes, but it does not convey the relationship between IT systems. |
|
|
Data Flow Diagrams (DFDs)
|
- Frequently used to illustrate the flow of information between IT applications
- Can begin as a high-level diagram, where the labels of information flows are expressed in business terms. - DFDs permit nontechnical business executives to easily understand the various IT applications and relations between them |
|
|
Strategic planning
|
Activities used to develop and refine long term plans and objectives.
- The ability to provide the capability and capacity for IT services that will match the levels on and the types of business activities that the organization expects to achieve at certain points in the future. |
|
|
IT steering committee
|
A body of senior managers or executives that discusses high level and long-term issues in the organization.
- The committee's mission objectives, roles, and responsibilities should be formally defined in a written charter. |
|
|
Policy
|
A statement that specifies what must be done (or not to be done) in an organization. They should not state how something must be done (or not done). It usually defines who is responsible for monitoring and enforcing it.
|
|
|
Policies, processes, procedures, and standards
|
- Define IT organizational behavior and uses of technology.
- They are part of the written record that defines how the IT organization performs the services that support the organization. |
|
|
Information security policy
|
A statement that defines how an organization will classify and protect its important assets.
|
|
|
Privacy policy
|
A policy statement that defines how an organization will protect, manage, and handle private information.
|
|
|
Data classification policy
|
A policy that defines sensitivity levels and handling procedures for information.
|
|
|
System classification policy
|
A policy that specifies specific levels of security for systems storing classified information
|
|
|
Site classification policy
|
A policy that defines sensitivity levels, security controls, and security procedures for information processing sites and work centers.
|
|
|
Access control policy
|
A statement that defines the policy for the granting, review, and revocation of access to systems and work areas.
|
|
|
process/procedure
|
- A collection of one or more procedures used to perform a business function
- A written sequence of instructions to complete a task. |
|
|
Standard
|
A statement that defines the technologies, protocols, suppliers, and methods used by an IT organization
|
|
|
Risk management
|
The management activities used to identify, analyze, and treat risks
|
|
|
Charter
|
a formal document that defines and describes a business program, and becomes part of the organization's record
|
|
|
Risk analysis
|
- The process of identifying and studying risks in an organization
- A risk consists of the intersection of threats, vulnerabilities, and impact Risk is described by the formula; Risk = Probability x Impact |
|
|
Threat
|
an event, if realized, would bring harm to an asset
|
|
|
Vulnerability
|
a weakness or absence of a protective control that makes the probability of one or more threats more likely
|
|
|
Vulnerability Analysis
|
an examination of an asset in order to discover weaknesses that could lead to a higher-than-normal rate of occurrence or potency of a threat.
|
|
|
Qualitative Risk Analysis
|
An in-depth examination of in-scope assets with a detailed study of threats (and their probability of occurrence), vulnerabilities (and their severity), and statements of impact.
|
|
|
Quantitative Risk Analysis
|
A risk analysis approach that uses numeric methods to measure risk
|
|
|
Asset value (AV)
|
the value of the asset, which is usually (but not necessarily) the asset's replacement value
|
|
|
Exposure factor (EF)
|
This is the financial loss that results from the realization of a threat, expressed as a percentage of the assets total value. It will vary by threat.
|
|
|
Single loss expectancy (SLE)
|
This value represents the financial loss when a threat is realized one time.
It will vary by threat. Defined as AV x EF |
|
|
Annualized rate of occurrence (ARO)
|
This is an estimate of the number of times that a threat will occur per year. It will vary by threat.
|
|
|
baselined
|
the existing asset, threats, and controls have been analyzed to understand the threats as they exist right now
|
|
|
Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP)
|
Both utilize risk analysis to identify risks that are related to application resilience and the impact of disasters
|
|
|
High-impact events
|
These events, which may be significant enough to threaten the very viability of the organization, require risk treatment that belongs in the categories of business continuity planning and disaster recovery planning.
|
|
|
Risk treatment
|
The decision to manage an identified risk. The available choices are mitigate risk, avoid risk, transfer the risk, or accept the risk
|
|
|
Risk mitigation
|
the risk treatment option involving implementation of a solution that will reduce an identified risk
|
|
|
Risk trasnfer
|
The risk treatment option involving the act of transferring risk to an other party, such as an insurance company
|
|
|
Risk avoidance
|
The risk treatment option involving a cessation of the activity that introduces identified risk
|
|
|
Risk acceptance
|
The risk treatment option where management chooses to accept the risk as-is
|
|
|
Residual risk
|
the risk that remains after being reduced through other risk treatment options
|
|
|
Insourcing
|
the practice of hiring employees for long-term work
|
