42 Cards in this Set

Front / Back
CIA triad.
Confidentiality, integrity, availability

or

Disclosure, alteration, destruction
Ensures that private information remains protected from unauthorized disclosure.
Confidentiality
Ensures that data isn't modified in an unintended manner either through accidental modification by authorized individuals or malicious modification by any individual authorized or unauthorized.
Integrity
Ensures that data is always available for the use of authorized individuals.
Availability
The means by which users make an identity claim to the system.
Identification
The means by which the system validates the user's claimed identity.
Authentication
The system's ability to determine which activities are permitted to an identified and authenticated user.
Authorization
The system's ability to record the actions of users within the system and attribute those actions to individually identifiable users.
Accountability
The inability of the sender of a message to refute sending the message.
Non-repudiation
The user's level of confidence that their data is safe from unauthorized disclosure.
Privacy
Five main government classification levels.
Unclassified, sensitive but unclassified, confidential, secret, top secret
Five main industry classification levels.
Public, internal, confidential, restricted, highly restricted
Four criteria for determining classification levels.
Value to the organization, age and useful life of the information, ability of an outsider to independently develop the same information, the potential harm to the organization
Every resource and user is associated with one of an ordered set of classes. Resources of a particular class may only be accessed by those whose associated class is as high or higher than that of the resource.
Lattice model
Defines relationships between objects and subjects. Subjects are allowed write access to objects at the same or higher level as the subject, read access to objects at the same or higher level as the subject, read access to objects at the same or lower level, and read/write access only to those objects at the same level.
Bell-LaPadula
Four levels of security management hierarchy documents.
Policies, standards, guidelines, procedures
Broad statements about the organization's commitment to information security and the goals of the program. Mandatory.
Policies
Provide specific technical requirements for security mechanisms. Mandatory.
Standards
General guidance in areas of information security where formal policies and standards don't exist. Not mandatory.
Guidelines
Step-by-step instructions for performing specific security-related tasks.
Procedures
A formal mechanism for responding to any incident that appears to be a violation of a security policy, standard, guideline, or procedure that threatens the overall information security of the organization.
Computer incident response team (CIRT)
Potential harm or loss to a system; the probability that a threat will materialize.
Risk
A resource, process, product, system, etc.
Asset
Any event that causes an undesirable impact on an organization.
Threat
Absence of a safeguard.
Vulnerability
Asset, threat, and vulnerability.
Risk management (RM) triple
A technical means to exploit a vulnerability.
Exploit
Percentage loss a realized threat would have on an asset.
Exposure factor (EF)
Loss from a single occurrence of a threat.
Single loss expectancy (SLE). SLE = asset value ($) x EF
Estimated frequency at which a threat is expected to occur.
Annualized rate of occurrence (ARO)
The SLE multiplied by the ARO.
Annualized loss expectancy (ALE). ALE = SLE x ARO
Control or countermeasure to reduce risk associated with a threat.
Safeguard
Two types of risk analysis.
Qualitative, quantitative
Type of risk assessment that assigns an objective dollar cost to an asset.
Quantitative
Type of risk assessment that assigns intangible values to data loss and other issues that are not pure hard costs.
Qualitative
Four risk management techniques.
Mitigate, avoid, accept, transfer
Risk management technique that puts controls in place to reduce the risk to the organization.
Mitigate
Risk management technique that changes the organization's activities to completely avoid the risk.
Avoid
Risk management technique that acknowledges the risk and takes no action whatsoever.
Accept
Risk management technique that places the burden of the risk on someone else.
Transfer
Five elements of a security awareness training program.
Initial training, recurring training, retraining, remedial training, security reminders
Four levels of security awareness.
Security awareness, security training, security education, security certification