31 Cards in this Set

Any item of value(hardware, software, time, personnel)
A time when any part of the organization is available for attack
Likelihood that a threat will occur
Any bad incident occurring on the information or systems of an organization.
Any software, hardware, personnel, policy, etc, that provides a window into the organization
Top Down Approach
a process for constructing sound organizational security. Desired Security, Security Policy, then System Configuration Development and Implementation
Organizational Security Model
Bottom layer represents total desired security. All other layers are dependent upon the needs of the organization. Each lower layer must support those layers on top of it.
List the 3 Security Goal Categories and their terms?
1. Organizational - short term (daily operations)
2. Strategic - long term (overall integration of security)
3. Tactical - medium term (security issues that require more than a day's effort to accomplish)
Information Classification
Determining the type and security level of data
Unauthorized access would have negative effects on the organization (software code, trade secrets, source code). Used by private business and government
Unauthorized access would have negative effects on the organization (personnel records, customer information). Used by private business
Unauthorized access could result in loss of competitive edge. Used by private business
Unauthorized access, while unwanted, would not cause negative effects on the organization. Used by private business
Unauthorized access would have negative effects on the country (military plans, satellite images). Used by government
Unauthorized access would have minimal negative effects on the organization (financial data of a non-public organization, project proposals). Used by private business
Top Secret
Unauthorized access would have extremely negative effects on the country. (espionage) Used by the government.
List 4 Classification Attributes
1. Age - length of time the data has existed.
2. Association - The relationship the data has with personal information or privacy laws.
3. Life Span - Length of time the data is useful.
4. Value - The worth of the data to the company or its competitive edge.
Required to follow any rules determined by the owner and custodian on data use, security, and access
Determines the classification level of the data. Assigns the custodian. Responsible for the data. Typically senior-level management.
Maintains the data. Handles backups and re-creating of data in the event of a loss.
Security Policy
Foundation for the creation and implementation of security programs
Step-by-step instructions. Most basic level of a security policy.
Recommendations on how to achieve an outcome. They are flexible and do not have to be followed. 2nd level of a security policy
Information on how to consistently employ technology. 3rd level of a security policy
Details the minimum acceptable level of performance on a specified subject. 3rd level of a security policy.
What are the 3 security policy types?
1. Advisory - commonly used for indicating how to handle private documentation and money.
2. Informative - Often used on instructional instruments.
3. Regulatory - Commonly used for health care and financial organizations
Risk Analysis Process
1. Determine assets
2. Identify Risks
3. Estimate possible damage
4. Determine methods for handling risks
Quantitative Risk Analysis
Assigns actual figures to the risk. Includes the Annualized Rate of Occurrence (ARO) and the Annualized Loss Expectancy (ALE)
Qualitative Risk Analysis
Uses scenarios and a ranking system to determine risks and their likelihood.
Safeguard Selection Criteria
Means for determining which assets should receive protection. Includes Cost, Operations, Accessibility, Recovery, and Documentation
What are the 4 phases to Security Certification and Accreditation?
1. Initiation
2. Certification
3. Accreditation
4. Monitoring