65 Cards in this Set

  • Front
  • Back
A _________ is the absence of a safeguard (in other words, it is a weakness) that can be exploited.
vulnerability
A __________ is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.
threat
A __________ is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
risk
Reducing __________ and/or threats reduces risks.
vulnerabilities
An _________ is an instance of being exposed to losses from a threat.
exposure
A __________ also called a safeguard, mitigates risk.
countermeasure
If someone is practicing __________, they are acting responsibly and will have a lower probability of being found negligent and liable if a security breach takes place.
due care
Security management has become more important over the years because networks have evolved from __________ environments to ___________ environments.
centralized environments to distributed environments
The objectives of security are to provide __________, ___________, and ___________ protection to data and resources.
availability, integrity, and confidentiality
____________ planning is long term, ___________ planning is midterm, and __________ planning is day to day. These make up a planning horizon.
strategic is long-term
tactical is mid-term
operational is day-to-day
__________ is a comprehensive set of controls comprising best practices in information security and provides guidelines on how to set up and maintain security programs.
ISO/IEC 27002

(formerly ISO 17799 part 1)
Security components can be _________ (firewalls, encryption, and access control lists) or _________ (security policy, procedures, and compliance enforcement).
technical and non-technical
__________ should include tangible assets (facilities and hardware) and intangible assets (corporate data and reputation).
asset identification
__________, which means to understand and document the scope of the project, must be done before a __________ is performed.
project sizing, risk analysis
_________ is a degree of confidence that a certain security level is being provided.
assurance
_________ is a framework that defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
CobiT
__________ is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
CobiT
_________ is the standard for the establishment, implementation, control, and improvement for the Information Security Management System.
ISO/IEC 27001
__________ should work from the top down (from senior management down to the staff).
Security management
_________ is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
Governance
Which security model a company should choose depends on the type of _________, its critical missions, and its objectives.
business
The _________ is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.
OECD
__________ can be transferred, avoided, reduced, or accepted.
Risk
An example of risk __________ is when a company buys insurance.
transference
Risk can be transferred, avoided, reduced, or _________.
accepted
Ways to reduce risk include improving security procedures and implementing _________.
safeguards
Threats x vulnerability x asset value = ___________
total risk
(Threats x vulnerability x asset value) x controls gap = __________
residual risk
The main goals of __________ are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
risk analysis
Information risk management (IRM) is the _________ of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.
process
_________ and __________ is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
Failure Modes and Effect Analysis (FMEA)
A __________ analysis is a useful approach to detect failures that can take place within complex environments and systems.
fault tree
A __________ risk analysis attempts to assign monetary values to components within the analysis.
quantitative
A purely _________ risk analysis is not possible because qualitative items cannot be quantified with precision.
quantitative risk
Capturing the degree of _________ when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
uncertainty
When determining the ________ of information, the following issues must be considered: the cost to acquire and develop data; the cost to maintain and protect data; the value of the data to owners, users, and adversaries; the cost of replacement if the data is lost; the price others are willing to pay for the data; lost opportunities; and the usefulness of the data.
value
___________ tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
Automated risk analysis tools
__________ is the amount that could be lost if a specific threat agent exploited a vulnerability.
Single loss expectancy (SLE)
Single loss expectancy x frequency per year = _________
annualized loss expectancy

(SLE x ARO = ALE)
_________ risk analysis uses judgement and intuition instead of numbers.
qualitative
_________ risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
qualitative
The ________ technique is a group decision method where each group member can communicate anonymously.
Delphi
When choosing the right _________ to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
safeguard
A __________ is a statement by management dictating the role security plays in the organization.
security policy
_________ are detailed step-by-step actions that should be followed to achieve a certain task.
Procedures
A _________ specifies how hardware and software are to be used and are compulsory.
standard
A _________ is a minimum level of security.
baseline
________ are recommendations and general approaches that provide advice and flexibility.
guidelines
_________ and ________ are controls used to detect fraud.
Job rotation and mandatory vacations
___________ ensures no single person has total control over an activity or task.
Separation of duties
____________ and dual control are two aspects of separation of duties.
Split knowledge
Data is _________ to assign priorities to data and ensure the appropriate level of protection is provided.
classified
__________ specify the classification of data.
Data owners
Security has __________ requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.
functional
The __________ program should be integrated with current business objectives and goals.
security
_________ must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team's findings.
Management
The _________ team should include individuals from different departments within the organization, not just technical personnel.
risk management
A _________ rating would be expressed in high, medium, or low, or on a scale of 1 to 5 or 1 to 10.
qualitative
A __________ result would be expressed in dollar amounts and percentages.
quantitative
Safeguards should default to __________, and have fail-safe defaults and override capabilities.
least privilege
Safeguards should be imposed __________ so everyone has the same restrictions and functionality.
uniformly
A key element during the initial security planning process is to define ______________.
reporting relationships
The __________ is responsible for maintaining and protecting data.
data custodian (information custodian) or data owner
A security analyst works at the __________ level and helps develop policies, standards, and guidelines, and also sets various baselines.
strategic
___________ are responsible for dictating who can and cannot access their applications, as well as the level of protection these applications provide for the data they process and for the company.
Application owners