45 Cards in this Set
- Front
- Back
Criticality v Sensitivity in the sense of data classification
|
Sensitivity is commensurate with the losses the org would sustain if the data were revealed; criticality indicates how that loss would impact the fundamental business processes of the org
|
|
Data sensitivity levels in commercial sector
|
Confidential, private, sensitive, public
|
|
Data sensitivity labels in government sector
|
Top secret, secret, confidential, sensitive but unclassified, unclassified
|
|
Criteria for data classification
|
Conditions, Elements, Limitations, Procedures
|
|
Considerations during security labeling
|
Usefulness of data, value of data, age, effects of data on security
|
|
Privacy v Security
|
Security leads to privacy; privacy refers to the amount of control an individual can expect to have over the release of their personal info
|
|
CSO and CPO positions
|
CSO has broader responsibility than CISO because they are concerned with organizational risk; CPO is the chief privacy officer and is concerned with preventing disclosure of data
|
|
Data Owner responsibility
|
responsible for classifying data and authorizing controls
|
|
data custodian
|
Responsible for backing up data, implementing controls, performing integrity checks, restoring data, maintaining activity records, etc.
|
|
system owner
|
Responsible for ensuring proper security controls on owned systems; has to manage vulnerabilities on their systems, etc.; might be the same person as the data owner
|
|
security administrator
|
Responsible for implementing specific security network devices and software in the enterprise; this person might also handle account provisioning, patch mgmt, and password issuance
|
|
TPM
|
Trusted Platform Module
|
|
3 States of Data
|
At rest, in use, in transit
|
|
Definition of Configuration Management
|
The process of identifying and documenting hardware components, software, and the associated settings
|
|
Example contents of a configuration management document
|
Make, Model, MAC, Serial#, OS/Firmware, BIOS or passwords
|
|
Distinction between QA and QC
|
QA procedures maintain quality throughout all development stages while QC occurs at the end of the production cycle
|
|
Data Standards Examples
|
Agreements on format, representation, definition, structuring, etc. All lead to more efficient management
|
|
Media Viability Controls
|
Marking, handling, storage
|
|
Data Remanence
|
Data that is left over after we purge a disk
|
|
FIPS
|
Federal Information Processing Standards
|
|
3 fundamentals of data retention policies
|
What do we keep, how long, and where do we keep it?
|
|
e-discovery
|
Process of producing for a court all electronically stored information pertinent to a legal proceeding
|
|
side channel attack example
|
analyzing how a processor changes during encryption to determine the type of algo in use
|
|
3 Types of DLP approaches
|
Network, Endpoint, Hybrid
|
|
Misuse Case
|
Describes the actions of a threat actor rather than a legitimate user
|
|
CCCA of 1984
|
Precursor to the '86 CFAA; this identified a number of crimes, which include some computer crimes
|
|
Computer Security Act of '87
|
Mandated baseline security requirements for federal info systems; led to formation of NIST
|
|
Prudent Man Rule
|
Would a theoretical prudent man do this? Also relates to executives being personally liable for info sec negligence
|
|
1994 CFAA Amendments
|
Basically broadened the jurisdiction so that it was no longer JUST federal and financial info systems
|
|
GISRA
|
Government information security act; amendment to the late-'90s Paperwork Reduction Act, which placed some controls on agencies in areas such as collecting more data or adding processes
|
|
FISMA
|
Tasked NIST with developing some infosec requirements for federal agencies
|
|
4 Types of License agreements
|
Contractual, shrink-wrap, click-through, cloud service
|
|
Privacy Act of '74
|
Limits ability of feds to disclose personal data
|
|
Fourth Amendment
|
Constitutional right to privacy
|
|
ECPA
|
Electronic Communications Privacy Act of '74 - prohibits any interception of transmissions
|
|
CALEA
|
Communications Assistance for Law Enforcement Act; requires comm carriers to make wiretaps possible
|
|
COPPA
|
Children's Online Privacy Protection Act of '98
|
|
PHI
|
Protected Health Information
|
|
Clearing v purging
|
clearing will write a bit pattern over the disk space once; purging provides higher assurance by performing the operation multiple times
|
|
Bitlocker
|
Microsoft's disk encryption method, which uses AES on the TPM
|
|
Blowfish
|
symmetric algo with variable key sizes between 32 and 448 bits
|
|
Safe Harbor
|
set of STANDARDS companies must comply with if they transfer data/work with EU companies
|
|
ISMS Definition
|
A coherent set of policies, processes, and systems to manage risks to information assets. Outlined in ISO 27001
|
|
ISMS v enterprise security architecture
|
Enterprise security architecture is a subset of business architecture and focuses on strategically aligning security initiatives throughout processes, systems, etc. ESA should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.
|
|
STRIDE
|
Microsoft threat categorization scheme: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
|