28 Cards in this Set

  • Front
  • Back
What act, passed by the 107th Congress, recognized the importance of information security to the economic and national security interests of the United States?
The E-Government Act of 2002 (Public Law 107-347)
What does FISMA stand for?
Federal Information Security Management Act (of 2002)
What does FIPS stand for?
Federal Information Processing Standards
What does NIST stand for?
National Institute of Standards and Technology
(T/F) FIPS 199 establishes security categories for information, but NOT for information systems.
False: FIPS 199 establishes security categories for BOTH information AND information systems.
Security categories are used in conjunction with what information in assessing the risk to an organization?
Security categories are used in conjunction with vulnerability and threat information in assessing the risk to an organization.
What is defined as "The unauthorized disclosure of information"?
The Loss of Confidentiality
The loss of ________ is the unauthorized modification or destruction of information
Integrity
How is loss of Availability defined?
The disruption of access to or use of information or an information system
What is the potential impact if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals?
Low
If the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals, then the potential Impact is ______
Moderate
The potential impact is High if ________________________
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Define "Executive Agency"
An executive department specified in 5 U.S.C., SEC. 101; a military department specified in 5 U.S.C., SEC. 102; an independent establishment as defined in 5 U.S.C., SEC. 104(1); and a wholly owned Government corporation fully subject to the provisions of 31 U.S.C., CHAPTER 91. [41 U.S.C., SEC. 403]
Define "Federal Information System"
An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. [40 U.S.C., SEC. 11331]
Define "Information"
An instance of an information type.
Define "Information Resources"
Information and related resources, such as personnel, equipment, funds, and information technology. [44 U.S.C., SEC. 3502]
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
INFORMATION SECURITY
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information
INFORMATION SYSTEM
INFORMATION TYPE
A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management), defined by an organization, or in some instances, by a specific law, Executive Order, directive, policy, or regulation
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
INTEGRITY
The characterization of information or an information system based on an assessment of the potential impact that a loss of confidentiality, integrity, or availability of such information or information system would have on organizational operations, organizational assets, or individuals
SECURITY CATEGORY
SECURITY CONTROLS
The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
SECURITY OBJECTIVES
Confidentiality, integrity, and availability.
What is an information system considered to be if all three security objectives are LOW (L-L-L)?
A Low Impact System
What is an information system considered to be if at least one of the objectives is Moderate and none of the objectives is greater than Moderate (L-L-M, L-M-M, L-M-L, M-M-L, M-L-L, M-M-M)?
A Moderate Impact System
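The two cards above describe the FIPS 199 "high-water mark": a system's security category takes, for each objective, the highest impact value of any information type it handles, and the system's overall impact level is the highest of the three objectives. The following is an added Python example, not part of this flashcard set, that applies that rule. It assumes the FIPS 199 notation SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, the FIPS 199 rule that "not applicable" is permitted only for the confidentiality of information (never for an information system, where the floor is LOW), and a constructed set of information types for a hypothetical public web server.

```python
"""Security categorization by the FIPS 199 high-water mark.

Added example, not part of the original flashcard set. It assumes the
FIPS 199 notation SC = {(confidentiality, impact), (integrity, impact),
(availability, impact)} and the rule that a system's category takes the
highest value for each objective across the information types it handles.
The information types below are constructed for illustration.
"""
from typing import Dict, Iterable

# Ordinal ranking of FIPS 199 potential-impact values. "N/A" is allowed
# by FIPS 199 only for the confidentiality of information (e.g. public
# web content), never for an information system.
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_information(conf: str, integ: str, avail: str) -> Dict[str, str]:
    """Return the security category of one information type.

    Only confidentiality may be N/A; integrity and availability must be
    LOW, MODERATE or HIGH. Raises ValueError otherwise.
    """
    sc = {
        "confidentiality": conf.upper(),
        "integrity": integ.upper(),
        "availability": avail.upper(),
    }
    for objective, value in sc.items():
        if value not in LEVELS:
            raise ValueError(f"unknown impact value {value!r} for {objective}")
        if value == "N/A" and objective != "confidentiality":
            raise ValueError(f"N/A is not permitted for {objective}")
    return sc


def categorize_system(info_types: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """High-water mark: per objective, take the maximum impact across all
    information types on the system. A system is never N/A for any
    objective; FIPS 199 sets the floor at LOW, so an all-N/A
    confidentiality column still yields LOW."""
    sc = {obj: "LOW" for obj in OBJECTIVES}
    for info in info_types:
        for obj in OBJECTIVES:
            if LEVELS[info[obj]] > LEVELS[sc[obj]]:
                sc[obj] = info[obj]
    return sc


def system_impact_level(sc: Dict[str, str]) -> str:
    """Overall impact level (Low / Moderate / High impact system): the
    highest of the three objectives, as used to pick a FIPS 200 baseline."""
    return max((sc[obj] for obj in OBJECTIVES), key=LEVELS.__getitem__)


def format_sc(sc: Dict[str, str]) -> str:
    """Render in the FIPS 199 notation, e.g.
    SC = {(confidentiality, MODERATE), (integrity, LOW), (availability, LOW)}"""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES) + "}"


# Constructed sample (hypothetical): a public-facing agency web server
# that also handles a small amount of contractor-sensitive data.
SAMPLE_INFO_TYPES = [
    categorize_information("N/A", "MODERATE", "MODERATE"),  # public web content
    categorize_information("MODERATE", "LOW", "LOW"),       # contractor sensitive
]

if __name__ == "__main__":
    system_sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_sc(system_sc))
    print("Impact level:", system_impact_level(system_sc))
```

For the constructed sample the public content drives integrity and availability to MODERATE while the contractor-sensitive data drives confidentiality to MODERATE, so the system is a Moderate Impact System even though no single information type is MODERATE across all three objectives. That is the point of the high-water mark: the category is computed per objective, not per information type.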
(T/F) The determination of information system impact levels MUST be accomplished prior to the consideration of minimum security requirements and the selection of appropriate security controls for those information systems
TRUE
How many security-related areas with regard to protecting confidentiality, integrity and availability are covered by "The Minimum Security Requirements"?
Seventeen
What are the seventeen areas covered by "The Minimum Security Requirements"?
Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Certification, Accreditation, and Security Assessments (CA)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical and Environmental Protection (PE)
Planning (PL)
Personnel Security (PS)
Risk Assessment (RA)
System and Services Acquisition (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)