Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
49 Cards in this Set
- Front
- Back
|
Four Canons of the ISC2 Code of Ethics
|
1. Protect society, the commonwealth, and the infrastructure.
2. Act honorably, hosestly, justly, responsibly and legally. 3. Provide diligent and competent service to principals 4. Advance and protect the profession. |
|
|
Which canon would be breached by not reporting the witness of code violations?
|
Canon IV: Advance and protect the profession.
|
|
|
Main job of IS security professionals
|
Evaluate risks against our critical assets and deploy safeguards to mitigate those risks.
|
|
|
Two keys to talking with C-Level execs (2 acronyms)
|
TCO - Total Cost of Ownership
1) Cost of the product 2) Yearly vendor charges 3) Staff costs for implementation, etc. ROI - Return on Investment Learning to talk effectively with executives is key to doing this job successfully. |
|
|
10 Domains of the Common Body of Knowledge (CBK)
|
1) Security Management Practices.
2) Access Control Systems 3) Telecommunications and Network Security 4) Cryptography 5) Security Architecture and Models 6) Security Operations 7) Software Development Security 8) Business Continuity and Disaster Recovery 9) Law, Investigation and Ethics 10) Physical Security |
|
|
Cornerstone Information Security Concepts (The 3 Pillars)
|
Confidentiality - Seeks to prevent unauthorized read access to data.
Integrity - Seeks to prevent unauthorized modification of information. Availability - Ensures that information is available when needed. |
|
|
The opposite of the CIA Triad
|
(D) Disclosure
(A) Alteration (D) Destruction |
|
|
What does AAA stand for, and what is the missing (I) component
|
1) Authentication
-Goes with Identification which is your login ID -Authentication is your password 2) Authorization -Those parts of the system that you are authorized to view/edit 3) Accountability -Logging, auditing and possibly disciplining for breach of rights to info. |
|
|
Nonrepudiation
|
A user cannot deny having performed a transaction. It combines authentication and integrity.
|
|
|
Least Privilege
|
The old "...what you need, nothing more - nothing less..."
|
|
|
Defense-in-Depth
|
Layered defenses. Multiple controls used to reduce risk.
|
|
|
Assets
|
Valuable resources that you are trying to protect
|
|
|
"Mathmatical Equation" to determine Risk
|
Risk=Threat x Vulnerability
Assign a number to both threat and vulnerability (5 point scale?)... Keep your scale consistent. |
|
|
Annualized Loss Expectancy (ALE)
|
A calculation that allows you to determine the annual cost of a loss due to a risk.
|
|
|
Exposure Factor (EF)
|
The percentage of the the value an asset lost due to an incident
|
|
|
Single Loss Expectancy (SLE)
|
The cost of a single loss. SLE is a calculated by AV x EF.
|
|
|
Annual Rate of Occurrence (ARO)
|
The number of losses you suffer per year.
|
|
|
Annualized Loss Expectancy (ALE)
|
Your yearly cost due to risk. Calculated by SLE x ARO
|
|
|
Risk Mitigation
|
Lowering the risks
|
|
|
Transfer the Risk
|
Such as with Insurance
|
|
|
Avoiding the risk
|
If the project has high risks that do not appear to have a chance of mitigation, then avoidance may be the best option
|
|
|
Difference between Quantitative and Qualitative Risk Analysis
|
Quantitative deals with hard metrics to measure risks (Quantitative = Quantity), while Qualitative deals with subjective analysis.
ALE is a Quantitative approach while the Risk Analysis Matrix is a Qualitative approach. |
|
|
NIST's 9 Step Risk Analysis
|
1) System Characterization: The scope of the systems being analyzed.
2) Threat Identification: What is the likelihood of the event. 3) Vulnerability Identification: What areas are weakest on the system. 4) Control Analysis: What is in place to aid in mitigation of risks for this risk. 5) Likelihood Determination: 6) Impact Analysis: 7) Risk Determination: Calculated by #2 (Threat) x #3 (Vulnerability) 8) Control Recommendations: Can be determined after analysis of the 7 other areas (above). 9) Results Documentation: Documentation of the Control Recommendations |
|
|
Policies (Include the 4 basic components)
|
High level documents that are directives that must be followed.
1) Purpose -The need for the policy 2) Scope -What/who is covered by the policy 3) Responsibilities -Who is responsible for what 4) Compliance -How to judge how well the policies are working, and what to do if they are not followed. |
|
|
Procedures
|
Step by Step guide for accomplishing a task. Very low level compared with policies.
|
|
|
Standards
|
Hardware and Software specific which are the benchmarks for buying new products for use in the company.
|
|
|
Guidelines
|
Discretionary, and do not HAVE to be followed
|
|
|
Baselines
|
Baselines mark the minimum level to acihieve. Such as "the baseline security for PC's is a screen saver that requires loving. You can achieve more, but you can't achieve less.
|
|
|
Primary Information Security Roles (4 levels)
|
Senior Management: Creates the information security program.
Data Owner (Information owner or Business Owner): Management Employee responsible for ensuring that specific data is protected. Custodian: Responsible for hands on protection of data (such as performing backups). User: Must follow policies and procedures to ensure that data (including their usernames/pws are kept safe). |
|
|
PII
|
Personal Identifiable Information
|
|
|
Due Care
|
Also called the prudent man rule. Doing what a reasonable person would do.
|
|
|
Due Diligence
|
Following steps to ensure that due care is followed.
|
|
|
Gross Negligence
|
The opposite of due care.
|
|
|
Best Practice
|
The consensus of the best way of completing due care and due diligence
|
|
|
NIST
|
National Institute of Standards and Technology
|
|
|
Issues with Outsourcing and Offshoring
|
Outsourcing is using a third party to provide IT services, while offshoring is outsourcing overseas. This can create issues with privacy with regards to the data, since they do not necessarily have to follow regulatory mandates (such as HIPAA).
|
|
|
Auditing and Control Frameworks
|
You can use control frameworks to assist in Auditing which ensures that you are following the policies that you have established
|
|
|
OCTAVE
|
Operationally Critical Threat, Asset, and Vulnerability Evaluation.
|
|
|
Three phases of OCTAVE
|
1) ID's staff knowledge, assets and threats
2) ID's vulnerabilities and evaluates safeguards 3) Conducts the Risk Analysis and develops the risk mitigation strategy |
|
|
ISO 27001 and 27002 (need to do further research on these)
|
.
|
|
|
COBIT
|
Control Objectives for Information and related Technology: Control framework for aiding best practices within an organization.
|
|
|
ITIL
|
Information Technology Infrastructure Library: Control framework for best practices
|
|
|
DoS Attack
|
Denial of Service Attack (affects Availability)
|
|
|
Total value of the system you are trying to protect (name and acronym)
|
Asset Value (AV)
|
|
|
Amount of money you expect to lose per year for a given risk (name and acronym).
Also, how is it calculated? |
Annual Loss Expectancy (ALE)
Calculated by SLE x ARO |
|
|
What is the percentage of loss expected from a given event (name and acronym)?
|
Exposure Factor (EF)
|
|
|
What is the cost of an isolated event called (name and acronym)?
|
Single Loss Expectancy (SLE)
|
|
|
How many times per year do you expect an event to occur (name and acronym)?
|
Annual Rate of Occurrence (ARO)
|
|
|
What is the acronym and name of the "real cost " of an item? What goes into figuring this amount?
|
Total Cost of Ownership (TCO)
1. Cost of item 2. Service agreement cost 3. Man hours to maintain |
