93 Cards in this Set
Information Security Program |
Used to describe the structure and organization of the effort that strives to contain the risks to the information assets of the organization |
|
1) Functions performed by non-technology business units |
Legal and training |
|
2) Functions performed by IT groups outside the InfoSec area of management |
Systems security administration, network security administration, centralized authentication |
|
3) Functions performed within the InfoSec department as customer service |
Risk assessment, systems testing, incident response, planning, measurement, vulnerability assessment |
|
4) Functions performed within InfoSec departments as compliance enforcement |
Policy, compliance/audit, risk management |
|
Chief Information Security Officer (CSO or CISO) |
responsible for the assessment, management, and implementation of the program that secures the organization's information. |
|
Security Manager |
Accountable for the day-to-day operations |
|
Security Administrators and Analysts |
Hybrid of a security technician and a security manager |
|
Security Technicians |
Qualified individuals who configure firewalls and implement security software |
|
Security Staffers and Watch standers |
Perform routine watch standing or administrative activities. Watch intrusion consoles, monitor e-mail accounts. |
|
Security Consultants |
An independent expert in InfoSec, used when the organization decides to outsource aspects of the security program |
|
Security Officers and Investigators |
Physical security officers and investigators, guards |
|
Help Desk Personnel |
Helps identify potential problems and helps with minor issues |
|
Security education, training, and awareness (SETA) |
Responsibility of the CISO; designed to reduce the incidence of accidental security breaches. It can improve employee behavior; can inform members of the org about where to report violations of policy; and enables the org to hold employees accountable for their actions |
|
Security Training |
Seeks to train members of the org in how they should react and respond when they encounter a threat (workshops, formal training) |
|
Security Education |
Seeks to educate members of the org as to why the org has prepared and why they should react the way they do when a threat occurs (background reading, seminars) |
|
Security Awareness |
Seeks to teach members of the org what security is and what they should do in certain situations (posters, media, videos) |
|
Seven Steps for implementing training |
1) Identify program scope, goals, and objectives; 2) Identify training staff; 3) Identify target audience; 4) Motivate management and employees; 5) Administer the program; 6) Maintain the program; 7) Evaluate the program |
|
Training delivery methods |
One-on-one - informal, personal training with a trainer; On-the-job - learn while working; Web seminars - watch a presentation on their own computer |
|
Due Care versus Due Diligence |
Due care - the conduct a reasonable person would exhibit in a particular situation; Due diligence - the process by which a person gathers facts to make an informed choice on a matter |
|
Awareness Components |
Videos, posters, lectures and conferences |
|
Framework |
An outline of a blueprint that defines policies and procedures |
|
Blueprint |
Sets out the model to be followed in the creation of the design and the implementation of security controls, including InfoSec policies and security education and training programs |
|
Security Model |
A generic blueprint offered by a service organization |
|
Access Control models |
Regulate the admission of users into trusted areas of the organization |
|
Least Privilege |
Members of the org can access only the minimum amount of information for the minimum amount of time necessary to perform their duties |
|
Need-to-know |
Limits a user's access to the specific information required to perform the currently assigned task |
|
Separation of duties |
Requires that a task be split up so that more than one individual is responsible for its completion |
|
Categories of Access control: Deterrent |
Discourages or deters an incipient incident |
|
Categories of Access control: Preventative |
Helps an organization avoid an incident |
|
Categories of Access control: Detective |
Detects or identifies an incident or threat when it occurs |
|
Categories of Access control: Corrective |
Remedies a circumstance or mitigates damage done during an incident |
|
Categories of Access control: Recovery |
Restores operating conditions back to normal |
|
Categories of Access control: Compensating |
Resolves shortcomings |
|
NIST approach to categorizing controls based on their operational impact on the org |
Management - controls that cover security processes that are designed by security planners, integrated into the org's management practices, and routinely used by security administrators |
|
NIST approach to categorizing controls based on their operational impact on the org |
Operational - controls that deal with the operational functions of security that have been integrated into repeatable processes |
|
NIST approach to categorizing controls based on their operational impact on the org |
Technical - controls that support the tactical portion of a security program and have been implemented into repeatable processes |
|
Mandatory Access Controls |
Required, and structured and coordinated within a data classification scheme that rates each collection of information as well as each user. The ratings are often referred to as a classification level. |
|
Data Classification model |
Unclassified - generally free for distribution to the public |
|
Data Classification model |
Sensitive but unclassified data - any information of which the loss, misuse, or unauthorized access to, or modification of, might adversely affect U.S. national interests |
|
Data Classification model |
Confidential data - any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security |
|
Data Classification model |
Secret data - any information or material the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security |
|
Data Classification model |
Top secret data - any information whose unauthorized disclosure could be expected to cause exceptionally grave damage to the national security |
|
Compartmentalization |
The restriction of information to the fewest possible people; levels: public, for official use only, sensitive, classified |
|
Security Clearance |
Each user of an information asset is assigned an authorization level; that level identifies the level of information classification he or she can access |
|
Dumpster diving |
A potential threat to the disposal of sensitive information, in which a person searches through recycling bins to find information discarded there |
|
Lattice-based access control |
Assigns users a matrix of authorizations for particular areas of access |
|
Capabilities table |
The row of attributes associated with a particular user |
|
Non-discretionary controls |
Are determined by a central authority in the org and can be based on roles (role-based controls) or tasks (task-based controls) |
|
Role-based controls |
Controls are tied to the role that a particular user performs in an organization |
|
Task-based controls |
Are tied to a particular assignment of responsibility |
|
Discretionary access controls |
Are implemented at the discretion or option of the data user |
|
Content-dependent access controls |
Access to a specific set of information may depend on its content |
|
Constrained user interfaces |
Some systems are designed specifically to restrict what information an individual user can access |
|
Temporal (time-based) isolation |
Access to information is limited by a time-of-day constraint |
|
Trusted computer system evaluation criteria (TCSEC) |
Defines the criteria for assessing the access controls in a computer system |
|
Trusted computing base (TCB) |
The combination of all hardware, firmware, and software responsible for enforcing the security policy |
|
Reference monitor |
The piece of the system that manages access controls; it mediates all access to objects by subjects |
|
Covert channels |
Unauthorized or unintended methods of communication hidden inside a computer system |
|
Storage channels |
Channels that communicate by modifying a stored object |
|
Timing channels |
Channels that transmit information by managing the relative timing of events |
|
Information Technology System Evaluation Criteria |
An international set of criteria for evaluating computer systems |
|
Common Criteria for Information Technology Security Evaluation |
An international standard for computer security certification |
|
Bell-LaPadula confidentiality model |
A model of an automated system that is able to manipulate its state or status over time |
|
Biba Integrity model |
Based on the premise that higher levels of integrity are more worthy of trust than lower ones |
|
Clark-Wilson integrity model |
Based on principles of change control rather than integrity levels |
|
Graham-Denning Access control model |
A set of objects, a set of subjects, and a set of rights. Subjects are composed of a process and a domain. The domain is the set of constraints controlling how subjects may access objects. |
|
Harrison-Ruzzo-Ullman model |
Defines a method to allow changes to access rights and the addition and removal of subjects and objects |
|
Brewer-Nash Model (Chinese Wall) |
Designed to prevent a conflict of interest between two parties |
|
NIST security model |
Available at no charge, and has been available for some time |
|
Benchmarking |
The paths taken by organizations similar to the one whose plan you're developing |
|
Baseline and Baselining |
Baseline - an assessment of the performance of some action or process; Baselining - the process of measuring against an established internal value or standard |
|
InfoSec performance management |
The process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program |
|
Performance measurements |
The data points, or the trends computed from such measurements, that may indicate the effectiveness of security countermeasures or controls |
|
Organizations use three types of measurements |
1) Determine the effectiveness of the execution of InfoSec policy; 2) Determine the effectiveness and/or efficiency of the delivery of InfoSec services; 3) Assess the impact of an incident |
|
Information security metrics |
Generally describe any statistical analysis technique applied to performance |
|
Certification |
A comprehensive assessment of both technical and nontechnical protection strategies for a particular system |
|
Risk management |
The process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated |
|
Risk analysis |
The identification and assessment of levels of risk in an organization |
|
Risk identification |
Begins with self-examination. Managers identify the organization's information assets, classify and categorize them into useful groups, and prioritize them by their overall importance. |
|
Threat identification |
Assessing potential weaknesses in each information asset |
|
Risk Assessment |
Assigns a risk rating or score to each vulnerability |
|
Qualitative Risk assessment |
Using categories instead of specific values to determine risk |
|
Residual risk |
The risk that remains even after the existing controls have been applied |
|
Program |
Activities performed within the organization to improve security (e.g., SETA) |
|
Questions to ask when assessing values for information assets |
Which information asset is the most critical to the success of the organization? Which information asset generates the most revenue? Which information asset generates the highest profitability? Which information asset is the most expensive to replace? Which information asset is the most expensive to protect? Which information asset's compromise or loss would be the most embarrassing or cause the greatest liability? |
|
Identifying and prioritizing threats and threat agents |
Which threats present a danger to this org's information assets in its current environment? Which threats represent the gravest danger to the organization's information assets? |
|
TVA worksheet |
A worksheet that lists threats against assets and lets you clearly see how costly each threat is to each asset |
|
Likelihood |
The overall rating, a numerical value on a defined scale, of the probability that a specific vulnerability will be exploited |
|
Assessing potential loss: questions |
Which threats present a danger to this org's current assets in its current environment? Which threats represent the gravest danger to the org's information assets? How much would it cost to recover from a successful attack? Which threats would require the greatest expenditure to prevent? |
|
Access controls |
Specifically address the admission of users into a trusted area of the organization |
|
When documenting the results of a risk assessment you need |
Asset, asset impact, vulnerability, vulnerability likelihood, risk rating factor |