55 Cards in this Set
Front | Back
*Audit | It assures the integrity of the security solution
Audit Conclusion | When the audit report is reviewed with the auditee's upper management prior to release
Audit Criteria | A set of predefined controls to be audited
Audit Documentation | Audit activities at each stage are documented
Audit Reporting | The audit manager assumes the responsibility for audit reporting
Auditee | The organization being audited
Checklist | Checklist for performing the audit against different factors
Client Organization | The organization that mandates the audit
*Compliance | Meeting the standards
*Confidentiality | Keeping practices and procedures between the company and client private (not the same thing as the information security property in subsequent chapters)
Contracts | Agreements between the company and customer
*Control Objective | These are focused behaviors with observable outcomes
*Corrective Action | Documented action against a perceived risk/threat
*Cost Benefit | Analyses the pros and cons of an action
*Countermeasures | They are steps that will be taken to mitigate a given risk
*Estimate of the Consequences | Harm caused against a threat
Evidence | Obtained by conducting interviews
Event Logs | Audit records are kept in event logs that are automatically maintained by the system
*Follow-up | A follow-up is another audit to confirm compliance
**Gaps | They are identified risks between ideal practice and the current operation
Impartiality | Objective, non-biased opinion
Internal Audit | The organization performs the audit within their own organization with their own people
Interviews | They are conducted to gather evidence
*Latent Threat | A possible threat that only becomes active at a later time if one of the conditions changes
Laws and Regulations | These are the structure with which a company must be in compliance
Lead Auditor | The person who has the sole authority for the auditing process
**Likelihood | The certainty of risk
Noncompliances | Areas where a plan is not fulfilling a law or regulation
Nonconformances | Another term for noncompliances
Operational Security Analysis | It leads to the deployment of a concrete security solution
*Preventative Measures | The strategy to reduce the likelihood of a risk occurrence
*Process Entropy | The natural tendency for any organized system to degrade over time due to changing conditions
*Probability of Occurrence | A percentage indicating the likelihood of occurrence
Proof of Compliance | The audit evidence document
Quantitative Factors | Numerically measurable risk factors
*Reactive Measures | The strategy to respond effectively if a risk becomes a direct threat
***Risk | The possibility of a threat
**Risk Analysis | The process by which the risk is understood
Risk Analysis Report | An operational response that identifies those threats that have to be managed
***Risk Assessment | An operational process by which risks are identified and characterized
***Risk Estimation | Determines the probability and impact of threats
*Risk Evaluation | A function that is used to decide about the nature of emerging threats
Risk Identification | Documenting the characteristics of vulnerabilities
**Risk Management | It ensures effective and up-to-date alignment between identified threats and the countermeasures deployed to mitigate them
***Risk Mitigation | It determines how the risk will be handled
Risk Mitigation Report | The mechanism for communicating information about how risk is handled
*Risk Tolerance | The minimum level of protection that management can reasonably afford in its day-to-day operations
*Risk Transfer | It specifies how any foreseen impact can be reallocated so that the loss is not permanent or catastrophic
*Scope of the Assessment | It should include the entire set of organizational and technical issues
*Standards | Gap analysis must be based on universal standards such as ISO 27000, NIST, GASSP or COBIT
Third Party Work | The risk management plan must include work performed by entities outside the organization
***Threat | A way of exploiting a known weakness in an organization
Threat Picture | A comprehensive understanding of all threats
***Vulnerability | A perceived weakness in an organization that can be exploited
**Weakness | A part of a system that can be exploited