51 Cards in this Set

  • Front
  • Back
Information security
is to preserve Confidentiality, Integrity, and Availability (CIA) of organizational assets
Risk management
is to identify the threats and vulnerabilities that could impact the information security and devise suitable controls to mitigate these risks
Asset classification
a process that is used to group assets based on their types (for example, physical, hardware, software, paper document, and so on) and classify them based on sensitivity (for example, Confidential, Private, Public, and so on)
Risk assessment
a process that determines the quantitative (for example, monetary value) or qualitative (for example, high, medium, low) risk value based on the type, sensitiveness, and the value of the asset
ISO/IEC 27001:2005
an Information Security Management System (ISMS) standard that can be used as a reference point for the security management program in the organization.
Policies
specify the management views, intent, and support. Adherence to policy requires implementation of suitable controls. For example, access policies specify the management intent to control the access to the assets. Firewall or access card systems (smart card) are examples of such controls.
Guidelines
specify the rules or acceptable methods for implementing a policy. For example, if a firewall policy states that all incoming/outgoing traffic should be filtered to allow only authorized connections, then guidelines specify the rules and acceptable methods to be followed in doing so. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, is an example of a guideline document.
Standard
a reference point. For example, ISO/IEC 27001:2005 is an Information Security Management System (ISMS) standard that can be used as a reference point for the security management program in the organization.
Procedures
support policies, guidelines, and standards. Procedures are step-by-step instructions to implement a policy, guideline, or a standard. The aim of a procedure is to achieve the desired goal through a sequence of steps.
What is the weakest link in an information security chain
Humans
Risk management practices
include risk analysis and assessment, and mitigation techniques such as reducing, transferring (moving the risk to a third party, for example through insurance), and avoiding risks.

These are the tools used to identify, rate, and reduce risk to specific resources.
Risk
based on the probability of a threat exploiting a vulnerability and the resulting impact on the specific resource or asset.
Risk analysis & assessment
a process that helps in identifying the risks, rating them, and selecting the controls that are used to reduce them
Information security management
characterized as preserving Confidentiality, Integrity and Availability (CIA) of information and related assets
The tenets of information security
The CIA Triad:
Confidentiality
Integrity
Availability
Confidentiality
to ensure that the information is not disclosed to unauthorized entities
Integrity
to maintain the consistency of the information internally as well as externally, and to prevent unauthorized modification, whether by unauthorized entities or by authorized entities exceeding their rights
Availability
to ensure that information is available to authorized entities as and when required
Identification
an entity identifying itself to the system, that is, claiming an identity. A common example is supplying a username; the password that accompanies it is the credential used in the next step, authentication, to prove the claim. This concept is used in access control systems.
Authentication
When the identity information is received, the system has the ability to validate and reconcile the information provided by the entity in terms of its identity. This ability is known as authentication
Authorization
this process determines the level of access allowed; controls access to resources based on the entity's rights and permissions
Accountability
The activity of monitoring an entity's behavior in the system. Access logs and audit trails are some of the examples of this activity.
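The four cards above (identification, authentication, authorization, accountability) describe one access-control flow. The following is an added example, not code from the original deck, that runs the four steps in order: the username is the claimed identity, the password is verified against a stored PBKDF2 hash (authentication), a permission table is consulted (authorization), and every decision is appended to an audit trail (accountability). The user store, permission table and resource names are constructed for illustration.

```python
"""Identification -> authentication -> authorization -> accountability.

Added example with a constructed user store and permission table; the
usernames, secrets and resource names are not from any real system.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: the verifier the system stores, not the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed user store: identity -> (salt, password verifier).
_SALT, _DIGEST = hash_password("correct horse battery staple")
USERS = {"alice": (_SALT, _DIGEST)}

# Constructed authorization data: rights each identity holds on each resource.
PERMISSIONS = {("alice", "payroll.xlsx"): {"read"}}

# Accountability: every access decision is recorded here (an audit trail).
AUDIT_LOG = []


def identify(username: str) -> Optional[str]:
    """Identification: the entity claims an identity. Nothing is proven yet."""
    return username if username in USERS else None


def authenticate(username: str, password: str) -> bool:
    """Authentication: validate the claimed identity against the stored verifier."""
    record = USERS.get(username)
    if record is None:
        hash_password(password)  # do the same work so timing does not reveal valid usernames
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def authorize(username: str, resource: str, action: str) -> bool:
    """Authorization: does this proven identity hold the right for this action?"""
    return action in PERMISSIONS.get((username, resource), set())


def account(username: str, resource: str, action: str, outcome: str) -> None:
    """Accountability: append an audit entry for the decision, granted or not."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": username, "resource": resource, "action": action, "outcome": outcome,
    })


def access(username: str, password: str, resource: str, action: str) -> str:
    """Run the four steps in order; the first failing step decides the outcome."""
    if identify(username) is None:
        outcome = "denied:unknown-identity"
    elif not authenticate(username, password):
        outcome = "denied:authentication-failed"
    elif not authorize(username, resource, action):
        outcome = "denied:not-authorized"
    else:
        outcome = "granted"
    account(username, resource, action, outcome)
    return outcome


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "payroll.xlsx", "read"))
    print(access("alice", "correct horse battery staple", "payroll.xlsx", "write"))
    print(access("alice", "wrong password", "payroll.xlsx", "read"))
    print(access("mallory", "anything", "payroll.xlsx", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a failed attempt is logged just like a successful one: the audit trail is what lets an investigator later reconstruct who tried what, which is the whole point of the accountability step.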
Privacy
the confidentiality requirement of a piece of information determines which actions may be performed on it, for example whether it may be copied, printed, or forwarded to third parties
Risk
a function of probability of a security event happening and the consequence of such an event; characterized by threats and vulnerabilities
Threat
an event that could compromise the information security by causing loss or damage to the assets. For example, a hurricane is a threat.
Vulnerability
a hole or weakness in the system that a threat could exploit. For example, not having hurricane-proof infrastructure is a vulnerability.
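The risk, threat and vulnerability cards above, together with the earlier risk assessment card (quantitative versus qualitative risk value), are easiest to see on a small risk register. The following is an added example, not part of the original deck. It rates each asset/threat/vulnerability triple qualitatively with an assumed 3x3 likelihood x impact matrix and quantitatively as expected annual loss (asset value x fraction lost per event x events per year, the usual annualized-loss-expectancy formula, which the deck does not name), then shows a risk-reduction control being evaluated against its cost. All asset values, probabilities and control costs are constructed for illustration.

```python
"""Risk register: qualitative and quantitative risk values, plus a mitigation check.

Added example; the assets, figures and rating scheme below are constructed
assumptions, not from any standard or from the original page.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed qualitative scales (a 3x3 matrix; organizations pick their own).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Qualitative risk value: look up likelihood x impact in the matrix."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def quantitative_risk(asset_value: float, exposure_factor: float, annual_rate: float) -> float:
    """Quantitative risk value in money per year.

    single-loss expectancy = asset value x fraction of the asset lost per event;
    expected annual loss   = single-loss expectancy x expected events per year.
    """
    if not 0.0 <= exposure_factor <= 1.0 or annual_rate < 0 or asset_value < 0:
        raise ValueError("exposure factor must be in [0,1]; value and rate non-negative")
    return asset_value * exposure_factor * annual_rate


@dataclass
class RiskItem:
    asset: str
    classification: str      # from asset classification, e.g. Confidential
    asset_value: float       # monetary value of the asset
    threat: str              # the event that could cause loss
    vulnerability: str       # the weakness the threat would exploit
    likelihood: str
    impact: str
    exposure_factor: float   # fraction of asset value lost in one event
    annual_rate: float       # expected number of events per year

    def assess(self) -> Dict[str, object]:
        return {
            "asset": self.asset,
            "threat": self.threat,
            "vulnerability": self.vulnerability,
            "qualitative": qualitative_rating(self.likelihood, self.impact),
            "annual_loss": quantitative_risk(self.asset_value, self.exposure_factor, self.annual_rate),
        }


def rank(items: List[RiskItem]) -> List[Dict[str, object]]:
    """Rate every item and order by expected annual loss, highest first."""
    return sorted((i.assess() for i in items), key=lambda r: r["annual_loss"], reverse=True)


def evaluate_control(item: RiskItem, annual_cost: float, new_annual_rate: float) -> Dict[str, float]:
    """Risk reduction: a control that lowers the event rate. Worth it only if the
    loss avoided exceeds what the control costs each year."""
    before = quantitative_risk(item.asset_value, item.exposure_factor, item.annual_rate)
    after = quantitative_risk(item.asset_value, item.exposure_factor, new_annual_rate)
    return {"before": before, "residual": after, "net_benefit": before - after - annual_cost}


# Constructed register entries (the hurricane pair is the deck's own illustration).
REGISTER = [
    RiskItem("data centre", "Confidential", 2_000_000, "hurricane",
             "infrastructure is not hurricane-proof", "low", "high", 0.5, 0.1),
    RiskItem("customer database", "Private", 500_000, "attacker exploiting the web app",
             "unpatched SQL injection flaw", "high", "high", 0.8, 0.5),
]

if __name__ == "__main__":
    for row in rank(REGISTER):
        print(row)
    # Hurricane hardening at 30 000 per year, assumed to cut the event rate to 0.02.
    print(evaluate_control(REGISTER[0], annual_cost=30_000, new_annual_rate=0.02))
```

The two numbers answer different questions: the qualitative rating is what gets the hurricane item onto management's list at all, while the quantitative figure is what decides whether a 30,000-per-year control is justified (here it avoids 80,000 of expected loss, so the net benefit is positive). A control whose net benefit is negative is a candidate for a different treatment, such as transferring the risk through insurance or accepting it.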
A security control:
a defined activity or a mechanism that is designed to ensure information security at all times. Ensuring information security means preserving the CIA of information assets
Management Controls
state the views of the management and its position on particular topics.

Information security policy is a management control policy wherein the management provides its views as well as support and direction for security.
Administrative Controls
used to implement management controls (policies).

Procedures, guidelines, and standards are administrative controls that support the policies.
Technical Controls
used to support the management and administrative controls by technical means.

Firewall, Intrusion Detection Systems, Intrusion Prevention Systems, anti-spam, anti phishing, antivirus, and so on are examples of technical controls.
Preventative controls
are to prevent security violations. Examples include vulnerability assessment and patch management
Corrective controls
are to ensure that a successful attack does not have a lasting adverse impact on the systems. For example, isolating affected systems, switching over to an alternative network, and so on
Detective controls
are to detect a security violation, such as intrusion in time, so as to apply a countermeasure. Intrusion detection systems work as detective controls
Deterrent controls
are to deter an attack. These controls are devised to increase the work factor required for unauthorized access or an attack. High walls, cameras, barbed-wire fences, entry points with two-point checks, and guard dogs are some of the deterrent controls from the physical security perspective.
Work factor
is the amount of time or effort required to accomplish an attack. The greater the factor, the greater the difficulty
NIST Special Publication 800-14
Generally Accepted Principles and Practices for Securing Information Technology Systems, it elaborates the concept of System Security Life Cycle. There are five phases in this life cycle, which are as follows:

Initiation phase: To express and document the need

Development/acquisition phase: Design and development, purchasing as well as programming are accomplished here

Implementation phase: Testing and installation of the systems

Operation/maintenance phase: As the name implies, the systems are operated and modified as per the requirements

Disposal phase: Retiring obsolete systems along with secure disposal are accomplished here
ISO/IEC 27002
(Code of practice for information security): This standard provides a list of best practices an organization can adopt for security management. These best practices are grouped under 11 security domains. This standard was earlier known as ISO/IEC 17799.
ISO/IEC 27001
This standard specifies the management framework required for information security, and is a certifiable standard in the sense that an organization can seek certification against this standard for the information security management systems. This standard was earlier known as BS7799
ISO/IEC 27000 series
the family of Information Security Management System (ISMS) standards; its two most important members are:
ISO/IEC 27001
ISO/IEC 27002
Security Posture
Includes three components. First is policies, procedures, and guidelines. Second is security awareness and training. The third is risk management. These three define an organization's security initiatives and program which in turn define the security posture
Classification criteria
Information assets are generally classified based on their value, age, useful life, and personnel association based on privacy requirements
Owner
The owner of the information is responsible for its protection. The owner plays the role of determining the classification level, periodical review, and delegation
Custodian
A custodian is the one delegated by the owner to maintain the information. A custodian's role includes backup and restoration of the information and maintaining the records
User
A user is the person who uses the information. A user may be an employee, an operator, or any third party. The role of a user is to exercise due care while handling the information by following the operating procedures. The user is responsible for using the information only for authorized purposes
Classification Types in Government
Top Secret: information whose disclosure to unauthorized entities would cause exceptionally grave damage to national security. Level 5.

Secret: information whose unauthorized disclosure has the potential to cause serious damage to national security. Level 4.

Confidential: information whose disclosure to unauthorized entities could cause damage to national security. Level 3.

Sensitive but unclassified: information whose disclosure may not damage national security but is still not for public release. Level 2.

Unclassified: information whose disclosure does not compromise confidentiality and will not have adverse impacts. This information is neither confidential nor classified. Level 1.
Classification Types in Private Sector
Confidential: the information is to be used strictly within the organization; its unauthorized disclosure will be a liability. Level 4.

Private: applicable to personnel information, which should be used strictly within the organization; its compromise or unauthorized disclosure will adversely affect the organization. Level 3.

Sensitive: used for information assets with higher confidentiality and integrity requirements than public information. Level 2.

Public: applicable to all information that can be disclosed to everyone; however, unauthorized modifications are still not allowed. Level 1, the lowest level of classification.
Which of the following is a correct description of Information Security?

A. Information security is protection of confidentiality, integrity and availability

B. Information security is disclosure of confidentiality, integrity and availability

C. Information security is preservation of confidentiality, integrity and availability

D. Information security is prevention of confidentiality, integrity and availability
c. Information security is preservation of confidentiality, integrity and availability
The system's ability to validate and reconcile the information provided by the entity in terms of its identity is known as _____.

A. authorization

B. authentication

C. identification

D. privacy
b. authentication
Which one of the following is used to show the management's intent to provide direction and support for information security?

a. Security policy

b. Security procedure

c. Security awareness

d. Security guideline
a. Security policy
Which one of the following phases comes fourth in the logical order of the system security life cycle?

a. Implementation phase

b. Disposal phase

c. Operation/maintenance phase

d. Development/acquisition phase
c. Operation/maintenance phase
Which one of the following is a common type of classification in Government as well as private/public sector organizations?

a. Top Secret

b. Confidential

c. Unclassified

d. Public
b. Confidential