14 Cards in this Set
Give four Infrastructure Security Blueprint methodologies
COBIT
ITIL
ISO 2700
COSO
Nine Steps of the NIST SP 800-30 Risk Assessment
1. System Characterisation
2. Threat Identification
3. Vulnerability Assessment
4. Control Analysis
5. Likelihood determination
6. Impact Analysis
7. Risk Determination
8. Control requirements
9. Results determination
Explain SLE
SLE = AV (£) x EF (%)

AV (Asset Value)
EF (Exposure Factor)
Four risk management options
Acceptance
Mitigation
Transference
Avoidance
Teleology and Deontology
Teleology -
- Ethics in terms of goals, purposes, or ends
- End justifies the means
- All's well that ends well
Deontology -
- Ethical behavior is a duty
- The method is the focus
- It's not if you win, it's how you play the game
(ISC)2 principles
Protect society, the commonwealth, and the infrastructure
Act honourably, legally, justly and responsibly
Provide diligent and competent service to principals
Advance and protect the profession
Levels of Security Planning
Strategic - 3-5 yrs, executive activity
Tactical - Periodic / functional activity with mid-term focus (annual)
Operational - Real time action plans, activity related
Standards
Define specific products and mechanisms to be used to support policy. Also identify laws and regulations (rules) to abide by.
Procedures
Define step by step required actions to implement standards and baselines
Key Roles:
Senior Executive
Information System Security Professionals
Asset/ Process Owners
Custodians
Auditors
Users
SE -Establishes goals, publishes, endorses and supports policy
ISSP - Designs, implements and manages security program
A/P O - Sets level of protection and user access conditions
C - Ensures availability, integrity and security of assets
A - Independently measure accordance with policy
U - Held accountable for following policy and procedure
What is the principal goal of Risk Management...
The principal goal of Risk Management process should be to protect the organization and its ability to perform their mission, not just its IT assets.
What is risk?
Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
Security Risk Assessment Steps
Identify Assets
Assign/Determine Ownership
Categorize/Classify Assets
Identify Threats to those assets
Identify vulnerabilities
Review existing security measures
Measure, Analyze and Assess Overall Risks
Determine Acceptable Residual Risks
Recommend Treatments and document findings
Obtain management review and approval
Internet Architecture Board (IAB) RFC 1087
- Seeks to gain unauthorized access to Internet resources
- Disrupts the intended use of the Internet
- Wastes resources (people, capacity, computer) through such actions
- Destroys the integrity of computer-based information
- Compromises the privacy of users
- Involves negligence in the conduct of Internet-wide experiments