Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
105 Cards in this Set
- Front
- Back
|
An email virus
|
?
|
|
|
A methodology and the probability of success
|
?
|
|
|
The physical design
|
?
|
|
|
The issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse
|
?
|
|
|
The _________ model and 6 general phases
|
Waterfall; Conception, Initiation, Analysis, Design, Construction, Testing, Production/Implementation, and Maintenance
|
|
|
Individuals with the primary responsibility for administering the systems that house the information used by the organization
|
System administrator
|
|
|
Having ownership or control of some object or item
|
possession
|
|
|
Phase 1 of the SecSDLC
|
The investigation phase of the SecSDLC begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as its budget and other constraints. Frequently, this phase begins with an enterprise information security policy, which outlines the implementation of a security program within the organization. Teams of responsible managers, employees, and contractors are organized; problems are analyzed; and the scope of the project, as well as specific goals and objectives, and any additional constraints not covered in the program policy, are defined. Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.
|
|
|
Human error or failure
|
Largest security risk
|
|
|
Denial-of-service attacks
|
an attack in which a coordinated stream of requests is launched against a target from many locations at the same time.
|
|
|
The shoulder looking technique
|
This technique is used in public or semipublic settings when individuals gather information they are not authorized to have by looking another individual's shoulder or viewing the information from a distance
|
|
|
Online vandalism
|
the act of committing vandalism through access to Internet
|
|
|
Software programs
|
?
|
|
|
The attacker sends a large number of connection or information requests to a target
|
denial-of-service attack
|
|
|
A computer virus
|
?
|
|
|
Worms
|
?
|
|
|
HIPAA
|
This act gives the right to privacy to individuals under 18, but at or above 12. The provider must have a signed disclosure from the affected before giving out any information on provided health care to anyone, including parents.
|
|
|
A policy and a law
|
?
|
|
|
Ethics
|
?
|
|
|
The Privacy of Customer Information Section of the common carrier regulation
|
?
|
|
|
Laws to counter threats from computer related acts and offenses
|
Computer Fraud and Abuse Act
|
|
|
Stiffer penalties for prosecution of terrorist crimes
|
?
|
|
|
Family law, commercial law, and labor law
|
?
|
|
|
The requirements for a policy
|
Dissemination, Review, Comprehension, Compliance, Uniform enforcement
|
|
|
Once the threats have been identified
|
?
|
|
|
Examples of exceptionally grave damage
|
Top Secret
|
|
|
One problem with benchmarking
|
unreliable
|
|
|
Phases of risk management
|
Identification, Analysis, Control, Transfer, Review
|
|
|
Classification scheme
|
?
|
|
|
_________ feasibility addresses user acceptance and support
|
?
|
|
|
The relative importance of each asset
|
?
|
|
|
Access controls
|
?
|
|
|
Every policy should contain provisions for...
|
?
|
|
|
Security policies
|
?
|
|
|
Management controls
|
?
|
|
|
The mission, vision, and direction of the organization
|
?
|
|
|
An outline of the overall information security strategy for the organization
|
?
|
|
|
A buffer against outside attacks
|
?
|
|
|
Policies and an expiration date
|
?
|
|
|
Electronic vaulting
|
transfer of data by electronic means to a backup site
|
|
|
A packet's content
|
?
|
|
|
A content filter
|
?
|
|
|
Physical design
|
?
|
|
|
The restrictions most commonly implemented in packet filtering firewalls
|
?
|
|
|
The application gateway
|
?
|
|
|
Telnet protocol packets
|
?
|
|
|
The circuit gateway firewall
|
?
|
|
|
Firewall use
|
?
|
|
|
A passive response
|
?
|
|
|
Intrusion detection
|
?
|
|
|
Services using the TCP/IP port
|
?
|
|
|
_____ is an event that triggers alarms
|
?
|
|
|
A specifically configured connection on a network device that is capable of viewing all of the traffic that moves through the entire device
|
?
|
|
|
TCP session
|
?
|
|
|
The process of attracting attention to a system by placing tantalizing bits of information in key locations
|
?
|
|
|
IDPS
|
?
|
|
|
The most common hybrid system
|
?
|
|
|
Popular cryptosystems
|
?
|
|
|
A key is....
|
?
|
|
|
The entire range of values that can possibly be used to construct an individual key
|
?
|
|
|
A one-way hash value that is encrypted with a symmetric key
|
?
|
|
|
The _______ protocol provides system to system authentication and data integrity verification, but...
|
?
|
|
|
The process of making and using codes to secure the transmission of information
|
?
|
|
|
Encryptions
|
?
|
|
|
Consulting in the area of physical security
|
?
|
|
|
For laptops there are burglar alarms
|
?
|
|
|
True online UPS
|
?
|
|
|
Most guards have clear _____ that
|
?
|
|
|
Electronic monitoring
|
?
|
|
|
The locks
|
?
|
|
|
A small enclosure that has an entry point and a different exit point
|
?
|
|
|
Physical loss
|
?
|
|
|
An information security department or program of its own
|
?
|
|
|
The primary drawback to the direct changeover approach
|
?
|
|
|
A trained project CEO
|
?
|
|
|
If the task is to write firewall specifications
|
?
|
|
|
The best approach to security project implementation
|
?
|
|
|
A process to resolve potential conflict and disruption that uncoordinated change can introduce
|
?
|
|
|
The tasks or action steps that come before the specific task at hand
|
?
|
|
|
The process of change
|
?
|
|
|
The staff of information security teams
|
?
|
|
|
The position of security technician
|
?
|
|
|
SCP
|
?
|
|
|
Many information security professionals enter the field from
|
?
|
|
|
A certification program
|
?
|
|
|
The biometrics and PKI
|
?
|
|
|
Accountability for the day-to-day operation of the information security program
|
?
|
|
|
When an employee prepares to leave an organization
|
?
|
|
|
Policies can be considered enforceable even if
|
?
|
|
|
Configuration management
|
?
|
|
|
Documentation procedures
|
?
|
|
|
When the amount of data stored on a particular hard drive averages 30-40% of available capacity for a prolonged period
|
?
|
|
|
A maintenance model such as the ISO model
|
?
|
|
|
Security personnel
|
?
|
|
|
The administration of changes in the strategy, operation, or components of the information security program
|
?
|
|
|
_______ enables organizations to charge their internal departments for system
|
?
|
|
|
When the memory usage associated with a particular CPU-based system averages
|
?
|
|
|
Information security management system
|
?
|
|
|
The baseline of systems and services
|
?
|
|
|
Configuration management
|
?
|
|
|
Phase 2 of SecSDLC
|
Analysis
In the analysis phase, the documents from the investigation phase are studied. The development team conducts a preliminary analysis of existing security policies or programs, along with that of documented current threats and associated controls. This phase also includes an analysis of relevant legal issues that could affect the design of the security solution. Increasingly, privacy laws have become a major consideration when making decisions about information systems that manage personal information. Recently, many states have implemented legislation making certain computer-related activities illegal. A detailed understanding of these issues is vital. The risk management task also begins in this stage. Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the information stored and processed by the organization. |
|
|
Phase 3 of SecSDLC
|
The logical design phase creates and develops the blueprints for information security, and examines and implements key policies that influence later decisions. Also at this stage, the team plans the incident response actions to be taken in the event of partial or catastrophic loss. The planning answers the following questions:
- Continuity planning: How will business continue in the event of a loss? - Incident response:What steps are taken when an attack occurs? - Disaster recovery:What must be done to recover information and vital systems immediately after a disastrous event? Next, a feasibility analysis determines whether or not the project should be continued or be outsourced. |
|
|
Phase 4 of SecSDLC
|
In the physical design phase, the information security technology needed to support the blueprint outlined in the logical design is evaluated, alternative solutions generated, and a final design agreed upon. The information security blueprint may be revisited to keep it in line with the changes needed when the physical design is completed. Criteria for determining the definition of successful solutions are also prepared during this phase. Included at this time are the designs for physical security measures to support the proposed technological solutions. At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project, and then the champion and sponsors are presented with the design. At this time, all parties involved have a chance to approve the project before implementation begins.
|
|
|
Phase 5 of SecSDLC
|
The implementation phase in of SecSDLC is also similar to that of the traditional SDLC. The security solutions are acquired (made or bought), tested, implemented, and tested again. Personnel issues are evaluated, and specific training and education programs conducted. Finally, the entire tested package is presented to upper management for final approval.
|
|
|
Phase 6 of SecSDLC
|
The maintenance and change phase, though last, is perhaps most important, given the current ever-changing threat environment. Today’s information security systems need constant monitoring, testing,modification, updating, and repairing. Traditional applications systems developed within the framework of the traditional SDLC are not designed to anticipate a vicious attack that would require some degree of application reconstruction. In information security, the battle for stable, reliable systems is a defensive one. Often, repairing damage and restoring information is a constant effort against an unseen adversary. As new threats emerge and old threats evolve, the information security profile of an organization requires constant adaptation to prevent threats from successfully penetrating sensitive data. This constant vigilance and security can be compared to that of a fortress where threats from outside as well as from within must be constantly monitored and checked with continuously new a
|
