58 Cards in this Set

  • Front
  • Back
The four types of access that may be granted to a database are ___________, __________, __________, and ________ (CRUD), and also represent the four types of security breaches that may occur in systems.
create
read
update
delete
Successful ___________ control procedures should record the state of a system, then examine, verify, and correct the recorded states.
auditing
While security controls often concentrate on the prevention of intentional security breaches, most breaches are _______________.
accidental
Application controls address the ____________ of a failure.
prevention
Audit controls address the _______________ of a failure (i.e., audit controls attempt to determine if the application controls are adequate).
detection
Controls which are used at the analysis and design stages of the systems life cycle as a tool to understand and document other control points within a system are called ______________ controls.
modeling
Good ____________ controls not only answer what are the functions of a system and how those functions are being accomplished, the controls address the question of why the system is performing those particular functions.
documentation
Name a model used for assessing the security engineering aspects of the target organization.
The SSE-CMM architecture is designed to enable a determination of a security engineering organization’s process maturity across the breadth of security engineering.
The building of infrastructure and corporate culture that establishes methods, practices, and procedures is called ______________.
Institutionalization
A(n) _________ practice should be applied across the life cycle of the enterprise, and should not specify a particular method or tool.
base
Auditing
One of the most fundamental control structures; it verifies that a system is performing the functions that it should. Two forms: the record of changes of state of a system; a systematic process that examines and verifies a system (the system is evaluated to determine if it is functioning correctly).
Control structures
The main tools used to minimize/prevent the three types of system failures. Classified into four categories: auditing, application controls, modeling controls and documentation controls.
SSE-CMM (System Security Engineering Capability Maturity Model)
Model that guides improvement in the practice of security engineering through small incremental steps thereby developing a culture of continuous process improvement. The model is also a means of providing a structured approach for identifying and designing a range of controls.
All security breaches, without exception, are the result of a system failure and fall into one of three categories. The three categories are:
1. Failure to perform a function that should have been executed.
2. Performance of a function that should not have been executed.
3. Performance of a function that produced an incorrect result.
So in effect it's either: didn't do it, did it but shouldn't have, or did it and got the wrong answer.
What are the three essential components of risk management?
risk assessment
risk mitigation
risk evaluation
Risk assessment considers _______ to be a function of the likelihood of a given threat resulting in certain __________________.
risk
vulnerabilities
What essential Information Security Principles do the following interview questions address?
What is the potential business impact if the information were disclosed?
What are the effects on the organization if the information is not reliable?
To what extent can the system downtime be tolerated?
They address the security principles associated with system characterization, namely operation information that relates to the functional requirements of the system, the stakeholders of the system, and security policies and architectures governing the IT system.
An indication of impending danger or harm is called a ________________.
threat
A weakness that can be accidentally triggered or intentionally exploited is called a ____________.
vulnerability
In attempts to identify all sorts of threats, it is useful to consider them as being ____________ or _____________.
Intentional
Unintentional
The three elements in calculating the likelihood that any vulnerability will be exercised include source of the threat, the nature of the vulnerability and the ______________ of the controls.
effectiveness
The three essential components of risk management are _________________, _______________, and ________________.

(Components of Risk Mgmt)
risk assessment
risk mitigation
risk evaluation
A critical aspect of risk assessment is to determine the _____________ of the IT system.
scope
An assessment of the ______________ security environment is also essential. This is often overlooked and emphasis is placed on technical controls.
physical
The level of risk for a particular threat or vulnerability can be expressed as a function of:
* The ____________of a given threat exercising the vulnerability
* The ____________ of the impact of the threat
* The ____________ of planned or existing security controls
likelihood
magnitude
adequacy
Vulnerabilities which usually result from inadequate supervision, negligent persons, and natural disasters such as fires and floods are classified as ______________ vulnerabilities.
physical
Risk ___________ involves the process of prioritizing, evaluating, and implementing appropriate controls.
Mitigation
In dealing with risks and identifying controls, what three options may be considered?
Do nothing.
Risk prevention
Risk recognition
Security of informal systems is no more than ensuring that the __________ of the belief systems stays intact.
integrity
In terms of managing information system security, it is important that we focus our attention on maintaining the _____________, ______________and ______________of the people.
behavior
values
integrity
A sign is a result of a mental connection between a(n) _________-_____________ and the content.
sign-vehicle
Relationship between a sign and a concept is ________________.
causal
Relationship between a(n) _____________ and a(n) _______________ is grounded in reality.
thought
referent
The relation between a concept and a sign, besides other influences, is significantly impacted by ___________ and ___________________ factors.
social
psychological
Underlying the _____________ messages are attitudes that people might have.
silent
Changes in an organization are usually the starting point for __________________ in an existing security culture.
disruptions
The management of information system security connotes the management of integrity of _____________.
operations
There is a(n) ___________ - ____________ relationship between an antagonistic behavior, breakdown in communication, and a possible security breach.
cause-effect
ISO 17799
One of the main IS security standards and it presents a comprehensive set of controls and best practices that all organizations should adopt.
Pragmatics
the term used to describe the context of activity, the characteristics of the people and the prevalent acts of communication
Security of informal systems is no more than ensuring that the _________________ of the belief systems stays intact.
integrity
In terms of managing information system security, it is important that we focus our attention on maintaining the _______________, _______________, and ________________ of the people.
behavior
values
integrity
A sign is a result of a mental connection between a(n) ________________ and the content.
sign-vehicle
Relationship between a(n) _____________ and a(n) ______________ is grounded in reality.
thought
referent
The relation between a concept and a sign, besides other influences, is significantly impacted by _____________ and ______________ factors.
social
psychological
Underlying the ______________ messages are attitudes that people might have.
silent
Changes in an organization are usually the starting point for ________________ in an existing security culture.
disruptions
The management of information system security connotes the management of integrity of ____________________.
communications
There is a(n) ______________ _______________ relationship between an antagonistic behavior, breakdown in communications and a possible security breach.
cause-effect
Noncompliance with security policy results in inadequate training programs, which in turn questions the _______________ of the operations and the _______________ of the people.
integrity
competence
Lack of competence in managing security is a serious threat, resulting in security being considered as a(n) __________________.
afterthought
Corporate Governance
refers to the system by which corporations are directed and controlled. The governance structure specifies the distribution of rights and responsibilities among different participants in the corporation and specifies the rules and procedures for making decisions in corporate affairs.
Security breach
unauthorized access to data and applications. An act from outside an organization that bypasses or contravenes security policies, practices, or procedures.
Security Culture
the totality of patterns of behavior in an organization that contribute to ensuring protection of information resources of all kinds in a firm (guards the integrity of the organization)
COBRA (COst estimation, Benchmarking, and Risk Assessment)
utilizes both expert knowledge (experienced estimators) and a limited amount of quantitative project data
HIPAA (Health Insurance Portability and Accountability Act)
Primary purpose was to improve Medicare and the Social Security Act as well as the efficiency and effectiveness of the healthcare system through the development of a health information system with established standards and requirements for the electronic transmission of health information. Mandates a set of rules to assure the confidentiality of any patient-related information. What many people failed to realize when this act was instituted was that it included oral or spoken information as well.
Information Security
The practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
SOX (Sarbanes-Oxley Act)
The Act provides rules, regulations and standards that businesses must comply with and that result in disclosure, documentation, and storage of corporate documentation. Aimed at strengthening corporate governance of enterprise financial practices.