26 Cards in this Set
• A vulnerability is the absence of a safeguard (in other words, it is a weakness) that can be exploited.
• A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.
• A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
• Reducing vulnerabilities and/or threats reduces risk.
• An exposure is an instance of being exposed to losses from a threat.
• A countermeasure, also called a safeguard, mitigates the risk.
• A countermeasure can be an application, software configuration, hardware, or procedure.
• If someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if a security breach takes place.
• Security management has become more important over the years because networks have evolved from centralized environments to distributed environments.
• The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.
• Strategic planning is long term, tactical planning is midterm, and operational planning is day to day. These make up a planning horizon.
• ISO/IEC 27002 (formerly ISO 17799 Part 1) is a comprehensive set of controls comprising best practices in information security and provides guidelines on how to set up and maintain security programs.
• Security components can be technical (firewalls, encryption, and access control lists) or nontechnical (security policy, procedures, and compliance enforcement).
• Asset identification should include tangible assets (facilities and hardware) and intangible assets (corporate data and reputation).
• Project sizing, which means to understand and document the scope of the project, must be done before a risk analysis is performed.
• Assurance is a degree of confidence that a certain security level is being provided.
• CobiT is a framework that defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
• CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
• ISO/IEC 27001 is the standard for the establishment, implementation, control, and improvement of the Information Security Management System.
• Security management should work from the top down (from senior management down to the staff).
• Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly.
• Which security model a company should choose depends on the type of business, its critical missions, and its objectives.
• The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy.
• Risk can be transferred, avoided, reduced, or accepted.
• An example of risk transference is when a company buys insurance.
• Ways to reduce risk include improving security procedures and implementing safeguards.
• (Threats × vulnerability × asset value) × controls gap = residual risk
• Threats × vulnerability × asset value = total risk
• The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
• Information risk management (IRM) is the process of identifying, assessing, and reducing risk to an acceptable level and implementing the right mechanisms to maintain that level of risk.
• Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
• A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.
• A quantitative risk analysis attempts to assign monetary values to components within the analysis.
• A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
• Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
• When determining the value of information, the following issues must be considered: the cost to acquire and develop data; the cost to maintain and protect data; the value of the data to owners, users, and adversaries; the cost of replacement if the data is lost; the price others are willing to pay for the data; lost opportunities; and the usefulness of the data.
• Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
• Single loss expectancy (SLE) is the amount that could be lost if a specific threat agent exploited a vulnerability.
• Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE).
• Qualitative risk analysis uses judgment and intuition instead of numbers.
• Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
• The Delphi technique is a group decision method where each group member can communicate anonymously.
• When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
• A security policy is a statement by management dictating the role security plays in the organization.
• Procedures are detailed step-by-step actions that should be followed to achieve a certain task.
• A standard specifies how hardware and software are to be used. Standards are compulsory.
• A baseline is a minimum level of security.
• Guidelines are recommendations and general approaches that provide advice and flexibility.
• Job rotation is a control to detect fraud.
• Mandatory vacations are a control type that can help detect fraudulent activities.
• Separation of duties ensures no single person has total control over an activity or task.