38 Cards in this Set
- Front
- Back
- 3rd side (hint)
Confidentiality |
Ensures information is not made available or disclosed to unauthorised individuals or processes. |
Not for unauthorised |
|
Integrity |
The property of safeguarding the accuracy and completeness of assets. |
Safeguarding accuracy |
|
Availability |
The property that information is accessible and usable on demand to authorised entities |
Accessible and usable on demand |
|
Security Policy |
A high level statement of the security objectives and principles of an organisation. |
Security objectives and principles |
|
A role |
A participant with specific tasks to perform. The roles in a procedure must each be assigned to an individual person before the procedure is carried out. |
Specific tasks for individuals |
|
Control |
Measures put in place to address specific security risks. |
measures to reduce specific risk |
|
Security Risk Assessment |
A process designed to identify, analyse and evaluate the risks to an organisation's information assets. |
Identify threats to assets |
|
Information security |
The preservation of confidentiality, integrity and availability of information assets. |
preservation CIA of assets |
|
Information security management |
The set of processes, procedures and people that seek to ensure information security. |
processes and procedures and people |
|
Information security management system (ISMS) |
Consists of all the resources and activities collectively managed by an organisation in the pursuit of protecting its information assets. |
Resources an organisation uses to protect its assets |
|
ISO/IEC 27000 |
Defines terminology and gives the ISO/IEC view of an ISMS, which an organisation uses to manage its information security risks and controls. |
Defines terminology and sets out view of what an ISMS is |
|
ISO/IEC 27001 |
A framework for security management and the key standard of the series: it specifies the requirements an ISMS must meet, i.e. what an organisation must do to claim compliance with (and be certified against) the ISO/IEC 27000 series. |
Defines what an organisation must do for compliance |
|
ISO/IEC 27002 |
Provides a catalogue of security controls and gives guidance on their use. |
catalogue of controls and guidance on use |
|
ISO/IEC 27003 |
Provides guidance on the IMPLEMENTATION of an ISMS |
guidance on implementation |
|
ISO/IEC 27004 |
Provides guidance on how to measure the effectiveness of an ISMS and the associated controls. |
measure effectiveness |
|
ISO/IEC 27005 |
Standard concerned with risk management |
risk management |
|
ISO/IEC 27007 and 27008 |
Standards relating to auditing an ISMS (27007: guidelines for auditing an ISMS; 27008: guidance for auditors on assessing information security controls). |
audit |
|
Information security risk management |
The process of managing risks, i.e. identifying and assessing risks with the goal of reducing them to acceptable levels. |
managing risks, identify and assess to reduce risks |
|
Information security risk management areas |
Consists of six major areas: context establishment, risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance. |
ContIdAnEvaTrAc |
|
Fundamental principles given in ISO/IEC 27000 for the design and implementation of an ISMS 1 of 9 |
Awareness of the need for information security |
awareness of the need for security |
|
Fundamental principles given in ISO/IEC 27000 for the design and implementation of an ISMS 2 of 9 |
Assignment of responsibility |
assign responsibility |
|
Fundamental principles given in ISO/IEC 27000 for the design and implementation of an ISMS 3 of 9 |
Incorporating management commitment and the interest of stakeholders |
commitment from management |
|
Fundamental principles given in ISO/IEC 27000 for the design and implementation of an ISMS 4 of 9 |
Enhancing societal values |
enhance values |
|
Fundamental principles given in ISO/IEC 27000 for the design and implementation of an ISMS 5 of 9 |
Risk assessments determining appropriate controls to reach acceptable levels of risk |
RA for appropriate controls |
|
Fundamental principles given in ISO/IEC 27000 for the design and implementation of an ISMS 6 of 9 |
Security incorporated as an essential element of information networks and systems. |
incorporate security as essential element |
|
Fundamental principles given in ISO/IEC 27000 for the design and implementation of an ISMS 7 of 9 |
Active prevention and detection of information security incidents |
active prevention and detection |
|
Fundamental principles given in ISO/IEC 27000 for the design and implementation of an ISMS 8 of 9 |
Ensuring a comprehensive approach to information security management |
ensure comprehensive approach |
|
Fundamental principles given in ISO/IEC 27000 for the design and implementation of an ISMS 9 of 9 |
Continual reassessment of information security and making of modifications as necessary. |
continual reassessment |
|
ISO/IEC 27005 clauses |
Context establishment, risk identification, risk analysis, risk evaluation, risk treatment, risk acceptance |
ContIdAnEvaTrAc |
|
ISO/IEC 27001 clauses |
Context of the organisation, leadership, planning, support, operation, performance evaluation, improvement |
ConLePlaSupOpPEvalIm |
|
Types of control (the four risk treatment options) |
Eliminate (risk avoidance), Reduce (risk reduction), Transfer (risk transfer), Accept (risk acceptance) |
4 types EliReTrAc |
|
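The risk management steps on the cards above (analysis, evaluation, treatment, acceptance) and the four treatment options are easiest to see run over a small risk register. The block below is an added worked example, not part of the flashcard set or of ISO/IEC 27005; the register entries, the scoring scale (likelihood x impact on 1 to 5 scales) and the acceptance threshold are constructed assumptions, and the rules that pick a treatment option are an illustrative policy, not rules from the standard.

```python
from dataclasses import dataclass

# Constructed acceptance criteria, fixed during context establishment (assumed values).
ACCEPTABLE_RISK = 6    # a risk level at or below this is accepted without further treatment
AVOID_THRESHOLD = 20   # at or above this, with no cheap control, the activity is stopped


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int        # 1 (rare) to 5 (almost certain)
    impact: int            # 1 (negligible) to 5 (severe)
    control_cost: int      # 1 (cheap) to 5 (very expensive) for the best available control
    transferable: bool = False   # insurance or a contractual transfer is available

    @property
    def level(self) -> int:
        """Risk analysis: estimate the risk level as likelihood x impact."""
        return self.likelihood * self.impact


def needs_treatment(risk: Risk) -> bool:
    """Risk evaluation: compare the analysed level with the acceptance criterion."""
    return risk.level > ACCEPTABLE_RISK


def choose_treatment(risk: Risk) -> str:
    """Risk treatment: pick one of the four options from the card.
    These decision rules are a constructed policy for the example only."""
    if not needs_treatment(risk):
        return "accept"          # risk acceptance: already within the criterion
    if risk.transferable and risk.control_cost >= 4:
        return "transfer"        # cheaper to insure/contract away than to control
    if risk.level >= AVOID_THRESHOLD and risk.control_cost >= 4:
        return "eliminate"       # stop the activity (e.g. decommission the system)
    return "reduce"              # apply a control to bring the level down


def treatment_plan(register: list) -> list:
    """Run analysis, evaluation and treatment over a register; highest risk first.
    Returns (asset, level, treatment) tuples."""
    ranked = sorted(register, key=lambda r: r.level, reverse=True)
    return [(r.asset, r.level, choose_treatment(r)) for r in ranked]


# Constructed register (the output of risk identification) for demonstration only.
REGISTER = [
    Risk("customer database", "credential theft via leaked cloud keys", 4, 5, 2),
    Risk("legacy FTP server", "unauthenticated access to archived data", 5, 5, 5),
    Risk("card payment service", "third-party processor outage", 3, 4, 5, transferable=True),
    Risk("shared office printer", "printouts left in the output tray", 2, 1, 1),
]

if __name__ == "__main__":
    for asset, level, action in treatment_plan(REGISTER):
        print(f"{level:>3}  {action:<9} {asset}")
```

Running it ranks the FTP server (25, eliminate) above the customer database (20, reduce), the payment service (12, transfer) and the printer (2, accept), so every option on the card is exercised once. In practice the acceptance threshold and the cost figures come from the context-establishment step and the register is reviewed continually, matching principle 9 of 9 above.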
Describe a real world security breach |
Uber (2016 breach, disclosed in 2017): personal information of 57 million users and 600,000 drivers exposed. The attackers found credentials for Uber's AWS account in a private GitHub repository and used them to reach the data. Uber paid the attackers $100,000 to destroy the data; its valuation subsequently fell from about $68bn to $48bn. |
57m usrs/600k drivers - aws/github |
|
Security Culture |
Culture that impacts the security of an organisation, both in positive and negative ways. |
generally accepted behaviours in an organisation |
|
Security-conscious culture |
The lead must come from top management; a security-conscious culture reduces the number of incidents. |
reduce security incidents. |
|
Acceptable use policy |
Also known as an end-user code of practice; defines the standards for the use of information and communication systems by employees. |
end user code of practice, that defines how employees should use company's systems. |
|
Segregation of duties |
The principle that one person may not perform the duties of more than one role where a conflict of interest could arise. |
Separate roles to avoid conflict of interests. |
|
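Segregation of duties is enforced in practice by checking role assignments against a list of conflicting role pairs, both when auditing existing assignments and before granting a new role; the card on roles earlier (each role in a procedure assigned to an individual beforehand) is the same check applied when staffing a procedure. The block below is an added example, not code from the flashcard set; the role names, the conflict matrix and the staff list are constructed for the demonstration.

```python
from itertools import combinations

# Constructed conflict matrix: pairs of roles one person must not hold at once.
# The role names are illustrative, not taken from any standard.
CONFLICTING_ROLES = {
    frozenset({"raise_purchase_order", "approve_purchase_order"}),
    frozenset({"developer", "production_deployer"}),
    frozenset({"security_auditor", "system_administrator"}),
}


def conflicting_pairs(roles) -> set:
    """Every conflicting pair present in one person's set of roles."""
    return {
        frozenset(pair)
        for pair in combinations(sorted(set(roles)), 2)
        if frozenset(pair) in CONFLICTING_ROLES
    }


def find_violations(assignments: dict) -> dict:
    """Audit an existing person -> roles mapping. Returns person -> sorted conflicts."""
    violations = {}
    for person, roles in assignments.items():
        found = conflicting_pairs(roles)
        if found:
            violations[person] = sorted(tuple(sorted(p)) for p in found)
    return violations


def can_assign(assignments: dict, person: str, new_role: str) -> bool:
    """Preventive check run before granting a role: refuse if it would create a conflict."""
    current = assignments.get(person, [])
    return not conflicting_pairs(list(current) + [new_role])


def staff_procedure(required_roles, assignments: dict) -> dict:
    """Assign each role a procedure needs to a distinct person who holds that role,
    before the procedure runs. Raises ValueError if it cannot be staffed that way."""
    staffed = {}
    for role in required_roles:
        candidates = [p for p, roles in assignments.items()
                      if role in roles and p not in staffed.values()]
        if not candidates:
            raise ValueError(f"no distinct person available for role {role!r}")
        staffed[role] = sorted(candidates)[0]   # deterministic pick for the example
    return staffed


# Constructed staff list for demonstration only.
ASSIGNMENTS = {
    "alice": ["developer", "production_deployer"],
    "bob": ["raise_purchase_order", "developer"],
    "carol": ["approve_purchase_order", "security_auditor"],
    "dave": ["system_administrator"],
}

if __name__ == "__main__":
    print("violations:", find_violations(ASSIGNMENTS))
    print("bob may approve POs:", can_assign(ASSIGNMENTS, "bob", "approve_purchase_order"))
    print("purchase procedure:", staff_procedure(
        ["raise_purchase_order", "approve_purchase_order"], ASSIGNMENTS))
```

The audit flags alice (developer and production deployer), the preventive check refuses to let bob approve the purchase orders he raises, and the purchase procedure is staffed with bob raising and carol approving. Staffing the release procedure fails, because alice is the only deployer and also a developer, which is exactly the situation the control is meant to surface.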
Audit |
Provides third party assurance to stakeholders that the subject matter is free from material misstatements |
free from material misstatements |
|
Business continuity |
Is the ability of an organisation to maintain essential functions during, as well as after, a disaster has occurred. |
Business recover, during after.. disaster |