35 Cards in this Set
Enterprise-wide Security Program |
consists of technologies, procedures, and processes |
|
Availability / Integrity / Confidentiality |
All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles. |
|
Availability |
Protection that ensures reliability and timely access to data and resources for authorized individuals |
|
Integrity |
Upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented |
|
Confidentiality |
Ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. |
|
Balanced Security: Availability |
Redundant array of inexpensive disks (RAID); clustering; load balancing; redundant data and power lines; software and data backups; disk shadowing; co-location and off-site facilities; roll-back functions; fail-over configurations |
|
Balanced Security: Integrity |
Hashing (data integrity); configuration management (system integrity); change control (process integrity); access control (physical and technical); software digital signing; transmission CRC functions |
|
Balanced Security: Confidentiality |
Encryption for data at rest (whole disk, database encryption); encryption for data in transit (IPSec, SSL, PPTP, SSH); access control (physical and technical) |
|
Vulnerability |
A lack of a countermeasure, or a weakness in a countermeasure that is in place. Examples: a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers or workstations. |
|
Threat |
Any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as the threat agent. |
|
Risk |
The likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner. |
|
Exposure |
An instance of being exposed to losses. A vulnerability exposes an organization to possible damages. |
|
Control |
A countermeasure put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or reduces the likelihood that a threat agent can exploit it. |
|
Countermeasure |
Applying the right countermeasure can eliminate the vulnerability and exposure and thus reduce risk. The organization cannot eliminate the threat agent, but it can protect itself and prevent this threat agent from exploiting vulnerabilities within the environment. |
|
Control types |
Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: Administrative, Technical, and Physical. |
|
Administrative Controls |
Commonly referred to as "soft controls" because they are more management-oriented |
|
Technical Controls |
Also known as logical controls; software and hardware components such as firewalls, IDS, encryption, and identification and authentication mechanisms |
|
Physical Controls |
Protect facilities, personnel, and resources |
|
Defense in Depth |
Coordinated use of multiple security controls in a layered approach. A multilayered defense system minimizes the probability of successful penetration and compromise because an attacker would have to get through several different types of protection mechanisms before gaining access to the critical assets. |
|
Different functionalities of security controls are: |
Preventive, detective, corrective, deterrent, recovery, and compensating |
|
Deterrent |
Intended to discourage a potential attacker |
|
Preventive |
Intended to prevent an incident from occurring |
|
Corrective |
Fixes components or systems after an incident has occurred |
|
Recovery |
Intended to bring the environment back to regular operations |
|
Detective |
Helps identify an incident's activities and potentially an intruder |
|
Compensating |
Controls that provide an alternative measure of control |
|
British Standard 7799 (BS7799) |
Developed in 1995 by the UK government's Department of Trade and Industry and published by the British Standards Institution. The need to expand and globally standardize BS7799 was identified, and this task was taken on by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These two organizations worked together to build on top of what was provided by BS7799 and launch the new version as a global standard, known as the ISO/IEC 27000 series. |
|
ISO/IEC 27000 Series |
Serves as industry best practices for the management of security controls in a holistic manner within organizations around the world. |
|
TOGAF |
The Open Group Architecture Framework provides an approach to design, implement, and govern an enterprise information architecture. Its four architecture domains: Business Architecture; Data Architecture; Applications Architecture; Technology Architecture |
|
ADM |
Architecture Development Method; allows requirements to be continuously reviewed and the individual architectures updated as needed. |
|
Enterprise Security Architecture |
A subset of an enterprise architecture that defines the information security strategy: the layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. |
|
ISMS |
Outlines the controls that need to be put into place (risk management, vulnerability management, BCP, data protection, auditing, configuration management, physical security, etc.) and provides direction on how those controls should be managed throughout their life cycle. Specifies the pieces and parts that need to be put into place to provide a holistic security program for the organization overall, and how to properly take care of those pieces and parts. |
|
Enterprise Security Architecture (relation to ISMS) |
Illustrates how the ISMS components are to be integrated into the different layers of the current business environment. The security components of the ISMS have to be interwoven throughout the business environment and not siloed within individual company departments. |
|
Enterprise vs System Architectures |
An enterprise architecture addresses the structure of an organization. A system architecture addresses the structure of software and computing components. Organizational vs. System. |
|
COSO vs COBIT |
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission was formed in 1985 to deal with fraudulent financial activities and reporting. COSO is a model for corporate governance (strategic); COBIT is a model for IT governance (operational). SOX, the Sarbanes-Oxley Act of 2002, comes from COSO. |