87 Cards in this Set
Sensitivity labels are used to find the level of data ___________ in the development of security models?
What is Discretionary Access Control (DAC)?

A system that enables the owner of the resource to specify which Subjects can access it.

_______ is management decisions, primarily pushed from higher in the organization (broader vision), wise oversight, direction & control, strategic (long term) direction.


What is the PCI Security Standards Council?

An open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. (made the PCI-DSS credit card standard)

Also known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate) and the "Corporate and Auditing Accountability and Responsibility Act" (in the House).

The Sarbanes–Oxley Act of 2002, commonly called Sarbanes–Oxley, Sarbox or SOX

A _____________ is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.

security policy

What are the 3 types of security policies?

- Regulatory: ensures that the organization follows standards set by specific industry regulations (HIPAA, GLBA, SOX, PCI-DSS, etc.)

- Advisory: strongly advises employees as to which types of behaviors and activities should and shouldn't take place in the organization

- Informative: informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company

Which (CIA) security function is supported by Encryption, Auditing, Hashing, and Digital Signatures?


Which (CIA) security function is supported by Redundancy, Virtualization, Cloud Computing, Incident Response Plans, and Disaster Recovery?

Availability (and reliability)

When two (or more) physical disks are paired together in a type of RAID configuration to back up information or create multiple synchronous data sets, it is called _______.

Disk mirroring or shadowing

This is the process by which multiple smaller disks are made to look like one large disk.

Disk striping

__________ clearly documents senior management's directives toward the role that security plays within the organization.

The Security Policy

Who determines the security classification / sensitivity and access?

System or Data Owner

Who administers, maintains, and protects data and backs up data sets or systems?

Data Custodian (Responsible for Daily Operation)

In the IT field, what is the appropriate chain-of-command?

A top-down approach: Senior Mgmt directs Middle Management and they direct Staff.

What is GAISP?

Generally Accepted Information Security Principles: if security starts with a solid foundation and develops over time with understood goals and objectives, a company should not need to make drastic changes. (old standard)

___________ means tested for current compliance.


This model was created by the Software Engineering Institute. It was originally used to rate the quality of software developers. It helps to improve an organization's processes used to develop software and describes what is needed for a development organization to be successful.

CMMI (Capability Maturity Model Integration (best practices))

What common control framework has an emphasis on IT services and IT service management?

IT Infrastructure Library (ITIL)

Control objectives for IT Governance is known as?

COBIT (Controls for IT regulatory compliance)

What common control framework is the ISO/IEC Joint Standard ISM for governance management requirements?

ISO/IEC 27001 (Governance)

What common control framework is the ISO/IEC Joint Standard ISM for defining information security controls?

ISO/IEC 27002 (Controls)

What refers to your degree of legal responsibility as an intermediary defendant in a business to business tort lawsuit?

Downstream Liability

What is a model for corporate governance, not IT governance, and has to do with Money?

(Committee of Sponsoring Organizations)

What are the 4 elements of the COBIT model?

Organization Design/Strategy, People, Process, Technology

What defines a minimum acceptable level of security?


What are Guidelines?

Recommended best practices to follow (not mandatory)

What describes how long systems can be down before affecting the mission?

MTD - Maximum Tolerable Downtime

Who is the executive in charge of IT?

CIO (Chief Information Officer)

Who in an organization is focused on IT and IT Risk Management?

CISO (Chief Information Security Officer)

What is PCI-DSS?

Payment Card Data Security (Payment Card Industry (PCI) Data Security Standard)

What common control framework is the ISO/IEC Joint Standard ISM for 27001, 27002, 27003, 27004 and 27799?

- 27001: IT Governance

- 27002: Controls

- 27003: Implementation

- 27004: Measurement

- 27799: Health (using 27002)

What is the "Plan, Do, Check, Act" (PDCA) model?


What open standard of Information Security infrastructure development is a life cycle model focused on risks?

SABSA (Sherwood Applied Business Security Architecture)

_____________ is defined as the likelihood of occurrence of threat and the corresponding loss or negative business outcomes.


______________ is a process that helps in identifying the risk, rating the risks and the controls that are used for reducing the risks.

Risk analysis and assessment

_________________ is the process of analyzing all business functions and their inter-dependencies, then evaluating the effect that specific disaster scenarios may have upon them.

Business Impact Analysis (BIA)

_______________ is the overall systematic team approach to analyzing risk and implementing controls to minimize loss.

Risk Management

Define Due Diligence and Due Care

- Due Diligence: Due diligence is the act of gathering the necessary information so the best decision-making activities can take place.

- Due Care: Due care pertains to acting responsibly and “doing the right thing.”

Culpable (wrongful) ________ is often used to prove liability


__________ states that a person should perform duties that prudent (sensible) people would exercise in similar circumstances to protect assets.

U.S. Prudent Person Rule (from 1830)

What law (2002) pertains to accurate corporate accountability with regards to financial recordkeeping?

Sarbanes-Oxley (SOX)

Regarding US Legal and regulatory compliance:

__________ pertains to banking consumer privacy and information disclosure.

Gramm-Leach-Bliley (GLB)

What is the HIPAA Security Rule?

Requires reasonable and appropriate safeguards to ensure the CIA of electronic protected health information.

(versus the Privacy Rule, which protects PII)

What financial privacy law mandates a set of both internal procedures and independent audits to ensure accurate financial disclosure by public companies?

U.S. Sarbanes-Oxley Act of 2002 or SOX or $OX

What law protects kids' data under 13 years of age?

U.S. Children's Online Privacy Protection Act (COPPA)

What law protects students' data?

FERPA (Family Educational Rights and Privacy Act)

People have a reasonable expectation of privacy, based on ________?

4th Amendment

Define: Event, Incident, Breach, Data Disclosure

- Event: Something of note

- Incident: Negative impact

- Breach: Unauthorized access

- Data Disclosure: Confirmed loss of control (disclosed data/information)

This type of law defines regulatory standards (mandatory regulations) for the performance and conduct of public bodies, including private companies and Federal Agencies.

Administrative Laws

This type of law deals with legal suits over wrongs against individuals or companies that result in damages or loss.

Civil or Tort Law

This type of law deals with crimes against society

Criminal Law

These laws protect products of the mind from piracy and license violations.

Intellectual property law

____________ Indicators help an organization define and measure progress toward organizational goals.

Key Performance Indicators (KPI) also known as Key Success Indicators (KSI)

Describe the differences in these crimes: computer-targeted, computer assisted, computer incidental

Targeted: computer is the victim

Assisted: PC is the tool to conduct the crime

Incidental: a computer is used, but not attacked or attacking (such as storing illegal files)

What are the 3 intellectual property laws?

- Copyright: Music, movies, paintings (lifetime of author plus 70 yrs, 75 yrs for businesses)

- Trade Secrets: confidential business secrets

- Trademark: unique design or phrase (10yrs + 10 Yrs)

Versus intellectual property (intangible), what protects tangible property?

Patents (not intellectual property) (good for 20 yrs)

What is the Wassenaar Arrangement regarding encryption?

Allows for the transportation of laptops with encryption software for personal use in many (but not all) countries.

What is "Safe Harbor" regarding international data flow?

Permits U.S.-based organizations to certify themselves as properly handling private data belonging to European citizens.

What is Trans-border Data Flow?

The flow of electronic data across political boundaries, such as between states or countries.

What are the 4 ISC2 code of ethics canons in order of importance and priority? (priority order is for conflicts of interest)

Hint: Advance, Provide, Act, Protect

1. Protect society, the commonwealth (nation), and the infrastructure

2. Act honorably, honestly, justly, responsibly, and legally

3. Provide diligent and competent service to principals (employers)

4. Advance and protect the profession

What is the difference between laws, ethics, and policies?
- Laws: Rules/regulations made by gov that require/prohibit certain behavior in a society
- Ethics: defines socially accepted behavior (peers)
- Policies: rules for employees in a workplace

Laws: enforced by government. Ethics/policies: violations are frowned upon, but not enforced.

What are Standards?

Compulsory rules that dictate how hardware and software are to be used and the expected behavior of employees. (Binding/mandatory)

What is a minimum level of security that is required throughout an organization? (Binding/mandatory)


What are detailed step-by-step actions to be taken to achieve a specific task? (Binding/mandatory)


What are recommended actions and operational guides for users and staff members where standards do not apply? (non-Binding/non-mandatory)


What are the three cornerstones of ITIL? (still holds true today)

Technology, processes, and people

NIST, OCTAVE, CRAMM, SOMAP, and VAR (Value at Risk Quantile measurement) are all ____________ models.

Risk assessment and management models

In NIST Risk Assessment (and other generic plans) what is the appropriate first step?

Identify the purpose (and scope) of the assessment

In NIST Risk Assessment (and other generic plans) what is the appropriate second step?

Identify threats, events, and vulnerabilities

Calculation of ALE: what are the terms?

- Asset Value (AV)

- Exposure Factor (EF %)

- Single Loss Expectancy (SLE)

- Annualized Loss Expectancy (ALE)

- Annualized Rate of Occurrence (ARO)

Building worth $200K, EF = 50%, loss expected every 5 yrs. How to calculate?

AV = $200K, EF% = .50

SLE = $100K

ARO = 5

ALE = $20K

Don't spend more than $20K/year in countermeasures against this risk.

AV * EF (%) = ____

SLE * ARO = ____



What is residual risk?

Total Risk - security controls = control gaps (or residual risk)

What is total risk?

any risk that exists before controls

What is accepted risk?

A risk the company chooses to live with without any implemented countermeasures.

What is Threat * Vulnerability * Asset Value?

Total Risk

What are the RMF 6 steps? (also good for holistic view of risk management)

Moniker: "Cat Sat on Its Assets All Morning"

1. Categorize

2. Select

3. Implement

4. Assess

5. Authorize (certification)

6. Monitor (ongoing)

What are the RMF 7 common control categories?


Directive (Tell - no smoking)

Deterrent (Fine if smoking)

Preventative (Take away cigarettes)

Compensatory (Smoking area)

Detective (Smoke Detector)

Corrective (Return to original baseline)

Recovery (Restoration)

What are the 4 RMF common control types?


- Administrative Controls (policies, procedures, audits, etc.)

- Physical Controls (protects physical facility)

- Logical/Technical Controls (digitally restrict access)

- Regulatory/Compliance Controls (mandated by law)

The 7 common control categories and 4 common control types of RMF are mutually...

inclusive (a control appears on both lists):

- it can fall into multiple categories

- but only one type

______________ provides a structure for informed decision making about risk management.

Threat Modeling

What do the letters of the STRIDE Threat Modeling acronym cover?

Information Disclosure

Denial of Service

Elevation of Privilege

Training is what type of control?


What are the 4 COBIT Domains?

(NOT Maintain/Certify)

What is the difference between COSO and Sarbanes-Oxley (SOX)?

COSO is a governing framework

SOX is a law that requires compliance with COSO framework and holds executives legally accountable.

What is the Delphi Technique?

A group decision method where each group member can communicate anonymously.

What is risk avoidance?

Change an activity that is causing risk.