87 Cards in this Set
- Front
- Back
Sensitivity labels are used to determine the level of data ___________ in the development of security models.
|
classification
|
|
What is Discretionary Access Control (DAC)?
|
A system that enables the owner of the resource to specify which Subjects can access it. |
|
_______ consists of management decisions, primarily pushed from higher in the organization (broader vision): wise oversight, direction and control, and strategic (long-term) direction. |
Governance |
|
What is the PCI Security Standards Council? |
An open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. (It created the PCI-DSS credit card standard.) |
|
Which law is also known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate) and the "Corporate and Auditing Accountability and Responsibility Act" (in the House)?
|
The Sarbanes–Oxley Act of 2002, commonly called Sarbanes–Oxley, Sarbox or SOX
|
|
A _____________ is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. |
security policy |
|
What are the 3 types of security policies? |
- Regulatory: ensures that the organization follows standards set by specific industry regulations (HIPAA, GLBA, SOX, PCI-DSS, etc.)
- Advisory: strongly advises employees as to which types of behaviors and activities should and shouldn't take place in the organization
- Informative: informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company |
|
Which (CIA) security function is supported by Encryption, Auditing, Hashing, and Digital Signatures? |
Integrity |
|
Which (CIA) security function is supported by Redundancy, Virtualization, Cloud Computing, Incident Response Plans, and Disaster Recovery? |
Availability (and reliability) |
|
When two (or more) physical disks are paired together in a type of RAID configuration to back up information or create multiple synchronous data sets, it is called _______. |
Disk mirroring or shadowing
|
|
This is the process by which multiple smaller disks are made to look like one large disk. |
Disk striping |
|
__________ clearly documents senior management's directives toward the role that security plays within the organization. |
The Security Policy |
|
Who determines the security classification / sensitivity and access?
|
System or Data Owner |
|
Who administers, maintains, and protects data and backs up data sets or systems? |
Data Custodian (Responsible for Daily Operation) |
|
In the IT field, what is the appropriate chain-of-command? |
A top-down approach: Senior Mgmt directs Middle Management and they direct Staff. |
|
What is GAISP? |
Generally Accepted Information Security Principles: if security starts with a solid foundation and develops over time with understood goals and objectives, a company should not need to make drastic changes. (old standard)
|
|
___________ means tested for current compliance. |
Certification |
|
This model was created by the Software Engineering Institute. It was originally used to rate the quality of software developers. It helps to improve an organization's processes used to develop software and describes what is needed for a development organization to be successful. |
CMMI (Capability Maturity Model Integration (best practices)) |
|
What common control framework has an emphasis on IT services and IT service management? |
IT Infrastructure Library (ITIL) |
|
Control objectives for IT governance are known as? |
COBIT (Controls for IT regulatory compliance) |
|
What common control framework is the ISO/IEC Joint Standard ISM for governance management requirements? |
ISO/IEC 27001 (Governance) |
|
What common control framework is the ISO/IEC Joint Standard ISM for defining information security controls? |
ISO/IEC 27002 (Controls) |
|
What refers to your degree of legal responsibility as an intermediary defendant in a business-to-business tort lawsuit? |
Downstream Liability |
|
What is a model for corporate governance (not IT governance) that has to do with money? |
COSO or CO$O
(Committee of Sponsoring Organizations) |
|
What are the 4 elements of the COBIT model? |
Organization Design/Strategy, People, Process, Technology |
|
What defines a minimum acceptable level of security? |
Baselines
|
|
What are Guidelines? |
Recommended best practices to follow (not mandatory) |
|
What describes how long systems can be down before affecting the mission? |
MTD - Maximum Tolerable Downtime |
|
Who is the executive in charge of IT? |
CIO (Chief Information Officer) |
|
Who in an organization is focused on IT and IT Risk Management? |
CISO (Chief Information Security Officer) |
|
What is PCI-DSS? |
Payment Card Data Security (Payment Card Industry (PCI) Data Security Standard) |
|
What do the ISO/IEC joint ISM standards 27001, 27002, 27003, 27004 and 27799 each cover?
|
- 27001: IT Governance
- 27002: Controls
- 27003: Implementation
- 27004: Measurement
- 27799: Health (using 27002) |
|
What is the "Plan, Do, Check, Act" (PDCA) model? |
COBIT |
|
What open standard for information security infrastructure development is a life-cycle model focused on risk? |
SABSA (Sherwood Applied Business Security Architecture) |
|
_____________ is defined as the likelihood of occurrence of a threat and the corresponding loss or negative business outcomes. |
Risk |
|
______________ is a process that helps in identifying risks, rating the risks, and choosing the controls that are used for reducing the risks. |
Risk analysis and assessment |
|
_________________ is the process of analyzing all business functions and their inter-dependencies, then evaluating the effect that specific disaster scenarios may have upon them. |
Business Impact Analysis (BIA) |
|
_______________ is the overall systematic team approach to analyzing risk and implementing controls to minimize loss. |
Risk Management |
|
Define Due Diligence and Due Care |
- Due Diligence: the act of gathering the necessary information so the best decision-making activities can take place
- Due Care: pertains to acting responsibly and "doing the right thing." |
|
Culpable (wrongful) ________ is often used to prove liability. |
negligence |
|
__________ states that a person should perform duties that prudent (sensible) people would exercise in similar circumstances to protect assets. |
U.S. Prudent Person Rule (from 1830) |
|
What law (2002) pertains to accurate corporate accountability with regards to financial record-keeping? |
Sarbanes-Oxley (SOX)
|
|
Regarding US Legal and regulatory compliance: __________ pertains to banking consumer privacy and information disclosure. |
Gramm-Leach-Bliley (GLB) |
|
What is the HIPAA Security Rule? |
Requires reasonable and appropriate safeguards to ensure the CIA of electronic protected health information.
|
|
What financial privacy law mandates a set of both internal procedures and independent audits to ensure accurate financial disclosure by public companies? |
U.S. Sarbanes-Oxley Act of 2002 or SOX or $OX |
|
What law protects kids' data under 13 years of age? |
U.S. Children's Online Privacy Protection Act (COPPA) |
|
What law protects students' data? |
FERPA (Family Educational Rights and Privacy Act) |
|
People have a reasonable expectation of privacy, based on ________. |
4th Amendment
|
|
Define: Event, Incident, Breach, Data Disclosure |
- Event: Something of note
- Incident: Negative impact
- Breach: Unauthorized access
- Data Disclosure: Confirmed loss of control (disclosed data/information) |
|
This type of law defines regulatory standards (mandatory regulations) for the performance and conduct of public bodies, including private companies and Federal Agencies. |
Administrative Laws |
|
This type of law deals with legal suits over wrongs against individuals or companies that result in damages or loss. |
Civil or Tort Law |
|
This type of law deals with crimes against society. |
Criminal Law |
|
These laws protect products of the mind from piracy and license violations. |
Intellectual property law |
|
____________ Indicators help an organization define and measure progress toward organizational goals. |
Key Performance Indicators (KPI) also known as Key Success Indicators (KSI) |
|
Describe the differences between these crimes: computer-targeted, computer-assisted, computer-incidental. |
- Targeted: the computer is the victim
- Assisted: the PC is the tool used to conduct the crime
- Incidental: a computer is used, but is neither attacked nor attacking (such as storing illegal files) |
|
What are the 3 intellectual property laws? |
- Copyright: Music, movies, paintings (lifetime of author plus 70 yrs, 75 yrs for businesses)
- Trade Secrets: confidential business secrets
- Trademark: unique design or phrase (10 yrs + 10 yrs) |
|
As opposed to intellectual property (intangible), what protects tangible property? |
Patents (not intellectual property) (good for 20 yrs) |
|
What is the Wassenaar Arrangement regarding encryption? |
Allows for the transportation of laptops with encryption software for personal use in many (but not all) countries. |
|
What is "Safe Harbor" regarding international data flow? |
Permits U.S.-based organizations to certify themselves as properly handling private data belonging to European citizens. |
|
What is Trans-border Data Flow? |
The flow of electronic data across political boundaries, such as between states or countries. |
|
What are the 4 ISC2 code of ethics canons in order of importance and priority? (priority order is for conflicts of interest) Hint: Advance, Provide, Act, Protect |
1. Protect society, the commonwealth (nation), and the infrastructure
2. Act honorably, honestly, justly, responsibly, and legally
3. Provide diligent and competent service to principals (employers)
4. Advance and protect the profession |
|
What is the difference between laws, ethics, and policies? |
- Laws: rules/regulations made by government that require/prohibit certain behavior in a society
- Ethics: define socially accepted behavior (peers)
- Policies: rules for employees in a workplace
Laws are enforced by government; breaking ethics/policies is frowned upon, but not enforced by law |
|
What are Standards? |
Compulsory rules that dictate how hardware and software are to be used and the expected behavior of employees. (Binding/mandatory) |
|
What is a minimum level of security that is required throughout an organization? (Binding/mandatory) |
Baseline |
|
What are detailed step-by-step actions to be taken to achieve specific tasks? (Binding/mandatory) |
Procedures |
|
What are recommended actions and operational guides for users and staff members where standards do not apply? (non-Binding/non-mandatory) |
Guidelines |
|
What are the three cornerstones of ITIL? (still holds true today) |
Technology, processes, and people |
|
NIST, OCTAVE, CRAMM, SOMAP, and VAR (Value at Risk Quantile measurement) are all ____________ models. |
Risk assessment and management models
|
|
In NIST Risk Assessment (and other generic plans) what is the appropriate first step? |
Identify the purpose (and scope) of the assessment
|
|
In NIST Risk Assessment (and other generic plans) what is the appropriate second step?
|
Identify threats, events, and vulnerabilities |
|
Calculation of ALE. Terms: Asset Value (AV), Exposure Factor (EF %), Single Loss Expectancy (SLE), Annualized Loss Expectancy (ALE), Annualized Rate of Occurrence (ARO). Given: building worth $200K, EF = 50%, ALE = every 5 yrs. How to calculate? |
AV = $200K, EF% = .50, SLE = $100K, ARO = 5, ALE = $20K
AV * EF = SLE
SLE * ARO = ALE
Don't spend more than $20K/year in countermeasures against this risk. |
|
AV * EF (%) = ____
and SLE * ARO = ____ |
SLE, ALE |
|
What is residual risk? |
Total Risk - security controls = control gaps (or residual risk) |
|
What is total risk? |
Any risk that exists before controls are applied |
|
What is accepted risk? |
A risk the company chooses to live with without any implemented countermeasures. |
|
What is Threat * Vulnerability * Asset Value? |
Total Risk
|
|
What are the 6 RMF steps? (also good for a holistic view of risk management) Moniker: "Cat Sat on Its Assets All Morning" |
1. Categorize
2. Select
3. Implement
4. Assess
5. Authorize and Certification
6. Monitor (ongoing) |
|
What are the 7 RMF common control categories? (DDPCDCR) |
- Directive (Tell: no smoking)
- Deterrent (Fine if smoking)
- Preventative (Take away cigarettes)
- Compensatory (Smoking area)
- Detective (Smoke detector)
- Corrective (Return to original baseline)
- Recovery (Restoration) |
|
What are the 4 RMF common control types? (APLR) |
- Administrative Controls (policies, procedures, audits, etc.)
- Physical Controls (protect the physical facility)
- Logical/Technical Controls (digitally restrict access)
- Regulatory/Compliance Controls (mandated by law) |
|
The 7 common control categories and 4 common control types of RMF are mutually... |
inclusive (a control appears on both lists): it can fall under multiple categories, but only one type |
|
______________ provides a structure for informed decision-making about risk management. |
Threat Modeling |
|
What do the letters of the STRIDE Threat Modeling acronym cover? |
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege |
|
Training is what type of control? |
Administrative |
|
What are the 4 COBIT Domains? |
Plan/Organize, Acquire/Implement, Deliver/Support, Monitor/Evaluate (NOT Maintain/Certify) |
|
What is the difference between COSO and Sarbanes-Oxley (SOX)? |
COSO is a governing framework. SOX is a law that requires compliance with the COSO framework and holds executives legally accountable. |
|
What is the Delphi Technique? |
A group decision method where each group member can communicate anonymously. |
|
What is risk avoidance? |
Changing or stopping an activity that is causing the risk. |