Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
22 Cards in this Set
- Front
- Back
|
What is the purpose of functional requirements evaluation?
|
Functional requirements evaluation determines if the solution carries out the required tasks.
|
|
|
What is the purpose of assurance requirements evaluation?
|
Assurance requirements evaluation determines the level of protection provided by this solution.
|
|
|
In what order should the security concepts be evaluated?
|
1. Threat
2. Exposure 3. Vulnerability 4. Countermeasures (safeguards) 5. Risk |
|
|
What are the three types (areas) of security planning
|
Strategic
Tactical Operational |
|
|
What primary activities comprise risk management?
|
Risk assessment
Risk mitigation |
|
|
What underlying activity, along with risk assessment and risk mitigation, comprises risk management?
|
Uncertainty analysis
|
|
|
What are the goals of risk analysis?
|
1. Identify assets and their values
2. Identify vulnerabilities and threats 3. Quantify the probability and business impact of these potential threats 4.Provide an economic balance between the impact of the threat and the cost of the countermeasure. |
|
|
The major objective of system configuration management is which of the following?
System maintenance System stability System operations System tracking |
System stability
|
|
|
The preliminary steps to security planning
|
Establish objectives
List planning assumptions Determine alternate courses of action |
|
|
The necessary steps to help protect the company and its resources from possible risks have been taken
|
Due Care
(Do Correct) |
|
|
Computer security should be first and foremost ...
|
cost-effective
|
|
|
Activities that make sure that the protection mechanisms are continually maintained and operational
|
Due Diligence
(Do Detect) |
|
|
Category of the following controls:
• Policy and procedures • Personnel controls • Supervisory structure • Security-awareness training • Testing |
Administrative
|
|
|
Category of the following controls:
• Network segregation • Perimeter security • Computer controls • Work area separation • Data backups • Cabling |
Physical
|
|
|
Category of the following controls:
• System access • Network architecture • Network access • Encryption and protocols • Control zone • Auditing |
Technical
|
|
|
Examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment
|
Threat analysis
|
|
|
Process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact.
|
Risk analysis
(risk assessment) |
|
|
Ongoing process of assessing the risk to mission/business as part of a risk-based approach used to determine adequate security for a system by analyzing the threats and vulnerabilities and selecting appropriate, cost-effective controls to achieve and maintain an acceptable level or risk.
|
Risk management
|
|
|
Three key things that must be considered for the planning and implementation of access control mechanisms
|
Threats to the system
System's vulnerability to these threats Risk that the threats may materialize |
|
|
Which of the following tasks may be performed by the same person:
1. System development and change management 2. System development and systems maintenance 3. Security administration and change management 4. Computer operations and system development |
System development and systems maintenance
|
|
|
preventive, detective, or corrective
|
Risk mitigation and risk reduction controls
|
|
|
Responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data
|
System and information owners
|
