67 Cards in this Set
What are the Objectives of Security? |
To provide confidentiality, integrity, and availability protection to data and resources.
Prevent, detect, and deter unauthorized Disclosure, Alteration, and Denial of access |
CIA
|
|
Alternative map to CIA
|
DAD
Disclosure / Alteration / Destruction (access denial)
Map to CIA: confidentiality = disclosure; integrity = alteration; availability = destruction |
|
|
Name the four Canons of the CISSP?
|
- Protect Society, Common Wealth, and the Infrastructure.
- Act Honorably, Honestly, Justly, Responsibly & Legally.
- Provide diligent and competent Service.
- Advance and Protect the Profession. |
In priority order
|
|
What are the three Phases of Security Planning?
|
1. Strategic
2. Tactical
3. Operational |
|
|
Who provides Policy and how does it affect everyday activity?
|
Senior Management provides Policy (broad in scope).
Mid-Level Management provides Standards.
Team leads provide Baselines, Procedures, and Guidelines. |
|
|
Cole: 7 Step Data Classification Process @ 10:44 Part B
|
1.
7. |
|
|
What does ISO 27001 provide?
|
A best practices guide for Information Security Management.
|
|
|
Name SIX Enterprise Level Architecture Processes?
|
TQM = Planning.
ITIL = Managing Quality.
COBIT = Control Points.
Six Sigma = Managing Skills and Disciplines.
CMM/CMMI = Maturing Processes.
ISO = Standards. |
|
|
Name two types of Qualitative Risk Analysis?
|
Spanning tree and ANZ 4360
|
|
|
What is ISO 17799 aka (27002-2005)?
|
Internationally recognized guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization.
|
|
|
What is the Delphi technique?
|
Each person provides their individual anonymous opinion.
|
|
|
What do the COBIT (Control Objectives for Information and Related Technology) and COSO (Committee of Sponsoring Organizations of the Treadway Commission) frameworks address?
|
What is to be achieved.
NOT how to achieve it. |
COSO is for corporate governance
COBIT is for IT governance (derived from COSO) |
|
How many objectives in the COBIT framework?
|
34 objectives achieved through ITIL processes
|
COBIT is the objective
ITIL is the process |
|
What are the 4 COBIT domains?
|
1) Plan & Organize
2) Acquire & Implement
3) Deliver & Support
4) Monitor & Evaluate |
Encompass 34 objectives
|
|
What is ITIL?
|
Information Technology Infrastructure Library
|
Framework for providing best services (practices) in IT Service Management
|
|
What are the 5 Service Management practices of ITIL?
|
1) Strategy
2) Design
3) Transition
4) Operation
5) Continual service improvement |
|
|
Name a few Risk Management models:
|
- AS/NZS 4360: 1st widely accepted
- Basel II: EU financial
- FRAP: Qualitative approach
- ISO/IEC 27005: International (extension of 27002)
- NIST SP 800-30: U.S. developed (3 phases)
- Octave: Developed by U.S. |
|
|
Risk analysis using a chart with numbers and letters that intersect - the intersection depicts a number/letter value that matches the level of risk. Impact vs Probability.
|
AS/NZS 4360 or AS/NZS ISO 31000:2009
Australian: AS; New Zealand: NZ |
|
|
3 Phases of NIST SP 800-30
|
1) Risk Assessment
2) Controls Implementation
3) Ongoing Controls Evaluation |
|
|
3 types of policies
|
1) Regulatory
2) Advisory
3) Informative |
|
|
Define Regulatory policy
|
Follows specific industry regulations
|
HIPAA, SOX, PCI
|
|
Define Advisory policy
|
Strongly advises behaviors and activities; outlines possible ramifications
|
|
|
Define Informative policy
|
Teaches specific issues; not enforceable
|
|
|
Define Safe Harbor framework
|
Outlines how to move privacy data in and out of Europe
|
|
|
What is the Annualized Loss Expectancy (ALE) formula?
|
Single loss expectancy (SLE) * Annualized rate of occurrence (ARO) = ALE
|
|
|
What is an Information Security Management System (ISMS)?
|
A coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO/IEC 27001.
|
|
|
What is a System-specific policy?
|
Technical directives devised by management to protect individual systems. They can outline how a system should be accessed or how users should be trained on a specific system.
|
|
|
What is the absence of or a weakness in a control?
|
A vulnerability
|
|
|
What is a safeguard or control that mitigates the risk?
|
A countermeasure
|
|
|
What are the three types of controls?
|
administrative, technical, or physical
|
A / T / P
|
|
A Control can provide what types of protection?
|
Controls provide deterrent, preventive, detective, corrective, or recovery protection
|
DPDCR
|
|
What is the name of the control that is put into place because of financial or business functionality reasons?
|
A compensating control
|
Begins with Comp
|
|
What is a framework of control objectives that allows for IT governance?
|
CobiT
|
|
|
What is the standard for the establishment, implementation, control, and improvement of the information security management system?
|
ISO/IEC 27001
|
|
|
What ISO/IEC series were derived from BS 7799 and are international best practices on how to develop and maintain a security program?
|
ISO/IEC 27000
|
|
|
____ ____ ____ are used to develop architectures for specific stakeholders and present information in views.
|
Enterprise architecture frameworks
|
|
|
What is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO/IEC 27001?
|
An information security management system (ISMS)
|
|
|
What is a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment?
|
Enterprise security architecture
|
|
|
_____ are functional definitions for the integration of technology into business processes.
|
Blueprints
|
Are needed to build a house
|
|
___ ___ ___ are used to build individual architectures that best map to individual organizational needs and business drivers.
|
Enterprise architecture frameworks
|
Three words; the first word starts with E
|
|
______ is an enterprise architecture framework, and _____ is a security enterprise architecture framework.
|
Zachman is an enterprise architecture framework, and SABSA is a security enterprise architecture framework.
|
|
|
_____ is a governance model used to help prevent fraud within a corporate environment.
|
COSO
|
Kind of like the store Costco
|
|
_____ is a set of best practices for IT service management.
|
ITIL
|
Had to take training on this at our work!
|
|
___ _____ is used to identify defects in processes so that the processes can be improved upon.
|
Six Sigma
|
Start with the number 6
|
|
____ is a maturity model that allows for processes to improve in an incremented and standard approach.
Security enterprise architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.
|
CMMI
|
|
|
NIST ???-?? uses the following control categories: technical, management, and operational.
|
NIST 800-53
|
The first three numbers are a toll-free prefix. The second two numbers are the DNS port.
|
|
------ is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.
|
OCTAVE
|
Think piano keys
|
|
Security management should work from the --- ---- (from senior management down to the staff).
|
top down
|
stuff rolls downhill
|
|
What does the following describe:
identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards. |
The main goals of risk analysis
|
|
|
Probability of a threat agent exploiting a vulnerability and the loss potential from that action.
|
Risk
|
|
|
Name two methods of conducting a risk analysis?
|
Quantitative and Qualitative.
|
|
|
Risk analysis that uses hard measures such as dollars. Objective.
|
Quanti - tative
Calculate quantity of asset protected |
|
|
Risk analysis that uses simple approximate values.
Subjective. |
Quali - tative
|
|
|
Risk Choices (4)
|
Risk can be:
- transferred (e.g. insurance)
- reduced (mitigated)
- accepted
- avoided (need calculation of ALE and ROI) |
|
|
Total Cost of a mitigating safeguard.
|
Total Cost of Ownership (TCO)
|
|
|
Amount of money saved by implementing a safeguard.
|
Return on Investment (ROI)
|
|
|
Risk Avoidance
|
Calculate ALE (Annual Loss Expectancy) and ROI (Return on Investment)
If ALE > ROI then avoid risk; do not implement project. |
|
|
Potential harmful occurrence.
Possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset |
Threat
|
|
|
Formula for Total risk
|
Total Risk = Threats × Vulnerability × Asset value
|
|
|
Formula for Residual Risk
|
Residual Risk = (Threats × vulnerability × asset value) × controls gap
|
|
|
Value of an Asset to be protected.
|
Asset Value: AV
|
|
|
The percentage (%) of loss of an asset due to an incident.
|
Exposure Factor (EF)
|
|
|
Cost of a single loss due to an incident.
|
SLE - Single Loss Expectancy
SLE = AV x EF
AV: Asset Value
EF: Exposure Factor (%) |
|
|
Number of losses experienced per year.
|
Annual Rate of Occurrence: ARO
|
|
|
Yearly cost due to a risk.
|
Annual Loss Expectancy: ALE
ALE = SLE x ARO
SLE: Single Loss Expectancy
ARO: Annual Rate of Occurrence |
|
|
------- ----- --- ------ -------- (----) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process
|
Failure Modes and Effect Analysis (FMEA)
|
FMEA
|
|
A ----- ---- analysis is a useful approach to detect failures that can take place within complex environments and systems.
|
fault tree
|
|