160 Cards in this Set

CONTROL TYPES

Preventive


Detective


Corrective


Deterrent


Recovery


Compensating

CONTROL TYPES - Preventive

Intended to avoid an incident from occurring

CONTROL TYPES - Detective

Helps identify an incident’s activities and potentially an intruder

CONTROL TYPES - Corrective

Fixes components or systems after an incident has occurred

CONTROL TYPES - Deterrent

Intended to discourage a potential attacker

CONTROL TYPES - Recovery

Intended to bring the environment back to regular operations

CONTROL TYPES - Compensating

Controls that provide an alternative measure of control

TYPES Of Preventive Control

Administrative


Physical


Technical



Types Of SECURITY FRAMEWORKS

ISO/IEC 27000 series


Zachman Framework


TOGAF


DoDAF


MODAF


SABSA


COBIT


NIST SP 800-53


COSO


ITIL


Six Sigma


Capability Maturity Model Integration

ISO/IEC 27000 Series

Was developed in 1995 by the United Kingdom government’s Department of Trade and Industry and published by the British Standards Institution. The standard outlined how an information security management system (ISMS) (aka security program) should be built and maintained.

ISO/IEC 27000

ISMS measurement - serves as industry best practices for the management of security controls in a holistic manner within organizations around the world.

Zachman Architecture Framework


This framework was developed in the 1980s and is based on the principles of classical business architecture that contain rules that govern an ordered set of relationships. One of these rules is that each row should describe the enterprise completely from that row’s perspective (What, How, Where, Who, When, and Why).

The Open Group Architecture Framework (TOGAF)

Origins in the U.S. Department of Defense. It provides an approach to design, implement, and govern an enterprise information architecture. This method is an iterative and cyclic process that allows requirements to be continuously reviewed and the individual architectures updated as needed.


Types of TOGAF

• Business architecture

• Data architecture

• Applications architecture

• Technology architecture

Military-Oriented Architecture Frameworks

MODAF, developed by the British MOD, is another recognized enterprise architecture framework based upon the DoDAF. The crux of the framework is to be able to get data in the right format to the right people as soon as possible.

The Department of Defense Architecture Framework (DoDAF)

When the U.S. DoD purchases technology products and weapon systems, enterprise architecture documents must be created based upon DoDAF standards to illustrate how they will properly integrate into the current infrastructures. The focus of the architecture framework is on command, control, communications, computers, intelligence, surveillance, and reconnaissance systems and processes.

Enterprise Security Architecture

An enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally.

The main reason to develop an enterprise security architecture?

Ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference.

Sherwood Applied Business Security Architecture (SABSA)

Is a framework and methodology for enterprise security architecture and service management. Since it is a framework, this means it provides a structure for individual architectures to be built from.

SABSA provides what?

A life-cycle model so that the architecture can be constantly monitored and improved upon over time

What is needed for an enterprise security architecture to be successful in its development and implementation?

strategic alignment


business enablement


process enhancement


security effectiveness



Strategic Alignment

means the business drivers and the regulatory and legal requirements are being met by the security enterprise architecture

Business Enablement

means the core business processes are integrated into the security operating model—they are standards based and follow risk tolerance criteria


Process Enhancement

The process enhancement piece can be quite beneficial to an organization if it takes advantage of this capability when it is presented to it.

Security Effectiveness

Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system.


Control Objectives for Information and related Technology (COBIT)

A framework for governance and management. It helps organizations optimize the value of their IT by balancing resource utilization, risk levels, and realization of benefits. This is all done by explicitly tying stakeholder drivers to stakeholder needs to organizational goals to IT goals.


Five key principles of COBIT

1. Meeting stakeholder needs


2. Covering the enterprise end to end


3. Applying a single integrated framework


4. Enabling a holistic approach


5. Separating governance from management


Everything in COBIT is ultimately linked to the stakeholders through a series of transforms called?


cascading goals

COBIT is focused on what?

It deals with all aspects of information technology, security only being one component. COBIT is a set of practices that can be followed to carry out IT governance, which requires proper security practices.


The process focus of COBIT is illustrated by a process model that subdivides IT into four domains

(Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate)

NIST

The National Institute of Standards and Technology (NIST) is a nonregulatory body of the U.S. Department of Commerce and its mission is “. . . to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.”

NIST SP 800-53

One of the standards that NIST has been responsible for developing is called Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.”

Control Categories of NIST SP 800-53

The control categories (families) are the management, operational, and technical controls prescribed for an information system to protect the availability, integrity, and confidentiality of the system and its information.

Government auditors use what as their “checklist” approach for ensuring that government agencies are compliant with government-oriented regulations?

NIST SP 800-53

COSO Internal Control—Integrated Framework

COSO sponsored the Treadway Commission in 1985 to deal with fraudulent financial activities and reporting. The COSO IC framework, first released in 1992 and last updated in 2013, identifies 17 internal control principles that are grouped into five internal control components as listed here.


Control Environment


1. Demonstrates commitment to integrity and ethical values


2. Exercises oversight responsibilities


3. Establishes structure, authority, and responsibility


4. Demonstrates commitment to competence


5. Enforces accountability


Risk Assessment


6. Specifies suitable objectives


7. Identifies and analyzes risk


8. Assesses fraud risk


9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities


11. Selects and develops general controls over technology


12. Deploys through policies and procedures

Information and Communication

13. Uses relevant, quality information


14. Communicates internally


15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations


17. Evaluates and communicates deficiencies


COSO IC framework

is a model for corporate governance, and COBIT is a model for IT governance. COSO IC deals more at the strategic level, while COBIT focuses more at the operational level. COSO IC deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures.

ITIL

ITIL is the de facto standard of best practices for IT service management. ITIL is a customizable framework that is provided either in a set of books or in an online format. It provides the goals, the general activities necessary to achieve these goals, and the input and output values for each process required to meet these determined goals.


Six Sigma

is a process improvement methodology. Its goal is to improve process quality by using statistical methods of measuring operation efficiency and reducing variation, defects, and waste. It allows for the defects of security processes to be identified and improved upon.

Capability Maturity Model Integration

Created as a way to determine the maturity of an organization’s processes. This model is also used within organizations to help lay out a pathway of how incremental improvement can take place. The only way we can really improve is to know where we are starting from, where we need to go, and the steps we need to take in between.

The crux of CMMI?

is to develop structured steps that can be followed so an organization can evolve from one level to the next and constantly improve its processes and security posture


Top-down Approach


A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members. This makes sure the people actually responsible for protecting the company’s assets (senior management) are driving the program.

Bottom-up Approach


refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. It is commonly less effective, not broad enough to address all security risks, and doomed to fail.

The life cycle of any process can be described in different ways.

1. Plan and organize


2. Implement


3. Operate and maintain


4. Monitor and evaluate


Plan and Organize

• Establish management commitment.


• Establish oversight steering committee.


• Assess business drivers.


• Develop a threat profile on the organization.


• Carry out a risk assessment.


• Develop security architectures at business, data, application, and infrastructure levels.


• Identify solutions per architecture level.


• Obtain management approval to move forward.


Implement

• Assign roles and responsibilities.


• Develop and implement security policies, procedures, standards, baselines, and guidelines.


• Identify sensitive data at rest and in transit.


• Implement the following blueprints:


• Asset identification and management


• Risk management

Operate and Maintain

• Follow procedures to ensure all baselines are met in each implemented blueprint.


• Carry out internal and external audits.


• Carry out tasks outlined per blueprint.


• Manage SLAs per blueprint.

Monitor and Evaluate

• Review logs, audit results, collected metric values, and SLAs per blueprint.


• Assess goal accomplishments per blueprint.


• Carry out quarterly meetings with steering committees.


• Develop improvement steps and integrate into the Plan and Organize phase.

Types of Legal Systems

Civil (Code) Law System


Common Law System


Customary Law System


Religious Law System


Mixed Law System

Civil (Code) Law System

Civil law system is rule-based law, not precedence-based. It is the most widespread legal system in the world and the most common legal system in Europe.



Common Law System


Reflects the community’s morals and expectations. The common law system is broken down into criminal, civil/tort, and administrative.

Common Law - Criminal


• Based on common law, statutory law, or a combination of both.


• Addresses behavior that is considered harmful to society.


• Punishment usually involves a loss of freedom, such as incarceration, or monetary fines.


• Responsibility is on the prosecution to prove guilt beyond a reasonable doubt (innocent until proven guilty).

Common Law - Civil/tort

• Under civil law, the defendant owes a legal duty to the victim. In other words, the defendant is obligated to conform to a particular standard of conduct, usually set by what a “reasonable man of ordinary prudence” would do to prevent foreseeable injury to the victim.


Categories of civil law

Intentional - assault


Wrongs against property


Wrongs against a person - car accidents


Negligence - wrongful death


Nuisance - trespassing


Dignitary wrongs - invasion of privacy


Economic wrongs - copyright infringement

Strict liability - defects in product manufacturing

Common Law - Administrative (regulatory)

Laws and legal principles created by administrative agencies to address a number of areas, including international trade, manufacturing, environment, and immigration.

Customary Law System

Deals mainly with personal conduct and patterns of behavior. Based on traditions and customs of the region. Restitution is commonly in the form of a monetary fine or service.

Religious Law System

Based on religious beliefs of the region. Law, in the religious sense, also includes codes of ethics and morality, which are upheld and required by God.

Mixed Law System

Two or more legal systems are used together and apply cumulatively or interactively.

civil law


deals with wrongs against individuals or companies that result in damages or loss. This is referred to as tort law. Examples include trespassing, battery, negligence, and product liability. The punishment is usually an amount of money that the liable individual must pay the victim.

Criminal law

is used when an individual’s conduct violates the government laws, which have been developed to protect the public. Jail sentences are commonly the punishment for criminal law cases that result in conviction.

Administrative/regulatory law

deals with regulatory standards that regulate performance and conduct. Government agencies create these standards, which are usually applied to companies and individuals within those specific industries.

INTELLECTUAL PROPERTY LAWS


Trade Secret


Copyright


Trademark


Patent



Trade secret

Trade secret law protects certain types of information or resources from unauthorized use or disclosure. For a company to have its resource qualify as a trade secret, the resource must provide the company with some type of competitive value or advantage.

Copyright

protects the right of the creator of an original work to control the public distribution, reproduction, display, and adaptation of that original work. The law covers many categories of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural. It deals with how that invention is represented.

People are provided copyright protection for?

life plus 50 years

Trademark

Is used to protect a word, name, symbol, sound, shape, color, or combination of these. Companies cannot trademark a number or common word.

Patent

are given to individuals or companies to grant them legal ownership of, and enable them to exclude others from using or copying, the invention covered by the patent. The invention must be novel, useful, and not obvious—which means, for example, that a company could not patent air.

Federal Privacy Act of 1974

An actual record is information about an individual’s education, medical history, financial history, criminal history, employment, and other similar types of information. Government agencies can maintain this type of information only if it is necessary and relevant to accomplishing the agency’s purpose. Dictates that an agency cannot disclose this information without written permission from the individual.

Federal Information Security Management Act (FISMA)

requires every federal agency to create, document, and implement an agency-wide security program to provide protection for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Health Insurance Portability and Accountability Act (HIPAA)

Provide national standards and procedures for the storage, use, and transmission of personal medical information and healthcare data. This regulation provides a framework and guidelines to ensure security, integrity, and privacy when handling confidential medical information.

Health Information Technology for Economic and Clinical Health (HITECH)

addresses the privacy and security concerns associated with the electronic transmission of health information, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Gramm-Leach-Bliley Act (GLBA)

also known as the Financial Services Modernization Act of 1999, requires financial institutions to develop privacy notices and give their customers the option to prohibit financial institutions from sharing their information with nonaffiliated third parties.

Payment Card Industry Data Security Standard (PCI DSS)

applies to any entity that processes, transmits, stores, or accepts credit card data. Varying levels of compliance and penalties exist and depend on the size of the customer and the volume of transactions.

DATA BREACHES

Data breaches can be thought of as the opposite of privacy: data owners lose control of who has the ability to access their data. When an organization fails to properly protect the privacy of its customers’ data, it increases the likelihood of experiencing a data breach.

Security Policy

is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. A policy needs to be technology and solution independent. It must outline the goals and missions, but not tie the organization to specific ways of accomplishing them.

Types of Policies

Regulatory


Advisory


Informative

Regulatory Policy

This type of policy ensures that the organization is following standards set by specific industry regulations (HIPAA, GLBA, SOX, PCI DSS, etc.)

Advisory Policy

This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization.

Informative Policy

This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company.

Standards

refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform (standardized) manner across the organization.

Baselines

refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. Baselines that are not technology oriented should be created and enforced within organizations as well.

Guidelines

are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. They can also be used as a recommended way to achieve specific standards when those do apply. Guidelines can deal with the methodologies of technology, personnel, or physical security.

Procedures

are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks.

RISK MANAGEMENT


is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.

The following items touch on the major categories of risk

Physical damage


Human interaction


Equipment malfunction


Inside and outside attacks


Misuse of data


Loss of data


Application error

THREAT MODELING

Is a process by which potential threats can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker.

Information can be...

Data at rest


Data in motion


Data in use

Data at rest

Data is copied to a thumb drive and given to unauthorized parties by an insider, thus compromising its confidentiality.

Data in motion

Data is modified by an external actor intercepting it on the network and then relaying the altered version (known as a man-in-the-middle or MitM attack), thus compromising its integrity.


Data in use

Data is deleted by a malicious process exploiting a “time of check to time of use” (TOC/TOU) or “race condition” vulnerability, thus compromising its availability.

RISK ASSESSMENT

Is really a tool for risk management; it is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.


Risk analysis

Is used to ensure that security is cost effective, relevant, timely, and responsive to threats

Project sizing

Understand what assets and threats should be evaluated.

A risk analysis has four main goals

• Identify assets and their value to the organization.


• Identify vulnerabilities and threats.


• Quantify the probability and business impact of these potential threats.


• Provide an economic balance between the impact of the threat and the cost of the countermeasure

A risk analysis helps what?

integrate the security program objectives with the company’s business objectives and requirements. The more the business and security objectives are in alignment, the more successful the two will be.

Determining the value of assets may be useful to a company for a variety of reasons, including the following:

• To perform effective cost/benefit analyses


• To select specific countermeasures and safeguards


• To determine the level of insurance coverage to purchase


• To understand what exactly is at risk


• To comply with legal and regulatory requirements

The following issues should be considered when assigning values to assets:

• Cost to acquire or develop the asset


• Cost to maintain and protect the asset


• Value of the asset to owners and users


• Value of the asset to adversaries


• Price others are willing to pay for the asset


• Cost to replace the asset if lost

NIST SP 800-30


A guide for conducting risk assessments. It is specific to information systems threats and how they relate to information security risks. It is mainly focused on computer systems and IT security issues.


NIST SP 800-30 lays out the following steps:


1. Prepare for the assessment.


2. Conduct the assessment:


a. Identify threat sources and events.


b. Identify vulnerabilities and predisposing conditions.


c. Determine likelihood of occurrence.


d. Determine magnitude of impact.


e. Determine risk.


3. Communicate results.


4. Maintain assessment.

FRAP - Facilitated Risk Analysis Process

Focuses only on the systems that really need assessing, to reduce costs and time obligations. It stresses prescreening activities so that the risk assessment steps are only carried out on the item(s) that need it the most. It is intended to be used to analyze one system, application, or business process at a time.

OCTAVE - (Operationally Critical Threat, Asset, and Vulnerability Evaluation)


Is intended to be used in situations where people manage and direct the risk evaluation for information security within their company. This places the people who work inside the organization in the power positions as being able to make the decisions regarding what is the best approach for evaluating the security of their organization.


AS/NZS 4360

can be used to understand a company’s financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose. This risk methodology is more focused on the health of a company from a business point of view, not security.


Failure Modes and Effect Analysis (FMEA)

is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. FMEA is commonly used in product development and operational environments. The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break.


Quantitative risk analysis

is used to assign monetary and numeric values to all elements of the risk analysis process.

Qualitative risk analysis

uses a “softer” approach to the data elements of a risk analysis. It does not quantify that data, which means that it does not assign numeric values to the data so that it can be used in equations.

Vulnerability assessments vs. risk assessments

A vulnerability assessment just finds the vulnerabilities (the holes). A risk assessment calculates the probability of the vulnerabilities being exploited and the associated business impact.


Single loss expectancy (SLE)

The SLE is a dollar amount that is assigned to a single event that represents the company’s potential loss amount if a specific threat were to take place.




Asset Value × Exposure Factor (EF) = SLE

Exposure factor (EF)

represents the percentage of loss a realized threat could have on a certain asset.

ALE (Annualized Loss Expectancy)

The annual potential loss, since we develop and use our security budgets on an annual basis.




SLE × Annualized Rate of Occurrence (ARO) = ALE

Annualized rate of occurrence (ARO)

Is the value that represents the estimated frequency of a specific threat taking place within a 12-month time frame. The range can be from 0.0 (never) to 1.0 (once a year) to greater than 1 (several times a year) and anywhere in between.


Residual risk

No system or environment is 100 percent secure, which means there is always some risk left over to deal with.




total risk – countermeasures = residual risk

Total risk

which is the risk a company faces if it chooses not to implement any type of safeguard.




threats × vulnerability × asset value = total risk

Risk can be dealt with in four basic ways:

transfer it, avoid it, reduce it, or accept it

Transfer the risk

If a company decides the total risk is too high to gamble with, it can purchase insurance.

Risk avoidance

Occurs when a company decides to terminate the activity that is introducing the risk, avoiding the risk by eliminating its cause and/or consequence.


Accept the risk

means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure.

Business continuity

encompasses planning and preparation to ensure that an organization can continue to operate in case of serious incidents or disasters and is able to recover to an operational state within a reasonably short period. It involves keeping all essential aspects of a business functioning despite significant disruptive events.

DISASTER RECOVERY


Aims to minimize the effects of a disaster or disruption. Involves a set of policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. Disaster recovery focuses on the IT or technology systems supporting critical business functions.

The goal of a disaster recovery plan (DRP)


is to handle the disaster and its ramifications right after the disaster hits; the disaster recovery plan is usually very information technology (IT) focused. The plan is carried out when everything is still in emergency mode and everyone is scrambling to get all critical systems back online.

NIST SP 800-34

Contingency Planning Guide for Federal Information Systems

NIST SP 800-34 outlines the following steps

- Develop the contingency planning policy statement.


- Conduct the business impact analysis (BIA).


- Identify preventive controls


- Create contingency strategies


- Develop an information system contingency plan


- Ensure plan testing, training, and exercises


- Ensure plan maintenance


BCP Policy

supplies the framework for and governance of designing and building the BCP effort. The policy helps the organization understand the importance of BCP by outlining the BCP’s purpose. It provides an overview of the principles of the organization and those behind BCP, and the context for how the BCP team will proceed.

Four elements of BCP process

a. Creating a detailed account of the work required


b. Listing the resources to be used


c. Defining the management practices to be employed


d. Defining goals — established to keep everyone on track and ensure that the efforts pay off in the end

The BCP committee must identify the threats to the company and map them to the following characteristics:

• Maximum tolerable downtime and disruption for activities


• Operational disruption and productivity


• Financial considerations


• Regulatory responsibilities


• Reputation

The most critical element in developing the BCP

Executive commitment and support

Business Impact Analysis (BIA)

is performed at the beginning of business continuity planning to identify what impact a disruptive event would have on the business — impact may be financial (quantitative) or operational (qualitative). It is considered a functional analysis, in which a team collects data through interviews and documentary sources and documents business functions, activities, and transactions.

BIA Steps


1. Select individuals to interview for data gathering.


2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).


3. Identify the company’s critical business functions.


4. Identify the resources these functions depend upon.


5. Calculate how long these functions can survive without these resources.


6. Identify vulnerabilities and threats to these functions.


7. Calculate the risk for each different business function.


8. Document findings and report them to management.

MTD (Maximum Tolerable Downtime)

It is the maximum delay a business can tolerate and still remain viable.

Plan Approval and Implementation

a. Senior management must approve plan


b. Test plan


c. Regularly review plan and update

Fault tree analysis

is a useful approach to detect failures that can take place within complex environments and systems.

The Delphi technique

is a group decision method where each group member can communicate anonymously.


Job rotation

is a detective administrative control to detect fraud.

Separation of duties

ensures no single person has total control over a critical activity or task. It is a preventative administrative control.


Split knowledge and dual control

are two aspects of separation of duties.


Personally identifiable information (PII)

is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected.

ISO/IEC 27004:2009

is an international standard for information security measurement management.

NIST SP 800-55

is a standard for performance measurement for information security.


Dual control


Two operators are both needed to complete a sensitive task.


Least privilege

Means that a system’s user should have the lowest level of rights and privileges necessary to perform their work and should only have them for the shortest length of time.

Two-man control

Two operators review and approve the work of each other, to provide accountability and to minimize fraud in highly sensitive or high-risk transactions.

Split knowledge

Two or more individuals are authorized and required to perform a duty or task. In the case of split knowledge, no one person knows or has all the details needed to perform the task.

Due care
is doing what a reasonable person would do. It is sometimes called the “prudent man” rule. The term derives from “duty of care”: parents have a duty to care for their children, for example.
Due diligence
Due diligence is the management of due care. It requires that an organization continually scrutinize its own practices to ensure that it is always meeting or exceeding the requirements for protection of assets and stakeholders.
Gross Negligence
Gross negligence is the opposite of due care. It is a legally important concept. If you suffer loss of PII, but can demonstrate due care in protecting the PII, you are on legally stronger ground, for example. If you cannot demonstrate due care (you were grossly negligent), you are in a much worse legal position.
Evidence
Evidence is one of the most important legal concepts for information security professionals to understand. Information security professionals are commonly involved in investigations, and often have to obtain or handle evidence during the investigation. Some types of evidence carry more weight than others.
Real Evidence
The first, and most basic, category of evidence is that of real evidence. Real evidence consists of tangible or physical objects. A knife or bloody glove might constitute real evidence in some traditional criminal proceedings. However, with most computer incidents, real evidence is commonly made up of physical objects such as hard drives, DVDs, USB storage devices, or printed business records.
Direct Evidence
Direct evidence is testimony provided by a witness regarding what the witness actually experienced with her five senses. The witnesses must have experienced what they are testifying to, rather than have gained the knowledge indirectly through another person (hearsay, see below).
Circumstantial Evidence
is evidence which serves to establish the circumstances related to particular points or even other evidence. For instance, circumstantial evidence might support claims made regarding other evidence or the accuracy of other evidence. Circumstantial evidence provides details regarding circumstances that allow for assumptions to be made regarding other types of evidence.
Corroborative Evidence
In order to strengthen a particular fact or element of a case there might be a need for corroborative evidence. This type of evidence provides additional support for a fact that might have been called into question. This evidence does not establish a particular fact on its own, but rather provides additional support for other facts.
Hearsay evidence
constitutes second-hand evidence. As opposed to direct evidence, which someone has witnessed with her five senses, hearsay evidence involves indirect information. Hearsay evidence is normally considered inadmissible in court.
Best Evidence Rule
Courts prefer the best evidence possible. Original documents are preferred over copies; conclusive tangible objects are preferred over oral testimony. Recall that the five desirable criteria for evidence suggest that, where possible, evidence should be relevant, authentic, accurate, complete, and convincing. The best evidence rule prefers evidence that meets these criteria.
Secondary Evidence
is a class of evidence common in cases involving computers. Secondary evidence consists of copies of original documents and oral descriptions. Computer-generated logs and documents might also constitute secondary rather than best evidence.
Evidence Integrity
Evidence must be reliable. It is common during forensic and incident response investigations to analyze digital media. It is critical to maintain the integrity of the data during the course of its acquisition and analysis. Checksums can ensure that no data changes occurred as a result of the acquisition and analysis.
Chain of Custody
requires that once evidence is acquired, full documentation be maintained regarding the who, what, when and where related to the handling of said evidence. Initials and/or signatures on the chain of custody form indicate that the signers attest to the accuracy of the information concerning their role noted on the chain of custody form. The goal is to show that throughout the evidence lifecycle it is both known and documented how the evidence was handled.
Entrapment
Entrapment is when law enforcement, or an agent of law enforcement, persuades someone to commit a crime when the person otherwise had no intention to commit a crime. Entrapment can serve as a legal defense in a court of law, and, therefore, should be avoided if prosecution is a goal. A closely related concept is enticement.
Enticement
Enticement could still involve agents of law enforcement making the conditions for commission of a crime favorable, but the difference is that the person is determined to have already broken a law or is intent on doing so. The question as to whether the actions of law enforcement will constitute enticement or entrapment is ultimately up to a jury. Care should be taken to distinguish between these two terms.