102 Cards in this Set

What is meant by top-down approach?
meaning that the initiation, support, and direction come from top management, work their way through middle management, and then reach staff members.
What is meant by bottom-up approach?
Refers to a situation in which the IT department tries to develop a security program without proper management support and direction. A bottom-up approach is usually less effective, not broad enough, and doomed to fail.
Define: Threat
A threat is any potential danger to information or systems: that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent.
Define: Vulnerability
A vulnerability is the absence of a safeguard (in other words, it is a weakness) that can be exploited. It can be a software, hardware, procedural, or human weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment.
Define: Risk
A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
How is risk reduced?
By reducing vulnerabilities and/or threats.
Define: exposure
An exposure is an instance of being exposed to losses from a threat agent. Vulnerability exposes an organization to possible damages. If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users’ passwords captured and used in an unauthorized manner.
What is a countermeasure?
A countermeasure, or safeguard, is put into place to mitigate the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or reduces the likelihood that a threat agent will be able to exploit a vulnerability.
What does Kerckhoffs’ principle embody?
Kerckhoffs’ principle embodies the argument against security through obscurity. Back in the 1880s, Kerckhoffs stated that no algorithm should be kept secret; only the key should be the secret component. His message is to assume that the attacker can figure out your algorithm and its logic, so make sure the key, which the attacker would need in order to decode sensitive data, is properly protected.
Why has security management become more important over the last few years?
Because networks have evolved from centralized environments to distributed environments.
What is the objective of security?
To provide availability, integrity, and confidentiality protection to data and resources.
What are strategic goals/planning?
Strategic plans are the plans that fall in line with the business and information technology goals. The goals of strategic planning have a longer or broader horizon and can extend out as far as five years (long term).
What are some of the goals that strategic planning might include?
Make sure risks are properly understood and addressed.

Ensure compliance with laws and regulations.

Integrate security responsibilities throughout the organization.

Create a maturity model to allow for continual improvement.

Use security as a business achievement to attract more customers.
What are tactical goals/planning?
Tactical planning refers to the initiatives and other support that must be implemented to reach the broader goals put forth by the strategic planning. In general, tactical plans have a shorter planning horizon than strategic plans (midterm).
What are operational goals/planning?
Operational planning deals with very specific plans, their deadlines, and goals. This involves hard dates and timelines by which the goals of the plan should be completed, as well as specific directions on how they are to be completed. These goals tend to be of a short-term or interim nature, mitigating risks until larger tactical or strategic plans can be created and implemented (short range).
What are examples of operational goals/planning?
Perform security risk assessment.
Do not allow security changes to decrease productivity.
Maintain and implement controls.
Continually scan for vulnerabilities and roll out patches.
Track compliance with policies.
What is a planning horizon?
Security works best if the company’s operational, tactical, and strategic goals are defined and work to support each other, which can be much harder than it sounds. Strategic planning is long term, tactical planning is midterm, and operational planning is day to day. A company usually cannot implement all changes at once, some changes are larger than others, and many times certain changes cannot happen until other changes take place. The timeframe over which these changes are sequenced so that they work together is the planning horizon.
Define the security framework Control Objectives for Information and related Technology (CobiT)
CobiT is a framework and set of best practices developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective. CobiT is a model for IT governance. CobiT focuses more at the operational level.
What are the four domains CobiT is broken down into?
Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
What is ISO 17799?
It is an internationally recognized Information Security Management (ISM) standard that provides high-level conceptual recommendations on enterprise security. Derived from the de facto standard British Standard 7799 (BS7799). It is made up of ten domains, which are very close to the CISSP Common Body of Knowledge (CBK).
What is ISO/IEC 27001?
Based on British Standard BS7799 Part 2; it specifies the establishment, implementation, control, and improvement of an Information Security Management System (ISMS).
What is ISO/IEC 27002?
A code of practice providing good-practice advice on ISMS controls (previously known as ISO 17799), itself based on British Standard BS 7799 Part 1.
What is ISO/IEC 27004?
A standard for information security management measurements.
What is ISO/IEC 27005?
Designed to assist the satisfactory implementation of information security based on a risk management approach.
What is ISO/IEC 27006?
A guide to the certification/registration process.
What is ISO/IEC 27799?
A guide illustrating how to protect personal health information.
ISO/IEC 27002 (formerly ISO 17799) contains which 10 domains?
Information security policy for the organization: Map of business objectives to security, management’s support, security goals, and responsibilities.

Creation of information security infrastructure: Create and maintain an organizational security structure through the use of a security forum, a security

Asset classification and control: Develop a security infrastructure to protect organizational assets through accountability and inventory, classification, and handling procedures.

Personnel security: Reduce risks that are inherent in human interaction by screening employees, defining roles and responsibilities, training employees properly, and documenting the ramifications of not meeting expectations.

Physical and environmental security: Protect the organization’s assets by properly choosing a facility location, erecting and maintaining a security perimeter, implementing access control, and protecting equipment.

Communications and operations management: Carry out operations security through operational procedures, proper change control, incident handling, separation of duties, capacity planning, network management, and media handling.

Access control: Control access to assets based on business requirements, user management, authentication methods, and monitoring.

System development and maintenance: Implement security in all phases of a system’s lifetime through development of security requirements, cryptography, integrity, and software development procedures.

Business continuity management: Counter disruptions of normal operations by using continuity planning and testing.

Compliance: Comply with regulatory, contractual, and statutory requirements by using technical controls, system audits, and legal awareness.
What does COSO deal with?
COSO is a model for corporate governance. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. Its main purpose is to help ensure fraudulent financial reporting cannot take place in an organization. COSO deals more at the strategic level while CobiT focuses more at the operational level.
How would you define security governance?
Security governance is a coherent system of integrated security components (products, personnel, training, processes, policies, and so on) that exist to ensure the organization survives and, hopefully, thrives. For there to be security governance, there must be something to govern. The collection of the controls that an organization must have in place is collectively referred to as a security program.
What is information risk management (IRM)?
Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
Define risk analysis.
Risk analysis is a tool for risk management: a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security safeguards. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats.
What are the 4 goals of risk analysis?
Identify assets and their value to the organization.

Identify vulnerabilities and threats.

Quantify the probability and business impact of these potential threats.

Provide an economic balance between the impact of the threat and the cost of the countermeasure.
What are some things to consider when attempting to assign values to assets?
Cost to acquire or develop the asset
Cost to maintain and protect the asset
Value of the asset to owners and users
Value of the asset to adversaries
Value of intellectual property that went into developing the information
Price others are willing to pay for the asset
Cost to replace the asset if lost
Operational and production activities affected if the asset is unavailable
Liability issues if the asset is compromised
Usefulness and role of the asset in the organization
Define OCTAVE.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) was created by Carnegie Mellon University’s Software Engineering Institute. It is a methodology intended for situations where people inside the organization manage and direct the risk evaluation for information security within their company. This places the people who work inside the organization in the position of deciding the best approach for evaluating the security of their organization, relying on the idea that the people working in these environments best understand what is needed and what kind of risks they are facing.
Define Failure Modes and Effect Analysis (FMEA).
FMEA is a method for determining functions, identifying functional failures, and assessing the causes of failure and their effects through a structured process. Applying this process to a chronic failure enables the determination of where exactly the failure is most likely to occur.
Define FRAP.
FRAP stands for Facilitated Risk Analysis Process. It is designed to explore a qualitative risk assessment process in a manner that allows tests to be conducted on different aspects and variations of the methodology. The intent of this methodology is to provide an organization with the means of deciding what course of action must be taken in specific circumstances to deal with various issues.
Why is Six Sigma important to security?
Six Sigma is a process improvement methodology. It is the “new and improved” Total Quality Management (TQM) that hit the business sector in the 1980s. Its goal is to improve process quality by using statistical methods of measuring operational efficiency and reducing variation, defects, and waste. Six Sigma is being used in the assurance industry in some instances to measure the success factors of different controls and procedures.
What is a fault tree analysis?
A fault tree analysis usually proves to be a more useful approach to identifying failures that can take place within more complex environments and systems. It follows this general process: first, an undesired effect is taken as the root or top event of a tree of logic; then, each situation that has the potential to cause that effect is added to the tree as a series of logic expressions (AND and OR gates combining lower-level events).
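As an added example (not part of the flashcards or the book they are drawn from), here is the fault tree process above carried out in Python: a constructed tree whose top event is "customer database exfiltrated", with the probability of the top event computed from assumed basic-event probabilities, the minimal cut sets listed, and the effect of one countermeasure shown. The event names, probabilities, and the MFA countermeasure are assumptions for illustration; basic events are treated as independent.

```python
# Added example: evaluating a small security fault tree.
# Event names and probabilities are constructed for illustration, not taken from the cards.
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Event:
    """A basic event (leaf of the tree) with an estimated annual probability."""
    name: str
    prob: float


@dataclass
class Gate:
    """A logic gate: OR fires if any input fires, AND only if every input fires."""
    name: str
    kind: str                      # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Probability that this node's event occurs, assuming independent basic events."""
    if isinstance(node, Event):
        return node.prob
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    if node.kind == "OR":
        none_fire = 1.0              # P(no input fires) = product of (1 - p_i)
        for x in ps:
            none_fire *= 1.0 - x
        return 1.0 - none_fire
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events that are sufficient to cause the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":          # any input's cut set is a cut set here
        sets = [s for cs in child_sets for s in cs]
    else:                          # AND: one cut set from each input, unioned
        sets = [frozenset()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    sets = set(sets)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=sorted)


# Constructed tree. Top event: customer database exfiltrated. Two paths lead to it,
# each requiring two things to go wrong (assumed annual probabilities).
PHISH = Event("phish_success", 0.30)
MFA_BYPASS = Event("mfa_bypassed", 0.20)
UNPATCHED = Event("service_unpatched", 0.25)
EXPLOIT = Event("exploit_available", 0.40)

TOP = Gate("db_exfiltrated", "OR", [
    Gate("credential_path", "AND", [PHISH, MFA_BYPASS]),
    Gate("exploit_path", "AND", [UNPATCHED, EXPLOIT]),
])


def with_mfa_enforced() -> float:
    """Same tree after a countermeasure: phishing-resistant MFA drops bypass to 2% (assumed)."""
    hardened = Gate("db_exfiltrated", "OR", [
        Gate("credential_path", "AND", [PHISH, Event("mfa_bypassed", 0.02)]),
        Gate("exploit_path", "AND", [UNPATCHED, EXPLOIT]),
    ])
    return probability(hardened)


if __name__ == "__main__":
    print("P(top event)        =", round(probability(TOP), 4))
    print("after MFA control   =", round(with_mfa_enforced(), 4))
    for cs in minimal_cut_sets(TOP):
        print("minimal cut set:", sorted(cs))
```

The cut sets are the practical output: each one names a pair of conditions that together suffice for the top event, so breaking any single member of every set (here, the MFA bypass in one path and the unpatched service in the other) removes that path entirely, while the probability figures show how much a single control moves the top event.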
What are the two types of risk analysis?
Quantitative Risk Analysis

Qualitative Risk Analysis
What are the steps of a risk analysis?
Step 1: Assign value to assets.
Step 2: Estimate potential loss per threat (SLE).
Step 3: Perform a threat analysis (ARO).
Step 4: Derive the overall annual loss potential per threat (ALE).
Step 5: Reduce, transfer, avoid, or accept the risk.
What is a quantitative risk analysis?
A quantitative risk analysis attempts to assign monetary values to components within the analysis. A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
What is single loss expectancy (SLE) and what is the equation for it?
The SLE is a dollar amount assigned to a single event, representing the company’s potential loss if a specific threat were to take place:

asset value × exposure factor (EF) = SLE
What is the annualized loss expectancy (ALE) equation?
SLE × ARO = ALE
What is annualized rate of occurrence (ARO)?
The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a one-year timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to greater than one (several times a year) and anywhere in between. For example, if the probability of a flood taking place in Mesa, Arizona, is once in 1,000 years, the ARO value is 0.001.
What is a qualitative risk analysis?
Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed, as well as the culture of the company and individuals involved with the analysis.
Define the Delphi technique
The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others’ thought processes and enables them to participate in an independent and anonymous way.
Once a company knows the amount of total and residual risk it faces, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. Define each.
Transfer the risk: If a company decides the total or residual risk is too high to gamble with, it can purchase insurance, which transfers the risk to the insurance company.

Risk avoidance: The company decides to terminate the activity that is introducing the risk.

Risk mitigation: The risk is decreased to a level considered acceptable enough to continue conducting business.

Accept the risk: The company understands the level of risk it faces, as well as the potential cost of damage, and decides to live with it and not implement the countermeasure.
What is a security policy?
A security policy captures senior management’s perspectives and directives on what role security should play within the company. Security policies are usually general and use broad terms so they can cover a wide range of items. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy.
What is an issue-specific policy?
An issue-specific policy, also called a functional implementing policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes, that specifies which e-mail functionality employees can or cannot use, and that addresses specific privacy issues.
What is an organizational security policy?
In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relevant laws, regulations, and liability issues, and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.
What is a system-specific policy?
A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, applications, and data. This type of policy may provide an approved software list, which contains a list of applications that may be installed on individual workstations. This policy may describe how databases are to be used and protected, how computers are to be locked down, and how firewalls, IDSs, and scanners are to be employed.
Policies generally fall into one of the following categories: regulatory, advisory, and informative. Define each.
Regulatory: This type of policy ensures that the organization is following standards set by specific industry regulations. It is very detailed and specific to a type of industry. It is used in financial institutions, healthcare facilities, public utilities, and other government-regulated industries.

Advisory: This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information or financial transactions, or how to process confidential information.

Informative: This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.
What are standards?
Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction. Standards can be internal or can be externally mandated (government laws and regulations). These rules are usually compulsory within a company. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform manner across the organization.
What is a baseline?
Baselines are used to define the minimum level of protection required. For example, a company may stipulate that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline. This means that only systems that have gone through the Common Criteria evaluation process and achieved this rating can be used in that department. Once the systems are properly configured, that configuration is the necessary baseline.
What is a guideline?
Guidelines are recommendations and general approaches that provide advice and flexibility.
What are procedures?
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. Procedures are considered the lowest level in the policy chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues.
Define due diligence.
Due diligence is the act of investigating and understanding the risks the company faces.
Define due care.
Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible threats.
So, due diligence is understanding the current threats and risks, and due care is implementing countermeasures to provide protection from those threats.
Define the private business classification levels.
Confidential = For use within the company only. Data exempt from disclosure under the Freedom of Information Act or other laws and regulations. Unauthorized disclosure could seriously affect a company.

Private = Personal information for use within a company. Unauthorized disclosure could adversely affect personnel or the company.

Sensitive = Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. Also requires higher than normal assurance of accuracy and completeness.

Public = Disclosure is not welcome, but it would not cause an adverse impact to the company or personnel.
Define the military classification levels.
Top secret = If disclosed, it could cause grave damage to national security.

Secret = If disclosed, it could cause serious damage to national security.

Confidential = If disclosed, it could cause damage to national security.

Sensitive but unclassified = Minor secret. If disclosed, it may not cause serious damage.

Unclassified = Data is not sensitive or classified.
Another commonly used classification set employed in the commercial sector is For Official Use Only, Proprietary, Privileged, and Private. Describe each.
For official use only = Financially sensitive.
Proprietary = Protects competitive edge.
Privileged = Ensures conformance with business standards and laws.
Private = Contains records about individuals.
Which security property is the military primarily concerned with for its information?
Confidentiality.
Which security properties is the private sector primarily concerned with for its data?
Integrity and availability.
What is Safe Harbor concerned with?
Safe Harbor outlines how any entity that is going to move private data to and from Europe must go about protecting it. Europe has always had tighter controls over protecting private information than the United States and other parts of the world. Note that the US-EU Safe Harbor framework was invalidated by the Court of Justice of the European Union in October 2015 and has since been superseded by later transfer frameworks.
What are the objectives of the Organization for Economic Co-operation and Development (OECD)?
The OECD is an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. Thus, the OECD came up with guidelines for the various countries to follow so data are properly protected and everyone follows the same type of rules.
What is a security steering committee?
A security steering committee is responsible for making decisions on tactical and strategic security issues within the enterprise as a whole and should not be tied to one or more business units. The group should be made up of people from all over the organization so they can view risks and the effects of security decisions on individual departments and the organization as a whole.
What are the steps for creating a data classification program?
• Set the criteria for classifying the data.
• Determine the security controls that will be associated with the classification.
• Identify the data owner who will set the classification of the data.
• Document any exceptions that might be required for the security of this data.
• Determine how the custody of the data can be transferred.
• Create criteria for declassifying information.
• Add this information to the security awareness and training programs so users can understand their responsibilities in handling data at various classifications.
What is the senior manager responsible for?
Ultimately responsible for the security of the organization and the protection of its assets.
What is the responsibility of the security professional?
Functionally responsible for security and carries out senior management’s directives.
What is the responsibility of the data owner?
Usually a member of senior management and primarily responsible for the protection and use of the data. Decides upon the classification of the data he is responsible for and alters these classifications if business needs arise. Authorizes user privileges.
What is the responsibility of the data custodian?
Given the responsibility of maintaining and protecting the data: running regular backups and restores and validating them, ensuring data integrity and security (CIA), maintaining records in accordance with classification, and applying user authorizations.
What is the responsibility of the user?
Any individual who routinely uses the data for work-related tasks. Must have the necessary level of access to the data to perform the duties of her position and is responsible for following operational security procedures to ensure the data’s confidentiality, integrity, and availability.
What is the security analyst’s responsibility?
The security analyst role works at a higher, more strategic level than the previously described roles and helps develop policies, standards, and guidelines, as well as set various baselines.
What is the responsibility of the supervisor?
The supervisor role, also called user manager, is ultimately responsible for all user activity and any assets created and owned by these users. For example, suppose Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that these employees understand their responsibilities with respect to security, distributing initial passwords, making sure the employees’ account information is up to date, informing the security administrator when an employee is fired, suspended, or transferred, and approving new system user accounts.
What is the responsibility of the system owner?
The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners. A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects.
What is the responsibility of the security administrator?
A security administrator’s tasks are many, and include creating new system user accounts, implementing new security software, testing security patches and components, and issuing new passwords.
What is the responsibility of the application owner?
The application owner for each unit is responsible for the security of the unit’s applications. This includes testing, patching, performing change control on the programs, and making sure the right controls are in place to provide the necessary level of protection.
What is the responsibility of the product line manager?
The product line manager evaluates different products in the market, works with vendors, understands the different options a company can take, and advises management and business units on the proper solutions needed to meet their goals.
What is the responsibility of the auditor?
The auditor is brought into an organization to determine whether the controls that have been implemented by the administration, for either technical or physical attributes, meet and comply with the security objectives that are either required of the organization by legislation or have been deemed necessary by the governance of the organization.
What is separation of duties?
Separation of duties makes sure that one individual cannot complete a critical task by herself. Separation of duties may also reduce errors. If one person makes a mistake, there is a high probability that another person will catch and correct it.
What is collusion?
Collusion means that at least two people are working together to cause some type of destruction or fraud. Separation of duties and job rotation combat collusion.
Why are people considered the weakest link in a security program?
People are often the weakest link because personnel cause more serious and hard-to-detect security issues than hacker attacks, outside espionage, or equipment failure.
Why are nondisclosure agreements necessary?
Nondisclosure agreements must be developed and signed by new employees to protect the company and its sensitive information if and when the employee leaves for one reason or another.
What is the importance of good hiring practices?
Depending on the position to be filled, a level of screening should be done by human resources to ensure the company hires the right individual for the right job. Skills should be tested and evaluated, and the caliber and character of the individual should be examined. When a person is hired, he is bringing in his business skills and whatever other baggage he carries. A company can reduce its heartache pertaining to personnel by first conducting useful and careful hiring practices.
Why is rotation of duties important?
No one person should stay in one position for a long time because they may end up having too much control over a segment of the business. Such total control could result in fraud, data modification, and misuse of resources.
What do mandatory vacations achieve?
They help prevent and detect fraud and allow for investigations while the employee is away.
Define split knowledge and dual control.
Two variations of separation of duties. With split knowledge, no one person knows or has all the details to perform a task. For example, two managers might be required to open a bank vault, with each knowing only part of the combination. In the case of dual control, two individuals are again authorized to perform a task, but both must be available and active in their participation to complete the task or mission.
What is the importance of security awareness training?
A security-awareness program is typically created for at least three types of audiences: management, staff, and technical employees. Each type of awareness training must be geared toward the individual audience to ensure each group understands its particular responsibilities, liabilities, and expectations. Members of management would benefit the most from a short, focused security awareness orientation that discusses corporate assets and financial gains and losses pertaining to security. The technical departments must receive a different presentation that aligns more to their daily tasks. They should receive a more in-depth training to discuss technical configurations, incident handling, and recognizing different types of security compromises. The presentation given to staff members must demonstrate why security is important to the company and to them individually. The better they understand how insecure activities can negatively affect them, the more willing they will be to participate in preventing such activities. This presentation should have many examples of acceptable and unacceptable activities.
Security components can be technical or nontechnical; give an example of each.
Technical = firewalls, encryption, and access control lists.

Nontechnical = security policy, procedures, and compliance enforcement.
When identifying assets, what is important to keep in mind?
Assets can be tangible (facilities and hardware) or intangible (corporate data and reputation).
What is meant by the term assurance?
Assurance is a degree of confidence that a certain security level is being provided.
What should a company consider when choosing a security model?
A company’s choice should depend on its type of business, its critical missions, and its objectives.
What can automated risk analysis tools provide?
Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
When attempting to choose the right safeguards and countermeasures, what are some important considerations?
When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
What is a key element during the initial security planning phase?
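As an added example serving both the risk analysis steps (the SLE, ARO, and ALE cards above) and this cost/benefit card, here is the five-step quantitative calculation carried through in Python. It is not code from the flashcards or the book; the asset values, exposure factors, AROs, safeguard costs, and the risk appetite figure are constructed for illustration (the flood ARO reuses the card's once-in-1,000-years figure). The safeguard value formula used in Step 5, ALE before minus ALE after minus the annual cost of the safeguard, is the standard cost/benefit formula and is not stated on the cards.

```python
# Added example: five-step quantitative risk analysis with a cost/benefit decision.
# All figures are constructed; the safeguard-value formula is the standard one,
# not something stated on the cards.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # Step 1: value assigned to the asset (dollars)
    exposure_factor: float  # fraction of the asset value lost in one occurrence, 0.0..1.0
    aro: float              # Step 3: annualized rate of occurrence


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # yearly cost of the countermeasure (purchase, upkeep, staff)
    exposure_factor: float  # EF once the safeguard is in place
    aro: float              # ARO once the safeguard is in place


def sle(t: Threat) -> float:
    """Step 2: single loss expectancy = asset value x exposure factor."""
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Step 4: annualized loss expectancy = SLE x ARO."""
    return sle(t) * t.aro


def safeguard_value(t: Threat, s: Safeguard) -> float:
    """Cost/benefit of a safeguard: ALE before - ALE after - annual cost.
    Positive means the safeguard saves more per year than it costs."""
    after = replace(t, exposure_factor=s.exposure_factor, aro=s.aro)
    return ale(t) - ale(after) - s.annual_cost


def recommend(t: Threat, s: Safeguard, risk_appetite: float) -> str:
    """Step 5: reduce, accept, or transfer/avoid.
    risk_appetite is the largest ALE management will live with untreated (assumed input)."""
    if safeguard_value(t, s) > 0:
        return "reduce"              # the safeguard pays for itself: implement it
    if ale(t) <= risk_appetite:
        return "accept"              # cheaper to live with the loss than to treat it
    return "transfer or avoid"       # too costly to fix and too big to accept: insure, or stop the activity


# Constructed sample risk register.
FIRE = Threat("data center fire", asset_value=1_000_000, exposure_factor=0.40, aro=0.05)
FLOOD = Threat("flood (once in 1,000 years)", asset_value=1_000_000, exposure_factor=0.50, aro=0.001)
RANSOMWARE = Threat("ransomware on file server", asset_value=250_000, exposure_factor=0.80, aro=0.5)

SUPPRESSION = Safeguard("fire suppression system", annual_cost=8_000, exposure_factor=0.10, aro=0.05)
BARRIERS = Safeguard("flood barriers", annual_cost=3_000, exposure_factor=0.10, aro=0.001)
BACKUPS = Safeguard("offline backups + EDR", annual_cost=30_000, exposure_factor=0.20, aro=0.5)

RISK_APPETITE = 5_000   # assumed: maximum ALE per threat that management accepts untreated

if __name__ == "__main__":
    for t, s in [(FIRE, SUPPRESSION), (FLOOD, BARRIERS), (RANSOMWARE, BACKUPS)]:
        print(f"{t.name:30s} SLE={sle(t):>10,.0f}  ALE={ale(t):>10,.0f}  "
              f"safeguard value={safeguard_value(t, s):>9,.0f}  -> {recommend(t, s, RISK_APPETITE)}")
```

Run as a script it prints one line per threat. The fire suppression system is worth implementing (it removes $15,000 of annual expected loss for $8,000), the flood barriers are not (they would cost $3,000 a year to avoid $400 of expected loss), but the flood's ALE of $500 is inside the assumed appetite, so it is accepted rather than transferred.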
A key element during the initial security planning process is to define reporting relationships.
What are the security objectives of the CIA triad?
Confidentiality: Provides the ability to ensure that the necessary level of secrecy is enforced.

Integrity: Is upheld when the assurance of accuracy and reliability of information and systems is provided and unauthorized modification of data is prevented.

Availability: Prevents disruption of service or productivity.
What is identification?
The user’s claimed identity, used for user access control.
What is authentication?
Testing of the evidence of a user’s identity.
What is accountability?
The ability to trace actions to an individual person.
What is authorization?
The rights and permissions granted.