44 Cards in this Set
Vulnerability
- Absence of or weakness in a control

Threat
- Possibility that someone or something would exploit a vuln. and cause harm to an asset

Risk
- Probability of a threat agent exploiting a vuln. and the loss potential from that action
- Can be transferred, avoided, reduced, or accepted

Countermeasure
- Safeguard/control
- Mitigates risk

Controls
- Admin, technical, or physical

Controls functionality
- Deterrent, preventive, detective, corrective, recovery protection

Compensating control
- Alternative

COBIT
- Framework of control objectives; allows for IT governance

ISO/IEC 27001
- ISMS

Enterprise Architecture
- Develop architectures for stakeholders and present info in views
- Used to build individual architectures that best map to individual orgs.' needs and biz drivers

ISMS
- Coherent set of policies, processes, and systems to manage risk to info assets (ISO/IEC 27001)

Enterprise SECURITY architecture
- Subset of biz arch. and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment
- Biz enablement, process enhancement, security effectiveness

Blueprints
- Functional definitions for the integration of technology into biz processes

Zachman
- Enterprise Arch.

SABSA
- Security Enterprise Arch.

COSO
- Governance model used to help prevent FRAUD within a CORPORATION

ITIL
- Best practices
- IT service mgmt

Six Sigma
- Process improvement
- ID defects

CMMI
- Maturity
- Process improvement
- Stair-step

NIST 800-53
- Control categories: technical, mgmt, operational

OCTAVE
- Team-oriented risk mgmt method
- Workshops
- Commercial sector

Total Risk
- Threats x Vuln x asset value

Residual risk
- (Threats x Vuln x asset value) x controls gap

Goals of risk analysis
- ID assets and assign values
- ID vulns and threats
- Quantify impact
- Provide balance between impact and cost of safeguards

FMEA
- Failure Modes and Effect Analysis
- Determine functions
- ID functional failures
- Cause of failure
- Failure effects
- Structured

Fault tree analysis
- Detect failures in complex environments and systems

Confidence level
- Level of uncertainty

ALE
- SLE x ARO

Delphi technique
- Group decision method
- Anonymous comm

Security policy
- Statement by mgmt dictating the role security plays in the organization

Procedures
- Step-by-step actions followed to achieve a certain task

Standards
- Documents outlining rules
- Compulsory in nature
- Support security policies

Guidelines
- Recommendations and general approaches
- Provide advice and flexibility

Job rotation
- Detective/admin
- Detect fraud

Mandatory vacations
- Detective/admin
- Allows for investigation

Separation of duties
- No single person w/ control
- Preventive/admin
- Split knowledge
- Dual control

Data owners
- Classify data

Data custodians
- Implement and maintain controls to enforce classifications

MGMT
- Define scope and purpose of security mgmt
- Provide support
- Appoint security team
- Delegate responsibility
- Review team's findings

Risk mgmt team
- Different departments

PII
- Collection of ID-based data that can be used in ID theft and financial fraud, thus must be highly protected

Security governance
- Framework providing oversight, accountability, and compliance

ISO/IEC 27004:2009
- Information security measurement management

NIST 800-55
- Performance measurement for infosec