Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
87 Cards in this Set
- Front
- Back
|
The objectives of security are |
to provide availability, integrity, and confidentiality protection to data and resources. |
|
|
A vulnerability is |
a weakness in a system that allows a threat source to compromise its security. |
|
|
A threat is |
is the possibility that someone or something would exploit a vulnerability, either intentionally or accidentally, and cause harm to an asset. |
|
|
A risk is ... A countermeasure, also called a safeguard or control,... |
...the probability of a threat agent exploiting a vulnerability and the loss potential from that action. ...mitigates the risk. |
|
|
A control can be |
administrative, technical, or physical and can provide deterrent, preventive, detective, corrective, or recovery protection. |
|
|
A compensating control is |
an alternative control that is put into place because of financial or business functionality reasons. |
|
|
COBIT is |
a framework of control objectives and allows for IT governance. |
|
|
ISO/IEC 27001 is |
the standard for the establishment, implementation, control, and improvement of the information security management system. |
|
|
The ISO/IEC 27000 series were derived from ... and are ... |
...BS 7799 ...international best practices on how to develop and maintain a security program. |
|
|
Enterprise architecture frameworks are used to |
develop architectures for specific stakeholders and present information in views. |
|
|
An information security management system (ISMS) is |
a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO\IEC 27001. |
|
|
Enterprise security architecture is |
a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment. |
|
|
Blueprints are |
functional definitions for the integration of technology into business processes. |
|
|
Enterprise architecture frameworks are used to |
uild individual architectures that best map to individual organizational needs and business drivers. |
|
|
Zachman Framework is |
an enterprise architecture framework, and SABSA is a security enterprise architecture framework. |
|
|
COSO (...) is ... |
(Internal Control—Integrated Framework) is a governance model used to help prevent fraud within a corporate environment. |
|
|
ITIL is |
a set of best practices for IT service management. |
|
|
Six Sigma is used to |
to identify defects in processes so that the processes can be improved upon. |
|
|
CMMI is |
(Capability Maturity Model Integration) a maturity model that allows for processes to improve in an incremented and standard approach. |
|
|
Security enterprise architecture should tie i |
strategic alignment, business enablement, process enhancement, and security effectiveness. |
|
|
NIST SP 800-53 uses the following control categories: |
technical, management, and operational. |
|
|
Civil law system |
- Uses prewritten rules and is not based on precedent. - Is different from civil (tort) laws, which work under a common law system. |
|
|
Common law system |
Made up of criminal, civil, and administrative laws. |
|
|
Customary law system |
- Addresses mainly personal conduct and uses regional traditions and customs as the foundations of the laws. - Is usually mixed with another type of listed legal system rather than being the sole legal system used in a region. |
|
|
Religious law system |
Laws are derived from religious beliefs and address an individual’s religious responsibilities; commonly used in Muslim countries or regions. |
|
|
Mixed law system |
Uses two or more legal systems. |
|
|
Criminal law deals with |
an individual’s conduct that violates government laws developed to protect the public. |
|
|
Civil law deals with |
wrongs committed against individuals or companies that result in injury or damages. Civil law does not use prison time as a punishment, but usually requires financial restitution. |
|
|
Administrative, or regulatory, law covers |
standards of performance or conduct expected by government agencies from companies, industries, and certain officials. |
|
|
A patent |
grants ownership and enables that owner to legally enforce his rights to exclude others from using the invention covered by the patent. |
|
|
Copyright
|
protects the expression of ideas rather than the ideas themselves. |
|
|
Trademarks |
protect words, names, product shapes, symbols, colors, or a combination of these used to identify products or a company. These items are used to distinguish products from the competitors’ products. |
|
|
Trade secrets |
are deemed proprietary to a company and often include information that provides a competitive edge. The information is protected as long as the owner takes the necessary protective actions. |
|
|
Crime over the Internet has brought about |
jurisdiction problems for law enforcement and the courts. |
|
|
Privacy laws dictate |
that data collected by government agencies must be collected fairly and lawfully, must be used only for the purpose for which it was collected, must only be held for a reasonable amount of time, and must be accurate and timely. |
|
|
When choosing the right safeguard to reduce a specific risk, |
the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed. |
|
|
A security policy is a |
statement by management dictating the role security plays in the organization. |
|
|
Procedures are |
detailed step-by-step actions that should be followed to achieve a certain task. |
|
|
Standards are |
documents that outline rules that are compulsory in nature and support the organization’s security policies. |
|
|
A baseline is |
a minimum level of security. |
|
|
Guidelines are |
recommendations and general approaches that provide advice and flexibility. |
|
|
OCTAVE is a |
eam-oriented risk management methodology that employs workshops and is commonly used in the commercial sector. |
|
|
Security management should work from |
the top down (from senior management down to the staff). |
|
|
Risk can be |
transferred, avoided, reduced, or accepted. |
|
|
Total Risk Residual Risk |
Threats × vulnerability × asset value = total risk (Threats × vulnerability × asset value) × controls gap = residual risk |
|
|
The main goals of risk analysis are the following: |
- identify assets and assign values to them, - identify vulnerabilities and threats, - quantify the impact of potential threats - provide an economic balance between the impact of the risk and the cost of the safeguards |
|
|
Failure Modes and Effect Analysis (FMEA) is |
a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process. |
|
|
A fault tree analysis is |
a useful approach to detect failures that can take place within complex environments and systems. |
|
|
A quantitative risk analysis attempts to |
assign monetary values to components within the analysis |
|
|
A purely quantitative risk analysis is |
not possible because qualitative items cannot be quantified with precision. |
|
|
Capturing the degree of uncertainty when carrying out a risk analysis is important, because |
it indicates the level of confidence the team and management should have in the resulting figures. |
|
|
Automated risk analysis tools |
reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures. |
|
|
ALE ARO ALE |
Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE) |
|
|
Qualitative risk analysis uses |
judgment and intuition instead of numbers. |
|
|
Qualitative risk analysis involves |
people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience. |
|
|
The Delphi technique is |
a group decision method where each group member can communicate anonymously. |
|
|
Job rotation is |
a detective administrative control to detect fraud. |
|
|
Mandatory vacations are |
a detective administrative control type that can help detect fraudulent activities. |
|
|
Separation of duties ensures |
no single person has total control over a critical activity or task. It is a preventive administrative control. |
|
|
Split knowledge and dual control are |
two aspects of separation of duties. |
|
|
Management must define ... of security management, ... |
...the scope and purpose ...provide support, appoint a security team, delegate responsibility, and review the team’s findings. |
|
|
The risk management team should includ |
individuals from different departments within the organization, not just technical personnel. |
|
|
Social engineering is |
a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual. |
|
|
Personally identifiable information (PII) is |
a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected. |
|
|
A supply chain |
is a sequence of suppliers involved in delivering some product. |
|
|
A service level agreement (SLA) is |
a contractual agreement that states that a service provider guarantees a certain level of service. |
|
|
Security governance is |
a framework that provides oversight, accountability, and compliance. |
|
|
ISO/IEC 27004:2016 is |
an international standard for information security measurement management. |
|
|
NIST SP 800-55 is |
a standard for performance measurement for information security. |
|
|
usiness continuity management (BCM) is |
is the overarching approach to managing all aspects of BCP and DRP. |
|
|
A business continuity plan (BCP) contains |
trategy documents that provide detailed procedures that ensure critical business functions are maintained and that help minimize losses of life, operations, and systems. |
|
|
A BCP provides |
procedures for emergency responses, extended backup operations, and post-disaster recovery. |
|
|
A BCP should have |
an enterprise-wide reach, with individual organizational units each having its own detailed continuity and contingency plans. |
|
|
A BCP needs to |
prioritize critical applications and provide a sequence for efficient recovery. |
|
|
A BCP requires |
senior executive management support for initiating the plan and final approval. |
|
|
BCPs can quickly |
become outdated due to personnel turnover, reorganizations, and undocumented changes. |
|
|
...may be held liable if proper BCPs are not developed and used. |
Executives |
|
|
Threats can be |
natural, manmade, or technical. |
|
|
The steps of recovery planning include |
- initiating the project - performing business impact analyses - developing a recovery strategy - developing a recovery plan - implementing, testing, and maintaining the plan |
|
|
The project initiation phase of recovery planning involves |
- getting management support - developing the scope of the plan - securing funding and resources |
|
|
The business impact analysis (BIA) is |
one of the most important first steps in the planning development. Qualitative and quantitative data on the business impact of a disaster need to be gathered, analyzed, interpreted, and presented to management. |
|
|
... are the most critical elements in developing the BCP. |
Executive commitment and support |
|
|
A business case must be presented |
to gain executive support. This is done by explaining regulatory and legal requirements, exposing vulnerabilities, and providing solutions. |
|
|
Plans should be prepared by |
the people who will actually carry them out. |
|
|
The planning group should |
comprise representatives from all departments or organizational units. |
|
|
The BCP team should identify... Response to the disaster should... |
...the individuals who will interact with external players, such as the reporters, shareholders, customers, and civic officials. ...be done quickly and honestly, and should be consistent with any other organizational response. |
|
|
ISO/IEC 22301 ISO/IEC 27031:2011 |
...is the standard for business continuity management (BCM). ...describes the concepts and principles of information and communication technology (ICT) readiness for business continuity. |
