52 Cards in this Set
- Front
- Back
are a special type of documented business rules for protecting information and the systems which store information; generally use broad terms so they cover a wide range of items
|
Information security policies
|
|
concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible
|
principle of least privilege
|
|
describes the restriction of data which is considered very sensitive; even if one has all the necessary official approvals (such as a security clearance) to access certain information, one would not be given access to such information
|
need to know
|
|
has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users
|
Separation of duties
|
|
embodies all the detailed actions that personnel are required to follow
|
Procedures
|
|
responsible for providing reports to the senior management on the effectiveness of the security controls
|
Information systems security professionals
|
|
A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome
|
risk
|
|
Decides how a company should approach security and what security measures should be implemented
|
Senior management
|
|
gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs
|
Information Technology Infrastructure Library (ITIL)
|
|
new international standard entitled "Information technology - Security techniques - Information security management systems - Overview and vocabulary"
|
ISO/IEC 27000
|
|
attainable certification; Information technology -- Security techniques -- Information security management systems -- Requirements
|
ISO/IEC 27001
|
|
code of practice; Information technology - Security techniques - Code of practice for information security management
|
ISO/IEC 27002
|
|
Health informatics -- Information security management in health using ISO/IEC 27002
|
ISO 27799
|
|
standard in the field of Business Continuity Management (BCM)
|
BS 25999
|
|
provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company
|
Control Objectives for Information and related Technology (COBIT)
|
|
Security blueprint that governs fraud prevention
|
COSO
|
|
the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact
likelihood:impact |
Risk
|
|
Entity that can authorize or deny access to certain data
|
data owner
|
|
the process of certifying that a certain product has passed performance and quality assurance tests or qualification requirements stipulated in regulations such as a building code and nationally accredited test standards, or that it complies with a set of regulations governing quality and minimum performance requirements
|
certification
|
|
management's formal approval of a product
|
accreditation
|
|
the benchmarks used to ensure that a minimum level of security configuration is maintained
|
baselines
|
|
unlike standards, which mandate company policy, these are simply recommendations
|
guidelines
|
|
rules that must be followed; thus they are compulsory
|
standards
|
|
Action with a negative impact
|
Threat
|
|
Absence of control
|
Vulnerability
|
|
Resource, product, data
|
Asset
|
|
% of asset loss caused by threat
|
Exposure Factor
|
|
does this solution carry out the required tasks?
|
Functional requirement
|
|
provide confidence that security functions are performing as expected; a critical part of a security program
|
Assurance requirements
|
|
two people perform the same action to complete a task
|
dual control
|
|
risk
|
likelihood and impact =
|
|
the risk that is left over after countermeasures are in place
|
residual risk
|
|
identifies and develops countermeasures
|
risk analysis
|
|
Protect society, the commonwealth, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession
SOCIETY, ETHICS, SERVICE, PROFESSION |
Code of Ethics Canons
|
|
A teleological school of thought is one that holds all things to be designed for or directed toward a final result, that there is an inherent purpose or final cause for all that exists
|
Teleology
|
|
an approach to ethics that holds that acts are inherently good or evil, regardless of the consequences of the acts; we have a duty to do those things that are inherently good ("truth-telling" for example); while the ends or consequences of our actions are important, our obligation or duty is to take the right action, even if the consequences of a given act may be bad
|
deontology
|
|
RFC 1087: unethical and unacceptable to hack into systems; the Internet is a privilege, not a right
|
Internet Architecture Board
|
|
the probability that a potential vulnerability will be exercised within the construct of the associated threat environment
|
likelihood
|
|
replacement cost of IT facilities, properties, hardware, software, documentation, supplies and IT staff
|
tangible assets
|
|
are defined as identifiable non-monetary assets that cannot be seen, touched or physically measured, which are created through time and/or effort and that are identifiable as a separate asset
|
Intangible assets
|
|
a systematic, interactive forecasting method which relies on a panel of independent experts. The carefully selected experts answer questionnaires in two or more rounds
|
Delphi method
|
|
= Asset Value x Exposure Factor
|
Single Loss Expectancy (SLE)
|
|
represents estimated frequency in which threat will occur within one year
|
Annualized Rate of Occurrence (ARO)
|
|
= SLE x ARO
|
Annualized Loss Expectancy (ALE)
|
|
Relative measure of risk or asset value based on ranking or separation into descriptive categories such as low, medium, high; not important, important, very important; or on a scale from 1 to 10
|
Qualitative Risk Analysis
|
|
a procedure in operations management for analysis of potential failure modes within a system for classification by severity or determination of the effect of failures on the system
|
failure modes and effects analysis (FMEA)
|
|
a failure analysis in which an undesired state of a system is analyzed using Boolean logic to combine a series of lower-level events. This analysis method is mainly used in the field of safety engineering to quantitatively determine the probability of a safety hazard
|
Fault tree analysis (FTA)
|
|
erect barriers to the threat, improve procedures, alter the environment, install security controls; all to reduce the risk
|
Risk Reduction
|
|
get insurance, transfer cost of a loss to insurance
|
Risk Transference
|
|
Accept the risk, absorb loss
|
Risk Acceptance
|
|
in risk mitigation, stopping the activity that gives rise to the risk
|
Avoidance
|
|
is an Information Assurance (IA) strategy in which multiple layers of defense are placed throughout an Information Technology (IT) system. It addresses security vulnerabilities in personnel, technology and operations for the duration of the system's lifecycle.
|
Defense in Depth
|