Chapter 3: Information security and risk management
The flashcards below were created by user on FreezingBlue Flashcards.
What are administrative controls?
These include the developing and publishing of policies, standards, procedures, and guidelines; risk management; the screening of personnel; conducting security-awareness training; and implementing change control procedures.
What are technical controls (or, logical controls)?
These consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and the configuration of the infrastructure.
What are physical controls?
These entail controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls.
What is due care?
A legal term and concept used to help determine liability in a court of law. If someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if something bad takes place.
Define the AIC (or, CIA) triad.
Availability, integrity, and confidentiality.
Availability ensures reliable and timely access to data and resources for authorized individuals.
Integrity is upheld when the accuracy and reliability of the information and systems are assured and any unauthorized modification is prevented.
Confidentiality ensures that information is not disclosed to unauthorized individuals, programs, or processes.
What is a functional requirement?
An evaluation of a functional requirement answers the question "Does this solution carry out the required tasks?"
What is an assurance requirement?
Evaluating an assurance requirement answers the question "How sure are we of the level of protection this solution provides?"
A vulnerability is a software, hardware, procedural, or human weakness that may provide an attacker the open door he is looking for to enter a computer or network and gain unauthorized access to resources within the environment.
A threat is any potential danger to information or systems.
A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
An exposure is an instance of being exposed to losses from a threat agent. A vulnerability exposes an organization to possible damages.
Define a countermeasure or a safeguard.
A countermeasure, or safeguard, is put into place to mitigate the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or reduces the likelihood that a threat agent will be able to exploit a vulnerability.
How do the previous terms relate to one another?
A threat agent gives rise to a threat, which exploits a vulnerability, which leads to a risk that can damage an asset and cause an exposure; a countermeasure (safeguard) addresses the vulnerability and thereby directly affects the threat agent.
Is security by obscurity a good security practice?
No. Relying on an attacker not knowing how a system works is not a substitute for a real control; assume the mechanism is known and make it secure regardless.
Daily goals are otherwise known as?
Operational goals.
Long-term goals are otherwise known as?
Strategic goals (with tactical goals covering the mid term).
This approach to planning is called a?
Planning horizon.
CobiT is an acronym for?
Control Objectives for Information and related Technologies
CobiT was derived from the Committee of Sponsoring Organizations (COSO) framework. List the 5 components of COSO.
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
How does CobiT/COSO differ from ITIL/ISO/IEC 27000?
CobiT and COSO provide the "what is to be achieved," but not the "how to achieve it"; ITIL and the ISO/IEC 27000 series address the "how."
What is security governance?
All of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organization's specific needs.
What are security governance blueprints?
Important tools to identify, develop, and design security requirements for specific business needs. A blueprint lays out the security solutions, processes, and components the organization uses to match its security and business needs.
Define information risk management (IRM).
Information risk management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
Examples of physical damage?
Fire, water, vandalism, power loss, natural disasters.
Examples of human interaction?
Accidental or intentional action or inaction that can disrupt productivity.
Examples of equipment malfunction?
Failure of systems and peripheral devices.
Examples of inside and outside attacks?
Hacking, cracking, and attacking.
Examples of misuse of data?
Sharing trade secrets, fraud, espionage, and theft.
Examples of loss of data?
Intentional or unintentional loss of information through destructive means.
Examples of application error?
Computation errors, input errors, and buffer overflows.
What is risk analysis?
Risk analysis, which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security safeguards.
Define a cost/benefit comparison.
Compares the annualized cost of safeguards to the potential cost of loss. Before an assessment and analysis is started, the team must carry out project sizing to understand what assets and threats should be evaluated.
Risks have loss potential and delayed loss. Explain the difference.
Loss potential is what the company would lose if a threat agent were actually able to exploit a vulnerability. The loss may be corrupted data, destruction of systems and/or the facility, unauthorized disclosure of confidential information, a reduction in employee productivity, and so on. Delayed loss may include lost productivity over a period, damage to the company's reputation, reduced income to the company, accrued late penalties, extra expense to get the environment back to proper working condition, delayed collection from customers, and so forth.