Chapter 3: Information security and risk management

2012-01-04 15:02:34
information security risk management


  1. What are administrative controls?
    These include the developing and publishing of policies, standards, procedures, and guidelines; risk management; the screening of personnel; conducting security-awareness training; and implementing change control procedures.
  2. What are technical controls (or, logical controls)?
    These consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and the configuration of the infrastructure.
  3. What are physical controls?
    These entail controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls.
  4. What is due care?
    A legal term and concept used to help determine liability in a court of law. If someone is practicing due care, they are acting responsibly and will have a lower probability of being found negligent and liable if something bad takes place.
  5. Define the AIC (or CIA) triad.
    Availability, integrity, and confidentiality
  6. Define availability.
    Availability ensures reliability and timely access to data and resources to authorized individuals.
  7. Define integrity.
    Integrity is upheld when the assurance of the accuracy and reliability of the information and system is provided, and any unauthorized modification is prevented.
  8. What is a functional requirement?
    An evaluation of a functional requirement answers the question "Does this solution carry out the required tasks?"
  9. What is an assurance requirement?
    Evaluating an assurance requirement answers the question "How sure are we of the level of protection this solution provides?"
  10. Define vulnerability.
    A vulnerability is a software, hardware, procedural, or human weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.
  11. Define threat.
    A threat is any potential danger to information or systems.
  12. Define risk.
    A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
  13. Define exposure.
    An exposure is an instance of being exposed to losses from a threat agent. A vulnerability exposes an organization to possible damages.
  14. Define a countermeasure or a safeguard.
    A countermeasure, or safeguard, is put into place to mitigate the potential risk. A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability.
  15. Order of evaluation for the previous terms?
    Threat, exposure, vulnerability, countermeasures, and, lastly, risk.
  16. Is security by obscurity a good security practice?
  17. Daily goals are otherwise known as?
    Operational goals
  18. Long term goals are otherwise known as?
    Tactical goals.
  19. An approach to planning is called a?
    planning horizon
  20. CobiT is an acronym for?
    Control Objectives for Information and related Technologies
  21. CobiT was derived from the Committee of Sponsoring Organizations (COSO) framework. List the 5 components of COSO.
    • Control environment
    • Risk assessment
    • Control activities
    • Information and communication
    • Monitoring
  22. How does CobiT/COSO differ from ITIL/ISO/IEC 27000?
    CobiT and COSO provide the "what is to be achieved," but not the "how to achieve it."
  23. What is security governance?
    All of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organization's specific needs.
  24. What are security governance blueprints?
    Important tools to identify, develop, and design security requirements for specific business needs. A blueprint will lay out the security solutions, processes, and components the organization uses to match its security and business needs.
  25. Define information risk management (IRM).
    Information risk management is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
  26. Fire, water, vandalism, power loss, natural disasters
    Examples of physical damage
  27. Accidental or intentional action or inaction that can disrupt productivity
    Examples of human interaction
  28. Failure of systems and peripheral devices.
    Examples of equipment malfunction
  29. Hacking, cracking, and attacking
    Inside and outside attacks
  30. Sharing trade secrets, fraud, espionage, and theft
    Misuse of data
  31. Intentional or unintentional loss of information through destructive means
    Loss of data
  32. Computation errors, input errors, and buffer overflows
    Application error
  33. What is risk analysis?
    Risk analysis, which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security safeguards.
  34. Define a cost/benefit comparison.
    Compares the annualized cost of safeguards to the potential cost of loss. Before an assessment and analysis is started, the team must carry out project sizing to understand what assets and threats should be evaluated.
  35. Risks have loss potential and delayed loss. Explain the difference.
    Loss potential is what the company would lose if a threat agent were actually able to exploit a vulnerability. The loss may be corrupted data, destruction of systems and/or the facility, unauthorized disclosure of confidential information, a reduction in employee productivity, and so on. Delayed loss may include productivity over a period, damage to the company's reputation, reduced income to the company, accrued late penalties, extra expense to get the environment back to proper working conditions, the delayed collection from customers, and so forth.