Principles of Info Security Chapter 4

Card Set Information

Author:
thesoulschamber
ID:
296453
Filename:
Principles of Info Security Chapter 4
Updated:
2015-02-21 22:09:10
Tags:
info security 6th edition chapter
Folders:
Principles of Info Security
Description:
Chapter 4
The flashcards below were created by user thesoulschamber on FreezingBlue Flashcards.


  1. accept control strategy
    The choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
  2. acquired value
    The value an asset gains over time within an organization.
  3. annualized cost of the safeguard (ACS)
    The total cost of owning and operating the specific control for each year of its expected operational life.
  4. annualized loss expectancy (ALE)
    The overall loss an organization could incur from the specified threat over the course of an entire year.
  5. annualized rate of occurrence (ARO)
    The anticipated rate of occurrence of a loss from the specified threat over one year.
  6. asset valuation
    The process of assigning financial value or worth to each information asset.
  7. baseline
    A baseline is a “value or profile of a performance metric against which changes in the performance metric can be usefully compared.”
  8. baselining
    The analysis of measures against established internal standards. In information security, baselining is the comparison of current security activities and events against the organization’s established expected levels of performance.
  9. behavioral feasibility
    Synonymous with operational feasibility. The examination of user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
  10. benchmarking
    The process of seeking out and studying the practices used in other organizations that produce results you would like to duplicate in your organization.
  11. benefit
    The value that an organization recognizes by using controls to prevent losses associated with a specific vulnerability.
  12. best business practices
    Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices.
  13. best practices
    Synonymous with best business practices and recommended practices. Procedures that provide a superior level of security for an organization’s information.
  14. clean desk policy
    Rules that require each employee to secure all information in its appropriate storage container at the end of each day.
  15. competitive advantage
    The leverage gained by an organization that supplies superior products or services. Establishing a competitive business model, method, or technique allows an organization to provide a product or service that is superior to others in the marketplace.
  16. competitive disadvantage
    The leverage lost by an organization that supplies products or services perceived to be inferior to other organizations.
  17. cost avoidance
    The process of avoiding the financial impact of an incident by implementing a control.
  18. cost benefit analysis
    Synonymous with economic feasibility study. The comparison of the cost of protecting an asset with the worth of the asset or the costs of the compromise of an asset.
  19. data classification scheme
    A method of categorizing the levels of confidentiality of an organization’s data.
  20. defend control strategy
    The preferred risk control strategy which attempts to prevent the exploitation of vulnerabilities.
  21. due diligence
    The actions that demonstrate that an organization is diligent in ensuring that the implemented standards continue to provide the required level of protection.
  22. dumpster diving
    The retrieval of information from refuse that could prove embarrassing to the company or could compromise the security of information.
  23. economic feasibility study
    Synonymous with cost benefit analysis. The comparison of the cost of protecting an asset with the worth of the asset or the costs of the compromise of an asset.
  24. exposure factor (EF)
    An element of a formula for calculating the value associated with the most likely loss from an attack, or single loss expectancy (SLE).

    In SLE = asset value x exposure factor (EF), exposure factor equals the expected percentage of loss that would occur from a particular attack.
  25. field change order (FCO)
    An authorization issued by an organization for the repair, modification, or update of a piece of equipment.
  26. gold standard
    A subcategory within best practices consisting of practices that are typically viewed as “the best of the best.”
  27. intrinsic value
    The essential worth of an asset.
  28. likelihood
    The overall rating of the probability that a specific vulnerability within an organization will be successfully attacked.
  29. metrics-based measures
    Benchmarking comparisons based on numerical standards such as numbers of successful attacks; staff-hours spent on systems protection; dollars spent on protection; numbers of security personnel; estimated value in dollars of the information lost in successful attacks and loss in productivity hours associated with successful attacks.
  30. mitigate control strategy
    Attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
  31. need-to-know
    A category within a data classification structure that grants access to individuals based on the fact that they require the information to perform their jobs.
  32. operational feasibility
    Synonymous with behavioral feasibility. The examination of user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders.
  33. organizational feasibility
    A comparison of how proposed information security alternatives contribute to the efficiency, effectiveness, and overall operation of an organization.
  34. performance gap
    The difference between an organization’s measures and those of others.
  35. political feasibility
    An analysis that defines what changes can and cannot occur within an organization based on the consensus and relationships between the communities of interest.
  36. process-based measures
    Benchmarking comparisons that are generally less focused on numbers and more strategic than metrics-based measures.
  37. qualitative assessment
    An evaluation process that is based on characteristics that do not use numerical measures.
  38. quantitative assessment
    The evaluation of an organization’s assets, estimated values, and formulas.
  39. recommended practices
    Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices.
  40. residual risk
    The risk that remains to an information asset after an existing control has been applied.
  41. risk appetite
    The quantity and nature of risk that organizations are willing to accept.
  42. risk assessment
    The analysis of a danger to assign a risk rating or score to an information asset.
  43. risk control
    The process of applying controls to reduce the risks to an organization’s data and information systems.
  44. risk identification
    The formal process of examining and documenting the security posture of an organization’s information technology and the risks it faces.
  45. risk management
    The process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all components in the organization’s information system.
  46. security clearance
    A level of authorization to classified material that an individual is granted after a formal evaluation process.
  47. single loss expectancy (SLE)
    The calculation of the value associated with the most likely loss from an attack.
  48. standard of due care
    A legal term that becomes relevant when organizations adopt levels of security for a legal defense and therefore might be required to show that they have done what any prudent organization would do in similar circumstances.
  49. technical feasibility
    An analysis that examines whether or not the organization has or can acquire the technology necessary to implement and support the proposed control.
  50. terminate control strategy
    Directs the organization to avoid those business activities that introduce uncontrollable risks.
  51. threat assessment
    The examination of a danger to assess its potential to impact an organization.
