Term
|
Definition
| method of achieving an end |
|
|
Term
|
Definition
| management or procedure based primarily on material interest |
|
|
Term
|
Definition
| something established by authority, custom, or general consent as a model or example |
|
|
Term
|
Definition
| the usual way for doing something |
|
|
Term
|
Definition
| a particular way of accomplishing something or of acting |
|
|
Term
|
Definition
| an indication or outline of policy or conduct |
|
|
Term
|
Definition
|
|
Term
|
Definition
| practices, procedures, and guidelines |
|
|
Term
| "information security is primarily a ____ problem, not a technical one" |
|
Definition
|
|
Term
|
Definition
| de facto - not formally issued but adopted by practice; de jure - security standards should be de jure |
|
|
Term
|
Definition
| - issued by recognized authority - should be formal (published writing) - should include measures to determine compliance and enforcement measures |
|
|
Term
|
Definition
| National Institute of Standards and Technology |
|
|
Term
| NIST SP800-14 defines computer security policy as what? |
|
Definition
| policy is senior management's directives to create a computer security program, establish its goals, and assign responsibilities. |
|
|
Term
| NIST SP-800-14 describes 3 types of IS policy |
|
Definition
| - Program - Issue-Specific - System-Specific; for each type, the policy should be: supplemented, visible, supported by management, and consistent |
|
|
Term
| what is System-specific policy |
|
Definition
| describes users' access rights for objects |
|
|
Term
| how to represent system-specific policy |
|
Definition
| access matrix - model includes: - subjects - entities which could access objects - objects - entities which could be accessed by subjects - rights - type of access (read, write, execute) |
|
|
Term
|
Definition
| living document - which means it is changed from time to time - not static or frozen |
|
|
Term
| cyclic model of frameworks and blueprints is - |
|
Definition
| a continual process of refinement; an example is NIST SP 800-26 |
|
|
Term
| 3 types of contingency plans |
|
Definition
| - incident response - disaster recovery - business continuity |
|
|
Term
| incident response plan (IRP) |
|
Definition
| first-level response to events that are anticipated to occur occasionally |
|
|
Term
| disaster recovery plan (DRP) |
|
Definition
| if event is more serious than IRP then DRP is used |
|
|
Term
| business continuity plan (BCP) |
|
Definition
| if disaster recovery is not immediate BCP is used. |
|
|
Term
| Business impact analysis (BIA) |
|
Definition
| first set of activities in contingency planning |
|
|