Term
|
Definition
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate |
|
|
Term
| Four pillars of Trust services Framework |
|
Definition
confidentiality
privacy
process integrity
availabilty |
|
|
Term
| Top and bottom of Trust services framework |
|
Definition
Top: systems reliability
bottom: security |
|
|
Term
|
Definition
|
|
Term
|
Definition
| sensitive info is protected |
|
|
Term
|
Definition
| personal info is collected and used only w/ regulatory requirements and is protected |
|
|
Term
|
Definition
| data is processed carefully, completely and in a timely manner |
|
|
Term
|
Definition
| info is available to meet operational and contractual obligations |
|
|
Term
| Three fundamental security concepts |
|
Definition
1) security is a management issue not technological
2) Time based model of security P>C+D
3) Defense in Depth |
|
|
Term
|
Definition
Training
Authenication
Authorization
Physical Controls
Network Access/ Perimeter controls
device and software hardening |
|
|
Term
| Border Router and firewall |
|
Definition
| connects IS to internet and controls what info goes in and out of the system |
|
|
Term
|
Definition
| safezone for handling items before they pass into the companies system |
|
|
Term
|
Definition
Access restrictions
passwords
devices- smart cards iD badges
bio metrics- fingerprints
multifactor- combination of 2 or more
Device specific authentication |
|
|
Term
|
Definition
Restrict access within the system
Segregation of Duties |
|
|
Term
|
Definition
uses same key to encrypt and decrypt
faster but both parties need to know the secret key |
|
|
Term
|
Definition
Public and Private key
both and encrypt but only private can decrypt
allows for open sharing of public key |
|
|
Term
|
Definition
| creates digital certificate which grants access to info |
|
|
Term
|
Definition
| system of issuing pairs of public and private keys and corresponding digital certificates |
|
|
Term
|
Definition
| taking plain text and converting it into code |
|
|
Term
|
Definition
| electronic document created and digitally signed by trusted third party, certifies identity |
|
|
Term
| Three items sent in Bid Package |
|
Definition
Bid w/ symmetric key
Hash of Bid w/ NW private key
Symmetric Key w/ US public key |
|
|
Term
|
Definition
|
|
Term
| Types of Detective Controls |
|
Definition
Log Analysis
Intrusion detection systems
reporting to management
security testing |
|
|
Term
|
Definition
monitor activity and take corrective actions
must be timely |
|
|
Term
| Types of Security testing |
|
Definition
vulnerabilities scans
war dialing
penetration tests |
|
|
Term
|
Definition
| looks for weaknesses, identifies unused and unnecessary programming |
|
|
Term
|
Definition
| calling thousands of modems and looking for an idle one to take over and gain access |
|
|
Term
|
Definition
| authorized attempt to break into system |
|
|
Term
| Types of Corrective controls |
|
Definition
computer emergency response teams
CIO
Patch maangement |
|
|
Term
|
Definition
proprietary info of the company
internal policy protection |
|
|
Term
|
Definition
customer or 3rd party sensitive data
legal requirments to protect |
|
|
Term
| Ways to protect info and data |
|
Definition
Policies and Procedures
Categorize all data
Authentication and Authorization
Encrypt stored and transmitted data
Remove/ Disguise private data
Make info confidential/ restricted
Data loss prevention software
Restrict Physical Access
Proper Disposal |
|
|
Term
| Additional Privacy Considerations |
|
Definition
Understand legal requirements
choice and consent
disclosure of violations
restitution for damages |
|
|
Term
|
Definition
use as many checks and validations as possible
dont use paper
use real-time data entry |
|
|
Term
| Batch processing input controls |
|
Definition
sequence check
batch totals
error logs |
|
|
Term
| Real time data entry controls |
|
Definition
automatic entry data
prompting
preformatting
closed loop verification
transaction logs
error messages |
|
|
Term
|
Definition
Data matching
file labels
recalculate batch totals
crossfoot balance
write-protection mechanisms
concurrent update controls |
|
|
Term
|
Definition
user review
reconciliation procedures
external data reconciliation |
|
|
Term
|
Definition
hardware and software failures
disasters
human error
worms and viruses
DOS attacks and other sabotage |
|
|
Term
| Disaster Recovery Systems |
|
Definition
data backup procedures
provisions for access to replacement infrastructure
thorough documentation
periodic testing and training
adequate insurance |
|
|
