Term
What does information security mean?

Definition
The term "information security" means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
- Confidentiality
- Integrity
- Availability

Term
What is an information security management system?

Definition
The information security management system (ISMS) is an organizational internal control process that controls the special risks associated with information within the organization.

Term
What are the basic elements of an information system?

Definition
The ISMS has the basic elements of any information system, such as hardware, databases, procedures, and reports.

Term
Who manages the information security system and who do they report to?

Definition
The information security system must be managed by a chief security officer (CSO). This individual should report directly to the board of directors in order to maintain complete independence.

Term
What are the two different approaches to analyzing vulnerabilities and threats?

Definition
The quantitative approach to risk assessment and the qualitative approach.

Term
What is the equation for the quantitative approach?

Definition
Cost of an individual loss × likelihood of its occurrence

Term
What are the 2 difficulties with the quantitative approach?

Definition
1) Identifying the relevant costs per loss and the associated likelihoods can be difficult.
2) Estimating the likelihood of a given failure requires predicting the future, which is very difficult.

Term
How does the qualitative approach analyze vulnerabilities and threats?

Definition
The system's vulnerabilities and threats are subjectively ranked in order of their contribution to the company's total loss exposure.

Term
What are the 7 loss exposure areas examined by the qualitative approach?

Definition
1) business interruption
2) loss of software
3) loss of data
4) loss of hardware
5) loss of facilities
6) loss of service and personnel
7) loss of reputation

Term
What are vulnerabilities and threats?

Definition
A vulnerability is a weakness in a system. A threat is a potential exploitation of a vulnerability.

Term
What are the three groups of individuals that pose a threat to the information system?

Definition
1) Information systems personnel
2) Users
3) Intruders and hackers

Term
Which 5 types of people are included in information systems personnel?

Definition
1) computer maintenance persons
2) programmers
3) network operators
4) information systems administrative personnel
5) data control clerks

Term
What are users and intruders/hackers in regard to an information system?

Definition
Users are composed of heterogeneous groups of people. Their functional area does not lie in data processing or information technology.
An intruder or hacker is anyone who accesses equipment, electronic data, files, or any kind of privileged information without proper authorization.

Term
What do security measures and contingency plans do?

Definition
Security measures focus on preventing and detecting threats.
Contingency plans focus on correcting the effects of threats.
Term
What is the objective of site-access controls?

Definition
The objective of site-access controls is to physically separate unauthorized individuals from computer resources.

Term
What do system-access controls do?

Definition
These controls authenticate users by using such means as user IDs, passwords, IP addresses, and hardware devices.
It is often desirable to withhold "administrative rights" from individual PC users.

Term
What do file-access controls do?

Definition
The most fundamental file-access control is the establishment of authorization guidelines and procedures for accessing and altering files.

Term
What are the three types of file backups?

Definition
Full backups, incremental backups, and differential backups.

Term
Internet-related vulnerabilities may arise from which six areas?

Definition
1) the operating system or its configuration
2) the Web server or its configuration
3) the private network and its configuration
4) various server and communications programs
5) cloud and grid computing
6) general security procedures

Term
Why is disaster risk management important?

Definition
Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe.

Term
Who implements a disaster recovery plan?

Definition
A disaster recovery plan must be implemented at the highest levels in the company. The first step in developing a disaster recovery plan should be obtaining the support of senior management and setting up a planning committee.

Term
The design of the risk management plan should do what three things?

Definition
1) Assess the company's critical needs.
2) List priorities for recovery.
3) Establish recovery strategies and procedures.

Term
What are the six things that the set of recovery strategies should take into account?

Definition
1) emergency response center
2) escalation procedures
3) alternate processing arrangements
4) personnel relocation and replacement plans
5) salvage plan
6) plan for testing and maintaining the system