Term
COBIT Framework: 7 key criteria that information provided to management must satisfy |
|
Definition
1. Effectiveness - information must be relevant and timely
2. Efficiency - the information must be produced in a cost-effective manner
3. Confidentiality - sensitive information must be protected from unauthorized disclosure
4. Integrity - the information must be accurate, complete, and valid
5. Availability - the information must be available whenever needed
6. Compliance - controls must ensure compliance with internal policies and with external legal and regulatory requirements
7. Reliability - management must have access to appropriate information needed to conduct daily activities and to exercise its fiduciary and governance responsibilities |
|
|
Term
COBIT: IT processes necessary to produce information that meets the 7 key criteria are grouped into four basic management activities (domains) |
|
Definition
1. Plan and organize 2. Acquire and Implement 3. Deliver and Support 4. Monitor and Evaluate |
|
|
Term
Trust Services Framework: 5 categories of information systems controls that most directly pertain to systems reliability |
|
Definition
1. Security 2. Confidentiality 3. Privacy 4. Processing Integrity 5. Availability |
|
|
Term
Two fundamental information security concepts |
|
Definition
1. Security is a management issue, not a technology issue 2. Defense-in-depth and the time-based model of information security |
|
|
Term
Management's Role in information security |
|
Definition
1. Create and foster a pro-active "security-aware" environment 2. Inventory and value the organization's information resources 3. Assess risks and select a risk response 4. Develop and communicate security plans, policies, and procedures 5. Acquire and deploy information security technologies and products 6. Monitor and evaluate the effectiveness of the organization's information security program |
|
|
Term
The idea of Defense-in-Depth |
|
Definition
to employ multiple layers of controls in order to avoid having a single point of failure |
|
|
Term
The goal of the time-based model of security; evaluation of three important variables |
|
Definition
employ a combination of detective and corrective controls that identify an information security incident early enough to prevent the loss or compromise of information; preventive controls only need to hold long enough for detection and response to complete
P = the time it takes an attacker to break through preventive controls
D = the time it takes to detect that an attack is in progress
C = the time it takes to respond to the attack
if P > D + C, security procedures are effective; otherwise, security is ineffective. |
|
|
Term
Steps that criminals use to attack an organization's information system |
|
Definition
1. conduct reconnaissance 2. attempt social engineering 3. scan and map the target 4. research 5. execute the attack 6. cover tracks |
|
|
Term
Preventative controls examples |
|
Definition
- training - user access controls - physical access controls - network access controls - device and software hardening controls |
|
|
Term
Detective controls examples |
|
Definition
- log analysis - intrusion detection systems - security testing and audits - managerial reports |
|
|
Term
Corrective controls examples |
|
Definition
- computer incident response teams - chief information security officer - patch management |
|
|
Term
3 types of credentials that can be used to verify a person's identity |
|
Definition
1. something they know, such as passwords or PINs 2. Something they have, such as smart cards or ID badges 3. Some physical characteristic (biometric identifier), such as their fingerprints or voice |
|
|
Term
multifactor authentication |
|
Definition
the use of two or all three authentication types in conjunction |
|
|
Term
multimodal authentication |
|
Definition
using multiple credentials of the same type |
|
|
Term
access control matrix and the compatibility test |
|
Definition
authorization controls are often implemented by creating an access control matrix. Then, when an employee attempts to access particular information, the system performs a compatibility test that matches the user's authentication credentials against the access control matrix |
|
|
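The access control matrix and compatibility test described above, as an added example that is not part of the original flashcards. The user names, file names, and the cumulative permission codes (0 no access, 1 read, 2 read/update, 3 read/update/delete) are assumptions made for illustration. The compatibility test is deny-by-default: an unknown user, resource, or action fails the test.

```python
"""Access control matrix with a compatibility test (added example)."""

# Cumulative permission codes, assumed for this example: a higher code
# includes every operation permitted by the lower ones.
NO_ACCESS, READ, UPDATE, DELETE = 0, 1, 2, 3

# The access control matrix (constructed sample data): rows are authenticated
# user identities, columns are data files, cells are the highest permitted operation.
ACCESS_CONTROL_MATRIX = {
    "alice": {"payroll": DELETE, "inventory": READ},
    "bob":   {"payroll": NO_ACCESS, "inventory": UPDATE},
    "carol": {"payroll": READ, "inventory": NO_ACCESS},
}

# Minimum permission code each requested operation needs.
ACTION_LEVEL = {"read": READ, "update": UPDATE, "delete": DELETE}


def compatibility_test(user: str, resource: str, action: str) -> bool:
    """Return True only if the matrix grants `user` at least the level `action` requires.

    Deny by default: a user not in the matrix, a resource not in the user's row,
    or an action the system does not know all fail the test.
    """
    required = ACTION_LEVEL.get(action)
    if required is None:
        return False
    granted = ACCESS_CONTROL_MATRIX.get(user, {}).get(resource, NO_ACCESS)
    return granted >= required


def authorized_actions(user: str, resource: str) -> list:
    """List the operations the matrix permits `user` on `resource` (in level order)."""
    return [a for a, lvl in sorted(ACTION_LEVEL.items(), key=lambda kv: kv[1])
            if compatibility_test(user, resource, a)]


def check_request(session: dict, resource: str, action: str) -> str:
    """Authorization step after authentication: the session carries the verified
    identity; the compatibility test decides whether the request proceeds."""
    user = session.get("authenticated_user")
    if not user:
        return "denied: not authenticated"
    if compatibility_test(user, resource, action):
        return f"allowed: {user} may {action} {resource}"
    return f"denied: {user} may not {action} {resource}"


if __name__ == "__main__":
    session = {"authenticated_user": "bob"}
    for req in [("inventory", "update"), ("inventory", "delete"), ("payroll", "read")]:
        print(check_request(session, *req))
    print(check_request({}, "payroll", "read"))
```

Note that authentication and authorization stay separate: the session's identity comes from the login step, and the compatibility test only consults the matrix. Changing what a user may do means editing the matrix, not the code paths that enforce it.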
Term
border router |
Definition
the device that connects an organization's information system to the internet |
|
|
Term
firewall |
Definition
either a special-purpose hardware device or software running on a general-purpose computer to prevent intrusion |
|
|
Term
demilitarized zone (DMZ) |
Definition
a separate network that permits controlled access from the internet to selected resources |
|
|
Term
Transmission Control Protocol (TCP) |
|
Definition
specifies the procedures for dividing files and documents into packets to be sent over the internet and the methods for reassembly of the original document or file at the destination |
|
|
Term
Internet Protocol (IP) |
Definition
specifies the structure of packets and how to route them to the proper destination |
|
|
Term
access control list (ACL) |
Definition
a set of rules that determines which packets are allowed entry and which are dropped |
|
|
Term
packet filtering (static packet filtering) |
Definition
the screening of individual IP packets based solely on the contents of the source and/or destination fields in the IP packet header; usually performed by the border router |
|
|
Term
stateful packet filtering |
|
Definition
a process performed by a firewall that creates and maintains a table in memory that lists all established connections between the organization's computers and the internet; an inbound packet is admitted only if it belongs to a connection in that table, rather than on its header fields alone |
|
|
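The access control list, static packet filtering, and stateful packet filtering cards above, worked as one added example that is not part of the original flashcards. The internal address block (10.0.0.0/24), the web server address, and every packet are constructed for illustration. The static filter can decide only on header fields, so to let replies to outbound browsing back in it has to trust a field the attacker controls (here, source port 443); the stateful filter admits an inbound packet only if it is the reverse of a connection an internal host opened.

```python
"""Static (stateless) packet filter versus stateful packet filter (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


INTERNAL_PREFIX = "10.0.0."   # assumed internal network
WEB_SERVER = "10.0.0.5"       # assumed public-facing web server
HTTPS = 443


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def static_filter(p: Packet) -> str:
    """Access control list evaluated on this packet's header alone.

    Rules are checked in order; first match wins; the implicit last rule drops.
    """
    acl = [
        # inbound HTTPS to the web server
        (lambda p: not is_internal(p.src_ip) and p.dst_ip == WEB_SERVER and p.dst_port == HTTPS, "allow"),
        # anything leaving the internal network
        (lambda p: is_internal(p.src_ip) and not is_internal(p.dst_ip), "allow"),
        # replies to outbound browsing: with no memory of connections, the only
        # header clue is "comes from port 443", which an attacker can set freely
        (lambda p: not is_internal(p.src_ip) and p.src_port == HTTPS, "allow"),
    ]
    for match, action in acl:
        if match(p):
            return action
    return "drop"


class StatefulFilter:
    """Keeps a table of connections opened from inside and admits only their replies."""

    def __init__(self):
        self.connections = set()   # (src_ip, src_port, dst_ip, dst_port) of outbound connections

    def filter(self, p: Packet) -> str:
        if is_internal(p.src_ip) and not is_internal(p.dst_ip):
            self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        if not is_internal(p.src_ip):
            if p.dst_ip == WEB_SERVER and p.dst_port == HTTPS:
                return "allow"
            # reverse of a recorded connection: this is a genuine reply
            if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
                return "allow"
        return "drop"


# Constructed traffic sample.
SAMPLE = [
    Packet("10.0.0.7", 51000, "93.184.216.34", 443),   # internal host opens HTTPS connection
    Packet("93.184.216.34", 443, "10.0.0.7", 51000),   # legitimate reply
    Packet("203.0.113.9", 443, "10.0.0.7", 22),        # attacker probes SSH from source port 443
    Packet("203.0.113.9", 40000, "10.0.0.5", 443),     # public HTTPS to the web server
    Packet("203.0.113.9", 40000, "10.0.0.5", 22),      # SSH to the web server from outside
]


def compare(packets=SAMPLE):
    """Return [(static_decision, stateful_decision), ...] for the packets in order."""
    sf = StatefulFilter()
    return [(static_filter(p), sf.filter(p)) for p in packets]


if __name__ == "__main__":
    for p, (s, st) in zip(SAMPLE, compare()):
        print(f"{p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}  static={s}  stateful={st}")
```

The third packet is the one that matters: the stateless ACL lets it through because its source port looks like a web reply, while the stateful filter drops it because no internal host ever opened a connection to 203.0.113.9.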
Term
deep packet inspection |
Definition
the process of examining the data contents of a packet |
|
|
Term
intrusion prevention systems |
|
Definition
systems that monitor patterns in the traffic flow, rather than only inspecting individual packets, to identify and automatically block attacks |
|
|
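The difference between deep packet inspection (a decision about one packet's contents) and an intrusion prevention system that watches patterns across the traffic flow, as an added example that is not part of the original flashcards. The payload signatures, the threshold of 10 distinct destination ports within 5 seconds, the addresses, and the timestamps are assumptions made for illustration; a real IPS would use vendor rule sets and tuned thresholds. No single packet of the port scan is malicious on its own, so only the flow-level check can catch it.

```python
"""Per-packet deep packet inspection beside flow-based intrusion prevention (added example)."""
import collections

# Assumed payload signatures for the per-packet check.
SIGNATURES = [b"/etc/passwd", b"' OR 1=1"]


def deep_packet_inspection(payload: bytes) -> bool:
    """Per-packet check: True if this packet's data contains a known signature."""
    return any(sig in payload for sig in SIGNATURES)


class FlowIPS:
    """Tracks per-source activity over a sliding window and blocks sources whose
    pattern (many distinct destination ports in a short time) indicates a scan."""

    def __init__(self, max_ports: int = 10, window: float = 5.0):
        self.max_ports = max_ports
        self.window = window
        self.recent = collections.defaultdict(collections.deque)  # src_ip -> deque of (t, dst_port)
        self.blocked = set()

    def handle(self, t: float, src_ip: str, dst_port: int, payload: bytes = b"") -> str:
        if src_ip in self.blocked:
            return "drop"                      # automatic block persists for the source
        if deep_packet_inspection(payload):
            return "drop"                      # per-packet decision, no history needed
        q = self.recent[src_ip]
        q.append((t, dst_port))
        while q and t - q[0][0] > self.window:  # forget events outside the window
            q.popleft()
        if len({port for _, port in q}) > self.max_ports:
            self.blocked.add(src_ip)           # flow-level decision: block the source
            return "drop"
        return "allow"


def run_sample():
    """Constructed traffic: one scanner, one normal client, one packet with a signature."""
    ips = FlowIPS()
    scanner = "203.0.113.9"
    client = "198.51.100.4"
    scanner_decisions = [ips.handle(0.1 * i, scanner, 20 + i) for i in range(12)]
    client_decisions = [ips.handle(0.1 * i, client, 443) for i in range(12)]
    dpi_decision = ips.handle(2.0, client, 443, b"GET /../../etc/passwd HTTP/1.1")
    # A scan spread out beyond the window never exceeds the threshold.
    slow = "192.0.2.77"
    slow_decisions = [ips.handle(6.0 * i, slow, 20 + i) for i in range(12)]
    return {
        "scanner": scanner_decisions,
        "client": client_decisions,
        "dpi": dpi_decision,
        "slow": slow_decisions,
        "blocked": sorted(ips.blocked),
    }


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name}: {value}")
```

The slow scanner shows the model's limit: spreading probes out beyond the window evades this particular pattern, which is why IPS thresholds are tuned against the detection (D) and response (C) times the time-based model cares about rather than set arbitrarily.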
Term
Remote Authentication Dial-In User Service (RADIUS) |
|
Definition
a standard method of verifying the identity of users attempting to obtain dial-in access through a modem; the same protocol is now widely used to authenticate VPN and wireless network access as well |
|
|
Term
war dialing |
Definition
calls every telephone number assigned to the organization to identify those which are connected to modems |
|
|
Term
Device and software hardening controls |
|
Definition
1. endpoint configuration 2. User account management 3. software design |
|
|
Term
hardening (endpoint hardening) |
Definition
the process of modifying the default configuration of endpoints to eliminate unnecessary settings and services |
|
|