Shared Flashcard Set

Details

CISSP - Information Security and Risk Management
Chapter 3, CISSP 5th ed
54
Computer Networking
Professional
01/25/2012

Additional Computer Networking Flashcards

 


 

Cards

Term
Define Administrative Controls
Definition

The development and publishing of policies, standards, procedures and guidelines (in that order); risk management, the screening of personnel; conducting security awareness training, and implementing "change control" poredures.

 

Ch 3. pg 49

Term
Define Technical Controls (Logical Controls)
Definition

These consist of implementing and maintaining access control mechanisms, password and resource management, identification, and authentication methods, security devices, and the configuration of the infrastructre.

 

Chapter 3, page 49

Term
Define Physical Controls
Definition

These entail controlling individual access to the facility and different departments, locking systems, and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls (HVAC, etc.)

 

Chapter 3, page 49

Term
The _____________ has the corporate reponsibility for data protection and would be the one held liable for any negligence when it comes to protecting the company's information assets.
Definition

information owner (data owner)

 

Ch 3. page 49

Term
Security programs have several small and large objectives but, the three main principles in all programs are _____________, _____________, and _____________.
Definition

Availability, Integrity, and Confidentiality.

 

(The AIC Triad)

 

Chapter 3, page 51

Term
Ensuring reliability and timely access to data and resources to authorized individuals refers to which part of the AIC Triad?
Definition

Availability.

 

Chapter 3, page 51

Term
___________ ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.
Definition

Confidentiality.

 

Chapter 3, page 53

Term
_____________ is upheld when the assurance of the accuracy and reliability of the information and systems is provided, and any unauthorized modification is prevented.
Definition

Integrity.

 

Ch 3, page 52

Term
Give some examples how attackers can thwart confidentiality mechanisms.
Definition

Network monitoring, shoulder surfing, stealing password files, and social engineering.

 

Ch 3, page 53.

Term
What is meant by the term "shoulder surfing"?
Definition

Shoulder surfing is when a person looks over the shoulder of another and watches their keystrokes or views data as it appears on a computer screen.

 

 Ch 3, page 53

Term
Define "Social Engineering."
Definition

 Social engineering is when one person tricks another person into sharing confidential information, i.e., posing as someone authorized to have access to that information.

 

 Ch 3, page 53

Term
What is the difference between Functional Requirements and Assurance Requirements?
Definition

Functional Requirements are primarily concerned with the solution carrying out "the required tasks."

 

Assurance Requirements deal directly with the "level of protecting the solution provides" and deals directly with encompassing all 3 components of the AIC Triad.

 

 Ch 3, page 53

Term
A _____________ is a software, hardware, procedural, or human weakness that may provide an attacker with an open door with which to exploit.
Definition

vulnerability

 

 

Ch 3, page 54

Term
A ____________ is any potential danger to information or systems.
Definition

threat.

 

 Ch 3, page 54

Term
What is a "threat agent"?
Definition

A threat agent is the entity that takes advantage of a vulnerability.

 

 Ch 3 pg 54

Term
A ________ is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
Definition

risk

 

Ch 3, page 54

Term
An instance of being exposed to to losses from a threat is defined as ____________.
Definition

Exposure.

 

Ch 3, pg 54

Term
A _______ or _________ is put into place to mitigate potential risk.
Definition

Safeguard or Countermeasure.

 

 Ch 3, page 54

Term
What 5 entities make up the Committe of Sponsoring Organization's (COSO) Framework?
Definition

1: Control Environment

2: Risk Assessment

3: Control Activities

4: Information and Communication

5: Monitoring.

 

Ch 3 pg 62

Term
What measurement standard does a company submit to in order to have their security program certified?
Definition

ISO 17799

 

Ch 3. pg 63

Term
if CobiT and COSO describe what security standards are to be achieved, what standard describes how to achieve it?
Definition

The Information Technology Infrastructure (ITIL) and the ISO/IEC 27000.

 

Ch 3. pg 65

Term
What is security governance?
Definition

Security governance is all of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organizations needs.

 

Ch 3, page 67

Term
What are the four phases in the Security Program Development Life Cycle?
Definition

1: Plan and Organize

2: Implement

3: Operate and Maintain

4: Monitor and Evaluate.

 

Ch 3, page 68

Term
___________ are important tools to identify, develop, and design security requirements for specific business needs.
Definition

Blueprints.

 

Ch 3, pg 71

Term
_________________ is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechinsms to maintain that level.
Definition

Information Risk Mangement (IRM)

 

Ch 3, page 73

Term
__________________ is a method of identifying vulnerabilities and threats and assessing the possible impacts to determing where to implement security safeguards.
Definition

Risk analysis

 

Ch 3, page 76

Term
Risk analysis provides _____/__________, which compares the annualized cost fo safeguards to the potential cost of loss.
Definition

cost / benefit comparison.

 

Ch 3  page 76

Term
When should a safeguard NOT be implemented?
Definition

A safeguard should not be implemented if the cost of the loss does not exceed the cost of the cost of the safeguard.

 

Ch 3, page 76

Term
What is project sizing?
Definition

Project sizing is the process of surveying and understanding what assets and threats need to be evaluated.

 

 Ch 3 page 76

Term
How is the actual cost of an asset calculated?
Definition

cost to acquire + cost to develop + cost to maintain = asset value

 

ch 3 pg 79

Term
What is loss potential?
Definition

Loss potential is what the company would lose if a threat agent were to actually exploit a vulnerability.

 

 Ch 3, pg 81

Term
What is Failure Modes and Effect Analysis (FMEA)?
Definition

FMEA is a method for determining functions, identifying functional failures, and assessing the causes of failure(s) and their effects through a structured process.

 

 Ch3 pg 83

Term

How many steps does Failure Modes and Effect Analysis have?

 

What are they?

Definition

Five.

 

1: Start with a block diagram of a system or control.

2. Consider what happens if each block of the diagram fails.

3: Draw up a table in which failures are paired with their effects and an evaluation of their effects.

4: Correct the design of the system, and adjust the table until the system is not known to have unacceptable problems.

5: Have several engineers review the failure modes and effects analysis.

 

 ch 3 pg 83

Term
There are two approaches to risk analysis, Quantitative and Qualitative. What does Quantitative Risk Analysis provide?
Definition

Quantitative Risk Analysis attempts to assign real and meaningful numbers to all elements of the risk analysis process. It also provides concrete probability percentages when determining the likelihood of threats.

 

Ch 3, pg 86

Term
What are the 5 steps to Risk Analysis?
Definition

1: Assign Value to the Assets

2: Estimate Potential Loss per Threat

3: Performa a Threat Analysis

4: Derive the Overall Annual Loss Potential Per Threat.

5: Reduce, Transfer, Avoid, or Accept the Risk

 

Ch 3, pg 88

Term

Define the following:

 

Risk Transfer

Risk Acceptance

Risk Avoidance

Definition

Risk Transfer: Shifting some of the weight of a potential loss to another entity. The most common form being buying insurance.

 

Risk Acceptance: Live with the risks and spend no additional money toward protection.

 

Risk Avoidance: Discontinue the activity that is causing the risk.

 

 Ch 3. pg 89

Term
What is the Single Loss Expentancy (SLE) Value?
Definition

The SLE is the dollar amount that is assigned to a single even that represents the company's potential loss amount if a specific threat were to take place.

 

Ch 3, pg 89

Term
What is Annualized Loss Expentancy?
Definition

ALE is the expected monetary loss that can be expected for an asset due to a risk over a one year period.

 

It is calculated thusly:

 

SLE x ARO = ALE

 

Ch 3, pg 89

Term
With respect to Quantitative Risk Analysis, what is Exposure Factor (EF)?
Definition

Exposure factor represents the percentage of loss a realized threat could have on a certain asset.

 

 Ch 3, pg 89

Term
What is Annualized Rate of Occcurance (ARO)?
Definition

ARO is the value that represents the estimated frequency of a specific threat taking place within a one calendar year time-frame.

 

 Ch 3, pg 89

Term
How is Single Loss Expentancy (SLE) calculated?
Definition

Asset Value x Exposure Factor (EF).

 

 Ch 3, pg 89

Term
What is Qualitative Risk Analysis?
Definition

Qualitative Risk Analysis does not assign number values to risk. Instead, this method walks through various scenarios and ranks the seriousness of the threat.

 

 Ch 3, pg 91

Term
What is the Delphi Technique?
Definition

The Delphi Technique is a group decision method used to ensure that each member gives an honest opinion of what he / she think the result of a particular threat will be.

 

ch3, pg 94

Term
What is residual risk?
Definition

Residual Risk is the risk remaining after countermeasures are in place and the risk management process has been implemented.

 

 ch 3 pg 100

Term
What is total risk?
Definition

The risk a company faces if it chooses not to implement any type of safeguard.

 

Ch 3. pg 100

Term
What is a policy?
Definition

A policy is an overall general statement by management.

 

 Ch 3, pg 103

Term
What is a standard?
Definition
A standard referes to manadtory activities, actions, or rules. Standards support policies and give direction.
Term
What is a baseline?
Definition

A baseline is a point in time that is used as a comparison for future changes.

 

 Ch 3, pg 107

Term
What is a guideline?
Definition

Guidelines are recommended actions and operational guides to users, etc. when a specific standard does not apply.

 

 Ch 3, pg 108

Term
What is a procedure?
Definition

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.

 
 CH 3, pg 108

Term
What is the difference between Due Diligence  and Due Care?
Definition

Due Diligence is the act of investigating amd understanding the risks a company faces.

 

Due Care is the development and implementation of policies and procedures to aid in protecting the company, it's assets, and it's people from threats.

 

Ch 3, pg 110

Term
What are the commercial / business levels of information sensitivity from lowest to highest?
Definition

- Public

- Sensitive

- Private

- Confidential

 

 Ch 3 pg 113

Supporting users have an ad free experience!