Term
Define Administrative Controls |
|
Definition
The development and publishing of policies, standards, procedures, and guidelines (in that order); risk management; the screening of personnel; conducting security awareness training; and implementing "change control" procedures.
Ch 3. pg 49 |
|
|
Term
Define Technical Controls (Logical Controls) |
|
Definition
These consist of implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices, and the configuration of the infrastructure.
Chapter 3, page 49 |
|
|
Term
|
Definition
These entail controlling individual access to the facility and different departments, locking systems, and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and environmental controls (HVAC, etc.)
Chapter 3, page 49 |
|
|
Term
The _____________ has the corporate responsibility for data protection and would be the one held liable for any negligence when it comes to protecting the company's information assets. |
|
Definition
information owner (data owner)
Ch 3. page 49 |
|
|
Term
Security programs have several small and large objectives, but the three main principles in all programs are _____________, _____________, and _____________. |
|
Definition
Availability, Integrity, and Confidentiality.
(The AIC Triad)
Chapter 3, page 51 |
|
|
Term
Ensuring reliability and timely access to data and resources to authorized individuals refers to which part of the AIC Triad? |
|
Definition
Availability.
Chapter 3, page 51 |
|
|
Term
___________ ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. |
|
Definition
Confidentiality.
Chapter 3, page 53 |
|
|
Term
_____________ is upheld when the assurance of the accuracy and reliability of the information and systems is provided, and any unauthorized modification is prevented. |
|
Definition
|
|
Term
Give some examples of how attackers can thwart confidentiality mechanisms. |
|
Definition
Network monitoring, shoulder surfing, stealing password files, and social engineering.
Ch 3, page 53. |
|
|
Term
What is meant by the term "shoulder surfing"? |
|
Definition
Shoulder surfing is when a person looks over the shoulder of another and watches their keystrokes or views data as it appears on a computer screen.
Ch 3, page 53 |
|
|
Term
Define "Social Engineering." |
|
Definition
Social engineering is when one person tricks another person into sharing confidential information, e.g., by posing as someone authorized to have access to that information.
Ch 3, page 53 |
|
|
Term
What is the difference between Functional Requirements and Assurance Requirements? |
|
Definition
Functional Requirements are primarily concerned with the solution carrying out "the required tasks."
Assurance Requirements deal directly with the "level of protection the solution provides" and encompass all 3 components of the AIC Triad.
Ch 3, page 53 |
|
|
Term
A _____________ is a software, hardware, procedural, or human weakness that may provide an attacker with an open door with which to exploit. |
|
Definition
vulnerability
Ch 3, page 54 |
|
|
Term
A ____________ is any potential danger to information or systems. |
|
Definition
|
|
Term
What is a "threat agent"? |
|
Definition
A threat agent is the entity that takes advantage of a vulnerability.
Ch 3 pg 54 |
|
|
Term
A ________ is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact. |
|
Definition
|
|
Term
An instance of being exposed to losses from a threat is defined as ____________. |
|
Definition
|
|
Term
A _______ or _________ is put into place to mitigate potential risk. |
|
Definition
Safeguard or Countermeasure.
Ch 3, page 54 |
|
|
Term
What 5 entities make up the Committee of Sponsoring Organizations (COSO) Framework? |
|
Definition
1: Control Environment
2: Risk Assessment
3: Control Activities
4: Information and Communication
5: Monitoring.
Ch 3 pg 62 |
|
|
Term
What measurement standard does a company submit to in order to have their security program certified? |
|
Definition
|
|
Term
If CobiT and COSO describe what security standards are to be achieved, what standard describes how to achieve it? |
|
Definition
The Information Technology Infrastructure Library (ITIL) and the ISO/IEC 27000.
Ch 3. pg 65 |
|
|
Term
What is security governance? |
|
Definition
Security governance is all of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organization's needs.
Ch 3, page 67 |
|
|
Term
What are the four phases in the Security Program Development Life Cycle? |
|
Definition
1: Plan and Organize
2: Implement
3: Operate and Maintain
4: Monitor and Evaluate.
Ch 3, page 68 |
|
|
Term
___________ are important tools to identify, develop, and design security requirements for specific business needs. |
|
Definition
|
|
Term
_________________ is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. |
|
Definition
Information Risk Management (IRM)
Ch 3, page 73 |
|
|
Term
__________________ is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security safeguards. |
|
Definition
Risk analysis
Ch 3, page 76 |
|
|
Term
Risk analysis provides _____/__________, which compares the annualized cost of safeguards to the potential cost of loss. |
|
Definition
cost / benefit comparison.
Ch 3 page 76 |
|
|
Term
When should a safeguard NOT be implemented? |
|
Definition
A safeguard should not be implemented if the cost of the loss does not exceed the cost of the safeguard.
Ch 3, page 76 |
|
|
Term
|
Definition
Project sizing is the process of surveying and understanding what assets and threats need to be evaluated.
Ch 3 page 76 |
|
|
Term
How is the actual cost of an asset calculated? |
|
Definition
cost to acquire + cost to develop + cost to maintain = asset value
ch 3 pg 79 |
|
|
Term
|
Definition
Loss potential is what the company would lose if a threat agent were to actually exploit a vulnerability.
Ch 3, pg 81 |
|
|
Term
What is Failure Modes and Effect Analysis (FMEA)? |
|
Definition
FMEA is a method for determining functions, identifying functional failures, and assessing the causes of failure(s) and their effects through a structured process.
Ch3 pg 83 |
|
|
Term
How many steps does Failure Modes and Effect Analysis have?
What are they? |
|
Definition
Five.
1: Start with a block diagram of a system or control.
2: Consider what happens if each block of the diagram fails.
3: Draw up a table in which failures are paired with their effects and an evaluation of their effects.
4: Correct the design of the system, and adjust the table until the system is not known to have unacceptable problems.
5: Have several engineers review the failure modes and effects analysis.
ch 3 pg 83 |
|
|
Term
There are two approaches to risk analysis, Quantitative and Qualitative. What does Quantitative Risk Analysis provide? |
|
Definition
Quantitative Risk Analysis attempts to assign real and meaningful numbers to all elements of the risk analysis process. It also provides concrete probability percentages when determining the likelihood of threats.
Ch 3, pg 86 |
|
|
Term
What are the 5 steps to Risk Analysis? |
|
Definition
1: Assign Value to the Assets
2: Estimate Potential Loss per Threat
3: Perform a Threat Analysis
4: Derive the Overall Annual Loss Potential Per Threat
5: Reduce, Transfer, Avoid, or Accept the Risk
Ch 3, pg 88 |
|
|
Term
Define the following:
Risk Transfer
Risk Acceptance
Risk Avoidance |
|
Definition
Risk Transfer: Shifting some of the weight of a potential loss to another entity. The most common form is buying insurance.
Risk Acceptance: Live with the risks and spend no additional money toward protection.
Risk Avoidance: Discontinue the activity that is causing the risk.
Ch 3. pg 89 |
|
|
Term
What is the Single Loss Expectancy (SLE) Value? |
|
Definition
The SLE is the dollar amount that is assigned to a single event that represents the company's potential loss amount if a specific threat were to take place.
Ch 3, pg 89 |
|
|
Term
What is Annualized Loss Expectancy (ALE)? |
|
Definition
ALE is the monetary loss that can be expected for an asset due to a risk over a one-year period.
It is calculated as:
SLE x ARO = ALE
Ch 3, pg 89 |
|
|
Term
With respect to Quantitative Risk Analysis, what is Exposure Factor (EF)? |
|
Definition
Exposure factor represents the percentage of loss a realized threat could have on a certain asset.
Ch 3, pg 89 |
|
|
Term
What is Annualized Rate of Occurrence (ARO)? |
|
Definition
ARO is the value that represents the estimated frequency of a specific threat taking place within a one-calendar-year time frame.
Ch 3, pg 89 |
|
|
Term
How is Single Loss Expectancy (SLE) calculated? |
|
Definition
Asset Value x Exposure Factor (EF).
Ch 3, pg 89 |
|
|
Term
What is Qualitative Risk Analysis? |
|
Definition
Qualitative Risk Analysis does not assign number values to risk. Instead, this method walks through various scenarios and ranks the seriousness of the threat.
Ch 3, pg 91 |
|
|
Term
What is the Delphi Technique? |
|
Definition
The Delphi Technique is a group decision method used to ensure that each member gives an honest opinion of what he / she thinks the result of a particular threat will be.
ch3, pg 94 |
|
|
Term
|
Definition
Residual Risk is the risk remaining after countermeasures are in place and the risk management process has been implemented.
ch 3 pg 100 |
|
|
Term
|
Definition
The risk a company faces if it chooses not to implement any type of safeguard.
Ch 3. pg 100 |
|
|
Term
|
Definition
A policy is an overall general statement by management.
Ch 3, pg 103 |
|
|
Term
|
Definition
A standard refers to mandatory activities, actions, or rules. Standards support policies and give direction. |
|
|
Term
|
Definition
A baseline is a point in time that is used as a comparison for future changes.
Ch 3, pg 107 |
|
|
Term
|
Definition
Guidelines are recommended actions and operational guides to users, etc., when a specific standard does not apply.
Ch 3, pg 108 |
|
|
Term
|
Definition
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
CH 3, pg 108 |
|
|
Term
What is the difference between Due Diligence and Due Care? |
|
Definition
Due Diligence is the act of investigating and understanding the risks a company faces.
Due Care is the development and implementation of policies and procedures to aid in protecting the company, its assets, and its people from threats.
Ch 3, pg 110 |
|
|
Term
What are the commercial / business levels of information sensitivity from lowest to highest? |
|
Definition
- Public
- Sensitive
- Private
- Confidential
Ch 3 pg 113 |
|
|