Term
| (1) False Positive (2) False Negative |
|
Definition
| (1) An event that appears to be a risk but turns out not to be one. (2) An event that does not appear to be a risk but turns out to be one. |
|
|
Term
|
Definition
| Risk classification: Action that affects the long-term goals of the organization. |
|
|
Term
|
Definition
| Risk classification: Following (or not following) a regulation or standard. |
|
|
Term
|
Definition
| Risk classification: Impact of financial decisions or market factors. |
|
|
Term
|
Definition
| Risk classification: Events that impact the daily business of the organization. |
|
|
Term
|
Definition
| Risk classification: Events that affect information technology systems. |
|
|
Term
|
Definition
| Risk classification: Actions related to the management of the organization. |
|
|
Term
| (1) Preventative - Controls that prevent the loss or harm from occurring based on the risk. (2) Detective - Controls that prevent the loss or harm from occurring based on the risk. (3) Corrective - Controls that restore the system back to its prior state before a malicious event occurred. |
|
Definition
| Three elements of the simple risk model? |
|
|
Term
| Management Risk Control Type |
|
Definition
| Risk control type that is administrative in nature and consists of all the laws, regulations, policies, practices, and guidelines that govern the overall requirements and controls. |
|
|
Term
| Technical Risk Control Type |
|
Definition
| Risk control type that involves using technology to control risk, such as antivirus software, firewalls, and encryption. |
|
|
Term
| Operational Risk Control Type |
|
Definition
| Risk control type that covers operational procedures to limit risk. |
|
|
|
Term
|
Definition
| A subject's access level over an object. |
|
|
Term
|
Definition
| The periodic review of a subject's privileges over an object. |
|
|
Term
|
Definition
| A methodology for making modifications and keeping track of those changes. |
|
|
Term
|
Definition
| The framework and functions required to enable incident response and incident handling within an organization. |
|
|
Term
| Qualitative Risk Calculation |
|
Definition
| Approach to risk calculation that uses an educated guess based on observation. |
|
|
Term
| Quantitative Risk Calculation |
|
Definition
| Approach to risk calculation that attempts to create hard numbers associated with the risk of an element in a system by using historical data. This calculates both the likelihood of a risk and the impact of a risk being successful. |
|
|
Term
| Mean Time Between Failure (MTBF) |
|
Definition
| Calculates the mean amount of time until a component fails completely and is irreparable, and therefore must be replaced. |
|
|
Term
| Mean Time To Recovery (MTTR) |
|
Definition
| Calculates the mean amount of time that it will take a device to recover from a failure to a working state. |
|
|
Term
| Mean Time To Failure (MTTF) |
|
Definition
| A basic measure of reliability for systems that cannot be repaired; or, the mean amount of time expected until the first failure of a piece of equipment. |
|
|
Term
|
Definition
| The number of expected failures per one billion hours of operation for the device. |
|
|
Term
| Annualized Rate Of Occurrence (ARO) |
|
Definition
| The likelihood of a risk occurring within one year. |
|
|
Term
| Single Loss Expectancy (SLE) |
|
Definition
| The expected monetary loss each time a risk occurs. |
|
|
Term
| Annualized Loss Expectancy (ALE) |
|
Definition
| The expected monetary loss that can be expected for an asset due to a risk over a one year period. |
|
|
Term
|
Definition
| Written document that states how an organization plans to protect the company’s information technology assets. |
|
|
Term
| (1) Guideline (2) Standard (3) Policy |
|
Definition
| Organizational rules: (1) Collection of suggestions that should be implemented. (2) Collection of requirements specific to the system or procedure that must be met by everyone. (3) Specific requirements or rules that must be met. |
|
|
Term
|
Definition
| A systematic and methodical evaluation of the exposure of assets to attackers. |
|
|
Term
|
Definition
| The obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them. |
|
|
Term
| Acceptable Use Policy (AUP) |
|
Definition
| Policy that defines the actions users may perform while accessing systems and networking equipment. |
|
|
Term
|
Definition
| Policy that outlines how an organization uses the personal information it collects. |
|
|
Term
|
Definition
| Policy that addresses the different aspects of how data should be handled within an organization. |
|
|
Term
| (1) Data Storage Policy (2) Data Retention Policy (3) Data Wiping and Disposing Policy |
|
Definition
| Data Policies: (1) Policy that specifies data collection and storage procedures. (2) Policy that outlines how to maintain information in the user’s possession for a predetermined length of time. (3) Policy that addresses how and when data will be erased. |
|
|
Term
| (1) Asset Identification (2) Threat Identification (3) Vulnerability Appraisal (4) Risk Assessment (5) Risk Mitigation |
|
Definition
| The steps of vulnerability assessment? |
|
|
Term
|
Definition
| Process used to predict what types of threats are most likely to occur and how to understand the attackers and their motivation. |
|
|
Term
|
Definition
| Determining the damage that would result from an attack and the likelihood that the vulnerability is a risk to the organization. |
|
|
Term
|
Definition
| The part of software code that can be executed by unauthorized users. |
|
|
Term
|
Definition
| The practice of disabling unused ports in order to reduce the number of threat vectors. |
|
|
Term
|
Definition
| The process of gathering information within a banner (a protocol message service containing information about that protocol, which is transmitted when a program connects to it). |
|
|
Term
|
Definition
| Generic term for any product that looks for network or system vulnerabilities. |
|
|
Term
|
Definition
| A decoy computer that is intentionally located in a limited security area, loaded with software and fake data files in order to appear authentic, and configured to have open vulnerabilities. The actual purpose of this computer is to lure in attackers in order to examine their attacks, or to distract them away from legitimate systems. |
|
|
Term
|
Definition
| A network of honeypot systems that together function as a single honeypot and is used to examine network security concerns. |
|
|
Term
|
Definition
| An automated software search for known security weaknesses. There are two types: intrusive (penetrative) and non-intrusive. |
|
|
Term
| Penetration Testing OR Pentesting |
|
Definition
| Vulnerability tests designed to exploit weaknesses found in vulnerable systems in order to document that information and report it to the organization. These are conducted by white hat hackers - independent contractors hired for ethical purposes. |
|
|
Term
| (1) Black Box (2) White Box (3) Grey Box |
|
Definition
| Penetration tests: (1) Test intended to mimic an outside attack, in which the tester has no prior knowledge of the network that is being tested. (2) Test in which the tester has in-depth knowledge of the network being tested. (3) Test in which the tester has only certain limited information about the network being tested. |
|
|
Term
|
Definition
| Combining systems and data with entities outside the organization. |
|
|
Term
|
Definition
| The attempt to limit as many security risks as possible in order to make the system or network more secure. |
|
|
Term
| (1) Due Process (2) Due Diligence |
|
Definition
| (1) The principle of treating all accused persons in an equal fashion in the case that an employee is accused of a malicious action. (2) Policy stating that any investigation into suspicious employee conduct will examine all material facts. |
|
|