1. Sec and Risk Management / 2. Assets Flashcards

1
Q

military classification

A

unclassified, confidential, secret, top secret

2
Q

commercial classification

A

public, sensitive, confidential/private

3
Q

policy components

A

procedures, guidelines, baselines, standards, policies

4
Q

STRIDE

A

threat categorization scheme focused on application threats

spoofing
tampering
repudiation
information disclosure
DoS
elevation of privilege
5
Q

DREAD

A

threat rating system used for threat prioritization

damage potential
reproducibility
exploitability
affected users
discoverability
6
Q

security management planning

A

strategic: long-term goals, missions
tactical: mid-term, how to accomplish the goals
operational: short-term, highly detailed

7
Q

quantitative risk analysis

A

Assign Asset Value (AV)
Calculate Exposure Factor (EF)
Calculate Single Loss Expectancy: SLE = AV × EF
Assess Annualized Rate of Occurrence (ARO)
Derive Annualized Loss Expectancy: ALE = SLE × ARO

Perform cost/benefit analysis of countermeasures: ALE1 - ALE2 - ACS (ACS = annual cost of safeguard)

8
Q

qualitative risk analysis

A

brainstorming, Delphi, surveys, checklists, interviews, meetings

9
Q

delphi technique

A

anonymous feedback-and-response process to reach an anonymous consensus. Gives honest and uninfluenced responses. Repeated until consensus is found.

10
Q

risk assignment

A

assigning or transferring risk

insurance or outsourcing (SLA)

11
Q

risk acceptance

A

management has agreed to accept the consequences because of a negative cost/benefit analysis of the possible safeguards

12
Q

risk

A

threats × vulnerabilities × asset value = total risk (combination)

13
Q

residual risk

A

total risk - controls gap = residual risk

14
Q

types of controls I

A

technical: hardware, software
administrative: policies, procedures
physical

15
Q

types of controls II

A

deterrent: appeals to human decision not to….
preventive: blocks the action
detective: discovers after occurrence
corrective: corrects problems (reboot, restore)
recovery: advanced correction: imaging, clustering…
directive: direct control of actions to force compliance (escape route signs, posted notifications)

16
Q

risk management framework

RMF

A
  1. categorize
  2. select
  3. implement
  4. assess
  5. authorize
  6. monitor
17
Q

BCP steps

A
  1. project scope, planning
  2. business impact analysis
  3. continuity planning
  4. approval, implementation
18
Q

BCP step 1

project scope and planning

A
  • business organization analysis builds the foundation for BCP team selection
  • BCP team selection (representatives from each operational and support department)
  • face legal and regulatory requirements (due diligence, regulations, obligations to clients)
  • resource requirements (personnel, time)
19
Q

BCP step 2

business impact analysis BIA

A
  • identify priorities (threats and their relevance, MTD, MTO Maximum Tolerable Outage, RTO Recovery Time Objective)
  • risk identification
  • likelihood assessment (ARO)
  • impact assessment (EF, SLE, ALE)
  • resource prioritization (to the identified risks)
20
Q

BCP step 3

continuity planning

A
  • strategy development (which risks will be addressed? in accordance with the prioritization from step 2 and the MTD)
  • provisions and processes (people first!)
21
Q

BCP step 4

approval and implementation

A
  • approval by senior management
  • training, education
  • BCP documentation (written record for everyone affected)
22
Q

What is included in BCP documentation?

A

goals, statement of importance, statement of priorities and responsibility, risk acceptance/mitigation, emergency response guidelines, maintenance, testing

23
Q

law

A

common law:

criminal: murder, robbery
civil: business
administrative: government agencies

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

copyright

A

books, poems, songs
70 years after death

work for hire:
95 years after date of publication
120 years after date of creation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

trademarks

A

names, slogans, logos; TM without registration, ® after registration

26
Q

patent

A

inventions | 20 years from request

27
Q

trade secret

A

protects operating secrets; no registration; adequate controls and an NDA are required

28
Q

software licensing | UCITA

A

- contractual license: written contract
- shrink-wrap: on the software package
- click-through
- cloud service license agreement: online click-through

29
Q

Computer Fraud and Abuse Act 1987

A

protects computers used by the government or in interstate commerce

30
Q

Computer Security Act 1987

A

- NIST is responsible for securing government systems
- NSA is responsible for securing classified systems
- NIST is responsible for developing standards
- requires security plans by all operators of federal computer systems
- requires training for all people involved in the management and use of federal computers

31
Q

DMCA Digital Millennium Copyright Act

A

- limits the liability of ISPs for the activities of their users
- copyright-protecting mechanisms placed in digital media
- $1 million or up to 10 years for repeat offenders
- in compliance with WIPO
32
Q

export restrictions | Wassenaar agreement

A

India, Pakistan, Afghanistan, Cuba, North Korea, Sudan, Syria

33
Q

privacy in the US constitution

A

4th amendment

34
Q

Health Information Technology for Economic and Clinical Health Act 2009 (HITECH)

A

- updates HIPAA
- protected health information (PHI) processed by other firms is covered by HIPAA
- data breaches must be reported to the affected individuals, the Secretary of Health and the media

35
Q

Safe Harbour

A

- directive to protect personal data processed by information systems
- organizations outside the EU must apply these rules
- the Department of Commerce certifies businesses and offers them "safe harbour"
- notice: inform individuals about the purpose of collecting data
- choice: opt-out
- onward transfer: transfer only to compliant organizations
- data integrity: data may only be used for the purpose declared beforehand
- access: individuals have the right to correct or delete inaccurate data
- enforcement: implement mechanisms to ensure compliance with the principles above

36
Q

PCI-DSS

A

self-regulated | compliant with Sarbanes-Oxley
37
Q

PII

A

personally identifiable information

38
Q

PHI

A

protected health information

39
Q

managing sensitive data

A

- labeling (identifies the classification)
- handling (secure transportation)
- storing (encryption, loss prevention, physical protection)
- destroying

40
Q

destroying sensitive data

A

- erasing: delete operation, data remains on the drive
- clearing: overwriting
- purging: intense clearing
- declassification: reuse in an unclassified environment
- sanitization: remove all data, purge or destroy the media
- degaussing: magnetic field
- destruction: crushing, shredding, acid

41
Q

data owner

A

senior management; identifies the classification, ensures labeling, ensures security controls based on the classification, decides privileges and access rights

42
Q

system owner

A

often the same as the data owner | responsible for system security and system labeling
43
Q

business/mission owner

A

owns processes managed by IT | cost/profit oriented

44
Q

data processors

A

process data on behalf of the owner

45
Q

administrators

A

assign permissions based on need to know

46
Q

custodians

A

day-to-day routines, backup, storing

47
Q

Baselines

A

provide a minimum security standard: a listing of basic controls; imaging

48
Q

Scoping/Tailoring Baselines

A

Scoping: select only the baselines that meet the requirements
Tailoring: modify baselines so that they align with the mission of the organization
49
Q

Policies, Standards, Guidelines, Procedures | PSGP

A

Policy: overview of an organization's security needs
Standard: tactical documents that define the methods to accomplish the goals and overall direction set by the security policy
Guideline: recommendations on how standards and baselines are implemented; operational guide
Procedure: step-by-step how-to document to implement a specific security mechanism

50
Q

Baseline

A

minimum level of security that every system must meet

51
Q

Vulnerability

A

the weakness in an asset + the absence of a safeguard

52
Q

Threat

A

any potential occurrence that could cause damage, disclosure or loss

53
Q

Breach

A

a security mechanism being bypassed by a threat agent

54
Q

third party governance

A

mandated by law, regulation, industry standard or licensing requirements

55
Q

exigent circumstance doctrine

A

exception to the search warrant requirement because destruction of evidence is imminent

56
Q

Tort law

A

civil law
57
Q

downstream liabilities

A

liability for intrusion and theft of data from customers or business partners

58
Q

remanence

A

residual magnetization

59
Q

due care, due diligence, negligence

A

due care is informal; due diligence follows a process; negligence is the opposite

60
Q

attestation

A

the security practices of a service provider are reviewed by a third party and finally attested

61
Q

compartmentalization

A

technical method for enforcing need to know

62
Q

SSD erase

A

ATA Secure Erase or destruction | garbage collection by TRIM does not reliably destroy data

63
Q

SRAM | DRAM

A

SRAM: fast, flip-flops, expensive
DRAM: capacitors, slow, cheap