2.0 Compliance and Operational Security Flashcards
What is Access Control?
Access control is the ability to permit or deny the privileges that users have when accessing resources on a network or computer.
What processes are included in access control?
The processes included in access control are Identification, Authentication, Authorization, and Auditing (accounting).
What is MAC?
Mandatory Access Control (MAC) uses labels or attributes for both users and objects; the system compares the user's clearance label with the object's classification label to make the access decision, and neither the user nor the object's owner can override it.
What is DAC?
Discretionary Access Control (DAC) assigns access directly to users based on the discretion of the owner.
What is RBAC?
Role Based Access Control (RBAC) allows access based on a role in an organization, not individual users.
What is the principle of least privilege?
The principle of least privilege states that users or groups are given only the access they need to do their job and nothing more.
What is need to know?
Need to know restricts highly sensitive data to the people who require that specific data to do their job; holding a high enough clearance alone is not sufficient.
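The MAC, DAC, RBAC, least privilege and need to know cards above, worked as code. This is an added example and not part of the flashcard set: a toy policy decision point in Python that evaluates the same read/write requests under each model so their differences are visible, and then picks a least-privilege role set for a job. The subjects (alice, bob, carol), the labels, the roles and their permissions, the "finance" compartment and the q3-report resource are all constructed for the illustration; the MAC rules follow the Bell-LaPadula model.

```python
# Added example (not from the flashcards): a toy policy decision point that
# applies MAC, DAC and RBAC to the same request. Subjects, labels, roles,
# permissions and the resource are constructed for the illustration; the MAC
# rules follow Bell-LaPadula.
from dataclasses import dataclass, field
from itertools import combinations

# MAC: a system-defined, ordered set of sensitivity labels.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# RBAC: permissions are attached to roles, never to individual users.
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "grant"},
}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str                          # MAC label
    compartments: frozenset = frozenset()   # MAC need-to-know categories
    roles: frozenset = frozenset()          # RBAC roles


@dataclass
class Resource:
    name: str
    owner: str                              # DAC: the owner sets the ACL
    classification: str                     # MAC label
    compartments: frozenset = frozenset()
    acl: dict = field(default_factory=dict)  # DAC: user -> set of actions


def mac_allows(subj: Subject, res: Resource, action: str) -> bool:
    """MAC (Bell-LaPadula): labels are compared by the system, not the owner.

    read  -> subject clearance >= object classification AND the subject holds
             every compartment on the object ("no read up" plus need to know)
    write -> object classification >= subject clearance ("no write down"), so a
             secret-cleared user cannot copy secret data into a public file
    """
    s, o = LEVELS[subj.clearance], LEVELS[res.classification]
    if action == "read":
        return s >= o and res.compartments <= subj.compartments
    if action == "write":
        return o >= s
    return False


def dac_allows(subj: Subject, res: Resource, action: str) -> bool:
    """DAC: the owner has full control and grants others through the ACL."""
    if subj.name == res.owner:
        return True
    return action in res.acl.get(subj.name, set())


def rbac_allows(subj: Subject, res: Resource, action: str) -> bool:
    """RBAC: the subject gets the union of its roles' permissions; ownership
    and labels play no part in the decision."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subj.roles))
    return action in granted


def least_privilege_roles(required: set) -> frozenset:
    """Least privilege applied to RBAC: choose the smallest role set that covers
    the job's required actions while granting the fewest unneeded ones."""
    roles = sorted(ROLE_PERMISSIONS)
    for n in range(1, len(roles) + 1):
        best = None
        for combo in combinations(roles, n):
            perms = set().union(*(ROLE_PERMISSIONS[r] for r in combo))
            if required <= perms:
                extra = len(perms - required)
                if best is None or extra < best[0]:
                    best = (extra, frozenset(combo))
        if best is not None:
            return best[1]
    return frozenset()   # no combination of roles covers the request


# Constructed scenario: a secret, finance-compartmented report owned by bob.
ALICE = Subject("alice", "secret", frozenset({"finance"}), frozenset({"analyst"}))
BOB = Subject("bob", "confidential", frozenset(), frozenset({"editor"}))
CAROL = Subject("carol", "top_secret", frozenset(), frozenset({"admin"}))
REPORT = Resource("q3-report", owner="bob", classification="secret",
                  compartments=frozenset({"finance"}), acl={"alice": {"read"}})

if __name__ == "__main__":
    for subj in (ALICE, BOB, CAROL):
        for action in ("read", "write"):
            print(f"{subj.name:5} {action:5} MAC={mac_allows(subj, REPORT, action)!s:5} "
                  f"DAC={dac_allows(subj, REPORT, action)!s:5} "
                  f"RBAC={rbac_allows(subj, REPORT, action)}")
    print("least-privilege roles for a read-only job:",
          sorted(least_privilege_roles({"read"})))
```

Running it shows the three models disagreeing on the same request: carol, who outranks everyone under MAC, is still denied a read because she lacks the "finance" compartment (need to know); bob can write the report under DAC because he owns it and under RBAC because he is an editor, but under MAC he can write it (write up) while being unable to read it; and the least-privilege helper assigns a read-only job the analyst role rather than admin.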
What is separation of duties?
Separation of duties is the concept of having more than one person required to complete a task.
What is job rotation?
Job rotation is a technique where users are cross-trained in multiple job positions, and where responsibilities are regularly rotated between personnel.
What is defense-in-depth?
Defense-in-depth is a layered security approach that implements multiple, overlapping controls (for example network, host, application and physical controls) instead of relying on a single method, so that the failure or bypass of one control does not by itself expose the resource.
What is creeping privileges?
Creeping privileges (privilege creep) occur when a user's job position changes and their previous access privileges are not removed or modified, so the user accumulates more access than the current role requires; periodic access reviews are the usual countermeasure.
What is a regulation?
A regulation is a requirement published by a government or other licensing body that must be followed.
What is a procedure?
A procedure is a step-by-step process outlining how to implement a specific action.
What is a baseline?
A baseline dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards.
What is a guideline?
A guideline is a recommendation to use when a specific standard or procedure does not exist.
What is information classification?
Information classification is the process of categorizing information by its sensitivity (for example public, internal, confidential) so that the appropriate handling, disclosure and protection controls can be applied to meet the organization's privacy and security requirements.
What is business continuity?
Business continuity is the activity performed by an organization to ensure that critical business functions will be available to customers, suppliers, regulators, and other entities that must have access to those functions.
What is a BCP?
A Business Continuity Plan (BCP) identifies appropriate disaster responses in order to maintain business operations during reduced or restricted infrastructure and resource capabilities.
What is BIA?
Business Impact Analysis (BIA) identifies the organization's critical business functions and focuses on the impact (financial, operational, regulatory) that the loss of each function would have on the organization over time.
What is a DRP?
A Disaster Recovery Plan (DRP) identifies short-term actions to take to stop the incident and restore critical functions so the organization can continue to operate.
What is risk management?
Risk management is the process of identifying vulnerabilities and threats and deciding what countermeasures to take to reduce risks to an acceptable level.
What is a security incident?
A security incident is an event or series of events, resulting from a security policy violation, that adversely affects a company's ability to carry on normal business.
What is an incident response?
Incident response is the set of actions taken to deal with an incident, both during and after it occurs.
What is social engineering?
Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity.