ASIS CPP - Information Security Flashcards

1
Q

Protecting Information

Information Categories

A

Sensitive and proprietary information

Privacy-protected data

Intellectual property

Intangible assets

Information defined under international, federal, and state laws governing trade secrets, patents, and copyrights

2
Q

Protecting Information

Basic principles of effective protection

A
  1. Classification and labeling
  2. Handling protocols to specify use, distribution, storage, security expectations, declassification, return, and destruction/disposal methodology
  3. Training
  4. Incident reporting and investigation
  5. Audit/compliance processes and special needs (disaster recovery)
3
Q

Protecting Information - Information Assets

What is the second most valuable resource after employees?

A

Corporate Knowledge

4
Q

Protecting Information - Information Assets

Intangible rights protecting commercially valuable products of intellect?

A

Intellectual Property Rights (IPR)

Trademark | Copyright | Patent | Trade Secrets | Publicity Rights | Moral Rights | Rights against unfair competition

5
Q

Protecting Information - Information Assets

Excludes others from making, using, offering for sale, or selling an invention for 20 years

A

Patents

6
Q

Protecting Information - Information Assets

The owner must take reasonable measures to keep the information secret

Must derive independent economic value, actual or potential, from not being generally known and not being readily ascertainable through proper means by the public

A

Trade Secret

7
Q

Protecting Information - Information Assets

For information to be considered a trade secret, the owner must be able to prove…

A
  1. The information added value or benefit to the owner
  2. The trade secret was specifically identified
  3. The owner provided a reasonable level of protection

A robust security program and strict protection measures clearly and consistently defined, communicated, and enforced

8
Q

Protecting Information - Information Assets

Patents vs. Trade secrets

A
  • An inventor may protect an invention by patenting it or by deeming it a trade secret
  • Patents require public disclosure and last only 20 years
  • A trade secret is not disclosed and may last indefinitely
  • Stealing a trade secret may violate criminal laws but there are no criminal laws regarding patent infringement
9
Q

Protecting Information - Information Assets

A proprietary right or other valid economic interest in data resulting from private investment

A

Proprietary Information

10
Q

Protecting Information - Information Assets

  • Protects the expression of ideas in literary, artistic, and musical works
  • Under international law, copyrights do not have to be registered to be protected
  • An author or copyright holder can formalize ownership through government registration, which may help in any later enforcement actions
A

Copyright

11
Q

Protecting Information - Information Assets

Name, phrase or other device used to identify and distinguish the services of a certain provider

A

Service Mark

12
Q

Protecting Information - Information Assets

Word, phrase, logo or other graphic symbol used by a manufacturer or seller to distinguish its product from others

Consists of words, names, symbols, devices, or images applied to products or used in connection with goods or services to identify their source

A

Trade Mark

13
Q

Protecting Information - Information Assets

It is the intellectual property owner’s responsibility to understand and comply with the requirements for protecting patents, trademarks and copyrights in each relevant jurisdiction

A
14
Q

Protecting Information - Information Risk Assessment

A thorough and tailored risk assessment is the foundation for the development of an overall IAP strategy

A
15
Q

Protecting Information - Information Risk Assessment

The goal of risk management and the security program is…

A

to optimize risk, never to minimize it

16
Q

Protecting Information - Information Risk Assessment

In basic risk management, how much one should spend to prevent an information security incident equals the probability of the incident times its cost

A
17
Q

Protecting Information - Information Risk Assessment

Too often there is an over-emphasis on dollar values as the only metric in a risk analysis

A
  • May discourage the consideration of non-tangible measures of factors that cannot be easily quantified
  • Qualitative risk analyses are sometimes more appropriate and should be considered in lieu of, or in addition to, quantitative analysis
18
Q

Protecting Information - OPSEC

What was developed in the military to protect unclassified information that could reveal sensitive plans and operations?

A

A Protection Approach

19
Q

Protecting Information - OPSEC

OPSEC calls for…

A

Viewing the big picture and identifying any protection gaps that remain despite current security measures

20
Q

Protecting Information - OPSEC

OPSEC responds to the fact that small bits of information taken from several different sources can be combined to reveal sensitive information

A
21
Q

Protecting Information - OPSEC

OPSEC or information risk management should be practiced in organizations of all sizes, but it is particularly valuable for smaller businesses that may not have a large security or IAP staff or a great deal of security resources

A
22
Q

Protecting Information - OPSEC

A simple and systematic method of employing safeguards to protect critical information; the process includes five cyclical steps

A
  1. Identify assets (critical information)
  2. Define the threat (collectors, capabilities, motivations)
  3. Assess vulnerabilities
  4. Analyze the risk (impact, priority, existing countermeasures, etc)
  5. Develop and implement countermeasures
23
Q

Protecting Information - Information Threats

Categories of Information Threats

A

Intentional

Natural

Inadvertent

24
Q

Protecting Information - Information Threats

Top business impacts of information loss…

A
  • Loss of company reputation/image/goodwill
  • Loss of competitive advantage in one product/service
  • Reduced projected/anticipated returns or profitability
  • Loss of core business technology or process
  • Loss of competitive advantage in multiple products/services
25
Q

Protecting Information - Information Threats

Today, compromised information assets are almost always impossible to recall or contain once disseminated; they can be anywhere or everywhere in an instant

A
26
Q

Protecting Information - Information Threats

Perhaps the most frequently overlooked threats are inadvertent threats

A
27
Q

Protecting Information - Information Threats

Insider espionage is facilitated by…

A
  • Advanced information storage and retrieval results in easier access
  • A broader range of foreign buyers is more accessible than ever
  • International collaboration places more employees in strategic positions to work with foreign personnel
  • Opportunities to transfer information increase with increasing rates of foreign travel
28
Q

Protecting Information - Information Threats

Insider espionage ctd…

A
  • Abundant financial burdens for Americans make them more prone to compromise
  • Debts increased by easy access to gambling sources will make Americans more prone to compromise
  • Reduced loyalty between organizations and employees generates motivation
  • Ethnic ties produce opportunities and motivation in American employees
  • Commitment to the “global community” and common good motivates the desire to share information
29
Q

Protecting Information - Information Threats

A virtual threat (“ghost”) does one or more of three functions:

A
  1. Sends information to its control (owner of the threat software)
  2. Receives commands from its control
  3. Executes commands where it is installed
30
Q

Protecting Information - Information Vulnerabilities

Trade shows are a traditional venue for business and government intelligence collection

A
31
Q

Protecting Information - Information Vulnerabilities

Virtual threats take advantage of flaws, or vulnerabilities, in complex source code

A
32
Q

Protecting Information - Information Vulnerabilities

One business activity that raises special risks to a company’s information is the establishment of relationships with other companies, domestically or internationally

(such as partnerships or outsourcing agreements)

A
33
Q

Protecting Information - Information Vulnerabilities

IT threats cannot manifest without a vulnerability to exploit; vulnerabilities fall into five categories

A
  1. Vulnerabilities in the information systems infrastructure
  2. Vulnerabilities in people using the information systems infrastructure
  3. Vulnerabilities in people maintaining the information systems infrastructure
  4. Vulnerabilities in information systems management processes
  5. Executive and senior management vulnerabilities
34
Q

Protecting Information

Access control databases are vulnerable in two ways

A
  1. Administrative misconduct
  2. Attack from an outside connection (internet)
35
Q

Protecting Information

The physical access control network is generally made up of two parts

A
  1. The connection between the reader and a controller
  2. The TCP/IP network on which controllers talk to servers and users talk to servers
36
Q

Protecting Information

A legacy HID (Hughes identification device) card has two components

A
  1. The secret facility number, or facility code, which is not printed on the card but is known to the facility owner
  2. An identification number that is printed on the card
37
Q

Protecting Information

A tool called gecko, which can be built for $10 worth of parts, can give an intruder complete control over a door by compromising the Wiegand data stream sent from the reader to the controller

A
38
Q

Information Protection Measures

A race of technology and methodology between the “good guys” and the “bad guys”, requiring that an organization’s information systems management program be continually improved

A

Red Queen Effect

39
Q

Information Protection Measures

Because of their close interaction with employees every day, first and second-tier management are those individuals who exert the most influence over information security

A
40
Q

Information Protection Measures

Where does the responsibility ultimately lie for protecting information assets?

A

Leadership of an organization

41
Q

Information Protection Measures

Information protection measures must be sufficient to ensure…

A

Confidentiality

Accountability

Non-repudiation

Integrity

Recoverability

Availability

Auditability

42
Q

Information Protection Measures

The most effective IT security for information protection is a layered approach that integrates physical, procedural, and logical protection measures

A
43
Q

Information Protection Measures

3 different perspectives of Defense in Depth, or Layered Protection

A
  1. Increasing levels of trust for those who are given access to successive layers
  2. Different security technologies or measures that operate in concert
  3. Successive layers employed to delay, detect, and deter intruders
44
Q

Information Protection Measures

Personnel security plays a key role in IAP and includes things such as…

A
  • Due diligence investigations of potential partners
  • Standard pre-employment screening
  • Vetting of subcontractors, vendors, and consultants
45
Q

Information Protection Measures

Steps for protecting a business from espionage (according to the FBI)

A
  1. Recognize there is an insider and outsider threat to your company
  2. Identify and evaluate trade secrets
  3. Implement a proactive plan for safeguarding trade secrets
  4. Secure physical and electronic versions of your trade secrets
  5. Confine intellectual knowledge on a “need-to-know” basis
46
Q

Information Protection Measures

Security awareness and training is one of the most cost-effective measures that can be employed to protect corporate and organizational information assets

A
47
Q

Information Protection Measures

The use of services, equipment and techniques designed to locate, identify and neutralize the effectiveness of electronic eavesdropping, wiretapping, bugging, etc…

A

Technical Surveillance Countermeasures (TSCM)

48
Q

Information Access Control

Benefits of an IAP program

A
  • Enhances fiduciary oversight, control, and stewardship of key intangible assets
  • Aligns information assets with business operations and the organization’s strategic vision
  • Allows more efficient allocation of traditional and IT security resources
  • Allows more timely pursuit of information asset compromises and intellectual property rights (IPR) violations
49
Q

Information Access Control

IAP Program benefits ctd…

A
  • Serves as leverage in negotiating coverage and premiums for intellectual property (IP) and information technology (IT) insurance
  • Provides consistency in regulatory reporting of intangible assets
  • Standardizes internal and external handling of intangible assets
  • Identifies key internal and external sources of intangible assets and intellectual capital
50
Q

Information Access Control

The first step in implementing an IAP is…?

A

To identify the information that may need to be labeled and protected

  • Helps narrow the scope of the information that requires protection
  • Focuses limited security resources where they are most needed
51
Q

Information Access Control

An employee’s access to information should be based on his or her current job function and a need-to-know basis, not on a position or management level

A
52
Q

Information Access Control

An organization’s leadership should consider both the

A
  • Categories of Information
  • Levels of Information
53
Q

Information Access Control

Levels of information may be determined by…?

A

Sensitivity

Criticality

Time during which the information is pertinent

54
Q

Information Access Control

Most organizations use 2 - 4 levels of sensitivity marking, such as “confidential”, “restricted”, “limited”

A
55
Q

Information Access Control

Typical categories of information controls

A
  1. Approved for external release (unrestricted access)
  2. Internal (limited to employees and contractors)
  3. Confidential (limited by a specific need to know)
56
Q

Information Access Control

How should information of various classifications be stored?

A

Separately

57
Q

Information Access Control

Access to internal information should be restricted to company personnel or others who have signed a nondisclosure agreement

A
58
Q

Information Access Control

A central knowledge management system

A
  • Collects, distributes, and publicizes corporate data in a searchable, accessible format
  • Aids corporate departments by reducing redundant efforts and promoting knowledge sharing
  • Helps preserve knowledge if an employee leaves his or her position or the company
  • Can enable one department to learn from the processes, technologies, and ideas of another
59
Q

Information Access Control

A central knowledge management system ctd…

A
  • Can be used to collect data that measure the productivity and performance of business units and individual employees
  • May create a security vulnerability
60
Q

Information protection policy and procedure

Effective Information Asset Policy (IAP) requires

A
  • Leadership commitment, budgetary resources, depth of support
  • Dedicated department
  • Requirement to adhere to the policy
  • Continuous education and training
61
Q

Information protection policy and procedure

Information security policies should include, at a minimum…

A
  1. A definition of information security, its overall objectives and scope, and the importance of security as an enabling mechanism for information sharing
  2. A statement of management intent, supporting the goals and principles of information security
  3. A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization
62
Q

Information protection policy and procedure

Physical security participation in the creation of the ISS policy is critical for 2 reasons

A
  1. ISS policies affect day-to-day physical security operations (both staff’s interaction with computers and security devices’ connections to and interaction with the network)
  2. ISS policy defines what types of devices are allowed on the network
63
Q

Information protection policy and procedure

Recovery…the two primary elements of recovery are?

A
  1. To return to normal business operations as soon as possible
  2. To implement measures to prevent a recurrence of the problem
64
Q

Regulations and legal protection

Information owners must recognize legal protections are effective only if the owner is willing to pursue recourse

A
65
Q

Regulations and legal protection

The Gramm-Leach-Bliley Act

A

Regulates the use and disclosure of nonpublic PII for those who obtain financial products or services from financial institutions

66
Q

Regulations and legal protection

  • Generally prohibits a financial institution from disclosing PII to a nonaffiliated third party, directly or indirectly, unless it has
A
  • Disclosed to the customer, in a clear and conspicuous manner, that the information may be disclosed to a third party
  • Given the consumer an opportunity to direct that the information not be disclosed
  • Described the manner in which the consumer can exercise the nondisclosure option
67
Q

Regulations and legal protection

HIPAA…Requires covered entities and business associates to do the following to protect health information

A
  1. Maintain a risk-driven information security management program based on administrative, technical, and physical controls
  2. Ensure the confidentiality, integrity, and availability of all electronic PHI created, received, maintained, or transmitted
  3. Protect against any reasonably anticipated threats or hazards to the security or integrity of PHI
  4. Protect against any reasonably anticipated uses or disclosures of PHI that are not permitted or otherwise required
68
Q

Regulations and legal protection

HIPAA ctd…

A
  1. Ensures compliance by its workforce
  2. Ensures compliance by third parties with whom information is shared
69
Q

Regulations and legal protection

The Sarbanes-Oxley Act of 2002 (SOX)

A
  • Most significant new securities law since the SEC was created in 1934
  • Places substantial responsibilities on officers and directors of public companies
  • Imposes significant criminal penalties on CEO’s, CFO’s and others
  • Obligates public companies to publicly address information security practices
70
Q

Regulations and legal protection

SOX ctd…

A
  • Section 404 (most relevant to security) requires that management develop, test, document, and monitor internal controls, disclosure controls, and procedures
  • Principles of corporate governance applied to public corporations have been extended to private companies through state laws or market forces
71
Q

Regulations and legal protection

The Red Flags Rule…Implements Sections 114 and 315 of the Fair and Accurate Credit Transaction (FACT) Act

A

The FTC requires each creditor holding an account with a reasonably foreseeable risk of ID theft to develop and implement an Identity Theft Prevention Program

72
Q

Regulations and legal protection

Red Flags Rule ctd…

Red flags that must be identified, detected, and responded to include:

A
  • Alerts, notifications, or warnings from a consumer reporting agency
  • Suspicious documents
  • Suspicious personally identifying information, such as a suspicious address
  • Unusual use of - or suspicious activity relating to - a covered account
  • Notices from customers, victims, law enforcement, or other businesses about possible ID theft in connection with covered accounts
73
Q

Regulations and Legal Protection

All successful IAP programs assign a specialist the responsibility of monitoring pending legislation and regulations related to the protection of information assets

A
74
Q

The impact of cybercrime

Often the loss of productivity is more costly than the cost of cleaning up from the virus attack

A
75
Q

The impact of cybercrime

The average cost to comply with state breach-disclosure laws now exceeds $200 per record

A
76
Q

The impact of cybercrime

Based on the expansion of cybercrime into organized crime, many believe the insider threat is no longer the cause of most IT losses

A
77
Q

Computer Basics

The first computer was built by…?

A

Alan Turing during WWII to decrypt the German Enigma code

78
Q

Computer Basics

Developed by Gordon Moore, co-founder of Intel, and states that the processing power of computers will double every eighteen months

A

Moore’s Law

79
Q

Computer Basics

A computer operates in two primary modes

A
  1. Stand-alone computing device
  2. Device that can communicate with other computers
80
Q

Computer Basics

3 logical points of control for a computer

A

Input

Programs

Communications stack

81
Q

Network Basics

The most common type of network connection is to the…?

A

Internet

82
Q

Network Basics

7 communication layers of the Open Systems Interconnect (OSI) model

A

Application

Presentation

Session

Transport

Network

Data link

Physical

83
Q

IT Security Terminology

IDS

IT Intrusion Detection Systems monitor for malicious programs and unauthorized changes to files and settings, monitor network traffic, and provide real-time alarms for network-based attacks

A
84
Q

IT Security Terminology

Sanitizing Media

A
  • Sanitizing: Removing data before the media is reused
  • Overwriting: Replacing data with meaningless data
  • Clearing: Eradicating data by overwriting or degaussing (laboratory techniques can recover “cleared” data)
  • Destroying: Physically damaging the media
85
Q
A
86
Q

IT Security Terminology

Logical network access control

A

The process by which users are identified and granted privileges to information, systems or resources

87
Q

IT Security Countermeasures

Categories of IT Countermeasures

A

Administrative

Technical

Physical

88
Q

IT Security Terminology

Where IT countermeasures are deployed

A
  • On the information systems infrastructure (technical)
  • Infrastructure management (administrative, technical, physical)
  • Executive and senior management (administrative, technical, physical)
  • Community-based (administrative, technical, physical)

90
Q

IT Security - Encryption

Obscuring the meaning of information by altering or encoding it so it can only be decoded by people for whom it is needed

A

Encryption

91
Q

Information Systems Security (ISS)

ISS Control Objectives

A

Protection

Detection

Recovery

Compliance

92
Q

Information Systems Security (ISS)

Three “threat agents” (categories of threats) in ISS risk management

A

Nature

People

Virtual

93
Q

Information Systems Security (ISS)

AAA Triad

A

Authentication

Authorization

Auditing
