Business Flashcards
1
Q
Information Security Management System
A
a framework of policy and controls to manage risks
2
Q
Risk Management
A
- identify, assess, manage risks to the business
- threat, vulnerability, likelihood, impact, cost/benefit
3
Q
Human Resource Security
A
- background checks
- employment agreements
- security awareness training
- disciplinary processes
- employee termination processes
4
Q
Operations security
A
- documented procedures
- change management
- capacity management
- backups
- logging
- vulnerability management
5
Q
Communications security
A
- network protections, firewalls, IDS/IPS…
- segregation
- electronic messaging controls
- confidentiality agreements, NDAs
6
Q
Security in the SDLC
A
- SDLC = software development life cycle
- threat modeling
- secure code reviews
- security testing
7
Q
Threat Modeling
A
Model: What are you building?
Analyze: What could possibly go wrong?
Manage: What do you do about it?
- threats could be considered design bugs, so file bug reports for them
8
Q
STRIDE
A
spoofing (authentication)
tampering (integrity)
repudiation (non-repudiation)
information disclosure (confidentiality)
denial of service (accessibility)
elevation of privilege (authorization)
9
Q
“good” threats are…
A
- pertinent to the model (not code bugs, avoids fantasy zone)
- actionable (can any developer tackle this, prioritize)
- complete and well-framed (“an attacker could do X thing, and lead to Y result”)