CH 1. Security Governance Through Principles and Policies Flashcards

1
Q

Confidentiality (Definition)

A
  • measures used to ensure the protection of the secrecy of data, objects, and resources.
  • focuses security measures on ensuring that no one other than the intended recipient of a message is able to receive/read it.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the goal of Confidentiality?

A
  • prevent unauthorized access to data
  • encrypts data at rest (stored on a disk)
  • encrypts data on the network (in transit)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What does Confidentiality protection provide?

A
  • provides a means for authorized users to access and interact with resources
  • actively prevents unauthorized users from accessing and interacting with resources
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is an access control?

A
  • the management of a relationship between subjects and objects
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is an “object” in a security relationship?

A
  • the passive element in a security relationship

- such as files, computers, network connections, and applications

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is an “subject” in a security relationship?

A
  • the active element in a security relationship that acts upon or against an object
  • such as users, programs, and computers
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What are examples of attacks used to violate confidentiality?

A
  • capturing network traffic
  • stealing passwords
  • social engineering
    port scanning
  • shoulder surfing
  • sniffing
  • escalation of privileges
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are examples of human error that results in a violation of confidentiality?

A
  • not encrypting data transmissions
  • no securing access points
  • backdoors in code
  • misrouted faxes
  • documents left on printers
  • not locking terminals
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What countermeasures can help ensure confidentiality against possible threats?

A
  • encryption
  • network traffic padding
  • access controls
  • authentication procedures
  • data classification
  • personnel training
  • IPsec tunnel for VPN
  • Multi-factor Authentication
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Sensitivity (Definition)

A
  • refers to the quality of information

- could cause harm if disclosed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Discretion (Definition)

A
  • an act or decision where an operator can influence or control disclosure in order to minimize harm or damage
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Criticality (Definition)

A
  • the level to which information is mission critical

- the higher the level of criticality, the more likely the need to maintain the confidentiality of the information

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Concealment (Definition)

A
  • the act of hiding or preventing disclosure

- often viewed as a means of cover, obfuscation, or distraction

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Security Through Obscurity (Definition)

A
  • the concept of attempting to gain protection through hiding, silence, or secrecy
  • not considered a valid security measure, but may still have value
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Secrecy (Definition)

A
  • the act of keeping something a secret or preventing the disclosure of information
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Privacy (Definition)

A
  • refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Seclusion (Definition)

A
  • involves something in an out-of-the-way location

- this location can also provide strict access controls

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Isolation (Definition)

A
  • the act of keeping something separated from others

- Isolation can be used to prevent commingling of information or disclosure of information (confidentiality)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Integrity (Definition)

A
  • the concept of protecting the reliability and correctness of data
  • prevents unauthorized alteration of data
  • ensures that data remains correct, unaltered, and preserved
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What does properly implemented Integrity protection provide?

A
  • a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses or intrusions) as well as mistakes made by unauthorized users.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What does a security mechanism that protects Integrity provide?

A
  • high level of assurance that the data, objects, and resources are unaltered from their original protected state.
  • prevents alterations while the object is in storage, in transit, or in process
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What are the three perspectives that Integrity is examined from?

A
  • preventing unauthorized subjects from making modifications
  • preventing authorized subjects from making unauthorized modifications (mistakes)
  • maintaining the internal and external consistency of objects so that their data is correct
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are examples of attacks on data Integrity?

A
  • viruses
  • logic bombs
  • unauthorized access
  • errors in coding and applications
  • malicious modifications
  • intentional replacement
  • system back doors
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What are examples of unauthorized changes made by authorized users?

A
  • modifying or deleting files
  • entering invalid data
  • altering configurations
  • errors in commands, codes, and scripts
  • introducing a virus
  • executing malicious code
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What are examples of security measures to protect against Integrity violations?

A
  • access control
  • authentication procedures
  • intrusion detection
  • data encryption
  • hash total verifications
  • interface restrictions
  • personnel training
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Accuracy (Definition)

A
  • being correct and precise
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Truthfulness (Definition)

A
  • being a true reflection of reality
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Authenticity (Definition)

A
  • being authentic or genuine
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Validity (Definition)

A
  • being factually or logically sound
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

Nonrepudiation (Definition)

A
  • not being able to deny having performed an action or activity or being able to verify the origin of a communication or event
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

Accountability (Definition)

A
  • being responsible or obligated for actions and results
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

Responsibility (Definition)

A
  • being in charge or having control over something or someone
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Completeness (Definition)

A
  • having all needed and necessary components or parts
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

Comprehensiveness (Definition)

A
  • being complete in scope

- the full inclusion of all needed elements

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Availability (Definition)

A
  • authorized subjects are granted timely and uninterrupted access to objects
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

What must occur for Availability to be maintained on a system?

A
  • controls must be in place to ensure authorized access and an acceptable level of performance, to quickly handle interruptions, to provide for redundancy, to maintain reliable backups, and to prevent data loss or destruction
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

What are examples of threats to Availability?

A
  • device failure
  • software errors
  • environmental issues (heat, static, flooding, power loss)
  • DoS attacks
  • Object destruction
  • Communication interruptions
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
38
Q

What are examples of unintended violations of Availability?

A
  • Accidentally deleting files
  • overutilization of hardware or software components
  • under-allocating resources
  • mislabeling or incorrectly classifying objects
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
39
Q

What are examples of countermeasures to prevent violations of Availability?

A
  • access controls
  • monitoring performance and network traffic
  • using firewalls and routers to prevent DoS attacks
  • implementing redundancy for critical systems
  • maintaining and testing backup systems
  • fault tolerant disk
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
40
Q

Usability (Definition)

A
  • the state of being easy to use or learn or being able to be understood and controlled by a subject
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
41
Q

Accessibility (Definition)

A
  • the assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
42
Q

Timeliness (Definition)

A
  • being prompt, on time, within a reasonable time frame, or providing low-latency response
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
43
Q

5 elements of AAA services?

A
  • Identification
  • Authentication
  • Authorization
  • Auditing
  • Accounting
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
44
Q

Identification

A
  • claiming to be an identity when attempting to access a secured area or system
  • the process by which a subject professes an identity and accountability is initiated
  • can include: providing a username; swiping a smart card; waving a proximity device; speaking a phrase; using a biometric device
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
45
Q

Authentication

A
  • proving that you are that identity
  • the process of verifying or testing that the claimed identity is valid
  • most common form is a password
  • Identification and authentication are often used together as a single two-step process
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
46
Q

Authorization

A
  • defining permissions (i.e. allow/grant and/or deny) of a resource and object access for a specific identity
  • once a subject is authenticated, access must be authorized
  • just because a subject has been identified and authenticated does not mean they have been authorized
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
47
Q

Auditing

A
  • recording a log of the events and activities related to the system and subjects
  • the programmatic means by which a subject’s actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
48
Q

Accounting (aka Accountability)

A
  • reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions
  • an organization’s security policy can be properly enforced only if accountability is maintained.
  • effective accountability relies on the capability to prove a subject’s identity and track their activities.
  • if you are unable to legally support your security efforts, then you will be unlikely to be able to hold a human accountable for actions linked to a user account.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
49
Q

Access control matrix

A
  • compares the subject, the object, and the intended activity
  • if the specific action is allowed, the subject is authorized
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
50
Q

What is needed to hold a human accountable for their actions linked to a user account?

A
  • multi-factor authentication
  • with only a password as authentication, there is significant room for doubt since passwords are the least secure form of authentication
  • w/ MFA there is very little possibility that any other human could have compromised the authentication process
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
51
Q

What is required for legal restitution of a computer crime?

A

1) demonstrate that a crime was committed
2) that the suspect committed the crime
3) that you took reasonable efforts to prevent the crime
* ** your organization’s security needs to be legally defensible ***

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
52
Q

Layering

A
  • aka Defense in Depth
  • the use of numerous, different controls to guard against whatever threats come to pass
  • when security solutions are designed in layers, a failed control should not result in exposure of systems or data
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
53
Q

Abstraction

A
  • used for efficiency
  • similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective
  • thus, the concept of abstraction is used when classifying objects or assigning roles to subjects
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
54
Q

Data Hiding

A
  • the act of intentionally positioning data so that it is not viewable or accessible to an unauthorized subject
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q

Security through Obscurity

A
  • does not implement any form of protection
  • it is an attempt to hope something important is not discovered by keeping knowledge of it a secret.
  • an example of security through obscurity is when a programmer is aware of a flaw in their software code, by they release the product anyway hoping that no one discovers the issue and exploits it
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
56
Q

Encryption

A
  • the art and science of hiding the meaning or intent of a communication from unintended recipients.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
57
Q

What is the primary benefit of hashing?

A
  • integrity
58
Q

What is the primary benefit of fault tolerant routers?

A
  • availability
59
Q

What is the primary benefit of IPsec using AES encryption?

A
  • confidentiality
60
Q

What is the “authentication factor”?

A
  • the “authentication factor” used to verify identity is typically labeled as, or considered to be, private information
61
Q

Which two security concepts are often used together, and required to gain access to a system?

A
  • identification

- authentication

62
Q

What are the different authentication types?

A
  • something you know (e.g. passwords, PINs)
  • something you have (e.g. keys, tokens, smart cards)
  • something you are (e.g. biometrics, such as iris)
63
Q

What does the process of authorization ensure?

A
  • the process of authorization ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity
64
Q

What is the difference between monitoring and auditing? Which can you do without the other?

A
  • monitoring is a type of watching or oversight
  • auditing is recording of the information into a record or file
  • it is possible to monitor without auditing, but you cannot audit without some form of monitoring.
65
Q

How does Abstraction simplify security?

A
  • by enabling you to assign security controls to a group of objects collected by type or function
66
Q

Security Governance?

A
  • the collection of practices related to supporting, defining, and directing the security efforts of an organization
67
Q

Business Case?

A
  • a documented argument or stated position in order to define a need to make a decision or take some form of action
  • to make a business case is to demonstrate a business-specific need to alter an existing process or choose an approach to a business task
68
Q

What is meant by a top-down approach for security management and planning?

A
  • senior management is responsible for initiating and defining policies for an organization
  • security policies provide direction for all levels of the organization’s hierarchy
  • middle management fleshes out the security policy into standards, baselines, guidelines, and procedures.
  • the operational managers or security professionals must then implement the configurations prescribed in the security management documentation
  • finally, the end users must comply with all the security policies of the organization
69
Q

What are the three types of plans developed by the Security Management Planning team?

A
  • Strategic plan
  • Tactical plan
  • Operational plan
70
Q

Strategic Plan

A
  • long-term plan that is fairly stable
  • defines the organization’s security purpose
  • helps to understand security function and align it to the goals, mission, and objectives of the organization.
  • useful for about 5 years if it is maintained and updated annually
  • should include a risk assessment
71
Q

Tactical Plan

A
  • midterm plan
  • developed to provide more details on accomplishing the goals of the strategic plan
  • useful for about a year
  • prescribes and schedules the tasks necessary to accomplish organizational goals
72
Q

Operational Plan

A
  • short-term
  • highly detailed
  • must be updated often (monthly or quarterly)
  • spell out how to accomplish various goals of the organization
  • includes: resource allotments, budgetary requirements, staffing assignments, scheduling, step-by-step implementation procedures
73
Q

What is the goal of change management?

A
  • ensure that any change does not lead to reduced or compromised security
74
Q

Change Management

A
  • improves the security of an environment by protecting implemented security from unintentional, tangential, or affected reductions in security
  • responsible for making it possible to roll back any change to a previous secure state
75
Q

What is the primary purpose of Change Management?

A
  • make all changes subject to detailed documentation and auditing and thus able to be reviewed and scrutinized by management
76
Q

What are the requirements of Change Management?

A
  • implement change in a monitored and orderly manner
  • include a formalized testing process to verify a change produces expected results
  • all changes can be reversed
  • uses are informed of changes before they occur
  • minimize negative impacts on business
  • changes reviewed by a Change Advisory Board
77
Q

Data Classification

A
  • the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality
  • the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities
  • some data items need more security than others
  • data classification is used to determine how much effort, money, and resources are allocated to protect the data and control access to it
78
Q

What are the benefits of Data Classification?

A
  • demonstrates an organization’s commitment to protecting valuable resources and assets
  • assists in identifying those assets that are most critical or valuable to the organization
  • it lends credence to the selection of protection mechanisms
  • often required for regulatory compliance or legal restrictions
  • helps to define access levels, types of authorized uses, and parameters for declassification/destruction of resources that are no longer valuable
79
Q

What are some criteria that can be used for data classification?

A
  • usefulness of the data
  • timeliness of the data
  • value or cost of the data
  • maturity or age of the data
  • when data expires
  • data disclosure damage assessment
  • who has access to the data
  • who is restricted from the data
  • storage of the data
80
Q

What are the 7 steps to implement a data classification scheme?

A
  1. identify the custodian
  2. specify the classification criteria for information
  3. classify and label each resource
  4. document any exceptions
  5. select security controls to protect data
  6. specify procedures for declassifying data
  7. create enterprise-wide awareness program
81
Q

What are the 5 levels of government/military classification?

A
  • US Can Stop Terrorism (shortcut)
  • Top Secret (highest level): disclosure would compromise National Security (NS)
  • Secret: cause serious damage to NS
  • Confidential: cause damage to NS
  • Sensitive But Unclassified: for official use only
  • Unclassified: neither sensitive nor classified
82
Q

What are the 4 levels of business classification?

A
  • Confidential (highest): internal use only; significant impact if disclosed (e.g. proprietary data)
  • Private
  • Sensitive
  • Public
83
Q

COBIT

A
  • Control Objectives for Information and Related Technology
  • documented set of best IT security practices crafted by ISACA
  • prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives
84
Q

What are the 5 key principles of COBIT?

A
  1. Meeting Stakeholder Needs
  2. Covering the Enterprise End-to-End
  3. Applying a Single, Integrated Framework
  4. Enabling a Holistic Approach
  5. Separating Governance From Management
85
Q

Due Care

A
  • using reasonable care to protect the interests of an organization
86
Q

Due Dilligence

A
  • practicing the activities that maintain the due care effort
87
Q

Security Policy

A
  • a document that defines the scope of security needed by an organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection
  • overview or generalization of an organization’s security needs
  • defines the main security objectives and outlines the security framework of an organization
88
Q

What are examples of Security Policy uses?

A
  • Assign responsibilities
  • Define roles
  • Specify audit requirements
  • Outline enforcement processes
  • Indicate compliance requirements
  • Define acceptable risk levels
89
Q

What are the three categories of Security Policy?

A
  • regulatory
  • advisory
  • informative
90
Q

Regulatory Policy

A
  • required whenever industry or legal standards are applicable to your organization
  • discusses the regulations that must be followed and outlines the procedures that should be used to elicit compliance
91
Q

Advisory Policy

A
  • discusses behaviors and activities that are acceptable and defines consequences of violations
  • most policies are advisory
92
Q

Informative Policy

A
  • designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers
  • provides support, research, or background information relevant to the specific elements of the overall policy
93
Q

What is a rule of thumb for Security Policies?

A
  • security policies should not address individuals
  • instead, policies should define tasks and responsibilities to fit a role
  • then, these defined roles are assigned to individuals as a job description or an assigned work task
94
Q

Acceptable Use Policy

A
  • defines a level of acceptable performance and expectation of behavior and activity
95
Q

Standards

A
  • define compulsory requirements for the homogenous use of hardware, software, technology, and security controls
  • tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies
96
Q

Baseline

A
  • defines a minimum level of security that every system throughout the organization must meet
  • a more operationally focused form of a standard
  • takes the goals of a security policy and the requirements of a standard and defines them specifically in the baseline as a rule against which to implement and compare IT systems
97
Q

Guidelines

A
  • offer recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users
  • flexible
  • outline methodologies, include suggested actions
98
Q

Threat Modeling

A
  • the security process where potential threats are identified, categorized, and analyzed
  • can be proactive or reactive
  • identifies the potential harm, probability of occurrence, the priority of concern, and the means to eradicate or reduce the threat
99
Q

Proactive Threat Modeling

A
  • defensive approach
  • takes place during the early stages of systems development (initial design)
  • based on predicting threats and designing in specific defenses during the coding and crafting process
  • more cost effective and successful
100
Q

Reactive Threat Modeling

A
  • adversarial approach
  • takes place after a product has been created and deployed
  • ethical hacking, pentesting, source code review, and fuzz testing
101
Q

Fuzz Testing

A
  • dynamic testing technique
  • provides many different types of input to software
  • stresses its limits and finds previously undetected flaws
102
Q

STRIDE

A
  • threat categorization theme developed by Microsoft
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
103
Q

Spoofing

A
  • an attack with the goal of gaining access to a target system through the use of falsified identity
  • results in data theft or privesc
104
Q

What are some targets of spoofing?

A
  • IP
  • MAC
  • usernames
  • system names
  • SSID
  • email addresses
105
Q

Tampering

A
  • any action resulting in unauthorized changes or manipulation of data
  • can be data in transit or storage
  • violations of integrity and availability
106
Q

Repudiation

A
  • the ability of a user or attacker to deny having performed an action or activity
  • allows attackers to maintain plausible deniability to not be held accountable for their actions
  • can result in innocent third parties being blamed
107
Q

What are some causes of Information Disclosure?

A
  • failing to remove debugging code
  • leaving sample accounts
  • not sanitizing programming notes in HTML
  • using hidden form fields
  • detailed error messages
108
Q

What are some means of DoS?

A
  • flaw exploitation
  • connection overload
  • traffic flooding
109
Q

What are some permanent examples of DoS attack?

A
  • destruction of dataset
  • replacement of software with malicious alternatives
  • forcing a firmware flash operation to install faulty firmware
110
Q

PASTA

A
  • seven-stage threat modeling methodology
  • risk-centric approach that aims at selecting or developing countermeasures in relation to the value of the assets being protected
111
Q

What are the 7 steps of PASTA

A
  • Stage I: definition of the Objectives (DO) for the analysis of Risks
  • Stage II: definition of the Technical Scope (DTS)
  • Stage III: Application Decomposition and Analysis (ADA)
  • Stage IV: Threat Analysis (TA)
  • Stage V: Weakness and Vulnerability Analysis (WVA)
  • Stage VI: Attack Modeling & Simulation (AMS)
  • Stage VII: Risk Analysis & Management (RAM)
112
Q

TRIKE

A
  • threat modeling methodology that focuses on a risk-based approach instead of depending upon the aggregated threat model used in STRIDE and DREAD
  • provides a method of performing a security audit in a reliable and repeatable procedure
  • used to craft an assessment of an acceptable level of risk for each class of asset that is then used to determine appropriate risk response actions
113
Q

VAST

A
  • Visual, Agile, and Simple Threat

- threat modeling concept based on Agile project management and programming principles

114
Q

Reduction Analysis

A
  • aka Decomposing the application
  • purpose is to gain a greater understanding of the logic of the product as well as its interactions with external elements
115
Q

What are the 5 key concepts of Reduction Analysis?

A
  1. Trust Boundaries
  2. Data Flow Paths
  3. Input Points
  4. Privileged Operations
  5. Details about Security Stance and Approach
116
Q

DREAD

A
  • rating system for threats
  • scale of 1 to 100; 100 is most severe
  • Answers 5 questions about each threat:
    1. Damage potential
    2. Reproducibility
    3. Exploitability
    4. Affected users
    5. Discoverability
  • a value is assigned to each question
117
Q

What should be considered when evaluating a third party for security integration?

A
  • On-site Assessment
  • Document Exchange and Review
  • Process/Policy Review
  • Third-Party Audit
118
Q

Basic definition of Risk?

A
  • potential/probability for loss
119
Q

Counter measure?

A
  • compensates for a vulnerability
120
Q

Threat agent?

A
  • takes advantage of a weakness
121
Q

What are the 3 types (categories) of control?

A
  • technical
  • administrative
  • physical
122
Q

What are examples of Administrative controls?

A
  • policies
  • security awareness
  • standards
  • guidelines
123
Q

What are examples of Technical controls?

A
  • tokens
  • smart cards
  • biometric readers
  • passwords
  • encryption
  • ACL on file system
124
Q

What are examples of Physical controls?

A
  • security guard
  • locked door
  • fence
125
Q

DR

A
  • disaster recovery
126
Q

DRP

A
  • disaster recovery plan
127
Q

BC

A
  • business continuity
128
Q

BCP

A
  • business continuity plan
  • long-term
  • makes sure that business can continue
129
Q

BIA

A
  • business impact analysis
  • identifies all critical systems
  • how long critical systems can be down, and business still survive
  • regulatory requirements that apply to business
  • costs involved regarding loss if business is down
  • dependencies on other systems
130
Q

What are the phases of a policy life cycle?

A
  • Develop
  • Publish
  • Adopt
  • Review
131
Q

What does a policy need to be successful?

A
  • Endorsement from management
  • Relevance to the organization
  • Realistic
  • Adaptable/Flexible
  • Enforceable; measurable
132
Q

What are approaches to threat modeling?

A
  • attacker perspective
  • asset perspective
  • architecture perspective
133
Q

What is the “work factor”?

A

When threat modeling, determining how much work it would take for an attacker to compromise a system

134
Q

IOA

A
  • indicator of attack

- attack is currently underway, but hasn’t been completed yet

135
Q

What is threat modeling a part of?

A
  • Due dilligence
136
Q

What are some key steps of Supply Chain Risk Management?

A
  1. Clear identification and documentation of what is outsourced
  2. Consider the risks and have a backup plan
  3. BIA and contingency plans in case the supply chain is disrupted
137
Q

What is a good practice to follow when selecting vendors?

A
  • pick vendors that are following industry standards

- conduct a third-party audit of the vendor

138
Q

What are some examples of industry standards vendors should be following?

A
  • ISO 9001: quality standards

- ISO 27001: information security standards

139
Q

What is the auditing standard?

A
  • SSAE
140
Q

What is the quality management standard?

A
  • ISO 9001
141
Q

What are the ISMS standards?

A
  • ISO 27001
142
Q

What is the association representing the accounting profession?

A
  • AICPA