Chapter 1 Measuring and Weighing Risk Flashcards
Threat Vectors
pg.8
A way in which an attacker poses a threat
Mean Time Between Failures
pg.8
The measures of anticipated incidence of failure for a system or component
Mean time to failure
pg.8
the average time to failure for a non-repairable system
Mean Time to Restore
pg.8
the measure for how long it takes to repair a system or component once a failure occurs
Recovery Time Objective
pg.9
the maximum amount of time that a process or service is allowed to be down and the consequences still be considered acceptable
Recovery Point Objective
pg.9
similar to RTO, but it defines the point at which the system needs to be restored
Risk Avoidance
pg.9
involves identifying a risk and making the decision not to engage any longer in the actions associated with the risk
Risk Transference
pg.9
sharing some of the burden of the risk with another entity, or transferring it completely to that entity
Risk Mitigation
pg.9
accomplished any time you take steps to reduce risk
Risk Deterrence
pg.10
understanding the enemy and letting them know the harm that can come their way if they cause harm to you
Risk Acceptance
pg.10
often the choice you must make when the cost of implementing any of the other four choices exceeds their value relative to the harm that would occur if the risk came to fruition
Cloud computing
pg.17
Hosting services and data on the internet instead of hosting it locally
Platform as a service
pg.17
vendors allow apps to be created and run on their infrastructure
Software as service
pg.17
applications are remotely run over the web
Infrastructure as a service
pg.17
utilizes virtualization and the clients pay an outsourcer for resources used
Regulatory Compliance
pg.18
Agency rules with which you must comply
User Privileges
pg.18
allowing users access to data to which they would not otherwise have access, and which they could then harm
Data Integration/segregation
pg.18
keeping data on secure servers / making sure that your data is not commingled beyond your expectations
Virtualization
pg.19
allowing one set of hardware to host multiple virtual machines
Network and security controls can intermingle
pg.19
tool used to administer the virtual machine monitor
Standard
pg.21
deals with specific issues or aspects of a business / derived from policies
Roles and Responsibilities
pg.21
section of the document that outlines who is responsible for implementing, monitoring, and maintaining the standard
Reference Documents
pg.21
how the standard relates to the organization's different policies / connecting the standard to the underlying policies that have been put in place
Performance Criteria
pg.21
outlines how to accomplish the task
Guidelines
pg.22
help users comply with policies and maintain the standard
Scope and Purpose
pg.22
the “whom it applies to /for” and the “why it exists”
Guideline Statements
pg.23
step by step instructions on how to accomplish a specific task in a specific manner
Operational Considerations
pg.23
specify and identify what duties are required and at what intervals
Separation of Duties Policies
pg.24
designed to reduce the risk of fraud and to prevent other losses in an organization
Collusion
pg.24
an agreement between two or more parties established for the purpose of committing deception or fraud
Privacy Policies
pg.24
what controls are required to implement and maintain the sanctity of data privacy in the work environment
Acceptable Use Policies
pg.24
describes how the employees in an organization can use company systems and resources.
Security Policies
pg.25
what controls are required to implement and maintain the security of systems, users, and networks
Mandatory Vacations
pg.26
requires all users to take time away from work to refresh
Job Rotation
pg.26
intervals at which employees must rotate through positions
Least Privilege
pg.26
should be used when assigning permissions
Single Point of Failure
pg.30
avoided by building an infrastructure that has more than one network and more than one instance of each service
Contingency Plan
pg.30
a plan for the "what ifs"
High Availability
pg.32
the measures used to keep services and systems operational during an outage
Redundancy
pg.32
systems that either are duplicated or fail over to other systems in the event of a malfunction
Fail over
pg.32
the process of reconstructing a system or switching over to other systems when a failure is detected
Fault Tolerance
pg.33
the ability of a system to sustain operations in the event of a component failure
Redundant Array of Independent Disks (RAID)
pg.34
technology that uses multiple disks to provide fault tolerance
RAID
pg.34
Level 0 - disk striping - uses multiple drives and maps them together as a single physical drive
Level 1 - disk mirroring - 100% redundancy - everything stored on 2 disks
  (disk duplexing - the same data is stored on both disks simultaneously)
Level 3 - disk striping with a parity disk
Level 5 - disk striping with parity
Backups
duplicate copies of information