Chapter 1 Security Governance Through Principles and Policies Flashcards
Similar elements are put into groups, classes, or roles that
are assigned security controls, restrictions, or permissions as a collective.
Abstraction
Layering
Data Hiding
Encryption
Abstraction
use of multiple controls in a series.
Abstraction
Layering
Data Hiding
Encryption
Layering
the art and science of hiding the meaning or intent of a communication from
unintended recipients.
Abstraction
Layering
Data Hiding
Encryption
Encryption
preventing data from being discovered or
accessed by a subject by positioning the data in a logical storage compartment that is not
accessible or seen by the subject.
Abstraction
Layering
Data Hiding
Encryption
Data Hiding
A ______ is typically useful for about a year and often prescribes and schedules the tasks necessary to accomplish organizational goals.
Strategic Plan
Operational Plan
Tactical plan
tactical plan
a short-term, highly detailed plan
Strategic Plan
Operational Plan
Tactical plan
Operational Plan
a long-term plan that is fairly stable. It defines the organization’s security purpose. It also helps to understand security function and align it to goals, mission, and objectives of the organization.
Strategic Plan
Operational Plan
Tactical plan
Strategic Plan
The disclosure of this data does not compromise confidentiality or
cause any noticeable damage.
Top Secret
Secret
Confidential
Unclassified
Unclassified
The unauthorized disclosure of this data will have significant effects and cause critical damage to national security.
Top Secret
Secret
Confidential
Unclassified
Secret
The unauthorized disclosure of top-secret
data will have drastic effects and cause grave damage to national security.
Top Secret
Secret
Confidential
Unclassified
Top Secret
Used for data of a private, sensitive, proprietary, or highly valuable nature.
The unauthorized disclosure of this data will have noticeable effects and cause serious damage to national security.
Top Secret
Secret
Confidential
Unclassified
Confidential
If this data is disclosed, it can have drastic effects on the competitive edge of an organization.
Confidential
Private
Sensitive
Public
Confidential
Its disclosure does not have a serious negative impact on the
organization.
Confidential
Private
Sensitive
Public
Public
data that is of a personal nature and intended for internal use only. A significant negative impact could occur for the company or individuals if this data is disclosed.
Confidential
Private
Sensitive
Public
Private
A negative impact could
occur for the company if sensitive data is disclosed.
Confidential
Private
Sensitive
Public
Sensitive
is responsible for reviewing and verifying that the security policy is
properly implemented and the derived security solutions are adequate.
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
Auditor
responsible for understanding and upholding the security policy of an
organization by following prescribed operational procedures and operating within defined
security parameters.
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
User
performs all activities necessary to provide adequate protection
for the CIA Triad (confidentiality, integrity, and availability) of data and to fulfill
the requirements and responsibilities delegated from upper management.
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
Data Custodian
the person who is responsible for classifying information for placement and protection within the security solution.
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
Data Owner
writing the security policy and implementing it.
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
Security Professional
the person who will be held liable for the overall success or failure of a security solution and is responsible for exercising due care and due
diligence in establishing security for an organization.
Senior Manager
Security Professional
Data Owner
Data Custodian
User
Auditor
Senior Manager
should broadly outline the security goals and practices
that should be employed to protect the organization’s vital interests.
Security Policies
This policy discusses
the rules that must be followed and outlines the procedures that should be
used to elicit compliance.
regulatory
advisory
informative
regulatory
______ policy discusses behaviors and activities that are
acceptable and defines consequences of violations. It explains senior management’s desires
for security and compliance within an organization.
regulatory
advisory
informative
advisory
______ policy is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners
and customers. An informative policy provides support, research, or background information
relevant to the specific elements of the overall policy.
regulatory
advisory
informative
informative
_____ define compulsory requirements for the homogeneous use of hardware, software, technology, and security controls.
Standards
Baselines
Guidelines
Standards
______ establishes a common foundational secure state on which all additional and more stringent
security measures can be built.
Standards
Baselines
Guidelines
Baselines
_____ offers recommendations on how standards and baselines are implemented and serves as an operational guide for both security professionals and users.
Standards
Baselines
Guidelines
Guidelines
______ is a detailed, step-by-step how-to document that describes the exact actions necessary to
implement a specific security mechanism, control, or solution.
Procedures
___________ is the security process where potential threats are identified, categorized,
and analyzed.
Threat Modeling
An attack with the goal of gaining access to a target system through the use
of a falsified identity.
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
Spoofing
Any action resulting in the unauthorized changes or manipulation of
data, whether in transit or in storage.
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
Tampering
The ability for a user or attacker to deny having performed an action or
activity.
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
Repudiation
can take advantage of system design and implementation
mistakes, such as failing to remove debugging code, leaving sample applications
and accounts, not sanitizing programming notes from client visible content (such as comments in HTML documents), using hidden form fields, or allowing overly detailed
error messages to be shown to users.
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
Information disclosure
attempts to prevent authorized use of a
resource.
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
Denial of service (DoS)
might be accomplished through a system or application exploit that temporarily or permanently grants additional powers to an otherwise limited account.
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
Elevation of privilege
The purpose of this task is to gain a greater understanding of the logic of the product as well as its interactions with external elements.
Reduction Analysis
Any location where the level of trust or security changes
Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
Trust Boundaries
The movement of data between locations
Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
Data Flow Paths
Locations where external input is received
Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
Input Points
Any activity that requires greater privileges than those of a standard user
account or process, typically required to make system changes or alter security
Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
Privileged Operations
The declaration of the security policy, security
foundations, and security assumptions
Trust Boundaries
Data Flow Paths
Input Points
Privileged Operations
Details about Security Stance and Approach
Details about Security Stance and Approach
Identifying Threats, three approaches:
Focused on Assets, Focused on Attackers, Focused on Software
Microsoft developed a threat categorization scheme known as STRIDE. STRIDE is often used in relation to assessing threats against applications or operating systems.
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service (DoS)
Elevation of privilege
The DREAD rating system is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat:
Damage potential—How severe is the damage likely to be if the threat is realized?
Reproducibility—How complicated is it for attackers to reproduce the exploit?
Exploitability—How hard is it to perform the attack?
Affected users—How many users are likely to be affected by the attack (as a percentage)?
Discoverability—How hard is it for an attacker to discover the weakness?