Chapter 1: Security Principles Flashcards

1
Q

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information.

A

Adequate Security

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. This type of controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.

A

Administrative Controls

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

The ability of computers and robots to simulate human intelligence and behavior.

A

Artificial Intelligence

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Anything of value that is owned by an organization. It includes both tangible items such as information systems and physical property and intangible property such as intellectual property.

A

Asset

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Access control process validating that the identity being claimed by a user or entity is known to the system, by comparing one (single-factor or SFA) or more (multi-factor authentication or MFA) factors of identification.

A

Authentication

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

The right or a permission that is granted to a system entity to access a system resource.

A

Authorization

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Ensuring timely and reliable access to and use of information by authorized users.

A

Availability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A documented, lowest level of security configuration allowed by a standard or organization.

A

Baseline

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.

A

Biometric

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities

A

Bot

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.

A

Classified or Sensitive Information

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.

A

Confidentiality

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.

A

Criticality

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

The property that data has not been altered in an unauthorized manner. It covers data in storage, during processing and while in transit. What is this concept?

A

Data Integrity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.

A

Encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.

A

General Data Protection Regulation (GDPR)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles and procedures the organization uses to make those decisions.

A

Governance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individual’s health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities.

A

Health Insurance Portability and Accountability Act (HIPAA)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.

A

Impact

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

The potential adverse impacts to an organization’s operations (including its mission, functions and image and reputation), assets, individuals, other organizations, and even the nation, which results from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.

A

Information Security Risk

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines. What does IEEE stand for?

A

Institute of Electrical and Electronics Engineers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose

A

Integrity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies. What does ISO stand for?

A

International Standards Organization

24
Q

The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus.

A

Internet Engineering Task Force (IETF)

25
Q

The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.

A

Likelihood

26
Q

A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.

A

Likelihood of Occurrence

27
Q

Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.

A

Multi-Factor Authentication

28
Q

The NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Divisions. What does NIST stand for?

A

National Institutes of Standards and Technology

29
Q

The inability to deny taking an action such as creating information, approving information and sending or receiving a message.

A

Non-repudiation

30
Q

The National Institute of Standards and Technology, known as NIST, in its Special Publication 800-122 defines it as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.” What is it?

A

Personally Identifiable Information (PII)

31
Q

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

A

Physical Controls

32
Q

The right of an individual to control the distribution of information about themselves.

A

Privacy

33
Q

The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.

A

Probability

34
Q

Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act). What is this information called?

A

Protected Health Information (PHI)

35
Q

A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high.

A

Qualitative Risk Analysis

36
Q

A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain.

A

Quantitative Risk Analysis

37
Q

A possible event which can have a negative impact upon the organization.

A

Risk

38
Q

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

A

Risk Acceptance

39
Q

The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.

A

Risk Assessment

40
Q

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

A

Risk Avoidance

41
Q

The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.

A

Risk Management

42
Q

A structured approach used to oversee and manage risk for an enterprise.

A

Risk Management Framework

43
Q

Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk.

A

Risk Mitigation

44
Q

The level of risk an entity is willing to assume in order to achieve a potential desired result. Risk threshold, risk appetite and acceptable risk are also terms used synonymously.

A

Risk Tolerance

45
Q

Paying an external party to accept the financial impact of a given risk.

A

Risk Transference

46
Q

The determination of the best way to address an identified risk.

A

Risk Treatment

47
Q

The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information.

A

Security Controls

48
Q

A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection.

A

Sensitivity

49
Q

Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested.

A

Single-Factor Authentication

50
Q

The condition an entity is in at a point in time.

A

State

51
Q

The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.

A

System Integrity

52
Q

Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

A

Technical Controls

53
Q

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

A

Threat

54
Q

An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.

A

Threat Actor

55
Q

The means by which a threat actor carries out their objectives.

A

Threat Vector

56
Q

A physical object a user possesses and controls that is used to authenticate the user’s identity.

A

Token

57
Q

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.

A

Vulnerability