Chapter 5 - Describing Information Security Concepts Flashcards
What is the concept that guarantees only authorized users can view sensitive information?
Confidentiality
The concept that guarantees only authorized subjects can change sensitive information and may also guarantee authenticity of data.
Integrity
The concept that guarantees uninterrupted access by authorized users to important computing resources and data.
Availability
Information that can be used on its own, or combined with other information, to identify, contact, or locate a single person.
Personally Identifiable Information (PII)
Any information about health status, provision of health care, or payment of health care that can be linked to a specific individual.
Personal Health Information (PHI)
A function of the likelihood of a given threat source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
Risk
Either an intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally trigger a vulnerability.
Threat Source
The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Threat
A weakness that makes a resource susceptible to a threat.
Vulnerability
The resulting damage to the organization that is caused by a threat.
Impact
A network attack in which an unauthorized person gains access to a network and stays there undetected for a long time period.
Advanced Persistent Threat (APT)
A risk option chosen when the cost of the other risk management options may outweigh the cost of the risk itself.
Risk Acceptance
A risk option that avoids any exposure to the risk.
Risk Avoidance
A risk option where a company’s risk exposure is limited by taking some action.
Risk Limitation
A risk option in which the risk is transferred to a willing third party.
Risk Transfer
A risk assessment approach that involves trying to map a dollar amount to each specific risk.
Quantitative approach
A risk assessment approach that involves assigning a risk level, such as low, medium, or high to each risk.
Qualitative approach
In the context of information security, a defect in software or hardware.
Vulnerability
The open framework for communicating the characteristics and severity of software vulnerabilities.
CVSS
Access control model that secures information by assigning sensitivity labels to information and comparing them to the user's operating sensitivity level.
Mandatory Access Control
Access control model that uses an ACL to decide which users or groups have access to the information.
Discretionary Access Control
Access control model that is based on an individual’s roles and responsibilities within the organization (RBAC).
Non-Discretionary Access Control
Name the three types of Security Operations Centers.
Threat-centric - actively looks for threats on the network
Compliance-based - focuses on security posture as it relates to compliance testing
Operational-based - focuses on maintaining operational integrity and functionality
Risk is a function of what three factors?
Threat, Vulnerability, and Impact