Chapter 5: Prevention and Risk Management Flashcards
Information Security Management System (ISMS)
Organizational internal control process that ensures the following three objectives in relation to data and information within the organization: integrity, confidentiality, and availability.
ISMS Security Objectives
Confidentiality
Integrity
Availability
Confidentiality
This concept involves ensuring that data and information are made available only to authorized persons.
Integrity
- Accuracy means inputting the correct data into the system and then processing it as intended, without errors.
- Completeness ensures that no unauthorized additions, removals, or modifications are made to data that has been inputted into the system.
Availability
This concept involves ensuring that data and information are available when and where they are needed.
Implementing ISMSs: Plan Phase
- Initiating the project
- Defining the scope of the ISMS
- Establishing an ISMS policy
- Performing a risk assessment
- Selecting risk treatments
- Selecting control objectives
- Producing a statement of applicability
General categories of assets at risk:
- Human resources
- Information
- Documents
- Software
- Physical equipment
- Services
- Company image and reputation
What are the four security classifications?
Unclassified, Shared, Company only, Confidential
Unclassified
Unrestricted assets; the asset is available to the public.
Shared
Restricted access to specific groups of individuals including organizational insiders and outsiders.
Company only
Restricted access to organizational insiders.
Confidential
Restricted access to a specific list of individuals.
Active Threat
Potential intentional attack on the information system.
Active Threat Examples
- Input manipulation (most common source of fraud)
- Direct file alteration (bypass normal software)
- Program alteration (requires sophistication)
- Data theft (hard to detect and prove)
- Sabotage (disgruntled employees)
- Misappropriation of information system resources
Information security assurance (ISA)
Refers to some type of evidence-based assertion that increases the certainty that a security-related deliverable can withstand specified security threats.
Target of evaluation (TOE)
Performing assurance activities that satisfy a predefined security target or security protection profile.
Target of evaluation (TOE)
This is the information security deliverable, the object for which assurances are made.
Assurance activities
These activities depend on the method of assessment. Various methods of assessment are discussed later.
Security target (ST)
This is the set of security specifications and requirements used to evaluate the target of evaluation.
Security protection profile (SPP)
Similar to a security target, but much broader in scope. Unlike an ST, an SPP does not apply to any one particular deliverable but represents the security needs of a given individual or group of individuals.