Chapter 5 Review Flashcards
Chapter 5 Review
An information security program is a collection of activities used to perform these 3 activities with regard to risks
IDENTIFY, COMMUNICATE, and ADDRESS
The security program consists of controls, processes, and practices to increase the resilience of the computing environment and ensure that risks are effectively these 2 things
KNOWN and HANDLED
This thing is a formal, written definition of the objectives of a program, its main timelines, the sources of funding, the names of its principal leaders and managers, and the business executives sponsoring the program
CHARTER
Information security programs include numerous business processes to fulfill the overall mission of this
INFORMATION and INFORMATION SYSTEMS PROTECTION
Information security program business processes fall into three major categories:
- R____ ; Concerns to the business and adherence to requirements
- A____ ; Design frameworks/manner in which information systems are built
- O____ ; Day to day functions of the business
- RISK and COMPLIANCE
- ARCHITECTURE
- OPERATIONS
Modern information security includes essential business processes such as these 2 management activities, but overall it is also heavily involved in IT.
RISK and POLICY
Information security is heavily involved in this area of the business as its mission is the protection of all things IT.
INFORMATION TECHNOLOGY
(IT)
To scale with the power and speed of IT, information security has its own portfolio of 2 key technologies.
PROTECTIVE and DETECTIVE
These are the things of value that an organization protects in an information security program.
ASSETS
In a typical organization, assets will consist of these 2 things
INFORMATION and INFORMATION SYSTEMS
This process is an activity whereby an organization assigns an asset to a category representing usage or risk.
ASSET CLASSIFICATION
In an information security program, the purpose of asset classification is to determine this for each asset in the context of the organization
LEVEL OF CRITICALITY
Information classification is a process whereby these 4 different sets and collections of data in an organization are analyzed:
- V____ ; The worth
- C____ ; The importance
- I____ ; Trustworthiness
- S____ ; Delicacy of the system
- VALUE
- CRITICALITY
- INTEGRITY
- SENSITIVITY
These levels of information, together with examples of the types of information that fall into each category and with instructions on handling information at each level, form the heart of a typical information classification program.
Once an organization is satisfied that its information classification is in order, it can embark on this activity
SYSTEM CLASSIFICATION
Information systems can be classified according to various criteria within these 2 areas
SECURITY and OPERATIONAL
In some organizations, additional requirements are imposed on persons who have access to this sort of data
SENSITIVE INFORMATION
Whether this information consists of trade secrets, government secrets, or other information, organizations may be required to meet specific requirements such as more thorough or frequent background investigations.
A key part of a risk assessment is identifying this in regards to each asset
VALUE
Risk analysis is more often done in this manner, whereby a numeric scale such as 1 to 5 is assigned
QUALITATIVE
Instead of assigning a dollar (or other currency) value to an asset, the value of an asset can be assigned to a low-medium-high scale or a numeric scale such as 1 to 5 or 1 to 10
A process that is common in larger or more mature organizations that want to better understand the actual costs associated with loss events
QUANTITATIVE ASSET VALUATION
Many organizations opt to surpass qualitative asset valuation and assign a dollar (or other currency) valuation to their assets. This is common in larger or more mature organizations that want to better understand the actual costs associated with loss events
There are several types of frameworks in information security, and sometimes they are confused with one another. The types of framework include
- C ____
- R ____ M ____
- A ____
- S ____ P ____ M ____
- CONTROL
- RISK MANAGEMENT
- ARCHITECTURE
- SECURITY PROGRAM MANAGEMENT
Standard control frameworks include
- C ____ 2019
- ISO/IEC ____
- ISO/IEC ____
- H ____
- NIST SP 800- ____
- NIST SP 800- ____
- NIST ____
- CIS ____
- ETSI TR 103 ____
- P ____
- COBIT 2019
- ISO/IEC 20000
- ISO/IEC 27002
- HIPAA
- NIST SP 800-53
- NIST SP 800-171
- NIST CSF
- CIS CSC
- ETSI TR 103 305-1
- PCI DSS
Information security management frameworks are business process models that include these 2 essential things needed by most organizations.
PROCESSES and ACTIVITIES
Information security management frameworks are risk-centric because the identification of risk is a key driver for activities in other parts of the framework to reduce risk to acceptable levels. These frameworks include:
- ISO/IEC ____
- ISO/IEC ____
- C ____ 2019
- NIST SP 800- ____
- NIST ____
- ISO/IEC 27005
- ISO/IEC 31000
- COBIT 2019
- NIST SP 800-37
- NIST CSF
This is a business function and a technical model.
ENTERPRISE ARCHITECTURE
(EA)
In terms of a business function, establishing an Enterprise Architecture (EA) consists of activities that ensure that IT systems meet these.
BUSINESS NEEDS
Information security architecture can be thought of as a subset or special topic within Enterprise Architecture (EA) that is concerned with the protective characteristics found in many components in an overall EA and specific components in an EA that provide these 2 security functions
PREVENTIVE or DETECTIVE
These 4 Information security documents are the written artifacts that define the business and technical rules for information and information systems protection.
- POLICIES
- STANDARDS
- GUIDELINES
- PROCEDURES
Development of these is foundational to any organization’s information security program.
SECURITY POLICIES
Information security policy defines the principles and required actions for the organization to perform this activity properly with regard to assets and personnel.
PROTECT
These are nonbinding statements or narratives that provide additional direction to personnel regarding compliance with security policies, standards, and controls.
GUIDELINES
Information security departments often develop guidelines when they receive numerous inquiries for help understanding certain policies or have trouble understanding how to implement them.
These are formal statements describing the characteristics of a system to be changed, developed, or acquired.
REQUIREMENTS
Requirements should flow from, and align with, the structure and content of these 2 things
POLICIES and STANDARDS
Because of their use in systems and services development and acquisition, requirements should be published in a format that can be easily extracted for use in specific projects.
These 2 documents are the detailed, sequenced instructions to complete routine tasks.
PROCESSES and PROCEDURES
This document is a collection of one or more procedures that together fulfill a higher purpose
PROCESS
This document is a written set of instructions for a single task
PROCEDURE
This is a measurement of a periodic and ongoing activity that intends to help the organization understand the activity within the context of overall business operations.
METRIC
Metrics are the means through which management can measure these and know whether their strategies are working
KEY PROCESSES
A formal metrics program provides these 2 sets of data on the effectiveness of many elements of an organization’s security program and operations.
QUALITATIVE and QUANTITATIVE
Metrics can be developed via the SMART method:
- S ____
- M ____
- A ____
- R ____
- T ____
- SPECIFIC
- MEASURABLE
- ATTAINABLE
- RELEVANT
- TIMELY
Metrics must align with these 3 things in regards to the organization
MISSION, STRATEGY, and OBJECTIVES
Some metrics can be used to report on results in the recent past, and some metrics serve as this, prompting a call to action by the leadership team when the metrics show a changing trend ahead.
LEADING INDICATORS
A common shortcoming of a metrics program is its failure to provide this for various audiences.
RELEVANT METRICS
As an organization develops its metrics program, it must take care to develop metrics that matter for each audience.
This can depict the high-level effectiveness of an organization’s security program
SECURITY BALANCED SCORECARD
This is a measure of how well a process is progressing according to expectations.
KEY PERFORMANCE INDICATOR
(KPI)
This is a measure that determines how well the process is performing in enabling a goal to be reached
KEY PERFORMANCE INDICATOR
(KPI)
This is a measure of information risk and used to reveal trends related to levels of risk
KEY RISK INDICATOR
(KRI)
This is the most common protocol used to ensure confidentiality of transmissions, for example, in a business-to-customer financial web application
SECURE SOCKETS LAYER
(SSL)
This is a cryptographic protocol that provides secure communications by providing endpoint authentication and communications privacy over the internet
SECURE SOCKETS LAYER
(SSL)
This is a program that can give an attacker full control over an infected computer, allowing them to hijack, copy or alter information after authentication by a user
TROJAN
This process uses a mathematical algorithm to ensure data has not been changed
HASHING
This is a technique used to hide messages in another file, e.g., a message within a JPEG
STEGANOGRAPHIC
The development of an information security program will begin after these have been defined
REQUIRED OUTCOMES
These documents require the most effort for reviewing and modifying when supporting an operational information security program as they are designed at a more granular level
PROCEDURES
When an information security program is operational, few changes to policies or standards will be needed. Procedures, however, are designed at a more granular level and will require reasonably frequent modification. Because procedures are more detailed and can be technology specific, there are generally far more procedures than standards or policies. Consequently, review and modification of procedures will consume the majority of effort
This document sets the allowable boundaries for technologies, procedures and practices. It is therefore the most appropriate control to address compliance with specific regulatory requirements
STANDARDS
Standards set the allowable boundaries for technologies, procedures and practices and thus are the appropriate documentation to define compliance requirements.
Policies are developed in response to these, which exist against the organization
PERCEIVED THREATS
Policies are developed in response to perceived threats. If there is no perceived threat, there is no need for a policy. A threat is defined as anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm