Chapter 5 Review Flashcards
Chapter 5 Review
An information security program is a collection of activities used to achieve these 3 things with regard to risks
IDENTIFY, COMMUNICATE, and ADDRESS
The security program consists of controls, processes, and practices to increase the resilience of the computing environment and ensure that these 2 things are achieved effectively with regard to risks
KNOWN and HANDLED
This thing is a formal, written definition of the objectives of a program, its main timelines, the sources of funding, the names of its principal leaders and managers, and the business executives sponsoring the program
CHARTER
Information security programs include numerous business processes to fulfill the overall mission of this
INFORMATION and INFORMATION SYSTEMS PROTECTION
Information security program business processes fall into three major categories:
- R____ ; Concerns of the business and adherence to requirements
- A____ ; Design frameworks / the manner in which information systems are built
- O____ ; Day-to-day functions of the business
- RISK and COMPLIANCE
- ARCHITECTURE
- OPERATIONS
Modern information security includes essential business processes such as these 2 management activities, but overall it is also heavily involved in IT.
RISK and POLICY
Information security is heavily involved in this area of the business as its mission is the protection of all things IT.
INFORMATION TECHNOLOGY
(IT)
To scale with the power and speed of IT, information security has its own portfolio of 2 key technologies.
PROTECTIVE and DETECTIVE
These are the things of value that an organization protects in an information security program.
ASSETS
In a typical organization, assets will consist of these 2 things
INFORMATION and INFORMATION SYSTEMS
This process is an activity whereby an organization assigns an asset to a category representing usage or risk.
ASSET CLASSIFICATION
In an information security program, the purpose of asset classification is to determine this for each asset with regard to its context within the organisation
LEVEL OF CRITICALITY
Information classification is a process whereby different sets and collections of data in an organization are analyzed for these 4 properties:
- V____ ; The worth
- C____ ; The importance
- I____ ; Trustworthiness
- S____ ; Delicacy of the system
- VALUE
- CRITICALITY
- INTEGRITY
- SENSITIVITY
These levels of information, together with examples of the types of levels that fall into each category and with instructions on handling information at each level, form the heart of a typical information classification program.
Once an organization is satisfied that its information classification is in order, it can embark on this activity
SYSTEM CLASSIFICATION
Information systems can be classified according to various criteria within these 2 areas
SECURITY and OPERATIONAL
In some organizations, additional requirements are imposed on persons who have access to this sort of data
SENSITIVE INFORMATION
Whether this information consists of trade secrets, government secrets, or other information, organizations may be required to meet specific requirements such as more thorough or frequent background investigations.
A key part of a risk assessment is identifying this for each asset
VALUE
Risk analysis is more often done in this manner, whereby a numeric scale such as 1 to 5 is assigned
QUALITATIVE
Instead of assigning a dollar (or other currency) value to an asset, the value of an asset can be assigned on a low-medium-high scale or a numeric scale such as 1 to 5 or 1 to 10.
A process that is common in larger or more mature organizations that want to better understand the actual costs associated with loss events
QUANTITATIVE ASSET VALUATION
Many organizations opt to go beyond qualitative asset valuation and assign a dollar (or other currency) valuation to their assets. This is common in larger or more mature organizations that want to better understand the actual costs associated with loss events.
There are several types of frameworks in information security, and they are sometimes confused with one another. The types of framework include:
- C ____
- R ____ M ____
- A ____
- S ____ P ____ M ____
- CONTROL
- RISK MANAGEMENT
- ARCHITECTURE
- SECURITY PROGRAM MANAGEMENT
Standard control frameworks include:
- C ____ 2019
- ISO/IEC ____
- ISO/IEC ____
- H ____
- NIST SP 800- ____
- NIST SP 800- ____
- NIST ____
- CIS ____
- ETSI TR 103 ____
- P ____
- COBIT 2019
- ISO/IEC 20000
- ISO/IEC 27002
- HIPAA
- NIST SP 800-53
- NIST SP 800-171
- NIST CSF
- CIS CSC
- ETSI TR 103 305-1
- PCI DSS
Information security management frameworks are business process models that include these 2 essential things needed by most organizations.
PROCESSES and ACTIVITIES