Chapter 5 Review Flashcards

1
Q

An information security program is a collection of activities used to achieve these 3 activities with regard to risks

A

IDENTIFY, COMMUNICATE, and ADDRESS

2
Q

The security program consists of controls, processes, and practices that increase the resilience of the computing environment and ensure that risks are effectively these 2 things

A

KNOWN and HANDLED

3
Q

This thing is a formal, written definition of the objectives of a program, its main timelines, the sources of funding, the names of its principal leaders and managers, and the business executives sponsoring the program

A

CHARTER

4
Q

Information security programs include numerous business processes to fulfill the overall mission of this

A

INFORMATION and INFORMATION SYSTEMS PROTECTION

5
Q

Information security program business processes fall into three major categories:

  1. R____ ; Concerns to the business and adherence to requirements
  2. A____ ; Design frameworks and the manner in which information systems are built
  3. O____ ; Day-to-day functions of the business
A
  1. RISK and COMPLIANCE
  2. ARCHITECTURE
  3. OPERATIONS
6
Q

Modern information security includes essential business processes such as these 2 management activities, but overall it is also heavily involved in IT.

A

RISK and POLICY

7
Q

Information security is heavily involved in this area of the business, as its mission is the protection of all things IT.

A

INFORMATION TECHNOLOGY
(IT)

8
Q

To scale with the power and speed of IT, information security has its own portfolio of 2 key technologies.

A

PROTECTIVE and DETECTIVE

9
Q

These are the things of value that an organization protects in an information security program.

A

ASSETS

10
Q

In a typical organization, assets will consist of these 2 things

A

INFORMATION and INFORMATION SYSTEMS

11
Q

This process is an activity whereby an organization assigns an asset to a category representing usage or risk.

A

ASSET CLASSIFICATION

12
Q

In an information security program, the purpose of asset classification is to determine this for each asset in the context of the organization

A

LEVEL OF CRITICALITY

13
Q

Information classification is a process whereby the different sets and collections of data in an organization are analyzed according to these 4 attributes:

  1. V____ ; The worth
  2. C____ ; The importance
  3. I____ ; Trustworthiness
  4. S____ ; Delicacy of the system
A
  1. VALUE
  2. CRITICALITY
  3. INTEGRITY
  4. SENSITIVITY

These levels of information, together with examples of the types of information that fall into each level and instructions on handling information at each level, form the heart of a typical information classification program.

14
Q

Once an organization is satisfied that its information classification is in order, it can embark on this activity

A

SYSTEM CLASSIFICATION

15
Q

Information systems can be classified according to various criteria within these 2 areas

A

SECURITY and OPERATIONAL

16
Q

In some organizations, additional requirements are imposed on persons who have access to this sort of data

A

SENSITIVE INFORMATION

Whether this information consists of trade secrets, government secrets, or other information, organizations may be required to meet specific requirements such as more thorough or frequent background investigations.

17
Q

A key part of a risk assessment is identifying this for each asset

A

VALUE

18
Q

Risk analysis is more often done in this manner, whereby a numeric scale such as 1 to 5 is assigned

A

QUALITATIVE

Instead of assigning a dollar (or other currency) value to an asset, the value of an asset can be assigned to a low-medium-high scale or a numeric scale such as 1 to 5 or 1 to 10

19
Q

This process is common in larger or more mature organizations that want to better understand the actual costs associated with loss events

A

QUANTITATIVE ASSET VALUATION

Many organizations opt to surpass qualitative asset valuation and assign a dollar (or other currency) valuation to their assets. This is common in larger or more mature organizations that want to better understand the actual costs associated with loss events

20
Q

There are several types of frameworks in information security, and they are sometimes confused with one another. The types of framework include:

  1. C ____
  2. R ____ M ____
  3. A ____
  4. S ____ P ____ M ____
A
  1. CONTROL
  2. RISK MANAGEMENT
  3. ARCHITECTURE
  4. SECURITY PROGRAM MANAGEMENT
21
Q

Standard control frameworks include

  1. C ____ 2019
  2. ISO/IEC ____
  3. ISO/IEC ____
  4. H ____
  5. NIST SP 800- ____
  6. NIST SP 800- ____
  7. NIST ____
  8. CIS ____
  9. ETSI TR 103 ____
  10. P ____
A
  1. COBIT 2019
  2. ISO/IEC 20000
  3. ISO/IEC 27002
  4. HIPAA
  5. NIST SP 800-53
  6. NIST SP 800-171
  7. NIST CSF
  8. CIS CSC
  9. ETSI TR 103 305-1
  10. PCI DSS
22
Q

Information security management frameworks are business process models that include these 2 essential things needed by most organizations.

A

PROCESSES and ACTIVITIES

23
Q

Information security management frameworks are risk-centric because the identification of risk is a key driver for activities in other parts of the framework to reduce risk to acceptable levels. These frameworks include:

  1. ISO/IEC ____
  2. ISO/IEC ____
  3. C ____ 2019
  4. NIST SP 800- ____
  5. NIST ____
A
  1. ISO/IEC 27005
  2. ISO/IEC 31000
  3. COBIT 2019
  4. NIST SP 800-37
  5. NIST CSF
24
Q

This is a business function and a technical model.

A

ENTERPRISE ARCHITECTURE
(EA)

25
Q

In terms of a business function, establishing an Enterprise Architecture (EA) consists of activities that ensure that IT systems meet these.

A

BUSINESS NEEDS

26
Q

Information security architecture can be thought of as a subset or special topic within Enterprise Architecture (EA) that is concerned with the protective characteristics found in many components in an overall EA and specific components in an EA that provide these 2 security functions

A

PREVENTIVE or DETECTIVE

27
Q

These 4 Information security documents are the written artifacts that define the business and technical rules for information and information systems protection.

A
  1. POLICIES
  2. STANDARDS
  3. GUIDELINES
  4. PROCEDURES
28
Q

Development of these is foundational to any organization’s information security program.

A

SECURITY POLICIES

29
Q

Information security policy defines the principles and required actions for the organization to properly perform this activity with regard to assets and personnel.

A

PROTECT

30
Q

These are nonbinding statements or narratives that provide additional direction to personnel regarding compliance with security policies, standards, and controls.

A

GUIDELINES

Information security departments often develop guidelines when they receive numerous inquiries for help understanding certain policies or have trouble understanding how to implement them.

31
Q

These are formal statements describing the characteristics of a system to be changed, developed, or acquired.

A

REQUIREMENTS

32
Q

Requirements should flow from, and align with, the structure and content of these 2 things

A

POLICIES and STANDARDS

Because of their use in systems and services development and acquisition, requirements should be published in a format that can be easily extracted for use in specific projects.

33
Q

These 2 documents are the detailed, sequenced instructions to complete routine tasks.

A

PROCESSES and PROCEDURES

34
Q

This document is a collection of one or more procedures that together fulfill a higher purpose

A

PROCESS

35
Q

This document is a written set of instructions for a single task

A

PROCEDURE

36
Q

This is a measurement of a periodic and ongoing activity that intends to help the organization understand the activity within the context of overall business operations.

A

METRIC

37
Q

Metrics are the means through which management can measure these and know whether its strategies are working

A

KEY PROCESSES

38
Q

A formal metrics program provides these 2 sets of data on the effectiveness of many elements of an organization’s security program and operations.

A

QUALITATIVE and QUANTITATIVE

39
Q

Metrics can be developed via the SMART method:

  1. S ____
  2. M ____
  3. A ____
  4. R ____
  5. T ____
A
  1. SPECIFIC
  2. MEASURABLE
  3. ATTAINABLE
  4. RELEVANT
  5. TIMELY
40
Q

Metrics must align with these 3 things of the organization

A

MISSION, STRATEGY, and OBJECTIVES

41
Q

Some metrics can be used to report on results in the recent past, and some metrics serve as this, prompting a call to action by the leadership team when they show a changing trend.

A

LEADING INDICATORS

42
Q

A common shortcoming of a metrics program is its failure to provide this for various audiences.

A

RELEVANT METRICS

As an organization develops its metrics program, it must take care to develop metrics that matter for each audience.

43
Q

This can depict the high-level effectiveness of an organization’s security program

A

SECURITY BALANCED SCORECARD

44
Q

This is a measure of how well a process is progressing according to expectations.

A

KEY PERFORMANCE INDICATOR
(KPI)

45
Q

This is a measure that determines how well a process is performing in enabling a goal to be reached

A

KEY PERFORMANCE INDICATOR
(KPI)

46
Q

This is a measure of information risk, used to reveal trends related to levels of risk

A

KEY RISK INDICATOR
(KRI)

47
Q

This is the most common protocol used to ensure confidentiality of transmissions, for example in a business-to-customer financial web application

A

SECURE SOCKET LAYER
(SSL)

48
Q

This is a cryptographic protocol that provides secure communications by providing endpoint authentication and communications privacy over the Internet

A

SECURE SOCKET LAYER
(SSL)

49
Q

This is a program that can give an attacker full control over an infected computer, allowing them to hijack, copy, or alter information after a user has authenticated

A

TROJAN

50
Q

This process uses a mathematical algorithm to ensure data has not been changed

A

HASHING

51
Q

This is a technique used to hide messages in another file, e.g., a message within a JPEG

A

STEGANOGRAPHIC

52
Q

The development of an information security program will begin after these have been defined

A

REQUIRED OUTCOMES

53
Q

These documents require the most effort to review and modify when supporting an operational information security program, as they are designed at a more granular level

A

PROCEDURES

When an information security program is operational, few changes to policies or standards will be needed. Procedures, however, are designed at a more granular level and will require reasonably frequent modification. Because procedures are more detailed and can be technology specific, there are generally far more procedures than standards or policies. Consequently, review and modification of procedures will consume the majority of effort.

54
Q

This document sets the allowable boundaries for technologies, procedures and practices. It is therefore the most appropriate control to address compliance with specific regulatory requirements

A

STANDARDS

Standards set the allowable boundaries for technologies, procedures and practices and thus are the appropriate documentation to define compliance requirements.

55
Q

Policies are developed in response to these, which exist against the organization

A

PERCEIVED THREATS

Policies are developed in response to perceived threats. If there is no perceived threat, there is no need for a policy. A threat is defined as anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.