Course 5: Assets, Threats, and Vulnerabilities Flashcards
What is the definition of risk?
Def: anything that can impact the confidentiality, integrity, or availability of an asset.
True or False: Risk is the same for every organization
False: Risk differs by organization
Interpret risk by:
Effects and Events: interpret risk by considering the potential effects that negative events can have on a business
What is the formula for calculating risk?
Likelihood x Impact = Risk
Name 4 reasons why we calculate risk in this field
-Prevent costly and disruptive events
-Identify improvements that can be made to systems and processes
-Determine which risks can be tolerated
-Prioritize the critical assets that require attention
What are the 3 risk categories?
-Damage
-Disclosure
-Loss of information
What 5 questions should you ask to determine impact in a risk calculation?
-How would the business be affected?
-What’s the financial harm to the business and its customers?
-Can important operations or services be impacted?
-Are there regulations that can be violated?
-What is the reputational damage to the company’s standing?
What 3 questions should you ask to determine likelihood in a risk calculation?
-Could the risk happen once a day?
-Could the risk happen once a month?
-Could the risk happen once in a year?
What is the definition of an asset?
Def: an item perceived as having value to an organization
Give 4 examples of an asset
-buildings
-equipment
-data
-people
What is the definition of a threat?
Def: any circumstance or event that can negatively impact assets
What are the two types of threats?
- intentional - ex. a malicious hacker who gains access to sensitive information by targeting a misconfigured application
- unintentional - ex. an employee who holds the door open for an unknown person and grants them access to a restricted area
What is a vulnerability?
Def: a weakness that can be exploited by a threat; a flaw within an asset (analogy: a weak lock on a front door)
What are the 2 categories of vulnerabilities?
-technical - ex. misconfigured software that might give an unauthorized person access to important data
-human - ex. a forgetful employee who loses their access card in a parking lot
What is the definition of asset management?
Def: The process of tracking assets and the risks that affect them
True or False: You can only protect the things you account for
True
What is the definition of Asset Inventory?
Def: A catalog of assets that need to be protected
What is the definition of Asset Classification?
Def: The practice of labeling assets based on sensitivity and importance to an organization
Asset classification determines whether an asset can be ____, ____, or ____
disclosed, altered, or destroyed
True or False: information can have multiple classification values at the same time
True
What are the 4 levels of asset classification?
Public, Internal-only, Confidential, and Restricted
Describe the public level of asset classification
- Lowest level
- Can be shared with anyone
- No negative consequences if released
Describe the internal-only level of asset classification
- Second level
- Asset can be shared with anyone within the organization (i.e. employees and business partners)
Describe the confidential level of asset classification
- Third level
- Asset should only be accessed by those working on a specific project.
- Disclosure may lead to a significant negative impact
Describe the restricted level of asset classification
- Fourth and highest level
- Asset is highly sensitive and must be protected.
- Need-to-know information (e.g. intellectual property, health/payment information)
What are the 4 things you must know to determine the sensitivity and importance of an asset?
- What you have
- Where it is
- Who owns it
- How important it is
What are four different kinds of assets?
- Digital Assets
- Information Systems that process data
- Physical Assets
- Intangible Assets
Give an example of a digital asset
customer data or financial records
Give an example of an information system that processes data
network or software
Give an example of a physical asset
facilities, equipment, or supplies
Give an example of an intangible asset
brand reputation or intellectual property
What is the definition of Data?
Def: information that is translated, processed, or stored by a computer
What are the 3 states of data?
- In use
- In transit
- At rest
Describe data that is in the state of “in use”
It is data being accessed by one or more users
Describe data that is “in transit”
It is data traveling from one point to another
Describe data that is “at rest”
It is data not currently being accessed
What is the definition of Information Security (InfoSec)?
Def: the practice of keeping data in all states away from unauthorized users.
What are the 3 cloud-based services?
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
What is Software as a Service (SaaS)?
front-end applications that users access via a web browser. The service providers host, manage, and maintain all of the back-end systems for those applications.