D1. Security and Risk Management Flashcards
Refers to the process and methodologies involved in safeguarding information and underlying systems from inappropriate access, use, modifications, or disturbance.
What is Information security?
What are the three principles forming the pillars of information security?
What is the CIA Triad (Confidentiality, Integrity, and Availability)?
This is the concept of limiting access to data to authorized users and systems and restricting access from unauthorized parties.
What is Confidentiality?
Confidentiality is closely related to this security best practice.
What is least privilege? (Asserts that access to information should be granted only on a need-to-know basis.)
This is the concept of maintaining the accuracy, validity, and completeness of data and systems.
What is Integrity?
These two concepts are closely related to Integrity.
What are Authenticity and Non-repudiation?
Refers to ensuring the data is genuine and that all parties are who they say they are.
What is Authenticity?
This concept requires ensuring that no party is able to deny their actions (e.g., creating, modifying, or deleting data).
What is Non-repudiation?
The most common mechanism used to establish authenticity and non-repudiation in information security.
What are digital signatures?
This concept is focused on ensuring that authorized users can access data when they need it.
What is Availability?
Concepts to be considered alongside Availability include:
What are accessibility (the ability or ease with which a user can use a resource or access data when needed), usability (the ability of a user to meet their needs with the available data), and timeliness (the time expectation for availability of information and resources; the measure of the time between when information is expected and when it is available for use)?
What are some mechanisms that can help prevent disruption of system and information availability?
Data backups, redundant storage, backup power supplies, and web application firewalls (WAFs).
This National Institute of Standards and Technology (NIST) Special Publication included the CIA Triad as three of its five security objectives.
What is NIST SP 800-33, “Underlying Technical Models for Information Technology Security”? The two additional objectives were accountability and assurance.
The property that the actions of an entity may be traced uniquely to that entity is termed?
What is Accountability?
The basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information it processes, is termed?
What is Assurance?
This is the right of human individuals to control the distribution of information about themselves.
What is Privacy?
This is a set of responsibilities, policies, and procedures related to defining, managing, and overseeing security practices at an organization.
What is Security governance?
Applying security governance principles involves:
- Aligning the organization’s security function to the company’s business strategy, mission, goals, and objectives.
- Defining and managing organizational processes that require security involvement or oversight.
- Developing security roles and responsibilities throughout the organization.
- Identifying one or more security control frameworks to align your organization with.
- Conducting due diligence and due care activities on an ongoing basis.
This is a simple declaration that defines a company’s function and purpose, and summarizes what the company is, what it does, and why the company exists to do those things.
What is a mission statement?
Describes the action that a company takes to achieve its goals and objectives.
What is a business strategy?
This is something that an organization expects to achieve or accomplish.
What is a business goal?
This is a milestone or a specific step that contributes to an organization reaching its goal and achieving its mission.
What is an objective?
A group of executives and leaders who regularly meet to set the direction of the company’s security function and provide guidance to help the security function align with the company’s overall mission and business strategy.
What is the governance committee?
This is the combining of two separate organizations that creates a new, joint organization.
What is a merger?
This is a takeover of one organization by another.
What is an acquisition?
Any person who accesses or handles an organization’s information systems and data.
What is a user or end user?
A technical, operational, or management safeguard used to prevent, detect, minimize, or counteract security threats.
What is a security control?
(ISC)² defines this as a notional construct outlining the organization’s approach to security, including a list of the specific security processes, procedures, and solutions used by the organization.
What is a security control framework?
System-based safeguards and countermeasures, such as firewalls, IDS/IPS, and data loss prevention (DLP).
What are technical controls?
Safeguards and countermeasures that are primarily implemented and executed by people (as opposed to systems); security guards are a common example.
What are operational controls?
Includes policies, procedures, and other countermeasures that control (or manage) the information security risk.
What are management (also referred to as administrative) controls?
Legal term used to describe the conduct that a reasonable person would exercise in a given situation.
What is due care?
Adherence to a mandate; it includes the set of activities that an organization conducts to understand and satisfy all applicable laws, regulatory requirements, industry standards, and contractual agreements.
What is compliance?
A legal concept that establishes the official power to make legal decisions and judgments.
What is jurisdiction?
Auditing framework that gives organizations the flexibility to be audited based on their own needs.
What is SOC (System and Organization Controls)?
An audit and compliance report that focuses strictly on a company’s financial statements and controls that can impact a customer’s financial statements.
What is SOC (System and Organization Controls) 1?
What are the five “Trust Services Principles” of the AICPA (American Institute of Certified Public Accountants)?
Privacy
Security
Availability
Processing Integrity
Confidentiality
An audit and compliance report that evaluates an organization based on the AICPA Trust Services Principles.
What is SOC (System and Organization Controls) 2?
This is a lighter version of a SOC 2 report that does not disclose specifics; it abstracts or removes all sensitive details.
What is SOC 3?
Any criminal activity that directly involves computers or the internet.
What are cybercrimes?
A specific cybercrime in which information is accessed or stolen by a cybercriminal without authorization.
What is a data breach?