Day1 12-21-2018 Flashcards
@27th March
Build a business case
- Justify the investment of time and money
- Balance security and business concerns
- Achieve confidentiality, integrity and availability goals
Florian receives a flyer from a federal agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?
The Code of Federal Regulations (CFR) is the codification of the general and permanent rules and regulations (sometimes called administrative law) published in the Federal Register by the executive departments and agencies of the federal government of the United States.
Trademark process
USPTO
Risk Acceptance
Risk Acceptance: Risk acceptance does not reduce any effects however it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.
Risk Avoidance
Risk Avoidance: Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. Risk avoidance is usually the most expensive of all risk mitigation options.
Risk Limitation
Risk Limitation: Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.
Risk Transference
Risk Transference: Risk transference is the practice of handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if the transferred risk is not within a core competency of that company. It can also be used so a company can focus more on its core competencies.
Cold Site
In simple language, cold sites are mere empty operational spaces with basic facilities such as raised floors, air conditioning, power and communication lines. When an incident occurs, and if operations can tolerate some downtime, alternate equipment is brought to the cold site and set up there to resume operations. A cold site is the least expensive type of backup site for an organization to operate.
Warm Site
A warm site is a compromise between hot and cold. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. Warm sites might have backups on hand, but they may not be complete and may be between several days and a week old. The recovery will be delayed while backup tapes are delivered to the warm site, or network connectivity is established and data is recovered from a remote backup site (Example: SAN.)
Hot Site
A hot site is a duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data. Real-time synchronization between the two sites may be used to completely mirror the data environment of the original site using wide area network links and specialized software. Following a disruption to the original site, the hot site exists so that the organization can relocate with minimal losses to normal operations in the shortest recovery time.
Which one of the following individuals would be the most effective organizational owner for an information security program?
CIO CISO
SOC 1 vs SOC 2
The Service Organization Control audit program includes business continuity controls in a SOC 2, but not in a SOC 1.
Which one of the following laws requires that communications service providers cooperate with law enforcement requests?
A. ECPA
B. CALEA
C. Privacy Act
D. HITECH Act
The Communications Assistance for Law Enforcement Act (CALEA) requires that all communications carriers make wiretaps possible for law enforcement officials who have an appropriate court order.
What principle of information security states that an organization should implement overlapping security controls whenever possible?
A. Least privilege
B. Separation of duties
C. Defense in depth
D. Security through obscurity
Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure.
Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?
A. Purchasing insurance
B. Encrypting the database contents
C. Removing the data
D. Objecting to the exception
Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.