Domain 1 - part 3 Flashcards
Controls implemented with or by automated or electronic systems: firewalls, electronic badge readers, access control lists. Routers are another example.
technical/logical controls
Controls implemented through a tangible mechanism: walls, fences, guards, locks. Physical control systems are often linked to technical/logical systems, such as badge readers connected to door locks.
Physical controls
Controls implemented through policy and procedure. Includes access control processes and requiring multiple people to conduct a specific operation. Often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for a new user that requires login and approval by the hiring manager.
Administrative controls
Often performed with automated tools that review the org's IT environment for known vulnerabilities, cataloging them and often sending alerts for any detection. This method detects only known vulnerabilities.
Vulnerability assessment
External; the person has no access, and it's not safe.
Simulates an external attack and tests the org's security defenses.
Penetration testing
financial fraud
COSO
Publishes the Risk IT framework, connecting risk management from a strategic perspective with risk-related IT management.
ISACA
SP 800-37 is extremely influential and important in how US federal government agencies address risk.
NIST
Both discuss risk from a holistic org perspective and specifically as it relates to IT security; also endorsed by the European Union Agency for Network and Information Security as a means of managing risk.
ISO risk framework
Standard 27001, ENISA
Created by Microsoft; a threat classification system used to inform software developers during the development process.
STRIDE
Threat where the attacker poses as an entity other than themselves, often as an authorized user.
Spoofing identity
Attacker attempts to modify the target data in an unauthorized way.
tampering with data
Attacker, as a participant in a transaction, can deny or conceal the attacker's participation in that transaction.
repudiation
Can include both inadvertent release of data (an authorized user gives it to the attacker accidentally) and malicious access to data, where the attacker gains unauthorized access.
information disclosure
An attack on the availability aspect of the CIA triad; creates a situation in the target where authorized users cannot get access to the system/app/data.
Denial of Service DoS
When an attacker not only gains access to the target but can attain a level of control with which to completely disable/destroy the entire target system.
elevation of privilege
Applicable list of security and privacy controls. One series is only required to be followed by federal agencies in the US. It can be applied to any kind of org, as the methods and concepts are universal.
ISO 27001/27002
Created by ISACA to maintain and document enterprise IT security functions for an org. Uses a governance and process perspective for resource management and is intended to address IT performance, security operations, risk management, and regulatory compliance.
COBIT
Can generally be rated according to three factors: impact, likelihood, and exposure
risk assessment
The damage/harm/seriousness caused if the risk is realized. Can be measured monetarily, as an effect on health and human safety, and/or by the criticality of the affected asset to the org. The BIA is an excellent tool for assessing impact.
impact
Probability, or the measure of the possibility that the risk will be realized. This is a form of prediction.
likelihood
Establishing the realistic potential for the org to face certain types of threats.
exposure
Typically split into two categories; candidates should understand these for the purpose of adhering to the CBK.
Risk analysis
Used when the org does not have sufficient time, budget, or personnel trained in this to put toward the effort. High-Med-Low.
Qualitative