Domain 1: Security and Risk Management Flashcards

1
Audit/Auditing
The tools, processes, and activities used to perform compliance reviews.
2
Availability
Ensuring timely and reliable access to and use of information by authorized users. sy. 7 | Usability, Accessibility, Timeliness
3
Business Continuity (BC)
Actions, processes, and tools for ensuring an organization can continue critical operations during a contingency. | The business... continues
4
Business impact analysis (BIA)
An analysis that identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. Aka business impact analysis (BIA).
5
Compliance
Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.
6
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. sy. 5 | What is meant to be secret stays secret
7
Data subject
The individual human related to a set of personal data. | The subject of the data
8
Disaster recovery (DR)
Those tasks and activities required to bring an organization back from contingency operations and reinstate regular operations.
9
Due care
A legal concept pertaining to the duty owed by a provider to a customer. | Practicing the individual activities that maintain the due diligence effort.
10
Due diligence
Actions taken by a vendor to demonstrate/provide due care. | Establishing a plan, policy, and process to protect the interests of an organization.
11
Governance
The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as the policies, roles, and procedures the organization uses to make those decisions.
12
Governance committee
A formal body of personnel who determine how decisions will be made within the organization and the entity that can approve changes and exceptions to current relevant governance.
13
Guidelines
Suggested practices and expectations of activity to best accomplish tasks and attain goals.
14
Integrity
Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. sy. 5 | Reliability and correctness
15
Intellectual Property
Intangible assets (notably, includes software and data).
16
Maximum allowable downtime (MAD)
The measure of how long an organization can survive an interruption of critical functions. [Also known as maximum tolerable downtime (MTD).] | Our maximum allowable destruction
17
Personally Identifiable Information (PII)
Any data about a human being that could be used to identify that person.
18
Policy
Documents published and promulgated by senior management dictating and describing the organization's strategic goals. | Less granular; intention towards security
19
Privacy
The right of a human individual to control the distribution of information about themselves.
20
Procedures
Explicit, repeatable activities to accomplish a specific task. Procedures can address one-time or infrequent actions or common, regular occurrences.
21
Recovery time objective (RTO)
The target time set for recovering from any interruption.
22
Residual Risk
The risk remaining after security controls have been put in place as a means of risk mitigation. | Risk that remains
23
Risk
The possibility of damage or harm and the likelihood that damage or harm will be realized.
24
Risk Acceptance
Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.
25
Risk avoidance
Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination. | Avoid risk by NOT doing it; it's not worth it
26
Risk mitigation
Putting security controls in place to attenuate the possible impact or likelihood, or both, of a specific risk.
27
Risk transference
Paying an external party to accept the financial impact of a given risk.
28
Security control framework
A notional construct outlining the organization's approach to security, including a list of specific security processes, procedures, and solutions used by the organization. | Security solution and management method connected.
29
Security governance
The entirety of the policies, roles, and processes the organization uses to make security decisions in an organization.
30
Standards
Specific mandates explicitly stating expectations of performance or conformance.
31
Sensitivity
Refers to the quality of information that could cause harm or damage if disclosed. sy. 5
32
Discretion
The act of decision where an operator can influence or control disclosure in order to minimize harm or damage. sy. 5
33
Criticality
The level to which information is mission critical is its measure of criticality. sy. 5
34
Concealment
The act of hiding or preventing disclosure. sy. 5
35
Secrecy
The act of keeping something a secret or preventing the disclosure of information. sy. 5
36
Privacy
Refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed. sy. 5
37
Seclusion
Involves storing something in an out-of-the-way location, likely with strict access control. sy. 5
38
Isolation
Keeping something separated from others. sy. 5
39
DAD Triad
Disclosure, Alteration, and Destruction sy. 8
40
Authenticity
Security concept that data is authentic or genuine and originates from its alleged source. sy. 8
41
Nonrepudiation
Ensures that the subject of an activity, or whoever caused an event, cannot deny that the event occurred. sy. 8
42
Identification
A subject must perform identification to start the process of authentication, authorization, and accountability. sy. 9
43
Authorization
Ensures that the requested activity or access to an object is possible given the rights and privileges assigned to the authenticated identity. sy. 10
44
Defense in depth
Layering: multiple controls in a series. sy. 11
45
Abstraction
For efficiency, similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective. sy. 12 | Object-oriented programming
46
Data hiding
Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible to or seen by the subject. sy. 12 | Can't see or access the data; steganography
47
Security Boundary
The line of intersection between any two areas, subnets, or environments that have different security needs or requirements. Policy should state where one control ends and another begins. sy. 13
48
Third-Party Governance
The system of external entity oversight that may be mandated by law, regulation, industry standards, contractual obligation, or licensing requirements. | Verify compliance; know an org's requirements to fulfill
49
Documentation review
The process of reading the exchanged materials and verifying them against standards and expectations. sy. 15
50
Security management planning ensures proper creation, implementation, and enforcement of a ______.
Security policy. sy. 17
51
A _____ ____ is usually a documented argument or stated position in order to define a need to make a decision to take some form of action.
Business case. sy. 17
52
The best security plan is useless without one key factor _____.
Senior management approval: understanding the risks and exposures for which the security policy is deployed. sy. 18
53
Developing a security policy is evidence of ____ and ____.
Due diligence and due care; without either, senior management can be held liable for negligence and accountable for asset and financial loss. sy. 18
54
Strategic Plan
Long-term plan that is fairly stable. sy. 18
55
Tactical Plan
Midterm plan developed to provide more details on accomplishing the goals set forth in the strategic plan. sy. 18
56
Operational Plan
Short-term, highly detailed plan based on the strategic and tactical plans. sy. 19
57
Service Level requirement (SLR)
A statement of the expectations of service and performance from the product or service of a vendor. sy. 20
58
Asset Owner
The person who is responsible for classifying information for placement and protection within the security solution. sy. 21
59
Data custodian
The user who is responsible for the tasks of implementing the prescribed protections defined by the security policy and senior management. sy. 21 | Custodians clean data and lock the doors at the end of the day
60
Control Objectives for Information and Related Technologies (COBIT)
Documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). sy. 22 | Controls orbit our technologies. Principles: Provide Stakeholder Value; Holistic Approach; Dynamic Governance System; Governance Distinct from Management; Tailored to Enterprise Needs; End-to-End Governance System
61
NIST 800-53 v5
Security and Privacy Controls for Information Systems and Organizations. Government-sourced general recommendations for security. sy. 22
62
NIST Risk Management Framework (RMF) | and its 5 functions
U.S. government guide for establishing and maintaining security crafted by the National Institute of Standards and Technology (NIST) that establishes mandatory requirements for federal agencies. Aka NIST Risk Management Framework (RMF). Identify, Protect, Detect, Respond, and Recover.
63
NIST Cybersecurity Framework (CSF) | + Five Stages
U.S. government guide for establishing and maintaining security crafted by the National Institute of Standards and Technology (NIST), which is designed for critical infrastructure and commercial organizations. Aka NIST Cybersecurity Framework (CSF). Identify, Protect, Detect, Respond, and Recover.
64
International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27000
International standard that can be the basis of implementing organizational security and related management practices.
65
Operational Security
The continued maintenance of due care and due diligence.
66
Standards
Compulsory requirements for the homogenous use of hardware, software, technology, and security controls. | Standards are REQUIRED to be followed for use
67
Baseline
Minimum level of security that every system throughout the organization must meet. sy. 25
68
Guideline
Recommendations on how standards and baselines are implemented; serves as an operational guide for security professionals and users. sy. 25
69
Procedures
Detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security control, mechanism, or solution. sy. 25
70
Threat Modeling
Security process in which potential threats are identified, categorized, and analyzed. Priority can then be determined for which threats to build defenses and controls around.
71
Reduction Analysis
Gaining a greater understanding of the logic of the product and its internal components, as well as its interactions with external elements.
72
Steps of Decomposition Process
Trust boundaries: where levels of security change; Dataflow paths: movement of data between locations; Input points: where external input is received; Privileged operations: any activity that requires greater privileges, such as making changes to security or system settings; Details of security stance: mapping to security policy and assumptions.
73
Supply Chain Risk Management
Ensures that all vendors or links in the supply chain are reliable, trustworthy, reputable organizations that disclose their practices and security requirements.
74
Risk Management
Detailed process of identifying factors that could damage or disclose assets, evaluating those factors in light of asset value and countermeasure cost, and implementing cost-effective solutions for minimizing risk.
75
Risk assessment/analysis
Examination of an environment for risks, evaluating each threat event as to its likelihood of occurring and the severity of the damage it would cause if it did occur.
76
Risk Response
Evaluating countermeasures, safeguards, and security controls using cost-benefit analysis; adjusting findings based on the conditions, concerns, priorities, and resources; and providing a proposal of response options. | How we evaluate and respond to risk
77
Single-loss expectancy (SLE)
Percentage of loss that an organization would experience if a specific asset were violated by a realized risk. SLE = Asset Value * Exposure Factor
78
Exposure factor
The percentage of loss that an organization would experience if a specific asset were violated by a realized risk. Loss potential. | The factor of something being exposed! How much loss
79
Annualized Rate of Occurrence
Expected frequency with which a specific threat or risk will occur.
80
Annualized Loss Expectancy
The possible yearly loss of all instances of a specific realized threat against a specific asset. ALE = ARO * SLE | ALE is arousal
81
Administrative controls
The policies and procedures defined by an organization's security policy and other regulations or requirements. | Managerial/procedural/management controls
82
Logical controls
The hardware or software mechanisms used to manage access and provide protection for IT resources and systems. | Technical controls
83
Security Control Assessment (SCA)
The formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation.
84
Risk register
A document that inventories all the identified risks to an organization or system or within an individual project.
85
Typosquatting
Trying to redirect traffic when a user mistypes the domain name or IP address of an intended resource.
86
Five stages of business impact analysis
Identification of priorities, risk identification, likelihood assessment, impact analysis, and resource prioritization. | How would I evaluate impact? Find the priorities, determine the risks, how likely would those risks happen, what would be the impact of those risks, and how would you prioritize resources to combat it.
87
Civil Law
Designed to provide for an orderly society and govern matters that are not crimes but require an impartial arbiter.
88
Administrative law
Executive orders, policies, procedures, and regulations that govern the daily operations of executive branch agencies.
89
Computer Fraud and Abuse Act
First major piece of legislation specific to computer crime; built as part of the Comprehensive Crime Control Act of 1984. | Doesn't say "cyber", must be old
90
Comprehensive Crime Control Act
Covered computer crimes that crossed state boundaries to avoid infringing on states' rights and treading on constitutionally thin ice. Covers basic unauthorized access, using computers for fraud, and damaging federal computer systems.
91
National Information Infrastructure Protection Act of 1996
A set of amendments to the Computer Fraud and Abuse Act that extended its coverage of computer use to international and commercial use, and to industrial infrastructure (gas, trains, electric grids). | Key word: Infrastructure
92
Digital Millennium Copyright Act (DMCA)
Prohibition of attempts to circumvent copyright protection mechanisms placed on a protected work by the copyright holder. Implements World Intellectual Property Organization treaties. ISPs are not liable for the traffic generated by a user.
93
Trade secrets
Intellectual property that, if disclosed, would cause significant damage. | Coca-Cola recipe
94
Electronic Communications Privacy Act of 1986
Makes it a crime to invade the electronic privacy of an individual.
95
Communications Assistance for Law Enforcement Act of 1994
Amended the Electronic Communications Privacy Act to permit wiretapping by law enforcement with an appropriate court order.
96
Economic Espionage Act of 1996
Extends the definition of property to include proprietary economic information so that the theft of this information can be considered industrial or corporate espionage.
97
Health Insurance Portability and Accountability Act of 1996
Clearly defines the rights of individuals who are the subject of medical records and requires organizations that maintain such records to disclose these rights.
98
ISO 27001
Establishes the guidelines for implementing an information security management system (ISMS). It is the foundation of numerous other ISO standards, many of which are within the ISO 27000 family group. It prescribes that management perform a systematized evaluation of an organization's assets and threats (i.e., risk assessment), then design and implement a security response strategy to address the identified risks and adopt an ongoing management, oversight, and governance process to maintain and improve the security infrastructure over time.
99
ISO 27002
Prescribes best practices for the implementation and use of security controls within each of the 14 control groups from ISO 27001. ISO 27002 is effectively an extension of ISO 27001. | 27002: 2 steps further, specific controls
100
ISO 27701
An extension of ISO 27001 that focuses on privacy. It describes how to establish and maintain a privacy information management system (PIMS). It includes guidance on implementing compliance with a range of privacy regulations, including the General Data Protection Regulation (GDPR). | Double 7, 007, secret privacy
101
ISO 31000
A family of standards and guidelines for implementing a risk management-based security program.
102
root cause analysis
An operational investigation that seeks to identify the reason that an operational issue occurred. The root cause analysis often highlights issues that require remediation to prevent similar incidents in the future.
103
beyond a reasonable doubt
The standard of evidence in a criminal court case.
104
preponderance of the evidence
The standard of evidence in a civil court case.
105
artifacts
Any items of evidence left behind by a suspect when performing a criminal or otherwise violating activity.
106
admissible evidence
Evidence that is relevant to determining a fact. The fact that the evidence seeks to determine must be material (in other words, related) to the case. In addition, the evidence must be competent, meaning that it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
107
admissibility
In U.S. courts, for evidence to be considered usable in court (i.e., admissible), it must meet three requirements: relevant, material, and competent. Evidence is relevant if it helps to determine or establish a fact about the case. Evidence is material if the fact determined by the evidence is related to the case. Evidence is competent if it was obtained legally, such as via a search warrant or consent.
108
real evidence
Items that can actually be brought into a court of law; aka object evidence.
109
documentary evidence
Any written items brought into court to prove a fact at hand. This type of evidence must also be authenticated.
110
best evidence rule
A rule that states that when a document is used as evidence in a court proceeding, the original document must be introduced. Copies will not be accepted as evidence unless certain exceptions to the rule apply.
111
parol evidence rule
A rule stating that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.
112
testimonial evidence
Evidence that consists of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.
113
direct evidence
Evidence that proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses.
114
demonstrative evidence
Evidence used to support testimonial evidence. It consists of items that may or may not be admitted into evidence themselves but are used to help a witness explain a concept or clarify an issue.
115
write blocker
Hardware adapters that physically sever the portion of the cable used to connect the storage device that would write data to the device, reducing the likelihood of accidental tampering with the device. A software write blocker is a common feature of most data duplication products, but it is not as reliable as a hardware write blocker.
116
memory dump
A file that contains the contents of memory. A memory dump may be triggered by a system error or by a forensics tool for investigative purposes.
117
voluntary surrender, voluntarily surrender
The act of willingly handing over evidence.
118
subpoena
A court order that compels an individual or organization to surrender evidence or to appear in court.
119
plain view doctrine
A law enforcement officer performing a legally permissible duty may seize evidence that is visible to the officer in plain view if the officer has probable cause to believe that the evidence is associated with criminal activity.
120
exigent circumstances
This means that a reasonable person would believe that the evidence would be destroyed if not immediately collected or another emergency exists, such as the risk of physical harm. When officers enter a premises under exigent circumstances, they may conduct a warrantless search.
121
reasonable expectation of privacy
A legal concept used to determine whether a person had a common-sense ability to assume their activities and actions were not being monitored.
122
interview
Questioning a person to gather information to assist with a criminal investigation. In an interview, the person being questioned is not suspected of committing the crime. See also interrogation.
123
interrogation
Questioning a person suspected of committing a crime. See also interview.
124
computer crime
Any crime that is perpetrated against or with the use of a computer.
125
military and intelligence attacks
Attacks that are launched primarily to obtain secret and restricted information from law enforcement or military and technological research sources.
126
business attack
An attack that focuses on illegally obtaining an organization’s confidential information. Aka corporate espionage or industrial espionage.
127
financial attack
A crime that is carried out to unlawfully obtain money or services.
128
terrorist attacks
Attacks that differ from military and intelligence attacks in that the purpose is to disrupt normal life, whereas a military or intelligence attack is designed to extract secret information.
129
grudge attack
An attack usually motivated by a feeling of resentment and carried out to damage an organization or a person. The damage could be in the loss of information or harm to the organization's or a person's reputation. Often the attacker is a current or former employee or someone who wishes ill will upon an organization.
130
thrill attack
An attack launched by crackers/hackers with few true skills. The main motivation behind thrill attacks is the “high” of getting into a system.
131
ethics
The rules that govern personal conduct. Several organizations have recognized the need for standard ethics rules, or codes, and have devised guidelines for ethical behavior. These rules are not laws but are minimum standards for professional behavior. They should provide you with a basis for sound, professional, ethical judgment.
132
Gramm–Leach–Bliley Act (GLBA)
A law passed in 1999 that eased the strict governmental barriers between financial institutions. Banks, insurance companies, and credit providers were severely limited in the services they could provide and the information they could share with each other. GLBA somewhat relaxed the regulations concerning the services each organization could provide.
133
Federal Information Security Management Act (FISMA)
A U.S. law passed in 2002 requiring that federal agencies implement an information security program that covers the agency’s operations. FISMA also requires that government agencies include the activities of contractors in their security management programs.
134
Children’s Online Privacy Protection Act (COPPA)
A law in the United States that places specific demands on websites that cater to children or knowingly collect information from children.