Domain 2: Asset Security Flashcards

1
Q

Labels

A

defines the information sensitivity of an object

2
Q

Clearance

A

Subjects have clearance assigned to them. A formal determination of whether a user can be trusted with a specific level of information.

Defines whether a subject can have access to an object.

3
Q

Compartmentalization

A

Giving clearance to a user, but only in a specific area, not to all objects of the same level.

4
Q

Formal access approval

A

Documented approval from a data owner for a subject to access certain objects.

5
Q

Need to Know

A

Giving access to a subject, only for those objects that they ‘need to know.’

6
Q

Sensitive information retention

A

Sensitive information only has a useful life of so long. It should not be kept longer than necessary.

7
Q

Data owner

A

Manager responsible for ensuring specific data is protected. Determines sensitivity labels and frequency of data backup.

8
Q

System owner

A

Manager responsible for the actual computers which house data.

9
Q

Custodian

A

Performs hands-on protections of assets such as data.

10
Q

Data Controller

A

Creates and manages sensitive data within an org. HR employees are often data controllers.

11
Q

Data Processor

A

Manages data on behalf of data controllers. An outsourced payroll company is an example of this.

12
Q

Data collection limitation

A

Orgs should collect the minimum amount of sensitive information required.

13
Q

Data Remanence

A

Data that persists after non-invasive attempts to delete it.

14
Q

Memory

A

Series of on/off switches representing 1s or 0s

15
Q

RAM

A

Random Access Memory - Means CPU can jump to any physical location in memory, not limited by what’s available. Volatile

16
Q

Volatile Memory

A

Loses integrity after power loss

17
Q

Non-volatile memory

A

Doesn’t lose integrity after power loss.

18
Q

Real/Primary Memory

A

Directly accessible by the CPU. Used to hold instructions and data for currently running processes.

19
Q

Cache Memory

A

Fastest Memory, required to keep up with CPU.

20
Q

Register File

A

Fastest portion of the fastest memory (Cache Memory). Contains multiple registers for storing instructions/data.

21
Q

ROM

A

Non-volatile Read Only Memory. Some types of ROM can be written by flashing.

22
Q

DRAM

A

Dynamic Random Access Memory - Stores bits in capacitors (electric charge). Leaks charge so must be constantly recharged every few milliseconds. Slower and cheaper than SRAM.

23
Q

SRAM

A

Uses small latches called ‘flip flops’ to store information. Does not leak charge. Faster and more expensive than DRAM.

24
Q

Firmware

A

Stores programs that do not change often, such as a BIOS or router OS.

25
Q

Flash Memory

A

Such as a USB thumb drive or SSD.

26
Q

PROM

A

Programmable read-only memory. Can be written only once. Usually in factory.

27
Q

EPROM

A

Erasable Programmable Read-only memory. Can be flashed.

28
Q

EEPROM

A

Electronically Erasable Programmable Read Only Memory

29
Q

UVEPROM

A

Ultra-violet erasable programmable read only memory.

30
Q

SSD

A

Combination of EEPROM and DRAM. Degaussing has no effect on SSDs.

Blocks are logical, not physical, and organized by mapping.

Does not overwrite used blocks until the disk is full. Risk of data remanence.

31
Q

SSD Garbage Collection

A

Systematically identifies which memory cells contain un-needed data, and clears the blocks.

32
Q

ATA Secure Erase

A

One of two ways to securely remove data from SSD

33
Q

Degaussing

A

Destroys the integrity of a magnetic medium (HDD or tape) by exposing it to a strong magnetic field.

34
Q

Overwriting

A

Reformats a disk by writing all bits as 1s or 0s, then marking it as ‘unallocated’. Usually some data remanence still remains.

35
Q

Destruction

A

Physically destroys the integrity of the media. Shredding (disks or papers), incineration, pulverization.

36
Q

Shredding

A

Paper, HDDs, floppy disks.

37
Q

System Certification

A

Means the system has been certified to meet the minimum requirements of the Data Owner. Considers the system, security measures, and residual risk.

38
Q

Accreditation

A

Data Owner’s acceptance of the Certification and of the Residual Risk. Required before production use begins.

39
Q

PCI DSS

A

Payment Card Industry Data Security Standard.

Protect Credit Cards by requiring vendors who use them to take specific security precautions.

40
Q

PCI DSS Principles

A
  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy
41
Q

OCTAVE

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation.

Three-phase risk management process from Carnegie Mellon University.

42
Q

OCTAVE Phases

A
  1. Identifies staff knowledge, assets, and threats.
  2. Identifies vulnerabilities and evaluates safeguards.
  3. Conducts risk analysis and develops a risk mitigation strategy.
43
Q

International Common Criteria

A

Internationally agreed-upon criteria/hierarchy of requirements for testing the security of information technology systems.

44
Q

ICC ToE

A

Target of Evaluation: the system/product being evaluated.

45
Q

ICC Sec Target

A

Documentation describing the ToE, including security requirements and operational environment.

46
Q

ICC Protection Profile

A

Set of security requirements and objectives for a specific category of products, such as firewalls or IDS/IPS.

47
Q

ICC Evaluation Assurance Level (EAL)

A

Evaluation score of tested product or system.

48
Q

ICC EAL1

A

International Common Criteria Evaluation Assurance Level 1

Functionally tested

49
Q

ICC EAL2

A

International Common Criteria Evaluation Assurance Level 2

Structurally Tested

50
Q

ICC EAL3

A

International Common Criteria Evaluation Assurance Level 3

Methodically tested and checked

51
Q

ICC EAL4

A

International Common Criteria Evaluation Assurance Level 4

Methodically designed, tested, and reviewed

52
Q

ICC EAL5

A

International Common Criteria Evaluation Assurance Level 5

Semi-formally designed, and tested

53
Q

ICC EAL6

A

International Common Criteria Evaluation Assurance Level 6

Semi formally verified, designed, and tested

54
Q

ICC EAL7

A

International Common Criteria Evaluation Assurance Level 7

Formally verified, designed, and tested.

55
Q

ISO 17799 Renumbered to ______

A

ISO 27002

56
Q

ISO 17799 / ISO 27002

A

Approach for the information security code of practice by the International Organization for Standardization. Based on ISO 17799.

57
Q

ISO 27001

A

Based on BS 7799. Security techniques, information security management systems.

58
Q

COBIT

A

Framework for employing information security governance best practices within an organization.

Developed by ISACA

59
Q

ITIL

A

Framework for providing best services in IT Management.

60
Q

COBIT # of domains

A

4

61
Q

COBIT # of processes

A

34

62
Q

ITIL # of Service MGMT Practices

A

5

63
Q

Scoping

A

Process of determining which portions of a standard will be employed by an org.

64
Q

Tailoring

A

Customizing a standard for an organization.

65
Q

NIST SP-800-18

A

Outlines responsibilities for the information owner role.

66
Q

Sanitization

A

Removal of information from a storage medium.

67
Q

Clearing

A

Sanitization method used to overwrite data. Data can be recovered in a laboratory.

68
Q

Purging

A

More thorough version of clearing.

69
Q

CASB Acronym (Cloud)

A

Cloud Access Security Broker

Software placed between users and cloud environments. Monitors all activity.