Domain 2: Asset Security Flashcards
Labels
defines the information sensitivity of an object
Clearance
Subjects have clearance assigned to them. A formal determination of whether a user can be trusted with a specific level of information.
Defines if a subject can have access to an object.
Compartmentalization
Giving clearance to a user only within a specific area (compartment), not to all objects of the same level.
Formal access approval
Documented approval from a data owner for a subject to access certain objects.
Need to Know
Giving access to a subject, only for those objects that they ‘need to know.’
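The four cards above (labels, clearance, compartmentalization, need to know) combine into a single access decision. The following is an added example, not part of the original flashcards: a toy mandatory-access-control check where a subject's clearance must dominate the object's label (level at least as high and every compartment held) and the object must also be on the subject's need-to-know list. The level names, compartments, subjects and objects are constructed for illustration.

```python
"""Toy MAC read check: label dominance plus need-to-know.
Added example; level/compartment names and sample data are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Ordered sensitivity levels, lowest first (constructed hierarchy).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: Label) -> bool:
        """True if our level is at least as high AND we hold every
        compartment of `other` (compartmentalization)."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.compartments <= self.compartments)


@dataclass
class Subject:
    name: str
    clearance: Label
    need_to_know: set = field(default_factory=set)  # object ids with formal access approval


@dataclass
class Object:
    oid: str
    label: Label


def can_read(subject: Subject, obj: Object) -> tuple[bool, str]:
    """Return (decision, reason). Clearance is checked before need-to-know,
    so a denial never reveals whether the object exists on the NTK list."""
    if LEVELS.index(subject.clearance.level) < LEVELS.index(obj.label.level):
        return False, "clearance below label"
    if not obj.label.compartments <= subject.clearance.compartments:
        return False, "missing compartment"
    if obj.oid not in subject.need_to_know:
        return False, "no need to know"
    return True, "granted"


def demo() -> dict[str, str]:
    """Run the check for one constructed subject against several objects."""
    alice = Subject("alice",
                    Label("SECRET", frozenset({"CRYPTO"})),
                    need_to_know={"doc1", "doc3", "doc5"})
    objects = [
        Object("doc1", Label("SECRET", frozenset({"CRYPTO"}))),            # cleared, approved
        Object("doc2", Label("SECRET", frozenset({"CRYPTO"}))),            # cleared, not approved
        Object("doc3", Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"}))), # lacks NUCLEAR
        Object("doc4", Label("TOP SECRET")),                                # level too high
        Object("doc5", Label("CONFIDENTIAL")),                              # lower level, approved
    ]
    return {o.oid: can_read(alice, o)[1] for o in objects}


if __name__ == "__main__":
    for oid, reason in demo().items():
        print(f"{oid}: {reason}")
```

Note that a higher clearance alone is not enough: doc3 is at Alice's own level but carries a compartment she does not hold, and doc2 is denied purely on need to know.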
Sensitive information retention
Sensitive information only has a useful life of so long. It should not be kept longer than necessary.
Data owner
Manager responsible for ensuring specific data is protected. Determines sensitivity labels and frequency of data backup.
System owner
Manager responsible for the actual computers which house data.
Custodian
Performs hands-on protections of assets such as data.
Data Controller
Create and manage sensitive data within an org. HR employees are often data controllers.
Data Processor
Manage data on behalf of data controllers. An outsourced payroll company is an example.
Data collection limitation
Orgs should collect the minimum amount of sensitive information required.
Data Remanence
Data that remains on a storage medium after attempts to delete it by non-invasive means (e.g. a normal delete or format).
Memory
Series of on/off switches representing 1s or 0s
RAM
Random Access Memory - the CPU can read or write any location directly, without stepping through the locations before it (unlike sequential media such as tape). Volatile.
Volatile Memory
Loses integrity after power loss
Non-volatile memory
doesn’t lose integrity after power loss.
Real/Primary Memory
Directly accessible by the CPU. Used to hold instructions and data for currently running processes.
Cache Memory
Fastest memory outside the CPU's own registers. Sits between the CPU and RAM so the CPU is not stalled waiting on slower DRAM.
Register File
The registers inside the CPU itself: the fastest storage of all, faster even than cache. Holds the instructions and data the CPU is operating on right now.
ROM
Non-volatile Read Only Memory. Some types of ROM can be written by flashing.
DRAM
Dynamic Random Access Memory - stores bits as electric charge in capacitors. The charge leaks, so it must be refreshed every few milliseconds. Slower and cheaper than SRAM.
SRAM
Static RAM - uses small latches called 'flip-flops' to store information. Does not leak charge, so needs no refresh. Faster and more expensive than DRAM.
Firmware
Stores programs that do not change often, such as a BIOS or a router OS.
Flash Memory
Non-volatile, electrically erasable memory (a type of EEPROM), such as USB thumb drives and SSDs.
PROM
Programmable Read-Only Memory. Can be written only once, usually in the factory.
EPROM
Erasable Programmable Read-Only Memory. Can be erased and reprogrammed (the original EPROMs were erased with ultraviolet light; see UVEPROM).
EEPROM
Electrically Erasable Programmable Read-Only Memory. Erased and rewritten electrically, without removing the chip from the board.
UVEPROM
Ultraviolet Erasable Programmable Read-Only Memory. Erased by exposing the chip to ultraviolet light.
SSD
Combination of EEPROM (flash) and DRAM (cache). Degaussing has no effect on SSDs, since they are not magnetic.
Blocks seen by the host are logical, not physical: the drive's controller maps logical addresses to physical cells (wear leveling), so the OS cannot target a specific physical cell.
Writes go to fresh cells rather than in place; used blocks are not reused until free ones run out. Risk of data remanence, because 'overwritten' data may still sit in unmapped cells.
SSD Garbage Collection
Background process in the drive that identifies which cells contain stale (no longer mapped) data and erases those blocks so they can be rewritten. Its timing is controlled by the drive, not the host.
ATA Secure Erase
One of the two reliable ways to sanitize an SSD (the other is physical destruction). A firmware command that erases all cells, including unmapped and over-provisioned ones the host cannot address.
Degaussing
Destroys the integrity of a magnetic medium (HDD or tape) by exposing it to a strong magnetic field.
Overwriting
Writes a pattern of 1s and/or 0s over every sector of a disk, then marks it 'unallocated'. Some data remanence may remain, e.g. in bad sectors or in SSD cells the host cannot address.
Destruction
Physically destroys the integrity of the media: shredding (disks or paper), incineration, pulverization.
Shredding
Paper, HDDs, floppy disks.
System Certification
Means the system has been certified to meet the minimum requirements of the Data Owner. Considers the system, its security measures, and the residual risk.
Accreditation
The Data Owner's acceptance of the certification and of the residual risk. Required before production use begins.
PCI DSS
Payment Card Industry Data Security Standard.
Protects cardholder data by requiring merchants and service providers that store, process, or transmit card data to take specific security precautions.
PCI DSS Principles
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation.
Three-phase risk management process from Carnegie Mellon University.
OCTAVE Phases
- Identifies staff knowledge, assets, and threats
- Identifies vulnerabilities and evaluates safeguards
- Conducts risk analysis and develops a risk mitigation strategy
International Common Criteria
Internationally agreed-upon criteria/hierarchy of requirements for testing the security of information technology systems.
ICC ToE
Target of Evaluation - the system/product being evaluated.
ICC Sec Target
Documentation describing the ToE, including its security requirements and operational environment.
ICC Protection Profile
Protection Profile - set of security requirements and objectives for a specific category of products, such as firewalls or IDS/IPS.
ICC Evaluation Assurance Level (EAL)
Evaluation score (EAL1, lowest, to EAL7, highest) of the tested product or system.
ICC EAL1
International Common Criteria Evaluation Assurance Level 1
Functionally tested
ICC EAL2
International Common Criteria Evaluation Assurance Level 2
Structurally Tested
ICC EAL3
International Common Criteria Evaluation Assurance Level 3
Methodically tested and checked
ICC EAL4
International Common Criteria Evaluation Assurance Level 4
Methodically designed, tested, and reviewed
ICC EAL5
International Common Criteria Evaluation Assurance Level 5
Semi-formally designed, and tested
ICC EAL6
International Common Criteria Evaluation Assurance Level 6
Semi formally verified, designed, and tested
ICC EAL7
International Common Criteria Evaluation Assurance Level 7
Formally verified, designed, and tested.
ISO 17799 renumbered to ______
ISO 27002
ISO 17799 / ISO 27002
Code of practice for information security controls from the International Organization for Standardization. ISO 27002 is the renumbered ISO 17799, which was itself based on BS 7799 Part 1.
ISO 27001
Based on BS 7799 Part 2. Specifies requirements for an information security management system (ISMS); the standard an organization can be certified against.
COBIT
Framework for employing information security governance best practices within an organization.
Developed by ISACA
ITIL
Framework of best practices for IT service management.
COBIT # of domains
4 (COBIT 4.1: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate)
COBIT # of processes
34 (COBIT 4.1)
ITIL # of Service MGMT Practices
5 (ITIL v3 core publications: Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement)
Scoping
Process of determining which portions of a standard will be employed by an org.
Tailoring
Customizing a standard to fit an organization.
NIST SP 800-18
Outlines responsibilities for the information owner role.
Sanitization
Removal of information from a storage medium so that it cannot be recovered.
Clearing
Sanitization method that overwrites data so it cannot be recovered with normal system tools. Data may still be recoverable in a laboratory.
Purging
More thorough than clearing: data cannot be recovered even with laboratory techniques (e.g. degaussing magnetic media).
CASB Acronym (Cloud)
Cloud Access Security Broker
Software placed between users and cloud environments. Monitors all activity between them and enforces security policy.