Domain 2: Asset Security 13% Flashcards
Military Classification
Top Secret, Secret, Confidential, Unclassified
Business Classification
Highly Sensitive, Sensitive, Internal, Public
Formal Access Approval
Document from the data owner approving access to the data for the subject
Need to know
Just because you have access does not mean you are allowed to use the data. You need a VALID reason for accessing the data.
Least privilege
Users have the minimum necessary access to perform their job duties.
Data has 3 States
Data at Rest (Stored data), Data in Motion (Data being transferred on a network), Data in Use (We are actively using the files/data, it can’t be encrypted)
DAD
Protect against Disclosure, Alteration, and Destruction.
Data Remanence
Data left over after normal removal and deletion of data.
Scoping
Determining which parts of a standard we will deploy in our organization.
Tailoring
Customizing a standard to fit your organization.
Certification
A system, and the security measures to protect it, meet the security requirements set by the data owner or by regulations/laws.
Accreditation
The data owner accepts the certification and the residual risk. This is required before the system can be put into production.
PCI-DSS
Payment Card Industry Data Security Standard
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation: self-directed risk management.
COBIT
Control Objectives for Information and related Technology: goals for IT. Stakeholder needs are mapped down to IT-related goals.
COSO
Committee Of Sponsoring Organizations: goals for the entire organization.
ITIL
Information Technology Infrastructure Library: IT Service Management (ITSM).
FRAP
Facilitated Risk Analysis Process: analyzes one business unit, application, or system at a time in a roundtable brainstorm with internal employees. Impact is analyzed, and threats and risks are prioritized.
ISO 27001
Establish, implement, control, and improve the ISMS (Information Security Management System). Uses PDCA = Plan, Do, Check, Act.
ISO 27002
(From BS 7799 Parts 1/2, later ISO 17799.) Provides practical advice on how to implement security controls. It has 10 domains it uses for the ISMS.
ISO 27004
Provides metrics for measuring the success of your ISMS.
ISO 27005
Standards-based approach to risk management.
ISO 27799
Directives on how to protect PHI (Protected Health Information).