Domain 2: Determining Data Security Controls Flashcards
System has been approved to meet the security requirements of the data owner
Certification
Data owner’s acceptance of the certification and of the residual risk
Accreditation
Risk Management framework from Carnegie Mellon University
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
What is the three-phase process for managing risk according to OCTAVE?
Phase 1 - Identify staff knowledge, assets, and threats
Phase 2 - Identify vulnerabilities and evaluate safeguards
Phase 3 - Conduct the risk analysis and develop the risk mitigation strategy
- Internationally agreed-upon standard for describing and testing the security of IT products
- Replaced the TCSEC (US) and ITSEC (Europe)
International Common Criteria
- The system or product that is being evaluated
- International Common Criteria term
Target of Evaluation (ToE)
- Documentation describing the ToE, including the security requirements and operational environment
- International Common Criteria term
Security target
- Independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems
- International Common Criteria term
Protection Profile
- The evaluation score of the tested product or system
- International Common Criteria term
Evaluation Assurance Level (EAL)
- Functionally tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL1
- Structurally tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL2
- Methodically tested and checked
- International Common Criteria Evaluation Assurance Level (EAL)
EAL3
- Methodically designed, tested, and reviewed
- International Common Criteria Evaluation Assurance Level (EAL)
EAL4
- Semi-formally designed and tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL5
- Semi-formally verified, designed, and tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL6
- Formally verified, designed, and tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL7
Control framework for employing security governance best practices within an organization
COBIT
What are the four COBIT domains?
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Framework of best practices for IT service management
Information Technology Infrastructure Library (ITIL)
What are the five ITIL Service Management Practices?
- Service Strategy - Helps IT provide services
- Service Design - Details the infrastructure and architecture required to deliver IT services
- Service Transition - Describes taking new projects and making them operational
- Service Operation - Covers IT operations controls
- Continual Service Improvement - Describes ways to improve existing IT services
Process of determining which portions of a standard will be employed by an organization
Scoping
Process of customizing a standard for an organization
Tailoring
- Data stored on media
- e.g. hard drives, external USB drives, SANs, etc.
- Best protection: encryption
Data at Rest
- Data transmitted over a network
- Best protection: end-to-end encryption
Data in Transit
Data in memory or temporary storage buffers, while an application is using it.
Data in Use
- An alias
- e.g. in a medical database, instead of referencing a patient’s real name, the record could simply refer to the patient as Patient 95764
Pseudonymization
The process of removing all relevant data so that it is impossible to identify the original subject or person.
Anonymization
Swaps data in individual data columns so that records no longer represent the actual data.
Data Masking
Typically designed around a limited set of specific functions in relation to the larger product of which it’s a component
Embedded system
Applications, OSs, hardware sets, or networks that are configured for a specific need, capability, or function and then set to remain unaltered
Static environments