Domain 5 Flashcards
Security Policy
Sets the overall vision and goals for information security. Defines the "why" behind security measures. General statements. Policies are a major input to standards
Security Standards
Translate the policy into specific technical requirements and best practices. Define the "what" and "when" for security goals. Mandatory
Security Procedure
Provides detailed instructions on how to implement standards. Defines the "how"
Security Guidelines
Offer additional recommendations and best practices that can be adopted to further enhance security. They are not mandatory. Least specific.
Acceptable Use Policy (AUP)
Allowed/appropriate uses of the organisation's IT resources
Information Security Policy
Sets overall direction for information security
Business Continuity Policy
Defines the organisation's overall strategy for business continuity
Disaster Recovery Policy
Focuses on recovery from disasters
Incident Response Policy
Sets high-level direction for how the organisation will identify, contain, eradicate and recover from security incidents
Software Development Lifecycle (SDLC)
Guidance that Software development teams must follow in creating software
FIPS 140-2/3
Mandatory standard for protection of sensitive data within federal systems
Board
Highest level of authority
Committees
Subgroups that focus on specific areas or tasks, reporting to the Board
Government Entities
E.g. NIST - These entities issue security regulations, standards and best practices that organisations must comply with
Centralized
Decisions are managed by central security team
Decentralized
Delegates security decisions and controls to some extent to business units and departments
Data Owner
Legal rights and complete control over a single piece of data. Member of senior Management. Can delegate day-to-day activities. Cannot delegate total responsibility
Data Custodian
Responsible for safe custody, transport, and storage of data. IT Department
Data Processor
Legal person, public authority, agency or other body which processes personal data solely on behalf of the data controller
Data Controller
Person or entity that controls the processing of the data
Data Subject
Person who can be identified
Data Steward
Ensures the data's context and meaning are understood and that the business rules governing data usage are known and followed
Risk Identification
Process of identifying the threats and vulnerabilities that exist in the operating environment
Risk Assessment
Process of identifying, analysing, evaluating and prioritizing potential risks
Ad hoc Risk Assessment
One time assessments in response to a specific event
Recurring Risk Assessment
Assessments conducted periodically
One-Time Risk Assessment
One-time assessment - in response to a security incident or management request
Continuous Risk Assessment
Automated such as recurring system scan integrated into daily operations
Quantitative Risk Analysis
Assigns a dollar value to evaluate the effectiveness of countermeasures
Qualitative Risk Analysis
Scoring system to rank the effectiveness of countermeasures. Low/Medium/High
Impact
Potential consequences or negative effects that could occur if the risk materializes
Asset Value
Monetary value of the asset
Exposure Factor (EF)
Percentage of loss if a specific asset were violated by a realised risk
Single Loss Expectancy (SLE)
Cost associated with a single realized risk against a specific asset.
SLE = Asset Value × Exposure Factor (%)
Annualized Rate of Occurrence (ARO)
Expected frequency with which a specific threat or risk will occur within a single year. Example: a risk that occurs every 5 years = 1/5 = 0.2
Annualized Loss Expectancy (ALE)
ALE = SLE × ARO - how much you will lose per year.
ALE = Asset Value × Exposure Factor × ARO
Risk Register
Tracks potential issues
Risk Matrix
Heat map. Visual representation of the risks affecting a company
Key Risk Indicators (KRIs)
Measurable metrics that signal potential changes
Risk Owner
Designated individual assigned responsibility for a risk
Risk Threshold
Level of risk tolerance established by the organisation
Risk Appetite
Risk an organisation is willing to accept without mitigating
Risk Tolerance
Ability to take on risk
Risk Exception
Temporary deviation for a defined period
Risk Exemption
Permanent deviation
Risk Reporting
Reports the risks discovered and includes recommendations as well
Business Impact Analysis (BIA)
Includes 2 benefits: cost-benefit analysis and return on investment
Recovery Point Objective (RPO)
Max tolerable data loss between last backup and disaster
Recovery Time Objective (RTO)
Duration or time within which a business process must be restored
Mean Time Between Failures (MTBF)
How long IT infrastructure will continue to work before it fails
Mean Time to Repair (MTTR)
How long it will take to get hardware/software back online
Right to Audit Clause
Written into supply chain contracts; allows an auditor to visit the premises to inspect
Service Level Agreements
Stipulate performance expectations
Memorandum of Understanding
Formal agreement between 2 parties stating their intention to work together towards a common goal. Lacks a binding contract
Memorandum of Agreement
Serves as a legal document and describes the terms and details of the agreement. An MOA is a legal contract
Master Service Agreement
Agreement for vendors that you will work with repeatedly. Has compliance and process requirements
Statement of Work
The SOW is a legal document created after the MSA. The SOW has requirements, expectations and deliverables
Business Partner Agreement
2 companies or individuals who want to participate in a business venture to make a profit
Right to be forgotten
Individual's right to have their personal data deleted
Attestation
Independent verification of an organisation's adherence to specific controls or standards
Penetration Testing
Actively assesses deployed security controls, trying to exploit vulnerabilities by simulating or performing an attack
Offensive Pentest
Focuses on the technical security of computer systems and networks, attempting to exploit vulnerabilities to gain unauthorised access
Defensive Pentest
Focuses on evaluating the effectiveness of existing security controls to withstand attacks
Integrated Pentest
Combines Physical, Offensive and Defensive techniques
Known Environment
White box test - Substantial/ Full Information
Unknown Environment
Black box test - Completely Blind
Partially Known Environment
Grey Box Test - Limited Information
Rules of Engagement
Purpose and scope of the pentest
Passive Reconnaissance
Not interacting with the target - involves gathering data from publicly available sources (searching the Internet, reviewing media, analysing DNS records, using search engines) - Google Dorking
Active Reconnaissance
Interacts Directly with Target (Using Port Scanners, Sending Ping sweeps, Utilizing vulnerability scanners, Employing social engineering techniques)
Authority
Position, Responsibility or Affiliation that grants the attacker the authority to make the request
Intimidation
Suggesting you may face negative outcomes
Scarcity
Similar to Urgency - Limited Opportunity, diminishing Availability
Consensus
Claiming that someone in a similar position or peer has carried out the same task
Familiarity
Liking - Attempting to establish a personal connection
Urgency
Time Sensitivity to demand action
Trust
Citing Knowledge and experience
SPAM
Unsolicited Email
SPIM
SPAM over Instant Messaging
Dumpster Diving
Gathering important details (intelligence) from things people have thrown in the trash
Tailgating
Unauthorised individual follows you through a door without badging in themselves
Eliciting Information
Casual Conversation to extract information
Shoulder Surfing
Criminal practice of stealing your personal data by spying over your shoulder
Pharming
Online scam where website traffic is manipulated through DNS, redirecting a user to a different website