Exam 1 Flashcards
Which security principle is opposite of disclosure? A) integrity B) availability C) confidentiality D) authorization
Confidentiality
Opposite of corruption?
Integrity
Opposite of destruction?
Availability
Opposite of disapproval?
Authorization
Security policy
Administrative control
CCTV and locks
Physical control
Data backups
Technical control
What is a vulnerability?
An absence or weakness of a countermeasure that is in place
Threat?
Vulnerability is identified or exploited
Threat agent?
Entity that carries out a threat
Exposure?
Organizational asset exposed to losses
Countermeasure or safeguard?
Control that reduces risk
Examples of technical threats?
Hardware/software failure
Malicious code
New technologies
Human threat agents?
Malicious and non-malicious insiders and outsiders
Terrorists
Spies
Terminated personnel
Natural threat agents?
Floods
Fires
Tornadoes
Hurricanes
Earthquakes
Other natural disaster or weather event
Environmental threat agents?
Power or utility failure
Traffic issues
Biological warfare
Hazardous material issues
SLE?
Single loss expectancy. Monetary impact of a threat occurrence.
ARO
Annualized rate of occurrence. How often a threat may occur annually.
ALE
Annual loss expectancy. Expected risk factor of an annual threat event.
EF
Exposure factor. Percent value or functionality loss after a threat event.
Advisory security policies?
Instruction on acceptable and unacceptable activities.
Informative security policies?
Provide info on topics and act as educational tool.
Regulatory security policies?
Address specific industry regulations, including mandatory standards.
System-specific security policies?
Address security for a specific computer, network, technology, or application.
Computer assisted crime?
Computer used as a tool to help commit a crime
Incidental computer crime?
Computer involved in a crime but not the victim or the attacker
Computer targeted crime?
Computer is victim and the attacker means harm against the computer and its victim
Computer prevalence crime?
Happens because computers are so widely used
4 stages of security program lifecycle?
- Plan and organize
- Implement
- Operate and maintain
- Monitor and evaluate
CSO?
Chief security officer. Responsible for security effort. Reports directly to CEO
CPO?
Chief privacy officer. Responsible for private information. Reports directly to CIO
CFO?
Chief financial officer. Responsible for all financial aspects of the organization
Acceptable use policy?
Directive control. Lists proper procedures personnel must follow.
Corrective controls?
Reduce effect of attack
Detective controls?
Detect attack while occurring and inform proper authorities
Compensative controls?
Substitute for primary controls to mitigate risk
Attacker centric threat model?
Profiles attackers' characteristics, skills, and motivations to exploit vulnerabilities
Application centric threat modeling?
Uses application diagrams to analyze threats
Asset-centric threat modeling?
Uses attack trees, attack graphs, or display patterns to determine how an asset can be attacked.
risk avoidance
terminating the risk factor or choosing something not as risky
residual risk
the risk left over after safeguards
risk transfer
is passing the risk on to a third party
risk migration
is defining the acceptable risk level
data owner
determines the classification level of the data
data custodian
implements the classification to the data
security administrator
maintains security devices
corrective control
reduces the effect of an attack
compensative control
substitute for primary access control
preventive control
prevents an attack from happening
Zachman's framework
two-dimensional model that intersects six communication questions with various viewpoints
what do employees sign to protect trade secrets
NDA or non-disclosure agreements
due care
took all measures possible to prevent a security breach
due diligence
investigated all vulnerabilities
CRAMM?
CCTA Risk analysis and management method. Steps:
- Identify value and assets
- Identify threats and vulnerabilities and calculate risks
- Identify and prioritize countermeasures
what not to worry about during a merger
the costs
Information life cycle?
- Create/receive
- Distribute
- Use
- Maintain
- Dispose/store
Data quality?
Fitness of data for use
Data remanence?
Clearing
Purging
Destruction
Media destruction?
Physical
Chemical
Magnetic
primary objective during a security incident is
minimal disruption to the organization's mission
Which framework uses six communication questions that intersect with six layers? A) Six Sigma B) SABSA C) ITIL D) ISO/IEC 27000 Series
SABSA
Which of the following is a two-dimensional model that intersects communication interrogatives with various viewpoints? A) SABSA B) Zachman framework C) TOGAF D) ITIL
Zachman framework