Governance Flashcards
What is defense in depth?
Layering of security measures to provide “overlapped” security.
What is the difference in series and parallel when layering?
Parallel leaves gaps that can be exploited.
What is abstraction when securing data?
Grouping things together for efficiency.
What is used when hiding data?
Preventing discovery by unauthorized subjects. Can be done by positioning data in containers not accessible by certain subjects.
What is the definition of encryption?
Art or Science of hiding the meaning or intent of an Object from unintended Subjects.
Name some elements of Privacy.
Prevention of unauthorized access to information that is PII.
Freedom from unauthorized access to information deemed personal or confidential.
Freedom from being observed, monitored, or examined without consent/ knowledge.
What does COBIT stand for?
Control Objectives for
Information and Related Technology
What are the 5 elements of COBIT?
- Meet stakeholder needs
- Covering Enterprise E2E
- Apply single, integrated framework
- Enable holistic approach & principle.
- Separate governance from management.
What is Due Care?
Use of reasonable care to protect interests.
What is Due Diligence?
The practices required to maintain Due Care.
What is the CIA Triad?
Confidentiality
Integrity
Accountability
What does Confidentiality mean?
High level of assurance that objects and/ or resources are restricted from unauthorized Subjects.
What can cause a loss of confidentiality?
Failure to encrypt transmissions
Failure to properly authenticate Subjects.
Failure of an end user or administrator.
What is Integrity?
The ability to ensure that only authorized Subjects can intentionally modify and Object
What can be done to ensure integrity?
Logging & Monitoring
What are some risks to integrity?
Viruses, worms, and back doors.
What is the definition of availability?
Availability means that authorized Subjects can access an Object in a timely and uninterrupted manner.
What are some example of a loss of availability?
hardware failure, power loss, or DDOS attack.
Name other security concepts (non CIA Triad)
Identification - Subject professing identity
Authentication - Validating claimed identity
Authorization - allowing a Subject to access an Object.
Auditing - Holding a Subject accountable.
Accountability - Proof of identity
What is non repudiation?
Ensures the Subject cannot deny an event or the occurrence of an event.
What is essential for accountability?
non repudiation
What is a security policy?
Document(s) that define the scope of security needed by an organization.
What should be included in a security policy?
Assign responsibilities, define roles, specify audit requirements, and outline enforcement processes.
What are some different security “sub” policies?
Organizational - Org centric
Issue - lower level areas (networks, servers…)
Regulatory - Legal, statutory
Advisory - What is acceptable and unacceptable.
