Governance Flashcards

1
Q

Risk Assessment

A

- Identify and Valuate Assets
- Identify Threats and Vulnerabilities

2
Q

Risk Analysis

A

- Qualitative
- Quantitative (best)

3
Q

Risk Mitigation/Response

A

- Reduce/Avoid
- Transfer
- Accept/Reject

4
Q

Risk Management

A

1. Risk Assessment
2. Risk Analysis
3. Risk Mitigation/Response
4. Ongoing Risk Monitoring

5
Q

TCO

A

Total Cost of Ownership (TCO) - total cost of a mitigating safeguard

6
Q

Threat

A

potentially harmful occurrence (e.g. earthquake, attack)

7
Q

Vulnerability

A

a weakness that allows a threat to cause harm

8
Q

Impact

A

consequences or severity of the damage, sometimes expressed in dollars

9
Q

AV

A

Asset Value (AV) - tangible (i.e. equipment costs) and intangible assets. Intangible assets are calculated by:
- Market approach - price at which comparable assets have been purchased
- Income approach - the present value of the future earning capacity
- Cost approach - the cost incurred to recreate or replace the asset

10
Q

EF

A

Exposure Factor (EF) - percentage of an asset's value lost due to an incident

11
Q

ARO

A

Annual Rate of Occurrence (ARO) - number of losses per year

12
Q

SLE

A

Single Loss Expectancy (SLE) - cost of a single loss; SLE = AV x EF

13
Q

ALE

A

Annualized Loss Expectancy (ALE) - annual cost of loss due to risk; ALE = SLE x ARO

14
Q

ROI

A

Return on Investment (ROI) - money saved by implementing a safeguard; ROI = ALE - TCO

15
Q

Risk Option

A

Risk Options - Accept, Mitigate, Transfer (e.g. insurance), Reject (ignore)

16
Q

NIST (800-30) Risk Management Process

A

NIST (800-30) Risk Management Process:
1. System characterization
2. Threat ID
3. Vulnerability ID
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation

17
Q

Due Care

A

Due Care - doing what a reasonable person would do; it's the actions of performing Due Diligence

18
Q

Due Diligence

A

Due Diligence - research, documentation & management of Due Care

19
Q

Best Practice

A

Best Practice - consensus on the best way to accomplish something; demonstrates due care and due diligence

20
Q

ISO 27001

A

ISO 27001 - specification for an information security management system (ISMS). Organizations which meet the standard may gain an official certification issued by an independent and accredited certification body on completion of an audit

21
Q

ISO 27002

A

ISO 27002 (was ISO 17799 until 2005) - focused on best practices/techniques for IS, with 11 areas:
1. Policy
2. Organization of information security
3. Asset Management
4. HR Security
5. Physical & Environmental security
6. Communications and Operations management
7. Access Control
8. Info systems acquisition, development & maintenance
9. Info security incident management
10. Business continuity management
11. Compliance

22
Q

ITIL

A

ITIL (Information Technology Infrastructure Library)
1. Framework for providing best practices on IT Service Management (ITSM)
2. Five practices, publications:
   1. Service Strategy
   2. Service Design
   3. Service Transition
   4. Service Operations
   5. Continual Service Improvement

23
Q

PCI DSS

A

PCI DSS - Payment Card Industry Data Security Standard

24
Q

COBIT

A

COBIT (Control Objectives for Information and related Technology) - IT goals focused

25
Q

COSO

A

COSO (Committee of Sponsoring Organizations) - business goals focused

26
Q

OCTAVE

A

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Analysis) - approach where analysts identify assets and their criticality, identify vulnerabilities and threats, and base the protection strategy on reducing that risk

27
Q

FRAP

A

FRAP (Facilitated Risk Analysis Process) - qualitative analysis used to determine whether or not to proceed with a quantitative analysis. If likelihood or impact is too low, the quantitative analysis is foregone

28
Q

Certification

A

Certification - a detailed inspection that verifies a system meets the security requirements; precedes and supports accreditation

29
Q

Accreditation

A

Accreditation - the data owner's acceptance of the risk represented by the system; authorizes operation

30
Q

NIST 4 step Certification and Accreditation process

A

NIST 4 step Certification and Accreditation process:
1. Initiation
2. Security Certification Phase
3. Security Accreditation Phase
4. Continuous Monitoring Phase