GRC CHAPTER 1 & 2 WEEK 1 Flashcards
What is the purpose of Appendix III to OMB Circular No. A-130?
Establishes a minimum set of controls for Federal automated information security programs
Assigns Federal agency responsibilities for the security of automated information and links agency automated information security programs with agency management control systems.
Define ‘Application’ in the context of information resources.
Use of information resources to satisfy a specific set of user requirements
What is a ‘General Support System’?
An interconnected set of information resources under the same direct management control sharing common functionality
What distinguishes a ‘Major Application’?
Requires special attention to security due to risk and magnitude of harm from loss, misuse, or unauthorized access
List the basic requirements for deploying risk-based IT systems.
- System Risk
- Potential Impact
- Security Control
- Data Classification
- Adequate Security
- System Development Life Cycle (SDLC)
- Risk Management
- Relevant Standards & Regulations
- Roles & Responsibilities
What is an ‘Asset’ in information security?
People, property, and information that we are trying to protect
Define ‘Threat’ in the context of information security.
Anything that can exploit a vulnerability and obtain, damage, or destroy an asset
What does ‘Vulnerability’ refer to?
Weaknesses or gaps in a security program that can be exploited by threats
Define ‘Likelihood’ in information security.
Probability that a potential vulnerability may be exploited in the associated threat environment
What is ‘Risk’ in information security?
Potential for loss, damage, or destruction of an asset due to a threat exploiting a vulnerability
What is the Risk Formula?
R = V + A + T
True or False: Risk is the intersection of assets, threats, and vulnerabilities.
True
Fill in the blank: A _______ is a weakness or gap in our protection efforts.
Vulnerability
What is the definition of Impact in InfoSec?
The magnitude of harm from unauthorized disclosure, modification, destruction of information, or loss of system availability.
Impact is governed by potential mission impacts and produces a relative value for affected IT assets.
What are the basic requirements for Risk-Based IT Systems?
- Adequate Security & Risk
- Security Objectives
- Potential Impact
- Security Controls
- Data Classification
These requirements ensure a comprehensive approach to information security.
What does Adequate Security mean?
Security commensurate with the risk and magnitude of harm from loss, misuse, or unauthorized access to information.
This is defined in Appendix III to OMB Circular No. A-130.
How is Risk defined in InfoSec?
A measure of the extent to which an entity is threatened by a potential circumstance or event, based on likelihood and adverse impacts.
Risk assessment is crucial for determining security measures.
What are the three main Security Objectives?
- Confidentiality
- Integrity
- Availability
These objectives are essential for maintaining the security of information systems.
What does Confidentiality prevent?
The unauthorized disclosure of information.
Loss of confidentiality occurs when information is disclosed to unauthorized individuals or systems.
What is the definition of Integrity in InfoSec?
Prevents the unauthorized modification or destruction of information.
Loss of integrity is characterized by unauthorized changes to information.
What does Availability ensure?
Timely and reliable access to and use of information.
Loss of availability refers to the disruption of access to information or information systems.
What are the three levels of Potential Impact in case of a security breach?
- Low
- Moderate
- High
Each level indicates the severity of the adverse effects on operations, assets, or individuals.
What characterizes a Low level of impact?
Limited adverse effect on organizational operations, assets, or individuals.
Minor harm to individuals may occur.