Info Sec Gov and Risk Mgt Flashcards
Qualitative Risk Analysis
performed via a Risk Analysis Matrix and based on likelihood and consequences; uses simple approximate values, more subjective
senior management
creates the information security program and ensures that it is properly staffed and funded
AV
asset value: value of the asset you are trying to protect
procedure
step-by-step guide for accomplishing a task; low level and specific; mandatory
accreditation
data owner’s acceptance of the risk represented by that system
HIPAA
Healthcare
due diligence
management of due care
Certification
detailed inspection that verifies whether a system meets the documented security requirements
ROI
return on investment: money saved by deploying a safeguard
Policy purpose
describes the need for the policy
GLBA
Gramm-Leach-Bliley Act: protects financial info in USA
policy types
NIST Special Publication 800-12 [4] Chap 5 describes 3 specific policy types: program policy, issue-specific policy, system-specific policy
4 steps to C&A
1. initiation phase 2. security certification phase 3. security accreditation phase 4. continuous monitoring phase
Info security governance
Info Sec at the organizational level: senior mgt, policies, processes, staffing
SLE
single loss expectancy: cost of a single loss
who poses biggest security risk to an org
user
privacy
protection of the confidentiality of personal info
risk
a matched threat and vulnerability
transfer the risk
“insurance model”; you pay someone else to assume the risk (like homeowners insurance)
safeguard
measure taken to reduce risk
market approach
assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances
standards
describes the specific use of technology; mandatory
due care
doing what a reasonable person would do; aka “prudent man rule”
4 domains of COBIT
1. plan and organize 2. acquire and implement 3. deliver and support 4. monitor and evaluate
data owner
management employee responsible for ensuring that specific data is protected