Info Sec Gov and Risk Mgt Flashcards

1
Q

Qualitative Risk Analysis

A

performed via Risk Analysis Matrix and is based on likelihood and consequences; uses simple approximate values, more subjective

2
Q

senior management

A

creates the information security program and ensures that it is properly staffed and funded

3
Q

AV

A

asset value: value of the asset you are trying to protect

4
Q

procedure

A

step-by-step guide for accomplishing a task; low level and specific; mandatory

4
Q

accreditation

A

data owner’s acceptance of the risk represented by that system

5
Q

HIPAA

A

Healthcare

5
Q

due diligence

A

management of due care

5
Q

Certification

A

detailed inspection that verifies whether a system meets the documented security requirements

7
Q

ROI

A

return on investment: money saved by deploying a safeguard

8
Q

Policy purpose

A

describes the need for the policy

9
Q

GLBA

A

Gramm-Leach-Bliley Act: protects financial info in USA

10
Q

policy types

A

NIST spec pub 800-12 [4] Chap 5 describes 3 specific policy types: program policy, issue-specific policy, system-specific policy

11
Q

4 steps to C&A

A
1. initiation phase
2. security certification phase
3. security accreditation phase
4. continuous monitoring phase

12
Q

Info security governance

A

Info Sec at the organizational level: senior mgt, policies, processes, staffing

13
Q

SLE

A

single loss expectancy: cost of a single loss

13
Q

who poses biggest security risk to an org

A

user

14
Q

privacy

A

protection of the confidentiality of personal info

15
Q

risk

A

a matched threat and vulnerability

16
Q

transfer the risk

A

“insurance model”; you pay someone else to assume the risk (like homeowners insurance)

18
Q

safeguard

A

measure taken to reduce risk

18
Q

market approach

A

assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances

18
Q

standards

A

describes the specific use of technology; mandatory

19
Q

due care

A

doing what a reasonable person would do; aka “prudent man rule”

19
Q

4 domains of COBIT

A
1. plan and organize
2. acquire and implement
3. deliver and support
4. monitor and eval

20
Q

data owner

A

management employee responsible for ensuring that specific data is protected

21
Q

Risk Choices

A

Accept, Mitigate/eliminate, transfer, avoid

21
Q

offshoring

A

outsourcing to another country

22
Q

Quantitative Risk Analysis

A

uses hard metrics, such as dollars; more objective; i.e. calculating ALE

23
Q

ITIL Service Mgt practices publications

A
1. service strategy
2. service design
3. service transition
4. service operation
5. continual service improvement

24
Q

cost approach

A

estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset

24
Q

ISO 17799

A

broad-based approach for info sec code of practice; 11 areas: 1. policy 2. org of info sec 3. asset mgt 4. human resources sec 5. physical and environmental sec 6. comm and ops mgt 7. access control 8. info sys acq, dev, and mx 9. info sec incident mgt 10. business continuity mgt 11. compliance

26
Q

mitigate the risk

A

lowering the risk to an acceptable level

27
Q

OCTAVE

A

operationally critical threat, asset, and vulnerability evaluation; 3 phases: 1-ID staff knowledge, assets, threats 2-ID vulnerabilities and eval safeguards 3-conduct risk analysis and develop risk mitigation strat

29
Q

ARO

A

annual rate of occurrence: number of losses you suffer per year

30
Q

income approach

A

based on the premise that the value of a security or asset is the present value of the future earning capacity that an asset will generate over the remainder of its useful life

31
Q

loss of human life

A

near infinite impact and must be mitigated at almost any cost

32
Q

SOX

A

Sarbanes-Oxley: publicly traded data in USA

34
Q

policy

A

high-level management directives; mandatory; components: purpose, scope, responsibilities, compliance

35
Q

vulnerability

A

weakness in a system

35
Q

auditing

A

verifying compliance to a security control framework

36
Q

gross negligence

A

opposite of due care

37
Q

user

A

must follow the rules; cannot assume they know, must tell them via information security awareness

38
Q

outsourcing

A

use of a 3rd party to provide IT support services that were previously performed in-house

40
Q

Risk Equations

A

Asset Value (AV)
Exposure Factor (EF)
Single Loss Expectancy (SLE) = AV * EF
Annual Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE) = SLE * ARO

41
Q

ALE

A

Annualized Loss Expectancy: cost of loss due to a risk over a year; allows you to make informed decisions to mitigate risk

43
Q

three methods for calculating value of intangible assets

A

Market approach, income approach, cost approach

45
Q

risk avoidance

A

simply not doing something that introduces risk

47
Q

guidelines

A

recommendations

48
Q

aspects of personnel security

A

background checks, employee termination, security awareness and training, contractor security, outsourcing/offshoring

50
Q

Accepting Risk

A

low-likelihood/low-consequence risks are candidates for risk acceptance; high and extreme risks cannot be accepted

51
Q

policy compliance

A

describes 1) how to judge the effectiveness of the policies (how well are they working) 2) what happens when policy is violated (the sanction)

52
Q

custodians

A

provide hands-on protection of assets such as data

53
Q

assets

A

valuable resources you are trying to protect

54
Q

baselines

A

uniform ways of implementing a safeguard; discretionary

55
Q

policy responsibilities

A

include responsibilities of info sec staff, policy and mgt teams, and all members of the org

56
Q

Threat

A

a potentially negative occurrence

57
Q

risk equation

A

Risk = Threat * Vulnerability (and sometimes * Impact)

58
Q

ISO 27002

A

formerly known as ISO 17799

59
Q

TCO

A

total cost of ownership: cost of a mitigating safeguard. Combines upfront costs + annual cost of mx, staff, vendor mx, software, etc

60
Q

ITIL

A

Info Tech Infrastructure Library: framework for providing best services in IT Service Mgt

61
Q

policy scope

A

describes what systems, people, facilities, and organizations are covered by the policy

62
Q

EF

A

exposure factor: percentage of an asset's value lost due to an incident

63
Q

COBIT

A

control objectives for Info and related Tech: control framework for employing info sec governance best practices w/in an org