IT Controls Flashcards
Multi-Tiered Risk Management (3 tiers)
Tier 1: Organization
Tier 2: Mission/Business Processes
Tier 3: Information Systems
Addressing Tier 3 Risk
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
Trustworthiness
The belief that a security-relevant entity will behave in a predictable manner when satisfying a defined set of security requirements under specified conditions/circumstances
Expresses the degree to which information systems can be expected to preserve the confidentiality, integrity, and availability of the information they process, store, or transmit
Security Functionality
Security features, functions, mechanisms, services, procedures, and architectures implemented within organizational information systems or the environments in which those systems operate
Security Assurance
Measure of the confidence that the security functionality is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system
3 classes that security controls are split into
- Management/Directive
- Operational/Physical
- Technical/Logical
Security Control Structure (5 sections)
- Control
- Supplemental Guidance
- Control Enhancements
- References
- Priority and Baseline Allocation
Baseline Controls
The starting point for the security control selection process; chosen based on the security category and associated impact level of the information system
Security Control Designations include
- Common Controls
- System Specific Controls
- Hybrid Controls
Common Controls
Controls that can be inherited by one or more organizational information systems (implemented once, at the organization or site level, rather than separately by each system)
Hybrid Controls
One part of the control is common and another part of the control is system-specific
6 Control Categories (Don’t Do Crack Riding Pregnant Cows)
- Deterrent
- Preventative
- Compensating
- Detective
- Corrective
- Recovery
Deterrent Controls
Designed to discourage people from violating security directives
Keeps some potential attackers from attempting to circumvent the control, but does not physically stop a determined one
Example: requiring authorization to perform certain functions, where the user knows the action is monitored and recorded
Preventative Controls
Implemented to prevent a security incident or information breach before it occurs
Controls that keep a user from performing some activity or function at all
Unlike a deterrent control, which an attacker may simply choose to ignore, a preventive control is not optional and cannot be bypassed (the only way around it is a flaw in the control's implementation)
Example: segregation of duties (prevents a single user from performing certain combinations of tasks, such as both requesting and approving the same transaction)
Compensating Controls
Implemented as a substitute for a primary control that is missing or cannot be applied, to bring the risk down to an acceptable level
Introduced when the existing capabilities of a system do not support the requirements of a policy, or when a primary control does not mitigate the risk to or below the acceptable level
Example: