Security+ 1 Flashcards

1
Q

Security Policy Framework:

Policies: provide the foundation for a security program, are carefully written over a long period of time, require compliance from all employees, and are approved at the highest level(s) of the organization. Policies can be either "too specific" or at the "right level"; the right level is better.

Standards: provide specific details of security controls; standards derive their authority from policies and follow a less rigorous approval process, but compliance is still required.

Guidelines: provide security advice to the organization, following industry best practices; compliance is not required.

Procedures: outline the step-by-step process for an activity; compliance may or may not be required depending on the circumstances (think of something being done: that is a procedure).

A

info …

2
Q

Factors affecting security policy: the culture of the organization, the industry, and the regulatory environment.

Information Security Policy: a clear designation of the individual responsible for security, a description of security roles and responsibilities, an authority for the creation of security standards, an authority for incident response, and a process for policy exceptions and violations.

Privacy Policy: covers the ways the organization collects, stores, and shares information about individuals.

Acceptable Use Policy: describes how individuals may use information systems; it prohibits illegal activity and states what personal use of computing resources is acceptable.

A

Policies …

3
Q

Threat Vector: the method an attacker uses to get to a target; this might be a hacker toolkit, social engineering, physical intrusion, etc.

Vulnerability: a weakness in security controls that a threat might exploit to undermine the confidentiality, integrity, or availability of information systems; examples are missing patches, lax firewall rules, etc.

Risk: the combination of a vulnerability and a corresponding threat. Likelihood: the probability that a risk will occur. Impact: the amount of damage expected to occur.

Qualitative Risk Assessment: uses subjective ratings to evaluate risk likelihood and impact.

A

info …

4
Q

Quantitative Risk Assessment: uses objective numeric ratings to evaluate risk likelihood and impact.

Asset Value (AV): the dollar value of an asset. Original Cost Technique: looks at the invoices from an asset purchase and uses the purchase price to determine the asset value. Depreciated Cost Technique: begins with the original cost and then reduces the value of the asset over time as it ages. Replacement Cost Technique: looks at current supplier prices to determine the actual cost of replacing the asset in the current market, then uses that cost as the asset's value.

A

info …

5
Q

Exposure Factor (EF): the expected percentage of damage to an asset.

Single-Loss Expectancy (SLE): the expected dollar loss if a risk occurs one time (the impact).

SLE = AV * EF

Annualized Rate of Occurrence (ARO): the number of times a risk is expected to occur each year.

Annualized Loss Expectancy (ALE): the expected dollar loss from a risk in any given year.

ALE = SLE * ARO

Mean Time to Failure (MTTF): the average time a non-repairable component will last.

Mean Time Between Failures (MTBF): the average time gap between failures of a repairable component.

Mean Time to Repair (MTTR): the average time required to return a repairable component to service.

A

info …

6
Q

Risk Management Strategies:

Risk Avoidance: the business changes its approach so that the risk can no longer affect the business.

Risk Transference: shifts the impact of the risk to another organization. Example: buying cyber liability insurance so that the risk falls on the insurance company rather than the business itself.

Risk Mitigation: reduces the likelihood or impact of the risk.

Risk Acceptance: accepts the risk without taking further action.

Risk Deterrence: takes actions that dissuade a threat from exploiting a vulnerability.

A

Risk …

7
Q

Risk Register: tracks risk information. Risk register contents: description, category, probability and impact, risk rating, and risk management actions.

Risk register information sources: risk assessment results, audit findings, team member input, and threat intelligence (shared risk information, which may be used both strategically, to monitor, and operationally, for example to create a blacklist).

A

info …

8
Q

SLR (service-level requirements): document the specific requirements the customer has about any aspect of the vendor's service performance. May include: service response time, service availability, and data preservation. SLRs are documented in an SLA (service-level agreement).

MOU (memorandum of understanding): a letter written to document aspects of the relationship. Used when a legal dispute is unlikely but the parties would like to document the situation to avoid future issues.

BPA (business partnership agreement): two organizations agree to do business with each other in a partnership.

A

info …

9
Q

Vendor Management Life Cycle: (1) Selection: choosing a new vendor, which may include using an RFP or may be an informal process; should include security requirements and should evaluate the vendor's security. (2) Onboarding: verify contract details, arrange secure data transfer, and establish incident procedures. (3) Monitoring (maintenance phase): conduct site visits, review independent audits, and handle security incidents. (4) Off-boarding: destroy all confidential information and unwind the business relationship; this may restart the life cycle with the selection of a new vendor for those services.

A

info …

10
Q

Vendor agreements should: document security and compliance requirements, facilitate customer monitoring and compliance, and ensure the right of audit and assessment.

Two-Person Control: requires the authorization of two separate individuals to carry out a sensitive action (also known as dual control).

BIA (business impact analysis): identifies and prioritizes risks for a business based on: impact on life and safety, impact on property and finances, and impact on reputation.

A

info …
