Security and Risk Management Domain Flashcards
Established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations
Wassenaar Arrangement
Authorized the President to regulate exports to civilian goods and technologies that have military applications
Export Administration Act of 1979
Controls designed to specify acceptable rules of behavior within an organization.
Directive Controls
Procedures implemented to define the roles, responsibilities, policies and administrative functions needed to manage the control environment
Administrative Controls
Determines the potential impact of disruptive events on the organization’s business processes
Vulnerability Assessment
Proprietary business or technical information, processes, designs, practices, etc, that are confidential and critical to the business
Trade Secret
Any word, name, symbol, color, sound, product shape, device, or combination of these that is used to identify goods and distinguish them from those made or sold by others
Trademark
Any single input to a process that, if missing, would cause the process or several processes to be unable to function
Single Point of Failure (SPOF)
Defined as the differences between the original value and the remaining value of an asset after a single exploit
Single Loss Expectancy (SLE)
A systematic process for identifying, analyzing, evaluating, remedying and monitoring risk
Risk Management
The practice of passing on the risk in question to another entity, such as an insurance company
Risk Transfer
The practice of the elimination of or the significant decrease in the level of risk presented
Risk Mitigation
The practice of coming up with alternatives so that the risk in question is not realized
Risk Avoidance
The practice of accepting certain risks, typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way
Risk Acceptance
- A combination of the probability of an event and its consequence (ISO 27000)
- An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result (RFC 2828)
Risk
The point in time to which data must be restored in order to successfully resume processing
Recovery Point Objective (RPO)
How quickly you need to have that appilcation’s information available after downtime has occurred
Recovery Time Objective
Controls implemented to restore conditions to normal after a security incident
Recovery Controls
Controls implemented to prevent a security incident or information breach
Preventive Controls
Controls to protect the organization’s people and physical enviornment, such as locks, fire management, gates, and guards, physicall controls may be called ‘operational control’ in some contexts.
Physical Controls
Protects novel, useful and nonobvious inventions
Patent
Electronic hardware and software solutions implemented to control access to information and information networks
Logical (Technical) Controls
Granting users only the accesses that are required to perform their job functions
Least Privilege
Accountable for ensuring the protection of all of the business information assets from intentional and unintentional loss, disclosure, alteration, destruction and unavailability
Information Security Officer
Comes in two forms; making sure that information is processed correctly and not modified by unauthorised persons, and protecting information as it transits a network
Integrity
A security event that compromises the confidentiality, integrity or availability of an information asset
Incident
Ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated
Governance
A process designed to identify potential events that may affect the entity, manage risk so it is within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives
Enterprise Risk Management
Is similar to due care with the exception that it is a pre-emptive measure made to avoid harm to other persons or their property
Due Diligence
The care a “reasonable person” would exercise under given circumstances
Due Care
Controls designed to discourage people from violating security directives
Deterrent Controls
Controls designed to signal a warning when a security control has been breached
Detective Controls
A breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party
Data Disclosure
Controls implemented to remedy circumstances, mitigate damage, or restore controls
Corrective Controls
Covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recordings, databases and computer programs
Copyright
Supports the principle of “least Privilege” by providing that only authorized individuals, processes or systems should have access to information on a need to know basis
Confidentiality
Actions that ensure behavior that complies with established rules
Compliance
Controls that substitute for the loss of primary controls and mitigate risk down to an acceptable level
Compensating Controls
An incident that results in the disclosure or potential exposure of data
Breach
The principle that ensure that information is available and accessible to users when needed
Availability
Authorizes the President to designate those items that shall be considered as defence articles and defense services and control their import and the export
Arms Export Control Act of 1976
An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year
Annualized Rate of Occurence (ARO)
