Security Management Flashcards

1
Q

ISO27000 series

A

The goal in developing the standard was to provide guidance to organisations on how to design, implement, and maintain policies, processes and technologies to manage risks to their sensitive information assets.

Industry best practice.

2
Q

ISO27001 (ISMS management)

A

ISO 27001 specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization.

3
Q

ISO27002

Code of practice for information security controls

A

Code of practice for information security controls.

ISO 27002 provides a checklist of general security controls to be considered for implementation/use in organizations.

4
Q

What’s the purpose of ISMS?

A

An ISMS outlines the controls that need to be put into place, and provides direction on how those controls should be managed throughout their life cycle.

5
Q

Handling personnel/ employee departure

A

Different reasons for departure:
- Voluntary, Redundancy, Termination

Different types of actions:

  • Former employee may keep some privileges
  • Revoke all privileges
  • Escort to the exit.

Staff who lose their job due to redundancy are at greater risk to become insider attackers. To mitigate this risk:

  • The redundancy process must be seen as fair
  • Try to keep a good dialogue
  • During the exit interview, review the original employment agreement (i.e. non-compete, wrongful disclosure, etc.)
6
Q

Social engineering

A

The act of tricking another person into providing confidential information by posing as an individual who is authorized to receive that information.

7
Q

Phishing attacks

A

A kind of social-engineering attack in which criminals use spoofed emails to trick people into sharing sensitive information or installing malware on their computer.

  1. Sending the phishing email and getting it through spam filters. Increasingly difficult to get through email filtering (SPF, DKIM, DMARC). Content must be sufficiently credible to trick the user.
  2. The victim taking the suggested action in the message.
    - Go to a fake website.
    - Reply with sensitive information.
    - Install malware.
  3. The criminals exploiting and monetizing the stolen information.
8
Q

Elements of the IS Management Cycle

A
  • Planning
  • Risk Assessment
  • Security Controls
  • Evaluation
  • Reporting
9
Q

Personnel integrity

A

Preventing employees from becoming attackers

10
Q

Personnel as defence

A

Making sure personnel do not fall victim to social engineering attacks

11
Q

Cybersecurity culture in organisations

A

Stimulate behaviour which strengthens security

12
Q

Security usability

A

Making sure users operate security correctly

13
Q

Multilevel defence against social engineering attacks

A
  1. Foundation level. (Policies to address SE attacks)
  2. Awareness level. (Awareness training for all staff)
  3. Fortress level. (Resistance training for all staff)
  4. Persistence level. (Ongoing reminders)
  5. Gotcha level. (Social engineering detectors)
  6. Offensive level. (Incident response)
14
Q

Types of phishing

A

Mass Phishing, large-volume attack intended to reach as many people as possible.

Spear Phishing, a targeted attack directed at specific individuals or companies using gathered information to personalize the message and make the scam more difficult to detect.

Whaling, targeting high-profile individuals or those with a great deal of authority or access.

Clone Phishing, a spoofed copy of a legitimate and previously delivered email, with original attachments or hyperlinks replaced with malicious versions, which is sent from a forged email address so it appears to come from the original sender or another legitimate source.

15
Q

CMMI / CMM
Capability Maturity Model Integration
(For information security management)

A
  1. Initial / Ad hoc
    + Processes are ad hoc and disorganised.
    + Risks are considered on an ad hoc basis, but no formal processes exist.
  2. Repeatable but intuitive
    + Processes follow a regular pattern.
    + Emerging understanding of risk and the need for security.
  3. Defined process
    + Processes are documented and communicated.
    + Company-
    + Awareness of security and security policy.
  4. Managed and measurable
    + Processes are monitored and measured.
    + Risk assessment follows standard procedures.
    + Roles and responsibilities are assigned.
    + Policies and standards are in place.
  5. Optimized
    + Security culture permeates the organisation.
    + Organisation-wide security processes are implemented, monitored and followed.