Security Management Framework Flashcards

1
Q

ISO/IEC 27000

A

A series of Information Security standards or best practices to help organisations improve their information security.

Published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the ISO 27000 standards set out comprehensive information security management system (ISMS) requirements.

2
Q

ISMS

A

An Information Security Management System consists of all of the administrative, technical and operational controls that address information security within an organisation.

3
Q

ISO 27000 twelve domains

A

- Risk assessment
- Security policy
- Organisation of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Information systems acquisition, development and maintenance
- Access control
- Information security incident management
- Business continuity management
- Compliance

4
Q

What is the difference between the ISO cybersecurity model and the Open System Interconnection (OSI) model?

A

The structure of this ISO cybersecurity model differs from the Open System Interconnection (OSI) model in that it is a peer model that uses domains rather than layers to describe the security categories. Each domain has a direct relationship with the other domains.

5
Q

Risk assessment

A

This is the first step in the risk management process, which determines the quantitative and qualitative value of risk related to a specific situation or threat.

6
Q

Security policy

A

This document addresses the constraints and behaviours of individuals within an organisation and often specifies how data can be accessed, and what data is accessible by whom.

7
Q

Organisation of Information Security

A

This is the governance model set out by an organization for information security.

8
Q

Asset management

A

This is an inventory of and classification scheme for information assets within an organization.

9
Q

Human resources security

A

This refers to the security procedures in place that relate to employees joining, moving within and leaving an organization.

10
Q

Physical and environmental security

A

This refers to the physical protection of an organisation’s facilities and information.

11
Q

Communications and operations management

A

This refers to the management of technical security controls of an organisation’s systems and networks.

12
Q

Information systems acquisition, development and maintenance

A

This refers to security as an integral part of an organisation’s information systems.

13
Q

Access Control

A

This describes how an organisation restricts access rights to networks, systems, application functions and data in order to prevent unauthorised user access.

14
Q

Information Security Incident Management

A

This describes an organisation’s approach to the anticipation of and response to information security breaches.

15
Q

Business Continuity Management

A

This describes the ability of an organisation to protect, maintain and recover business-critical activities following a disruption to information systems.

16
Q

Compliance

A

This describes the process of ensuring conformance with information security policies, standards and regulations.

17
Q

Control Objectives ISO 27001

A

Control objectives define the high-level requirements for implementing a comprehensive information security management system within an organisation, and usually provide a checklist to use during an ISMS audit.

18
Q

Controls ISO 27002

A

Controls set out how to accomplish an organisation’s control objectives.
They establish guidelines for implementing, maintaining and improving the management of information security in an organisation.

The ISO controls specifically address security objectives for data in each of the three states:
- in process
- at rest
- in transit

19
Q

SOA

A

The Statement of Applicability allows the organisation to tailor the available control objectives and controls to best meet its priorities around confidentiality, integrity and availability.

20
Q

NIST

A

The National Institute of Standards and Technology created the National Cybersecurity Workforce Framework to support organisations seeking cybersecurity professionals.

21
Q

The National Cybersecurity Workforce Framework

A

The framework organizes cybersecurity work into seven categories, outlining the main job roles, responsibilities and skills needed for each one.

22
Q

Operate and Maintain

A

Provides the support, administration and maintenance required to ensure effective and efficient IT system performance and security.

23
Q

Protect and Defend

A

Identifies, analyses and mitigates threats to internal systems and networks.

24
Q

Investigate

A

Investigates cybersecurity events and/or cyber attacks involving IT resources.

25
Q

Collect and Operate

A

Provides specialised denial and deception operations and collection of cybersecurity information.

26
Q

Analyse

A

Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.

27
Q

Oversee and Govern

A

Provides leadership, management, direction or development and advocacy so an organization may effectively conduct cybersecurity work.

28
Q

Securely provision

A

Conceptualises, designs, procures or builds secure IT systems.

29
Q

Basic Controls

A

Organizations with limited resources and cybersecurity expertise available should implement:
- Inventory and control of hardware assets
- Inventory and control of software assets
- Continuous vulnerability management
- Controlled use of administrative privileges
- Secure configurations for hardware and software
- Maintenance, monitoring and analysis of audit logs

30
Q

Foundational Controls

A

Organisations with moderate resources and cybersecurity expertise available should implement the basic controls as well as:
- Email and web browser protections
- Malware defense
- Limitation and control of network ports, protocols and services
- Data recovery capabilities
- Secure configurations for network devices
- Boundary defense
- Data protections
- Controlled access based on the ‘need to know’ principle
- Wireless access control
- Account monitoring and control

31
Q

Organisational Controls

A

Organisations with significant resources and cybersecurity expertise available should implement the basic and foundational controls, as well as:
- A security awareness and training program
- Application software security
- Incident response and management
- Penetration tests and red team exercises (simulated attack exercises to gauge an organisation’s security capabilities)

32
Q

CSA

A

The Cloud Security Alliance provides security guidance to any organisation that uses cloud computing or wants to assess the overall security risk of a cloud provider.

33
Q

CCM

A

The Cloud Controls Matrix is a cybersecurity control framework that maps cloud-specific security controls to leading standards, best practices and regulations. It is composed of 197 control objectives structured in 17 domains covering all aspects of cloud technology, including governance and risk management, human resources and mobile security.

The CCM is considered a de facto standard for cloud security assurance and compliance.

34
Q

SSAE

A

Statement on Standards for Attestation Engagements.

This is an independent audit of an organization’s reporting controls as they relate to the security, availability, processing integrity, confidentiality and privacy of a system. An attestation report will confirm that controls are in place at a specific point in time (Type I) or managed over a period of at least six months (Type II). These reports provide assurance to a client organisation that there are controls in place and operating to protect sensitive data.

35
Q

CMMC

A

Cybersecurity Maturity Model Certification.

This certification is aimed at any organisations providing a service to the U.S. Department of Defense (DoD) and verifies that these organisations have adequate cybersecurity practices and processes in place to ensure ‘basic’ cyber hygiene at a minimum.

The CMMC establishes five certification levels that range from ‘basic cyber hygiene practices’ to ‘enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.’ It is likely that service providers will have to achieve the appropriate CMMC requirement in order to be considered for a DoD contract award.