Security & Risk Management Flashcards
Accountable for ensuring the protection of all of the business information assets from intentional & unintentional loss, disclosure, alteration, destruction, & unavailability
Information Security Officer
Authorizes the President to designate those items that shall be considered as defense articles & defense services & control their import & the export
Arms Export Control Act of 1976
Ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions & responsibility for outcomes, & addresses how expected performance will be evaluated
Governance
Is similar to due care with the exception that it is a preemptive measure made to avoid harm to other persons or their property
Due Diligence
The care a “reasonable person” would exercise under given circumstances
Due Care
Controls designed to discourage people from violating security directives.
Deterrent Controls
Controls designed to signal a warning when a security control has been breached.
Detective Controls
Electronic hardware & software solutions implemented to control access to information & information networks
Logical Controls
The practice of coming up with alternatives so that the risk in question is not realized.
Risk Avoidance
The practice of accepting certain risk typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way
Risk Acceptance
- Combination of the probability of an event & its consequences.
- An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. (RFC 2828)
Risk
The point in time to which data must be restored in order to successfully resume processing
Recovery Point Objective (RPO)
How quickly you need to have that application’s information available after downtime has occurred
Recovery Time Objective (RTO)
Controls implemented to prevent a security incident or information breach
Preventative Controls
Controls to protect the organization’s people & physical environment, such as locks, fire management, gates, & guards; physical controls may be called “operational controls” in some contexts
Physical Controls
Protects novel, useful, & non-obvious inventions
Patent
Granting users only the accesses that are required to perform their job functions
Least Privilege
Comes in 2 forms: making sure information is processed correctly & not modified by unauthorized persons, & protecting information as it transits
Integrity
Covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recordings, databases, & computer programs
Copyright
An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year
Annualized Rate of Occurrence (ARO)
Procedures implemented to define the roles, responsibilities, policies, & administrative functions needed to manage the control environment
Administrative Controls
Defined as the difference between the original value & the remaining value of an asset after a single exploit
Single Loss Expectancy (SLE)
The principle that ensures that information is available & accessible to users when needed
Availability
An incident that results in the disclosure or potential exposure of data
Breach
The practice of the elimination of or the significant decrease in the level of risk presented
Risk Mitigation
Established to contribute to regional & international security & stability by promoting transparency & greater responsibility in transfers of conventional arms & dual-use goods & technologies, thus preventing destabilizing accumulations
Wassenaar Arrangement
Determines the potential impact of disruptive events on the organization’s business processes
Vulnerability Assessment
Controls implemented to remedy circumstance, mitigate damage, or restore controls
Corrective Controls
Actions that ensure behavior that complies with established rules
Compliance
Supports the principle of “least privilege” by ensuring that only authorized individuals, processes, or systems have access to information on a need-to-know basis
Confidentiality
A breach for which it was confirmed that data was actually disclosed to an unauthorized party
Data Disclosure
A process designed to identify potential events that may affect the entity, manage risk so it is within its risk appetite, & provide reasonable assurance regarding the achievement of entity objectives
Enterprise Risk Management
Controls implemented to restore conditions to normal after a security
Recovery Controls
The practice of passing on the risk in question to another entity, such as an insurance company
Risk Transfer
Any single input to a process that, if missing, would cause the process or several processes to be unable to function
Single Point of Failure
Authorized the President to regulate exports of civilian goods & technologies that have military applications
Export Administration Act of 1979
Proprietary business or technical information, processes, designs, practices that are confidential & critical to the business
Trade Secret
Any word, name, symbol, color, sound, product shape, device, or combination of these that is used to identify goods & distinguish them from those made or sold by others
Trademark
Controls that substitute for the loss of primary controls & mitigate risk down to an acceptable level
Compensating Controls
A systematic process for identifying, analyzing, evaluating, remedying, & monitoring risk
Risk Management
Controls designed to specify acceptable rules of behavior within an organization
Directive Controls
A security event that compromises the confidentiality, integrity, or availability of an information asset
Incident