Security & Risk Management Flashcards
Accountable for ensuring the protection of all of the business information assets from intentional & unintentional loss, disclosure, alteration, destruction, & unavailability
Information Security Officer
Authorizes the President to designate those items that shall be considered as defense articles & defense services & to control their import & export
Arms Export Control Act of 1976
Ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions & responsibility for outcomes, & addresses how expected performance will be evaluated
Governance
Is similar to due care, with the exception that it is a preemptive measure taken to avoid harm to other persons or their property
Due Diligence
The care a “reasonable person” would exercise under given circumstances
Due Care
Controls designed to discourage people from violating security directives.
Deterrent Controls
Controls designed to signal a warning when a security control has been breached.
Detective Controls
Electronic hardware & software solutions implemented to control access to information & information networks
Logical Controls
The practice of coming up with alternatives so that the risk in question is not realized.
Risk Avoidance
The practice of accepting certain risk, typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way
Risk Acceptance
- Combination of the probability of an event & its consequences.
- An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. (RFC 2828)
Risk
The point in time to which data must be restored in order to successfully resume processing
Recovery Point Objective (RPO)
How quickly you need to have that application’s information available after downtime has occurred
Recovery Time Objective (RTO)
Controls implemented to prevent a security incident or information breach
Preventative Controls
Controls to protect the organization’s people & physical environment, such as locks, fire management, gates, & guards; physical controls may be called “operational controls” in some contexts
Physical Controls
Protects novel, useful, & non-obvious inventions
Patent
Granting users only the accesses that are required to perform their job functions
Least Privilege
Comes in 2 forms: making sure information is processed correctly & not modified by unauthorized persons, & protecting information as it transits
Integrity
Covers the expression of ideas rather than the ideas themselves; it usually protects artistic property such as writing, recordings, databases, & computer programs
Copyright
An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year
Annualized Rate of Occurrence (ARO)
Procedures implemented to define the roles, responsibilities, policies, & administrative functions needed to manage the control environment
Administrative Controls
Defined as the difference between the original value & the remaining value of an asset after a single exploit
Single Loss Expectancy (SLE)
The principle that ensures that information is available & accessible to users when needed
Availability
An incident that results in the disclosure or potential exposure of data
Breach