SRM Flashcards
specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system within the context of the organization’s overall business risks
27001
A standard that defines information’s confidentiality, integrity, and availability controls in a comprehensive information security management system
27002
telecommunications organization guidelines
ISO/IEC 27011
financial organization guidelines
ISO/IEC 27015
Digital evidence guidelines
ISO/IEC 27037
health organization guidelines
ISO/IEC 27799
concern that is acceptable to responsible management, due to the cost and magnitude of implementing controls
acceptable risk
A policy that establishes an agreement between users and the organization and defines for all parties the ranges of use that are approved before gaining access to a network or the Internet
acceptable use policy
Permissions or privileges granted to users, programs, or workstations to create, change, delete or view data and files within a system as defined by rules established by data owners and the information security policy
access rights
The ability to map a given activity or event back to the responsible party
accountablity
The rules, procedures, and practices dealing with operational effectiveness, efficiency, and adherence to regulations and management policies
administrative controls
an attacker repeatedly using multiple different attack vectors repeatedly to generate opportunities
advanced threat
Manual or programmed activities intended to ensure the completeness and accuracy of records and the validity of entries made. The objectives of application controls are to ensure the completeness and accuracy of the records and the validity of the entries made therein resulting from manual and programmed processing
application controls
Grounds for confidence that the other four security controls (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.
Assurance
A visible trail of evidence enabling one to trace information contained in statements or reports back to the original input source
audit trail
Uptime, ready, in a condition to be used
Availability
An executive position charged with responsibility for managing and protecting information assets
Chief information security officer
CFAA of 1986
Computer Fraud and Abuse Act (CFAA)
Affects any entities that may engage in hacking of “protected computers” as defined in the Act
Computer Security Act of 1987
Was the first law written to require a formal computer security plan
An organization’s protection of data in storage, during processing, and in transit for use by the subjects that are specifically intended to have access to the data or resource
Confidentiality
A complete, internationally accepted process framework for IT that supports business and IT executives and IT management in their definition and achievement of business goals and related IT goals by providing a comprehensive IT governance, management, control and assurance model. COBIT describes IT processes and associated control objectives, management guidelines (activities, accountabilities, responsibilities, and performance metrics) and maturity models. COBIT supports enterprise management in the development, implementation, continuous improvement and monitoring of good IT-related practices.
Control Objectives for Information and related Technology
The system by which organizations are directed and controlled. Boards of directors are responsible for the governance of their organizations. It consists of the leadership and organizational structures and processes that ensure the organization sustains and extends strategies and objectives.
Corporate governance
The pattern of decisions in a company that determines and reveals its objectives, purposes or goals; produces the principal policies and plans for achieving those goals; and defines the range of business the company is to pursue, the kind of economic and human organization it is or intends to be, and the nature of the economic and non-economic contribution it intends to make to its shareholders, employees, customers and communities.
Corporate strategy
a control after attack
Countermeasure
to know more than one job
Cross training
the guardian of asset(s), a maintenance activity
Custodian
The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the organization.
Data classification
Data is transferred from high network users to low network users
Data regrade
The process of distributing computer processing to different locations within an organization
Decentralization
The prevention of authorized access to resources or the delaying of time critical operations
Denial of Service
A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource such that no single entity acting alone can access that resource
Dual control
Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed. Doing the right action at the right time.
Due care
Establishing a plan, policy, and process to protect the interests of an organization. For example, developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures. Knowing what should be done and planning for it.
Due diligence
ECPA of 1986
Electronic Communications Privacy Act
Extended government restrictions on wiretaps from telephone calls to include transmissions of electronic data by computer and prohibited access to stored electronic communications
long term knowledge building
Education
the principles a person sets for themselves to follow
Ethics
an opportunity for a threat to cause loss. (terminology that encompasses many recent risk terms)
Exposure
Federal Privacy Act of 1974
Affects any computer that contains records used by a federal agency
FISA of 1978
Federal Intelligence Surveillance Act (FISA)
Affects law enforcement and intelligence agencies
Executive responsibilities of goal setting, delegation, and verification, based upon the mission.
Governance
written suggestions that direct choice to a few alternatives
Guidelines
the one person responsible for data, its classification and control setting
Information owner
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly
Information security governance
The overall combination of technical, operational and procedural measures, and management structures implemented to provide for the confidentiality, integrity and availability of information based on business requirements and risk analysis
Information security program
The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to these 4 items: 1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or man-made disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system.
IT-Related Risk
to move from location to location, keeping the same function
job rotation
employment education done one per position or at significant change of function
job training
A means of restricting access to data based on varying degrees of security requirements for information contained in the objects and the corresponding security clearance of users’ programs acting on their behalf
mandatory access control
requirement to take time off
mandatory vacations
a choice in risk management, to implement a control that limits or lessens negative effects
mitigate
The rules outlining or delineating the way in which information about the use of computers, networks, applications and information is captured
monitoring policy
Data or systems, passive
objects
intermediate level, pertaining to planning
operational
written core statements that rarely change
policy
Freedom from unauthorized intrusion or disclosure of information about individuals
privacy
Individual owned or ownership
private/privacy
written step-by-step actions
procedure
The portion of a security policy that states the general process that will be performed to accomplish a security goal
procedures
a risk assessment method, intrinsic value
qualitative
a risk assessment method, measurable real money cost
quantitative
quantity of risk remaining after a control is applied
total risks - controls gap
residual risk
the chance that something negative will occur
risk
the collection and summation of risk data relating to a particular asset and controls for that asset
risk assessment
The total process of identifying, controlling, and mitigating information system-related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.
risk management
risk management phases
Framing
Assessing
Responding
Alternatives
Monitoring
a control before attack
safeguard
the level and label given to an individual for the purpose of compartmentalization
security clearance
The five security goals are integrity, availability, confidentiality, accountability, and assurance
security goals
Any form of measurement used to determine any aspect of the operation of any security-related activity
security metrics
to break a business process into separate functions and assign to different people
separation of duties
written internalized or nationalized norms that are internal to an organization
standard
A management committee assembled to sponsor and manage various projects, such as an information security program
steering committee
high level, pertaining to planning
strategic
people or groups, active
subjects
low level, pertaining to planning
tactical
The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
threat
those who initiate the attack
threat agent
The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment
threat analysis
vehicle or tool that exploits a weakness
threats
Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
threat-source
calculation encompassing threats, vulnerabilities and assets
threats * vulnerabilities * assets
total risk
a choice in risk management, to convince another to assume risk, typically by payment
transfer
people who interact with assets
user
weakness or flaw in an asset
vulnerability
Framing Phase
Tactical/System
Operational/Business Process
Strategic/Whole business
Assessing Phase
Set scope (Tactical/System, Operational/Business Process, Strategic/Whole business from Framing Phase)
Identify threat sources
Identify threat events
Identify vulnerabilities
Determine likelihood
Determine impacts
Determine risks
Responding Phase
Developing alternatives
Evaluating alternatives (Avoid, Accept, Transfer from Alternatives Phase)
Determining course of action
Implementing (Mitigate = Control from Alternatives Phase)
Alternatives Phase
Avoid = Stop Doing,
Accept = Do Nothing,
Transfer = Buy Insurance,
Mitigate = Control
Monitoring Phase
Determining effectiveness of responses,
Identifying risk-impacting changes,
Verifying controls/compliance
