Terms and Definitions Flashcards

1
Q

Adequate Security

A

Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Source: OMB Circular A-130

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Administrative Controls

A

Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Artificial Intelligence

A

The ability of computers and robots to simulate human intelligence and behavior.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Authentication

A

The act of identifying or verifying the eligibility of a station, originator, or individual to access specific categories of information. Typically, a measure designed to protect against fraudulent transmissions by establishing the validity of a transmission, message, station or originator.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Asset

A

Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Authorization

A

The right or a permission that is granted to a system entity to access a system resource. NIST 800-82 Rev.2 Availability Ensuring timely and reliable access to and use of information by authorized users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Baseline

A

A documented, lowest level of security configuration allowed by a standard or organization.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Bot

A

Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Classified or Sensitive Information

A

Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and classification level when in documentary form.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Confidentiality

A

The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes. NIST 800-66

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Criticality

A

A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. NIST SP 800-60 Vol. 1, Rev. 1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Data Integrity

A

The property that data has not been altered in an unauthorized manner. Data integrity covers
data in storage, during processing and while in transit. Source: NIST SP 800-27 Rev A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Encryption

A

The process and act of converting the message from its plaintext to ciphertext. Sometimes it is also referred to as enciphering. The two terms are sometimes used interchangeably in literature and have similar meanings.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

General Data Protection Regulation (GDPR)

A

In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Governance

A

The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Health Insurance Portability and Accountability Act (HIPAA)

A

This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individual’s health information. Other provisions address fraud reduction, protections for individuals with health insurance and a wide range of other healthcare-related activities. Est. 1996.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Impact

A

The magnitude of harm that could be caused by a threat’s exercise of a vulnerability.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Information Security Risk

A

The potential adverse impacts to an organization’s operations (including its mission, functions and image and reputation), assets, individuals, other organizations, and even the nation, which results from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Institute of Electrical and Electronics Engineers

A

IEEE is a professional organization that sets standards for telecommunications, computer engineering and similar disciplines.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Integrity

A

The property of information whereby it is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness for a stated purpose.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

International Organization of Standards (ISO)

A

The ISO develops voluntary international standards in collaboration with its partners in international standardization, the International Electro-technical Commission (IEC) and the International Telecommunication Union (ITU), particularly in the field of information and communication technologies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Internet Engineering Task Force (IETF)

A

The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus. Source: NIST SP 1800-16B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Likelihood

A

The probability that a potential vulnerability may be exercised within the construct of the associated threat environment.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Likelihood of Occurrence

A

A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Multi-Factor Authentication

A

Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

National Institutes of Standards and Technology (NIST)

A

The NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within science and technology efforts within the U.S. federal government. NIST sets standards in a number of areas, including information security within the Computer Security Resource Center of the Computer Security Divisions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

Non-repudiation

A

The inability to deny taking an action such as creating information, approving information and sending or receiving a message.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Personally Identifiable Information (PII)

A

The National Institute of Standards and Technology, known as NIST, in its Special Publication 800- 122 defines PII as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Physical Controls

A

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

Privacy

A

The right of an individual to control the distribution of information about themselves.

30
Q

Probability

A

The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. Source: NIST SP 800-30 Rev. 1 Protected

31
Q

Health Information (PHI)

A

Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).

32
Q

Qualitative Risk Analysis

A

A method for risk analysis that is based on the assignment of a descriptor such as low, medium or high. Source: NISTIR 8286 Quantitative

33
Q

Risk Analysis

A

A method for risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain. Source: NISTIR 8286

34
Q

Risk

A

A measure of the extent to which an entity is threatened by a potential circumstance or event.

35
Q

Risk Acceptance

A

Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

36
Q

Risk Assessment

A

The process of identifying and analyzing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals and other organizations. The analysis performed as part of risk management which incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place.

37
Q

Risk Avoidance

A

Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

38
Q

Risk Management

A

The process of identifying, evaluating and controlling threats, including all the phases of risk context (or frame), risk assessment, risk treatment and risk monitoring.

39
Q

Risk Management Framework

A

A structured approach used to oversee and manage risk for an enterprise. Source: CNSSI 4009

40
Q

Risk Mitigation

A

Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk.

41
Q

Risk Tolerance

A

The level of risk an entity is willing to assume in order to achieve a potential desired result. Source: NIST SP 800-32. Risk threshold, risk appetite and acceptable risk are also terms used synonymously with risk tolerance.

42
Q

Risk Transference

A

Paying an external party to accept the financial impact of a given risk.

43
Q

Risk Treatment

A

The determination of the best way to address an identified risk.

44
Q

Security Controls

A

The management, operational and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. Source: FIPS PUB 199

45
Q

Sensitivity

A

A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. Source: NIST SP 800-60 Vol 1 Rev 1

46
Q

Single-Factor Authentication

A

Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested.

47
Q

State

A

The condition an entity is in at a point in time.

48
Q

System Integrity

A

The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. Source: NIST SP 800-27 Rev. A

49
Q

Technical Controls

A

Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

50
Q

Threat

A

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image or reputation), organizational assets, individuals, other organizations or the nation through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.

51
Q

Threat Actor

A

An individual or a group that attempts to exploit vulnerabilities to cause or force a threat to occur.

52
Q

Threat Vector

A

The means by which a threat actor carries out their objectives.

53
Q

Token

A

A physical object a user possesses and controls that is used to authenticate the user’s identity. Source: NISTIR 7711

54
Q

Vulnerability

A

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source. Source: NIST SP 800-30 Rev 1

55
Q

Breach

A

The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where:

a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose.

NIST SP 800-53 Rev. 5

56
Q

Event

A

Any observable occurrence in a network or system.

NIST SP 800-61 Rev 2

57
Q

Incident

A

An event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.

58
Q

Threat

A

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/ or denial of service.

NIST SP 800-30 Rev 1

59
Q

Zero Day

A

A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures, or methods.

60
Q

Exploit

A

A particular attack. It is named this way because these attacks exploit system vulnerability

61
Q

Intrusion

A

A security event, or combination of events, that constitutes a deliberate security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization.

IETF RFC 4949 Ver 2

62
Q

Vulnerability

A

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

NIST SP 800-30 Rev 1

63
Q

What is the primary distinction between business continuity planning (BCP) and disaster recovery planning (DRP)?

A

DRP is about restoring IT, while BCP focuses on business operations

Business continuity planning (BCP) centers on maintaining critical business functions, while disaster recovery planning (DRP) specifically targets the restoration of IT and communications services essential for business operations.

64
Q

The components of the incident response plan are?

A

Preparation, Detection & Analysis, Containment, Eradication & Recovery, and Post-Incident Activity.

65
Q

What is the definition of an object in the context of access controls?

A

An entity that responds to a request for service

66
Q

Derrick logs on to a system to read a file.

In this example, Derrick is the ______.

A

Subject

67
Q

What alternative control could be used if biometric locks on multiple doors are not necessary and access does not need to be audited?

A. Removing doors and securing the area permanently
B. Implementing biometric scanners on all doors
C. Installing a permanent wall
D. Replacing doors with deadbolt locks

A

D. Replacing doors with deadbolt locks

68
Q

What would be considered an administrative control in the context of seat belt usage?

A. Attaching the seat belt to the car
B. Building a car with seat belts
C. Passing a law requiring seat belt use
D. Using the seat belt

A

C. Passing a law requiring seat belt use is an example of administrative control, whereas the seat belt itself would be considered a physical control.

69
Q

What does RBAC stand for?

A

Role-Based Access Control

70
Q

In what type of environment does role-based access control (RBAC) work well?

A. Low-staff turnover
B. High-staff turnover and similar access requirements
C. Single personnel with unique access requirements
D. Limited access requirements for all personnel

A

B. High-staff turnover and similar access requirements

71
Q

What is user provisioning in identity management?

A. Enabling the option to delete a users account
B. Ensuring a user can always control what they want to access
C. Managing access to resources and information systems
D. Ensuring that users are conducting regular antivirus scans

A

C. Managing access to resources and information systems

72
Q

What term is used to describe the situation where someone inherits expanded permissions that are not appropriate for their role in Role-based Access Control (RBAC)?

A. Access overflow
B. Permissions anomaly
C. Role deviation
D. Privilege creep

A

D. Privilege creep (also called permissions creep)

73
Q

What does micro-segmentation aid in protecting against?

A. Polymorphic toolsets
B. Advanced persistent threats
C. Traditional security models
D. Infrastructure-centric design paradigms

A

D. Infrastructure-centric design paradigms