Untitled Deck Flashcards
CIA - Confidentiality - ISO/IEC 27000
Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (ISO/IEC 27000)
CIA - Integrity - ISO/IEC 27000
Integrity: The property of accuracy and completeness (ISO/IEC 27000)
CIA - Availability - ISO/IEC 27000
Availability: The property of being accessible and usable upon demand by an authorized entity (ISO/IEC 27000)
Asset - ISO/IEC 13335
Asset: Anything of value to an organization (ISO/IEC 13335)
What are the 3 types of assets?
- Pure Information (in whatever format)
- Physical assets such as buildings or computer systems
- Software used to process or otherwise manage information
Threat, Vulnerability, Risk, and Impact
Threat - ISO/IEC 27000
Threat: A potential cause of an unwanted incident, which may result in harm to a system or organization (ISO/IEC 27000)
Example - Storm clouds in sky - threat of rain
Threat, Vulnerability, Risk, and Impact
Vulnerability - ISO/IEC 27000
Vulnerability: A weakness of an asset or control that can be exploited by one or more threats (ISO/IEC 27000)
Example - Leave house without a coat or umbrella
Threat, Vulnerability, Risk, and Impact
Risk - ISO/IEC 27000
Risk: The effect of uncertainty on objectives (ISO/IEC 27000)
Example - You could risk getting wet
Threat, Vulnerability, Risk, and Impact
Impact - ISO/IEC 13335
Impact: The result of an information security incident, caused by a threat, which affects assets (ISO/IEC 13335)
What is the purpose of controls?
Controls, in the IA sense, are the activities taken to manage the risks that have been identified. There are 4 main types of strategic controls (high-level controls decided at executive level): eliminate, reduce, transfer, and accept.
Strategic Controls - Eliminate - Risk Avoidance - ISO Guide 73
Eliminate. Risk Avoidance - Informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk (ISO Guide 73)
Strategic Controls - Reduce - Risk Reduction - ISO 22300:2018
Reduce. Risk Reduction - Action taken to lessen the probability, negative consequences, or both, associated with a risk (ISO 22300:2018)
Strategic Controls - Transfer - Risk Transfer - ISO Guide 73
Transfer. Risk Transfer - A form of risk treatment involving the agreed distribution of risk with other parties (ISO Guide 73)
Strategic Controls - Accept - Risk Acceptance - ISO Guide 73
Accept. Risk Acceptance - The decision to accept the risk (ISO Guide 73)
Identity, Authentication, and Authorization
Identity - ISO/IEC 24760-1
Identity. Information that unambiguously distinguishes one entity from another one in a given domain (ISO/IEC 24760-1)
Identity, Authentication, and Authorization
Authentication - ISO/IEC 15944-6
Authentication. The provision of assurance of the claimed identity of an entity (ISO/IEC 15944-6)
Identity, Authentication, and Authorization
Authorisation - ISO/TR 22100-4
Authorisation. The right or permission that is granted to a system entity to access a system resource (ISO/TR 22100-4)
Accountability, audit, and compliance
Accountability - ISO/IEC 21827
Accountability. The property that ensures that the actions of an entity can be traced uniquely to the entity (ISO/IEC 21827)
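The four cards above describe a chain: an identity is unique within a domain, authentication provides assurance of a claimed identity, authorisation grants a right to a resource, and accountability traces each action back to the entity. The following Python example is added here to show those four properties kept separate in code; it is not part of the flashcard deck or any standard. The in-memory directory, the users "alice" and "bob", the "payroll" resource and the "finance" role are all constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class Principal:
    user_id: str        # identity: unambiguous within this domain (ISO/IEC 24760-1)
    salt: bytes
    pw_hash: bytes
    roles: frozenset


@dataclass
class AuditEvent:
    ts: float
    user_id: str        # accountability: every event is traceable to one entity
    action: str
    resource: str
    outcome: str


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated password hash so a leaked directory does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccessControl:
    def __init__(self):
        self.directory = {}   # user_id -> Principal (constructed, in-memory)
        self.acl = {}         # resource -> set of roles allowed to read it
        self.audit_log = []   # append-only list of AuditEvent

    def enrol(self, user_id: str, password: str, roles) -> None:
        # Identity: refuse a second principal with the same identifier in this domain.
        if user_id in self.directory:
            raise ValueError("identity must be unambiguous within the domain")
        salt = os.urandom(16)
        self.directory[user_id] = Principal(user_id, salt, _hash(password, salt), frozenset(roles))

    def authenticate(self, user_id: str, password: str) -> bool:
        # Authentication: assurance that the claimed identity is genuine (ISO/IEC 15944-6).
        p = self.directory.get(user_id)
        if p is None:
            # Do the same work for unknown ids so response time does not reveal valid ids.
            _hash(password, b"\x00" * 16)
            ok = False
        else:
            ok = hmac.compare_digest(_hash(password, p.salt), p.pw_hash)
        self._record(user_id, "authenticate", "-", "success" if ok else "failure")
        return ok

    def authorise(self, user_id: str, resource: str) -> bool:
        # Authorisation: the right granted to an entity to access a resource (ISO/TR 22100-4).
        # Being authenticated says nothing about permission; roles are checked separately.
        p = self.directory.get(user_id)
        allowed = p is not None and bool(p.roles & self.acl.get(resource, set()))
        self._record(user_id, "read", resource, "allowed" if allowed else "denied")
        return allowed

    def _record(self, user_id: str, action: str, resource: str, outcome: str) -> None:
        # Accountability: every decision, allowed or denied, is logged against the entity.
        self.audit_log.append(AuditEvent(time.time(), user_id, action, resource, outcome))

    def actions_by(self, user_id: str):
        return [e for e in self.audit_log if e.user_id == user_id]


def build_demo() -> AccessControl:
    # Constructed sample domain: two identities, one protected resource.
    ac = AccessControl()
    ac.enrol("alice", "correct horse battery staple", {"finance"})
    ac.enrol("bob", "hunter2", {"engineering"})
    ac.acl["payroll"] = {"finance"}
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("alice authn:", ac.authenticate("alice", "correct horse battery staple"))
    print("alice -> payroll:", ac.authorise("alice", "payroll"))
    print("bob authn:", ac.authenticate("bob", "hunter2"))
    print("bob -> payroll:", ac.authorise("bob", "payroll"))
    for e in ac.audit_log:
        print(f"{e.user_id:6} {e.action:12} {e.resource:8} {e.outcome}")
```

Note that bob authenticates successfully but is still denied "payroll": authentication and authorisation are separate decisions, and both outcomes, including the denial, land in the audit log so the action can be traced to bob.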
Accountability, audit, and compliance
Audit - ISO 15638-5
Audit. The review of a party’s capacity to meet, or continue to meet, the initial and ongoing approval agreements as a service provider (ISO 15638-5)
Accountability, audit, and compliance
Compliance - ISO/TR 19591
Compliance. Meeting or exceeding all applicable requirements of a standard or other published set of requirements (ISO/TR 19591)
Information Security Management System (ISMS) - ISO 12812-2
Information Security Management System (ISMS). Part of the overall management system, based on a business risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security (ISO 12812-2)
What is Information Security - ISO 19092
Information Security - Preservation of confidentiality, integrity, and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved (ISO 19092)
What is Information Assurance
Information Assurance (IA) - The confidence that information systems will protect the information they carry and will function as they need to, when they need to, under the control of legitimate users.
What is Defense in Breadth
Defense in Breadth - All connected systems must now be taken into account when considering how an attack might materialize and the effect it might have.
What is Defense in Depth
Defense in Depth - Layers of security which may start off relatively simple, but which increase in complexity, cost and effectiveness as the information and systems being protected become more sensitive and important.