Vocab 1

Question 1

Organizational policy that describes both acceptable and unacceptable actions when using organizational computing resources, as well as the consequences of violating the policy.

Answer 1

acceptable use policy (AUP)

Question 2

The processes and technologies involved in protecting information, systems, and data against unauthorized disclosure, modification, or loss through the control of access to those resources physically and/or logically.

Answer 2

access control

Question 3

The ability to trace an action or event to a definitive user and to hold that user responsible for their actions.

Answer 3

accountability

Question 4

Tools that interact actively with a system and can often give you a more realistic perspective of vulnerabilities and the overall control effectiveness; can also cause performance issues.

Answer 4

active tools

Question 5

The process of determining whether a program or a project is meeting specified objectives and of determining whether the controls selected to protect the system are performing their desired function to the level required.

Answer 5

assessment

Question 6

Anything of value to an organization; assets can include tangible items such as information, data, equipment, supplies, facilities, and systems, or intangible items such as customer loyalty and reputation.

Answer 6

asset

Question 7

The process of reviewing different data sources, including log files and access control records, to determine compliance with security policy or detect deviations or anomalies.

Answer 7

auditing

Question 8

The process of validating credentials that a user has supplied to verify that they are the actual authorized user and that the credentials belong to that user.

Answer 8

authentication

Question 9

The process of giving authenticated users the proper accesses to systems, data, and facilities.

Answer 9

authorization

Question 10

The goal of having information and systems available to authorized users whenever and however they need them.

Answer 10

availability

Question 11

Must be made if the response can’t be quickly or easily implemented without a significant cost or change to the organization or the system. A business case for a risk response justifies the expense and work required to make the response function properly.

Answer 11

business case

Question 12

The process, generally detailed in a supporting plan, that keeps the company operating and functioning in the event of a power outage, IT malfunction, or major disaster.

Answer 12

business continuity

Question 13

The process of analyzing the critical missions and business processes and the systems used to complete those tasks and of determining the impact to the mission of a loss or disruption in access to those systems.

Answer 13

business impact assessment

Question 14

The ability for the organization to implement a risk response.

Answer 14

capability

Question 15

Control Objectives for Information and Related Technology (but now typically referred to by its acronym). This management and governance framework was developed and is used extensively by ISACA in its various risk management and business process frameworks. It is currently in version 5.

Answer 15

COBIT

Question 16

Controls spanning the entire organization and protecting multiple assets rather than only a specific system. Physical controls are good examples of common controls, and the responsible entity for these controls would be the common controls provider.

Answer 16

common controls

Question 17

The goal of protecting systems and information from unauthorized disclosure.

Answer 17

confidentiality

Question 18

A measure put in place to increase protection for an asset, to make up for a lack of protection for an asset, or to strengthen a weakness for an asset. Controls can be administrative, technical, or physical and operational. They can also be further divided by functionality, including deterrent, preventative, detective, and so on.

Answer 18

control

Question 19

The process of determining the difference between the existing state of a control’s effectiveness and its desired state.

Answer 19

control gap analysis

Question 20

The financial impacts of any decision, as well as the less-easily quantified aspects such as loss of goodwill, loss of brand status, and other hard-to-define attributes. Cost also includes the maintenance of the responsive mitigation over its required life span.

Answer 20

cost

Question 21

The level of protection information or data required based upon its impact to the organization if it were disclosed to unauthorized people, subject to unauthorized modification, or otherwise lost.

Answer 21

data sensitivity

Question 22

When risk response options simply don’t make good business sense, risk is assumed temporarily, perhaps until the costs are reduced, alternate measures are adopted, or risk is ultimately accepted.

Answer 22

deferral

Question 23

The process of reacting to an incident or disaster and recovering an organization, its personnel, and systems to a functioning state.

Answer 23

disaster recovery (DR)

Question 24

The design principle that states that you should attempt to design and implement controls that can be applied to more than one system or set of data or that provide more than one function in effectively mitigating risk. The goal is to minimize single-use controls (controls that apply only to a specific system or set of data) because they can be more expensive and specialized to implement.

Answer 24

economy of use

Question 25

The extent to which the response reduces the likelihood or the impact of the risk event to the organization; also the degree and depth that a control fulfills its security requirements.

Answer 25

effectiveness