Video Content Lesson 1 Flashcards

2
Q

Security Triad

A

CIA
Confidentiality
Integrity
Availability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Confidentiality

Protects from

A

Protects Data from Unauthorized Disclosure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Confidentiality

4 parts

A

Physical Security
Access Control
Encryption
Perimeter Defense

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Integrity

Protects from

A

Protects Data from Unauthorized Modification

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Integrity

3 parts

A

Physical Security
Access Control
Perimeter Defense

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Availability

A

Ensures the system is available when needed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

InfoSec Management Governance

A

1-Assurance that appropriate security activities are being carried out
2-Security risks are being reduced
3-Security budget is being properly used

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Audit Frameworks for Compliance

A

1-COSO (Committee of Sponsoring Organizations of the Treadway Commission)
2-ITIL (Information Technology Infrastructure Library)
3-COBIT (Control Objectives for Information and related Technology)
4- ISO 17799 / BS 7799

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

A

1-Defines 5 areas of internal control

2-Useful in meeting Sarbanes-Oxley Section 404 compliance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

ITIL (Information Technology Infrastructure Library)

A

1-British government’s TSO (The Stationary Office)

2-Best practices for IT service management

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

COBIT (Control Objectives for Information and related Technology)

A

1-ITGI (IT Governance Institue)

2-Overall structure for Information Technology Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

ISO 17799 / BS 7799

A

1-Originially, UK Department of Trade and Industry Code of Practices
2-Basis for developing security standards and security management practices

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Security Administration

A
1-Management is responsible to ensure security
2-Look at Security Goals
a-Strategic - Long-term
b-Tactical - Medium Term
c-Operational - day-to-day
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Organizational Requirements

A

1-Government or Commercial

2-Management Style and Organizational Culture

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Physical Risks

A

Handling risks that can cause loss
Physical Damage
Hardware Malfunction
Software Malfunction

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Human Risks

A

Malicious Attack
Espionage and theft
Human Errors

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Risk Management

A

RM involves assessing risks and choosing appropriate responses

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Risk Management Terms

A

Threat
Vulnerability
Probablility Determination
Control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Risk Management Options

A

Allow risk to exist

Reduce Loss

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Legal Responsibility

A

Due Care

Due Dilligence

22
Q

Risk Assessment Methodologies

A
A methodology is a starting point or a structure that helps the process begin
NIST 800-30 and 800-66
OCTAVE
FRAP (Facilitated Risk Analysis Process)
CRAM (CCTA Risk Analysis Management)
23
Q

NIST 800-30 and 800-66

A

1-Qualitative

2-800-66 written with HIPAA in mind

24
Q

OCTAVE

A

Carnegie Mellons self-directed infromation security risk evaluation

25
Q

Risk Assessment Team

A

1-Upper Management (most Important)
2-multiple departments
3-accept all input equally
4-document all proceedings

26
Q

Risk Assessment

Types

A

Qualitative (no numbers, just comparisions)

Quantative (assign numberical value to risks)

27
Q

Single Loss Expectancy

A

Calculate Exposure
1-Assign a value for each asset
2-Determine % of loss for each realized threat (Exposure Factor-EF)
Calculate the Loss of a single threat occurrence
1-Single Loss Expectancy (SLE)
SLE = Asset Value * EF

28
Q

Annual Loss Expectancy

A

Calculate the annual probability of loss
Annual Rate of Occurrence (ARO)
Based on an estimage of annual probability a stated threat will be realized
Calculate the annual estimated loss of a specific realized threat
1-Annual Loss expectancy (ALE)
SLE * ARO = ALE

29
Q

Overall Risk

A

Look at costs of risks and cost of controls

30
Q

Qualiltative Risk Assessment

A

Ranked by impact and likelihood

Summarize each risk and its impact

31
Q

Selecting Controls

A

Choose appropriate controls to mitigate risk
Value is always related to amount of loss a control prevents
Explore alternate options for expensive controls

32
Q

Security Policy

A
Starts with Upper Management
Policy
1-Statement of expected performance
2-Consequences of noncompliance
Very High Level with Limited Specifics
33
Q

Security Policy Types

A

1-Regulatory (mandatory to satisfy legal/regulatory requirments)
2-Advisory (things which we require as a business ex. ID)
3-Informative (explains organizational strategies and behavior)

34
Q

Standards

A

What you must do
Lower level than policy
specify what products can be used (IE vs. Netscape)
specify best practices for each product
Compliance is mandatory (password expiry)

35
Q

Guidelines

A

Recommended action/guide
typically not mandatory
provide details on how to implement standards

36
Q

Procedures

A

“How to” documents
detailed step-by-step instructions
specific to well-defined areas
May have multiple sets of procedures

37
Q

Job Policies and Training

A
1-Hiring Practices
2-Terminations Practices
3-Job Descriptions
4-Job Activities
5-Security Awareness
6-Tailoring Training
7-ISO Responsibilities
38
Q

Hiring Practices

A

Background check
drug testing
security clearance
nondisclosure agreements

39
Q

Terminations practices

A

Revocation of Privileges
Security Escort
Exit Interview

40
Q

Job Descriptions

A

Roles and Responsibilities

41
Q

Job Activities

A

Separation of Duties and responsibilities
Mandatory Vacation Increments (audit employee’s work)
Job Rotation

42
Q

Security Awareness

A

most security incidents occur due to negligence
Awareness training informs and reminds participants and security responsibilities
Tailor training to match appropriate level of security needed
Various levels of training

43
Q

Tailoring Training

A

1-management
2-non-technical staff
3-technical staff

44
Q

ISO Responsibilities

A

ISO - Information Security Officer
Communicate risk to upper management
Budget for Infromation Security Activities
Ensure Development of (Policies, Procedures, Baselines, Standards, Guidelines)

45
Q

Ethics

A
Overview
(ISC)2 Code of Ethics
Ten Commandments
REC 1087
Ethics Topics
Common Computer Ethics Fallacies
46
Q

(ISC)2 Code of Ethics

A
Preamble
Four Canons
1-protect society
2-act honorably, honestly
3-provide diligent service to principles
4-advance and protect the profession
47
Q

Ten Commandments

A

Computer Ethics Institute

48
Q

RFC 1087

A

Internet Activities Board

49
Q

Ethics Topics

A
Computers in the Workplace
Computer Crime
Privacy and anonymity
Intellectual property
Professional Responsibilities
50
Q

Ethics Fallacies

A
The Computer Game Fallacy
The Law-abiding Citizen Fallacy
The Shatterproof Fallacy
The Candy-from-a-Baby Fallacy
The Hacker's Fallacy
The Free Information Fallacy