Topic 7 Flashcards
Security management models
How might an organization create a security blueprint?
To generate a usable security blueprint, most organizations draw on established security
frameworks, models, and practices. Some of these models are proprietary and are only
available for a significant fee; others are relatively inexpensive. The chosen model must be
flexible, scalable, robust, and sufficiently detailed.
What is COBIT? Who is its sponsor? What does it accomplish?
Control Objectives for Information and Related Technology (COBIT) is an IT governance
framework and supporting toolset that allows managers to bridge the gap between control
requirements, technical issues, and business risks. COBIT was created in 1992 by the
Information Systems Audit and Control Association (ISACA) and the IT Governance Institute
(ITGI). COBIT enables clear policy development and good practice for IT control throughout
organizations.
What are the two primary advantages of NIST security models?
Answer:
They are publicly available at no charge, and they have been available for some time; thus,
they are very thorough and have undergone a great deal of refinement over time.
What is the common name of NIST SP 800-30? What is the document’s purpose? What
resources does it provide?
The common name of NIST SP 800-30, Rev. 1, is “Guide for Conducting Risk Assessments.”
It is a foundation for the development of an effective risk management program, and it contains
both the definitions and the practical guidance necessary for assessing and mitigating risks
identified within IT systems. The ultimate goal is to help organizations better manage IT-
related mission risks.
What is COSO, and why is it important?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S.
private-sector initiative formed in 1985. Its major objective is to identify the factors that cause
fraudulent financial reporting and to make recommendations to reduce its incidence. The
COSO established a common definition of internal controls, standards, and criteria against
which companies and organizations can assess their control systems. The committee’s report
has entered practical usage as a standard of performance that helps organizations comply with
critical regulations like the Sarbanes-Oxley Act of 2002.
What is access control?
Access control regulates the admission of users into trusted areas of the organization—both
logical access to the information systems and physical access to the organization’s facilities.
Access control is maintained through a collection of policies, programs to carry out those
policies, and technologies that enforce the policies.
What are the key principles on which access control is founded?
Access control is built on several key principles, including least privilege, need to know, and
separation of duties.
What are the essential processes of access control?
Access control includes four processes:
1. Identification—Obtaining the identity of the entity requesting access to a logical or
physical area
2. Authentication—Confirming the identity of the entity seeking access to a logical or
physical area
3. Authorization—Determining which actions an authenticated entity can perform in a
physical or logical area
4. Accountability—Documenting the activities of the authorized individual and systems
What is a mandatory access control?
A mandatory access control (MAC) is an implementation in which software elements are
structured and coordinated within a data classification scheme that rates each collection of
information as well as each user and forces compliance with policy through the use of a
reference monitor.
What is a data classification model? How is data classification different from a clearance level?
A data classification model provides guidance as to the sensitivity level for information assets.
A clearance level is applied to human resources, indicating the sensitivity levels of data to
which they have access.
