Domain 2: Determining Data Security Controls Flashcards
(30 cards)
A system has been approved to meet the security requirements of the data owner
Certification
Data owner’s acceptance of the certification and of the residual risk
Accreditation
Risk Management framework from Carnegie Mellon University
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
What is the three-phase process for managing risk according to OCTAVE?
Phase 1 - Identify staff knowledge, assets, and threats
Phase 2 - Identify vulnerabilities and evaluate safeguards
Phase 3 - Conduct the risk analysis and develop the risk mitigation strategy
- Internationally agreed-upon standard for describing and testing the security of IT products
- Replaced the TCSEC (US) and ITSEC (Europe)
International Common Criteria
- The system or product that is being evaluated
- International Common Criteria term
Target of Evaluation (ToE)
- Documentation describing the ToE, including the security requirements and operational environment
- International Common Criteria term
Security target
- Independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems
- International Common Criteria term
Protection Profile
- The evaluation score of the tested product or system
- International Common Criteria term
Evaluation Assurance Level (EAL)
- Functionally tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL1
- Structurally tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL2
- Methodically tested and checked
- International Common Criteria Evaluation Assurance Level (EAL)
EAL3
- Methodically designed, tested and reviewed
- International Common Criteria Evaluation Assurance Level (EAL)
EAL4
- Semiformally designed and tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL5
- Semiformally verified, designed and tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL6
- Formally verified, designed, and tested
- International Common Criteria Evaluation Assurance Level (EAL)
EAL7
Control framework for employing security governance best practices within an organization
COBIT
What are the four COBIT domains?
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Framework for providing the best service in IT service management
Information Technology Infrastructure Library (ITIL)
What are the five ITIL Service Management Practices?
- Service Strategy - Helps IT provide services
- Service Design - Details the infrastructure and architecture required to deliver IT services
- Service Transition - Describes taking new projects and making them operational
- Service Operation - Covers IT operations controls
- Continual Service Improvement - Describes ways to improve existing IT services
Process of determining which portions of a standard will be employed by an organization
Scoping
Process of customizing a standard for an organization
Tailoring
- Data stored on media
- e.g. hard drives, external USB drives, SANs, etc.
- Best protection: encryption
Data at Rest
- Data transmitted over a network
- Best protection: end-to-end encryption
Data in Transit