Domains 1 & 2: Security and Risk Management / Asset Security Flashcards
(37 cards)
What is the CIA Triad?
Confidentiality: assurance that objects are accessed by authorized subjects only
Integrity: assurance that objects maintain accuracy/truthfulness and are modified only intentionally and only by authorized subjects
Availability: assurance that objects are always accessible to authorized subjects; protects against Denial of Service (DoS) attacks
An enterprise security architecture should balance all three
What are the 3 types of data?
(1) Data at rest: data sitting on disks somewhere, not being used
(2) Data in motion: data traversing the network
(3) Data in use: data actively being used on a workstation or server
What is Need-to-Know?
A user may be granted access to more than they need, but may only access what they need to know.
What is least privilege?
Give resources only the least amount of access they need to do their job.
What is IAAA?
Identification, Authentication, Authorization, Accountability
Identification: something that identifies you; it is unique
Authentication: proves you are who you claim to be (something you know, something you have, something you are)
Authorization: what you are allowed to access
Accountability: Auditing; trace an action to the identity
What is non-repudiation?
A user cannot deny having performed a certain action; requires both Authentication and Integrity.
What are Subject and Object?
Subject: most often users, but can also be programs (active)
Object: resource to which access is controlled, e.g. data (passive)
Object is manipulated by Subject
What is PCI DSS?
Payment Card Industry Data Security Standard
A standard, but required if the enterprise handles debit or credit card information
What is OCTAVE?
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Self-directed risk management
What is COBIT?
Control Objectives for Information and related Technology
Goals for IT: stakeholder needs are mapped down to IT-related goals
What is ITIL?
Information Technology Infrastructure Library
IT Service Management
What is COSO?
Committee of Sponsoring Organizations
Goals for the entire organization
What is FRAP?
Facilitated Risk Analysis Process
Analyze one business unit, application or system at a time in a roundtable brainstorm with internal employees; the impact is analyzed and the risks and threats are prioritized.
List the 27000 series (5 in total):
ISO 27001: establishment, implementation, control and improvement of Information Security Management Systems (ISMS); uses Plan, Do, Check, Act (PDCA)
ISO 27002: Provides practical advice on how to implement security controls; it has 10 domains it uses for Information Security Management Systems; the more in-depth version of 27001
ISO 27004: Metrics to measure how successful our ISMS is
ISO 27005: Standard-based approach to Risk Management
ISO 27799: Directives on how to protect PHI (protected health information)
What is Layered Defense (Onion Defense)?
Multiple overlapping security controls to protect an asset.
What is Due Diligence?
What is Due Care?
Due Diligence: the research, the preparing, all the practical “stuff” you do before implementing something.
Due Care: the implementation, monitoring and confirming that everything is working as it should.
Code of Ethics Preamble
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
What are the 4 Code of Ethics Canons?
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
What are the security governance principles?
- Values (ethics, principles, beliefs)
- Vision (what we aspire to be - hopes and ambition)
- Mission (who do we do it for - motivation and purpose)
- Strategic Objectives (how are we going to progress - plans, goals, sequencing)
- Action and Key Performance Indicators (what do we need to do and how do we know we achieved it - actions, resources, outcomes, owners, and timeframe)
What are the 3 types of Information Security Governance policies?
Regulatory (associated with regulatory compliance)
Advisory (outlines acceptable behavior expectations)
Informational
What are the access control categories?
Administrative (Directive) - organizational policies and procedures; regulation, training and awareness
Technical - hardware, software, firmware, firewalls, routers, encryption
Physical - locks, fences, guards, dogs, gates
What are the access control types?
Preventative - controls that prevent actions from happening (least privilege, firewalls, etc.)
Detective - controls that detect during or after an attack (alarms, CCTV, etc.)
Corrective - controls that correct the effects of an attack (patches, anti-virus)
Recovery - controls that help us recover after an attack (DR environments, backups)
Deterrent - controls that deter an attack (fences, lights, "beware of the dog" signs)
Compensating - alternative controls used when other controls are impossible or too costly to implement
What is risk?
Threat × Vulnerability × Impact (how bad is it?)
What is the risk management lifecycle?
(1) IT Risk Identification
(2) IT Risk Assessment
(3) Risk Response and Mitigation
(4) Risk and Control Monitoring and Reporting