Flashcards in full_offl Deck (500)
What are the properties of a secure information processing system?
Confidentiality, Integrity, and Availability (and Non-repudiation).
What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
Non-repudiation.
A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?
A security operations center (SOC).
A business is expanding rapidly and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?
Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators. DevSecOps embeds the security function within these teams as well.
Availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access the data that they need.
CIA Triad
The three principles of security control and management (confidentiality, integrity, and availability). Also known as the information security triad. Also referred to in reverse order as the AIC triad.
CISO (Chief Information Security Officer)
Typically the job title of the person with overall responsibility for information assurance and systems security. Sometimes referred to as Chief Security Officer (CSO). Distinct from the Chief Information Officer (CIO), who heads the IT function as a whole.
Confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
CSIRT (Computer Security Incident Response Team)
Team with responsibility for incident response. The CSIRT must have expertise across a number of business domains (IT, HR, legal, and marketing for instance).
DevSecOps
A combination of software development, security operations, and systems operations, referring to the practice of integrating each discipline with the others so that security is built into the delivery pipeline rather than bolted on at the end.
Integrity
The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.
ISSO (Information Systems Security Officer)
Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.
NIST (National Institute of Standards and Technology)
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.
Non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating it.
SOC (security operations center)
The location where security professionals monitor and protect critical information assets in an organization.
You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
It is a technical type of control (implemented in software) and acts as a preventive measure.
A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
It would be classed as a physical control, and its function is both detective (the light is triggered by movement) and deterrent (an intruder who is lit up is discouraged from continuing).
A firewall appliance intercepts a packet that violates policy. It automatically updates its Access Control List to block all further packets from the source IP. What TWO functions is the security control performing?
Preventive and corrective.
If a security control is described as operational and compensating, what can you determine about its nature and function?
That the control is implemented primarily by people (procedures, training, guards) rather than by a technical system, and that it has been put in place to provide equivalent protection to a primary control that cannot be implemented in the way a security standard requires.
If a company wants to ensure it is following best practice in choosing security controls, what type of resource would provide guidance?
A cybersecurity framework and/or benchmark and secure configuration guides.
CIS (Center for Internet Security)
A not-for-profit organization (founded partly by SANS). It publishes the well-known CIS Critical Security Controls (formerly the "Top 20"; 18 controls as of version 8), a prioritized set of system design recommendations, as well as the CIS Benchmarks, which are secure configuration guides for operating systems, cloud platforms, and applications.
Cloud Security Alliance
Industry body providing security guidance to cloud service providers (CSPs) and their customers, including an enterprise reference architecture and the Cloud Controls Matrix (CCM), a framework of cloud-specific security controls.
Compensating control
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
Corrective control
A type of security control that acts after an incident to eliminate or minimize its impact.
Detective control
A type of security control that acts during an incident to identify or record that it is happening.
Deterrent control
A type of security control that discourages intrusion attempts.
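The firewall card above (a packet violates policy, the appliance blocks it and then updates its ACL to drop everything from that source) and the control-function definitions can be put together in a small runnable model. This is an added example, not a card from the deck and not a real product's logic: the Packet and AdaptiveFirewall classes, the port policy, the "never block" management network and the sample traffic are all constructed for illustration. It labels each decision with the control function it exercises, and it handles two things a practitioner would want from an auto-blocking control: dynamic entries age out, and addresses on a protected list are dropped but never blocklisted, because otherwise an attacker can spoof a trusted source and turn the corrective control into a self-inflicted denial of service.

```python
"""Model of a firewall that is preventive (static port policy), detective
(logs each violation) and corrective (adds the offending source to a dynamic
ACL). Added example; packet format, policy and traffic are constructed here."""
from dataclasses import dataclass
import ipaddress
import time


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Decision:
    action: str        # "allow" or "drop"
    functions: tuple   # control functions exercised by this decision
    reason: str


class AdaptiveFirewall:
    def __init__(self, allowed_ports, never_block, block_seconds=600,
                 clock=time.monotonic):
        self.allowed_ports = set(allowed_ports)
        # Sources that are never auto-blocked (management/monitoring nets).
        # Without this list an attacker can spoof a trusted address into the
        # dynamic ACL and lock the administrators out.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.block_seconds = block_seconds   # dynamic entries age out
        self.clock = clock                   # injectable for testing
        self.dynamic_acl = {}                # src ip -> expiry time
        self.log = []                        # (time, src, action, reason)

    def _protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def _on_dynamic_acl(self, ip, now):
        expiry = self.dynamic_acl.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.dynamic_acl[ip]         # entry has aged out
            return False
        return True

    def process(self, pkt):
        now = self.clock()
        if self._on_dynamic_acl(pkt.src, now):
            self.log.append((now, pkt.src, "drop", "dynamic-acl"))
            return Decision("drop", ("preventive",), "source on dynamic ACL")
        if pkt.dport in self.allowed_ports:
            return Decision("allow", (), "permitted by policy")
        # Policy violation: the drop is preventive, the log entry is detective.
        self.log.append((now, pkt.src, "drop", f"policy:{pkt.proto}/{pkt.dport}"))
        functions = ["preventive", "detective"]
        # Corrective step: block all further traffic from this source,
        # unless the source is on the protected list.
        if not self._protected(pkt.src):
            self.dynamic_acl[pkt.src] = now + self.block_seconds
            functions.append("corrective")
        return Decision("drop", tuple(functions), "violates policy")


class FakeClock:
    """Deterministic clock so the expiry behaviour can be demonstrated."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_demo():
    clock = FakeClock()
    fw = AdaptiveFirewall(allowed_ports={80, 443},
                          never_block=["10.0.0.0/24"],   # constructed management net
                          block_seconds=600, clock=clock)
    traffic = [   # constructed sample traffic (RFC 5737 documentation addresses)
        Packet("203.0.113.7", "192.0.2.10", 443),  # allowed
        Packet("203.0.113.7", "192.0.2.10", 23),   # telnet: violation, source blocked
        Packet("203.0.113.7", "192.0.2.10", 443),  # normally fine, but source is blocked
        Packet("10.0.0.5", "192.0.2.10", 23),      # violation from protected net: dropped only
        Packet("10.0.0.5", "192.0.2.10", 443),     # protected source still reaches the service
    ]
    results = [fw.process(p) for p in traffic]
    clock.advance(601)                              # dynamic entry expires
    results.append(fw.process(Packet("203.0.113.7", "192.0.2.10", 443)))
    return [(d.action, d.functions) for d in results]


if __name__ == "__main__":
    for action, functions in run_demo():
        print(action, functions)
```

Running `run_demo()` shows the second packet exercising all three functions at once (it is dropped, logged, and its source is added to the dynamic ACL), the third packet dropped purely preventively by that ACL entry, the protected host dropped and logged but not blocklisted, and the original source allowed again once the entry has expired.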
GDPR (General Data Protection Regulation)
Provisions and requirements protecting the personal data of people in the European Union (EU): data subjects located in the EU, regardless of citizenship. Transfers of personal data outside the EU/EEA are restricted unless the destination offers an equivalent level of protection. The US Privacy Shield framework served this purpose until the Court of Justice of the EU invalidated it in 2020 (Schrems II); its successor is the EU-US Data Privacy Framework adopted in 2023.
GLBA (Gramm-Leach-Bliley Act)
A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual's financial information that is held by financial institutions.