IA 2 - UNIT 3 Flashcards
1
Q
Benefits of Incorporating Security Considerations
A
- Early integration reduces disruptions and costs.
- Ongoing security adaptation to evolving threats.
- Retrofitting post-incident is costly and less effective.
- Regular updates to the security plan are vital.
- Documenting decisions aids comprehensive coverage and audits.
2
Q
is the overall process of creating, implementing, and decommissioning information systems through a multistep process from initiation, analysis, design, implementation, and maintenance to disposal.
A
system development life cycle
3
Q
SDLC Phases
A
- Initiation
- Development
- Implementation
- Maintenance
- Disposal
4
Q
INITIATION PHASE
A
- Need establishment
- Security categorization
- Initial Risk Assessment
5
Q
DEVELOPMENT/ACQUISITION PHASE
A
- Requirement analysis/ development
- Risk assessment
- Budgeting
- Security planning
- Security control development
- Security test and evaluation
6
Q
IMPLEMENTATION PHASE
A
- Security test and evaluation
- Inspection and acceptance
- System integration/installation
- Security accreditation
7
Q
OPERATION/MAINTENANCE PHASE
A
- Configuration management and control
- Continuous monitoring and continuous accreditation (authorization)\
8
Q
2 Layer of Defense
A
- Physical security of premises and offices
- Physical security of equipment
9
Q
Main Threats For Physical and Environmental Security
A
- Energy (Electricity)
- Equipment (Mechanical or electronic components) Fire and Chemical Hazard (smoke, industrial pollution)
- Manmade Disasters (war, terrorist attack, bombing) Natural Disaster (earthquake, volcano, landslide, storms)
- Pandemic Disease (bacteria, virus) Radiation (electromagnetic pulse)
- Weather (Sandstorm, humidity, flood, lightning)
10
Q
DISPOSAL PHASE
A
Information preservation Media sanitization
Hardware and software disposal
11
Q
- Premises that contain critical information or systems require special protection.
The following controls are related to the physical security of premises.
* One of the controls is to establish the security perimeter as the outer boundary.
* This perimeter should contain all critical assets. Within this perimeter, there may be more secure areas or enclaves.
A
Physical security of premises and offices
12
Q
- Protect information-processing equipment physically to minimize the risk of unauthorized access to information and to safeguard against loss or damage.
- Offsite computing systems for reconstitution or contingency operations should also be addressed in a physical security plan.
A
Physical security of equipment
13
Q
Physical Entry Controls
A
- Employee Access
- Visitor Access
14
Q
Positive identification and access control are mandatory; therefore, all employees should be required to always wear some form of visible identification (ID badge) whenever they are on the premises.
A
Employee Access
15
Q
require redundancy in electric power system availability. (UPS or Backup Generators)
A
Electrical Power
16
Q
- Maintenance of information processing equipment based on the manufacturer’s recommended service intervals and specifications.
- All maintenance services to the equipment either onsite or sent off from the premises also need to be recorded and tracked.
A
Equipment Maintenance
17
Q
Use of any equipment outside an organization’s premises should be authorized by management.
A
PHYSICAL SECURITY OF EQUIPMENT OFF-PREMISES
18
Q
Careless disposal, disposition, or recycling of equipment can put information at risk.
A
SECURE DISPOSAL AND REUSE OF EQUIPMENT
19
Q
These devices can help mitigate the risks associated with malicious code and the loss of proprietary information by raising employee awareness about removable media usage policies and minimizing potential damage.
A
MANAGEMENT OF REMOVABLE MEDIA
20
Q
Disposal of Media
The following are some guidelines of proper media disposal:
A
- Electronic media
- Printed materials
21
Q
- containing sensitive customer information should be degaussed prior to disposal.
- Degaussing completely erases the information stored on the magnetic surface.
A
Electronic media
22
Q
which hold confidential and restricted data, should be
destroyed in a secure way, such as by shredding
A
Printed materials
23
Q
An effective AT&E program has four stages:
A
literacy, awareness, training, and education (LATE).
24
Q
- To cultivate a strong information assurance culture among employees, emphasize the organization’s commitment to safeguarding information assets through training
A
Purpose of the AT&E Program
25
Types of Learning Programs
1. IA AWARENESS
2. IA TRAINING
3. IA EDUCATION
26
**serve to motivate a sense of responsibility and encourage employees to be more cautious** about their work environment.
IA AWARENESS
27
**Training aims to teach or improve an individual’s skill, knowledge, or attitude,** which allows a person to carry out a specific function.
IA TRAINING
28
Using **internalized concepts and skills to perform operations** such as analyzing, evaluating, and judging to reach **higher cognitive-level decisions **.
IA EDUCATION
29
Restrict internet access for end users, enabling administrators to block specific websites based on local policies.
Content Filters
30
Examples of protocols that implement network services
1. Secure Sockets Layer (SSL)
2. Transport Layer Security (TLS)
3. IP Security (IPSec) protocols
31
preferred information security protocols in web environments
TLS and SSL
32
are preferred for implementing virtual private networks (VPNs).
IPSec
33
Preventive Information Assurance Tools
1. backup
2. Change and Configuration Management
3. IT Support
4. Media Controls and Documentation
5. Patch Management
34
Primary information assurance control.
FIREWALLS
35
Enforces **organizational infosec policies by analyzing network traffic** (Content- based and Anomaly-based)
NETWORK INTRUSION PREVENTION SYSTEM
36
Serve as intermediaries between clients and the internet. (e.g., gateway)
PROXY SERVERS
37
A **secure network that uses the Internet** for user connections, ensuring security through encryption. (e.g., IPSec, SSL, and PPTP)
VIRTUAL PRIVATE NETWORKS
38
Provides secure communication over unsecured networks.
PUBLIC KEY INFRASTRUCTURE
39
In a dynamic tech landscape, organizations must adapt and bolster their security measures.
Preventive Information Assurance Controls
40
Vital for information assurance, providing copies of data, software, and hardware. (e.g., full, differential, incremental, and mirror)
Backups
41
Organizations must **adapt constantly in an ever-changing environment.** (e.g., alliances, market demands, competition, operations, and regulations)
Change and Configuration Management
42
Handles various issues. Trained technicians
address security problems.
IT Support
43
Securing information goes beyond servers;
* **Environmental** safeguards against fires, temperature, and humidity issues.
* **Usage logging** (e.g., check-in/check-out).
* **Maintenance** (data overwriting, disposal).
* **Unauthorized access prevention.**
* **Proper labeling** (owner, date, version, classification).
* **Storage options** (off-site or locked server rooms).
Media Controls and Documentation
44
Involves timely and planned updates
* Establishing dedicated resources
* Monitoring/identifying patches
* Identifying risk in applying a patch
* Testing a patch before installing
Patch Management
45
should **protect vital resources** not only from **unauthorized external access but also from internal attacks.**
ACCESS CONTROL SYSTEM
46
prevents actions on an object (target to be accessed) by unauthorized users (subjects).
ACCESS CONTROL SYSTEM
47
is the first line of defense to protect the system from unauthorized modification
ACCESS CONTROL SYSTEM
48
ACCESS CONTROL TYPES
1. physical
2. logical
49
it serves as an auditing tool (to trace information security breaches, incidents, and events).
ACCESS CONTROL SYSTEM
50
* Organizations usually manage physical access with human, technological, or mechanical controls.
* A physical control might be biometric identification technology used to restrict entry to a property, a building, or a room to authorized persons.
PHYSICAL
51
* Logical access controls manage access based on processes such as identification, authentication, authorization, and accountability.
* Examples of logical access controls are digital signatures and hashing.
LOGICAL
52
Access Control Models
1. Discretionary
2. Mandatory
3. Role-based
53
* Owner of the object determines the access policy.
* Owner decides which subjects may access the object and what privileges the subject has.
* This model is adapted by Windows, Apple and various linux system
Discretionary
54
* control access to sensitive or controlled data in systems with multiple level classification
* Owner does not establish access policy since the system decides on the access control based on the information security classification and policy rules
Mandatory
55
* Uses a **centrally managed set of rules, which grants access to objects** **based on the roles of the subject**
* Since subjects are not assigned permission directly like other models, they acquire it through roles and the management of access becomes relatively easier
Role-based
56
* uses simple rules to determine the result of privileges, which a subject can have over an object.
* determines what can and cannot be allowed.
RULE-BASED ACCESS CONTROL
57
* a static, abstract, formal computer protection and information assurance model used in computer systems
* represents the relationship of subjects and objects in a tabulated form
ACCESS CONTROL MATRIX
58
a list containing information about the individual or group permission given to an object; the ACL specifies the access level and functions allowed onto the object.
ACCESS CONTROL LISTS
59
ACCESS CONTROL LISTS TWO TYPES
1. Network
2. File system
60
implemented on servers and routers
Network
61
implement file access by tracking subjects’ access to objects
File System
62
Access Control Techniques
1. rule-based access control
2. access control matrix
3. access control list
4. capability table
5. contrained user interfaces
6. content-dependent access control
7. context-dependent access control
63
* an authorization table that identifies a subject and specifies the access right allowed to that subject
* the rows list the capabilities that the subject can have
* frequently used to implement the RBAC model
CAPABILITY TABLES
64
* technique is used in databases
* access to objects is **dependent on the content of the objects** aims at controlling the availability of information by means of views
CONTENT-DEPENDENT ACCESS CONTROL
65
defines the access controls of a subject on objects based on a context or situation
CONTEXT-DEPENDENT ACCESS CONTROL
66
* contained in a department, unit or information security administrator
* ensures uniformity
* simplified method and cost effective
* slow because all changes are processed by single entity
ACCESS CONTROL ADMINISTRATION - CENTRALIZED
67
* gives control to people who are closer to the objects
* does not ensure uniformity more relaxed
* faster since changes are made to function rather to the whole organization
ACCESS CONTROL ADMINISTRATION -DECENTRALIZED
68
a way to limit access of subjects to a resource or information by presenting them with only the information, function, or access to the resource for which they have privileges.
CONSTRAINED USER INTERFACES
