Flashcards in Info Gov Deck (77)
What is the opposite of CIA?
What are the 5 classifications commonly used by the U.S. department of Defence?
Sensitive but Unclassified (SBU)
Which classification level (US DoD) may often use the terms "for official use only" or "for internal use only"?
What is the difference between unclassified and SBU? (US DoD)
SBU generally contains personal information ie medical records or disciplinary proceedings.
What is the lowest level of classified government information? (US DoD)
What term is commonly used to collectively represent policies, procedures, guidelines and standards that help steer an organisations decisions and operations?
What are the four main types of policies?
Which type of policy do most policies fall under?
Which type of identity management system facilitates authentication, non-repudiation and access control via digital certificates?
Which 3 of the following 5 background checks would commonly be included as part of more extensive pre-employment screening?
Special background investigation
Verification of personal/professional data in application
Special background investigations
Who is ultimately responsible for an organisations information security? management or information security professional?
With regards information a system admin what commonly be known as what? Information owner or custodian?
Which term is used to ensure that not one individual has complete authority or control over a critical system or process and also reduces dependence on individuals, ie avoiding a single point of failure?
Separation of duties
Which terms describes regularly transferring key personnel into different roles or positions in different parts of the organisation?
What 3 things does the risk assessment triple consist of?
Quantities risk methodologies
Safeguard selection criteria and objectives
What 2 elements are multiplied to calculate a risk?
Threat x Vulnerability = Risk
What 3 elements does the risk management triple consist of?
Risk management consists of 3 elements. What are they?
When does risk identification occur?
During a risk assessment
What are the two methods used for determining the value of an asset?
Which method is related to cost? Quantitive or qualative?
Which method is related to importance? Quantitive or qualative
What 3 basic elements are used to determine the value of an asset?
Initial and maintenance costs
Organisational (internal) value
Which value (organisational or public) includes the cost of acquiring, creating or re-creatinine information, and the business impact or loss if the information is lost or compromised. It can also include liability costs, personal injury, death, etc?
Which value (organisational or public) includes loss of proprietary information or processes and business reputation?
What are the 4 basic steps in threat analysis?
1. Define the threat
2. Identify the consequences if threat occurs
3. Determine the probable frequency of threat event
4. Assess the probability of threat occurring
What two types are threats generally categorised as?
Which 4 steps are involved in risk analysis?
1. Identify assets to be protected including sensitivity, value, importance to the organisation.
2. Define specific threats including threat frequency and impact data
3. Calculate Annualised Loss Expectancy (ALE)
4. Select appropriate safeguards
How is the annual loss expectancy calculated?
SLE x ARO = ALE
Single loss expectancy x annual rate of occurrence