Information Security & Risk Management Flashcards

Flashcards in Information Security & Risk Management Deck (42):
1

CIA triad.

Confidentiality, integrity, availability or Disclosure, alteration, destruction

2

Ensures that private information remains protected from unauthorized disclosure.

Confidentiality

3

Ensures that data isn't modified in an unintended manner, either through accidental modification by authorized individuals or malicious modification by any individual, authorized or unauthorized.

Integrity

4

Ensures that data is always available for the use of authorized individuals.

Availability

5

The means by which users make an identity claim to the system.

Identification

6

The means by which the system validates the user's identity.

Authentication

7

The system's ability to determine which activities may be permitted to an identified and authenticated user.

Authorization

8

The system's ability to determine the actions of users within the system and attribute those actions to individually identifiable users.

Accountability

9

The inability of the sender of a message to refute sending the message.

Non-repudiation

10

The user's level of confidence that their data is safe from unauthorized disclosure.

Privacy

11

Five main government classification levels.

Unclassified, sensitive but unclassified, confidential, secret, top secret

12

Five main industry classification levels.

Public, internal, confidential, restricted, highly restricted

13

Four criteria for determining classification levels.

Value to the organization, age and useful life of the information, ability of an outsider to independently develop the same information, the potential harm to the organization

14

Every resource and user is associated with one of an ordered set of classes. Resources of a particular class may only be accessed by those whose associated class is as high or higher than that of the resource.

Lattice model

15

Defines relationships between objects and subjects. Subjects are allowed write access to objects at the same or higher level as the subject, read access to objects at the same or higher level as the subject, read access to objects at the same or lower level, and read/write access only to those objects at the same level.

Bell-LaPadula

16

Four levels of security management hierarchy documents.

Policies, standards, guidelines, procedures

17

Broad statements about the organization's commitment to information security and the goals of the program. Mandatory.

Policies

18

Provide specific technical requirements for security mechanisms. Mandatory.

Standards

19

General guidance in areas of information security where formal policies and standards don't exist. Not mandatory.

Guidelines

20

Step-by-step instructions for performing specific security-related tasks.

Procedures

21

A formal mechanism for responding to any incident that appears to be a violation of a security policy, standard, guideline, or procedure that threatens the overall information security of the organization.

Computer incident response team (CIRT)

22

Potential harm or loss to a system; the probability that a threat will materialize.

Risk

23

A resource, process, product, system, etc.

Asset

24

Any event that causes an undesirable impact on an organization.

Threat

25

Absence of a safeguard.

Vulnerability

26

Asset, threat, and vulnerability.

Risk management (RM) triple

27

A technical means to exploit a vulnerability.

Exploit

28

Percentage loss a realized threat would have on an asset.

Exposure factor (EF)

29

Loss from a single realized threat.

Single loss expectancy (SLE). SLE = asset value ($) x EF

30

Estimated frequency at which a threat is expected to occur.

Annualized rate of occurrence (ARO)

31

The total of SLE multiplied by the ARO.

Annualized loss expectancy (ALE). ALE = SLE x ARO

32

Control or countermeasure to reduce risk associated with a threat.

Safeguard

33

Two types of risk analysis.

Qualitative, quantitative

34

Type of risk assessment that assigns an objective dollar cost to an asset.

Quantitative

35

Type of risk assessment that assigns intangible values to data loss and other issues that are not pure hard costs.

Qualitative

36

Four risk management techniques.

Mitigate, avoid, accept, transfer

37

Risk management technique that puts controls in place to reduce the risk to the organization.

Mitigate

38

Risk management technique that changes the organization's activities to completely avoid the risk.

Avoid

39

Risk management technique that acknowledges the risk and takes no action whatsoever.

Accept

40

Risk management technique that places the burden of the risk on someone else.

Transfer

41

Five elements of a security awareness training program.

Initial training, recurring training, retraining, remedial training, security reminders

42

Four levels of security awareness.

Security awareness, security training, security education, security certification