IS Governance & Risk Management Flashcards
Availability
Availability: Reliable and timely access to data and resources is provided to authorized individuals.
Integrity
Integrity: Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.
Confidentiality
Confidentiality: Necessary level of secrecy is enforced and unauthorized disclosure is prevented.
Shoulder surfing
Viewing information in an unauthorized manner by looking over the shoulder of someone else.
Social engineering
Gaining unauthorized access by tricking someone into divulging sensitive information.
What controls can be implemented to protect data confidentiality?
• Encryption for data at rest (whole-disk encryption, database encryption)
• Encryption for data in transit (IPsec, TLS as the successor to SSL, SSH; PPTP appears in older lists but its MS-CHAPv2 authentication is broken and it should not be relied on)
• Access control (physical and technical)
What controls can be implemented to protect asset integrity? Including
- Data integrity
- System integrity
- Process integrity
• Hashing (data integrity)
• Configuration management (system integrity)
• Change control (process integrity)
• Access control (physical and technical)
• Software digital signing (a keyed control: someone who alters the software cannot produce a valid signature without the signing key)
• Transmission CRC functions (detect accidental corruption only; an attacker who changes the data can recompute the CRC, so a CRC is not a control against deliberate modification)
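The difference between the three data-integrity controls above is easiest to see by running them side by side. The following is an added example, not part of the flashcard deck: a producer attaches a CRC32, a SHA-256 digest and a keyed HMAC-SHA256 tag to a record, and a consumer checks all three after (a) accidental corruption in transit and (b) deliberate tampering by an attacker who rewrites the data and any unkeyed tag next to it. HMAC is used here as a stand-in for the keyed property that digital signing provides (a real software-signing control uses an asymmetric key pair, so the verifier holds no secret). The record contents, the key and the tampered value are constructed for the demonstration.

```python
"""Integrity controls compared: CRC32 vs. SHA-256 vs. keyed HMAC-SHA256.

Added example (not from the flashcard deck). The record, the key and the
tampered value below are constructed sample data; the key is a placeholder,
not a real secret.
"""
import hashlib
import hmac
import zlib

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"   # constructed placeholder


def crc_tag(data: bytes) -> int:
    """Error-detecting code: catches accidental corruption, unkeyed."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_tag(data: bytes) -> str:
    """Cryptographic hash: collision-resistant, but still unkeyed."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def publish(data: bytes, key: bytes) -> dict:
    """Producer side: ship the data together with all three tags."""
    return {
        "data": data,
        "crc": crc_tag(data),
        "sha256": sha256_tag(data),
        "hmac": hmac_tag(key, data),
    }


def verify(record: dict, key: bytes) -> dict:
    """Consumer side: report which integrity checks still pass."""
    d = record["data"]
    return {
        "crc": crc_tag(d) == record["crc"],
        "sha256": sha256_tag(d) == record["sha256"],
        # compare_digest avoids leaking tag bytes through timing differences
        "hmac": hmac.compare_digest(hmac_tag(key, d), record["hmac"]),
    }


def corrupt_in_transit(record: dict) -> dict:
    """Accidental damage: one bit of the data flips, tags are untouched."""
    damaged = dict(record)
    buf = bytearray(record["data"])
    buf[0] ^= 0x01
    damaged["data"] = bytes(buf)
    return damaged


def tamper(record: dict, new_data: bytes) -> dict:
    """Deliberate modification by an attacker who controls the record.

    The attacker rewrites the data and recomputes every unkeyed tag that
    travels with it. Lacking the key, the best they can do for the HMAC
    field is to leave the old tag in place.
    """
    forged = dict(record)
    forged["data"] = new_data
    forged["crc"] = crc_tag(new_data)
    forged["sha256"] = sha256_tag(new_data)
    return forged


if __name__ == "__main__":
    original = publish(b"approved_amount=100\n", DEMO_KEY)
    print("clean record     :", verify(original, DEMO_KEY))
    print("bit flip         :", verify(corrupt_in_transit(original), DEMO_KEY))
    print("tampered+recomputed:",
          verify(tamper(original, b"approved_amount=100000\n"), DEMO_KEY))
```

The bit flip is caught by all three checks. The tampered record passes both the CRC and the SHA-256 check, because both were recomputed by the attacker; only the keyed tag fails. A plain hash is therefore an integrity control only when the digest is delivered through a channel the attacker cannot write to (for example, published separately and signed), which is exactly the gap that digital signing closes.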
What controls can be implemented to ensure asset availability?
- Redundant array of inexpensive disks (RAID)
- Clustering
- Load balancing
- Redundant data and power lines
- Software and data backups
- Disk shadowing
- Co-location and off-site facilities
- Roll-back functions
- Fail-over configurations
Vulnerability
Weakness or lack of a countermeasure.
Can be a software, hardware, procedural, or human weakness that can be exploited.
e.g. an unnecessary service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.
Threat Agent
An entity that can exploit a vulnerability
e.g.
• an intruder accessing the network through a port on the firewall
• a process accessing data in a way that violates the security policy
• a tornado wiping out a facility
• an employee making an unintentional mistake that could expose confidential information
Threat
The danger of a threat agent exploiting a vulnerability
Risk
The probability of a threat agent exploiting a vulnerability and the associated business impact.
e.g.
• If a firewall has several ports open, there is a higher likelihood that an intruder will use one of them to access the network in an unauthorized manner.
• If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that destroys data.
• If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood that an attack will go unnoticed until it is too late.
Control
Safeguard/countermeasure that is put in place to reduce a risk.
A countermeasure may be a software configuration, a hardware device, or a procedure that eliminates a vulnerability or that reduces the likelihood a threat agent will be able to exploit a vulnerability.
e.g. strong password management, firewalls, a security guard, access control mechanisms, encryption, and security-awareness training.
Exposure
Presence of a vulnerability, which exposes the organization to a threat.
e.g.
• If password management is lax and password rules are not enforced, the company is exposed to the possibility of having users' passwords captured and used in an unauthorized manner.
• If a company does not have its wiring inspected and does not put proactive fire prevention steps into place, it exposes itself to potentially devastating fires.
Relationship between security concepts
A threat agent > gives rise to a threat > which exploits a vulnerability > leading to a risk > which can damage an asset > and cause an exposure > which can be countered by a safeguard/control > which directly affects the threat agent.