Primary Definitions 8.0-13.0 Flashcards

Understanding the core security concepts. (144 cards)

1
Risk Management
Fundamental process that involves identifying, analyzing, treating, monitoring, and reporting risks.
2
Risk Assessment Frequency
The regularity with which risk assessments are conducted within an organization.
3
Risk Identification
Recognizing potential risks that could negatively impact an organization’s ability to operate or achieve its objectives.
4
Business Impact Analysis
Process that involves evaluating the potential effects of disruption to an organization’s business functions and processes.
5
Recovery Time Objective (RTO)
The maximum acceptable length of time that can elapse before the lack of a business function severely impacts the organization.
6
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss, measured in time.
7
Mean Time to Repair (MTTR)
The average time required to repair a failed component or system.
8
Mean Time Between Failures (MTBF)
The average time between failures.
9
Risk Register (Risk Log)
A document detailing identified risks, including their description, impact, likelihood, and mitigation strategies.
10
Risk Tolerance/Risk Acceptance
Refers to an organization’s or individual’s willingness to deal with uncertainty in pursuit of their goals.
11
Risk Appetite
Signifies an organization’s willingness to embrace or retain specific types and levels of risk to fulfill its strategic goals.
12
Key Risk Indicators (KRIs)
Essential predictive metrics used by organizations to signal rising risk levels in different parts of the enterprise.
13
Risk Owner
Person or group responsible for managing the risk.
14
Qualitative Risk Analysis
A method of assessing risks based on their potential impact and the likelihood of their occurrence.
15
Quantitative Risk Analysis
Method of evaluating risk that uses numerical measurements.
16
Single Loss Expectancy (SLE)
Monetary value expected to be lost in a single event. Calculated by multiplying the value of the asset by the exposure factor.
17
Annualized Rate of Occurrence (ARO)
Estimated frequency with which a threat is expected to occur within a year.
18
Annualized Loss Expectancy (ALE)
Expected annual loss from a risk (SLE x ARO).
19
Exposure Factor (EF)
Proportion of an asset that is lost in an event. Expressed as a percentage: 0% is no loss, 100% is total loss.
20
Risk Transference (Risk Sharing)
Involves shifting the risk from the organization to another party.
21
Risk Acceptance
Recognizing a risk and choosing to address it when it arises.
22
Risk Avoidance
Strategy of altering plans or approaches to eliminate a specific risk.
23
Risk Mitigation
Implementing measures to decrease the likelihood or impact of a risk.
24
Risk Monitoring
Involves continuously tracking identified risks, assessing new risks, executing response plans, and evaluating their effectiveness during a project’s lifecycle.
25
Residual Risk
Likelihood and impact after implementing mitigation, transference, or acceptance measures on the initial risk.
26
Control Risk
Assessment of how a security measure has lost effectiveness over time.
27
Risk Reporting
Process of communicating information about risk management activities.
28
Third-party Vendor Risks
Potential security and operational challenges introduced by external entities (vendors, suppliers, or service providers).
29
Managed Service Providers (MSP)
Organizations that provide a range of technology services and support to businesses and other clients.
30
Supply Chain Attack
Attack that involves targeting a weaker link in the supply chain to gain access to a primary target.
31
Vendor Assessment
Process that organizations implement to evaluate the security, reliability, and performance of external entities.
32
Vendors
Businesses or individuals that provide goods or services to an organization.
33
Suppliers
Individuals involved in the production and delivery of products or parts of products.
34
Internal Audit
Vendor's self-assessment where they evaluate their own practices against industry standards or organizational requirements.
35
Independent Assessment
Evaluation conducted by third-party entities that have no stake in the organization's or vendor's operations.
36
Supply Chain Analysis
Used to dive deep into a vendor's entire supply chain and assess the security and reliability of each link.
37
Due Diligence
Rigorous evaluation that goes beyond surface-level credentials.
38
Conflict of Interest
Arises when personal or financial relationships could potentially cloud the judgment of individuals involved in vendor selection.
39
Vendor Questionnaires
Comprehensive documents that potential vendors fill out to offer insights into their operations, capabilities, and compliance.
40
Rules of Engagement
Guidelines that dictate the terms of interaction between an organization and its potential vendors.
41
Basic Contract
Versatile tool that formally establishes a relationship between two parties.
42
Service-Level Agreement (SLA)
The standards of service a client can expect from a provider.
43
Memorandum of Agreement (MOA)
Formal document that outlines the specific responsibilities and roles of the involved parties.
44
Memorandum of Understanding (MOU)
Less binding; more of a declaration of mutual intent.
45
Master Service Agreement (MSA)
Blanket agreement that covers the general terms of engagement between parties across multiple transactions.
46
Statement of Work (SOW)
Used to specify details for a particular project.
47
Non-Disclosure Agreement (NDA)
Commitment to privacy that ensures that any sensitive information shared during negotiations remains confidential between both parties.
48
Business Partnership Agreement (BPA)
Document that goes a step beyond the basic contract when two entities decide to pool their resources for mutual benefit.
49
Governance
Overall management of the organization's IT infrastructure, policies, procedures, and operations.
50
Compliance
Adherence to laws, regulations, standards, and policies that apply to the operations of the organization.
51
Committees
Subgroups of a board of directors, each with a specific focus.
52
Government Entities
They establish laws and regulations that organizations must comply with.
53
Centralized Structures
Decision-making authority is concentrated at the top levels of management.
54
Decentralized Structures
Distributes decision-making authority throughout the organization.
55
Acceptable Use Policy (AUP)
A document that outlines the do's and don'ts for users when interacting with an organization's IT systems and resources.
56
Business Continuity
Focuses on how an organization will continue its critical operations during and after a disruption.
57
Disaster Recovery
Focuses specifically on how an organization will recover its IT systems and data after a disaster.
58
Incident Response
A plan for handling security incidents.
59
Software-Development Lifecycle (SDLC)
Guides how software is developed within an organization.
60
Change Management
Aims to ensure that changes are implemented in a controlled and coordinated manner, minimizing the risk of disruptions.
61
Password Standards
Dictate the complexity and management of passwords, which are the first line of defense against unauthorized access.
62
Access Control Standards
Determine who has access to what resources within an organization.
63
Discretionary Access Control (DAC)
Allows the owner of the information or resource to decide who can access it.
64
Mandatory Access Control (MAC)
Uses labels or classifications to determine access. Government uses this one often.
65
Role-Based Access Control (RBAC)
Assigns access based on organizational role, ensuring users only access what is needed for their job function.
66
Emergency Evacuation Procedure
Outlines the steps employees should take in case of an emergency, such as a fire or natural disaster.
67
Data Backup Procedure
Details how and when data should be backed up to prevent data loss.
68
Onboarding
The process of integrating new employees into the organization.
69
Offboarding
The process of managing the transition when an employee leaves.
70
Playbooks
Checklist of actions to perform to detect and respond to a specific type of incident.
71
Internal Compliance Reporting
Collection and analysis of data to ensure that an organization is following its internal policies and procedures.
72
External Compliance Reporting
Demonstrating compliance to external entities such as regulatory bodies, auditors, or customers; often mandated by law or contract.
73
Compliance Monitoring
The process of regularly reviewing and analyzing an organization's operations to ensure compliance with laws, regulations, and internal policies.
74
Attestation
Formal declaration by a responsible party that the organization's processes and controls are compliant.
75
Acknowledgement
Recognition and acceptance of compliance requirements by all relevant parties.
76
Acquisition
Process of obtaining goods and services.
77
Procurement
Encompasses the full process of acquiring goods and services, including all preceding steps.
78
Bring Your Own Device (BYOD)
Permits employees to use personal devices for work.
79
Corporate-Owned, Personally Enabled (COPE)
Involves the company providing a mobile device to employees for both work and personal use.
80
Choose Your Own Device (CYOD)
Offers a middle ground between BYOD and COPE by allowing employees to choose devices from a company-approved list.
81
Classification
Involves categorizing assets based on criteria like function, value, or other relevant parameters as determined by the organization.
82
Asset Tracking
Involves maintaining a comprehensive inventory with asset specifications, locations, assigned users, and relevant details.
83
Enumeration
Involves identifying and counting assets, especially in large organizations or during times of asset procurement or retirement.
84
Mobile Device Management (MDM)
Lets organizations securely oversee employee devices, ensuring policy enforcement, software consistency, and data protection.
85
Sanitization
The thorough process of making data inaccessible and irretrievable from a storage medium using traditional forensic methods.
86
Overwriting
Replacing the existing data on a storage device with random bits of information to ensure that the original data is obscured.
87
Degaussing
Involves using a machine called a degausser to produce a strong magnetic field that can disrupt the magnetic domains on storage devices like hard drives or tapes.
88
Secure Erase
Completely deletes data from a storage device while ensuring that it can't be recovered using traditional recovery tools.
89
Cryptographic Erase
Leverages cryptographic techniques to sanitize the data on the storage device. The idea is you delete the encryption key so the encrypted data is no longer able to be decrypted.
90
Destruction
Ensures the physical device itself is beyond recovery or reuse.
91
Certification
An act of proof that the data or hardware has been securely disposed of.
92
Change Advisory Board (CAB)
Body of representatives from various parts of an organization that is responsible for evaluation of any proposed changes.
93
Stakeholder
A person who has a vested interest in the proposed change.
94
Audit Committee
Group of people responsible for supervising the organization's audit and compliance functions.
95
Self-assessment
Internal review conducted by an organization to gauge its adherence to particular standards or regulations.
96
External Assessment
Detailed analysis conducted by independent entities to identify vulnerabilities and risks.
97
Independent Third-party Audit
Offers validation of security practices, fostering trust with customers, stakeholders, and regulatory authorities.
98
Penetration Testing (Pentesting)
Simulated cyber-attack that helps in the assessment of computer systems for exploitable vulnerabilities.
99
Offensive (Red Teaming)
Proactive approach that involves the use of attack techniques, akin to real cyber threats, that seek and exploit system vulnerabilities.
100
Defensive (Blue Teaming)
Reactive approach that entails fortifying systems, identifying and addressing attacks, and enhancing incident response times.
101
Integrated (Purple Teaming)
Combination of aspects of both offensive and defensive testing into a single penetration test.
102
Reconnaissance
An initial phase where critical information about a target system is gathered to enhance an attack's effectiveness and success.
103
Active Reconnaissance
Direct engagement with the target system, offering more information but with a higher detection risk.
104
Passive Reconnaissance
Gathering information without direct engagement with the target system, offering lower detection risk but less data.
105
Known Environment
Detailed target infrastructure information from the organization is received prior to the test.
106
Partially Known Environment
Involves limited information provided to testers, who may have partial knowledge of the system.
107
Unknown Environment
Testers receive minimal to no information about the target system.
108
Cyber Resilience
Entity's ability to continuously deliver the intended outcome despite adverse cyber events.
109
Redundancy
Involves having additional systems, equipment, or processes to ensure continued functionality if the primary ones fail.
110
High Availability
The ability of a service to be continuously available by minimizing the downtime to the lowest amount possible.
111
Uptime
The number of minutes or hours that the system remains online over a given period.
112
Load Balancing
The process of distributing workloads across multiple computing resources.
113
Clustering
The use of multiple computers, multiple storage devices, and redundant network connections that all work together as a single system to provide high levels of availability, reliability, and scalability.
114
Redundant Array of Independent Disks (RAID)
Combines multiple physical storage devices into a recognized single logical storage device.
115
RAID 0
Provides data striping across multiple disks to increase performance.
116
RAID 1
Mirrors data for redundancy across two drives or SSDs.
117
RAID 5
Stripes data with parity, using at least three storage devices.
118
RAID 6
Uses data striping across multiple devices with two pieces of parity data.
119
RAID 10
Combines RAID 1 and RAID 0, featuring mirrored arrays in a striped setup.
120
Capacity Planning
Crucial strategic planning to meet future demands cost-effectively.
121
Surges
A small and unexpected increase in the amount of voltage that is being provided.
122
Spikes
A short transient voltage that is usually caused by a short circuit, a tripped circuit breaker, a power outage, or a lightning strike.
123
Sags
A small and unexpected decrease in the amount of voltage that is being provided.
124
Undervoltage events
Occur when the voltage is reduced to lower levels, usually for a longer period of time.
125
Full power loss events
Occur when there is a total loss of power for a given period of time.
126
Line Conditioners
Used to overcome any minor fluctuations in the power being received by the given system.
127
Uninterruptible Power Supply Systems (UPS)
A device that provides emergency power to a system when the normal input power source has failed.
128
Generators
Machine that converts mechanical energy into electrical energy for use in an external circuit through the process of electromagnetic induction.
129
Power Distribution Centers (PDC)
Act as a central hub where power is received and then distributed to all systems in the data center.
130
Data Backup
The process of creating duplicate copies of digital information to protect against data loss, corruption, or unavailability.
131
Onsite or Offsite Backup
Where the backups of the data are physically being stored.
132
Frequency
How much data is the company willing to lose?
133
Snapshots
Point-in-time copies of the data that capture a consistent state that is essentially a frozen copy of the data in time.
134
Business Continuity Plan (BCP)
Addresses responses to disruptive events.
135
Disaster Recovery Plan (DRP)
Considered a subset of BC Plan, it focuses on how to resume operations swiftly after a disaster.
136
Redundant Site
Alternative sites for backup in case the primary location encounters a failure or interruption.
137
Hot Site
A fully equipped backup facility ready to swiftly take over in case of a primary site failure or disruption.
138
Warm Site
A partially equipped backup site that can become operational within days of a primary site disruption.
139
Cold Site
A site with no immediate equipment or infrastructure but can be transformed into a functional backup facility.
140
Mobile Site
A versatile site that utilizes independent and portable units like trailers or tents to deliver recovery capabilities.
141
Virtual Site
Utilizes cloud-based environments and offers a highly flexible approach to redundancy.
142
Platform Diversity
A vital aspect in redundant site design that uses different platforms to prevent single points of failure in disaster recovery.
143
Failover test
Verifies seamless system transition to a backup for uninterrupted functionality during disasters.
144
Parallel Processing
Replicates data and processes onto a secondary system, running both in parallel.