Term
What does information security mean?

Definition
The term “information security” means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:
- Confidentiality
- Integrity
- Availability

Term
What is an information security management system?

Definition
The information security management system is an organizational internal control process that controls the special risks associated with information within the organization.

Term
What are the basic elements of an information system?

Definition
The ISMS has the basic elements of any information system, such as hardware, databases, procedures, and reports.

Term
Who manages the information security system, and who do they report to?

Definition
The information security system must be managed by a chief security officer (CSO). This individual should report directly to the board of directors in order to maintain complete independence.

Term
What are the two different approaches to analyzing vulnerabilities and threats?

Definition
Quantitative approach to risk assessment and qualitative approach

Term
What is the equation for the quantitative approach?

Definition
Cost of an individual loss × Likelihood of its occurrence

Term
What are the two difficulties with the quantitative approach?

Definition
1) Identifying the relevant costs per loss and the associated likelihoods can be difficult.
2) Estimating the likelihood of a given failure requires predicting the future, which is very difficult.

Term
How does the qualitative approach analyze vulnerabilities and threats?

Definition
The system’s vulnerabilities and threats are subjectively ranked in order of their contribution to the company’s total loss exposure.

Term
What are the seven loss exposure areas examined by the qualitative approach?

Definition
1) business interruption
2) loss of software
3) loss of data
4) loss of hardware
5) loss of facilities
6) loss of service and personnel
7) loss of reputation

Term
What are vulnerabilities and threats?

Definition
A vulnerability is a weakness in a system. A threat is a potential exploitation of a vulnerability.

Term
What are the three groups of individuals that pose a threat to the information system?

Definition
1) Information systems personnel
2) Users
3) Intruders and hackers

Term
Which five types of people are included in information systems personnel?

Definition
1) computer maintenance persons
2) programmers
3) network operators
4) information systems administrative personnel
5) data control clerks

Term
What are users and intruders/hackers in regard to an information system?

Definition
Users are composed of heterogeneous groups of people. Their functional area does not lie in data processing or information technology.
An intruder or a hacker is anyone who accesses equipment, electronic data, files, or any kind of privileged information without proper authorization.

Term
What do security measures and contingency plans do?

Definition
Security measures focus on preventing and detecting threats.
Contingency plans focus on correcting the effects of threats.

Term
What is the objective of site-access controls?

Definition
The objective of site-access controls is to physically separate unauthorized individuals from computer resources.

Term
What do system-access controls do?

Definition
These controls authenticate users by using such means as user IDs, passwords, IP addresses, and hardware devices.
It is often desirable to withhold “administrative rights” from individual PC users.

Term
What do file-access controls do?

Definition
The most fundamental file-access control is the establishment of authorization guidelines and procedures for accessing and altering files.

Term
What are the three types of file backups?

Definition
Full backups, incremental backups, and differential backups

Term
Internet-related vulnerabilities may arise from which six areas?

Definition
1) the operating system or its configuration
2) the Web server or its configuration
3) the private network and its configuration
4) various server and communications programs
5) cloud and grid computing
6) general security procedures

Term
Why is disaster risk management important?

Definition
Disaster risk management is essential to ensure continuity of operations in the event of a catastrophe.

Term
Who implements a disaster recovery plan?

Definition
A disaster recovery plan must be implemented at the highest levels in the company. The first step in developing a disaster recovery plan should be obtaining the support of senior management and setting up a planning committee.

Term
The design of the risk management plan should do what three things?

Definition
1) Assess the company’s critical needs.
2) List priorities for recovery.
3) Establish recovery strategies and procedures.

Term
What are the six things that a set of recovery strategies should take into account?

Definition
1) emergency response center
2) escalation procedures
3) alternate processing arrangements
4) personnel relocation and replacement plans
5) salvage plan
6) plan for testing and maintaining the system