Shared Flashcard Set

Details

Domain 1 - ISC2
CISSP - Information Security Management
71
Computer Networking
Professional
07/05/2011


Cards

Term
Integrity
Definition
Prevent modification of data
Term
Confidentiality
Definition
Prevent disclosure of data
Term
Availability
Definition
Ensure reliable timely access to data
Term
Identification
Definition
Means by which a user claims an identity
Term
Authentication
Definition
Establishes the user's identity
Term
Accountability
Definition
System's ability to determine the actions of users
Term
Authorization
Definition
Rights and permissions granted to an individual
Term
Privacy
Definition
Level of confidentiality that a user is given
Term
Data Classification
Definition
- Has high-level, enterprise-wide benefit
- Demonstrates the organization's commitment to security
- Helps identify sensitive and vital information
- Supports C.I.A.
- May be required for legal or regulatory reasons
Term
Risk Analysis
Definition
Assess the impact of the threat and the risk of the threat occurring (likelihood)
Term
Unclassified
Definition
Neither sensitive nor classified, public release is acceptable
Term
Sensitive But Unclassified (SBU)
Definition
Minor secret, no serious damage if disclosed
Term
Confidential
Definition
Disclosure could cause damage to National Security
Term
Secret
Definition
Disclosure could cause serious damage to National Security
Term
Top Secret
Definition
Disclosure could cause exponentially grave damage to National Security
Term
Public
Definition
Similar to unclassified, should not be disclosed but is not a problem if it is
Term
Sensitive
Definition
Data protected from loss of Confidentiality and integrity
Term
Private
Definition
Data that is personal in nature and for company use only
Term
Confidential
Definition
Very sensitive for internal use only - could seriously negatively impact the company
Term
Value
Definition
Number one classification criterion: if it is valuable it should be protected
Term
Age
Definition
Value of data lowers over time, automatic de-classification. Number two classification criterion
Term
Useful Life
Definition
If the information is made obsolete it can often be de-classified. Number three classification criterion
Term
Personal Association
Definition
If the data contains personal information it should remain classified. Number four classification criterion
Term
Owner
Definition
- May be executive or manager
- Has final corporate responsibility for data protection
- Makes determination of classification level
- Reviews classification level regularly for appropriateness
- Delegates responsibility of data protection to the Custodian
Term
Custodian
Definition
- Generally IT systems personnel
- Running regular backups and testing recovery
- Performs restoration when required
- Maintains records in accordance with the classification policy
Term
User
Definition
- Anyone who routinely uses the data
- Must follow operating procedures
- Must take due care to protect
- Must use computing resources of the company for company purposes only
Term
Policy
Definition
A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area.
Term
Regulatory Policies
Definition
The company is required to implement these due to legal or regulatory requirements. Usually very detailed and specific to the industry of the organization. They ensure the company is following industry-standard procedures and give the company confidence that it is doing so.
Term
Advisory Policies
Definition
Not mandated but strongly suggested. Company wants employees to consider these mandatory. Can have exclusions for certain employees or job functions.
Term
Informative Policies
Definition
Exist simply to inform the reader. No implied or specified requirements.
Term
Standards
Definition
A specific product or mechanism that is selected for universal use throughout the organization in order to support policy.
Term
Guidelines
Definition
General statements designed to achieve the policy's objectives by providing a framework within which to implement controls not covered by procedures.
Term
Baseline
Definition
Mandatory descriptions of how to implement security packages to ensure that implementations result in a consistent level of security throughout the organization.
Term
Procedures
Definition
Spell out step-by-step specifics of how the policy and supporting standards and guidelines will actually be implemented in an operating environment.
Term
Exposure Factor (EF)
Definition
Percent of asset loss caused by threat
Term
Single Loss Expectancy (SLE)
Definition
Expected financial loss for single event
= Asset Value x Exposure Factor
Term
Annualized Rate of Occurrence (ARO)
Definition
represents estimated frequency in which threat will occur within one year
Term
Annualized Loss Expectancy (ALE)
Definition
Annually expected financial loss
= SLE x ARO
Term
Quantitative Analysis
Definition
Assigns objective numerical values (dollars)
Term
Qualitative analysis
Definition
An analysis based on more intangible values (data), scenario oriented.
Term
Preliminary Security Examination (PSE)
Definition
Conducted prior to the quantitative analysis. Helps gather the elements that will be needed for the actual risk analysis
Term
Risk Analysis Steps
Definition
1) Estimate potential loss
2) Analyze potential threats
3) Define the Annualized Loss Expectancy (ALE)
Term
Risk Reduction
Definition
Implementation of controls to alter risk position
Term
Risk Transference
Definition
Get insurance, transfer cost of a loss to insurance
Term
Risk Acceptance
Definition
Accept the risk, absorb loss
Term
Qualitative Scenario Procedure
Definition
- Scenario Oriented
- List the threat and the frequency
- Create exposure rating scale for each scenario
- Scenarios written that address each major threat
- Scenarios reviewed by business users for a reality check
- Risk Analysis team evaluates and recommends safeguards
- Work through each finalized scenario
- Submit findings to management
Term
Cost Benefit Analysis
Definition
ALE (PreControl) – ALE (PostControl) = Annualized value of the control
Term
Risk Management
Definition
The identification, measurement, control, and minimization of loss associated with uncertain events or risks.
Term
Threat
Definition
An event, the occurrence of which could have an undesirable impact on the well-being of an asset.
Term
Vulnerability
Definition
The absence or weakness of a risk-reducing safeguard.
Term
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Definition
Self-guided assessment developed by Carnegie Mellon; has three phases.
Term
1st Phase of OCTAVE
Definition
Identify critical assets and corresponding threats
Term
2nd Phase of OCTAVE
Definition
Identify vulnerabilities exposing the threats
Term
3rd Phase of OCTAVE
Definition
Develop protection strategy
Term
Security Posture Assessment Methodologies
Definition
- IAM
- OCTAVE
- FITSAF
Term
INFOSEC Assessment Methodology
Definition
Developed by the NSA; a detailed process of examining IS vulnerabilities and recommending appropriate countermeasures
Term
Level 1 IAM assessment
Definition
Nonintrusive baseline analysis
Term
Level 2 IAM assessment
Definition
Hands on evaluation
Term
Level 3 IAM assessment
Definition
"Red Team" activities, penetration testing
Term
IAM Assessment Phases
Definition
1) Pre-assessment
2) On-site
3) Post-assessment
Term
Federal Information Technology Security Assessment Framework (FITSAF)
Definition
Created by NIST; provides a methodology to determine current security posture and sets targets for improvement
Term
Levels of FITSAF
Definition
1) Documented
2) Complete
3) Implemented
4) Measured
5) Pervasive
Term
System Life Cycle Phases
Definition
1) Initiation
2) Development and Acquisition
3) Implementation
4) Operation and Maintenance
5) Disposal
Term
Information States
Definition
1) Processing
2) Storage
3) Transmission
Term
Security Measures
Definition
1) Policy and Procedures
2) Technology
3) Education, Training, and Awareness
Term
Trade-Off Analysis (TOA)
Definition
Considering the pros/cons and benefit/cost of a decision
Term
TOA Elements
Definition
- Define the Objective
- Identify Alternatives
- Compare Alternatives
Term
NIST SP 800-27
Definition
Engineering Principles for IT Security; contains 33 security principles for the life cycle of an IS.
Term
Types of Security Controls
Definition
1) Deterrent
2) Preventative
3) Corrective
4) Detective
Term
Security Controls - Change control
Definition
Documentation detailing changes made to the system architecture or infrastructure
Term
Security Controls - Management
Definition
1) Hardware - disks, peripherals, drivers
2) Network - rules, architecture
3) Application and O/S - service packs, patches, upgrades
4) Policies & Procedures
5) Tools - checksums, signatures, integrity software