Term
The categories of security policies

Definition
- corporate security policy
- major policies (email, hiring, firing, PII)
- AUP - summarizes key points
- countermeasures


Term

Definition
specify the DETAILED action that must be taken by specific employees


Term
the logical responses to risk

Definition
- reduction - adopting active countermeasures
- acceptance - no countermeasures and absorbing damages
- transference - having someone else absorb the risk (insurance/outsourcing)
- avoidance - not partaking in an action that is too risky


Term

Definition
limits the discretion of people in order to simplify decisions, limit bad decisions and give consistency


Term

Definition
statements of what should be done under specific situations


Term

Definition
specifies how to do security planning and implementation


Term

Definition
things that require a firm to change its security planning, protections and responses


Term

Definition
describes the details of what is to be done without specifically describing how to do them (checklists: save data, but doesn't say through what media)


Term
absolute IT security is impossible and companies must think in terms of ___

Definition


Term
high-level decisions for what should be done are ___

Definition


Term
name the aspects of strategic IT security planning

Definition
- assess current security
- ID driving forces
- ID all resources protected by IT security
- classify resources by sensitivity


Term
units within a firm that are of special importance to IT security

Definition
- ethics/compliance/privacy officers
- HR
- legal
- auditing (internal, financial, IT)
- facilities management
- uniformed security


Term
___ requires strong protection for private data in health care organizations

Definition
Health Insurance Portability and Accountability Act (HIPAA)


Term
prescriptive statements about what companies SHOULD do

Definition


Term
in many cases ___ are the weakest links in security protection

Definition


Term
an element of the architecture at which an attacker can do a great deal of damage by compromising a single system

Definition
single point of vulnerability


Term
all of a company's technical countermeasures and how they are organized into complete systems of protection

Definition
technical security architecture


Term
what is most commonly outsourced for security

Definition


Term
what is the purpose of auditing

Definition
develop opinions on the health of controls, not to find punishable instances of non-compliance


Term
what is COSO and its objective

Definition
focuses broadly on CORPORATE and internal financial controls
- strategic
- operations
- reporting
- compliance


Term
possible locations of security in a business

Definition
- outside IT - no independence from IT
- within IT - IT and security share technology skill set
- hybrid - firewall maintenance in IT; policy making, planning and auditing outside IT


Term
descriptions of what the best firms in the industry are doing

Definition


Term
when should security be involved in a project?

Definition


Term
security technologies that a company implemented in the past but that are now at least somewhat ineffective

Definition
legacy security technology


Term
these are discretionary to implement

Definition


Term
formally announcing or making users aware of a new policy

Definition


Term
being able to manage security technologies from a single security management console

Definition
centralized security management


Term
vulnerability tests are done to ___

Definition
tell if the security policies are succeeding and ID vulnerabilities by attacking the system yourself


Term
___ requires companies to report material control deficiencies in their financial reporting processes

Definition
Sarbanes-Oxley Act of 2002


Term
sanctions/liability if implementation isn't done properly

Definition


Term
if the failure of any single element will ruin security

Definition


Term
___ are a few well-chosen measurable indicators of security success or failure

Definition


Term
an outside firm that handles delegated security controls

Definition
managed security service provider


Term
what is the most important part of driving forces?

Definition
compliance laws and regulations


Term
mandatory implementation guidance is called ___

Definition


Term
the most common single point of vulnerability is ___

Definition
DNS server (unless there are several)


Term
___ doesn't evolve in an uncoordinated series of security decisions but follows a coherent plan

Definition
security system decisions


Term
define plan, protect, respond

Definition
- plan - reassessments, new threats and business conditions require security re-evaluation
- protect - plan-based creation and operation of countermeasures; most time is spent here
- respond - recovery according to plan; must be planned out in advance


Term
___ has the power to prosecute firms that fail to take reasonable precautions to protect private information

Definition


Term
closing all routes of an attack

Definition


Term
multiple countermeasures for an attacker to break through; they are all independent

Definition


Term
___ was enacted to bolster computer and network security within the federal government and affiliated parties

Definition
Federal Information Security Management Act (FISMA)


Term
___ is when a person who authorizes a request should never be the one who makes the request

Definition
request-authorization control


Term
compares probable losses with the cost of security protections

Definition


Term
___ is a complete act that should require two or more people

Definition


Term

Definition
- opportunity
- pressure
- rationalization


Term

Definition
- certification of the system by the organization or an outside party
- accreditation of the system by issuing an authorization to operate


Term
broad set of rules ensuring privacy rights in Europe

Definition
EU Data Protection Directive of 2002


Term
___ requires strong protection for personal data in financial institutions

Definition
Gramm-Leach-Bliley Act (GLBA)


Term
COSO framework components

Definition
- internal environment
- objective setting
- event identification
- risk assessment
- risk response
- control activity


Term
___ is used to establish IT controls

Definition
Control Objectives for Information and Related Technologies (COBIT)


Term
a system's entire life from creation to termination

Definition


Term
professional association for IT auditors

Definition
Information Systems Audit and Control Association


Term
___ focuses on IT security in detail

Definition


Term

Definition
- plan and organize
- acquire and implement
- deliver and support
- monitor and evaluate


Term
to protect against threats, most firms use the highest-level security management process called ___

Definition
Plan-Protect-Respond cycle


Term
companies must develop and follow ___ in security management

Definition
