Shared Flashcard Set

Details

Domain 3 - Information Security Governance and Risk Manag.
CISSP - Domain 3 - Information Security Governance and Risk Management Terms From AIO 6th Edition
55
Computer Networking
Professional
11/24/2013

Cards

Term
Availability
Definition
Reliable and timely access to data and resources is provided to authorized individuals.
Term
Integrity
Definition
Accuracy and reliability of the information and systems are provided and any unauthorized modification is prevented.
Term
Confidentiality
Definition
Necessary level of secrecy is enforced and unauthorized disclosure is prevented.
Term
Shoulder surfing
Definition
Viewing information in an unauthorized manner by looking over the shoulder of someone else.
Term
Social engineering
Definition
Gaining unauthorized access by tricking someone into divulging sensitive information.
Term
Vulnerability
Definition
Weakness or a lack of a countermeasure.
Term
Threat agent
Definition
Entity that can exploit a vulnerability.
Term
Threat
Definition
The danger of a threat agent exploiting a vulnerability.
Term
Risk
Definition
The probability of a threat agent exploiting a vulnerability and the associated impact.
Term
Control
Definition
Safeguard that is put in place to reduce a risk, also called a countermeasure.
Term
Exposure
Definition
Presence of a vulnerability, which exposes the organization to a threat.
Term
Security through obscurity
Definition
Relying upon the secrecy or complexity of an item as its security, instead of practicing solid security practices.
Term
ISO/IEC 27000 series
Definition
Industry-recognized best practices for the development and management of an information security management system.
Term
Zachman framework
Definition
Enterprise architecture framework used to define and understand a business environment developed by John Zachman.
Term
TOGAF
Definition
The Open Group Architecture Framework. Enterprise architecture framework used to define and understand a business environment developed by The Open Group.
Term
SABSA framework
Definition
Sherwood Applied Business Security Architecture. Risk-driven enterprise security architecture that maps to business initiatives, similar to the Zachman framework.
Term
DoDAF
Definition
U.S. Department of Defense architecture framework that ensures interoperability of systems to meet military mission goals.
Term
MODAF
Definition
Architecture framework used mainly in military support missions developed by the British Ministry of Defence.
Term
CobiT
Definition
Set of control objectives used as a framework for IT governance developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI).

It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.

CobiT is broken down into four domains:
  • Plan and Organize
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate
Term
SP 800-53
Definition
Set of controls that are used to secure U.S. federal systems developed by NIST.
Term
COSO
Definition
Internal control model used for corporate governance to help prevent fraud developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.
Term
ITIL
Definition
Best practices for information technology services management processes developed by the United Kingdom’s Office of Government Commerce.
Term
Six Sigma
Definition
Business management strategy developed by Motorola with the goal of improving business processes.
Term
NIST 800-30
Definition
Risk Management Guide for Information Technology Systems. A U.S. federal standard that is focused on IT risks.
Term
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Definition
Team-oriented approach that assesses organizational and IT risks through facilitated workshops.
Term
AS/NZS 4360
Definition
Australia and New Zealand business risk management assessment approach.
Term
ISO/IEC 27005
Definition
International standard for the implementation of a risk management program that integrates into an information security management system (ISMS).
Term
Failure Modes and Effect Analysis
Definition
Approach that dissects a component into its basic functions to identify flaws and those flaws’ effects.
Term
Fault tree analysis
Definition
Approach to map specific flaws to root causes in complex systems.
Term
CRAMM
Definition
Central Computing and Telecommunications Agency Risk Analysis and Management Method.
Term
Quantitative risk analysis
Definition
Assigning monetary and numeric values to all the data elements of a risk assessment.
Term
Qualitative risk analysis
Definition
Opinion-based method of analyzing risk with the use of scenarios and ratings.
Term
Single loss expectancy
Definition
One instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset. Asset Value × Exposure Factor = SLE.
Term
Annualized loss expectancy
Definition
Annual expected loss if a specific vulnerability is exploited and how it affects a single asset. SLE × ARO = ALE.
Term
Uncertainty analysis
Definition
Assigning confidence level values to data elements.
Term
Delphi method
Definition
Data collection method that happens in an anonymous fashion.
Term
Cost/benefit analysis
Definition
Calculating the value of a control. (ALE before implementing a control) – (ALE after implementing a control) – (annual cost of control) = value of control.
Term
Functionality versus effectiveness of control
Definition
Functionality is what a control does, and its effectiveness is how well the control does it.
Term
Total risk
Definition
Full risk amount before a control is put into place. Threats × vulnerabilities × assets = total risk.
Term
Residual risk
Definition
Risk that remains after implementing a control. Threats × vulnerabilities × assets × (control gap) = residual risk.
Term
Handling risk
Definition
Accept, transfer, mitigate, avoid.
Term
Policy
Definition
High-level document that outlines senior management’s security directives.
Term
Policy types
Definition
Organizational (master), issue-specific, system-specific.
Term
Policy functionality types
Definition
Regulatory, advisory, informative.
Term
Standard
Definition
Compulsory rules that support the security policies.
Term
Guideline
Definition
Suggestions and best practices.
Term
Procedures
Definition
Step-by-step implementation instructions.
Term
Data owner
Definition
Individual responsible for the protection and classification of a specific data set.
Term
Data custodian
Definition
Individual responsible for implementing and maintaining security controls to meet security requirements outlined by data owner.
Term
Separation of duties
Definition
Preventive administrative control used to ensure one person cannot carry out a critical task alone.
Term
Collusion
Definition
Two or more people working together to carry out fraudulent activities.
Term
Rotation of duties
Definition
Employees should be moved into different roles with the idea that they may be able to detect suspicious activity carried out by the previous employee in that position. Detective administrative control used to uncover potential fraudulent activities.
Term
Mandatory vacation
Definition
Detective administrative control used to uncover potential fraudulent activities by requiring a person to be away from the organization for a period of time.
Term
Architecture Framework
Definition
This means it provides a structure for individual architectures to be built from.
Term
Architecture methodology
Definition
This means it provides the processes to follow to build and maintain this architecture.