Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
CISSP-Ch2_QuickTips
CISSP-AIO-Sixth Ed by Shon Harris
| Term | Definition |
|---|---|
| Security | The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources. |
| Vulnerability | A vulnerability is the absence of or weakness in a control. |
| Threat | A threat is the responsibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset. |
| Risk | A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action |
| Countermeasure | A countermeasure, also called a safeguard or control, mitigates the risk. |
| Control | A control can be administrative, technical, or physical and can provide deterrent, preventive, detective, corrective, or recovery protection. |
| Comprehensive Control | A comprehensive control is an alternate control that is put into place because of financial or business functionality reasons. |
| CobiT | CobiT is a framework of control objectives and allows for IT governance. |
| ISO/IEC 27001 | ISO/IEC 27001 is the standard for the establishment, implementation, control and improvement of the information security management system (ISMS) |
| ISO/IEC 2700 | The ISO/IEC 2700 series were derived from BS7799 and are international best practices on how to develop and maintain a security program. |
| Enterprise Architecture Frameworks | Enterprise Architecture Frameworks are used to develop architectures for specific stakeholders and present information in views. |
| Information Security Management System (ISMS) | An Information Security Management System (ISMS)is a coherent set of policies, process, and systems to manage risks to information assets as outlined in ISO/IEC 27001 |
| Enterprise Security Architecture | Enterprise Security Architecture is a subset of business architecture and a way to describe current and future security processes, systems, and sub-units to ensure strategic alignment. |
| Blueprints | Blueprints are functional definitions for the integration of technology into the business process. |
| Enterprise Architecture Frameworks | Enterprise Architecture Frameworks are used to build individual architectures that best map to individual organizational needs and business drivers. |
| Zachman Framework | Zachman Framework is an enterprise architecture framework, and SABSA is a security enterprise architecture framework. |
| COSO | COSO is a governance model used to help prevent fraud within a corporate environment. |
| ITIL | ITIL is a set of best practices for IT service management. |
| Six Sigma | Six Sigma is used to identify defects in process so that the processes can be improved upon. |
| CMMI | CMMI is a maturity model that allows for processes to improve in an incremented and standard approach. |
| Security Enterprise Architecture | Security Enterprise Architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness. |
| NIST 800-53 | NIST 800-53 uses the following control categories: technical, management and operational. |
| OCTAVE | OCTAVE is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector. |
| Security Management | Security Management should work from the top down (from senior management down to the staff) |
| Handling Risk | Risk can be transferred, avoided, reduced, or accepted. |
| Total Risk | Threats x vulnerability x asset value = total risk. |
| Residual Risk | (Threats x vulnerability x asset value) x control gap = residual risk |
| Risk Analysis | The main goals of risk analysis are the following: identify assets and assign value to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide impact of risk and cost of safeguard. |
| Failure Modes and Affect Analysis (FMEA) | Failure Modes and Affect Analysis (FMEA)is a method for determining functions, identifying functional failures, and assessing the causes of a failure and their failure effects through a structured process. |
| Fault Tree Analysis | A Fault Tree Analysis is a useful approach to detect failure that can take place within complex environment and systems. |
| Quantitative Risk Analysis | A Quantitative Risk Analysis attempts to assign monetary values to components within the analysis. |
| Purely Quantitative Risk Analysis | A purely Quantitative Risk Analysis is not possible because qualitative items cannot be quantified with precision |
| Uncertainty | Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures. |
| Automated Risk Analysis | Automated Risk Analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculated the benefits of different security measures. |
| Single Loss Expectancy | Single Loss Expectancy x frequency per year = annualized loss expectancy (SLE X ARO = ALE) |
| Qualitative risk analysis | Qualitative risk analysis uses judgement and intuition instead of numbers. |
| Qualitative risk analysis | Qualitative risk analysis involves people with the requisite experience and education evaluation threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience. |
| Delphi Technique | The Delphi technique is a group decision method where each group can communicate anonymously. |
| Cost Benefit Analysis | When choosing the right safeguard to reduce a specific risk, the cost functionality, and effectiveness must be evaluated and a cost/benefit analysis performed. |
| Security policy | A security policy is a statement by management dictating the role security plays in the organization. |
| Procedures | Procedures are detailed step-by-step actions that should be followed to achieve a certain task. |
| Standards | Standards are documents that outlined rules that are compulsory in nature and support the organization's security policies. |
| Baseline | A baseline is a minimum level of security |
| Guidelines | Guidelines are recommendations and general approaches that provide advice and flexibility. |
| Job Rotation | Job rotation is a detective administrative control to detect fraud. |
| Mandatory Vacation | Mandatory vacations are a detective administrative control type that help detect fraudulent activities. |
| Separation of duties | Separation of duties ensures no single person has total control over a critical activity or task. It is a preventative administrative control. |
| Split Knowledge and Dual Control | Split knowledge and dual control are two aspects of separation of duties. |
| Data Owners | Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels. |
| Security Functional Requirements | Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or system overall. |
| Security Management | Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team's findings. |
| Risk Management | The risk management team should include individuals from different departments within the organization, not just technical personnel. |
| Social Engineering | Social Engineering is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual. |
| Personal identification information (PII) | Personal identification information (PII) is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected. |
| Security governance | Security governance is a framework that provides oversight, accountability, and compliance. |
| ISO/IEC 27004 | ISO/IEC 27004 is an international standard for information security measurement management. |
| NIST 800-55 | NIST 800-55 is a standard for performance measurement for information security. |
Created by:
dreoid
Popular Computers sets