SecurityCHPT14
terms
Question | Answer |
---|---|
threat | action that has the potential to do harm |
threat agent | person who has the power to carry out the threat |
vulnerability | a flaw or weakness that allows threat to bypass security |
risk | likelihood that the threat agent will exploit the vulnerability |
risk classifications | strategic |
risk classifications | compliance |
risk classifications | financial |
risk classifications | operational |
risk classifications | environmental |
risk classifications | technical |
risk classifications | managerial |
privilege | subject's access level over an object |
privilege management | process of assigning and revoking privileges to objects |
privilege auditing | examination of procedures that produces a detailed report of its findings |
change management | refers to a methodology for making modifications and keeping track of those changes |
two major changes need to be documented | any change in system architecture |
two major changes need to be documented | classification changes in files or documents |
incident management | the framework and functions required to enable incident response and incident handling within an organization |
incident response | defined as the components required to identify, analyze, and contain the incident |
incident handling | planning, coordination, communications, and planning functions that are needed in order to respond to an incident |
security policy | written document that states how an organization plans to protect the company's information technology assets |
an effective security policy must be able to balance | trust and control |
three approaches to trust | trust everyone all the time |
three approaches to trust | trust no one at any time |
three approaches to trust | trust some people some of the time |
one security policy goal | implement control |
designing a security policy involves | understanding the policy cycle |
designing a security policy involves | knowing the steps in policy development |
standard | collection of requirements specific to the system |
guideline | collection of guidelines that should be implemented |
policy | document that outlines specific requirements or rules that must be met |
security policy cycle | vulnerability assessment what needs to be protected |
security policy cycle | use the info from the risk management study how to protect it |
security policy cycle | review the policy for compliance evaluating protection |
policy characteristics | communicates a consensus of judgement |
policy characteristics | defines appropriate behavior for users |
policy characteristics | identify what tools and procedures are needed |
policy characteristics | provide directives for human resources |
due care | the obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take precautions to protect them |
security policies | acceptable encryption |
security policies | antivirus |
security policies | audit vulnerability scanning |
security policies | automatically forward email |
security policies | database credentials |
security policies | demilitarized zone security |
security policies | email retention |
security policies | extranet |
security policies | information sensitive |
security policies | router security |
security policies | server security |
security policies | vpn security |
security policies | wireless communication |
acceptable use policy | defines the actions users may perform while accessing systems and networking equipment |
privacy policy | personally identifiable information |
pii | outlines how the organization uses personal information it collects |
security related human resource policy | statements that include how employee information technology resources will be addressed |
due care | imposed on owners and operators of assets to exercise reasonable care of the assets and take cautions to protect them |
due process | principle of treating all accused persons in an equal fashion |
due diligence | any investigation into suspicious employee conduct will examine all material facts |
password management and complexity policy | addresses how passwords are managed and created |
disposal and destruction policy | addresses the disposal of confidential resources |
classification of information policy | framework for classifying assets |
ethics policy | written code of conduct intended to be the central guide and reference for employees on a day-to-day basis |
user practices | password behaviors |
user practices | data handling |
user practices | clean desk policies |
user practices | prevent tailgating |
user practices | personally owned devices |
standard | collection of requirements specific to the system or procedure |
guideline | collection of suggestions that must be implemented |
policy | document that outlines specific requirements or rules that must be met |
policy characteristics | communicate a consensus of judgement |
policy characteristics | define appropriate behavior for users |
policy characteristics | provide directives for hr action in response to inappropriate behavior |
security policy cycle | asset identification |
security policy cycle | threat identification |
security policy cycle | vulnerability appraisal |
security policy cycle | risk assessment |
security policy cycle | risk mitigation |
values | beliefs and principles used to define what is good, right and just |
morals | beliefs that help distinguish between right and wrong |
ethics | defined as the study of what a group of people understand to be good and right behavior |
peer to peer networks | no servers |
peer to peer networks | communicate directly between two devices |
peer to peer networks | high risk of infection and legal consequences |
reasons social networking sites are popular for attackers | provide a treasure trove of personal data |
reasons social networking sites are popular for attackers | users are generally trusting |
reasons social networking sites are popular for attackers | vulnerable sites |
pedagogical approach | greek word meaning to lead a child |
andragogical approach | helping an adult to learn |
kinesthetic | learn through a lab environment or hands-on approach |