DMBOK - Chp 7
Data Security
| Question | Answer |
|---|---|
| Data Security requirements come from | Stakeholders; Government regulations; Proprietary business concerns; Legitimate access needs; Contractual obligations |
| Effective data security policies and procedures ensure | that the right people can use and update data in the right way, and that all inappropriate access and update is restricted. |
| Data Security definition | Definition, planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets |
| Data Security goals | 1. Enable appropriate, and prevent inappropriate, access to data assets; 2. Understand and comply with all relevant regulations and policies; 3. Ensure that the privacy and confidentiality needs of all stakeholders are enforced and audited |
| Data Security inputs | Business goals and strategy; Business rules and processes; Regulatory requirements; Enterprise Architecture standards; Enterprise Data Model |
| Data Security Deliverables | Architecture; Policies; Privacy and confidentiality standards; Access controls; Regulatory compliant data access views; Documented security classifications; Authentication and user access history; Audit reports |
| Data Security participants | Data Stewards; Information Security; Internal Auditors; Process Analysts |
| Security organizations are often tasked with managing | IT compliance requirements; Policies; Practices; Data classifications; Access authorization |
| An approach to managing sensitive data is via | Metadata; security classifications and regulatory sensitivity can be captured at the data element and data set level. This Metadata can travel with the information as it flows across the enterprise. |
| Vulnerability | A weakness or defect in a system that allows it to be successfully attacked and compromised; a hole in an organization's defenses. Also called exploits. |
| Threat | A potential offensive action that could be taken against an organization. An occurrence is also called an attack surface. |
| Risk | Refers to both the possibility of loss and the thing or condition that poses the potential loss. |
| Risk classifications | Critical - would not only harm individuals, but would result in financial harm to the company; High - would expose the company to financial harm through loss of opportunity; Moderate - would likely have a negative effect on the company |
| Security Processes | Access; Audit; Authentication; Authorization; Entitlement |
| Access | Enable individuals with authorization to access systems |
| Audit | Review security actions and user activity to ensure compliance with regulations |
| Authentication | Validate users' access |
| Authorization | Grant individual privileges to access specific views of data, appropriate to their role |
| Entitlement | Sum of all the data elements that are exposed to a user |
| Systems containing confidential information, such as salary or financial data, commonly implement | active, real-time monitoring that alerts the security administrator to suspicious activity or inappropriate access. |
| Data integrity | The state of being whole; protected from improper alteration, deletion, or addition. |
| Encryption | Process of translating text into complex codes to hide privileged information, verify complete transmission, or verify the sender's identity |
| Hash (type of encryption) | Uses algorithms to convert data into a mathematical representation |
| Private-key (type of encryption) | Uses one key to encrypt the data; sender and recipient must have the key |
| Public-key (type of encryption) | The sender uses a public key and the receiver uses a private key to reveal the original data |
| Obfuscation or Masking | Removes, shuffles, or otherwise changes the appearance of the data, without losing the meaning of the data or the relationship the data has to other data sets. |
| Persistent data masking | Permanently and irreversibly alters the data; typically used between a production environment and development or test environments |
| Masking methods | Substitution; Shuffling; Temporal variance; Value variance; Nulling or deleting; Randomization; Encryption |
| Backdoor | An overlooked or hidden entry into a computer system or application |
| Bot or Zombie | A workstation that has been taken over by a malicious hacker |
| Cookie | A small data file that a website installs on a computer's hard drive to identify returning visitors and profile their preferences. |
| Firewall | Software and/or hardware that filters network traffic to protect an individual computer or an entire network from unauthorized attempts to access or attack the system |
| Perimeter | The boundary between an organization's environments and exterior systems |
| De-militarized zone (DMZ) | An area on the edge or perimeter of an organization, with a firewall between it and the organization. |
| Super User Account | Has administrator or root access to a system; to be used only in an emergency. |
| Key Logger | Type of attack software that records all the keystrokes that a person types into their keyboard, then sends them elsewhere on the Internet. |
| Penetration Testing (or Pen Test) | An ethical hacker attempts to break into the system from outside in order to identify system vulnerabilities. |
| Virtual Private Network (VPN) | Uses the unsecured internet to create a secure path or 'tunnel' into an organization's environment. |
| Types of Data Security | Facility; Device; Credential; Electronic Communications |
| Identity Management Systems | The user is required to enter the password only once, after which all authentication and authorization executes through a reference to the enterprise user directory. Also known as 'single sign-on' or 'SSO'. |
| Password standards | Every user account should be required to have a password set by the user (account owner) with a sufficient level of password complexity defined in the security standards. |
| Multiple Factor Identification (MFA) | Requires additional identification procedures; e.g., a text to a mobile device that contains a code |
| Concepts that drive security restrictions | The level of confidentiality of data; Regulation related to data |
| Confidentiality classification levels | For general audiences; Internal use only; Confidential; Restricted confidential; Registered confidential |
| Regulated data | Certain types of information are regulated by external laws, industry standards, or contracts that influence how data can be used. |
| Personal Identification Information (PII) or Personally Private Information (PPI) | Any information that can personally identify the individual (individually or as a set) |
| Financially Sensitive Data | In the US, this is covered under Insider Trading laws, SOX (Sarbanes-Oxley Act), or GLBA (Gramm-Leach-Bliley/Financial Services Modernization Act) |
| Medically Sensitive Data or Personal Health Information (PHI) | All information regarding a person's health or medical treatments. In the US, this is covered by HIPAA. |
| Payment Card Industry Data Security Standard (PCI-DSS) | Addresses any information that can identify an individual with an account at a financial organization. |
| System Security Risks | Abuse of excessive privilege; Abuse of legitimate privilege; Unauthorized privilege elevation; Service account or Shared account abuse; Platform intrusion attacks; SQL injection vulnerability; Default passwords; Backup data abuse |
| Social engineering | Refers to how malicious hackers try to trick people into giving them either information or access |
| Phishing | Refers to a phone call, instant message, or email meant to lure recipients into giving out valuable or private information without realizing they are doing so. |
| Malware | Any malicious software created to damage, change, or improperly access a computer or network |
| Adware | Form of spyware that enters a computer from an internet download and monitors a computer's user, such as websites visited |
| Spyware | Any software program that slips into a computer without consent, in order to track online activity. |
| Trojan Horse | Refers to a malicious program that enters a computer system disguised or embedded within legitimate software. |
| Virus | A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. |
| Worm | A program built to reproduce and spread across a network by itself. |
| Malware Sources | Instant Messaging; Social networking sites; Spam |
| Data Security activities | Identify data security requirements; Define Data Security policy; Define Data Security standards; Assess current security risks; Implement Controls and Procedures |
| Types of data security requirements | Business (needs of the enterprise, mission, strategy, etc.); Regulatory |
| Data security policies should be based on | Business and Regulatory requirements |
| Levels of policies | Enterprise - e.g., access to facilities, email standards, security levels; IT - e.g., directory structure standards, passwords, identity management; Data - e.g., database roles, user groups, information sensitivity |
| Defining Data Security standards includes | Data Confidentiality levels; Data Regulatory categories; Defining security roles |
| Managing and maintaining data security includes | Controlling data availability; Monitoring user authentication and access behavior |
| Managing security policy compliance includes | Managing regulatory compliance; Auditing data security and compliance activities |
| Data Security tools include | Anti-virus software; HTTPS (website equipped with an encrypted security layer); Identity management technology (e.g., LDAP or a password safe); Intrusion detection and prevention software; Firewalls; Metadata Tracking; Data Masking/Encryption |
| CRUD Matrix usage | Data-to-use and data-to-role relationship matrices that help map data access needs |
| Metadata repository is essential to | Assure the integrity and consistent use of an Enterprise Data Model across business processes. It should include security and regulatory classifications for data. |
| Types of Data Security metrics | Security Implementation (e.g., % of computers with the most recent security patch); Security Awareness (e.g., risk assessments); Data Protection; Security Incident; Confidential Data Proliferation |
| LDAP | Lightweight Directory Access Protocol, for managing credentials |
| Document sanitization | Process of cleaning Metadata from documents before sharing. |
| Data Security implementation guidelines | Readiness/Risk assessment; Organization and Cultural change; Visibility into User Data Entitlement; Data Security in an Outsourced world; Data Security in Cloud environments |
| Data Security and Enterprise Architecture | Describes how data security is implemented within the enterprise to satisfy the business rules and external regulations. |