Chapter 1 Security and Risk Management – Flashcards

question
Confidentiality
answer
Supports the principle of least privilege: only authorized people, processes or systems are given access to information, on a need-to-know basis. Confidentiality of information is ensured through data classification. One way to maintain confidentiality is to encrypt information.
question
Integrity
answer
Trustworthiness: information should be protected from intentional, unauthorized or accidental changes. Controls are put in place to make sure that information is changed only through accepted practices.
question
Availability
answer
Makes sure information is available to users when they need it. Two threats to availability are: 1) DOS - loss of service due to disaster, to include capacity planning, system crash, outdated hardware, poor testing leading to a system crash after an upgrade, or natural disaster.
question
Security Governance
answer
The purpose of governance is to make sure the right security activities are being performed, so that risks are appropriately reduced and investments are directed, and so that management understands the program and is asking the right questions to make sure the program is working the way it is supposed to.
question
Sr. management
answer
Makes the final decision on the level of security expenditures and risk.
question
Security management makes sure
answer
that risks are identified and an adequate control environment is used to manage them. Assess risk and identify needs, then monitor and evaluate, promote awareness, implement policies and controls; all of this is centered around central management.
question
Risk management
answer
Gives a way to keep executives informed on risks and to make informed decisions, using avoidance, transfer, mitigation and acceptance.
question
Risk Management Framework
answer
Strategic = risks that are part of the business environment and have an effect on business objectives and performance; Organization = part of one's environment, including people, culture, structure and values; Technology = use of systems and technology, with availability, capacity, integrity, support, functions, integration and change management; Legal/Regulatory = contracts, interpretation of laws, compliance and regulation.
question
Organizational processes
answer
Must understand the mission of the organization.
question
acquisitions and mergers
answer
New data types; new technology; new staff and new roles; threats from former employees; possible threats the new group may face; vulnerabilities when systems are merged; new policies and standards to support compliance with laws and regulations; external business partners.
question
Divestitures and spinoffs
answer
Could cause data loss or leaks; system interconnections, protocols and ports left open after the function that was using them is no longer applicable; loss of visibility into network and system logs; new threats from employees forced out of the organization; revised standards, policies and procedures; data segregation deadlines.
question
Governance Committees
answer
Have to recruit and maintain the board for an organization; make sure the committee understands the importance of information security and risk management.
question
Committee recruitment exercises for new board members
answer
Requirements for information security and risk aptitude.
question
Security roles and responsibilities
answer
The ISSO/CISO should report to the CIO or the individual responsible for the information technology activities of an organization.
question
Responsibilities of the ISSO
answer
The ISSO is to ensure the protection of all the business's information assets from loss, disclosure, alteration, destruction and unavailability. The ISSO is the facilitator of information security for the organization.
question
Organizational processes
answer
Businesses don't stay the same; things change from day to day; the organization must be able to adapt and adjust to meet the needs of the company.
question
The SO must be sure to inform
answer
the C-levels of what the real business needs and facts are, clearly represented. The executive management of an organization is responsible for information security. Presentations should be at a high level, enough to understand the technical safeguards, and not too detailed.
question
Reporting model
answer
The SO and information security should report as high in the organization as possible, to: maintain visibility of the importance of information security; limit the inaccurate translation of messages that can occur in hierarchically deep organizations. They should have good working relationships with business executive management, middle management and end users. Reporting to the CEO reduces the filtering of messages that would otherwise pass through several layers.
question
Policies
answer
Must align with what the business does.
question
The SO and team are responsible
answer
for making sure that security policies, procedures, baselines, standards and guidelines are written to address the information security needs of the company. Policies should be written with input from legal, HR, IT, compliance, physical security and the business units that must implement the policies.
question
Policy types
answer
Sr. management - high-level management statement of security objectives, organization, individual responsibilities, ethics and beliefs, and general requirements and controls; Regulatory - detailed and concise policies mandated by federal, state, industry or other legal requirements; Advisory - not mandatory but recommended; has penalties or consequences for non-compliance; most policies fall in this category; Informative - only informs, with no explicit requirements for compliance.
question
Information system security role
answer
Drafts security policies, standards and supporting guidelines, procedures and baselines. Provides guidance on technical security issues and emerging threats, and starts new policies.
question
Executive management
answer
Maintains the overall responsibility for protecting the information assets of the company.
question
End users
answer
End of the line; they are the eyes and ears that report security incidents and unusual behavior to the right people.
question
Data custodian
answer
Maintains our systems and takes care of the information on behalf of the owner. Makes sure the data is backed up in case it is lost.
question
Info systems auditor
answer
Makes sure systems are in compliance with policy, procedures, standards, baselines, management direction and architecture.
question
Business continuity plans
answer
**Initiation and management first steps: How do I keep my business in business? Develop contingency plans to prepare for any time something may negatively impact the company's goals.
question
DRP
answer
How do I fix what is broken?
question
Physical security
answer
Manages the installation, maintenance and continuous operation, and assists in investigations.
question
Network administrator
answer
Configures network and server hardware and OS. Uses patch management and software distribution methods to install updates and test patches.
question
External roles
answer
Vendors, suppliers, contractors, temporary employees, customers, business partners and outsourced relationships should follow our security policies.
question
Control frameworks
answer
To make sure the ISSO does what is supposed to be done; they are there to help ensure that security and privacy requirements are met.
question
Framework should be
answer
Consistent - a governance program that is consistent in how information security and privacy are approached and used; Measurable - the program must provide a way to set and see goals; Modular - one framework won't work for everybody all the time; Standardized - a control framework should rely on standardization so results can be compared; Extensible - flexible; Comprehensive - the framework should cover the minimum legal and regulatory requirements of an organization; Modular - withstands changes in an organization. COSO - banking, to eliminate fraud; ISO 27000 - a series of documents that started with ISO 17799 and then became 27002, best-practice how-tos; 27001 - an obtainable certification: put all the best practices into practice, then get certified. An Information Security Management System is a management process. COBIT - how to do security for everything/auditing. ITIL - service framework and SLAs.
question
Due care
answer
Are you doing what you're supposed to be doing to protect the company? Are you following the guideline/policy/control? **The care that a reasonable person would give under the circumstances; caring is correcting** what an individual's or legal duty is. If an organization is mandated to comply with regulations, then knowingly or unknowingly neglecting those requirements could lead to legal exposure from a due care perspective.
question
Due diligence
answer
Putting something in place that is meant to stop harm to other persons or their property. It is the enforcement of due care. This should be incorporated by security professionals as a core tenet of their career. Examples are: vulnerability assessments, penetration tests, audits, background checks, credit checks, information system security assessments, risk assessments, contingency tests and backups, threat intelligence. **About detection**: monitoring, auditing.
question
Legislative and regulatory compliance
answer
Must be understood by the people who work in those countries and the industries they are in. Laws and regulations must be met for a safe harbor provision, which is a set of good-faith conditions that, if met, may temporarily or indefinitely protect the organization from the penalties of a new law or regulation. **Identify the requirement and comply with it.
question
PCI Data Security Standards
answer
All entities that hold, process or transfer credit card and cardholder information must adhere to these standards.
question
Privacy and data protection legislation
answer
Federal Privacy Act; Health Insurance Portability and Accountability Act (HIPAA) for health-related PII; Gramm-Leach-Bliley Act for economic/credit-related data; Health Information Technology for Economic and Clinical Health Act (HITECH).
question
Computer/Cyber Crime
answer
Any criminal activity in which computer systems or networks are used as tools, and that violates a law or a regulation.
question
Categories of crimes and motivations behind them:
answer
Business, fun, disgruntled employees, corporate espionage, terrorism, financial.
question
Cyber terrorism
answer
Destroying or stealing government secrets; financial attacks.
question
Impact of cyber crime
answer
Loss of intellectual property and sensitive data; opportunity costs; damage to the brand image and company reputation; penalties and compensatory payments to customers; cost of countermeasures; and cost of mitigation strategies and recovery from cyber-attacks.
question
Federal Risk and Authorization Management Program (FedRAMP)
answer
A government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
question
Intellectual property laws
answer
Laws that protect both tangible and intangible items.
question
Patent
answer
Protect novel, useful and nonobvious inventions; one of the most significant forms of intellectual property protection available. Allows one the sole right to own an invention for 20 years; published in the public domain. **Public**
question
Trademark
answer
Protects the goodwill that merchants or vendors invest in the recognition of their products; gives the owner of the markings exclusive rights over the item. This is the protection of markings that are used to identify a vendor's or merchant's products and goods. A trademark could be a word, name, symbol, color, sound, product shape, device or a combination of them, creating a unique identifier that distinguishes a product from others. Registrations granted on or after November 16, 1989 have a 10-year term.
question
Copyright
answer
Protects artistic property, which would be books, music, databases and computer programs. It is not as strong as patent protection, but it lasts longer: at least 50 years after a person dies, or the 70 years under copyright protection. The term of copyright protection of a work made for hire is 95 years from the date of publication or 120 years from the date of creation, whichever expires first. (A work not made for hire is ordinarily protected by copyright for the life of the author plus 70 years.)
question
Trade secrets
answer
Refer to how a piece of business or technical information or a practice works. A trade secret is not information that is generally known, and it must provide value to the business. Trade secrets can be protected forever, and they are known as the reason for industrial espionage cases.
question
Licensing & different models
answer
Software licenses have become easily stolen. There are different ways software can be licensed: freeware, shareware, commercial and academic.
question
Licensing agreement types
answer
With these different types there are a variety of agreements, including master agreements and end-user license agreements (EULAs). There is also license metering software that can enforce compliance with software agreements.
question
Import/Export Controls
answer
International Traffic in Arms Regulations (ITAR) - defines what a defense item is and what can be done with it; created to control any illegal transfer of information, defense items, technology or products that involve the military to parties not based in the US. The Export Administration Regulations allow the president to regulate the export of civilian goods and technologies that are military based, including data and know-how.
question
Trans-border data flow
answer
Allows consumers access to the best resources in technology around the world. Moving data across country borders from server to server: ways to identify people, fight terrorism and fraud, and deliver services. Companies and governments are outsourcing to cut costs and increase efficiencies.
question
RFID
answer
Radio frequency identification chips; cause concern about data going to other countries with no data protection legislation.
question
PII
answer
Personally identifiable information.
question
OECD
answer
Organization for Economic Cooperation and Development; has categorized principles covering collection limitation, data quality, purpose, safeguards, openness, participation and accountability.
question
Privacy
answer
The rights and obligations of people who collect, use, retain or disclose personal information.
question
Data breaches
answer
A form of incident that could result in the exposure of data. A breach is an incident that results in the disclosure or potential exposure of data, and a data disclosure is a breach in which data is shown to have been disclosed to someone not authorized.
question
VERIS
answer
Vocabulary for Event Recording and Incident Sharing; made to provide a common language for describing security incidents in a structured and repeatable way.
question
Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act
answer
Two forms of how consumer data is regulated by federal and state laws.
question
Code of ethics Preamble
answer
***Should adhere to the highest code of ethics: protect society, the commonwealth and infrastructure (people); act honorably, honestly, justly, responsibly and legally (honor); provide diligent service to the boss (boss); advance and protect the profession (profession).
question
Code of ethics canons:
answer
Protect society, the commonwealth and infrastructure: preserve public trust and confidence in information systems; understand and accept good security practices; preserve and strengthen the integrity of public infrastructure; don't use unsafe practices. Act honorably, honestly, justly, responsibly and legally: tell the truth; acknowledge all contracts and agreements (formal and informal); treat everyone fairly in resolving conflicts, considering public safety and duties to principals, individuals and the profession; give advice without bringing in uncalled-for stress or discomfort; be honest, open and cautious, and know your competency level; different laws apply in different jurisdictions, so make sure you apply the law of where you are. Provide diligent and competent service to principals: maintain the value of the systems, applications and information; respect the trust and privileges that you have; stay away from conflicts of interest, or anything that looks like one; only do what you can and are qualified to do. Advance and protect the profession: sponsor those who are certified and abide by these canons; don't tarnish the reputation of others through malice or indifference; maintain your qualifications through skills and knowledge; give your time to helping others.
question
Support Organization Code of Ethics
answer
Develop a guide to computer ethics for the unit; develop an ethics policy to support the computer security policy; add information about computer ethics to the employee handbook; expand the business ethics policy to include computer ethics; learn more about ethics and spread the word; help bring awareness of computer ethics by being part of a campaign; know your email privacy policy and be sure employees know what it is.
question
Policy
answer
**Management goals and objectives** A document that defines the scope of security needed by the company and discusses the assets that need protection and the extent to which security solutions should go to provide the necessary protection. An overview or generalization of the organization's needs as to what we need to protect our assets; the security objectives and framework of the company.
question
Standards
answer
Specific mandatory requirements that further define and support higher-level policies.
question
Baselines
answer
A consistent basis for an organization's security architecture, taking into account system-specific parameters, i.e., the OS.
question
Guidelines
answer
Don't have to be followed; they are recommendations, not requirements.
question
Procedures
answer
Detailed instructions on how to implement specific policies and meet the criteria defined in standards.
question
Business continuity plan
answer
**My business is still working** Analyze the business, assess risk, develop a strategy, develop a plan and rehearse the plan. How do we get back into business, maintain our standards and meet our customers' needs? Should have policies, procedures and documents, and a database of resources to call.
question
Financial risks formula
answer
P * M = C: Probability * Magnitude = Cost. Probability of harm - the chance that a damaging event will occur; magnitude of harm - the amount of damage that would occur if a disaster should happen; cost of prevention - the price of putting in place a countermeasure preventing the disaster's effects.
question
**Risk Assessment
answer
**Analyze the business, assess risk, develop a strategy, develop a plan and rehearse the plan. Accept the risk - do nothing; accept the risk with an arrangement for after the incident; attempt to reduce the risk so as not to need outside help. *** Risk avoidance - the practice of coming up with alternatives; risk transference - passing on the risk in question; risk mitigation - decreasing the level of risk presented, through controls; risk acceptance - the practice of accepting certain risks based on a business decision.
question
BIA
answer
*** Helps a company decide what needs to be recovered and how quickly. Mission functions range from critical, essential and supporting to nonessential; identifies impacts that might damage an organization's reputation, assets or financial position, and the timescale of interruption for each business activity, through workshops, questionnaires, interviews and observation. It should tell us how long a unit can go without doing its work before it suffers serious financial losses; potential loss scenarios.
question
Manage personnel security
answer
A security professional might have to develop job descriptions, contact references and investigate backgrounds. Background checks are beneficial in helping with risk mitigation: the most qualified candidate is hired; lower hiring cost; less turnover; protection of assets; criminal activity.
question
Background checks could include
answer
Types of checks include: credit history; criminal history - harder to get these records; the Fair Credit Reporting Act says that for an applicant who earns more than 75K, their entire history can be seen; drug and substance testing - substance abuse can result in absenteeism, accidents, turnover, violence and computer crimes; prior employment - verify employment information, i.e., dates, title, performance and reason for leaving.
question
Job rotation
answer
Reduces the risk of fraud and collusion between individuals; gives backup coverage, succession planning and job enrichment opportunities.
question
Separation of Duties (SOD)
answer
One person should not have the ability to modify, delete or add data to a system. Separation reduces the chances of errors or fraud; the same person should not do these jobs: system administration, network, data entry, computer operations, security administration, development and maintenance, auditing, IS management, change management. If there are not enough people, then one might have to rely on a compensating control, i.e., monitoring or a supervisor. Employees in the information systems function should not be allowed to enter data into a business system.
question
Least privilege
answer
Is need to know: granting access only when it is needed to perform one's job. This is known as a preventive or deterrent control, as the user knows that information access is logged and detection can tell how information was modified after the fact.
question
Mandatory vacation
answer
Helps to identify fraudulent activities.
question
Friendly/unfriendly termination
answer
Exit interview; NDA; collect access badges, tokens and cards; disable accounts immediately; escort from the building.
question
**Risk
answer
**Risk is a function of the likelihood (probability) of a given threat source exercising a potential vulnerability and the resulting impact of an adverse event on an organization. Somebody doing something to cause you problems; the possibility of loss. Risk management is the way you assess, minimize and prevent accidental loss to a business, through insurance and safety.
question
Steps to risk assessment
answer
Prepare, conduct, identify threat sources and events, identify vulnerabilities, determine likelihood of occurrence, determine magnitude of impact, determine risk, then communicate results and maintain the assessment. An exhibit can be used to provide an audit trail for the company, or evidence for questions internal or external auditors may have about the current state of risk. You have to know what you are protecting.
question
Privacy and monitoring
answer
Notifying or being conspicuous about monitoring can be good.
question
Threat source
answer
Is the "somebody" (the vulnerability is the weakness): either the intent and method aimed at the intentional exploitation of a vulnerability, or a situation or method that may accidentally trigger a vulnerability. What is doing the bad thing: human, natural, technical, physical, environmental, operational.
question
Likelihood
answer
The probability that a potential vulnerability may be exercised within the construct of a given threat environment; a weakness being exploited inside the company.
question
Threat
answer
The potential for a threat source to exercise a specific vulnerability; taking advantage of your weakness (a vulnerability), with an impact on the company.
question
Vulnerability
answer
A flaw or weakness in system security procedures, implementation or internal controls that could be exercised and result in a security breach or a violation of the system security policy.
question
Impact
answer
The magnitude of harm that could be caused by a threat's exercise of a vulnerability.
question
Asset
answer
Anything of value owned by a company, both tangible and intangible.
question
Safeguard
answer
A countermeasure that removes or reduces a vulnerability or protects from one or more threats: a patch, a configuration change, hiring a security guard, improving security policy, training personnel, etc. Something put in place to minimize a threat.
question
Attack
answer
An exploitation of a vulnerability by a threat; an intentional attempt to exploit a vulnerability to cause damage, loss or disclosure of assets; a violation of, or failure to adhere to, a security policy. Something or somebody taking advantage of a weakness that we have. A port scan is a type of attack: it finds vulnerabilities that can be taken advantage of.
question
Breach
answer
The occurrence of a security mechanism being bypassed by a threat agent; when a breach is combined with an attack, penetration or intrusion can result. A threat agent has gained access to a company by bypassing a security control and directly imperils assets: getting to the system and the underlying data; the taking of information. When threats are successful at penetrating, it is a breach.
question
Mean time between failures (MTBF)
answer
A measure of the anticipated incidence of failure for a system or component = reliability.
question
Mean time to failure (MTTF)
answer
Average time to failure for a non-repairable system.
question
Mean Time to Restore (MTTR)
answer
How long it takes to repair a system or component once it fails; found in SLAs.
question
Recovery Time Objective
answer
Maximum tolerable downtime: the amount of time the unit can function without the application before it causes big impacts. The maximum acceptable downtime.
question
Recovery Point Objective
answer
The point to which a crashed or failed system needs to be restored. How far back before the crash do we go to get our data?
question
Risk management process
answer
Risk management is the way you assess, minimize and prevent accidental loss to a business, through insurance and safety.
question
Quantitative method
answer
Results in percentages; the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures and value of safeguards. The act of assigning a quantity to risk.
question
Qualitative risk
answer
Assessment provides results that describe risk in a descriptive way. Used when: the risk assessors have little expertise in quantitative risk assessment; time is short; it is easier to do; there is not a lot of data to help with the risk assessment; the assessor and team are long-time employees with a lot of experience with the business and systems. The higher the risk level, the more immediate the need for the organization to act on an issue and make sure it is protected.
question
Exposure factor
answer
The percentage of loss that a company would have if a specific asset were violated by a realized risk; how long it is exposed.
question
SLE
answer
Single Loss Expectancy = the difference between the original value and the remaining value of an asset after a single exploit; the cost associated with a single realized risk against a specific asset; the exact amount of loss. Asset Value * Exposure Factor (AV * EF).
question
Annualized Loss Expectancy
answer
An estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year; how many times it will happen in a given year. Annualized Loss Expectancy = Single Loss Expectancy * Annualized Rate of Occurrence. Known as probability determination.
question
Risk avoidance
answer
Coming up with alternatives so that the risk does not come to pass.
question
Risk transfer
answer
Passing on the risk to someone else.
question
Risk mitigation
answer
Getting rid of or reducing the risk, i.e., firewalls, IDS/IPS. Risk acceptance - accepting the risk from certain scenarios.
question
Containment
answer
when an exposure is exploited from important assets
question
Deterrent
answer
Discourages people from breaking the directive; just because the control exists, it keeps bad guys out; it is harder to get around the control than the reward for being successful. Warning messages during logon; multifactor authentication will reduce system compromises.
question
Countermeasures in the form of
answer
Accountability; auditability; source known; independence; consistency; cost effectiveness; reliability; ease of use; automation; sustainability; security; protection of CIA; ability to back out if there is an issue.
question
Security architect
answer
Thinks about business issues and how to design a strong architecture.
question
Security practitioner
answer
Thinks about time and tools, and how to deploy a strong architecture.
question
Security professional
answer
Thinks about how I will manage the enterprise; metrics.
question
Preventative controls
answer
Used to stop unwanted or unauthorized activity from occurring: fences, locks, biometrics, mantraps, job rotation, data classification, penetration testing, encryption, auditing, CCTV, callback procedures, security awareness, intrusion prevention, personnel security.
question
Detective
answer
Got through the preventative controls; now we must remedy the situation, reduce damage or bring back controls. Discover the activity after it has occurred: motion detectors, honeypots, IDS, IPS, incident investigation; going back after the fact to get information about what happened. If deterrent, preventative and compensating controls don't thwart an attack, these warn when something has happened.
question
Corrective controls
answer
Controls that change the posture of an environment to fix deficiencies and take the environment back to a secure state. Could be a quick fix like a new firewall rule, router access, or antivirus.
question
Deterrent access controls
answer
Discourage people from breaking the directive; just because the control exists, it keeps bad guys out; it is harder to get around the control than the reward for being successful: fence, lock, banner, security cameras.
question
Directive controls
answer
Rules of behavior in a company, also known as administrative controls; give guidance as to what behavior is expected. They can be combined into a single acceptable use policy. AUP = signed at the time of security awareness training.
question
Recovery controls
answer
Restore conditions to normal after an incident: fault tolerance, system imaging, server clustering, virtual machine shadowing.
question
Compensating access controls
answer
Used in addition to or in place of another control; can be technical, procedural or manual. Instead of SSL one could use another encryption protocol; separation of duties; can be a temporary solution put in place for a short-term change. If current capabilities don't support a policy, then a compensating control is used; transfer of PII in encrypted form; protecting data in transit instead of encrypting data at rest.
question
Administrative controls
answer
Management controls: policies, processes and management of an access control system. When changes to an environment happen, they must be documented, approved, tested, applied, verified and deployed. The architect, practitioner and professional are all involved in the BCP/DRP that are used in a disaster recovery.
question
Logical controls
answer
Hardware or software used to manage controls, i.e., passwords, smart cards, biometrics, clipping. Network - used to restrict communication and restrict those who connect to it and use that infrastructure; a proxy system could control web access; a firewall could block ports; a proxy could also block HTTP sessions. Network access control restricts access based on a policy defined by the system administrator. Remote - VPN is a popular solution for remote access.
question
Physical controls
answer
Prevent, monitor or detect direct access to systems within the facility.
question
Control assessment
answer
Verifies that the implementers and operators of information systems meet the goals and objectives; how effective are the security controls used to implement a system.
question
Controls measured by
answer
Vulnerability scans and penetration testing. Also known as ethical hacking, tiger teaming, red teaming and vulnerability testing. Penetration testing is the next step after vulnerability scans. Audits - try tailgating someone through the door; pretend to be tech support.
question
Tangible asset valuation
answer
You can touch it; it has a physical presence. Intangible: trademarks, patents, copyrights, business processes, brand recognition, intellectual property. Intangibles are also known as definite or indefinite: an intangible asset can have a definite expiration period. Example: a patent has value as long as it is enforceable; when the patent expires, there is no more value.
question
Intangible asset valuation
answer
Your morale, reputation, brand, customer satisfaction.
question
Reporting
answer
Needs to go up the chain as high as it can go; the ISO should explain technical terms in everyday language.
question
Deming cycle
answer
PDCA - plan, do, check, act.
question
Risk management frameworks
answer
Aligning risk appetite and strategy - management says what the risk appetite is, to evaluate strategic alternatives; enhancing risk response decisions - how to select the right choice between avoidance, reduction, sharing and acceptance.
question
ISO/IEC 27002
answer
Guideline and best practice; an example of a framework. A code of practice for information security management; a best-practices framework for implementing and managing an information security program, from the International Organization for Standardization and the International Electrotechnical Commission.
question
ISO/IEC 27001
answer
A standard that gives more detailed implementation guidance for practitioners and defines the requirements for the formal specification of an information security management system.
question
Threat model
answer
A procedure for optimizing network/application/internet security by identifying objectives and vulnerabilities and defining countermeasures to prevent or mitigate the effects.
question
Threat
answer
A potential or actual undesirable event that may be malicious (i.e., DoS) or incidental.
question
Assessment scope
answer
Identify what your assets are.
question
Possible attacks
answer
Who are the people that might attack an application; understand existing countermeasures; inside, outside, accidental and malicious attacks. Include any and all existing countermeasures deployed.
question
Prioritized risk
answer
For each threat, give a number for likelihood and an impact factor to know the overall risk or severity level.
question
Identify countermeasures
answer
To reduce the threat: how to reduce the risk to an acceptable level.
question
Potential attacks
answer
Baiting - getting you to give information; an attacker leaves a malware-infected CD-ROM or flash drive in a location and waits for you to use the device. Tailgating - following behind someone. Phishing - a type of social engineering that uses email or a malicious website to get personal information by posing as a trustworthy group. Social engineering.
question
Reduction analysis
answer
Avoid being a victim and reduce security risks.
question
Remediate threats
answer
Policies, IDS, IPS, firewalls, encryption, security protocols, SSL/TLS.
question
Acquisition
answer
Hardware and software; need to have redundancy.
question
Manage third party governance
answer
Three types: IaaS, PaaS and SaaS.
question
Minimum security requirements
answer
Up to the organization; make a list of what is required and then tie them together.
question
Service Level Requirements
answer
Has the requirements for a service from the client's viewpoint, and gets made into an SLA.
question
Starting point in awareness training
answer
Using security policies.
question
P2P/peer to peer
answer
Can transmit viruses and malware.
question
Internet Activities Board (IAB) - RFC 1087
answer
A statement of policy from 1989 on ethics and the proper use of resources on the Internet.
question
SET
answer
Secure Electronic Transactions (SET), by Visa and MC, for secure offline debit card transactions.
question
PGP
answer
Pretty Good Privacy - public keys with email functionality and data encryption, by Phil Zimmermann.
question
Sanitized
answer
Media is erased or cleared; the process of preparing media so that classified data cannot be recovered, before, during and after final destruction.
question
Purging
answer
Making the information unrecoverable.
question
Degaussing
answer
Magnetic scrambling of the patterns on a tape or disk.
question
Wassenaar Agreement
answer
International agreement on dual-use goods, for either civilian or military purposes.