Principles of Information Security (4th edition) Chapter 1 – Flashcards

question
Champion
answer
A senior executive who promotes a security project and ensures its support.
question
Chief information officer (CIO)
answer
An executive-level position in which the person is in charge of the organization's computing technology, and strives to create efficiency in the processing and accessing of the organization's information.
question
community of interest
answer
A group of individuals united by shared interests or values within an organization and who share a common goal of helping the organization to meet its objectives.
question
Computer security
answer
A term that in the early days of computers specified the need to secure the physical location of hardware from outside threats. This term later came to stand for all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in the organization has expanded.
question
Confidentiality
answer
The quality or state of information that prevents disclosure or exposure to unauthorized individuals or systems.
question
hash value
answer
A fingerprint of the author's message that is compared with the recipient's locally calculated hash of the same message.
question
Integrity
answer
The quality or state of being whole, complete, and uncorrupted.
question
Methodology
answer
A formal approach to solving a problem based on a structured sequence of procedures.
question
object of an attack
answer
The object or entity being attacked.
question
Organizational culture
answer
The specific social and political atmosphere within a given organization that determines the organization's procedures and policies and willingness to adapt to changes.
question
personnel security
answer
To protect the individual or group of individuals who are authorized to access the organization and its operations.
question
project team
answer
For information security, a group of individuals with experience in the requirements of both technical and nontechnical fields.
question
risk appetite
answer
The quantity and nature of risk that organizations are willing to accept.
question
security
answer
To be protected from adversaries - from those who would do harm, intentionally or otherwise.
question
threat agent
answer
A specific instance or component that represents a danger to an organization's assets. It can be accidental or purposeful, for example lightning strikes or hackers.
question
utility
answer
The quality or state of having value for an end purpose; information that serves a purpose.
question
Attack
answer
An intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it.
question
exposure
answer
A condition or state of being exposed.
question
e-mail spoofing
answer
The act of sending an e-mail message with a modified field.
question
Asset
answer
The organizational resource that is being protected. An asset can be logical, such as a Web site or information owned or controlled by the organization; or an asset can be physical, such as a computer system, or other tangible object.
question
bottom-up approach
answer
A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.
question
C.I.A. Triangle
answer
The industry standard for computer security since the development of the mainframe. It is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.
question
chief information security officer (CISO)
answer
This position is typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role will report to the chief information officer (CIO).
question
Control
answer
Synonymous with safeguard and countermeasure. A security mechanism, policy, or procedure that can counter system attack, reduce risks, and resolve vulnerabilities.
question
Data custodians
answer
Individuals who are responsible for the storage, maintenance, and protection of information.
question
Data owners
answer
Individuals who determine the level of classification associated with data.
question
Data users
answer
Individuals who work with information to perform their daily jobs supporting the mission of the organization.
question
end user
answer
Synonymous with data user. An individual who uses computer applications for his daily work.
question
enterprise information security policy (EISP)
answer
Also known as a general security policy, IT security policy, or information security policy, this policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.
question
Exploit
answer
A technique used to compromise a system.
question
Exposure
answer
A single instance of a system being open to damage.
question
file hashing
answer
Method for ensuring information validity. Involves a file being read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value.
question
Loss
answer
A single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure.
question
McCumber Cube
answer
A graphical representation of the architectural approach widely used in computer and information security.
question
Object
answer
A passive entity in an information system that receives or contains information.
question
operations security
answer
A process used by an organization to deny an adversary information (generally not confidential information) about its intentions and capabilities by identifying, controlling, and protecting the organization's planning processes or operations. OPSEC does not replace other security disciplines; it supplements them.
question
Phishing
answer
An attempt to obtain personal or financial information using fraudulent means, usually by posing as a legitimate entity.
question
physical security
answer
An aspect of information security that addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.
question
Possession
answer
The quality or state of having ownership or control of some object or item.
question
Risk
answer
The probability that something can happen.
question
risk assessment specialist
answer
An individual who understands financial risk assessment techniques, the value of organizational assets, and security methods.
question
security policy developer
answer
An individual who understands the organizational culture, existing policies, and requirements for developing and implementing security policies.
question
security posture
answer
Synonymous with protection profile. The implementation of an organization's security policies, procedures, and programs.
question
security professional
answer
A specialist in the technical and nontechnical aspects of security information.
question
Subject
answer
An active entity that interacts with an information system and causes information to move through the system for a specific purpose. Examples include individuals, technical components, and computer processes.
question
subject of an attack
answer
An agent entity that is used as an active tool to conduct an attack.
question
systems administrator
answer
An individual responsible for administering information systems.
question
systems development life cycle (SDLC)
answer
A methodology for the design and implementation of an information system.
question
team leader
answer
For information security, a project manager who understands project management, personnel management, and technical requirements.
question
Threat
answer
An object, person, or other entity that represents a constant danger to an asset.
question
top-down approach
answer
A methodology of establishing security policies that is initiated by upper management.
question
Utility
answer
The quality or state of having value for an end purpose. Information has ____ if it serves a purpose.
question
Vulnerability
answer
Weakness in a controlled system, where controls are not present or are no longer effective.
question
waterfall model
answer
A methodology of the system development life cycle in which each phase of the process begins with the information gained in the previous phase.
question
Information Security (IS)
answer
To protect the confidentiality, integrity and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.
question
Committee on National Security Systems
answer
CNSS
question
control, safeguard, or countermeasure
answer
security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization
question
salami theft
answer
aggregation of information used with criminal theft
question
Communications security
answer
the protection of communications media, technology, and content
question
Availability
answer
Enables authorized users -- persons or computer systems -- to access information without interference or obstruction and to receive it in the requested format
question
Accuracy
answer
when information is free from mistakes or errors and has the value that the end user expects
question
Authenticity
answer
The quality or state of being genuine or original, rather than a reproduction or fabrication.
question
physical security, personnel security, operations security, communications security, network security, information security
answer
the six layers of security an organization should have in place to protect its operations
question
network security
answer
the protection of networking components, connections, and contents
question
Information security (CNSS definition)
answer
The protection of information and its critical elements, including the system and hardware that use, store, and transmit that information
question
Access
answer
a subject or object's ability to use, manipulate, modify, or affect another subject or object
question
protection profile or security posture
answer
the entire set of controls and safeguards, including policy, education, training and awareness, that the organization implements (or fails to implement) to protect the asset
question
subject of an attack
answer
an agent entity used to conduct the attack
question
pretexting
answer
phishing undertaken by law enforcement