Chapter 4 Vocab - ISEC
Parallel test
A __________ evaluates the effectiveness of the DRP by enabling full processing capability at an alternate data center without interrupting the primary data center.
RTO - recovery time objective
A defined metric for how long it must take to recover an IT system, application, and data access.
Risk methodology
A description of how you will manage risk
Vulnerability
A weakness that allows a threat to be realized or to have an effect on an asset.
BCP - business continuity plan
A written plan for a structured response to any events that result in an interruption to critical business activities or functions
Mobility
Allows remote workers and employees to be connected to the IT infrastructure in almost real time
Warm site
Facility with environmental utilities and basic computer hardware
ISO/IEC 27005, "Information Security Risk Management"
An ISO standard that describes information security risk management in a generic manner. The documents include examples of approaches to information security risk assessment and lists of possible threats, vulnerabilities, and security controls.
BIA - business impact analysis
An analysis of an organization's functions and activities that classifies them as critical or noncritical
Mitigation
Any actions intended to reduce or address vulnerabilities found in either penetration tests or vulnerability tests.
Cold site
Facility with basic environmental utilities but no infrastructure components
Remote wiping
Install software that will enable organizations to initiate ___________ of data or email in the event of loss or theft of the device.
Disaster
An event that affects multiple business processes for an extended period; it causes substantial resource damage that you must address before you can resolve the business process interruption
Payment Card Industry Data Security Standard (PCI DSS)
Not a law, but affects any organization that processes or stores credit card information; a comprehensive security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.
Risk Management Guide for Information Technology Systems (NIST SP800-30)
Part of the Special Publication 800 series of reports, these products provide detailed guidance on what you should consider in risk management and risk assessment in computer security; the reports include checklists, graphics, formulas, and references to U.S. regulatory issues.
Gramm-Leach-Bliley Act (GLBA)
Passed in 1999, __________ requires all types of financial institutions to protect customers' private financial information.
Data Ownership
Personal data such as contacts, pictures, or emails are the intellectual property of the employee
Risk-response plan
Starting with the highest priority risks, explore potential responses to each one. With direction from your organization's upper management, determine the responses to each risk that provide the best value.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
The _________ approach defines a risk-based strategic assessment and planning technique for security.
Compliance
The act of following laws, rules, and regulations that apply to your organization and its use of IT systems, applications, and data.
RPO - recovery point objective
The maximum acceptable level of data loss after a disaster
Government Information Security Reform Act (Security Reform Act) of 2000
This act focuses on management and evaluation of the security of unclassified and national security systems
Full-interruption test
This is the only complete test. ____________ interrupt the primary data center and transfer processing capability to an alternate site.
EF - exposure factor
This represents the percentage of the asset value that would be lost if an incident occurred
Quantitative risk analysis
This type of risk assessment attempts to describe risk in financial terms and put a dollar value on each risk
SLE - single loss expectancy
You can calculate the value of a single loss using the asset value and the exposure factor. If an actuary calculates that the EF of a late-model SUV is 20 percent, then every time he receives a claim, all he needs to do is look up the asset value, multiply by the EF, and he'll have a very good prediction of the payout; this allows the actuary to calculate insurance premiums accurately and reduce the risk of the insurance company losing money.
Qualitative risk analysis
You can judge every risk on two scales: likelihood and impact
PMBOK
a best practices guide for project management maintained by the Project Management Institute (PMI); states that the effects of risk can be positive or negative
Impact
a loss of availability, integrity, and confidentiality; result of an exploited vulnerability
CCTA Risk Analysis and Management Method (CRAMM)
a risk analysis method developed by the U.K. government; best suited for large organizations.
ARO - annual rate of occurrence
also called the risk likelihood; determines how often a loss is likely to occur every year
Risk survey
an applicable instrument for gathering information on the nature of threats.
Threat
any action that could damage an asset; an opportunity to exploit a vulnerability
Risk register
can contain many different types of information but should contain at least the following: a description of the risk; the expected impact if the associated event occurs; the probability of the event occurring; steps to mitigate the risk; steps to take should the event occur; and the rank of the risk
DRP - disaster recovery plan
directs the actions necessary to recover resources after a disaster
Sarbanes-Oxley Act (SOX)
established the Public Company Accounting Oversight Board (PCAOB), which is responsible for overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies; also dictates policies that address auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
Cost
the factors involved in implementing functional, operational, technical, and security capabilities in IoT devices and applications
Health Insurance Portability and Accountability Act (HIPAA)
governs the way doctors, hospitals, and other health care providers handle personal medical information; requires that all medical records, billing, and patient information be handled in ways that maintain the patient's privacy; guarantees that all patients be able to access their own medical records, correct errors or omissions, and be informed of how personal information is used
Business driver
includes people, information, and conditions that support business objectives
Gap analysis
is a comparison of the security controls you have in place and the controls you need in order to address all identified threats
Risk Management
is the process of identifying, assessing, prioritizing, and addressing risks
Simulation test
more realistic than a structured walk-through. In a _______________, the DRP team uses role playing and follows through with as many of the effects of a simulated disaster as possible without affecting live operations
Negative risk
probability that an uncertain event will negatively affect one or more of the business's assets or resources
Positive risk
probability that an uncertain event will positively affect one or more of the business's assets or resources
ALE - annual loss expectancy
the SLE (the loss when an incident happens) times the ARO. It helps an organization identify the overall impact of a risk.
Likelihood
the chance that something might happen. ______________ can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).
Security gap
the difference between the security controls you have in place and the controls you need in order to address all vulnerabilities
Residual risk
the risk that remains after you have deployed countermeasures and controls
Federal Information Security Modernization Act (FISMA)
the update to the original act, which was passed in 2002