Module 4


CBA formula*

CBA = ALE(prior) - ALE(post) - ACS, where ALE(prior) is the annualized loss expectancy before the control is applied, ALE(post) is the annualized loss expectancy after it, and ACS is the annual cost of the safeguard. A positive result means the control is worth more than it costs.
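The formula is easier to apply once ALE is unpacked into its usual components, SLE = AV × EF and ALE = SLE × ARO. The following Python is an added example, not part of the original flashcards; the asset value, exposure factors, occurrence rates and control costs are constructed, and the helper names (`Exposure`, `cba`, `rank_controls`) are this example's own.

```python
# Added example (not from the original flashcards): risk-control cost-benefit
# analysis using the standard loss-expectancy decomposition
#   SLE = AV * EF,  ALE = SLE * ARO,  CBA = ALE(prior) - ALE(post) - ACS
# Asset values, exposure factors and control costs below are constructed.

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float      # AV: dollar value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0..1)
    annual_rate: float      # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by how often it happens."""
        return self.sle() * self.annual_rate


def cba(prior: Exposure, post: Exposure, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control pays for itself."""
    return prior.ale() - post.ale() - annual_cost_of_safeguard


def rank_controls(prior: Exposure,
                  candidates: dict[str, tuple[Exposure, float]]) -> list[tuple[str, float]]:
    """Return (name, CBA) pairs sorted best-first; candidates map name -> (post, ACS)."""
    scored = [(name, cba(prior, post, acs)) for name, (post, acs) in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario: a customer database worth $500,000; ransomware is expected
# to hit it once every two years (ARO 0.5) and destroy 40% of its value (EF 0.4).
BASELINE = Exposure(asset_value=500_000, exposure_factor=0.4, annual_rate=0.5)

# Constructed candidate controls: (post-control exposure, annual cost of safeguard).
CANDIDATES = {
    # Offline backups: same hit rate, but only 5% of the value is lost (rebuild time).
    "offline backups": (Exposure(500_000, 0.05, 0.5), 20_000),
    # EDR agent: cuts the rate to once in ten years, damage per hit unchanged.
    "edr agent": (Exposure(500_000, 0.4, 0.1), 60_000),
    # Everything at once: lowest residual ALE, but the cost exceeds the loss avoided.
    "backups + edr + consultants": (Exposure(500_000, 0.05, 0.1), 110_000),
}

if __name__ == "__main__":
    print(f"baseline ALE: ${BASELINE.ale():,.0f}")
    for name, value in rank_controls(BASELINE, CANDIDATES):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:30s} CBA ${value:>10,.0f}  {verdict}")
```

Note that the control with the lowest residual ALE is not the one with the best CBA; the formula penalizes a safeguard whose annual cost is larger than the loss it prevents, which is exactly the case for the third candidate.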

NIST

National Institute of Standards and Technology, the US agency whose Special Publications (SP 800 series) set out risk management and security control guidance.

Qualitative vs quantitative

A qualitative approach uses labels (for example low, medium, high) to assess value rather than numbers; a quantitative approach uses actual values or numeric estimates for asset valuation and loss calculation.

Five stages of risk management

Risk assessment; risk treatment; risk acceptance; risk communication; risk monitoring and review (the stages defined in ISO/IEC 27005).

US Military classifications

Top Secret, Secret, Confidential

TCSEC

Trusted Computer System Evaluation Criteria: an older DoD system certification and accreditation standard that defines the criteria for assessing the access controls in a computer system. It belongs to the "Rainbow Series" of color-coded documents (the TCSEC itself is the "Orange Book").

Delphi

A process whereby a group anonymously rates or ranks a set of information. The responses are compiled and returned to the group for another iteration, and the rounds repeat until the ratings converge.

Biba

An access control model similar in structure to BLP but concerned with integrity rather than confidentiality. It is based on the premise that higher levels of integrity are more worthy of trust than lower levels, so it assigns integrity levels to subjects and objects and enforces "no read down" (a subject may not read an object of lower integrity) and "no write up" (a subject may not write to an object of higher integrity).

Benchmarks

An attempt to improve information security practices by comparing an organization's efforts against the practices of a similar organization or against industry-developed standards, in order to identify results worth duplicating.

Confidential

Applied to information the unauthorized disclosure of which reasonably could be expected to cause "damage" to the national security that the original classification authority is able to identify or describe.

Secret

Applied to information the unauthorized disclosure of which reasonably could be expected to cause "serious damage" to the national security that the original classification authority is able to identify or describe.

Top Secret

Applied to information the unauthorized disclosure of which reasonably could be expected to cause "exceptionally grave damage" to the national security that the original classification authority is able to identify or describe.

Lattice-based access control

Assigns each user a matrix of authorizations for particular areas of access. The level of authorization may vary depending on the classification authorizations the individual holds for each group of information assets or resources; the pairs of (level, categories) form a lattice in which one label may dominate another.

Transference

Attempts to shift risk to another entity. May be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.

Termination

Based on the organization's need or choice not to protect an asset. The organization does not wish the information asset to remain at risk and so removes it from the environment in which it is vulnerable, typically because the cost of protecting it would outweigh its value.

Clark-Wilson

An integrity model built on principles of change control rather than integrity levels, designed for the commercial environment. Its three goals: no changes by unauthorized subjects; no unauthorized changes by authorized subjects; and the maintenance of internal and external consistency. Data is divided into constrained data items that may only be modified through certified transformation procedures, and each subject is certified for specific procedures.
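The three goals map directly onto an enforcement mechanism: a registry of certified (subject, transformation procedure) pairs, no direct writes to constrained data, and an integrity verification procedure run on every change. The following Python is an added example, not part of the original flashcards; the ledger, account names, procedures and the `ClarkWilson`, `attempt` and `ledger_consistent` names are constructed for this illustration.

```python
# Added example (not from the original flashcards): a small Clark-Wilson style
# monitor. Constrained data items (CDIs) can only be changed through registered
# transformation procedures (TPs); a subject may only invoke TPs it is certified
# for (access triples); an integrity verification procedure (IVP) must hold
# before and after every TP. The ledger below is constructed.

from __future__ import annotations

from typing import Callable

IVP = Callable[[dict[str, int]], bool]
TP = Callable[..., None]


class IntegrityViolation(Exception):
    """Raised when a TP would leave the CDIs in an inconsistent state."""


class ClarkWilson:
    def __init__(self, cdis: dict[str, int], ivp: IVP) -> None:
        if not ivp(cdis):
            raise IntegrityViolation("initial state fails the IVP")
        self._cdis = dict(cdis)
        self._ivp = ivp
        self._tps: dict[str, TP] = {}
        self._triples: set[tuple[str, str]] = set()  # certified (subject, tp) pairs

    def register_tp(self, name: str, fn: TP) -> None:
        self._tps[name] = fn

    def certify(self, subject: str, tp: str) -> None:
        """Access triple: subject may run tp on the CDIs."""
        self._triples.add((subject, tp))

    def view(self, item: str) -> int:
        """Read-only access; there is deliberately no direct write method."""
        return self._cdis[item]

    def run(self, subject: str, tp: str, *args) -> None:
        if (subject, tp) not in self._triples:
            # Goal 1: no changes by unauthorized subjects.
            raise PermissionError(f"{subject} is not certified for {tp}")
        working = dict(self._cdis)          # TP operates on a copy ...
        self._tps[tp](working, *args)
        if not self._ivp(working):
            # Goal 3: internal consistency; the change is never committed.
            raise IntegrityViolation(f"{tp} would break the IVP")
        self._cdis = working                # ... and commits only if consistent.


# Constructed ledger: money moves between accounts but is never created or
# destroyed, and no account may go negative.
LEDGER_TOTAL = 1_000


def ledger_consistent(accounts: dict[str, int]) -> bool:
    return sum(accounts.values()) == LEDGER_TOTAL and all(v >= 0 for v in accounts.values())


def transfer(accounts: dict[str, int], src: str, dst: str, amount: int) -> None:
    """Well-formed transaction: total is preserved."""
    accounts[src] -= amount
    accounts[dst] += amount


def mint(accounts: dict[str, int], dst: str, amount: int) -> None:
    """Badly-formed procedure: creates money out of nothing."""
    accounts[dst] += amount


def attempt(monitor: ClarkWilson, subject: str, tp: str, *args) -> str:
    """Run a TP and report how the monitor disposed of it."""
    try:
        monitor.run(subject, tp, *args)
        return "committed"
    except PermissionError:
        return "denied"
    except IntegrityViolation:
        return "rejected"


def build_demo() -> ClarkWilson:
    monitor = ClarkWilson({"alice": 600, "bob": 400}, ledger_consistent)
    monitor.register_tp("transfer", transfer)
    monitor.register_tp("mint", mint)
    monitor.certify("teller", "transfer")   # teller may move money
    monitor.certify("admin", "mint")        # admin is certified, but mint is unsound
    return monitor


if __name__ == "__main__":
    m = build_demo()
    print(attempt(m, "teller", "transfer", "alice", "bob", 200))   # committed
    print(attempt(m, "teller", "mint", "alice", 50))               # denied
    print(attempt(m, "admin", "mint", "alice", 50))                # rejected
    print(attempt(m, "teller", "transfer", "alice", "bob", 900))   # rejected (negative)
    print(m.view("alice"), m.view("bob"))                          # 400 600
```

The IVP makes the model robust even against a certified subject running a faulty procedure: the `admin` is allowed to call `mint`, but the result is discarded because it fails the consistency check, so the ledger only ever moves between states the IVP accepts.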

BLP (Bell-LaPadula)

A confidentiality model, formulated as a state machine, that ensures the confidentiality of the modeled system by using mandatory access controls, data classification and security clearances. Its two rules: the simple security property ("no read up": a subject may not read an object classified above its clearance) and the *-property ("no write down": a subject may not write to an object classified below its clearance).
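BLP and Biba enforce mirror-image rules over the same kind of lattice, so one `dominates` relation serves both. The following Python is an added example, not part of the original flashcards; it uses the US classification levels from this set as the ordered levels, while the subjects, objects, compartments and the `Label`, `blp_allows` and `biba_allows` names are constructed for the demonstration.

```python
# Added example (not from the original flashcards): enforcing the Bell-LaPadula
# confidentiality rules and the Biba integrity rules over one ordered set of
# levels plus categories (a lattice). Subjects, objects and categories are
# constructed; the level names follow the US classification scheme.

from __future__ import annotations

from dataclasses import dataclass

# Totally ordered sensitivity levels, lowest first. Clearances and classifications
# both map into this order, which is what makes "dominates" well defined.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus a set of compartments (need-to-know categories)."""
    level: str
    categories: frozenset[str] = frozenset()

    def dominates(self, other: Label) -> bool:
        """self >= other in the lattice: higher-or-equal level AND a superset of categories."""
        return RANK[self.level] >= RANK[other.level] and self.categories >= other.categories


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down.
    read  -> simple security property: subject must dominate object
    write -> *-property: object must dominate subject"""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown op {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up, the mirror image of BLP.
    Here the labels are integrity labels, not sensitivity labels."""
    if op == "read":
        return obj.dominates(subject)   # simple integrity: read only equal-or-higher integrity
    if op == "write":
        return subject.dominates(obj)   # *-integrity: write only equal-or-lower integrity
    raise ValueError(f"unknown op {op!r}")


# Constructed subjects and objects for the demonstration.
analyst = Label("Secret", frozenset({"crypto"}))
ts_report = Label("Top Secret", frozenset({"crypto"}))
s_nuclear = Label("Secret", frozenset({"crypto", "nuclear"}))
public_feed = Label("Unclassified")

if __name__ == "__main__":
    checks = [
        ("BLP read Top Secret report", blp_allows(analyst, ts_report, "read")),    # read up: deny
        ("BLP read Secret/nuclear", blp_allows(analyst, s_nuclear, "read")),        # missing category: deny
        ("BLP write Top Secret report", blp_allows(analyst, ts_report, "write")),  # write up: allow
        ("BLP write public feed", blp_allows(analyst, public_feed, "write")),      # write down: deny
        ("Biba read public feed", biba_allows(analyst, public_feed, "read")),      # read down: deny
        ("Biba write public feed", biba_allows(analyst, public_feed, "write")),    # write down: allow
    ]
    for name, ok in checks:
        print(f"{name:30s} {'ALLOW' if ok else 'DENY'}")
```

The category check is what distinguishes a lattice from a simple ordered list of levels: the analyst and the nuclear file are both Secret, yet the read is denied because the analyst's compartments do not cover the object's. In a real system the BLP lattice and the Biba lattice would be separate labelings, since a highly sensitive document is not automatically a highly trustworthy one.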

Non-discretionary access controls

Controls implemented by a central authority rather than by the data owner. They are commonly based on roles (role-based access control, RBAC) or tasks, and may in turn be enforced through lists maintained for subjects (capability tables) or for objects (access control lists).

Brewer-Nash

Designed to prevent a conflict of interest between two parties. Data sets that compete are grouped into conflict-of-interest classes; once a user accesses data belonging to one company in a class, that user can no longer access data of any other company in the same class. Also known as the "Chinese wall" model.
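Unlike BLP or Biba, the Brewer-Nash decision depends on the subject's own access history, so the monitor has to remember what each user has already read. The following Python is an added example, not part of the original flashcards; the company names, conflict classes and the `ChineseWall` class are constructed for the illustration.

```python
# Added example (not from the original flashcards): a Brewer-Nash ("Chinese wall")
# monitor. Access is decided by the subject's own history: once a user has read
# data of one company in a conflict-of-interest class, every other company in that
# class becomes off-limits to that user. Company names and classes are constructed.

from __future__ import annotations

from collections import defaultdict


class ChineseWall:
    def __init__(self, conflict_classes: dict[str, set[str]]) -> None:
        # company -> name of its conflict-of-interest class
        self.class_of: dict[str, str] = {}
        for coi, companies in conflict_classes.items():
            for company in companies:
                if company in self.class_of:
                    raise ValueError(f"{company} listed in two conflict classes")
                self.class_of[company] = coi
        # user -> set of company datasets the user has already read
        self.history: dict[str, set[str]] = defaultdict(set)

    def can_read(self, user: str, company: str) -> bool:
        """Simple security rule: allowed unless the user has already read a
        different company in the same conflict class. Data outside every class
        (sanitised / unaffiliated) is always readable."""
        coi = self.class_of.get(company)
        if coi is None:
            return True
        return not any(seen != company and self.class_of.get(seen) == coi
                       for seen in self.history[user])

    def read(self, user: str, company: str) -> bool:
        """Mediate the read and, if allowed, record it so later decisions see it."""
        if not self.can_read(user, company):
            return False
        self.history[user].add(company)
        return True

    def can_write(self, user: str, company: str) -> bool:
        """*-property: a user may write to a company's dataset only if the only
        company datasets they have read belong to that company (or to no class),
        so nothing from a competitor can flow through this user into it."""
        if not self.can_read(user, company):
            return False
        return all(seen == company or self.class_of.get(seen) is None
                   for seen in self.history[user])


if __name__ == "__main__":
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})
    print(wall.read("alice", "BankA"))       # True: first bank touched
    print(wall.read("alice", "OilX"))        # True: different conflict class
    print(wall.read("alice", "BankB"))       # False: BankA is already in her history
    print(wall.can_write("alice", "BankA"))  # False: she has also read OilX
    print(wall.read("bob", "BankB"))         # True: bob's wall is independent of alice's
    print(wall.can_write("bob", "BankB"))    # True: bob has read nothing else
```

The write rule is the part usually forgotten: alice is still allowed to read BankA, but because she has also read OilX, letting her write into BankA's dataset would give OilX information a path into the bank's files, so the write is refused even though OilX is not a bank.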

Deterrent

A control that discourages or deters an incipient incident.

CBA (cost-benefit analysis)

An economic feasibility study: a formal presentation of the economic expenditures needed for a particular security control, contrasted with the projected value of the loss it prevents.

ISO/IEC 27005

The standard in the 27000 family that covers the performance of information security risk management; it defines the five stages of risk management.

ITIL (Information Technology Infrastructure Library)

A collection of methods and practices for managing the development and operation of IT infrastructures. "ITIL" and "IT Infrastructure Library" were registered as trademarks by the UK's Office of Government Commerce (OGC).

FAIR (Factor Analysis of Information Risk)

A risk management framework developed by Jack A. Jones that helps organizations understand, analyze and measure information risk in quantitative terms.

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

An information security risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls.

Common Criteria

The Common Criteria for Information Technology Security Evaluation, an international standard (ISO/IEC 15408) for computer security certification. Successor to TCSEC and ITSEC, in that it reconciles some of the differences between those earlier standards.

Security models

A security model, or framework, is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies and security education and training programs.

COSO (Committee of Sponsoring Organizations of the Treadway Commission)

Outlines the components of internal control and established a common definition of internal controls, along with standards and criteria against which companies and organizations can assess their control systems.

Separation of duties

The principle that significant tasks be split up in such a way that more than one individual is responsible for their completion, so that no single person can both perform and conceal a fraudulent or erroneous action.

COBIT (Control Objectives for Information and Related Technology)

Provides advice about the implementation of sound controls and control objectives for InfoSec. ISACA describes COBIT 5 as the only business framework for the governance and management of enterprise IT.

ISO/IEC 27001

Specifies the requirements for establishing, operating and improving an information security management system (ISMS); it is used together with ISO/IEC 27002, which provides the code of practice for the controls the ISMS selects.

Corrective

A control that remedies a circumstance or mitigates damage done during an incident.

Defense control strategy*

The risk control strategy that attempts to eliminate or reduce remaining uncontrolled risk through the application of additional controls and safeguards. Also known as the avoidance strategy.

Acceptance control strategy*

The risk control strategy that indicates the organization is willing to accept the current level of risk. A conscious decision is made to do nothing further to protect the information asset and to accept the damage if the risk is realized.

Discretionary access controls

Controls implemented at the discretion or option of the data user or owner. The ability to share resources in a peer-to-peer configuration allows users to control, and possibly grant, access to the information or resources at their disposal.

Mitigation

The control approach that focuses on planning and preparation to reduce the damage caused by a realized incident or disaster. Includes incident response (IR), disaster recovery (DR) and business continuity (BC) planning.

Least privilege

The principle by which members of the organization are given access to only the minimum amount of information, for the minimum amount of time, necessary to perform their required duties.

Need to know

The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks.

Risk appetite

The quantity and nature of risk that an organization is willing to accept as it evaluates the trade-offs between perfect security and unlimited accessibility.

Covert channels

Unauthorized or unintended methods of communication hidden inside a computer system, through which information can leak in violation of the security policy.

Reference monitor

Within the trusted computing base (TCB), the conceptual part of the system that manages access control; in other words, it mediates all access to objects by subjects.
