IS 4680 Final

अब Quizwiz के साथ अपने होमवर्क और परीक्षाओं को एस करें!

Guideline

A parameter within which a policy, standard, or procedure is suggested but optional

Procedure

A written statement describing the steps required to implement a process - very technical in nature -mostly used by IT personnel.

CIA

Confidentiality, Integrity, Availability

Detective controls

Detective controls are mechanisms that recognize when an undesired action has occurred, such as motion detectors or usage log analysis tools.

LAN-to-W AN Domain AND WAN Domain

The transition from the LAN to theW AN typically involves equipment such as a router or a firewall. A router is used to forward data between different networks. A firewall is another common component. A firewall is placed between networks and is designed to permit authorized access, while blocking everything else.

Single Sign On

Users have to log on several times as they use different applications. One solution is to use an SSO system.

Router

Within the LAN-to-WAN Domain this connects two or more separate networks

Security Assessment

a key activity that involves the management of risk. Information systems provide numerous benefits and efficiencies within organizations. However, the benefits come with risks as a result of operating these systems.

TACACS

a network protocol developed by Cisco to provide authentication services in the remote access domain. TACACS stands for Terminal Access Controller Access Control System.

RADIUS

a network protocol that supports remote connections by centralizing the management tasks. RADIUS stands for Remote Authentication Dial In User Service

a VPN solution

allows for choices such as IPSec, L2F, and GRE- each of which is an encapsulating protocol. When using remote access and VPN tunnels be sure to monitor remote computer login.

IT Security Audit

an independent assessment of an organization's internal policies, controls, and activities.You use an audit to assess the presence and effectiveness o IT controls and to ensure that those controls arecompliant with stated policies.

Operational impact

applying controls is a direct result of the risk assessment process combined with an analysis of the tradeoffs. This is the tradeoff.

difference between an Assessment and an Audit

assessment finds blame where an Audit does not.

Technical

controls (also called logical controls) use software and data to monitor and control access to information and computing systems. For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls. An important logical control that is frequently overlooked is the principle of least privilege. The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task.

Administrative

controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines. Administrative controls form the framework for running the business and managing people. They inform people on how the business is to be run and how day to day operations are to be conducted

Physical

controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities.

Software configuration management

formal method to control the software development life cycle

two main types of attacks that may originate from within your organization

internal attacks on your organization and internal to external attacks on another organization

Certification and Accreditation Professional (CAP)

is a certification for professionals involved in certifying and accrediting the security of information systems.

Certified Secure Software Lifecycle Professional (CSSLP)

is a certification for those involved with ensuring security throughout the software life cycle.

ISACA

is a professional association that provides many resources for information systems auditors and IT security and governance professionals.

Systems Security Certified Practitioner (SSCP)

is an ideal certification for security engineers, analysts, and administrators. It is also popular for those without primary duties as an IS professional but who would benefit from understanding security. This includes information system auditors, programmers, and database administrators.

Remote Access Domain

is made up of the authorized users who access organization resources remotely.Access often occurs over unsecured transports such as the Internet. Other unsecured transports include dial-upvia a modem. Mobile workers often need access to the private LAN while traveling or working from home, for example. Mobile workers are granted this access using remote access solutions. Remote access solutions, such as a virtual private network (VPN), are able to create an encrypted communications tunnel over a public network such at the Internet.

System/Application Domain

made up of the many systems and software applications that users access. Knowledge within this domain can be very specialized as operators may focus on one specific aspect, such as mail servers, and be quite familiar with associated security ramifications. On the other hand, that same person might know very little about databases. Like the desktop operating system, server operating systems should be hardened to authorized baselines and configured according to policies and standards with the appropriate controls.

Preventive controls

mechanisms that keep an undesired action from happening, such as locked doors or computer access controls.

Corrective controls

mechanisms that repair damage caused by an undesiredaction and limit further damage, such as the procedure to remove viruses or using a firewall to block an attacking system

IDS/IPS

most firewall rules are based on static attributes; therefore, they are not effective at protecting a network from all types of attacks. These can be used to help firewalls do a better job

Security control management

pertains specifically to the configuration items that are directly related to controls or settings representing significant risk, if not managed properly.

Baseline configuration management

plan for establishing the basic standard of system configurations and the management of configuration items

System characterization

provides details about the infrastructure systems. This includes the hardware,software, data, interfaces, and associated users. A discussion of existing technical, management, and operational controls can be included.

network operating system (NOS)

provides the interface between the hardware and the application layer software .

Threat identification

requires the identification of all possible threats first.

LAN Domain Audit can examine various elements

• Logon mechanisms and controls for access to the LAN • Hardening and configuration of LAN systems • Backup procedures for servers • Review of power supply for the network

National Institute of Standards and Technology (NIST) include

• Management • Technical • Operational

types of assessments

• Network security architecture review • Review of security policies, procedures, and practices • Vulnerability scan and testing • Physical security assessment • Security risk assessment • Social engineering assessment • Application assessment

The IIA code has:

• Integrity • Objectivity • Confidentiality • Competency

RADIUS or TACACS

Authentication in the Remote Access Domain can be handled best by using:

Gap Analysis

By having sound policies in place and a framework for the application of controls, you will be able to map existing controls to each regulation, including future regulations. Thereafter, organizations perform these to identify anything that is missing.

Regulatory compliance benefits:

1. Organizations 2. Consumers 3. Shareholders

Policy

A document that states how the. organization is to perform and conduct business functions and transactions with a desired outcome- very high level and not very granular

GLBA

Also known as the Financial Modernization Act of 1999, includes provisions to protect consumers personal financial information held by financial institutions

User Domain

An audit of the ___________ should be considered for anyone accessing the organization's information systems. This includes not just employees but non employees as well, such as contractors or consultants. This domain considers the roles and responsibilities of the users. It should examine all policies that relate to them, specifically access policies.

Standard

An established and proven norm or method, which can be a procedural standard or a technical standard implemented organization-wide - somewhat more granular than the policy that it is derived from

COBIT

Control Objectives for Information and Related Technology

RACI Matrix

Each task in the audit process has one or more people who are responsible or accountable for that task. Many organizations use a RACI matrix to document tasks and personnel responsible for the assignments. RACI stands for responsible, accountable, consulted, and informed

FISMA

Enacted in 2002, requires federal agencies to implement a program to provide security for their information and information systems, including those provided or managed by another agency or contractor. It is Title III of theE-Government Act of2002. The Federal Information Security Management Act (FISMA) ensures that organizations have sound information security practices and the organizations have a framework for effective information security resources that support federal operations

Fault, Configuration, Accounting, Performance, Security

FCAPS

COSO

stands for Committee of Sponsoring Organizations. a joint initiative of :five private sector organizations, established in the United States, dedicated to providing thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting

Application data encryption

strategy used for encrypting data to send to remote users

FCAPS

the ISO Telecommunications Management Network model and framework for network management.

Workstation Domain

the end users' operating environment

Risk assessment

the way in which firms quantity how significant each risk is to the achievement of their overall goals.

Certified Information Systems Security Professional (CISSP)

this is arguably the most recognized information security certification. This certification is ideal for information security management professionals or those who develop policies and procedures for information security. The CISSP includes three concentrations in architecture, engineering, and management.

Proxy Server

type of firewall that makes requests for remote services on the behalf of the local clients

PCIDSS

used for the payment card industry.

Main controls in this domain for maintaining a System/Application Domain include:

• Application patch management • Domain management

Institute of Internal Auditors (IIA), provides a fellowship program for experienced auditors to develop their careers. Participants must meet the following requirements:

• At least five years of professional experience in internal auditing • An active IIA membership or a professional certification • A bachelor's or higher degree • Two professional recommendations • A personal letter of interest • A minimum of two writing samples • A completed application

Under the two components, People and Documentation, you find people fall into three types:

• Employees • Guests/third parties • Contractors

The three authentication types include:

• Identity - What you know • Tokens - What you have • Biometrics - What you are


संबंधित स्टडी सेट्स

Bio 2 FINAL exam review (mastering)

View Set

Mariner Advancement CEL MOTORS Casualty Control and FO Purifiers

View Set

ACC 131 Exam (Chapters 7, 8, 9) Thomas

View Set

AP Econ Fall Final Review Unit 1

View Set