Chapter 4 Vocab - ISEC


Parallel test

A __________ evaluates the effectiveness of the DRP by enabling full processing capability at an alternate data center without interrupting the primary data center.

RTO - recovery time objective

The maximum acceptable time allowed to recover an IT system, application, and data access after a disruption; a defined metric that the DRP must be able to meet.

Risk methodology

A description of how you will manage risk

Vulnerability

A weakness that allows a threat to be realized or to have an effect on an asset.

BCP - business continuity plan

A written plan for a structured response to any events that result in an interruption to critical business activities or functions

Mobility

Allows remote workers and employees to connect to the IT infrastructure in near real time.

Warm site

Facility with environmental utilities and basic computer hardware

ISO/IEC 27005, "Information Security Risk Management"

An ISO standard that describes information security risk management in a generic manner. The documents include examples of approaches to information security risk assessment and lists of possible threats, vulnerabilities, and security controls.

BIA - business impact analysis

An analysis of an organization's functions and activities that classifies them as critical or noncritical

Mitigation

Any actions intended to reduce or address vulnerabilities found in either penetration tests or vulnerability tests.

Cold site

Facility with basic environmental utilities but no infrastructure components

Remote wiping

Install software that will enable organizations to initiate ___________ of data or email in the event of loss or theft of the device.

Disaster

An event that affects multiple business processes for an extended period and causes substantial resource damage that you must address before you can resolve the business process interruption.

Payment Card Industry Data Security Standard (PCI DSS)

Not a law, but affects any organization that processes or stores credit card information; a comprehensive security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.

Risk Management Guide for Information Technology Systems (NIST SP 800-30)

Part of the NIST Special Publication 800 series; these documents provide detailed guidance on what you should consider in risk management and risk assessment for computer security. The reports include checklists, graphics, formulas, and references to U.S. regulatory issues. (Revision 1 of SP 800-30, published in 2012, is titled "Guide for Conducting Risk Assessments.")

Gramm-Leach-Bliley Act (GLBA)

Passed in 1999, __________ requires all types of financial institutions to protect customers' private financial information.

Data Ownership

Personal data such as contacts, pictures, or emails are the property of the employee, not the organization.

Risk-response plan

Starting with the highest priority risks, explore potential responses to each one. With direction from your organization's upper management, determine the responses to each risk that provide the best value.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

The _________ approach defines a risk-based strategic assessment and planning technique for security.

Compliance

The act of following laws, rules, and regulations that apply to your organization and its use of IT systems, applications, and data.

RPO - recovery point objective

The maximum acceptable amount of data loss after a disaster, usually expressed as a length of time (for example, the interval since the last usable backup) whose data the organization can afford to lose.

Government Information Security Reform Act (Security Reform Act) of 2000

This act focuses on management and evaluation of the security of unclassified and national security systems

Full-interruption test

This is the only complete test. A ____________ interrupts the primary data center and transfers processing capability to an alternate site.

EF - exposure factor

This represents the percentage of the asset value that will be lost if an incident were to occur

Quantitative risk analysis

This type of risk assessment attempts to describe risk in financial terms and put a dollar value on each risk

SLE - single loss expectancy

The expected loss from a single occurrence of a risk, calculated from the asset value and the exposure factor: SLE = asset value (AV) × EF. If an actuary calculates that the EF of a late-model SUV is 20 percent, then for every claim received, all the actuary needs to do is look up the asset value and multiply by the EF to get a very good prediction of the payout. This lets the actuary calculate insurance premiums accurately and reduces the risk of the insurance company losing money.

Qualitative risk analysis

You can judge every risk on two scales: likelihood and impact

PMBOK

a best practices guide for project management maintained by the Project Management Institute (PMI); states that the effects of risk can be positive or negative

Impact

The loss of availability, integrity, or confidentiality that results from an exploited vulnerability.

CCTA Risk Analysis and Management Method (CRAMM)

a risk analysis method developed by the U.K. government; best suited for large organizations.

ARO - annual rate of occurrence

Also called the risk likelihood; the number of times a loss is expected to occur in a year (an event expected once every 10 years has an ARO of 0.1).

Risk survey

A questionnaire or similar instrument used to gather information on the nature of threats.

Threat

Any action or event that could damage an asset by exploiting a vulnerability.

Risk register

Can contain many different types of information but should contain at least the following:
- A description of the risk
- The expected impact if the associated event occurs
- The probability of the event occurring
- Steps to mitigate the risk
- Steps to take should the event occur
- Rank of the risk

DRP - disaster recovery plan

directs the actions necessary to recover resources after a disaster

Sarbanes-Oxley Act (SOX)

established the Public Company Accounting Oversight Board (PCAOB), which is responsible for overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies; also dictates policies that address auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

Cost

The factors required to implement functional, operational, technical, and security capabilities in IoT devices and applications.

Health Insurance Portability and Accountability Act (HIPAA)

governs the way doctors, hospitals, and other health care providers handle personal medical information; requires that all medical records, billing, and patient information be handled in ways that maintain the patient's privacy; guarantees that all patients be able to access their own medical records, correct errors or omissions, and be informed of how personal information is used

Business driver

include people, information, and conditions that support business objectives

Gap analysis

is a comparison of the security controls you have in place and the controls you need in order to address all identified threats

Risk Management

is the process of identifying, assessing, prioritizing, and addressing risks

Simulation test

more realistic than a structured walk-through. In a _______________, the DRP team uses role playing and follows through with as many of the effects of a simulated disaster as possible without affecting live operations

Negative risk

probability that an uncertain event will negatively affect one or more of the business's assets or resources

Positive risk

probability that an uncertain event will positively affect one or more of the business's assets or resources

ALE - annual loss expectancy

The SLE (the loss when an incident happens) times the ARO (how often it is expected to happen per year): ALE = SLE × ARO. It expresses the expected yearly loss from a risk and helps an organization weigh that loss against the cost of controls.
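A worked example of the quantitative chain defined on this set (EF, SLE, ARO, ALE), added here and not part of the original vocab set: it computes SLE = AV × EF and ALE = SLE × ARO, ranks risks by ALE, and uses ALE to decide whether a control is worth its annual cost. The asset values, exposure factors, rates of occurrence, and control costs are constructed for illustration.

```python
"""Quantitative risk analysis: EF, SLE, ARO, ALE and control cost-benefit.

Added worked example for this vocab set. All dollar figures, exposure
factors and annual rates of occurrence are constructed, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # AV: what the asset is worth, in dollars
    exposure_factor: float   # EF: fraction of AV lost per incident (0.0 to 1.0)
    aro: float               # ARO: expected incidents per year (0.1 = once a decade)

    def __post_init__(self) -> None:
        # Validate inputs: an EF above 100% or a negative ARO is a data-entry error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Highest ALE first; this is the order a risk-response plan works through."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_value(risk: Risk, ef_after: float, aro_after: float,
                  annual_cost: float) -> float:
    """Net yearly value of a control.

    (ALE before control) - (ALE after control) - (annual cost of control).
    Positive: the control saves more than it costs. Negative: it costs more
    than the loss it prevents, so the money is better spent elsewhere.
    """
    after = Risk(risk.name, risk.asset_value, ef_after, aro_after)
    return risk.ale() - after.ale() - annual_cost


def example_portfolio() -> dict[str, float]:
    """Constructed scenario: three risks, two candidate controls."""
    # The actuary example from the card: late-model SUV, EF 20%,
    # a claim expected roughly once every ten years (ARO 0.1).
    suv = Risk("suv_claim", asset_value=40_000, exposure_factor=0.20, aro=0.1)

    # Ransomware on a file server: 60% of the asset value lost per incident,
    # one incident expected every two years.
    ransomware = Risk("ransomware", asset_value=250_000, exposure_factor=0.60, aro=0.5)

    # Laptop theft: whole asset lost each time, twice a year.
    laptop = Risk("laptop_theft", asset_value=3_000, exposure_factor=1.0, aro=2.0)

    # Control A: offline backups at $20k/year cut EF to 10%; ARO unchanged.
    backups = control_value(ransomware, ef_after=0.10, aro_after=0.5, annual_cost=20_000)

    # Control B: a $10k/year tracking service cuts laptop ARO from 2 to 0.5.
    tracking = control_value(laptop, ef_after=1.0, aro_after=0.5, annual_cost=10_000)

    ranked = rank_by_ale([suv, ransomware, laptop])
    return {
        "suv_sle": suv.sle(),                 # 8,000
        "suv_ale": suv.ale(),                 # 800
        "ransomware_ale": ransomware.ale(),   # 75,000
        "laptop_ale": laptop.ale(),           # 6,000
        "backups_value": backups,             # +42,500: worth buying
        "tracking_value": tracking,           # -5,500: not worth buying
        "top_risk_is_ransomware": float(ranked[0].name == "ransomware"),
    }


if __name__ == "__main__":
    for key, value in example_portfolio().items():
        print(f"{key:>24}: {value:,.2f}")
```

The sign of `control_value` is the check a practitioner actually wants: a control that reduces ALE is still a bad buy when its annual cost exceeds the ALE it removes, which is what the laptop-tracking case shows. The same arithmetic extends to comparing several controls for one risk; pick the one with the largest positive net value.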

Likelihood

the chance that something might happen. ______________ can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).

Security gap

the difference between the security controls you have in place and the controls you need in order to address all vulnerabilities

Residual risk

The risk that remains after you have deployed countermeasures and controls.

Federal Information Security Modernization Act (FISMA)

Passed in 2014, this act updated the original Federal Information Security Management Act of 2002.
