Computer security test 2

operational planning

Day to day (departments and teams)

contingency planning types

ramification, reaction, recovery, and relocation

Risk control strategies

1. Defense 2. Transfer 3. Mitigate 4. Accept 5. Terminate

incident characteristics

catastrophic and long-term

Annualized rate of Occurrence formula

number of times / year

Issue-Specific Security Policy (ISSP)

(should:) Address specific areas of technology, require frequent updating, state an organization's position on a specific issue

five aspects of NIST

1. Identify 2. Protect 3. Detect 4. Respond 5. Recover

Cost benefit analysis formula

ALE(before) - ALE(after) - Annualized cost of a safeguard

Loss magnitude formula

Asset value * Probable loss

Standards

Detailed statements for compliance

access control

Determines types of user access, such as read-only access

risk control defense

Eliminate or reduce any remaining uncontrolled risk using additional controls and safeguards. (Avoidance strategy) (preferred approach)

Single Loss Expectancy (SLE)

Expected monetary loss every time a risk occurs; calculated by multiplying asset value by exposure factor.

Annualized Loss Expectancy (ALE)

Expected monetary loss for an asset due to a risk over a one-year period; calculated by multiplying single loss expectancy by annualized rate of occurrence.

Single loss expectancy formula

Exposure factor (EF) * Asset value

Mitigation strategy includes 3 types of plans

Incident response (IR) Disaster response (DR) Business continuity (BC)

Developing an incident response plan

Plan, detect, react, recover

Strategic planning

Long term planning

Risk formula

Loss frequency * Loss magnitude + uncertainty

NIST

National Institute of Standards and Technology

Guidelines

Recommendations for compliance

Annualized Loss Expectancy formula

Single loss expectancy * Annualized rate of Occurrence

Risk management definition

The identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Exposure factor (EF)

The potential percentage of loss to an asset if a threat is realized.

internal

all internal information that does not meet the confidential category

cost-benefit analysis

a study that compares the costs and benefits to society of providing a public good

De facto

actually existing or in effect, although not legally required or sanctioned; (not fully protected)

external

all information that has been approved for public release

information asset valuation

assigning essential value or worth

Loss frequency formula

attack likelihood * Attack success

spheres of security

foundation of the security framework

De jure

fully protected

security awareness

cause people to think about security

management, users, IT

communities of interest regarding risk management

statement, authorized access/use, prohibited use, management, penalties, updating, liability

components of ISSP

controls

defense, transference, mitigation, acceptance, termination

analyze the business impact

essential assets/functionality, potential disruptions, priorities

Enterprise information security policy (EISP)

high-level policy, sets security strategic direction, philosophy/purpose, structure and responsibilities

IDPRR

identify, detect, protect, respond, recover

dimensions

impact (seriousness) and likelihood (probability)

Annualized cost of a safeguard (ACS)

in a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.

management

information security is mainly a ___________ problem

incident response plan

initial response/reaction

Procedures

instructions to obtain compliance

business continuity plan

maintaining/relocating operations

procedures and practice reviews

making policies, procedures, guidelines, and practices themselves

policy administrator

manage, input, communicate

security education

offer formal knowledge toward understanding

day-to-day operations departments and teams, actual implementation

operational planning

security training

provide hands-on and technical skills

disaster recovery plan

restoration/recovery process

plan & organize; identify & categorize; classify & prioritize; identify & prioritize; and specify

risk identification

identify risk, assess potential impact, take steps to reduce risk, and balance cost/benefit

risk management

policies/mechanisms

security clearance, clean desk policy, proper disposal

SETA

security, education, training, awareness

Issue specific security policy (ISSP)

should address specific areas of technology, require frequent updating, state an organization's position on a specific issue

senior management, long-term goals, major decisions

strategic planning

security, short-term objectives, more concrete

tactical planning

Confidential

the most sensitive corporate information, must be tightly controlled even within the organization

tactical planning

the process of setting work standards and schedules necessary to implement the company's tactical objectives

strategic, tactical, operational

three levels of planning

purpose of security plans

to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements

having something that a competitor does not

what is competitive advantage
