Define Annualized Loss Expectancy
the cost of loss due to a risk over a year
Define Threat
a potentially negative occurrence
Define Vulnerability
a weakness in a system
Define Risk
a matched threat and vulnerability
Define Safeguard
a measure taken to reduce risk
Define Total Cost of Ownership (TCO)
the full cost of a safeguard, including purchase, deployment, and ongoing operation and maintenance
Define Return on Investment (ROI)
money saved by deploying a safeguard; positive when the safeguard's TCO is lower than the loss it prevents
What are the three elements of the CIA triad?
Confidentiality, Integrity and Availability
Define Confidentiality
seeks to prevent the unauthorized disclosure of information
Define Integrity
seeks to prevent the unauthorized modification of information
Define Availability
ensures that information is available when needed
What are the three opposites to the CIA triad aka DAD?
Disclosure, Alteration and Destruction
Define Disclosure
unauthorized disclosure of information
Define Alteration
unauthorized modification of data
Define Destruction
destroying a system or its data, making it unavailable
What does AAA stand for?
Authentication, Authorization and Accountability
Define Identification
a claim of identity, such as presenting a username; it associates an individual with an account but proves nothing by itself
Define Authentication
Proof of the identity claim
Define Authorization
Describes the actions you can perform on a system once you have identified and authenticated
Define Accountability
Holds user accountable for their actions
Define Nonrepudiation
a user cannot deny (repudiate) having performed a transaction
Nonrepudiation combines what two things?
authentication and integrity
Define Least privilege
user should be granted the minimum amount of access (authorization) required to do their jobs, but no more
Define Need to know
More granular than least privilege; user must need to know that specific piece of information before accessing it
Define Defense-in-depth
applies multiple, layered safeguards to protect an asset so that the failure of one control does not expose it
Define Assets
valuable resources you are trying to protect
Equation - Risk = ? x ? [ x ?]
Risk = Threat x Vulnerability [ x Impact], where each factor is rated from 1 to 5: 5 being a huge impact and 1 being very little
Risk Analysis Matrix Comes from what document?
AS/NZS 4360 - The Australia/New Zealand 4360 Standard on Risk Management. Qualitative.
Define Asset Value (AV)
The value of the asset you are trying to protect
Define Exposure Factor (EF)
percentage of an asset's value lost due to a single incident
Define Single Loss Expectancy (SLE)
Cost of a single loss. AV x EF
Define Annual Rate of Occurrence (ARO)
number of losses you suffer per year (may be less than 1, e.g., 0.1 for once every ten years)
What is the formula for Annualized Loss Expectancy (ALE)
ALE = SLE x ARO
What are the four risk Choices after calculation
Accept the risk, mitigate or eliminate the risk, transfer the risk or avoid the risk
Explain Accept the risk
Accept the risk instead of taking the time, effort and money to fix it
Explain Mitigate or eliminate the risk
Lower the risk to an acceptable level or eliminate the risk
Explain Transfer the risk
Hand the risk off to a different group or company, for example by purchasing insurance or outsourcing the function
Explain Risk avoidance
Avoid projects if needed that are too risky
Define Quantitative Risk Analysis
uses hard metrics such as dollars (objective)
Define Qualitative Risk Analysis
uses simple approximate values (subjective)
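The risk formulas from the cards above, worked through in code. This is an added example, not part of the original flashcards: it implements the qualitative matrix (Risk = Threat x Vulnerability x Impact on a 1-5 scale) and the quantitative chain SLE = AV x EF, ALE = SLE x ARO, and ROI = ALE saved minus TCO, then maps the ROI onto the mitigate/accept decision. Every figure in it (the asset value, exposure factors, rates of occurrence and safeguard costs) is a constructed assumption, not measured data.

```python
"""Risk calculations from the flashcards above, worked through in code.

Added example; not part of the original flashcards. All numbers below are
constructed for illustration: asset values, exposure factors, rates of
occurrence and safeguard costs are assumptions, not measured data.
"""
from dataclasses import dataclass


# --- Qualitative: Risk = Threat x Vulnerability x Impact, each rated 1-5 ---

def qualitative_risk(threat: int, vulnerability: int, impact: int) -> int:
    """Risk matrix score; each factor is a 1-5 rating, so the score ranges 1-125."""
    for name, value in (("threat", threat), ("vulnerability", vulnerability), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be rated 1-5, got {value}")
    return threat * vulnerability * impact


def rank_risks(risks: dict[str, tuple[int, int, int]]) -> list[tuple[str, int]]:
    """Order named risks by score, highest first, to decide which to treat first."""
    scored = [(name, qualitative_risk(*ratings)) for name, ratings in risks.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# --- Quantitative: SLE = AV x EF, ALE = SLE x ARO, ROI = ALE saved - TCO ---

@dataclass(frozen=True)
class Scenario:
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per incident (0.0-1.0)
    aro: float               # ARO, expected incidents per year (0.1 = once per decade)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected cost per year."""
        return self.sle() * self.aro


def safeguard_roi(before: Scenario, after: Scenario, tco: float) -> float:
    """Annual ROI of a safeguard: the ALE it removes minus its annual TCO."""
    return before.ale() - after.ale() - tco


def recommend(before: Scenario, after: Scenario, tco: float) -> str:
    """Map the ROI onto the risk choices: mitigate if the safeguard pays for
    itself, otherwise accept (or look at transfer/avoidance instead)."""
    return "mitigate" if safeguard_roi(before, after, tco) > 0 else "accept"


# Constructed scenario (assumed figures): a web server worth $100,000. Without
# the safeguard an outage destroys 40% of its value about once every two years.
BASELINE = Scenario(asset_value=100_000, exposure_factor=0.40, aro=0.5)
# With assumed backups and monitoring, losses drop to 10% once a decade.
WITH_SAFEGUARD = Scenario(asset_value=100_000, exposure_factor=0.10, aro=0.1)

if __name__ == "__main__":
    print(f"SLE before: ${BASELINE.sle():,.0f}, ALE before: ${BASELINE.ale():,.0f}")
    print(f"ALE after:  ${WITH_SAFEGUARD.ale():,.0f}")
    for tco in (8_000, 25_000):  # a cheap and an overpriced safeguard
        roi = safeguard_roi(BASELINE, WITH_SAFEGUARD, tco)
        print(f"TCO ${tco:,}: ROI ${roi:,.0f} -> {recommend(BASELINE, WITH_SAFEGUARD, tco)}")
    print(rank_risks({"ransomware": (4, 3, 5), "defacement": (3, 4, 2), "flood": (1, 5, 5)}))
```

With the assumed figures the baseline ALE is $20,000 and the safeguard cuts it to $1,000, so an $8,000/year safeguard returns $11,000 a year (mitigate), while a $25,000/year one loses $6,000 a year and the risk is better accepted or transferred. The qualitative ranking puts ransomware (60) ahead of flood (25) and defacement (24), which is the only use of the matrix: prioritisation, not a dollar figure.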
What is the order of the Risk Management Process
1. System Characterization 2. Threat Identification 3. Vulnerability Identification 4. Control Analysis 5. Likelihood Determination 6. Impact Analysis 7. Risk Determination 8. Control Recommendations 9. Results Documentation
Define Policy
High-level management directives
Is a policy mandatory or discretionary?
All policies should contain which basic components?
Purpose, Scope, Responsibilities, and Compliance
Which NIST Special Publication lists the Policy Types?
What are the three types of policy?
program, issue-specific and system-specific
Describe Program policy
It is used to create an organization's computer security program
Describe Issue-specific policies
Address specific issues of concern to the organization
Describe System-specific policies
Focus on decisions taken by management to protect a particular system
What is a procedure
Step-by-step guide for accomplishing a task
