Uniform enforcement (fairness in application): The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.
Information security policy: Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
Access control list (ACL): Specifications of authorization that govern the rights and privileges of users to a particular information asset.
Access control matrix: An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings.

Capabilities table: Lattice-based access control with rows of attributes associated with a particular subject (such as a user).
Configuration rule policies: Configuring firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers uses specific configuration scripts that represent the configuration rule policy.
Information security blueprint: A framework or security model customized to an organization, including implementation details.
Information security framework: A specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls.

Spheres of Security: It illustrates how information is under attack from a variety of sources. It illustrates the ways in which people access information.
Design of Security Architecture (Layers PPT): It is designed and implemented through policies, people (education, training, and awareness programs), and technology.
Defense in depth: A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
Managerial controls: Information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration. These safeguards include governance and risk management.

Operational controls: Information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.
Technical controls: Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.
Security Education, Training, and Awareness (SETA) program: A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization's employees.
Business continuity plan (BC plan): The documented product of business continuity planning. It occurs concurrently with the DR plan when the damage is major or ongoing.

Business continuity planning (BCP): The actions taken to develop and implement the BC policy.
Business resumption planning (BRP): The actions taken to implement a combined DR and BC policy and plan.
Contingency planning (CP): The actions taken to prepare for incident response, disaster recovery, and business continuity efforts, as well as the preparatory business impact analysis. It includes incident response planning (IRP), disaster recovery planning (DRP), and business continuity planning (BCP).
Contingency planning management team (CPMT): It leads all CP efforts.

Disaster recovery plan (DR plan): The documented product. It focuses on restoring systems.
Disaster recovery planning (DRP): The actions taken.
Incident response plan (IR plan): The documented product. It focuses on immediate response, but if the attack is there
Business impact analysis (BIA): An investigation and assessment of the various adverse events that can affect the organization. The BIA attempts to answer the question, "How will it affect us?"

Maximum tolerable downtime (MTD): The total amount of time the system owner or authorizing official is willing to accept for a mission/business process outage or disruption, including all impact considerations.
Recovery point objective (RPO): The point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage (given the most recent backup copy of the data).
Recovery time objective (RTO): The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.
Work recovery time (WRT): The amount of effort (expressed as elapsed time) necessary to make the business function operational after the technology element is recovered (as identified with RTO). Tasks include testing and validation of the system.

Business impact analysis stage 1: It is important to collect critical information about each business unit before prioritizing the business units.
Business impact analysis stage 2: Identify resource requirements. Once the organization has created a prioritized list of its mission and business processes, it needs to determine which resources would be required to recover those processes and associated assets.
Business impact analysis stage 3: Identify recovery priorities for system resources. To do so, it needs to understand the information assets used by those processes.
Incident classification: The process of examining an incident candidate and determining whether it constitutes an actual incident (both host-based and network-based).

Loss of availability: Information or information systems become unavailable.
Loss of integrity: Users report corrupt data files, garbage where data should be, or data that looks wrong.
Loss of confidentiality: You are notified of sensitive information leaks or informed that information you thought was protected has been disclosed.
Violation of policy: Organizational policies that address information or information security have been violated.

Violation of law: The law has been broken, and the organization's information assets are involved.
Alert message: A scripted description of the incident that usually contains just enough information so that each person knows what portion of the IR plan to implement without slowing down the notification process.
Alert roster: A document that contains contact information for people to be notified in the event of an incident.
After-action review: A detailed examination and discussion of the events that occurred, from first detection to final recovery.

Computer forensics: The process of collecting, analyzing, and preserving computer-related evidence.
Evidence: A physical object or documented information entered into a legal proceeding that proves an action occurred or identifies the intent of a perpetrator.
Software as a Service (SaaS): A model in which applications are provided for a fee but hosted on third-party systems and accessed over the Internet and the Web.
Platform as a Service (PaaS): A model in which development platforms are available to developers for a fee and are hosted by third parties.

Infrastructure as a Service (IaaS): Informally known as Everything as a Service; it provides hardware and operating system resources to host whatever the organization wants to implement. Again, the service is hosted by a third party for a fee.
Disaster Recovery as a Service (DRaaS): One of the newest options available as a specialized disaster recovery
Differential backup: The duplication of all files that have changed or been added since the last full backup.
Full backup: The duplication of all files for an entire system, including all applications, operating system components, and data.

Incremental backup: The duplication of only the files that have been modified since the previous incremental backup.
Disk duplexing: An approach to disk mirroring in which each drive has its own controller to provide additional redundancy.
Disk mirroring (L1): The computer records all data to twin drives simultaneously, providing a backup if the primary drive fails.
Disk striping (L0): One logical volume is created by storing data across several available hard drives in segments called stripes.

Hot swap: A hard drive feature that allows individual drives to be replaced without powering down the entire system and without causing a fault during the replacement.
Redundant array of independent disks (RAID): A system of drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure.
Server fault tolerance: A level of redundancy provided by mirroring entire servers to provide redundant capacity for services.
Cold site: A facility that provides only rudimentary services, with no computer hardware or peripherals.

Database shadowing: A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server.
Hot site: A fully configured computing facility that includes all services, communications links, and physical plant operations.
Warm site: A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications.

Competitive advantage: The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition.
Risk assessment: A determination of the extent to which an organization's information assets are exposed to risk.
Risk control: The application of controls that reduce the risks to an organization's information assets to an acceptable level.
Risk identification: The recognition, enumeration, and documentation of risks to an organization's information assets.

Risk management: The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level.
Residual risk: The risk to information assets that remains even after current controls have been applied.
Asset identification - People: Position name, number, or ID (avoid using people's names and stick to identifying positions, roles, or functions), supervisor, security clearance level, special skills.
Asset identification - Procedures: Description, intended purpose, relationship to software, hardware, and networking elements, storage location for reference, storage location for update.

Asset identification - Data: Classification, owner, creator, and manager, the size of the data structure, data structure used (sequential or relational), online or offline, location, backup procedures employed.
Name: Make sure that the names you choose are meaningful to all the groups that use the information. You should adopt naming standards that do not convey information to potential system attackers.
IP address: This can be a useful identifier for network devices and servers, but it does not usually apply to software. You can, however, use a relational database to track software instances on specific servers or networking devices.
Media access control (MAC) address: Sometimes called electronic serial numbers or hardware addresses.

Element type: For hardware, you can develop a list of element types, such as servers, desktops, networking devices, or test equipment. For software elements, you may develop a list of types that includes operating systems, custom applications by type (accounting, HR, or payroll, for example), packaged applications, and specialty applications, such as firewall programs.
Physical location: This information falls under asset inventory, which can be performed once the identification process is started.
Logical location: The logical location is most useful for networking devices and indicates the logical network where the device is connected.
Threats-vulnerabilities-assets (TVA) triples: A pairing of an asset with a threat and identification of the vulnerabilities that exist between the two.

Loss frequency = likelihood x attack success probability
Loss magnitude = asset value x probable loss
Single loss expectancy (SLE) = exposure factor (EF) x asset value (AV)
Annualized loss expectancy (ALE) = single loss expectancy (SLE) x annualized rate of occurrence (ARO)

Attack success probability: The number of successful attacks that are expected to occur within a specified time period.
Likelihood: The probability that a specific vulnerability within an organization will be the target of an attack.
Loss frequency: The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range.
Transference risk control strategy: It attempts to shift risk to other assets, other processes, or other organizations.

Acceptance: It indicates the organization is willing to accept the current level of risk.
Termination risk control strategy: It eliminates all risk associated with an information asset by removing it from service or handling decision points.
Access control: The selective method by which systems specify who may use a particular resource and how they may use it.
Access control list (ACL): Specifications of authorization that govern the rights and privileges of users to a particular information asset.

Attribute-based access control (ABAC): An access control approach whereby the organization specifies the use of objects based on some attribute of the user or system.
Capabilities table: In lattice-based access control, the row of attributes associated with a particular subject (such as a user).
Discretionary access controls (DACs): Access controls that are implemented at the discretion or option of the data user.
Lattice-based access control (LBAC): A variation on the MAC form of access control, which assigns users a matrix of authorizations for particular areas of access, incorporating the information assets of subjects such as users and objects.

Mandatory access control (MAC): A required, structured data classification scheme that rates each collection of information as well as each user.
Nondiscretionary access controls (NDACs): They are implemented by a central authority.
Role-based access control (RBAC): An example of a nondiscretionary control where privileges are tied to the role a user performs in an organization, and are inherited when a user is assigned to that role.
Task-based access control (TBAC): An example of a nondiscretionary control where privileges are tied to a task a user performs in an organization, and are inherited when a user is assigned to that task.

Access control matrix: An integration of access control lists (focusing on assets) and capabilities tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings.
Accountability: The access control mechanism that ensures all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity. Also known as auditability.
Authentication: The access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity.
Authorization: The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.

Access control: It is the method by which systems determine whether and how to admit a user into a trusted area of the organization, that is, information systems, restricted areas such as computer rooms, and the entire physical location.
Dumb card: An authentication card that contains digital user data, such as a personal identification number (PIN), against which user input is compared.
Identification: The access control mechanism whereby unverified or unauthenticated entities who seek access to a resource provide a label by which they are known to the system.
Passphrase: A plain-language phrase, typically longer than a password, from which a virtual password is derived.

Password: A secret word or combination of characters that only the user should know; a password is used to authenticate the user.
Smart card: An authentication component similar to a dumb card that contains a computer chip to verify and validate several pieces of information instead of just a PIN.
Biometric access control: The use of physiological characteristics to provide authentication for a provided identification.
Minutiae: In biometric access controls, unique points of reference that are digitized and stored in an encrypted format when the user's system access credentials are created.

Address restrictions: Firewall rules designed to prohibit packets with certain addresses or partial addresses from passing through the device.
Dynamic packet-filtering firewall: A firewall type that can react to network traffic and create or modify configuration rules to adapt.
Firewall: In information security, a combination of hardware and software that filters or prevents specific information from moving between the outside network and the inside network.
Application layer proxy firewall: A device capable of functioning both as a firewall and an application layer proxy server.

Authentication factors - Something You Are or Can Produce: This relies on individual characteristics, such as fingerprints or palm prints.