Title of test:
info sec part1

Description:
INFO SEC TEST 1

Author:
AVATAR

Creation Date:
14/03/2021

Category:
Others

Number of questions: 117
Content:
The need to secure the physical location of computer technology from outside threats. A Computer security B Security C Communications security D Network security.
A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure. A Computer security B Security C Communications security D Network security.
The protection of all communications media, technology, and content. A Computer security B Security C Communications security D Network security.
A subset of communications security; the protection of voice and data networking components, connections, and content. A Computer security B Security C Communications security D Network security.
Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology. A information security B C.I.A. triad C Access D Asset.
The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability. A information security B C.I.A. triad C Access D Asset.
Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. A information security B C.I.A. triad C Access D Asset.
The organizational resource that is being protected. A information security B C.I.A. triad C Access D Asset.
An intentional or unintentional act that can damage or compromise information and the systems that support it. Attacks can be active or passive, intentional or unintentional, and direct or indirect. A Attack B A direct attack C Indirect attack D Control, safeguard, or countermeasure.
It is perpetrated by a hacker using a PC to break into a system. Direct attacks originate from the threat itself. A Attack B A direct attack C Indirect attack D Control, safeguard, or countermeasure.
It originates from a compromised system or resource that is malfunctioning or working under the control of a threat. A Attack B A direct attack C Indirect attack D Control, safeguard, or countermeasure.
Security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, and resolve vulnerabilities. A Attack B A direct attack C Indirect attack D Control, safeguard, or countermeasure.
A technique used to compromise a system. This term can be a verb or a noun. Threat agents may attempt to exploit a system or other information asset by using it illegally for their personal gain. A Exploit B Exposure C Loss D Risk.
A condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker. A Exploit B Exposure C Loss D Risk.
A single instance of an information asset suffering damage or destruction, unintended or unauthorized modification or disclosure, or denial of use. When an organization's information is stolen, it has suffered a loss. A Exploit B Exposure C Loss D Risk.
The probability of an unwanted occurrence, such as an adverse event or loss. A Exploit B Exposure C Loss D Risk.
Example: it can be compromised by an attack (object) and then used to attack other systems (subject). A Subjects and objects of attack B Threat C Threat agent D Threat event.
Any event or circumstance that has the potential to adversely affect operations and assets. A Subjects and objects of attack B Threat C Threat agent D Threat event.
The specific instance or a component of a threat. A Subjects and objects of attack B Threat C Threat agent D Threat event.
An occurrence of an event caused by a threat agent. A Subjects and objects of attack B Threat C Threat agent D Threat event.
A category of objects, people, or other entities that represent the origin of danger to an asset; in other words, it can be purposeful or undirected. A threat source of the undirected kind is known as "acts of God/acts of nature." A Threat source B Vulnerability C Accuracy D Authenticity.
A potential weakness in an asset or its defensive control system(s). Some examples of vulnerabilities are a flaw in a software package or an unprotected system. A Threat source B Vulnerability C Accuracy D Authenticity.
An attribute of information that describes how data is free of errors and has the value that the user expects. A Threat source B Vulnerability C Accuracy D Authenticity.
An attribute of information that describes how data is genuine or original rather than reproduced or fabricated. A Threat source B Vulnerability C Accuracy D Authenticity.
An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction. A Availability B Confidentiality C Integrity D Personally Identifiable Information (PII).
An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems. A Availability B Confidentiality C Integrity D Personally Identifiable Information (PII).
An attribute of information that describes how data is whole, complete, and uncorrupted. A Availability B Confidentiality C Integrity D Personally Identifiable Information (PII).
A set of information that could uniquely identify an individual. A Availability B Confidentiality C Integrity D Personally Identifiable Information (PII).
An attribute of information that describes how the data's ownership or control is legitimate or authorized. A Possession B Utility C Information System (IS) D Software.
An attribute of information that describes how data has value or usefulness for an end purpose. A Possession B Utility C Information System (IS) D Software.
The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization. Physical security: the protection of physical items, objects, or areas from unauthorized access and misuse. A Possession B Utility C Information System (IS) D Software.
It includes applications (programs), operating systems, and assorted command utilities. A Possession B Utility C Information System (IS) D Software.
It is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system. Physical security policies deal with hardware as a physical asset and with the protection of physical assets, such as locks and keys, from harm or theft. Example: passed it through the conveyor scanning devices. A Hardware B Data C People D Procedures.
Data stored, processed, and transmitted by a computer system must be protected. Data is often the most valuable asset of an organization and therefore is the main target of intentional attacks. Information was originally defined as data with meaning; we will use the term information to represent both unprocessed data and actual … A Hardware B Data C People D Procedures.
Though often overlooked in computer security considerations, people have always been a threat to information security. In the end, the Khan simply bribed the gatekeeper, and the rest is history. Whether this event actually occurred or not, the moral of the story is that people can be the weakest link in an organization's information security program. A Hardware B Data C People D Procedures.
They are written instructions for accomplishing a specific task. They should be disseminated among members of an organization on a need-to-know basis. A Hardware B Data C People D Procedures.
Networking is the IS component that created much of the need for increased computer and information security. When information systems are connected to each other to form LANs, and these LANs are connected to other networks such as the Internet, new security challenges rapidly emerge. However, when computer systems are networked, this approach (locks and keys) is no longer enough. Steps to provide network security, such as installing and configuring firewalls, are essential. A Networks B Balancing Information Security and Access C Bottom-up approach D Top-down approach.
Information security technologists and end users must recognize that both groups share the same overall goals of the organization: to ensure that data is available when, where, and how it is needed, with minimal delays or obstacles. A Networks B Balancing Information Security and Access C Bottom-up approach D Top-down approach.
A method of establishing security policies and/or practices that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems. A Networks B Balancing Information Security and Access C Bottom-up approach D Top-down approach.
A methodology of establishing security policies and/or practices that is initiated by upper management. It has a higher probability of success. A Networks B Balancing Information Security and Access C Bottom-up approach D Top-down approach.
A formal approach to solving a problem based on a structured sequence of procedures. A Methodology B Systems Development Life Cycle (SDLC) C Waterfall SDLC D DevOps SDLC.
A methodology for the design and implementation of an information system. The SDLC contains different phases depending on the methodology deployed, but generally the phases address the investigation, analysis, design, implementation, and maintenance of an information system. A Methodology B Systems Development Life Cycle (SDLC) C Waterfall SDLC D DevOps SDLC.
A type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments. A Methodology B Systems Development Life Cycle (SDLC) C Waterfall SDLC D DevOps SDLC.
A formal approach to solving a problem based on a structured sequence of procedures. It focuses on integrating the need for the development team to provide iterative and rapid improvements to system functionality and the need for the operations team to improve security and minimize the disruption from software release cycles. A Methodology B Systems Development Life Cycle (SDLC) C Waterfall SDLC D DevOps SDLC.
In the logical design phase, the information gained from the analysis phase is used to begin creating a systems solution for a business problem. A Logical Design B Implementation C Maintenance and Change D Software Assurance (SA).
In the implementation phase, any needed software is created. A Logical Design B Implementation C Maintenance and Change D Software Assurance (SA).
The maintenance and change phase is the longest and most expensive of the process. This phase consists of the tasks necessary to support and modify the system for the … A Logical Design B Implementation C Maintenance and Change D Software Assurance (SA).
A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. A Logical Design B Implementation C Maintenance and Change D Software Assurance (SA).
Keep the design as simple and small as possible. A Economy of mechanism B Fail-safe defaults C Complete mediation D Open design.
Base access decisions on permission rather than exclusion. A Economy of mechanism B Fail-safe defaults C Complete mediation D Open design.
Every access to every object must be checked for authority. A Economy of mechanism B Fail-safe defaults C Complete mediation D Open design.
The design should not be secret, but rather depend on the possession of keys or passwords. A Economy of mechanism B Fail-safe defaults C Complete mediation D Open design.
Where feasible, a protection mechanism should require two keys to unlock, rather than one. A Separation of privilege B Least privilege C Least common mechanism D Psychological acceptability.
Every program and every user of the system should operate using the least set of privileges necessary to complete the job. A Separation of privilege B Least privilege C Least common mechanism D Psychological acceptability.
Minimize mechanisms (or shared variables) common to more than one user and depended on by all users. A Separation of privilege B Least privilege C Least common mechanism D Psychological acceptability.
It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. A Separation of privilege B Least privilege C Least common mechanism D Psychological acceptability.
The CIO translates the strategic plans of the organization as a whole into strategic information plans for the information systems or data processing division of the organization. An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information. A chief information officer (CIO) B chief information security officer (CISO) C Project team D Champion.
Typically considered the top information security officer in an organization. A chief information officer (CIO) B chief information security officer (CISO) C Project team D Champion.
A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned. A chief information officer (CIO) B chief information security officer (CISO) C Project team D Champion.
A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization. A chief information officer (CIO) B chief information security officer (CISO) C Project team D Champion.
A project manager who may also be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements. A Team leader B Security policy developers C Risk assessment specialists D Security professionals.
People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies. A Team leader B Security policy developers C Risk assessment specialists D Security professionals.
People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used. A Team leader B Security policy developers C Risk assessment specialists D Security professionals.
Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and non-technical standpoint. A Team leader B Security policy developers C Risk assessment specialists D Security professionals.
People with the primary responsibility for administering systems that house the information used by the organization. A Systems administrators B End users C Data custodians D Security as Art.
Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls that do not disrupt the essential business activities they seek to safeguard. A Systems administrators B End users C Data custodians D Security as Art.
Individuals who work directly with data owners and are responsible for storage, maintenance, and protection of information. A Systems administrators B End users C Data custodians D Security as Art.
The administrators and technicians who implement security can be compared to a painter applying oils to the canvas. A touch of color here, a brushstroke there, just enough to represent the image the artist wants to convey without overwhelming the viewer, or in security terms, without overly restricting user access. A Systems administrators B End users C Data custodians D Security as Art.
Technology developed by computer scientists and engineers, which is designed for rigorous performance levels, makes information security science as well as an art. A Security as Science B Security as a Social Science C delete.
Social science examines the behavior of people as they interact with systems, whether they are societal systems or, as in this context, information systems. A Security as Science B Security as a Social Science C delete.
To protect the confidentiality of information, you can use several measures, including the following: A Information classification B A direct attack C Indirect attack D Control, safeguard, or countermeasure.
To protect the confidentiality of information, you can use several measures, including the following: A Exploit B Secure document storage C Loss D Risk.
To protect the confidentiality of information, you can use several measures, including the following: A Subjects and objects of attack B Threat C Application of general security policies D Threat event.
To protect the confidentiality of information, you can use several measures, including the following: A Threat source B Vulnerability C Accuracy D Education of information custodians and end users.
One way of detecting a virus or worm is to look for changes in file integrity, as shown by: A The file size B Confidentiality C Integrity D Personally Identifiable Information (PII).
One way of detecting a virus or worm is to look for changes in file integrity, as shown by: A Attack B File hashing C Indirect attack D Control, safeguard, or countermeasure.
The Secure Software Assurance (SwA) Common Body of Knowledge (CBK) examines two key questions: A Exploit B Exposure C What are the engineering activities or aspects of activities that are relevant to achieving secure software? D Risk.
The Secure Software Assurance (SwA) Common Body of Knowledge (CBK) examines two key questions: A Subjects and objects of attack B Threat C Threat agent D What knowledge is needed to perform these activities or aspects?
The SwA CBK, which is a work in progress, contains the following sections: A Nature of Dangers B Vulnerability C Accuracy D Authenticity.
The SwA CBK, which is a work in progress, contains the following sections: A Availability B Fundamental Concepts and Principles C Integrity D Personally Identifiable Information (PII).
The SwA CBK, which is a work in progress, contains the following sections: A Attack B A direct attack C Ethics, Law, and Governance D Control, safeguard, or countermeasure.
The SwA CBK, which is a work in progress, contains the following sections: A Exploit B Exposure C Loss D Secure Software Requirements.
The SwA CBK, which is a work in progress, contains the following sections: A Secure Software Design B Threat C Threat agent D Threat event.
The SwA CBK, which is a work in progress, contains the following sections: A Threat source B Secure Software Construction C Accuracy D Authenticity.
The SwA CBK, which is a work in progress, contains the following sections: A Availability B Confidentiality C Secure Software Verification, Validation, and Evaluation D Personally Identifiable Information (PII).
The SwA CBK, which is a work in progress, contains the following sections: A Attack B A direct attack C Indirect attack D Secure Software Tools and Methods.
The SwA CBK, which is a work in progress, contains the following sections: A Secure Software Processes B Exposure C Loss D Risk.
The SwA CBK, which is a work in progress, contains the following sections: A Subjects and objects of attack B Secure Software Project Management C Threat agent D Threat event.
The SwA CBK, which is a work in progress, contains the following sections: A Threat source B Vulnerability C Acquisition of Secure Software D Authenticity.
The SwA CBK, which is a work in progress, contains the following sections: A Availability B Confidentiality C Integrity D Project management & sustainment.
They carry the authority of a governing body. A laws B Ethics C Aggregate information D Information aggregation.
They are based on cultural mores. A laws B Ethics C Aggregate information D Information aggregation.
Collective data that relates to a group or category of people and that has been altered to remove characteristics or components that make it possible to identify individuals within the group. A laws B Ethics C Aggregate information D Information aggregation.
Pieces of nonprivate data that, when combined, may create information that violates privacy. Not to be confused with aggregate information. A laws B Ethics C Aggregate information D Information aggregation.
In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality. A Privacy B Association of Computing Machinery (ACM) C Federal Bureau of Investigation (FBI) D Payment Card Industry Data Security Standards (PCI DSS).
It is a respected professional society that was established in 1947 as "the world's first educational and scientific computing society." A Privacy B Association of Computing Machinery (ACM) C Federal Bureau of Investigation (FBI) D Payment Card Industry Data Security Standards (PCI DSS).
It investigates both traditional crimes and cybercrimes, and works with the U.S. … A Privacy B Association of Computing Machinery (ACM) C Federal Bureau of Investigation (FBI) D Payment Card Industry Data Security Standards (PCI DSS).
It is an organization that processes payment cards, such as credit cards, debit cards, ATM cards, stored-value cards, gift cards, or other related items. A Privacy B Association of Computing Machinery (ACM) C Federal Bureau of Investigation (FBI) D Payment Card Industry Data Security Standards (PCI DSS).
The desired end of a planning cycle. A goals B objectives C strategic plan D strategic planning.
The intermediate states obtained to achieve progress toward a goal or goals. A goals B objectives C strategic plan D strategic planning.
A plan for the organization's intended strategic efforts over the next several years. A goals B objectives C strategic plan D strategic planning.
The process of defining and specifying the long-term direction (strategy). A goals B objectives C strategic plan D strategic planning.
The process of tactical planning breaks each strategic goal into a series of incremental objectives. A Tactical planning B Policies C Standard D Practice.
They direct how issues should be addressed and how technologies should be used. A Tactical planning B Policies C Standard D Practice.
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. A Tactical planning B Policies C Standard D Practice.
Recommendations … A Tactical planning B Policies C Standard D Practice.
Recommendations the employee may use as a reference in complying with a policy. A guidelines B procedures C Comprehension (understanding) D Compliance (agreement).
Step-by-step instructions designed to assist employees in following policies and standards. Dissemination (distribution): the organization must be able to demonstrate that the policy has been made readily available for review by the employee (e.g., hard copy and electronic distribution). A guidelines B procedures C Comprehension (understanding) D Compliance (agreement).
The organization must be able to demonstrate that the employee understands the requirements and content of the policy (e.g., quizzes and other assessments). A guidelines B procedures C Comprehension (understanding) D Compliance (agreement).
The organization must be able to demonstrate that the employee agrees to comply with the policy through act or affirmation (e.g., logon banners, which require a specific action to acknowledge agreement). A guidelines B procedures C Comprehension (understanding) D Compliance (agreement).
An intermediate area between two networks designed to provide servers and firewall filtering between a trusted internal network and the outside, untrusted network. A demilitarized zone (DMZ) B proxy server C content filter D data loss prevention.
A server that exists to intercept requests for information from external users and provide the requested information by retrieving it from an internal server, thus protecting and minimizing the demand on internal servers. Some proxy servers are also cache servers. A demilitarized zone (DMZ) B proxy server C content filter D data loss prevention.
A software program or hardware/software appliance that allows administrators to restrict content that comes into or leaves a network; for example, restricting user access to Web sites with material that is not related to business, such as pornography or entertainment. A demilitarized zone (DMZ) B proxy server C content filter D data loss prevention.
A strategy to gain assurance that the users of a network do not send high-value information or other critical information outside the network. A demilitarized zone (DMZ) B proxy server C content filter D data loss prevention.
A private, secure network operated over a public and insecure network. A virtual private network (VPN) B In authentication factors: Something You Know C In authentication factors: Something You Have D In authentication factors: Something You Are or Can Produce.
This factor of authentication relies on what the unverified user or system knows and can recall, for example, a password, passphrase, or other unique authentication code such as a personal identification number (PIN). A virtual private network (VPN) B In authentication factors: Something You Know C In authentication factors: Something You Have D In authentication factors: Something You Are or Can Produce.
This authentication factor relies on something an unverified user or system has and can produce when necessary. A virtual private network (VPN) B In authentication factors: Something You Know C In authentication factors: Something You Have D In authentication factors: Something You Are or Can Produce.