What are the differences between a policy a standard and a practice quizlet?


Terms in this set (73)

threat agent

the facilitator of an attack

threat

a category of objects, people, or other entities that represents a potential danger to an asset. They are always present

vulnerability

a weakness or fault in a system or protection mechanism that opens it to attack or damage

exposure

a condition or state of being exposed. this exists when a vulnerability is known to an attacker

What are the three components of the C.I.A. triangle?

confidentiality, integrity, availability

confidentiality

assurance that information is shared only among authorized people or organizations

integrity

assurance that the information is complete and uncorrupted

availability

assurance that information systems and the necessary data are available for use when needed

Why is the top-down approach to information security superior to the bottom-up approach?

has a higher probability of success; has strong upper management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means of influencing organizational culture

Which members of an organization are involved in the security systems development life cycle? Who leads the process?

upper management: initiation and control

responsible managers, contractors, and employees: execution

led by a senior executive (the champion)

Who is ultimately responsible for the security of information in the organization?

CISO

Who decides how and when data in an organization will be used or controlled? Who is responsible for seeing that these decisions are carried out?

data owners (responsible for security and use of information), data custodians (work directly with data owners and are responsible for the storage,maintenance, and protection of information), data users (end users who work with the information to perform their daily jobs and support the mission of the organization)

Why is data the most important asset an organization possesses?

Without data, an organization will lose its record of transactions and its ability to deliver value to customers.

information extortion

When an attacker can control access to an asset, it can be held hostage to the attacker's demands.

Why are employees one of the greatest threats to information security?

they are the people closest to the organization's data and they have access to it. Employee mistakes can easily lead to the revelation of classified data, entry of erroneous data, accidental data deletion or modification, storage of data in unprotected areas, and failure to protect information.

What is the difference between a skilled hacker and an unskilled hacker, other than skill levels?

An expert (skilled) hacker develops the scripts and exploit code that target relatively unknown vulnerabilities and is typically a master of several programming languages and operating systems.

An unskilled hacker uses scripts and code written by skilled hackers, rarely writes their own tools, and has little skill in programming languages.

What are the various types of malware?

viruses, worms, trojan horses, logic bombs, and back doors

How do worms differ from viruses?

virus- code that attaches itself to another program and relies on that host program being run in order to execute and spread
worms- malicious programs that replicate themselves constantly on their own, without requiring another program to provide a host environment for replication

Do Trojan horses carry viruses or worms?

once a trusting user executes a Trojan horse program, it unleashes viruses or worms to the local workstation and the network as a whole.

Why does polymorphism cause greater concern than traditional malware? How does it affect detection?

makes malicious code more difficult to detect because the code changes over time (each copy is rewritten or re-encrypted) while its behavior stays the same; detection that looks for a fixed signature misses the new variants

How is technological obsolescence a threat to information security?

by management's potential lack of planning and failure to anticipate the technology needed for evolving business requirements. It occurs when infrastructure becomes outdated, and leads to unreliable and untrustworthy systems

What are the types of password attacks? What can a systems administrator do to protect against them?

password crack, brute force, dictionary

system administrator can:
• Implement controls that limit the number of attempts allowed.
• Use a "disallow" list of passwords from a similar dictionary.
• Require use of additional numbers and special characters in passwords.

password crack

Attempting to recover a password from its stored hash is called "cracking." A hash is one-way, so it cannot be reversed; instead, the attack is used when a copy of the credential store, such as the Windows Security Account Manager (SAM) file, can be obtained. Candidate passwords are run through the same hashing algorithm and the results are compared with the stored hashes; a match reveals the actual password.

brute force

The application of computing and network resources to try every possible combination of options for a password.

dictionary

A form of brute force for guessing passwords. The dictionary attack selects specific accounts and uses a list of common passwords to make guesses.
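The three attacks above and the administrator controls listed with them, as an added worked example in Python (not from the flashcard set or its textbook). Assumptions: the credential store holds salted SHA-256 hashes rather than the Windows SAM/NT-hash format, the credential dump and wordlist are constructed here, and the names `dictionary_attack`, `brute_force_attack`, `password_is_acceptable` and `LoginGuard` are the example's own.

```python
"""Password attacks (dictionary, brute force) against a dumped credential store,
and the administrator controls that blunt them. Added example: assumed hash
format, constructed data."""
import hashlib
import hmac
import itertools
from collections import defaultdict
from typing import Optional


# Assumption: credentials are stored as salted SHA-256 hashes, not in the
# Windows SAM / NT-hash format the card mentions; the cracking logic is identical.
def hash_password(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed "dump": what an attacker holds after copying the credential store.
# Hashes are one-way, so the passwords themselves are not in it.
SALT = b"constructed-salt"
DUMPED_HASHES = {
    "alice": hash_password("Summer2019", SALT),
    "bob": hash_password("zq7", SALT),
}

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "Summer2019", "Welcome1", "qwerty"]


def dictionary_attack(target_hash: str, salt: bytes, wordlist) -> Optional[str]:
    """Hash each candidate and compare; nothing is 'reversed', only matched."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_password(candidate, salt), target_hash):
            return candidate
    return None


def brute_force_attack(target_hash: str, salt: bytes, alphabet: str,
                       max_len: int) -> Optional[str]:
    """Try every string over alphabet up to max_len; cost grows as |alphabet|**len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hmac.compare_digest(hash_password(candidate, salt), target_hash):
                return candidate
    return None


# ---- administrator side ------------------------------------------------------
DISALLOWED = {w.lower() for w in WORDLIST}   # the attacker's dictionary as a deny list


def password_is_acceptable(password: str, min_len: int = 12) -> bool:
    """Reject dictionary words and short passwords; require a digit and a special char."""
    if len(password) < min_len or password.lower() in DISALLOWED:
        return False
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return has_digit and has_special


class LoginGuard:
    """Online guessing control: lock the account after max_attempts failures."""

    def __init__(self, hashes: dict, salt: bytes, max_attempts: int = 5):
        self.hashes, self.salt, self.max_attempts = hashes, salt, max_attempts
        self.failures = defaultdict(int)

    def attempt(self, user: str, password: str) -> str:
        if self.failures[user] >= self.max_attempts:
            return "locked"
        stored = self.hashes.get(user)
        if stored and hmac.compare_digest(hash_password(password, self.salt), stored):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "locked" if self.failures[user] >= self.max_attempts else "denied"


if __name__ == "__main__":
    print("alice via dictionary:", dictionary_attack(DUMPED_HASHES["alice"], SALT, WORDLIST))
    print("bob via brute force:", brute_force_attack(
        DUMPED_HASHES["bob"], SALT, "abcdefghijklmnopqrstuvwxyz0123456789", 3))
```

The offline attacks run against the dump without the server's attempt limit, which is why the disallow list and complexity rule matter: they keep passwords out of the region a dictionary or a short brute-force search covers. The attempt limit only helps against online guessing through `LoginGuard.attempt`.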

What is the difference between a denial-of-service attack and a distributed denial-of-service attack? Which is more dangerous? Why?

DoS-occurs when an attacker sends a large number of connection or information requests to a target
DDoS-occurs when a coordinated stream of requests is launched against a target from many locations at the same time
DDoS is more dangerous because it is much harder to defend against: the traffic arrives from many compromised hosts at once, so blocking a single source does not stop it, and there are few controls any single organization can apply on its own

What is a buffer overflow, and how is it used against a Web server?

occurs when more data is sent to a buffer than it was allocated to hold, so the excess overwrites adjacent memory; against a Web server, an attacker sends an oversized request element (for example an overly long URL or header) to server code that does not check input length, which can crash the server or, if the overflow is carefully crafted, cause it to execute the attacker's code

What is the difference between law and ethics?

laws- rules that mandate or prohibit certain behavior in society (have a governing authority, ethics do not)
ethics- define socially acceptable behavior

Which law amended the Computer Fraud and Abuse Act of 1986, and what did it change?

National Information Infrastructure Protection Act of 1996; modified several sections of the CFAA and increased the penalties for selected crimes

What is privacy in an information security context?

a "state of being free from unsanctioned intrusion"

What is the primary purpose of the USA PATRIOT Act?

in 2001, modified a wide range of existing laws to provide law enforcement agencies with broader latitude to combat terrorism-related activities

How has the PATRIOT Act been revised since its original passage?

in 2011,the PATRIOT Sunset Extension Act of 2011 was signed into law to extend certain provisions of the USA PATRIOT Act. These provisions covered wiretaps, searching of business records, and surveillance of people with suspected ties to terrorism.

What is due care? Why should an organization make sure to exercise due care in its usual course of operations?

has been taken when an organization makes sure that every employee knows what is acceptable or unacceptable behavior, and knows the consequences of illegal or unethical actions.; The more active an organization is in exercising due care, the less likely it will be held liable for its employees' illegal or unethical actions.

How is due diligence different from due care? Why are both important?

Due diligence requires that an organization make a valid effort to protect others and continually maintain this level of effort; important to decrease its chances of being found liable if an incident occurs

What is a policy? How is it different from a law?

A policy is a formalized body of expectations that describe acceptable and unacceptable employee behavior in the workplace. The difference between a policy and a law is that ignorance of a policy is an acceptable defense, so a policy can only be enforced once it has been distributed to, read, understood, and agreed to by the employees it covers.

How can a security framework assist in the design and implementation of a security infrastructure? What is information security governance? Who in the organization should plan for it?

pg 5 ch 4 1

Briefly describe management, operational, and technical controls

• Management controls cover security processes that are designed by strategic planners and implemented by an organization's security administration.
• Operational controls deal with the functionality of security in the organization, including disaster recovery and incident response planning.
• Technical controls address tactical and technical issues related to designing and implementing security in the organization, as well as issues related to examining and selecting appropriate technologies for protecting information.

What are the differences between a policy, a standard, and a practice? What are the three types of security policies?

• A policy is a plan or course of action intended to influence and determine decisions, actions, and other matters. Policies function like laws within an organization because they dictate acceptable and unacceptable behavior within the context of the organization's culture.
• A standard has the same requirement for compliance as a policy, but a standard provides more detail about what must be done to comply with the policy. The level of acceptance for standards may be informal (de facto standards) or formal (de jure standards).
• Practices, procedures, and guidelines explain how to comply with policy: procedures are step-by-step instructions, guidelines are recommendations.
• The three types of security policies are the enterprise information security policy (EISP), issue-specific security policies (ISSP), and system-specific security policies (SysSP).

Who is ultimately responsible for managing a technology?

senior management

Contingency planning

all planning conducted by the organization to prepare for, react to, and recover from events that threaten its security of information and information assets
three types: incident response plans, disaster recovery plans, and business continuity plans

When is IR plan used?

covers the identification, classification, response to, and recovery from an incident. The plan should be used when an incident in progress is first detected by an organization.

When is DR plan used?

addresses preparations for and recovery from a disaster, whether natural or man-made. The plan is used before a disaster in preparation for its occurrence, and then afterward to rebuild and recover the organization's functionality.

When is the BC plan used?

will be needed if a disaster has rendered the current location of the business unusable for continued operation. BCP outlines the reestablishment of critical business operations during a disaster that affects operations at the primary site.

How do you determine when to use the IR, DR, and BC plans?

An incident response plan is used as soon as an incident in progress has been identified. An attack is identified as an incident if:
1. It is directed against information assets.
2. It has a realistic chance of success.
3. It could threaten the confidentiality, integrity, or availability of information resources.

A disaster recovery plan is used if an incident escalates or is disastrous. The plan typically focuses on restoring systems at the original site after a disaster occurs.

A business continuity plan is used concurrently with the disaster recovery plan when the damage is major, creates long-term consequences, or requires more than simple restoration of information and information resources.

Containment

the process of determining which systems have been attacked and removing their ability to attack uncompromised systems.

hot site

fully configured computer facility with all services, communications links, and physical plant operations, including heating and air conditioning.

warm site

provides many of the same services and options as a hot site. However, it typically does not include the actual applications the company needs, or the applications may not yet be installed and configured.

cold site

provides only rudimentary services and facilities. No computer hardware or peripherals are provided. All communications services must be installed after the site is occupied.

time-share

is a hot, warm, or cold site that is leased in conjunction with a business partner or sister organization. The time-share allows the organization to maintain a disaster recovery and business continuity option at a reduced overall cost. The time-share has the same advantages as the type of site selected (hot, warm, or cold). The primary disadvantage is the possibility that more than one organization involved in the time-share may need the facility simultaneously

service bureau

an agency that provides a service for a fee. In the case of disaster recovery and continuity planning, the service is the agreement to provide physical facilities during and after a disaster. These types of agencies also frequently provide off-site data storage for a fee. Contracts can be carefully created with service bureaus to specify exactly what the organization needs without having to reserve dedicated facilities.

mutual agreement

is a contract between two or more organizations that specifies how each will assist the other in the event of a disaster. It stipulates that each organization is obligated to provide necessary facilities, resources, and services until the receiving organization can recover from the disaster.

risk management

the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components in those systems.

Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management?

all three communities of interest (general management, IT, and information security) share responsibility for risk management; the information security community usually takes the lead

What are vulnerabilities? How do you identify them?

specific avenues that threat agents can exploit to attack an information asset; they are flaws or weaknesses in an information asset or its protection mechanisms. They are identified by examining each information asset against each threat it faces and listing the concrete ways that threat could be realized against the asset; the resulting threat-vulnerability-asset pairs are the input to risk assessment.

What five strategies for controlling risk

• The defense control strategy attempts to prevent the exploitation of vulnerabilities.
• The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations.
• The mitigation control strategy attempts to reduce the impact of exploited vulnerabilities through planning and preparation.
• The acceptance control strategy is the choice to do nothing to protect against a vulnerability and accept the outcome of its exploitation; it should be adopted only after the risk has been assessed and the cost of controls has been found to exceed the expected loss.
• The termination control strategy directs the organization to avoid business activities that introduce uncontrollable risks.

Describe the defense strategy for controlling risk. List and describe the three common methods.

attempts to prevent the exploitation of vulnerabilities
• Application of policy
• Education and training
• Application of technology

Describe the transfer strategy for controlling risk.

the control approach that attempts to shift risk to other assets, other processes, or other organizations. These controls may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.

Describe the mitigation strategy for controlling risk.

the control approach that attempts to reduce the impact of exploited vulnerabilities through planning and preparation. Mitigation begins with the early detection of an attack in progress and the organization's ability to respond quickly, efficiently, and effectively.
(IR, DR, BC)

How is an incident response plan different from a disaster recovery plan?

The disaster recovery plan focuses on preparations completed before a disaster or escalated incident and actions taken afterward to reestablish operations at the primary site. The incident response plan focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions taken while an incident is occurring.

risk appetite

defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

cost-benefit analysis

the formal decision-making process an organization uses to evaluate whether the benefit gained from a given project is worth the expense.

single loss expectancy

the value associated with the most likely loss from a single occurrence of an attack. It is calculated from the asset's value and the expected percentage of loss from one occurrence of that attack: SLE = asset value (AV) x exposure factor (EF). Multiplying SLE by the annualized rate of occurrence (ARO) gives the annualized loss expectancy (ALE).

residual risk

When vulnerabilities have been controlled as much as possible, any remaining risk that has not been removed, shifted, or planned for

What is the typical relationship among the untrusted network, the firewall, and the trusted network?

The untrusted network is usually the Internet or another segment of a public access network, while the trusted network is typically a privately owned network. The firewall serves as a mechanism to filter traffic from the untrusted network into the trusted network to foster assurance that the traffic is legitimate.

How is an application layer firewall different from a packet-filtering firewall?

The application layer firewall takes into consideration the nature of the applications that are being run, including the type and timing of the network connection requests as well as the type and nature of the traffic that is generated. The packet-filtering firewall simply examines the header of each packet (source and destination addresses, port numbers, protocol) as it is transferred and allows or drops it against a rule set, without understanding the application data it carries.

How is static filtering different from dynamic filtering of packets?

Static filtering requires that the firewall's packet filtering rules are developed and installed with the firewall. This type of filtering is common in network routers and gateways. Dynamic filtering allows the firewall to react to an emergent event and update or create rules to deal with it. This reaction could be positive, as in allowing an internal user to engage in a specific activity upon request, or it could be negative, as in dropping all packets from a particular address when the system detects an increased presence of a particular type of malformed packet.

What is stateful inspection?

a stateful inspection (stateful packet filtering) firewall keeps track of each network connection between internal and external systems using a state table. Inbound packets are allowed through if they belong to a connection already recorded in the table (for example, the reply to a request an internal host made); a packet that matches no entry is checked against the firewall's static rules and otherwise dropped.
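Static rules, a state table, and a dynamic block rule as described in the two cards above, as an added example in Python (not part of the flashcard set or its textbook). Assumptions: the trusted network is 10.0.0.0/24, a web server at 10.0.0.80 is the only service statically allowed from outside, packets are constructed in-memory records rather than captured traffic, and the class and method names are the example's own.

```python
"""Packet filtering: static rules, a stateful connection table and a dynamic
block rule. Added example: assumed addresses and names, constructed packets."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (no payload)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    malformed: bool = False   # stands in for a failed header sanity check


TRUSTED_PREFIX = "10.0.0."    # assumption: trusted network is 10.0.0.0/24


def is_trusted(ip: str) -> bool:
    return ip.startswith(TRUSTED_PREFIX)


class StatefulFilter:
    def __init__(self, malformed_threshold: int = 3):
        # Static filtering: rules installed with the firewall and not changed at
        # run time. Here: (proto, dst, dport) reachable from the untrusted side.
        self.static_allow_in = {("tcp", "10.0.0.80", 80)}   # assumed web server
        # Stateful inspection: 5-tuples of connections the trusted side opened.
        self.state = set()
        # Dynamic filtering: rules created in reaction to an observed event.
        self.blocked = set()
        self.malformed_count = defaultdict(int)
        self.threshold = malformed_threshold

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        """The state-table entry that a reply to p would have to match."""
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        """Return the decision for one packet as 'allow:<why>' or 'drop:<why>'."""
        if p.src in self.blocked:
            return "drop:blocked"                      # dynamic rule in effect
        if p.malformed:
            self.malformed_count[p.src] += 1
            if self.malformed_count[p.src] >= self.threshold:
                self.blocked.add(p.src)                # create a dynamic rule
                return "drop:malformed+block"
            return "drop:malformed"
        if is_trusted(p.src):
            self.state.add(self._key(p))               # outbound: record it
            return "allow:outbound"
        if self._reverse(p) in self.state:
            return "allow:established"                 # reply to a recorded connection
        if (p.proto, p.dst, p.dport) in self.static_allow_in:
            return "allow:static"
        return "drop:no-state"                         # unsolicited inbound


if __name__ == "__main__":
    fw = StatefulFilter(malformed_threshold=2)
    print(fw.process(Packet("10.0.0.5", 51000, "93.184.216.34", 443)))   # allow:outbound
    print(fw.process(Packet("93.184.216.34", 443, "10.0.0.5", 51000)))   # allow:established
    print(fw.process(Packet("93.184.216.34", 443, "10.0.0.5", 51001)))   # drop:no-state
```

The order of checks is the point: the dynamic block list is consulted first, then the state table, and only then the static rule set, so an unsolicited inbound packet reaches the static rules only when no recorded connection explains it. A real firewall also ages entries out of the state table; that is omitted here.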

What special function does a cache server perform? Why is this useful for larger organizations?

These types of servers can store the most recently accessed Web pages in their internal cache memory, and thus can provide content for heavily accessed pages without the level of traffic required when pages are not cached. Larger organizations often find that just a few Web sites account for a large quantity of their traffic and that they can lower total network traffic measurably by using a cache server.

What is a sacrificial host? What is a bastion host?

They are synonyms. Because the bastion host stands as the sole defender on the network perimeter, it is also commonly referred to as the sacrificial host. When it is placed behind a packet-filtering router, this configuration requires an external attacker to compromise two separate systems before reaching internal data.

What is a DMZ

is the network segment that may be engineered between the external access to a network and the internal areas.

What questions must be addressed when selecting a firewall for a specific organization?

• What type of firewall technology offers the right balance between protection and cost for the organization's needs?
• What features are included in the base price? What features are available at extra cost? Are all cost factors known?
• How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
• Can the candidate firewall adapt to the growing network in the target

What is a content filter?

a software filter—technically not a firewall—that allows administrators to restrict access to content from within a network.

What is a VPN?

a private and secure network connection between systems that uses the data communication capability of an unsecured and public network.


What is the difference between a policy and a standard quizlet?

Policy comes first because it acts as the organization's law, dictating what an employee should do. A standard provides specifics to help employees comply with the policy. Guidelines give recommendations to assist users in complying with a policy.

What is the difference between a policy and a procedure quizlet?

Policies are guidelines for making consistent decisions; procedures are descriptions of the way work is to be done.

What type of policy would be needed to guide use of the web e mail office equipment for personnel use?

An issue specific security policy would be needed to guide use of the web, e-mail, and office equipment for personal use.

Who is responsible for managing a technology?

IT directors are responsible for ensuring all parts of a company's IT infrastructure function effectively. This includes managing networks, servers, storage, security and applications. In some companies, the IT director and the CIO are the same person and the two terms are used interchangeably.