A NON-REGULATORY agency of the United States Department of COMMERCE that
offers an incredible variety of standards - answer A non-regulatory agency of the United
States Department of Commerce that offers an incredible variety of standards
Internet Engineering Task Force (IETF) - answer Develops and promotes INTERNET
standards that may be voluntarily adopted throughout the industry.
At one time supported by the federal government, it now performs a standards
development function under the Internet Society
Institute of Electrical and Electronics Engineers (IEEE) - answer Professional
organization for the advancement of computer engineering and computer science,
among other aspects of electronics and communications. As one of the leading
standards organizations, it is responsible for the 802 group of standards
American National Standards Institute (ANSI) - answer A NONPROFIT ORGANIZATION
that oversees the development of STANDARDS that are approved by consensus and
are applied on a voluntary basis across a given industry.
Manages and maintains the ASCII standard
World Wide Web Consortium (W3C) - answer Standards organization in which
members, staff, and the public collaborate to develop web standards. The web
technologies include the recommended implementation of Cascading Style Sheets and
XHTML, among many other recommendations
International Organization for Standardization (ISO) - answer A true standards
organization. It tests various products and provides its seal of approval once they pass
rigorous tests. The organization administers over 13,000 standards across many
industries.
Telecommunications Industry Association (TIA) - answer Accredited by the American
National Standards Institute (ANSI) to develop voluntary, consensus-based industry
standards for a wide variety of information and communication technologies (ICT)
products and currently represents nearly 400 companies
SANS Institute - answer A private company formed in 1989 that provides training to the
cyber security industry
Security Triad - answer Confidentiality
Availability
Integrity
The Primary Security Categories - answer Prevention
Detection
Recovery
Access Control Steps - answer Identification
Authentication
Authorization
Accounting
Auditing
Risk - answer A chance of damage or loss based upon the exposure to a potential
hazard or threat.
Threat Vector - answer A path that an attacker might take to take advantage of a
vulnerability and do harm
Prudent Man Concept - answer Refers to actions that may be REASONABLY TAKEN
(or are obvious) to safeguard corporate assets and data
Components of Risk - answer Threat
Vulnerability
Controls
Threat - answer Any incident or action that, if carried out, could cause harm or loss of
data or an asset.
Vulnerabilities - answer Weaknesses that may be penetrated or exploited by an attacker
Controls - answer Used to reduce the possibility that a threat will exploit a vulnerability
Types of Access Controls - answer Physical
Administrative
Logical
Due Diligence - answer ENSURING that the CONTROLS put into place are functioning
ADEQUATELY.
May also be referred to as ASSUREDNESS.
Due Care - answer The actions that a PRUDENT and REASONABLE person would
make to protect an organization's assets
Categories of Assets - answer Physical Resources
Data
Data - answer Contents placed on the company network and storage devices
Concept of Least Privilege - answer Refers to granting the least amount of access rights
and permissions required to perform a task.
The Three As of Accounting - answer Authentication
Authorization
Accounting
Mandatory Vacation - answer A security technique that allows for the review of
employee activities.
Separation of Duties - answer Ensures that no one person has too much power or control
M of N Requirement - answer Requires a certain number of individuals to agree prior to
action being taken. M represents the minimum number of individuals that must agree on
a course of action. N represents the total number of individuals involved.
Two-Man Rule - answer A procedure popular in very high-security locations and
situations. It features two individuals who must agree upon action yet are physically
separated and must therefore take action independent of the other
Types of Security Awareness Education Programs - answer New Hire Orientation
Mandatory Security Training
Corporate-Wide Security Training
Specialty Security Training
Mitigation - answer The act of limiting risk
Physical Controls - answer Restrict or prohibit access to the physical components of the
infrastructure; usually independent of computer hardware, software, and communication
systems
Usually the first line of defense
Include doors, locks, and fences.
Logical Controls - answer Any network device or software that protects the network
hardware and digital information assets of the company
These include an access control list (ACL), an intrusion detection system (IDS),
firewalls, routers, virus protection software, and activity logging mechanisms.
Administrative Controls - answer Consist of policies, directives, regulations, and rules set
up by a company to govern activities taken by individuals or to establish operating
procedures.
These include banners, signs, policies or procedures, directives, rules or regulations,
and documents or log-on screens.
Types of Assets - answer Digital - Data stored on IT systems
Information - Content represented by the digital data
Physical - Tangible things
Assurance Procedures - answer Procedures that ensure that the access control
mechanisms correctly implement the security policy
Defense-in-Depth Strategy - answer Relies on two concepts: discouraging the attack
and slowing the attacker
Subject - answer The user or entity taking the action or accessing a resource such as a
database; always active
Object - answer The item or resource being acted upon; always passive
Access Control Lists (ACLs) - answer Contain the identity and access authority for every
user (subject)
Compatibility Table - answer A type of ACL; maintains the permissions assigned to the
USER
Authorized Use Policy (AUP) - answer Specifies how the user must behave when using
the networks, information, and IT products of the company. May be a signed policy in a
new-hire folder as well as a logon screen stating appropriate system use.
False Positive - answer Refers to a condition where an unknown user has been
identified and authenticated and allowed access to a system
False Negative - answer Refers to a condition where a known good user is denied
access to the system
Error Rate - answer The frequency of false positives and false negatives
Factors of Authentication - answer 1. Something You Know
2. Something You Have
3. Something You Are
4. Somewhere You Are