Topic 5b- Chapter 4- Information Security and Controls

Created by

NeutralMouse80286

Cards (55)

Security 
Protection of information resources from threats
View source
Information security 
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
View source
Threat 
Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or society through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service
View source
Exposure 
The state of being unprotected and vulnerable to damage or harm
View source
Vulnerability 
A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
View source
Five key factors contributing to vulnerability
Today's interconnected, interdependent, wirelessly networked business environment
Smaller, faster, inexpensive computers and storage devices
Decreasing skills necessary to be a computer hacker
International organized crime taking over cybercrime
Lack of management support
View source
Human errors 
Unintentional threats to information systems caused by mistakes made by people
View source
Social engineering 
An attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords
View source
Deliberate threats to information systems
Espionage or trespassing
Information extortion
Sabotage or vandalism
Theft of equipment or information
Identity theft
Compromises to intellectual property
Software attacks
Alien software
Supervisory control and data acquisition (SCADA) attacks
Cyberterrorism and cyberwarfare
View source
Virus 
A type of remote software attack that requires user action
View source
Worm 
A type of remote software attack that requires user action
View source
Phishing attack 
A type of remote software attack that requires user action
View source
Spear phishing attack 
A type of remote software attack that requires user action
View source
Whaling attack 
A type of remote software attack that requires user action
View source
Smishing attack 
A type of remote software attack that requires user action
View source
Vishing attack 
A type of remote software attack that requires user action
View source
Denial of service attack 
A type of remote software attack that needs no user action
View source
Distributed denial of service attack
A type of remote software attack that needs no user action
View source
Trojan horse 
A type of software attack by a programmer developing a system
View source
Back door 
A type of software attack by a programmer developing a system
View source
Logic bomb 
A type of software attack by a programmer developing a system
View source
Adware 
A type of alien software
View source
Spyware 
A type of alien software, including keyloggers
View source
Spamware 
A type of alien software
View source
Cookies 
A type of alien software, including tracking cookies
View source
Risk 
The potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability
View source
Risk analysis 
The process of identifying, quantifying, and prioritizing the risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system
View source
Risk mitigation strategies 
Risk acceptance
Risk transference
Risk limitation
View source
Risk acceptance 
A risk mitigation strategy where the organization acknowledges the existence of a particular risk and makes an informed decision to accept it without engaging in special efforts to control it
View source
Risk transference 
A risk mitigation strategy where the organization shifts the burden of risk to another party, such as purchasing insurance
View source
Risk limitation 
A risk mitigation strategy where the organization applies controls to minimize the adverse impact of threats and vulnerabilities, i.e. reducing the risk
View source
Information systems auditing 
The process of collecting and evaluating evidence to determine whether an information system safeguards assets, maintains data integrity, and allows organizational goals to be achieved effectively and efficiently
View source
Types of auditors and audits
Internal auditors
External auditors
Operational audits
Compliance audits
Financial audits
Information systems audits
View source
Physical controls 
Security measures that are designed to deny access to unauthorized personnel from physically accessing a company's facilities and information resources
View source
Examples of physical controls
Walls
Doors
Fencing
Gates
Locks
Badges
Guards
Alarm systems
View source
Access controls 
Security measures that are designed to allow only authorized personnel to access information resources
View source
Communication controls 
Security measures that are designed to protect the transmission of information across computer networks
View source
Application controls 
Security measures that are designed to ensure the completeness, accuracy, and validity of data input, processing, and output within specific applications
View source
Business continuity planning 
The process of developing and documenting arrangements and procedures that enable an organization to respond to an event that causes an abnormal and undesirable situation, in order to continue minimum business operations and minimize losses
View source
Disaster recovery plan 
A plan for restoring an organization's critical information technology infrastructure and operations after a disaster
View source