Exam Reviewer PDF
Document Details
Uploaded by AdaptableOctagon268
National University
Tags
Summary
This document covers the introduction to information security, including its key concepts, components, and framework. It also details the roles and responsibilities involved in maintaining information security and includes coverage of modules.
Full Transcript
Module 1: Introduction to Information Security 1. Define Information Assurance (IA): ○ Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. 2....
Module 1: Introduction to Information Security 1. Define Information Assurance (IA): ○ Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. 2. Five Pillars of Information Assurance: ○ Confidentiality, Integrity, Authentication, Availability, Non-repudiation. 3. Define Information Security: ○ The protection of information and its critical elements, including the systems and hardware that use, store, and transmit the information. 4. Difference Between Information Security and Cybersecurity: ○ Information Security focuses on protecting information assets, while Cybersecurity primarily deals with protecting internet-connected systems from cyber threats. 5. Six Components of an Information System: ○ Hardware, Software, Networks, Data, People, Procedures. 6. C.I.A. Triangle: ○ Confidentiality: Preventing unauthorized access. ○ Integrity: Ensuring information is accurate and unaltered. ○ Availability: Information is accessible when needed. 7. Security as an Art: ○ Emphasizes creative problem-solving and adapting solutions to unique organizational challenges. 8. Security as a Science: ○ Relies on scientific principles and data-driven approaches to identify and mitigate risks. 9. Security as a Social Science: ○ Focuses on human behavior and the interaction of individuals with systems to improve security measures. 10.Three Layers of Security in an Organization: ○ Physical, Technical, Administrative. 11.Define Threat: ○ A potential danger to information or systems. 12.Difference Between Threat and Vulnerability: ○ Threat: A potential danger; Vulnerability: A weakness that can be exploited by a threat. 13.Examples of Physical Security Controls: ○ Locks, Access Badges, Surveillance Cameras. 14.Define Network Security: ○ Protecting networking components, connections, and content from unauthorized access. 15.Operations Security: ○ Protecting details of operations or activities to prevent exploitation. 16.Nonrepudiation: ○ Ensures actions cannot be denied later by providing proof of origin and integrity. 17.Top-down vs. Bottom-up Approaches: ○ Top-down: Initiated by upper management. ○ Bottom-up: Developed by technical staff. 18.Role of a CISO: ○ Oversees information security strategy, implementation, and compliance. 19.Balancing Security and Access: ○ Ensuring information is secure while allowing reasonable access for authorized users. 20.Data Custodian Responsibilities: ○ Implementing data storage and backup, managing security policies, and reporting to data owners. Module 2: Legal, Ethical, and Professional Issues 21.Due Care vs. Due Diligence: ○ Due Care: Acting legally and ethically. ○ Due Diligence: Continuously ensuring compliance. 22.Policy vs. Law: ○ Policies are internal rules; laws are legally enforceable. 23.Five Criteria for Enforceable Policies: ○ Dissemination, Review, Comprehension, Compliance, Uniform Enforcement. 24.Define Privacy: ○ Protecting personal information from unauthorized access. 25.GDPR Importance: ○ Provides control to individuals over personal data and simplifies regulations. 26.Personally Identifiable Information (PII): ○ Data that can identify an individual, such as name, SSN, or financial details. 27.Key Principles of PH Data Privacy Act of 2012: ○ Transparency, Accountability, Consent, Data Minimization. 28.Sarbanes-Oxley Act Impact: ○ Ensures accurate financial reporting and accountability. 29.Purpose of USA PATRIOT Act: ○ Enhances tools to combat terrorism, including surveillance. 30.Three Major U.S. Laws on Identity Theft: ○ Identity Theft Enforcement and Restitution Act, Computer Fraud and Abuse Act, Financial Modernization Act. Module 3: Planning for Security 31.Strategic Planning in Information Security: ○ Long-term direction for allocating resources and achieving objectives. 32.Security Policy Importance: ○ Provides a framework for protecting information assets. 33.EISP, ISSP, and SysSP Differences: ○ EISP: Broad policies. ○ ISSP: Specific issues. ○ SysSP: Technical guidance. 34.Access Control List (ACL): ○ Defines access permissions for resources. 35.Configuration Rules: ○ Policies for system reactions to specific inputs. 36.Role of Policy Administrator: ○ Manages policy reviews, updates, and enforcement. 37.Information Security Blueprint: ○ A detailed plan for implementing security measures. 38.ISO 27000 Significance: ○ International standard for information security management. 39.Defense in Depth: ○ Multiple layers of security to protect assets. 40.Security Perimeter: ○ Boundary separating secure and non-secure areas. Module 4: Risk Management 41.Define Risk Management: ○ Process of identifying, assessing, and controlling risks. 42.Three Phases of Risk Management: ○ Identification, Assessment, Control. 43.Qualitative vs. Quantitative Risk Analysis: ○ Qualitative: Subjective assessments. ○ Quantitative: Numeric calculations. 44.Single Loss Expectancy (SLE): ○ Financial impact of a single incident: SLE = AV × EF. 45.Annualized Loss Expectancy (ALE): ○ ALE = SLE × ARO. 46.Exposure Factor (EF): ○ Proportion of asset loss due to a threat. 47.Five Risk Control Strategies: ○ Defense, Transfer, Mitigation, Acceptance, Termination. 48.Mitigation as a Risk Control Strategy: ○ Reducing impact through preparation and planning. 49.Cost-Benefit Analysis (CBA): ○ Weighing costs of controls against benefits. 50.DREAD Model: ○ Rates risks based on Damage, Reproducibility, Exploitability, Affected Users, Discoverability. Module 4: Risk Management (Continued) 51.Benchmarking in Risk Management: ○ Comparing security practices against peers or standards to identify gaps. 52.Importance of Baselining: ○ Establishing a reference point for performance comparisons over time. 53.Organizational Feasibility: ○ Ensures proposed controls align with organizational objectives and strategy. 54.Role of Technical Feasibility: ○ Evaluates whether the organization has the technical resources and expertise to implement controls. 55.Residual Risk: ○ Remaining risk after all feasible controls have been implemented. 56.Advantages of Risk Management Frameworks: ○ Provides structure for consistent risk assessment and control. 57.Operational Feasibility in Implementing Controls: ○ Ensures user acceptance and integration of security measures into daily operations. 58.Risk Appetite: ○ The level of risk an organization is willing to accept. 59.Defense Strategy in Risk Control: ○ Prevents exploitation by implementing safeguards and policies. 60.Risk Termination and Its Applications: ○ Avoiding activities that introduce unmanageable risks. Module 5: Overview of Vulnerability Assessment 61.Define Vulnerability Assessment: ○ Process of identifying, quantifying, and prioritizing vulnerabilities in a system. 62.Difference Between Vulnerability Assessment and Penetration Testing: ○ Vulnerability Assessment: Identifies and measures weaknesses. ○ Penetration Testing: Simulates attacks to exploit vulnerabilities. 63.Top 10 OWASP Web Vulnerabilities: ○ Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging and Monitoring Failures, Server-Side Request Forgery. 64.OWASP ZAP Role in Vulnerability Assessment: ○ A tool for identifying vulnerabilities in web applications through automated scanning and manual testing. 65.Pre-Vulnerability Assessment Steps: ○ Asset identification, defining scope, prioritizing critical systems. 66.Importance of Regular Assessments: ○ Ensures emerging vulnerabilities are identified and addressed promptly. 67.Role of Configuration Management in Vulnerability Mitigation: ○ Helps maintain secure and consistent system configurations. 68.Difference Between Reactive and Proactive Approaches: ○ Reactive: Responding to incidents after occurrence. ○ Proactive: Identifying and addressing potential issues before exploitation. 69.Purpose of OWASP Documentation: ○ Provides best practices to secure applications against current threats. 70.What Is a Security Patch? ○ Updates released to fix vulnerabilities in software.
