CISA Domain 5
Information security steering committee - Answer- Security policies, guidelines and
procedures affect the entire organization and as such, should have the support and
suggestions of end users, executive management, auditors, security admins,
information systems personnel and legal counsel. Therefore, individuals representing
various management levels should meet as a committee to discuss these issues and
establish and approve security practices.
Executive Management - Answer- Responsible for the overall protection of
information assets, and for issuing and maintaining the policy framework.
CISO - Answer- The person in charge of information security within the enterprise
Ownership of Information and Classification - Answer- The information owner is
responsible for the information and should decide on the appropriate classification,
based on the organization's data classification and handling policy.
Public/Private/Sensitive Classification - Answer- Public - company brochures
Private - Internal policies, procedures, normal business email messages
Sensitive - Unpublished financials, company secrets
Fraud Triangle - Answer- The three key elements are opportunity, motivation and
rationalization.
Proactive Controls (Safeguards) - Answer- They attempt to prevent an incident. Ex.
A sign that warns a person about a dangerous condition
Reactive Controls (Countermeasures) - Answer- They allow the detection,
containment and recovery from an incident. Ex. a fire extinguisher or sprinkler
system.
Types of Controls - Answer- Preventative, Detective or Corrective
Security Administration - Answer- Implements logical access capabilities in a set of
access rules that stipulate which users are authorized to access a resource at a
particular level and under which conditions. The security administrator invokes the
appropriate system access control mechanism upon receipt of a proper authorization
request from the information owner or manager to grant a specified user the rights
for access to, or use of, a protected resource.
Access Control Good Practice - Answer- Integration of the review of access rights
with human resource processes. When an employee transfers to a different function,
access rights are adjusted at the same time.
Mandatory Access Control - Answer- Logical access control filters used to validate
access credentials that cannot be controlled or modified by normal users or data
owners. Could be carried out by comparing the sensitivity of the information
resources, kept on a user-unmodifiable tag attached to the security object, with the
security clearance of the accessing entity such as a user or an application. Only
administrators may make decisions that are derived from policy. Only admins can
change the category of a resource, and no one may grant a right of access that is
explicitly forbidden in the access control policy. Anything that is not expressly
permitted is forbidden.
Discretionary Access Control - Answer- Controls that may be configured or modified
by the users or data owners. The case of data owner-defined sharing of information
resources, where the data owner may select who will be enabled to access his/her
resource and the security level of this access. DACs cannot override MACs.
Security training - Answer- Strong leadership, direction and commitment by senior
management on security training is needed. This commitment should be supported
with a comprehensive program of formal security awareness training. Security
awareness training should focus on common user security concerns - such as
password selection, appropriate use of computing resources, email and web
browsing safety and social engineering.
Access to third parties - Answer- Where there is a need to allow an external party
access to the information processing facilities or information of an organization, a
risk assessment should be carried out to identify any requirements for specific
controls.
Alteration Attack - Answer- Occurs when unauthorized modifications affect the
integrity of the data or code. A cryptographic hash is a primary defense against
alteration attacks.
Smurf Attack - Answer- Occurs when misconfigured network devices allow packets
to be sent to all hosts on a particular network via the broadcast address of the
network
Teardrop Attack - Answer- Involves sending mangled IP fragments with overlapping,
oversized payloads to the target machine
Phlashing - Answer- Permanent denial of service attack - damages a system's
hardware to the extent that it must be replaced.
Banana attack - Answer- Redirects outgoing messages from the client back onto the
client, preventing outside access, as well as flooding the client with the sent packets
Pulsing Zombie - Answer- A DoS attack in which a network is subjected to hostile
pinging by different attacker computers over an extended period of time.
Nuke - Answer- A DoS attack against computer networks in which fragmented or
invalid ICMP packets are sent to the target
Reflected Attack - Answer- Involves sending forged requests to a large number of
computers that will reply to the requests. The source IP address is spoofed to that of
the targeted victim.