Computer Security Ch 15

  1. control, safeguard, or countermeasure
    helps to reduce risks - a means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature
  2. the classifications of security controls
    management controls
    operational controls
    technical controls
  3. management controls
    security controls that are very broad, and focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission
  4. operational controls
    security controls that address the correct implementation and use of security policies and standards - primarily implemented by people rather than systems - improve the security of a system or group of systems
  5. technical controls
    security controls that involve the correct use of hardware and software security capabilities in systems - range from simple to complex measures that work together to secure critical and sensitive data, info, and IT systems functions
  6. supportive controls
    pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls
  7. preventative controls
    focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability
  8. detection and recovery controls
    focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources
  9. IT security plan
    documents what needs to be done for each selected control, along with the personnel responsible, and the resources and time frame to be used
  10. IT security plan should include:
    -risks - asset/threat/vulnerability combinations
    -recommended controls - from the risk assessment
    -action priority for each risk
    -selected controls - on the basis of the cost-benefit analysis
    -required resources for implementing the selected controls
    -responsible personnel
    -target start and end dates for implementation
    -maintenance requirements and other comments
  11. the follow-up stage of the management process includes:
     - maintenance of security controls
     - security compliance checking
     - change and configuration management
     - incident handling
  12. maintenance tasks include ensuring that:
     - controls are periodically reviewed
     - controls are upgraded when new requirements are discovered
     - changes to systems do not adversely affect the controls
     - new threats or vulnerabilities have not become known
  13. security compliance
    an audit process to review the organization's security processes - to verify compliance with the security plan
  14. change management
    the process used to review proposed changes to systems for implications on the organization's systems and use
  15. configuration management
    is concerned specifically with keeping track of the configuration of each system in use and the changes made to each - includes lists of the hardware and software versions installed on each system