IM540 Midterm
Governance - Processes and structures that inform, direct, manage, & monitor organization activities to achieve objectives. Need to ensure effective use of resources and alignment with business objectives.
Compliance - regulations regarding IT governance
Bring Your Own Device (BYOD) - use of a personal device for job duties and accessing company’s software/applications
Legal concerns about BYOD - FLSA compliance (employees completing job tasks outside their shift time), liability for employee actions, data breach notifications, legal discovery, privacy issues
MDM - Mobile Device Management, software that implements the process of monitoring, managing, and securing mobile devices such as smartphones, tablets, and laptops used in enterprises to access data.
Risk Management - leads to the need for controls and security to reduce risks
Data breach laws in all US states - enacted legislation to protect consumer privacy, requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information
EU GDPR - Any organization processing personal data of EU residents must protect personal data
UK Data Protection Act - complements the EU GDPR
CCPA - mirrors the standards in GDPR; information processed about CA residents, or by organizations doing business in CA, must be protected
PIPEDA - Canadian law that mirrors the standards in GDPR
FERPA - federal law that affords parents the right to have access to their children’s educational records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from education records
FISMA - US federal agencies protection of information and IT systems
GLBA - US financial institutions must protect privacy of personal information, safety of Internet-based products and services, fair and accurate transactions, anti-terrorism
HIPAA - Governs healthcare organizations and partners creating, storing and transmitting electronic protected health information
PCI DSS - Entities that take credit cards must protect privacy of customer financial data
SOX - enacted to protect the public against corporate fraud and misrepresentation
J-SOX - Financial Instruments and Exchange Act, is the set of Japanese standards for internal controls
FLSA - Fair Labor Standards Act; non-exempt workers must be paid overtime for hours worked beyond 40 hours per week.
Risk - the potential for loss or damage when a threat exploits a vulnerability. A measure of the extent to which an entity is threatened by a potential circumstance or event, typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Internal Control - A process designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance
Information Security - Protection of information assets from harm
Internal Control Objectives - Effectiveness and Efficiency of operations including operational and financial performance goals, and safeguarding assets against loss
Information Security Objectives - Confidentiality/Privacy, Integrity, Availability, Authentication, Nonrepudiation
COSO - Committee of Sponsoring Organizations of the Treadway Commission, is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence
Three categories of COSO objectives - Operating, Compliance, and Reporting
Five components of internal controls - Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities
Control Environment - the foundation on which an effective system of internal control is built and operated in an organization that strives to 1) achieve its strategic objectives, 2) provide reliable financial reporting to internal and external stakeholders, 3) operate its business efficiently and effectively, 4) comply with all applicable laws and regulations, and 5) safeguard its assets
Risk Assessment - requires management to consider the impact of possible changes in the internal and external environment and to potentially take action to manage the impact
Control Activities - actions (generally described in policies, procedures, and standards) that help management mitigate risks in order to ensure the achievement of objectives
Information & Communication - allows senior management to demonstrate to employees that control activities should be taken seriously
Monitoring Activities - periodic or ongoing evaluations to verify that each of the five components of internal control, including the controls that affect the principles within each component, is present and functioning
Enterprise Risk Management - five components: Governance and culture; Strategy and objectives; Performance; Review and revision; Information, communication and reporting.
IT Governance - subset of overall organizational governance; the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.
CIO - Chief Information Officer. Leads the development of an IT governance framework for the organization. Oversees selection of corporate standards, technology architecture, technology evaluation and transfer. Responsible for planning, choosing, buying and installing a company’s technologies and information-processing operations.
IT Governance Approach - Ideation/Design, Develop, Test, Deploy, Operate, Retire
Standards - Well defined (one way of doing things); to comply, the organization has to follow a specific method
Frameworks - defines the ways and methods through which an organization can implement, manage and monitor IT governance within an organization
ISO - International Organization for Standardization, non-governmental but with participation from public and private organizations.
ISO 27000 - the ISMS family of standards; this document contains the overview and vocabulary.
ISO 27001 - standard that helps organizations become risk-aware and proactively identify and address weaknesses; promotes a holistic approach to information security: vetting people, policies and technology
ISO 27002 - guideline standard that provides a code of practice for information security controls with detailed guidance; a reference set of generic information security controls including implementation guidance
ISMS - information security management system, consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets
NIST - National Institute of Standards and Technology, non-regulatory governmental agency within the Department of Commerce; develops technology, metrics, and information security standards and guidelines that can help drive innovation and economic competitiveness. Standards include guidance to assist agencies with FISMA compliance.
NIST Special Publications - publish information security guidelines, recommendations and reference materials
SP 8XX - Computer Security, NIST's primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials
SP 18XX - Cybersecurity Practice Guides, Complement SP 800s; targets specific cybersecurity challenges in the public and private sectors; practical guides to facilitate adoption of standards-based approaches to cybersecurity
SP 5XX - Computer Systems Technology, General subseries for computer security
FIPS - Federal Information Processing Standards, To meet Federal government requirements for security and interoperability when there are no acceptable industry standards or solutions
FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems; the standard that establishes the security category for both information and an IS (information system). SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems, mandatory federal standard developed by NIST in response to FISMA. Specifies minimum security requirements for federal information and information systems and a risk-based process for selecting the security controls necessary to satisfy the minimum requirements.
High water mark concept - must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high.
FISMA 2002 - Federal Information Security Management Act, assigns responsibilities to NIST to provide standards and guidance to aid agencies in meeting the requirements of the law
SP 800-53 - apply the appropriately tailored set of baseline security controls.
HMG Cyber Essentials - Five areas: firewalls, secure configuration, user access control, malware protection, security update management
Digital Transformation – refers to incorporating computer-based technologies into an organization's products, processes and strategies.
DevOps – software development that involves more collaboration between IT operations and development teams (balancing speed and quality).
Agile Project management - is based on breaking down a project into smaller “pieces”. At intervals throughout the project, teams can release these project “pieces” for feedback and testing, enabling timely feedback about the project product before a new phase is started. The idea is to reduce the likelihood of finding out a project is an overall failure at the end, because there was continuous feedback and improvement throughout the project lifecycle.
Lean IT - The approach is a way of thinking and acting, focusing heavily on organizational culture. Lean IT is associated with the development and management of Information Technology products and services. The essence of Lean is to deliver value to the customer and to continuously improve by removing waste and using less resources.
ITIL - IT Infrastructure Library, operational perspective, with a focus on service management and delivery. Strives to help organizations optimize IT services such that they best support the organization
Value Stream - A series of steps that an organization uses to create and deliver valued IT products and services to a service consumer; a combination of the organization’s value chain activities.
Co-creation of value - recognizes that while some customers might expect providers to “deliver value” independently, value requires open dialogue and active collaboration between providers and consumers (end users). The service provider and consumer have a relationship, a two-way communication process to generate feedback and pre-empt demands in a proactive rather than reactive way. Although co-created, value realization is in the eye of the beholder (the consumer).
Value - The perceived benefits, usefulness, and importance of something; can be seen as a combination of outcomes, cost and risk.
Outcome - A result for a stakeholder enabled by one or more outputs.
Cost - The amount of money spent on a specific activity or resource.
Risk - A possible event that could cause harm or loss or make it more difficult to achieve objectives; can also be defined as uncertainty of outcome and can be used in the context of measuring the probability of positive outcomes as well as negative outcomes.
Output - a tangible or intangible delivery of an activity
Service - a means of enabling value co-creation by facilitating outcomes that customers want to achieve, without the customer having to manage specific costs and risks.
Service value system - represents how the various components and activities of the organization work together to facilitate continual value (co-)creation through IT-enabled services (which includes connected services such as technology creation, delivery and support).
Parts of SVS - Guiding principles, governance, service value chain, practices, continual improvement
Guiding Principles – Recommendations that guide an organization and its people on how to work flexibly in all circumstances
Governance – The means by which an organization is directed and controlled
The Service Value Chain (SVC) – (the “heart”) an operating model which outlines the key activities required to respond to demand and facilitate value creation through the creation and management of products and services
Practices - sets of organizational resources designed for performing work or accomplishing an objective, including processes and capabilities
Continual Improvement - a recurring organizational activity performed at all levels to ensure that an organization’s performance continually improves in meeting stakeholders’ expectations
Seven guiding principles of SVS - Focus on value, Start where you are – (leverage what you can), Progress iteratively with feedback, Collaborate and promote visibility, Think and work holistically, Keep it simple and practical, Optimize and automate
Service value chain - describes six key activities needed to realize value (including guidance about how to plan, manage, and improve key activities for the creation, delivery, and continual improvement of services).
service value chain activities - Plan, improve, engage, design and transition, obtain/build, deliver and support
Plan - This activity creates plans, portfolios, architectures, policies etc. to ensure a shared understanding of what the organization is trying to achieve, and how this will be done.
Improve - This activity creates improvement plans and initiatives to ensure continual improvement of all products, services, and practices across all four dimensions of service management
Engage - This activity encourages good understanding, transparency and engagement with stakeholders to understand their needs and develop strong relationships.
Design and transition - This activity creates new and changed products and services and ensures that they meet stakeholder expectations for quality, cost, and time to market
Obtain/build - This activity creates service components, ensures they are available when and where they are needed, and that they meet agreed specifications.
Deliver and support - This activity ensures that services are delivered according to specification and supported in a way that meets stakeholder expectations.
Four dimensions of service management - organizations and people, information and technology, partners and suppliers, value streams and processes
Organizations and people - This includes the culture, systems of authority, roles, skills, and competencies needed to plan, manage, and deliver services.
Information and technology - This includes the information and technology needed to deliver services (servers, storage, networks, databases, etc.) as well as the information and technology needed to manage those services (IT service management (ITSM) tools, knowledge bases, configuration information, etc.).
Partners and suppliers - The partners and suppliers dimension helps to ensure that we consider all the relationships needed to foster effective service delivery, since in the modern business environment no service provider can do everything by themselves. We all work with a wide number of other organizations who contribute in various ways to the services we deliver.
Value streams and processes - This dimension considers all the activities, workflows, controls, and procedures needed to succeed. They need to work together seamlessly to take incoming demand from customers and users and help to create value.
COBIT - Control Objectives for Information and Related Technologies; rooted in audit and controls. Addresses the modern technologies, trends and security requirements for organizations. It strives to provide guidance for improving alignment/compliance with global standards, frameworks and best practices such as TOGAF, CMMI, and ITIL, providing an open-source model that enables feedback from the external governance community for quicker enhancements released on a rolling basis.
COBIT Principles of Governance System - Provide stakeholder value, holistic approach, dynamic governance system, governance distinct from management, tailored to enterprise needs, end to end governance system
COBIT Principles of Governance Framework - Based on conceptual model, open and flexible, aligned to major standards
Meet stakeholder needs - Each enterprise needs a governance system to satisfy stakeholder needs and to generate value from the use of I&T. Value reflects a balance among benefits, risk and resources, and enterprises need an actionable strategy and governance system to realize this value.
Holistic approach - A governance system for enterprise I&T is built from a number of components that can be of different types and that work together in a holistic way.
Dynamic governance system - This means that each time one or more of the design factors are changed (e.g., a change in strategy or technology), the impact of these changes on the EGIT system must be considered. A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.
Governance distinct from management - A governance system should clearly distinguish between governance and management activities and structures.
Tailored to enterprise needs - A governance system should be tailored to the enterprise’s needs, using a set of design factors as parameters to customize and prioritize the governance system components.
End to end governance system - A governance system should cover the enterprise end to end, focusing not only on the IT function but on all technology and information processing the enterprise puts in place to achieve its goals, regardless of where the processing is located in the enterprise.
Components of a Governance System - Processes; Organizational structures; Principles, policies & frameworks; Information; Culture, ethics & behavior; People, skills & competencies; Services, infrastructure & applications
Focus area - describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.
Techopedia, CIO, ComputerWorld Knowledge Centers, CNet, ZDNet, Tech on the Web, Wired - publish reviews, news, articles, blogs, podcasts, and videos on technology and consumer electronics globally
Executive Support System (ESS) - software that allows users to transform enterprise data into quickly accessible and executive-level reports, such as those used by billing, accounting and staffing departments
Management Information System (MIS) - system that provides managers with the tools to effectively organize, evaluate, and manage departments within an organization
Decision Support System (DSS) - computer-based application that collects, organizes and analyzes business data to facilitate quality business decision-making for management, operations and planning
Knowledge Management System (KMS) - centralized repository that’s used to organize, store and share organizational knowledge with employees and customers
Transaction Processing System (TPS) - information processing system for business transactions involving the collection, modification and retrieval of all transaction data
Office Automation System (OAS) - collective hardware, software and processes that enable automation of the information processing and communication tasks in an organization
Business Intelligence (BI) - tools, systems, and strategies that create analysis and planning processes within a corporation.
Computing - process of using computer technology to complete a given goal-oriented task; may encompass the design and development of software and hardware systems for a broad range of purposes
ISACA ITCA - Information Technology Certified Associate
ISACA CET - Emerging technologies
Processes - set of policies and procedures to manage technologies
People - who use data and who manage technology/processes
IT Architecture - “blueprint” principles, guidelines or rules used by an enterprise to direct the process of acquiring, building, modifying and interfacing IT resources throughout the enterprise.
IT Infrastructure - hardware, software, facilities and service components
IT Standards - rule, condition, or requirement
Enterprise Architecture - the practice by which organizations standardize and organize IT infrastructure to align with business goals.
Enterprise Technology Architecture - reusable standards, guidelines, individual parts and configurations that are technology-related (technical domains)
Business Architecture - business issues, enterprise blueprint that defines the organizational structure of governance, business process, people and business information
Application Architecture - influences application design decisions, such as SOA (Service Oriented Architecture)
Information Architecture - structure and flow of data, information and knowledge in an organization, along with rules
Data Architecture - set of rules, policies, standards and models that govern and define the type of data collected and how it is used, stored, managed and integrated within an organization and its database systems
Enterprise Data Architecture - align IT programs and information assets with business strategy
Mainframe - very large and expensive computer capable of supporting hundreds, or even thousands, of users simultaneously
Minicomputer - small general-purpose computer that uses one or more processors to complete work.
Microcomputer - personal computer (PC), or a computer that depends on a microprocessor
Server - computer or device on a network that manages network resources
Smartphone/Tablet - mobile phones that primarily run on the Android and iOS operating systems but also include any open operating system that has a software development kit available to developers that can use native APIs to write applications
Workstation - computer used for tasks such as programming, engineering, and design
CPU - Central Processing Unit; controls the interpretation and execution of instructions
Bit processor - binary digit: 0 or 1.
BYOD - alternative strategy allowing employees, business partners and other users to utilize a personally selected and purchased client device to execute enterprise applications and access data
Configuration - Step in system design
RAM - Random access memory. high-speed component in devices that temporarily stores all information a device needs for the present and future
ROM - read-only memory. computer memory on which data has been pre-recorded. Once data has been written onto a ROM chip, it cannot be removed and can only be read.
Peripherals - computer device, such as a keyboard or printer, that is not part of the essential computer
Processor - integrated electronic circuit that performs the calculations that run a computer
SCADA - Supervisory Control and Data Acquisition; used in manufacturing for acquiring measurements of process variables and machine states, and for performing regulatory or machine control across a process area or work cell.
Terminal - device, combining keyboard and display screen, that communicates with a computer
Computer Operator - person who controls a computer system
Separation of duties - basic internal control that prevents or detects errors and irregularities by assigning to separate individuals the responsibility for initiating and recording transactions and for the custody of assets
Clients - Devices on a network that request and receive information from servers e.g., desktops, tablets, laptops, mobile devices, servers, printers
Software and hardware to enhance security for networks - firewalls
Hardware and software that connects devices for networks - routers, switches, hubs, and modems (note: compare router, switch, and hub)
Internet - massive network of networks, a networking infrastructure
Intranet - private network based on TCP/IP and belongs to an individual organization. It’s only accessible to that organization’s members, employees, or others with authorization
Extranet - an intranet that is partially accessible to authorized outsiders. Whereas an intranet resides behind a firewall and is accessible only to people who are members of the same company or organization, an extranet provides various levels of accessibility to outsiders
network edge - precise point where devices connect to the Internet
Network Perimeter - actual boundary between private and public networks
Centralized Network Architecture - all users connect to a central server, which is the acting agent for all communications
Decentralized Network Architecture - multiple authorities that serve as a centralized hub for a subsection of participants
Distributed Network Architecture - type of computer network that is spread over different networks
Demilitarized Zone (DMZ) - host or network that acts as a secure and intermediate network or path between an organization’s internal network and the external, or non-proprietary, network
World Wide Web - way of accessing information over the medium of the internet
MAC Address - Media Access Control address, sometimes referred to as a hardware address or physical address, is an ID code that’s assigned to a network adapter or any device with built-in networking capability
Modem - modulator-demodulator; a device or program that enables a computer to transmit data over, for example, telephone or cable lines
Online - Turned on and connected
Offline - Not connected
Nearline - storage medium that is external to a computer and provides quick and scalable access to storage devices/capacity within an IT environment
RFID - Radio Frequency Identification; transmits signals that identify the item to which it is affixed.
TCP - Transmission Control Protocol. enables two hosts to establish a connection and exchange streams of data
IP - Internet Protocol; communication protocol for exchanging data packets or datagrams across internet-connected networks
Wireless - describes any network or device that does not need a wired connection to transmit information or perform tasks
Mobile - portable computing device
Outsourcing - subcontracting infrastructure, software development, directing strategy, maintenance, running the service desk, and other functions
Service Level Agreement (SLA) - responsibilities, quality, and availability of the services provided to a client by a service provider
Data - raw and unorganized
Information - organizes data and gives it context
Checkpoint - known good point from which the SQL Server Database Engine can start applying changes contained in the log during recovery after an unexpected shutdown or crash
Data dictionary - file that defines the basic organization of a database.
Database administrator - maintains a successful database environment by directing or performing all related activities to keep the data secure
Database keys (different key types) - composite key, primary key and foreign key
Database Management System software - middleware that allows programmers, database administrators (DBAs), software applications and end users to store, organize, access, query and manipulate data in a database.
Journaling - maintains data consistency and integrity in the event of a failure during a transaction
Logging - keeps track of both inode changes and file content changes
Personally Identifiable Information (PII) - Information that can be used to distinguish or trace an individual’s identity—such as name, social security number, biometric data records
RDBMS - Relational database management system.
Referential integrity - relational data in database tables has to be universally configurable so that changes in one part of the system don't lead to unanticipated problems elsewhere
Retention period - minimum amount of time that a key or other cryptographically related information should be retained.
Rollback - operation of restoring a database to a previous state by canceling a specific transaction or transaction set.
SQL - Structured Query Language; programming language that is typically used in relational database or data stream management systems.
Bit - binary digit: 0 or 1.
Byte - sequence of eight bits
RAID - Redundant Array of Independent Disks; storage device that uses multiple disks to provide fault tolerance, improve overall performance, and increase storage capacity. NOT a backup
System Software - platform comprised of Operating System (OS) programs and services, including settings and preferences, file libraries and functions used for system applications
Network software - wide range of software that streamlines the operations, design, monitoring, and implementation of computer networks.
Online Analytical Processing (OLAP) - category of software for performing multidimensional analysis at high speeds on large volumes of business data from a data warehouse or centralized data store
Online Transaction Processing (OLTP) - category of data processing that is focused on transaction-oriented tasks
Private cloud – own IT department
Public cloud – third party provider
Community cloud – group owned
Hybrid cloud – combo of private and public
Software as a service (SaaS) – on-demand hosted application software
Platform as a service (PaaS) – on demand access, ready to use platform for developing, running, maintaining and managing applications.
Infrastructure as a service (IaaS) - on-demand access to cloud-hosted physical and virtual servers, storage and networking - the backend IT infrastructure for running applications and workloads in the cloud.
Security as a service - SecaaS
Disaster recovery as a service - DRaaS
Identity as a service - IDaaS
Blockchain as a service - BaaS
Quantum Computing - deals in more than just 1s and 0s
Robotic Process Automation - technology that uses software agents (bots) to carry out routine clerical tasks without human assistance
GRC - governance, risk management, compliance
Governance - How can you help advise organizations on governing their processes, technology, and systems?
Risk Management - How can you help organizations identify (and control) the risks associated with their processes and systems?
Compliance - How can you help organizations comply with the laws and regulations governing them (both internal and external, which can vary based on industry, location, and organizational structure)?
Threat - event or condition (e.g., exploit of a vulnerability) that has the potential for causing asset loss and/or undesirable consequences or impact.
Threat Actors - entities who can create/pose a threat. They carry out actions
Vulnerability - Weakness, flaw or error that potentially exposes an entity to threats
Risk - measure of likelihood/probability of a threat occurrence AND measure of impact
I&T Risk - IT-related risk that could potentially impact the business
Cyber security and ransomware – Data loss and service disruption, as well as ransomware attacks, due to a cyber attack.
Cloud adoption - Historically, there was a perception that cloud environments are inherently more secure or resilient than on-premises systems; however, businesses are becoming more aware that this is not the case.
Technology transformation programs - Effective delivery of business strategy is increasingly reliant on technology, leading to greater integration between business and IT.
Data - The need to focus on quality and integrity to ensure data used by the business to support commercial operations, and regulatory and internal control compliance, is reliable.
DevOps - DevOps involves effectively leveraging cloud computing resources, including developing cloud native apps, which can increase exposure to a range of technology risks, including cyber risks.
Supply chain assurance - Third parties increasingly provide significant parts of business capability, particularly for technology services. Outsourcing does not outsource the associated risks and organizations need to expand their range of assurance activities to cover third-party providers.
IT control programs - Documenting centralized IT control frameworks and using them to facilitate periodic reviews of the control environment.
Resilience - Avoiding service outages.
Digital talent - Post-pandemic, businesses have needed to invest significantly in new and emerging technologies, and in the skills required to deliver technological solutions. How do we find the IT talent?
Automation - Ensuring you have an effective Robotic Process Automation (RPA) framework to deliver and manage compliance with regulatory, security and continuity requirements.
Security - compromised business data due to unauthorized access or use
Availability - inability to access your IT systems needed for business operations
Performance - reduced productivity due to slow or delayed access to IT systems
Compliance - failure to follow laws and regulations
CIA - Confidentiality, Integrity, and Availability
ITIG - IT general controls; establish a framework for controlling the design, development, implementation, security, and use of computer programs, as well as the integrity of program and data files and of computer operations, throughout an organization
ITAC - application controls. Specific controls unique to each computerized application, such as payroll or order processing
Control system layers - Management (non IT controls), IT general controls, IT application controls
IT risk, controls, and audit process - Identify and assess the risk → Implement controls to reduce risk to an acceptable level → Evaluate the controls (internal and external assessment) → Investigate exceptions and track outcomes
Control considerations - How could it be done, how should it be done, what could go wrong?
Physical access - actual hands-on, on-site access to assets
Logical access - interactions with hardware through remote access.
Access Control - limiting access to a system or to physical or virtual resources. Uses Authenticate and Authorize
Identity and Access Management - IAM; grants or denies employees and others authorization to use system resources. Uses Identify, Authenticate, Authorize
Identification - ability to identify uniquely a user of a system or an application that is running in the system
Authentication - prove that a user or application is genuinely who that person or what that application claims to be
Authorization - process of determining which level of access each user is granted
Digital identity - comprised of characteristics, or data attributes, such as username and password, online search activities, date of birth, social security number, medical history, purchasing history
Discretionary access control (DAC) - DAC allows an individual complete control over any objects they own along with the programs associated with those objects. The object owner assigns access rights based on rules specified by users. This is often referred to as Rule-based access control (RuBAC).
Mandatory access control (MAC) - Considered the strictest of all levels of access control systems. It uses a hierarchical approach to control access to files/resources. Under a MAC environment, access to resource objects is controlled by the settings defined by a system administrator. This means access to resource objects is controlled by the operating system based on what the system administrator configured in the settings.
Role based access control (RBAC) - access control based on the position an individual fills in an organization (or role he/she plays). RBAC is used when system administrators need to assign rights based on organizational roles instead of individual user accounts within an organization.
Attribute based access control (ABAC) - access control based on dynamic user, environment, or resource attributes.
Routers - device that analyzes the contents of data packets transmitted within a network or to another network
Switches - in the context of networking, a high-speed device that receives incoming data packets and redirects them to their destination on a local area network (LAN).
Hubs - hardware device that relays communication data
Modems - modulates and demodulates analog carrier signals (called sine waves) for encoding and decoding digital information for processing
Network architecture - refers to the overall design of a computer network, while network topology is more limited and refers to how the elements are laid out or arranged/ linked together.
Endpoint - internet capable computer hardware device on a TCP/IP network. Examples include computers, tablets, printers, and sales terminals.
Threats to Endpoints - malware, virus, unauthorized access to devices, devices that become unstable or unsafe
Malware - Designed to infiltrate, damage or obtain information from a computer system without the owner’s consent. Examples include viruses, worms, trojan horses, spyware, and adware.
Vulnerabilities of Endpoints - Not installing and monitoring protective software, Not controlling the flow of traffic to endpoint devices, and Unencrypted devices.
Risks related to Endpoints - Devices could be infected with malicious software, Employees could remove software on devices, and Employees could access harmful websites.
Ways to control risks of endpoints - host-based firewall, encryption, anti-virus software, running compliance reports in a timely manner and investigating any findings.
Host-based Firewall - A piece of firewall software that runs on an individual computer or device connected to a network.
Blacklisting - The process of blocking communication to specific domains, email addresses, or websites. Starts with an allow-all policy then block specified sites.
Whitelisting - The process of allowing specific connections/communications to specific domains, email addresses or websites. Starts with a deny-all policy.
Endpoint encryption - protects data at different network endpoints such as devices, hardware, and files, and authorizes endpoints at which data can be accessed.
Anti-virus Software - application software deployed at multiple points in an IT architecture. It is designed to detect and potentially eliminate virus code before damage is done and repair or quarantine files that have already been infected
Removable/portable media - any type of storage device that can be removed from a computer while the system is running. Examples include backup tapes, CDs, DVDs and Blu-Ray disks, as well as diskettes and USB drives.
Identity & Access Management - process used in businesses and organizations to grant or deny employees and others authorization to use system resources. Identify, Authenticate, and Authorize
Identification - the ability to identify uniquely a user of a system or an application that is running in the system.
Authentication - the ability to prove that a user or application is genuinely who that person or what that application claims to be.
digital identity - an online or networked identity adopted or claimed in cyberspace by an individual, organization or electronic device
Authorization - the process of determining which level of access each user is granted
Threats to IAM - A user gaining unauthorized access to the system, A user gaining unauthorized access to assets within the system, A bogus digital identity (someone appears to be authenticated but is not the expected/assumed user identity), and Centralized management via IAM creates a single, centralized target for hackers.
Risks related to IAM - Unauthorized access, Data breaches, Noncompliance, Unauthorized code changes, and Unauthorized tampering with a software build process (converting source code into code that can be run on a computer)
Discretionary access control (DAC) - allows an individual complete control over any objects they own along with the programs associated with those objects. The object owner assigns access rights based on rules specified by users. This is often referred to as Rule-based access control (RuBAC).
Mandatory access control (MAC) - Considered the strictest of all levels of access control systems. It uses a hierarchical approach to control access to files/resources. Access to resource objects is controlled by the settings defined by a system administrator. This means access to resource objects is controlled by the operating system based on what the system administrator configured in the settings.
Role based access control (RBAC) - access control based on the position an individual fills in an organization (or role he/she plays). RBAC is used when system administrators need to assign rights based on organizational roles instead of individual user accounts within an organization.
Attribute based access control (ABAC) - access control based on dynamic user, environment, or resource attributes.
Business resilience - an organization’s ability to adapt to disruptions and incidents in order to maintain continuous operations and to protect the organization’s assets
Business continuity - a proactive way to ensure mission-critical business operations proceed during a disruption or in the event of a disaster. It encompasses a business's level of readiness to maintain critical functions after an emergency or disruption
Business Continuity Plan (BCP) - A plan used by an organization to respond to disruption of critical business processes. encompasses all business functions needed to keep the business operational, no matter the type of crisis or event and addresses a contingency plan for restoration of critical systems.
Disaster Recovery Plan (DRP) - A plan that focuses mainly on specific systems or data that have been impacted by an event (emergency or disaster) and looks at restoring data access and the affected IT infrastructure as quickly as possible. It includes a set of human, physical, technical and procedural resources necessary to recover within a defined time and cost.
Business Impact Analysis (BIA) - helps to identify critical and non-critical systems.
Cold Sites - Facilities with the space and basic infrastructure adequate to support resumption of operations, but lacking any IT or communications equipment, programs, data or office support.
Mobile Sites - Packaged, modular processing facilities mounted on transportable vehicles and kept ready to be delivered and set up at a location that may be specified upon activation.
Warm Sites - Complete infrastructures that are partially configured in terms of IT, usually with network connections and essential peripheral equipment such as disk drives, tape drives and controllers.
Hot sites - facilities with space and basic infrastructure and all of the IT and communications equipment required to support the critical applications, along with office furniture and equipment for use by the staff.
Mirrored sites - fully redundant sites with real-time data replication from the production site. They are fully equipped and staffed and can assume critical processing with no interruption perceived by the users.
full backup - a complete copy of all data.
differential backup - backs up only the files that changed since the last full backup. Quicker than full backups because so much less data is being backed up.
incremental backup - backs up only the data that has changed since the last backup, no matter the type of that backup (full, differential or incremental). The result is a much smaller and faster backup; the shorter the time interval between backups, the less data each backup has to copy.
Data redundancy - the practice of storing data in more than one location within a database or storage system.
Backups - specifically about creating copies of data in the event that your business experiences an incident where data loss occurs
Recovery Time Objective - how much time can an application be down without causing significant damage to the business? (how quickly do you need to get back up and running? This can inform decisions about choice of recovery sites.)
Recovery Point Objective - what is the amount of data that can be lost before significant harm to the business occurs? (at what time intervals do you need to back up? This can inform not only timeliness choice, but backup medium choice.)
SQL Injection - computer attack in which malicious code is embedded in a poorly-designed application and then passed to the backend database
(Risk) Exposure – potential loss from a vulnerability. Includes all possibilities of harm to an entity without regard to its likelihood.
Exploit - (Verb) take advantage of a vulnerability. (Noun) tools/procedures used to take advantage of a vulnerability. (Unfortunately, exploit code for many vulnerabilities is readily available to be purchased, shared, or used by attackers, e.g., on Internet sites such as exploit-db.com as well as on the dark web.)
Attack – series of steps taken by a threat to achieve an unauthorized result.
Countermeasure – action/item that reduces the potential loss from a known vulnerability.
Threat assessment - performed to determine the best approaches to securing a system against a particular threat, or class of threat.
Risk score - a calculated number that reflects the severity of a risk, based on specified factors covering both its severity and the likelihood that it will occur.
Risk Governance - ensuring that the risk function has direction and is monitored.
Key Risk Indicators (KRIs) - any measure that can be used to describe and track a risk.
Risk assessment - a process to identify potential hazards and analyze (rank) what could happen if a hazard occurs. Risk assessment describes the whole process in which all types of risks are identified.
Risk analysis - a step within risk assessment, where each risk level is defined and often quantified.
Risk Appetite - the amount of risk (loss exposure) an entity is prepared to accept
Risk Capacity - usually defined as the objective magnitude or amount of loss that an enterprise has the capacity to absorb or tolerate without risking its continued existence
Risk Tolerance - the tolerable deviation from the level set by the risk appetite definition for an individual risk
Risk culture - risk-aware culture promotes open discussion of risk, and acceptable levels of risk are understood and maintained
Risk aggregation - individual risk may be combined for the purpose of reporting or treatment, or to obtain an integrated risk profile or risk score
Risk disposition - Risk avoidance, risk reduction/mitigation, risk sharing/transfer, risk acceptance
Risk reduction/mitigation - Once risk has been identified and analyzed, actions are taken to reduce the frequency and/or impact of the risk
Siloed Risk management strategy - Lack of communication between teams, Multiple plans/resources to address the same risk, Teams may not be aware of risks relevant to their functional area, No easy way to prioritize risk