SSCP Administration
Terms
- What are the seven phases of the system development life cycle?
- determine requirements; systems analysis; system design; programming; testing; production & maintenance; and disposal & reuse
- What is certification & accreditation (C&A)?
- a standard set of steps used to prove that a system meets the design goals
- Who usually performs certification of a system?
- a 3rd party, either a certifier or a Certification Authority (CA)
- Who usually performs accreditation?
- management or a Designated Approving Authority (DAA)
- What is the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP)?
- the certification & accreditation process used by the DoD where security is a priority
- What is the National Information Assurance Certification and Accreditation Process (NIACAP)?
- the certification & accreditation process for non-Defense government organizations
- What are the two types of security-related policies?
- employee policies and security policies
- What is the security mode of operation?
- the outline of processes by which information is accessed & processed
- What are the four security modes of operation?
- dedicated mode; system high mode; compartmented/partitioned mode; and multilevel mode
- What is the dedicated security mode of operation?
- a system intended solely for one type or classification of information
- What do users need to access a dedicated-mode system?
- clearance for all classified information, an NDA, and need-to-know
- What do users need to access a system high-mode system?
- clearance for all classified information and an NDA
- What do users need to access a compartmented system?
- clearance for the most classified information, an NDA, and need-to-know
- What do users need to access a partitioned-mode system?
- clearance for the most classified information
- What do users need to access a multilevel-mode system?
- clearance for data they have access to and need-to-know
- What is a roadmap?
- a blueprint designed to meet the specific security needs of a company
- What are the three types of NAT?
- static, dynamic, and overloading
- What is static NAT?
- a NAT where each host always receives the same external IP address unique to them
- What is dynamic NAT?
- a NAT where a host receives an IP address from a pool of available addresses
- What is an overloading NAT?
- a NAT which assigns the same external IP address to multiple internal hosts at the same time
- What five types of filtering can be performed by firewalls?
- packet filtering; stateful inspection; application gateway; circuit-level gateway; and proxy server
- What two disadvantages do packet-filtering firewalls have?
- they are vulnerable to spoofing and difficult to configure
- What disadvantage does an application gateway have?
- it is extremely processor-intensive
- What does a circuit-level gateway do?
- applies security when a TCP or UDP connection is established
- What is a bastion host?
- a host that sits outside of a DMZ
- What is a back-to-back network?
- a DMZ protected by firewalls from both internal and external attack
- What are the three parts of a service leg DMZ?
- the external DMZ network; the internal network; and the protected service leg DMZ
- What is the primary disadvantage to a service leg DMZ?
- it is more vulnerable to a DoS attack, since all traffic must go through a firewall
- What is configuration management (CM)?
- the process of identifying, monitoring, and maintaining control of the hardware and software of a system
- Who authorizes all changes when configuration management is in effect?
- a Configuration Control Board (CCB)
- When assigning value to an asset, what two factors should be considered?
- the criticality amount and its sensitivity level
- What is a criticality amount?
- the importance of an asset to an organization