Security controls that depend on secrecy.
Security through obcurity
Controls that exist in a layered fashion.
Defense in depth
Controls that aim to stop an attack from succeeding.
Controls that aim to identify malicious activity on the network.
Controls that aim to restore a resource to its pre-attack state.
Focuses on the features and system architecture used to ensure that the security policy is enforced during system operations.
Four types of recover under the common criteria.
Manual, automated, automated without undue loss, function
Mechanisms that require human intervention to retore the system to a secure state.
Provides for at least one type of service discontinuity recovery to a secure state without human intervention. May require human intervention for recovery from other discontinuities.
Provides for automated recovery but strengthens the requirements by disallowing undue loss of protected objects.
Automated recovery without undue loss
Provides for recovery at the level of particular security functions ensuring either successful completion or rollback of data to a secure state.
Steps taken by an organization to ensure that a system is designed developed and maintained using formalized and rigorous controls and standards.
Three parts of lifecycle assurance
Security testing, design specification and verification, configuration management
Five steps of the change control process.
Applying, cataloging, scheduling, implementing, reporting