Cyber Security Chapter 1

What is CIA?

Describe security using relevant and meaningful words that make security more understandable to management and users and define its purpose

Permitting authorized access to information while protecting information

What is PII?

Data about an individual that could be used to identify them (Name, physical appearance, SSN, parents name, etc)

What is PHI?

data regarding one’s health status (Health care)

Trade secrets, research, business plans and intellectual property

Measure of importance assigned to information

What is Integrity ?

What is the Critical component in ensuring that systems, processes, organizations, and individuals are trustworthy, reliable, and accountable for their actions

Assurance that data has not been altered by an unauthorized user. Covers data in storage, during processing and while in transit.

State of a system where it maintains a known good configuration and expected operational function as it processes information

understanding of the current state of a system or its data at a specific point in time. It involves the process of documenting and analyzing the current state of a system or its components in order to ensure system integrity. This is essential for effective system management and security as it enables timely detection of changes or deviations from the expected state.

Condition an entity is in at a point in time

refer to the current state of the information or reference point

What is Availability ?

Ability of authorized users to access data and information services in a timely and reliable manner, as needed and in the required format

Measure of the degree to which an organization depends on the information

Critical systems must have ______ to ensure that authorized users can access the information they need to perform their roles effectively

process of verifying or proving the user’s identification via SFA or MFA

Common techniques for authentication

Examples of Knowledge authentication

Examples of Token Authentication

What is Token Authentication

Examples of Characteristics authentication

Legal term and is defined as protection against individuals falsely denying a particular action

Right of an individual to control the distribution of information about themselves

Process of identifying, evaluating and controlling threats including all phases of risk context/frame, risk assessment, risk treatment, and risk monitoring

Measure of the extent to which an entity is threatened by a potential event

Risk is often express as a combination of ______

The potential adverse impacts that result from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information

Gap or weakness in an organization’s protection of assets

Something or someone that aims to exploit a vulnerability to gain unauthorized access

An individual attempt to exploit vulnerability

Examples of Threat actors

Means by which a threat actor carries out their objective

something in need of protection

Probability that a potential vulnerability may be exercised within the construct of the associated threat environment

measure of how likely it is for a particular threat to take advantage of a vulnerability

magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability

process of identifying, estimating and prioritizing risks to an organization’s operations (including its mission, functions, image and reputation), assets, individuals, other organizations and even the nation

Risk identification takeaways (Identify ___ to communicate it ________)

Risk identification takeaways (Employees at _____ of the organization are responsible for identifying risk)

Risk Identification takeaways (Identify risk to ___ against it)

Relates to making decisions about the best actions to take regarding the identified and prioritized risk

Decision to attempt to eliminate the risk entirely

No action to reduce the likelihood of a risk occurring

Common type, taking action to prevent or reduce possibility of a risk event or its impact

Practice of passing the risk to another party, insurance policy

Two types of Risk priorities

Method for risk analysis that is based on descriptor such as low, medium or high (Impact)

Numerical values are assigned to both impact and probability (Probability)

level of risk an entity is willing to assume in order to achieve potential results

usually the starting point for getting management to take action

Determines what is acceptable level of risk

Maintains the level of risk within management’s limit of risk tolerance

pertain to physical, technical, and administrative mechanisms that act as safeguards or countermeasures prescribe for an information system to protect confidentiality

What are the three types of security controls

Implementation of control should ____ to an acceptable level

Implemented through a tangible mechanism

Security controls for an information system that is implemented by computer systems and networks

Implemented through policy and procedures

Administrative/Managerial control cover the ____ of the organization and its activities with external parties and stakeholders

Administrative/Managerial control is a vital tool for achieving _____

Implement the systems and structures that the organization will use to achieve its goals, they are guided by laws and regulations created by governments to enact public policy

What is Laws and regulations?

Governs the use of protected health information (PHI) in the United States

EU comprehensive legislation that addresses personal privacy, deeming it an individual human right

are subject to regulations in more than one nation in addition to multiple regions and municipalities.

Organizations need to consider the regulations that apply to their business at all levels—______—and ensure they are compliant with the most restrictive regulation.

Examples of Laws and Regulation

What is Procedures?

Procedures establish the _______ to use to determine whether a task has been successfully completed

Properly documenting procedures and training personnel on how to locate and follow them is necessary for deriving the ________ from procedures

What is Policies?

Used to moderate and control decision-making, to ensure compliance when necessary and to guide the creation and implementation of other policies

High level governance policies - used by ____ to shape and control decision-making processes

What is Standards?

develops and publishes international standards on a variety of technical subjects, including information systems and information security, as well as encryption standards.

United States government agency under the Department of Commerce and publishes a variety of technical standards in addition to information technology and information security standards

recommended standards by industries worldwide

standards in communication protocols that ensure all computers can connect with each other across borders, even when the operators do not speak the same language

Standards for telecommunications, computer engineering and similar disciplines.

commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for noncompliance.

____ the highest-level governance documents in an organization, usually approved and issued by management, usually to support a compliance initiative.

A security practitioner who needs step-by-step instructions to complete a provisioning task might use a ___ to ensure they are performing the task in a consistent manner.

Frameworks, or __________ are often offered by third-party organizations and cover specific advisory or compliance objectives.

Usually mandated by a government agency, __ are a set of rules that everyone must comply with and usually carry monetary penalties for noncompliance.

The Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal _____ in the United States that requires certain actions be taken to protect health information

Many organizations use published frameworks, or _______

to guide the organizational ____ that support the compliance effort.

Many departments or workgroups within the organization implement _________ that detail how they complete day-to-day tasks while remaining compliant.

The ____states the purpose and intent of the ISC2 Code of Ethics.

The ______________, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

ISC2 Code of Ethics Preamble

ISC2 Code of Ethics Canon

The ________ represent the important beliefs held in common by the members of ISC2.

Protect ______, the common good, necessary public trust and confidence, and the infrastructure

Act ___, honestly, justly, responsibly and legally