Confidentiality
Ensures that unauthorized individuals are not able to gain access to sensitive information.
Integrity
Ensures that there are not unauthorized modifications to information or systems, either intentionally or unintentionally.
Availability
Ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
Security Incidents
Occur when an organization experiences a breach of the confidentiality, integrity, and/or availability of information or information systems.
Disclosure
The exposure of sensitive information to unauthorized individuals, otherwise known as data loss.
Alteration
The unauthorized modification of information; a violation of the principle of integrity.
Denial
The unintended disruption of an authorized user's legitimate access to information.
Financial Risk
The risk of monetary damage to the organization as the result of a data breach.
Reputational Risk
Occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers, and other stakeholders.
Strategic Risk
The risk that an organization will become less effective in meeting its major goals and objectives as a result of the breach.
Operational Risk
Risk to the organization's ability to carry out its day-to-day functions.
Compliance Risk
Occurs when a security breach causes an organization to run afoul of legal or regulatory requirements.
Technical Controls
Enforce confidentiality, integrity, and availability in the digital space.
Operational Controls
The processes that we put in place to manage technology in a secure manner.
Managerial Controls
Procedural mechanisms that focus on the mechanics of the risk management process.
Preventative Controls
Intended to stop a security issue before it occurs. ex. Firewall, Encryption
Detective Controls
Identify security events that have already occurred. ex. Intrusion detection systems
Corrective Controls
Remediate security issues that have already occurred. ex. Restoring backups
Deterrent Controls
Seek to discourage an attacker from attempting to violate security policies. ex. Barbed wire
Physical Controls
Security controls that impact the physical world. ex. Fire Suppression Systems, burglar alarms
Compensating Controls
Controls designed to mitigate the risk associated with exceptions made to a security policy. (see page 9 for more info)
Data at rest
Stored data that resides on hard drives, tapes, in the cloud, or on other storage media. This data is prone to pilfering by insiders or external attackers who gain access to systems and are able to browse through their contents.
Data in motion
Data that is in transit over a network. When data travels on an untrusted network, it is open to eavesdropping attacks by anyone with access to those networks.
Data in processing
Data that is actively in use by a computer system. This includes the data stored in memory while processing takes place. An attacker with control of the system may be able to read the contents of memory and steal sensitive information.
Encryption
Technology that uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems.
Data Loss Prevention (DLP)
A system that helps organizations enforce information handling policies and procedures to prevent data loss and theft.
Host-Based DLP
Uses software agents installed on systems that search those systems for the presence of sensitive information. Can also monitor system configuration and user actions, blocking undesirable actions. ex. block users from accessing USB-based devices.
Network DLP
Dedicated devices that sit on the network and monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information.
Pattern Matching
Where the DLP system watches for the telltale signs of sensitive information. ex. Numbers formatted like credit card or SSN numbers
Watermarking
Where systems or administrators apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags.
Data Minimization
Techniques seeking to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. ex. Destroying data when it is no longer needed
Hashing
Uses a hash function to transform a value in our dataset to a corresponding hash value.
Tokenization
Replaces sensitive values with a unique identifier using a lookup table. ex. Replacing a student ID with a randomly generated 10-digit number, then maintaining a lookup table that allows us to convert those numbers back to student IDs
Masking
Partially redacts sensitive information by replacing some or all sensitive fields with blank characters. ex. Replacing the last four digits of a credit card number with xxxx