Cyber Security Chapter 1


107 Terms

1
Confidentiality, Integrity and Availability
What is CIA?
2
CIA (Confidentiality, Integrity and Availability)
Describes security using relevant and meaningful words that make security more understandable to management and users, and defines its purpose
3
Confidentiality
Permitting authorized access to information while protecting it from improper disclosure
4
Personally Identifiable Information
What is PII?
5
Personally Identifiable Information (PII)
Data about an individual that could be used to identify them (name, physical appearance, SSN, parent's name, etc.)
6
Protected Health Information
What is PHI?
7
Protected Health Information (PHI)
Data regarding one's health status (health care)
8
Classified or sensitive information
Trade secrets, research, business plans and intellectual property
9
Sensitivity
Measure of the importance assigned to information by its owner, denoting its need for protection
10
Property of information that is recorded, used and maintained in a way that ensures its completeness, accuracy, internal consistency and usefulness
What is Integrity?
11
Integrity
Critical component in ensuring that systems, processes, organizations and individuals are trustworthy, reliable and accountable for their actions
12
Data integrity
Assurance that data has not been altered by an unauthorized user. Covers data in storage, during processing and while in transit.
13
System integrity
State of a system in which it maintains a known-good configuration and expected operational function as it processes information
14
System State Awareness
Understanding of the current state of a system or its data at a specific point in time. It involves documenting and analyzing the current state of a system or its components in order to ensure system integrity, and it is essential for effective system management and security because it enables timely detection of changes or deviations from the expected state.
15
State
Condition an entity is in at a point in time
16
Baseline
Documented, known-good state of a system or its information, used as the reference point against which the current state is compared
17
Accessibility of systems and data on demand
What is Availability?
18
Availability
Ability of authorized users to access data and information services in a timely and reliable manner, as needed and in the required format
19
Criticality
Measure of the degree to which an organization depends on the information
20
High availability levels
Critical systems must have ______ to ensure that authorized users can access the information they need to perform their roles effectively
21
Authentication
Process of verifying or proving a user's identity, using either single-factor authentication (SFA) or multi-factor authentication (MFA)
22
Knowledge, Token, Characteristics
Common authentication factors (something you know, something you have, something you are)
23
Passwords, passphrases, PINs
Examples of Knowledge authentication (a user ID names the user but is not secret, so on its own it is identification, not authentication)
24
Hardware tokens, memory cards, smart cards
Examples of Token authentication
25
Use of physical objects to validate users
What is Token authentication?
26
Biometrics: measurable physical or behavioral characteristics (fingerprint, face, iris)
Examples of Characteristics authentication
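Cards 21 through 26 list the factors and describe multi-factor authentication as combining more than one of them. As an added example, not part of the flashcard set or the ISC2 material, the script below checks a knowledge factor (a salted PBKDF2 password hash) together with a possession factor (a time-based one-time code as produced by an authenticator app or hardware token, computed per RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits). The user record, the shared TOTP secret and the timestamps are constructed for the demonstration; the secret is the RFC 6238 reference secret so the codes can be checked against its published test vectors. Function names are this example's own, not any library's API.

```python
"""Added example (not from the flashcard set): two-factor check.

Knowledge factor: password verified against a salted PBKDF2-HMAC-SHA256 hash.
Possession factor: TOTP (RFC 6238, HMAC-SHA1, 30 s step, 6 digits).
User record, secret and timestamps are constructed for the demo.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000
SALT_LEN = 16


# --- something you know: never store the plaintext password ---
def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2 digest, suitable for storing in a user record."""
    salt = salt or os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, dk)  # constant-time comparison


# --- something you have: the token and the server share a secret ---
def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for Unix time `at` (HMAC-SHA1 over the step counter)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` neighbours to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


def authenticate(user: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated, and a failure in either
    is reported identically, so a caller cannot learn which factor was wrong."""
    now = int(time.time()) if now is None else now
    ok_know = verify_password(password, user["pw"])
    ok_have = verify_totp(user["totp_secret"], code, now)
    return ok_know and ok_have


if __name__ == "__main__":
    # Constructed user record; the secret is the RFC 6238 test secret
    # ("12345678901234567890" in base32).
    user = {"pw": hash_password("correct horse battery"),
            "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
    print(authenticate(user, "correct horse battery", totp(user["totp_secret"], 59), now=59))
```

The server holds the same TOTP secret as the token, so this proves possession of the secret rather than of a specific device; a stolen secret export defeats it, which is why the secret should be generated per enrolment and stored like any other credential. A replay window wider than one step also widens the attacker's guessing window.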
27
Non-repudiation
Legal term: protection against an individual falsely denying having performed a particular action
28
Privacy
Right of an individual to control the distribution of information about themselves
29
Risk Management
Process of identifying, evaluating and controlling threats; includes all phases of risk context/framing, risk assessment, risk treatment and risk monitoring
30
Risk
Measure of the extent to which an entity is threatened by a potential event
31
Consequences (impact) and likelihood of occurrence
Risk is often expressed as a combination of ______
32
Information security risk
The potential adverse impacts that result from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information
33
Vulnerability
Gap or weakness in an organization's protection of assets
34
Threat
Something or someone that aims to exploit a vulnerability to gain unauthorized access
35
Threat actor
An individual or group that attempts to exploit a vulnerability
36
Insiders, outside individuals, formal entities (political and non-political), technology (bots and AI)
Examples of Threat actors
37
Threat vector
Means by which a threat actor carries out their objective
38
Asset
Something in need of protection
39
Likelihood
Probability that a potential vulnerability may be exercised within the construct of the associated threat environment
40
Likelihood of occurrence
Measure of how likely it is for a particular threat to take advantage of a vulnerability
41
Impact
Magnitude of harm that can be **expected to result** from the **consequences** of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability
42
Risk assessment
Process of identifying, estimating and prioritizing risks to an organization's operations (including its mission, functions, image and reputation), assets, individuals, other organizations and even the nation
43
Risk; Clearly
Risk identification takeaways (Identify ___ to communicate it ________)
44
All levels
Risk identification takeaways (Employees at _____ of the organization are responsible for identifying risk)
45
protect
Risk identification takeaways (Identify risk to ___ against it)
46
Risk Treatment
Making decisions about the best actions to take regarding the identified and prioritized risks
47
Avoidance
Decision to attempt to **eliminate** the risk entirely
48
Acceptance
Taking **no action** to reduce the likelihood of a risk occurring; the risk is accepted as it is
49
Mitigation
Most common type; taking action to prevent or **reduce** the possibility of a risk event or its impact
50
Transfer
Practice of **passing** the risk to another party, e.g. buying an insurance policy
51
Qualitative and Quantitative
Two approaches to prioritizing risk
52
Qualitative risk priority
Method for risk analysis based on descriptors such as low, medium or high for impact and likelihood
53
Quantitative risk priority
Numerical values are assigned to both impact and probability
54
Risk tolerance
Level of risk an entity is willing to assume in order to achieve potential results
55
Senior management
Their perception of risk is usually the starting point for getting management to take action
56
Executive management or Board of Directors
Determines the acceptable level of risk
57
Security professionals
Maintain the level of risk within management's limit of risk tolerance
58
Security controls
Physical, technical and administrative mechanisms that act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information
59
Physical, Technical and Administrative
What are the three types of security controls?
60
reduce risk
Implementation of controls should ____ to an acceptable level
61
Physical control
Implemented through a **tangible** mechanism
62
Technical/logical control
Security controls for an information system that are implemented primarily by **computer systems and networks** (hardware and software)
63
Administrative/Managerial control
Implemented through **policy** and **procedures**
64
entire scope
Administrative/Managerial controls cover the ____ of the organization and its activities with external parties and stakeholders
65
information security
Administrative/Managerial controls are a vital tool for achieving _____
66
leaders and management
Implement the systems and structures the organization uses to achieve its goals; they are guided by laws and regulations created by governments to enact public policy
67
guide the development of standards, which cultivate policies, which result in procedures
What do laws and regulations do?
68
Health Insurance Portability and Accountability Act (HIPAA)
Governs the use of protected health information (PHI) in the United States
69
General Data Protection Regulation (GDPR)
EU comprehensive legislation that addresses personal privacy, deeming it an individual human right
70
Multinational organizations
Are subject to regulations in more than one nation, in addition to multiple regions and municipalities
71
national, regional, local
Organizations need to consider the regulations that apply to their business at all levels (______) and ensure they are compliant with the most restrictive regulation
72
HIPAA, GDPR, Multinational organizations
Examples of Laws and Regulations (and of organizations subject to them)
73
detailed steps to complete a task that support departmental or organizational policies
What are procedures?
74
measurement criteria and methods
Procedures establish the _______ to use to determine whether a task has been successfully completed
75
maximum organizational benefits
Properly documenting procedures and training personnel on how to locate and follow them is necessary for deriving the ________ from procedures
76
put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations
What are policies?
77
Governance policies
Used to moderate and control decision-making, to ensure compliance when necessary, and to guide the creation and implementation of other policies
78
Senior executives
High-level governance policies are used by ____ to shape and control decision-making processes
79
used by governance teams to provide a framework to introduce policies and procedures in support of regulations
What are standards?
80
International Organization for Standardization (ISO)
Develops and publishes international standards on a variety of technical subjects, including information systems and information security, as well as encryption standards
81
National Institute of Standards and Technology (NIST)
United States government agency under the Department of Commerce that publishes a variety of technical standards, including information technology and information security standards
82
NIST
Its standards are recommended and adopted by industries worldwide
83
Internet Engineering Task Force (IETF)
Standards for communication protocols that ensure all computers can connect with each other across borders, even when the operators do not speak the same language
84
Institute of Electrical and Electronics Engineers (IEEE)
Standards for telecommunications, computer engineering and similar disciplines
85
Regulations
Commonly issued in the form of laws, usually from government (not to be confused with governance), and typically carry financial penalties for noncompliance
86
Policies
____ are the highest-level governance documents in an organization, usually approved and issued by management, usually to support a compliance initiative
87
Procedure
A security practitioner who needs step-by-step instructions to complete a provisioning task might use a ___ to ensure they are performing the task in a consistent manner
88
Standards
Frameworks, or __________, are often offered by third-party organizations and cover specific advisory or compliance objectives
89
Laws or Regulations
Usually mandated by a government agency, __ are a set of rules that everyone must comply with and usually carry monetary penalties for noncompliance
90
Law
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal _____ in the United States that requires certain actions be taken to protect health information
91
Standards
Many organizations use published frameworks, or _______,
92
Policies
to guide the organizational ____ that support the compliance effort
93
Procedures
Many departments or workgroups within the organization implement _________ that detail how they complete day-to-day tasks while remaining compliant
94
Preamble
The ____ states the purpose and intent of the ISC2 Code of Ethics
95
Safety and welfare of society and the common good
The ______________, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior
96
  • The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

  • Therefore, strict adherence to this Code is a condition of certification.

ISC2 Code of Ethics Preamble
97
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.

  • Act honorably, honestly, justly, responsibly and legally.

  • Provide diligent and competent service to principals.

  • Advance and protect the profession.

ISC2 Code of Ethics Canons
98
Canons
The ________ represent the important beliefs held in common by the members of ISC2
99
Society
Protect ______, the common good, necessary public trust and confidence, and the infrastructure
100
Honorably
Act ___, honestly, justly, responsibly and legally