Confidentiality
information must not be exposed or accessed by any unauthorized individual
Integrity
Information must be consistent and correct unless an authorized change was made
Availability
Information must be accessible when and where it is needed
Personally Identifiable Information (PII)
Data that can single out or trace a specific person.
Examples: your full name, home address, phone number, Social Security number, or even email.
Protected Health Information (PHI)
Information regarding one’s health status, the provision of healthcare, or payment for healthcare, as defined in HIPAA (Health Insurance Portability and Accountability Act).
Health Insurance Portability and Accountability Act (HIPAA)
is a law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge
Classified or Sensitive Information
Data that’s important to an organization, company, or government, usually not about one person but about operations, strategies, or assets.
Examples: a company’s trade secrets, research results, product blueprints, or business plan.
Data Integrity
Making sure information hasn’t been changed or tampered with without permission.
Example: If you send an email attachment, data integrity ensures the file arrives exactly as you sent it, not corrupted or altered by someone else.
System Integrity
Keeping a computer or system in its trusted setup so it works the way it should.
Example: Your computer operating system updates are verified, so hackers can’t slip in fake updates that break your device.
State
The current condition of the system at a specific moment.
Example: Taking a screenshot of your computer settings today shows its “state” — you can compare it later if something goes wrong.
Baseline
Like the official “starting point” or current condition of the information. It shows how the data looks right now.
To keep that baseline, the information must stay protected whenever it’s being used, and any changes need to go through proper approval and tracking.
Availability
- timely and reliable access to information and the ability to use it, and;
- for authorized users, timely and reliable access to data and information services.
Availability
It doesn’t mean the system is up 100% of the time, but it should be reliable enough to meet the business’s needs for timely access.
Availability
Often associated with the term criticality, because it represents the importance an organization gives to data or an information system in performing its operations or achieving its mission.
Authentication
The process of verifying or proving the user’s identification.
Authorization
Determines which resources users can access, along with the operations that users can perform.
Accountability
This is a legal term and is defined as the protection against an individual falsely denying having performed a particular action.
Privacy
State or condition of being free from being observed or disturbed by other people.
Data privacy act of 2012
It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
Asset
is something in need of protection
Vulnerability
is a gap or weakness in those protection efforts
Threat
something or someone that aims to exploit a vulnerability to thwart protection efforts
Risk Assessment
Defined as the process of identifying, estimating and prioritizing risks to an organization’s operations (including its mission, functions, image and reputation), assets, individuals, other organizations.
Risk Treatment
Is making decisions about the best actions to take regarding the identified and prioritized risk. The decisions made are dependent on the attitude of management toward risk and the availability — and cost — of risk mitigation. The options commonly used to respond to risk are:
Risk Avoidance
is the decision to attempt to eliminate the risk entirely.
Risk Acceptance
is taking no action to reduce the likelihood of a risk occurring
Risk Mitigation
is taking actions to prevent or reduce the occurrence of a risk event or its impact
Risk Transference
is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment.
Due Diligence
Doing research before implementation
Due Care
The implementation
Qualitative risk analysis
How likely it is to happen and how bad it is if it happens. This is necessary to determine root cause and narrow down apparent risks and core risks.
Probability
The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities.
Likelihood of occurrence
Is a weighted factor based on a subjective analysis of the probability that a given threat or set of threats is capable of exploiting a given vulnerability or set of vulnerabilities.
Impact
Is the magnitude of harm that can be expected to result from the consequences of unauthorized Disclosure, Alteration or Destruction (DAD).
Disclosure, Alteration, Destruction
DAD
DAD triad
inverse of CIA Triad.
Quantitative Analysis
Annual Loss Expectancy; putting number on the asset and the risk to have an estimated monetary cost
Asset Value
AV
Exposure Factor
EF
Single Loss Expectancy
SLE
Annual Rate of Occurrence
ARO
Annualized Loss Expectancy
ALE
Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information.
Artificial Intelligence
The ability of computers and robots to simulate human intelligence and behavior.
Biometric
Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.
Bot
Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities.
Criticality
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.
General Data Protection Regulation (GDPR)
In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
General Data Protection Regulation
GDPR
Health Insurance Portability and Accountability Act
HIPAA
Health Insurance Portability and Accountability Act (HIPAA)
This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individuals’ health information.
Risk acceptance
If the consequences of a risk are minor and the likelihood is unlikely, which type of risk response would be appropriate?
A complete asset inventory
What is required for us to do a proper risk assessment?
Confidentiality
After an attack we have suffered a loss of public confidence; which leg of CIA was compromised?
Multifactor authentication
most secure form of authentication
Security controls
Pertain to different mechanisms that act as safeguards or countermeasures prescribed for an information system to protect the C-I-A of the system and its information.
Physical Controls, Administrative Controls, Technical Controls
Security Controls
Physical Controls
Typically provide ways of controlling, directing or preventing the movement of people and equipment throughout a specific physical location, such as an office suite, factory or other facility.
Administrative Controls
Also known as managerial controls; these are directives, guidelines or advisories aimed at the people within the organization. They provide frameworks, constraints and standards for human behavior, and should cover the entire scope of the organization’s activities and its interactions with external parties and stakeholders.
Technical Controls
Also called logical controls; these are security controls that computer systems and networks directly implement. They provide automated protection from unauthorized access or misuse, facilitate detection of security violations and support security requirements for applications and data.
Preventive, Detective, Corrective, Deterrent, Recovery, Compensating
Control Functionality
Preventive
Avoidance of an incident; policies, passwords, fences, guard dogs
Detective
Identification of data and information involved in an incident; Audits, penetration test, log monitoring
Corrective
Fixes damage brought about by an incident; Malware eradication, system updates, disaster recovery plan
Deterrent
Discourages threat actors from committing an incident; security guards, warning signs
Recovery
Control that immediately reverts the environment back to its normal state; backups, insurance, fault-tolerant systems
Compensating
Control that provides an alternative measure to an existing control; security guards, multi-hierarchy approvals, MFA
Regulations, Policies, Standards, Procedure, Guidelines
Governance Elements
Regulations
Mandatory; government-level, non-specific
Policies
Mandatory; organization level, non-specific
Standards
Mandatory; describe a specific use of technology
Procedure
Mandatory; low-level, step-by-step guide
Guidelines
Non-mandatory; recommendation, discretionary
ISO
is an independent, non-governmental international organization. It brings global experts together to agree on the best ways of doing things
The National Institute of Standards and Technology
NIST
The National Institute of Standards and Technology (NIST)
Founded in 1901 and now part of the U.S. Department of Commerce. Develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public.
Password
something you know
ID badge or cryptographic key
something you have
Fingerprint or other biometric data
something you are
Governance
C-Level executives:
• Chief Executive Officer
• Chief Operating Officer
• Chief Information Security Officer
• Chief Information Officer
Decides the risk appetite (aggressive, neutral or averse).
Legally liable if there are regulatory violations affecting information security.
Management
Plans, builds, runs and monitors to achieve cybersecurity objectives.
• Hired information security professionals
Ensures that risks are kept within tolerance.
Provides expert feedback in terms of cybersecurity.
Internet Engineering Task Force
IETF
Internet Engineering Task Force (IETF)
The internet standards organization, made up of network designers, operators, vendors and researchers, that defines protocol standards (e.g., IP, TCP, DNS) through a process of collaboration and consensus.