Purpose
The primary purpose of this publication is to provide a broad overview and introduction to information security program principles.
Target Audience
It is designed to assist organizational managers and security practitioners in understanding how to establish, implement, and maintain an effective information security program.
Scope
It introduces foundational security concepts, interrelationships of security controls, and risk management strategies to help organizations understand the security needs of their respective systems.
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
The CIA Triad
The foundation of information security is built on three core objectives: Confidentiality, Integrity, and Availability.
Confidentiality
Preserving authorized restrictions on information access and disclosure (protecting privacy and proprietary data).
Integrity
Guarding against improper information modification or destruction (ensuring data authenticity and non-repudiation).
Availability
Ensuring timely and reliable access to and use of information.
System / Information System
A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Business Enabler
Security is not an end in itself; rather, it exists to support the organization's business goals and mission.
Operational Alignment
Information security measures should facilitate the organization's operations, not hinder them unnecessarily.
Risk-Based Approach
Organizations cannot realistically eliminate all risk. Therefore, they must implement protections that are proportional to the risk involved.
Cost-Benefit Analysis
The cost of implementing a security control should not exceed the value of the asset it protects or the expected loss from the breach it prevents.
Resource Allocation
By understanding risk (threats, vulnerabilities, and potential impact), organizations can allocate their limited security resources to protect their most critical assets first.
External Constraints
Security programs do not operate in a vacuum. They must comply with laws, regulations, privacy rights, and societal norms.
Organizational Culture
The internal culture of an organization heavily dictates how security is perceived and practiced.
Balancing Act
Security professionals must balance the need for rigorous technical controls with ethical considerations and standard expectations of privacy.
Threats
Any circumstance or event with the potential to adversely impact an organization's operations, assets, or individuals.
Vulnerabilities
Weaknesses in an information system, internal controls, security procedures, or implementation that a threat could potentially exploit.
Risk
The potential for loss or harm that arises when a threat exploits a vulnerability, typically expressed as a function of the likelihood of that exploitation and the resulting impact.
Adversarial Threat Sources
Individuals, groups, or entities with malicious intent who deliberately target organizational systems.
Nature of Attacks
They actively seek to exploit vulnerabilities for a variety of reasons, using methods that range from simple social engineering to highly sophisticated cyberattacks.
Malicious Hacker
An individual who attempts to gain unauthorized access to an IT system with malicious intent.
Motivations of Hackers
Hackers may be driven by various factors, including financial gain, ego or status, ideology, or simple malice.
Activities of Hackers
They actively scan for and exploit system vulnerabilities, often using advanced tools, scripts, or social engineering techniques.