Flashcards covering key concepts from the lecture notes on Security and Risk Management.
Security
Being free from danger, protected from loss, damage, unwanted modification, or other hazards.
Specialized Areas of Security
Multiple layers include physical, operations, communications, cyber (or computer), and network security.
Information Security (InfoSec)
Focuses on the protection of information and the technology that stores and transfers it.
The C.I.A. Triangle
Confidentiality, Integrity, and Availability. Expanded into 9 critical characteristics of information to protect.
Confidentiality
Limiting access to information only to authorized individuals; protects from information disclosure.
Integrity
Only authorized individuals can change or delete the data.
Availability
Ensuring information is accessible to authorized individuals, and only to them, when they request it.
Privacy
The right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality.
Information Aggregation
Collecting and combining personal information from several sources, potentially without the original data owner's consent or knowledge.
Identification
The access control mechanism whereby unverified entities supply a label by which they are known to the system.
Authentication
The access control mechanism that requires the validation and verification of a claimed identity.
Authorization
The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels.
Accountability
The access control mechanism that ensures all actions on a system can be associated with an authenticated identity; also known as auditability.
Threat
A potential risk to an information asset.
Attack
An ongoing act against an asset that could result in a loss.
Threat Agents
Entities that damage or steal an organization's information or physical assets by using exploits to take advantage of a vulnerability.
Patent
Exclusive right granted for an invention.
Trademark
Recognizable sign, design, or expression that identifies products or services.
Trade Secret
Information that gives a business a competitive edge.
Copyright
Legal right granted to the creator of original works.
Management
The process of achieving objectives using a given set of resources.
Governance
The set of responsibilities and practices exercised by executive management to provide strategic direction and ensure objectives are achieved.
Planning
Activities necessary to support the design, creation, and implementation of information security strategies.
Policy
A set of organizational guidelines that dictate certain behavior within the organization.
Programs
InfoSec operations that are specifically managed as separate entities, such as a security education training and awareness (SETA) program.
Protection
Executed via risk management activities, including risk assessment and risk control, as well as protection mechanisms, technologies, and tools.
People
The most critical link in the information security program.
Project Management
The application of thorough project management discipline to all elements of the information security program.