Security framework
Guidelines used for building plans to help mitigate risk and threat to data and privacy
Security controls
Safeguards designed to reduce specific security risks
Encryption
The process of converting data from a readable format to an encoded format. It is used to ensure confidentiality of sensitive data, such as customers’ account information or social security numbers.
Plaintext
Readable text
Ciphertext
The raw, encoded message that’s unreadable to humans and computers. This data cannot be read until it’s been decrypted into its original plaintext form.
Examples of controls
Encryption, authentication, authorization
Authentication
The process of verifying who someone or something is
Multi-factor authentication
Aka MFA
MFA
An advanced method of authentication that challenges the user to demonstrate that they are who they claim to be by requiring both a password and an additional form of authentication, like a security code or biometrics, such as a fingerprint, voice, or face scan
Biometrics
Unique physical characteristics that can be used to verify a person’s identity.
Examples of biometrics
Fingerprint, eye scan, palm scan.
Vishing
The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.
Authorization
The concept of granting access to specific resources within a system
National Institute of Standards and Technology
Aka NIST
Risk Management Framework
Aka RMF
Cybersecurity Framework
Aka CSF
confidentiality, integrity, and availability triad
Aka CIA Triad
Health Insurance Portability and Accountability Act
Aka HIPAA
HIPAA
Requires that medical professionals keep patient information safe.
Cyber Threat Framework
Aka CTF
CTF
According to the Office of the Director of National Intelligence, this framework was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors’ many tactics and techniques.
International Organization for Standardization/International Electrotechnical Commission 27001
Aka ISO/IEC 27001
ISO/IEC 27001
An internationally recognized and used framework. The family of standards enables organizations of all sectors and sizes to manage the security of assets, such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, best practices, and controls that support an organization’s ability to manage risks. Although the framework does not require the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture.
Examples of physical controls
Gates, fences, locks, security guards, closed-circuit television (CCTV), surveillance cameras, motion detectors, access cards or badges to enter office spaces.
Examples of technical controls
Firewalls, MFA, antivirus software
Examples of administrative controls
Separation of duties, authorization, asset classification