confidentiality
protects information and systems from unauthorized access
integrity
protects information and systems from unauthorized modification
availability
ensures that information and systems are available for authorized users when needed
authenticity
achieved when the recipient of a message can be confident that the message actually came from the purported sender
non-repudiation
achieved when the recipient of a message can prove to an independent third party that the message actually came from the purported sender
SSCP code of ethics canon 1
protect society, the common good, necessary public trust and confidence, and the infrastructure
SSCP code of ethics canon 2
act honorably, honestly, justly, responsibly, and legally
SSCP code of ethics canon 3
serve principals diligently and competently
SSCP code of ethics canon 4
advance the information security profession
standing of complainant
who can file a complaint:
any member of the public may file a complaint under canons 1 and 2
only principals may file a complaint under canon 3
only professionals may file a complaint under canon 4
accountability
the ability to trace every action taken on a system back to an individual user without any ambiguity and without allowing the user to deny responsibility for that action
2 prerequisites to this: identification and authentication
PHI
individually identifiable health records governed under HIPAA
PII
any info that can be traced back to an individual
generally accepted privacy principles (GAPP)
outlines 10 components of data privacy
GAPP Principle 1 - Management
organizations handling private info should have policies, procedures, and governance structures in place to protect privacy
GAPP Principle 2 - Notice
data subjects should receive notice that their information is being collected and used, as well as access to the privacy policies and procedures followed by the organization
GAPP Principle 3 - Choice and Consent
the organization should inform data subjects of their options regarding the data they own and get consent from those individuals for the collection, storage, use, and sharing of that information
GAPP Principle 4 - Collection
the organization should only collect personal information for purposes disclosed in their privacy notices
GAPP Principle 5 - Use, Retention, and Disposal
organizations should only collect and use personal information for disclosed purposes, and they should dispose of data securely as soon as it is no longer needed for the disclosed purpose
GAPP Principle 6 - Access
organizations should provide data subjects with the ability to review and update their personal information
GAPP Principle 7 - Disclosure to Third Parties
organizations should only share information with third parties if that sharing is consistent with the purposes disclosed in privacy notices and they have consent from the individual to share that information
GAPP Principle 8 - Security
the organization must secure private information against unauthorized access, either physically or logically
GAPP Principle 9 - Quality
the organization should take reasonable steps to ensure that the private information they maintain is accurate, complete, and relevant
GAPP Principle 10 - Monitoring and Enforcement
the organization should have a program in place to monitor compliance with its privacy policies and provide a dispute resolution mechanism
minimization principle
collect minimal information and store only as long as it is needed
limited access principle
as few employees as possible should have access
separation of duties
no individual should possess two permissions that, in combination, allow them to perform a highly sensitive action
two person control
requires the authorization of two separate individuals to carry out a sensitive action; also known as dual control