CEO, Murphy’s Law
Think like a ___ mindset and always considering __________
Confidentiality, Integrity, Availability
The 3 key areas of Cyber Security that need to be protected.
Confidentiality
Information must not be exposed or accessed by any unauthorized individual.
Integrity
Information must be consistent and correct unless an authorized change was made.
Availability
Information must be accessible when and where it is needed.
Personally Identifiable Information (PII)
Terms Related to Confidentiality: pertains to any data about an individual that could be used to identify them
Protected Health Information (PHI)
Terms Related to Confidentiality: is information regarding one’s health status.
Health Insurance Portability and Accountability Act
Define the acronym: HIPAA
Classified or Sensitive information
which includes trade secrets, research, business plans and intellectual property
Data integrity
is the assurance that data has not been altered in an unauthorized manner, whether the data is in storage, being processed or in transit.
System integrity
refers to the maintenance of a known good configuration and expected operational function as the system processes the information
State
is the current condition of the system. The awareness of the state is the ability to document and understand the state of data or a system at a certain point, creating a baseline
Baseline
refers to the current state of the information. Then, to preserve that state, the information must always continue to be protected through a transaction and any changes must undergo proper change management
criticality
Availability is often associated with the term _____________, because it represents the importance an organization gives to data or an information system in performing its operations or achieving its mission
Authentication, Authorization, Accountability
AAA Operations
Authentication
The process of verifying or proving the user’s identification.
Authorization
services determine which resources users can access, along with the operations that users can perform
Accountability
This is a legal term and is defined as the protection against an individual falsely denying having performed a particular action.
Privacy
A state or condition of being free from being observed or disturbed by other people.
July 25, 2011
Date?: Data Privacy Act of 2012
Data Privacy Act of 2012
It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
Authorization
The right or a permission that is granted to a system entity to access a system resource
Integrity
The property that data has not been altered in an unauthorized manner
Confidentiality
The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes
Privacy
The right of an individual to control the distribution of information about themselves.
Availability
Ensuring timely and reliable access to and use of information by authorized users.
Non-repudiation
The inability to deny taking an action, such as sending an email message.
Authentication
Access control process that compares one or more factors of identification to validate that the identity claimed by a user or entity is known to the system.
Asset
An __________ is something in need of protection
Vulnerability
A ___________ is a gap or weakness in those protection efforts.
Threat
A ___________ is something or someone that aims to exploit a vulnerability to thwart protection efforts.
Risk Assessment
defined as the process of identifying, estimating and prioritizing risks to an organization’s operations (including its mission, functions, image and reputation), assets, individuals, other organizations.
Risk Management Framework
A structured approach used to oversee and manage risk for an enterprise
Risk Treatment
is making decisions about the best actions to take regarding the identified and prioritized risk. The decisions made are dependent on the attitude of management toward risk and the availability — and cost — of risk mitigation.
Risk avoidance
is the decision to attempt to eliminate the risk entirely.
Risk mitigation
is taking actions to prevent or reduce the occurrence of a risk event or its impact.
Risk acceptance
is taking no action to reduce the likelihood of a risk occurring.
Risk transference
is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment.
Risk Rejection
is not an acceptable response
Due Diligence
Doing research before implementation
Due Care
The implementation
Mitigation
Taking action to prevent or reduce the impact of an event
Acceptance
Ignoring the risks and continuing risky activities
Avoidance
Ceasing the risky activity to remove the likelihood that an event will occur
Vulnerability
An inherent weakness or flaw
Asset
Something of value that is owned by an organization, including physical hardware and intellectual property.
Threat
A person or entity that deliberately takes action to exploit a target
Transference
Passing risk to a third party
Qualitative risk analysis and Quantitative risk analysis
When risks have been identified, we prioritize and analyze core risks through
Qualitative risk analysis
How likely is it to happen and how bad is it if it happens
Probability
The chances, or likelihood, that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities
Likelihood of occurrence
is a weighted factor based on a subjective analysis of the probability that a given threat or set of threats is capable of exploiting a given vulnerability or set of vulnerabilities.
Impact
is the magnitude of harm that can be expected to result from the consequences of unauthorized Disclosure, Alteration or Destruction (DAD)
Disclosure, Alteration, Destruction
DAD
Asset Register
Qualitative Analysis:
Annual Loss Expectancy
Quantitative Analysis:
Asset Value
AV -
Exposure Factor
EF -
Single Loss Expectancy
SLE -
Annual Rate of Occurrence
ARO -
Annualized Loss Expectancy
ALE -
Adequate Security
Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information.
Artificial Intelligence
The ability of computers and robots to simulate human intelligence and behavior.
Biometric
Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns
Bot
Malicious code that acts like a remotely controlled “robot” for an attacker, with other Trojan and worm capabilities.
Criticality
A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function.
General Data Protection Regulation
In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
Health Insurance Portability and Accountability Act
This U.S. federal law is the most important healthcare information regulation in the United States. It directs the adoption of national standards for electronic healthcare transactions while protecting the privacy of individuals’ health information.
Protected Health Information
Information regarding health status, the provision of healthcare or payment for healthcare as defined in HIPAA (Health Insurance Portability and Accountability Act).
Risk Acceptance
If the consequences of a risk are minor and the likelihood is unlikely, which type of risk response would be appropriate?
A complete asset inventory
What is required for us to do a proper risk assessment?
Confidentiality
After an attack, we have suffered a loss of public confidence. Which leg of the CIA triad was compromised?
Which of these is the most secure form of authentication
Multifactor authentication