CHICKEN WINGS

172 Terms

Access Control
A security technique that regulates who or what can view or use resources in a computing environment.

Role-Based Access Control
Users are assigned roles that determine what they can access.

Mandatory Access Control
Users specify rules that determine who can access what; often used in file systems, where the file creator can assign access to others.

Discretionary Access Control
The system decides who can access what based on factors such as the user's identity and group membership. Requires an administrator to configure access levels manually.

Rule-Based Access Control
A type of access control mechanism where permissions are granted or denied based on predefined rules set by an administrator. These rules are usually based on time, location or device type.

Physical access control
Limits access to campuses, buildings, rooms and physical IT assets.

Logical access control
Limits connections to computer networks, systems, files and data.

Authority Policy
A set of rules that guide how an organization manages who can access its systems and data.

Biometric Identification
Using unique physical traits such as fingerprints, facial features or eye patterns.

Knowledge-based Identification
Relying on information that a person knows, such as a username and password.

Possession-based Identification
Using something a person has, such as a smart card or a mobile device.

Single-Factor Authentication (SFA)
Involves one form of identification; the most common example is a password. The weakest method, because passwords can be guessed, stolen or cracked.

Two-Factor Authentication (2FA)
Adds a second layer of security: after the user enters a password, they must provide a second form of verification, such as an OTP sent via SMS or email or a code generated by a mobile app like Google Authenticator.

Multi-Factor Authentication (MFA)
Involves using more than two authentication factors, such as a password, biometric data and a smart card or token. The most secure way to verify an individual's identity.

Token-based authentication
Uses encrypted tokens instead of passwords for authentication.

Inherence-based authentication
Relies on something the user is, such as fingerprint scanning, facial recognition, iris or retina scanning and voice recognition.

Adaptive or Risk-based authentication
Uses AI and ML to analyze user behavior and risk factors (detecting unusual behavior), requesting additional authentication if the behavior is suspicious.

Single Sign-On (SSO)
An authentication scheme that allows users to securely access multiple applications and services using a single ID.

Security Assertion Markup Language (SAML)
An XML-based standard for exchanging identity information.

Log File
Essential for tracking user access and authentication events. These logs should be retained for a specific period to comply with security policies.

Data Retention Policy
Establishes guidelines for how long logs are kept, ensuring they are securely stored and disposed of after the retention period.

Secure Disposal
All media containing sensitive authentication data must be disposed of securely to prevent unauthorized access.

Methods
Use techniques such as shredding physical media or securely wiping digital storage.

Non-Decentralized access control
Refers to a centralized system where a single authority or entity manages and enforces access policies for resources, data or systems.

Constrained User Interface (CUI)
A design approach that limits or restricts user interactions based on their access permissions or roles.

Security administration
Refers to the processes, policies, and practices used to protect an organization's information systems, networks, and data from threats, breaches, and unauthorized access.

Three types of AAA services
Authorization, accounting, authentication.

Proper documentation
Is essential for maintaining security standards and ensuring consistency in security policies and procedures.

Security policy
The overall security objectives and responsibilities of an organization.

What is security outsourcing?
Many organizations outsource security services to specialized third-party providers to improve protection while reducing cost.

Security operations and administration
Involve the continuous protection of an organization's assets. This includes actively monitoring systems for threats, responding to security incidents, setting and enforcing security policies, and, importantly, adhering to regulatory requirements.

Compliance
A critical aspect of security. It helps us mitigate legal and financial risks, maintain the trust of our customers and partners, and build a strong reputation.

Security event logs
Provide a detailed record of system and application activity. They are crucial for detecting suspicious behavior, investigating security incidents, and demonstrating compliance during audits. Proper management and storage of these logs are essential.

Compliance liaison
Acts as a bridge between technical teams and regulatory requirements.

Remediation
When vulnerabilities or compliance gaps are identified, remediation involves documenting the issues, developing and implementing corrective actions, tracking progress and verifying the effectiveness of the solutions.

Professional ethics
Refers to the moral principles, values, and standards that guide behavior within a specific profession. These ethical guidelines ensure individuals act with integrity, accountability, and fairness while performing their duties.

Acceptable Use Policy (AUP)
Purpose: defines what employees can and cannot do with company IT resources.

Access Control Policy
Ensures only authorized users can access sensitive systems.

Password Management Policy
Maintaining secure passwords.

Incident Response Policy
Outlines how an organization should respond to security incidents.

Data Protection & Privacy Policy
Ensures proper handling of sensitive customer and business data.

International & Industry Standards
Guidelines developed by global organizations.

Company-Specific Standards
Internal security frameworks tailored to an organization's needs.

Technical and Operational Standards
Specific configurations and security controls for IT systems.

ISO/IEC 27001 (International Standard for Information Security Management)
Defines requirements for an information security management system (ISMS).

Security baseline
The minimum set of security controls and configurations that must be implemented to protect an organization's IT systems.

Guideline
A recommended practice that provides flexibility in achieving security objectives.

Procedure
A detailed, step-by-step set of instructions that explains how to implement a specific security policy or process.

Data classification
The process of organizing data into categories that make it easier to retrieve, manage, and protect. It ensures that sensitive information is handled appropriately, reducing the risk of unauthorized access, data breaches, and compliance violations.

Public
Information that can be freely shared without any restrictions.

Internal
Data meant for internal use within an organization but not for public disclosure.

Confidential
Sensitive business data requiring elevated access, although a breach of its confidentiality would not result in legal consequences.

Restricted
Highly sensitive data that, if exposed, could cause severe harm.

Data Identification and Inventory
Organizations must first locate all data assets, whether stored in databases, cloud services, physical files, or local systems.

Data Categorization
Once identified, data is categorized based on sensitivity, compliance requirements, and business impact.

Access Control and Protection
Proper security measures are implemented to restrict access based on the classification level.

Ongoing Monitoring and Compliance
Data classification is a continuous process that requires regular audits, automated scanning, and compliance checks.

Assurance
Involves maintaining trust in the accuracy, security, and availability of classified information.

Hardware inventory
A detailed list of all physical components in an organization's IT infrastructure, including computers, servers, networking devices, peripherals, and other assets.

Configuration chart
Provides a visual representation of how each hardware component is connected and interacts with other systems.

Change management process
A structured approach to transitioning individuals,

Change control management
Refers to all the activities undertaken to set up a change control framework in a project, such as appointing a change control board, managing documentation and establishing a process for the evaluation of changes.

Change Management Committee (CMC)
Serves as the mechanism and forum to review, approve, implement, and communicate changes and information that impact research administration processes.

Change control procedures
Assess the change and provide details of its aspects to be sure they align with the needs of the business.

Change control issues
Can include poor communication, lack of leadership, and resistance to change.

Testing and development systems
A set of processes and tools used within software development to thoroughly test and verify the functionality of a software application at various stages of development, ensuring it meets the required specifications and quality standards before deployment.

System Life Cycle (SLC)
Covers the entire life of a system, including hardware, software, and people, ensuring it works well over time.

Software Development Life Cycle (SDLC)
A process for planning, implementing and maintaining software systems.

Testing levels
Ensure software quality by verifying functionality at different stages.

Software development methodology
A set of practices and principles that guide the process of building software.

Waterfall Model
The first process model to be introduced. It is also referred to as the linear-sequential life cycle model.

Agile Software Development
A software development methodology that values flexibility, collaboration, and customer satisfaction.

DevOps
A methodology aimed at establishing closer collaboration between programmers and system administrators in the software development process.

Spiral model
A systems development life cycle (SDLC) method used for risk management that combines the iterative development process model with elements of the Waterfall model.

Prototyping model
A software development methodology where a prototype (an early version of the software with limited functionality) is built, tested, and refined based on user feedback before the final product is developed.

Dynamic methodology
In software development, an approach that emphasizes adaptability, flexibility, and continuous improvement.