Information Assurance
It is defined as the set of measures intended to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
Five Information Assurance Pillars
These pillars serve as the fundamental cornerstones for guaranteeing confidence and integrity in information systems.
Integrity
means protecting against improper information modification or damage, and includes ensuring information non-repudiation and authenticity.
Confidentiality
means preserving authorized restrictions on access and disclosure.
Availability
means ensuring timely and reliable access to and use of information.
Information Technology (IT) security
Sometimes referred to as “computer security”
Information Security
Sometimes shortened to “InfoSec”
Information assurance
The act of ensuring that data is not lost when critical issues arise.
Threat
It is a malicious act that aims to corrupt or steal data or disrupt an organization's systems or the entire organization.
Social Engineering
take advantage of human nature, such as the willingness to trust others, to trick individuals into divulging sensitive information.
Phishing
hackers will use deceptive emails, websites, and text messages to steal sensitive personal or organizational information from unsuspecting victims.
Spear Phishing
This email scam is used to carry out targeted attacks against individuals or businesses.
Baiting
This type of attack can be perpetrated online or in a physical environment.
Malware
A category of attacks that includes ransomware; victims are sent an urgently worded message and tricked into installing malware on their device(s).
Pretexting
This attack involves the perpetrator assuming a false identity to trick victims into giving up information.
Quid Pro Quo
This attack centers around an exchange of information or service to convince the victim to act.
Tailgating
This attack targets an individual who can give a criminal physical access to a secure building or area.
Vishing
In this scenario, cyber criminals will leave urgent voicemails to convince victims they must act quickly to protect themselves from arrest or another risk.
Water-Holing
This attack uses advanced social engineering techniques to infect a website and its visitors with malware.
Third-Party Exposure
It refers to damages alleged by clients or other third parties for which the policyholder firm may be liable.
Cybersecurity risk
The risk of exposure or loss resulting from a cyber attack, data breach, or other security incidents.
Operational risk
The risk that a third party will cause disruption to the business operations.
Legal, regulatory, and compliance risk
The risk that a third party will impact your organization's compliance with local legislation, regulation, or agreements, e.g. the EU's General Data Protection Regulation (GDPR).
Reputational risk
The risk arising from negative public opinion caused by a third party.
Financial risk
The risk that a third party will have a detrimental impact on the financial success of your organization.
Strategic risk
The risk that your organization will fail to meet its business objectives because of a third-party vendor.
Configuration Mistakes
A security misconfiguration is a flaw or weakness in a system or application that occurs due to improper setup, negligence in maintaining robust security protocols, or unintended oversight in the configuration process.
Poor Cyber Hygiene
is often compared to personal hygiene.
Cloud Vulnerabilities
are a sensitive subject because cloud services are used for development, analytics, machine learning, and other tasks.
Application-based
these threats spread through mobile applications.
Web-based
this is the most discreet type of mobile device threat as you can get infected by only browsing a website.
Network-based
these are risks associated with Wi-Fi public networks that can be used by cybercriminals to steal unencrypted data.
Physical threats
this type of threat refers to the loss or theft of the device.
Internet of Things
describes the network of physical objects— “things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.
Ransomware
is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files until a ransom is paid.
Poor Data Management
Data is the lifeblood of any business. It’s what powers your day-to-day operations and helps you make informed decisions that grow the business.
Copyright Law
involves the documents you write and how they should be protected from others.
Financial Reporting
is actually not usually seen in the IT world, nor in the IT developers/department.
Digital millennium copyright act (DMCA)
is a part of copyright law, but focuses on the digital aspect such as media, and nowadays even the lines of code you write in the systems you make, and the project documentation.
CIA Triad
Confidentiality, Integrity, Availability
Risks
refers to the potential loss, damage, or destruction of assets caused by a successful threat.
Threat
is what inflicts the potential loss, damage, or destruction of assets.
Risk Identification
is simply the process of finding out what can damage an organization.
Risk Management Framework
It is a 6-step process where each step is used to maximize the security of the organization and its assets at the least cost.
Monitor Security Controls
This step is about checking the overall controls and the risks themselves.
Categorize Information Systems
This step is about creating the priority levels (least important to most important); for each risk you identified, set its priority level based on its likelihood and severity.
Select Security Controls
This step is to choose what security controls we will use for every risk we listed.
Implement Security Controls
This step is about applying the security controls to the identified risks.
Assess Security Controls
This step is about checking if the selected control for the identified risk is best for the situation that was given.
Authorize Information Systems
This step is about involving the executives or higher-ups in approving the security controls, issuing memos and policies, and complying with laws.