Asset Security Flashcards
Risk
The potential for a threat to exploit a vulnerability and harm the confidentiality, integrity, or availability of an asset
Security risk planning is based on analysis of…
Assets
Threats
Vulnerabilities
Asset
Something of perceived value to the org
Threat
Any circumstance or event that can negatively impact assets
Vulnerability
A weakness in a system, process, or person that a threat can exploit
The risk equation
Likelihood * Impact.
In other words, how likely is the threat to materialize, and how severe would the damage be if it does?
Intentional Threat
Something/someone that intentionally plans to exploit vulnerabilities
Unintentional threat
Something or someone that exploits a vulnerability without meaning to (e.g., human error, equipment failure, natural disaster)
Technical vulnerability
Software or hardware problem
Human vulnerability
Human error or behavior that a threat can exploit (e.g., falling for phishing, reusing weak passwords)
Asset Management
The process of tracking assets and the risks that affect them
Asset Inventory
A catalog of assets that need to be protected
Asset classification
The practice of labeling assets based on sensitivity and importance to an organization
Public assets
Those that can be shared with anyone
Internal-only
Only to be shared internally
Confidential
Only for people in a certain part of the org
Restricted
Only for very specific people (need to know)
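The cards above (asset inventory, classification levels, and the risk equation Likelihood * Impact) fit together as a risk register. The following added example, which is not part of the original flashcard set, builds one in Python: each asset carries a classification, each threat is paired with the vulnerability it exploits and a likelihood, and the register is sorted by score. The 1-4 likelihood scale, the mapping of classification to impact, and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Sensitivity labels from the flashcards. The integer value doubles as a
    1-4 impact weight (an assumption for this example, not a standard mapping)."""
    PUBLIC = 1          # can be shared with anyone
    INTERNAL_ONLY = 2   # only shared inside the org
    CONFIDENTIAL = 3    # only for one part of the org
    RESTRICTED = 4      # need-to-know only


@dataclass
class Threat:
    """A threat, the vulnerability it would exploit, and a 1-4 likelihood (assumed scale)."""
    name: str
    vulnerability: str
    likelihood: int
    intentional: bool = True  # intentional vs. unintentional threat

    def __post_init__(self):
        # Reject out-of-range likelihoods so the register cannot be skewed by bad input.
        if not 1 <= self.likelihood <= 4:
            raise ValueError(f"likelihood must be 1-4, got {self.likelihood}")


@dataclass
class Asset:
    """One inventory entry: something of value plus the threats recorded against it."""
    name: str
    classification: Classification
    threats: list = field(default_factory=list)


def risk_score(likelihood: int, impact: int) -> int:
    """The risk equation from the flashcards: Likelihood * Impact."""
    return likelihood * impact


def risk_register(inventory):
    """One row per (asset, threat) pair, highest risk first; ties broken by asset name.
    Impact is derived from the asset's classification (hypothetical mapping)."""
    rows = []
    for asset in inventory:
        impact = int(asset.classification)
        for t in asset.threats:
            rows.append({
                "asset": asset.name,
                "classification": asset.classification.name,
                "threat": t.name,
                "vulnerability": t.vulnerability,
                "intentional": t.intentional,
                "likelihood": t.likelihood,
                "impact": impact,
                "score": risk_score(t.likelihood, impact),
            })
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))


def unprotected_assets(inventory):
    """Assets with no threats recorded: an inventory gap, not evidence of 'no risk'."""
    return [a.name for a in inventory if not a.threats]


# Constructed sample inventory (illustrative, not real data).
SAMPLE_INVENTORY = [
    Asset("customer-db", Classification.RESTRICTED, [
        Threat("SQL injection by external attacker", "unparameterized queries in web app", 3),
        Threat("admin drops table by mistake", "no backups, no change control", 2, intentional=False),
    ]),
    Asset("hr-payroll-share", Classification.CONFIDENTIAL, [
        Threat("phishing for staff credentials", "no MFA on file share", 4),
    ]),
    Asset("marketing-site", Classification.PUBLIC, [
        Threat("website defacement", "outdated CMS plugin", 4),
    ]),
    Asset("internal-wiki", Classification.INTERNAL_ONLY),  # no threats recorded yet
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_INVENTORY):
        print(f'{row["score"]:>2}  {row["asset"]:<18} {row["threat"]}')
    print("no threats recorded:", unprotected_assets(SAMPLE_INVENTORY))
```

Note how the public website scores low despite a very likely threat, because impact is bounded by classification, while the unintentional threat to the restricted database still outranks it. The `unprotected_assets` check exists because a missing row in the register is the most common way an asset inventory silently goes wrong.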
Data
Information that is translated, processed, and stored on a computer
In use data
Data currently being accessed or processed by one or more users or processes
In transit data
Data moving from one location to another, e.g., an email being delivered or a file being downloaded
Data at rest
Data that is stored (on disk, in a database, in backups) and not currently being accessed
Information security
Keeping data in all three states (in use, in transit, at rest) away from unauthorized actors; the risks it guards against are:
Damage risk
Disclosure risk
Loss of information risk
Security Policy
Set of rules that reduce risk and protect information
Standards
References for how to set policy
Procedures
Step by step process for how to do certain security tasks
Compliance
The process of adhering to internal standards and external regulations
Regulations
Rules set by a government or other authority to control the way something is done
NIST (CSF) Framework
A voluntary framework that consists of standards, guidelines, and best practices to manage security risks
NIST Core
Core functions of the NIST framework
Identify
Protect
Detect
Respond
Recover
Tiers
Tiers 1 through 4 (Partial, Risk Informed, Repeatable, Adaptive) describing how well the core functions are being performed
Profiles
A snapshot of how the core functions are implemented, and at which tier, at a given time; often compared as a current profile versus a target profile
Security controls
Safeguards designed to reduce specific risks
Technical controls
Encryption, authentication, and more
Operational controls
Awareness training and incident response