CH 8.4 Information Security Flashcards
What is confidentiality to information security?
Confidentiality means prevention of unauthorized disclosure of information.
What is integrity to information security?
Integrity ensures information is protected from unauthorized or unintentional alteration, modification or deletion.
What is availability to information security?
Availability means information is readily accessible to authorized users when they need it.
What is CIA to information security?
Confidentiality, Integrity, Availability
How is risk defined by information security?
The combination of the probability of an event and its consequence (ISO/IEC 73)
Controls
The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature.
Preventive controls
Prevent an incident from occurring (e.g., by blocking unauthorized users before they gain access). Examples: firewalls, passwords, training.
Detective controls
Detect and report errors, omissions and unauthorized use or entry when they occur (e.g., by sounding an alarm and alerting the appropriate person). Examples: audits, anti-virus software.
Corrective controls
Limit the extent of any damage caused by an incident and correct errors, omissions, unauthorized use and intrusions once they have been detected (e.g., by returning the organization to normal working status as efficiently as possible). Examples: business continuity plans.
Best known and most prominent information security standards.
International Organization for Standardization (ISO) standards (e.g., the ISO/IEC 27000 series, including ISO/IEC 27001 and 27002)
Privacy and Information Security disconnects
Privacy has a wider set of obligations than information security; not all personal information is confidential (a phone number, for example, is personal information but is often not confidential); the two functions may use different classification systems.
Privacy and Information Security overlaps
Both groups have a vested interest in keeping information safe.
Information security classification categories
Most information security classification schemas use the following categories:
1) Public
2) Confidential
3) Highly confidential
4) Restricted
Access control
Access to an organization’s information systems should be tied to an employee’s role.
No employee should have greater information access than is necessary to perform their job functions (least privilege).
Segregation of duties
Divide sensitive tasks among multiple people so that no single person can exploit a process or gain access to information inappropriately.
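Added example for the "Access control" and "Segregation of duties" cards (this is illustrative code written for these notes, not code from the original flashcard set or from any standard): a small role-based authorization check that denies by default, grants each role only the permissions it needs, and enforces segregation of duties in two ways: a user may not be assigned a combination of roles whose permissions conflict, and the person who created an invoice may not be the one who approves it. Role names, permissions, users and the invoice workflow are constructed sample data.

```python
"""Role-based access control with least privilege and segregation of duties.

Constructed example: roles, permissions, users and the invoice workflow are
made up for illustration and are not part of the original flashcard set.
"""
from dataclasses import dataclass, field
from typing import Optional, Set

# Each role gets only the permissions its job function needs (least privilege).
ROLE_PERMISSIONS = {
    "clerk":    {"invoice:create", "invoice:read"},
    "approver": {"invoice:read", "invoice:approve"},
    "auditor":  {"invoice:read", "audit_log:read"},
    "admin":    {"user:manage"},
}

# Permission pairs that one person must never hold together (toxic combinations).
SOD_CONFLICTS = [
    ("invoice:create", "invoice:approve"),  # creator must not be able to approve
    ("user:manage", "audit_log:read"),      # account admin must not police itself
]


class SoDViolation(Exception):
    """Raised when an action or role assignment would break segregation of duties."""


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Invoice:
    invoice_id: str
    created_by: str
    approved_by: Optional[str] = None


def permissions_for(user: User) -> Set[str]:
    """Union of the permissions granted by the user's roles; unknown roles grant nothing."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: allowed only if some assigned role explicitly grants the permission."""
    return permission in permissions_for(user)


def assign_role(user: User, role: str) -> None:
    """Add a role, refusing if the resulting permission set contains a conflicting pair."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    candidate = permissions_for(user) | ROLE_PERMISSIONS[role]
    for a, b in SOD_CONFLICTS:
        if a in candidate and b in candidate:
            raise SoDViolation(f"{user.name}: role {role!r} would combine {a} with {b}")
    user.roles.add(role)


def create_invoice(user: User, invoice_id: str) -> Invoice:
    if not is_authorized(user, "invoice:create"):
        raise PermissionError(f"{user.name} may not create invoices")
    return Invoice(invoice_id=invoice_id, created_by=user.name)


def approve_invoice(user: User, invoice: Invoice) -> Invoice:
    """Two-person rule: the approver needs the permission and must not be the creator."""
    if not is_authorized(user, "invoice:approve"):
        raise PermissionError(f"{user.name} may not approve invoices")
    if invoice.created_by == user.name:
        raise SoDViolation(f"{user.name} created {invoice.invoice_id} and cannot approve it")
    invoice.approved_by = user.name
    return invoice


def run_demo() -> dict:
    """Walk through the workflow and report which checks allowed or refused each step."""
    alice, bob = User("alice"), User("bob")
    assign_role(alice, "clerk")
    assign_role(bob, "approver")
    invoice = create_invoice(alice, "INV-1")
    results = {
        "clerk_can_create": is_authorized(alice, "invoice:create"),
        "clerk_can_approve": is_authorized(alice, "invoice:approve"),
        "approved_by": approve_invoice(bob, invoice).approved_by,
    }
    try:                       # giving alice the approver role would let one person do both
        assign_role(alice, "approver")
        results["role_conflict_blocked"] = False
    except SoDViolation:
        results["role_conflict_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The role-to-permission table is the place where least privilege is decided: a role lists only what its job function needs, and anything not listed is denied. The SOD_CONFLICTS table catches violations that arise from accumulating roles over time (a clerk promoted to approver without the clerk role being removed), which the per-action check alone would miss.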