Chapter 1 Flashcards
Confidentiality
Ensures that unauthorized individuals are not able to gain access to sensitive information.
Integrity
Ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally.
Availability
Ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
Disclosure
The exposure of sensitive information to unauthorized individuals, also known as data loss. This is a violation of Confidentiality.
Alteration
The unauthorized modification of information. This is a violation of Integrity.
Denial
The unintended disruption of an authorized user’s legitimate access to information. This violates the principle of Availability.
Financial Risk
The risk of monetary damage to the organization as the result of a data breach.
Reputational Risk
The risk that negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers, and other stakeholders.
Strategic Risk
The risk that an organization will become less effective in meeting its major goals and objectives as a result of the breach.
Operational Risk
The risk to the organization’s ability to carry out its day-to-day functions.
Compliance Risk
The risk that a security breach causes an organization to run afoul of legal or regulatory requirements.
Technical Controls
Enforce confidentiality, integrity, and availability in the digital space. Examples: firewall rules, access control lists, intrusion prevention systems, and encryption.
Operational Controls
The processes that we put in place to manage technology in a secure manner. Examples: access reviews, log monitoring, and vulnerability management.
Managerial Controls
Procedural mechanisms that focus on the mechanics of the risk management process. Examples: periodic risk assessments, security planning exercises.
Preventive Controls
To stop a security issue before it occurs.
Detective Controls
To identify security events that have already occurred.
Corrective Controls
Remediate security issues that have already occurred.
Physical Controls
Security controls that impact the physical world. Examples: fences, perimeter lighting, locks, alarms.
Compensating Controls
Designed to mitigate the risk associated with exceptions made to a security policy.
Data At Rest
Data that resides on hard drives, tapes, in the cloud, or on other storage media.
Data In Motion
Data that is in transit over a network.
Data In Processing
Data that is actively in use by a computer system.
DLP (Data Loss Prevention)
Systems that help organizations enforce information handling policies and procedures to prevent data loss and theft.
Pattern Matching
DLP mechanism that watches for telltale signs of sensitive information. Example: a number that is formatted like a Social Security number.
Watermarking
Systems or administrators apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags.
Data Minimization
A technique that seeks to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis.
Hashing
A function that transforms a value in a dataset to a corresponding hash value.
Tokenization
Replaces sensitive values with a unique identifier using a lookup table.
Masking
Partially redacts sensitive information by replacing some or all sensitive fields with blank characters.