Chapter 1: Cybersecurity Governance Flashcards
Objectives of security
Provide confidentiality, integrity, availability, authenticity, and nonrepudiation
Confidentiality
keep unauthorized entities (people or processes) from gaining access to assets
Integrity
keep an asset free from unauthorized alterations
Availability
ensure reliable and timely access to assets for authorized individuals
Authenticity
ensure we can trust that something comes from its claimed source
Nonrepudiation
someone cannot disavow being the source of a given action
Vulnerability
a weakness in a system which allows a threat source to compromise security
Threat
any potential danger associated with exploiting a vulnerability
Threat source
threat agent or threat actor; any entity which can exploit a vulnerability
Risk
likelihood of a threat source exploiting a vulnerability and corresponding business impact
Control
countermeasure; put into place to mitigate (reduce) potential risk
Security governance
a framework which provides oversight, accountability, and compliance
ISMS
information security management system; a collection of policies, procedures, baselines, and standards for an org that ensures security efforts are aligned with business needs, streamlined, and effective, and that no security controls are missing
Enterprise security architecture
Implements an information security strategy; consists of layers of solutions, processes, and procedures and describes how they are linked across an enterprise strategically, tactically, and operationally
Enterprise security architecture core features
strategic alignment, business enablement, process enhancement, and security effectiveness
Security governance
framework which supports the creation and communication of security goals to consistently apply and assess them
Senior management
always carries the ultimate responsibility for the org; support needed for necessary attention, funds, resources, and enforcement capabilities
Security policy
a statement by management dictating the role security plays in the org; intended to be strategic
Standards
documents that describe specific requirements that are compulsory in nature and support the org’s security policies; describe mandatory activities, actions, or rules
Baseline
minimum level of security
Guidelines
recommendations and general approaches that provide advice and flexibility; recommended but optional practices
Procedures
detailed step-by-step tasks that should be performed to achieve a certain goal; describe the manner in which something must be done
Job rotation and mandatory vacations
administrative security controls to help detect fraud
Separation of duties
ensures no single person has total control over a critical activity or task; admin control to ensure that fraud cannot happen successfully unless collusion occurs
Split knowledge and dual control
two variations of separation of duties; admin preventative controls
Social engineering
an attack carried out to manipulate a person into providing sensitive data to an unauthorized individual
Security awareness training
comprehensive, tailored for specific groups, and organization-wide
Gamification
the application of elements of game play to other activities such as security awareness training
Security champions
members of an org who aren’t in security but inform and encourage the adoption of security practices within their own teams
Professional ethics
codify the right ways for a group of people to behave