CIA Triad Concept Flashcards
Prevents the disclosure of data to unauthorized people so that only authorized people have access to data.
Confidentiality
encryption uses one key, known as the secret key.
Symmetric
encryption uses two keys, known as the private key and the public key.
Asymmetric
This means that you know that data has not been altered or tampered with. We use a technique called hashing that takes the data and converts it into a numerical value called a hash or message digest.
Integrity
which allows one or two disks to fail while still keeping the data available.
RAID (Redundant Array of Independent Disks)
Two servers can access the same data, and if one fails, the other can still provide the data.
Failover Cluster
regulates the temperature for critical servers. In a datacentre, if the temperature is too hot, the servers will shut down.
HVAC
where you give someone only the most limited access required so that they can perform their job role; this is known as a need-to-know basis.
Least Privilege
is the concept of protecting a company’s data with a series of protective layers so that if one layer fails, another layer will already be in place to thwart an attack.
Defense in Depth
written by managers to create organizational policies and procedures to reduce risk within companies. They incorporate regulatory frameworks so that the companies are legally compliant.
Managerial Controls
A company will have a risk register where the financial director will look at all of the risks associated with money and the IT manager will look at all of the risks posed by the IT infrastructure.
Annual Risk Assessment
is not intrusive, as it merely checks for vulnerabilities.
Vulnerability Scan
is more intrusive, as it goes deeper into a computer and can exploit vulnerabilities. It could cause the system to crash unexpectedly.
Penetration Testing
are executed by company personnel during their day-to-day operations.
Operational Controls
This is an annual event in which you are reminded about what you should be doing each day to keep the company safe.
Annual Security Awareness Training
This is a process that a company adopts so that changes made don’t cause any security risks to the company. A change to one department could impact another department.
Change management
This is contingency planning to keep the business up and running when a disaster occurs by identifying any single point of failure that would prevent the company from remaining operational.
Business Continuity Plan
implemented by the IT team to reduce the risk to the business.
Technical Controls
Firewalls prevent unauthorized access to the network by IP address, application, or protocol.
Firewall Rules
This is the most common threat to a business, and we must ensure that all servers and desktops are protected and up to date.
Antivirus / Antimalware
These log computers off when they are idle, preventing access.
Screen saver
These prevent people that are walking past from reading the data on your screen.
Screen Filter
CCTV and motion sensors. When someone is walking past a building and the motion sensors detect them, it turns the lights on to deter them. A building with a CCTV camera in a prominent position and a sign warning people that they are being recorded also acts as a deterrent.
Deterrent Controls
are used to investigate an incident that has happened.
Detective Control
records events as they happen and from that, you can see who has entered a particular room or has climbed through a window at the rear of a building.
CCTV
are the actions you take to recover from an incident. You may lose a hard drive that contained data; in that case, you would replace the data from a backup you had previously taken.
Corrective Controls
A form of corrective control. There may have been a fire in your data center that destroyed many servers; therefore, when you purchase replacement servers, you may install an oxygen suppressant system that will starve a fire of the oxygen it needs.
Fire Suppression System
can also be called Alternative or Secondary Controls and can be used instead of a primary control that has failed or is not available.
Compensating Controls
are in place to deter any attack; this could be having a security guard with a large dog walking around the perimeter of your building. This would make someone trying to break in think twice about doing so.
Preventative Controls