Cybersecurity and Governance Flashcards
The objective of security:
to provide confidentiality, integrity, availability, authenticity, and nonrepudiation.
Confidentiality
Keeping unauthorized entities (be they people or processes) from gaining access to information assets.
Integrity
An asset is free from unauthorized alterations.
Availability
Protections ensure reliable and timely access to data and resources for authorized individuals.
Authenticity
Protections ensure we can trust that something comes from its claimed source.
Nonrepudiation
Nonrepudiation, which is closely related to authenticity, means that someone cannot deny being the source of a given action.
Vulnerability
This is a weakness in a system that allows a threat source to compromise its security.
Threat
This is any potential danger that is associated with the exploitation of a vulnerability.
Threat Source
A Threat Source (also called a threat agent or threat actor) is any entity that can exploit a vulnerability.
Risk
A Risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact.
Control or Countermeasure
A Control or Countermeasure is put into place to mitigate (reduce) the potential risk.
Information Security Management System (ISMS)
An ISMS is a collection of policies, procedures, baselines, and standards that an organization puts in place to make sure that its security efforts are aligned with business needs, streamlined and effective, and that no security controls are missing.
Enterprise Security Architecture
Enterprise Security Architecture implements an information security strategy and consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. Enterprise Security Architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.
Security Governance
Security governance is a framework that provides oversight, accountability, and compliance.
Security Governance is a framework that supports the security goals of an organization being set and expressed by senior management, communicated throughout the different levels of the organization, and consistently applied and assessed.
Senior management
Senior management always carries the ultimate responsibility for the organization.
Security Policy
A security policy is a statement by management dictating the role security plays in the organization.
Standards
Standards are documents that describe specific requirements that are compulsory in nature and support the organization's security policies.
Baseline
A Baseline is a minimum level of security.
Guidelines
Guidelines are recommendations and general approaches that provide advice and flexibility.
Procedures
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.
Job Rotation
Job Rotation and mandatory vacations are administrative security controls that can help detect fraud.
Separation of Duties
Separation of Duties ensures no single person has total control over a critical activity or task.
Split knowledge and Dual Control
Split knowledge and Dual Control are two variations of separation of duties.
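The two cards above (Separation of Duties, and Split Knowledge and Dual Control) describe controls as policy; the following is an added example, not part of the original flashcards, showing how both are enforced in code. Split knowledge is shown as an n-of-n XOR split of a symmetric key, so that no single custodian's component reveals anything about the key; dual control is shown as an action that only executes once two different authorized principals have each approved it, which also enforces separation of duties (the same person cannot supply both approvals). The custodian names, the action name and the sample key are constructed for this example.

```python
"""Added example: split knowledge and dual control as enforceable mechanisms.

Split knowledge: the key is split into n XOR components. All n are required to
rebuild it, and any n-1 of them are indistinguishable from random bytes.

Dual control: a sensitive action (here, loading the key) only proceeds when
`required` distinct authorized principals have approved it. Because approvals
are keyed by principal, one person cannot approve twice, which is the
separation-of-duties property.

The custodian names, action name and SAMPLE_KEY below are assumptions.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Constructed sample key for the demonstration; not a real key.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def split_secret(secret: bytes, n: int) -> list[bytes]:
    """Split `secret` into n XOR components; all n are needed to rebuild it."""
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    # The last component is secret XOR (all random components), so that the XOR
    # of every component equals the secret again.
    last = bytes(secret)
    for comp in components:
        last = bytes(a ^ b for a, b in zip(last, comp))
    components.append(last)
    return components


def combine_secret(components: list[bytes]) -> bytes:
    """XOR the components together. With the full set this yields the secret;
    a partial set yields unrelated bytes, never a partial secret."""
    if not components:
        raise ValueError("no components supplied")
    length = len(components[0])
    if any(len(c) != length for c in components):
        raise ValueError("components must all be the same length")
    out = bytes(length)
    for comp in components:
        out = bytes(a ^ b for a, b in zip(out, comp))
    return out


class DualControlError(Exception):
    """Raised when an approval or execution violates dual control."""


@dataclass
class DualControlAction:
    """An action that needs approvals from `required` distinct authorized principals.
    Each approver also submits the key component they are custodian of."""
    name: str
    authorized: frozenset[str]
    required: int = 2
    approvals: dict[str, bytes] = field(default_factory=dict)

    def approve(self, principal: str, component: bytes) -> bool:
        """Record an approval. Returns True once enough distinct approvals exist."""
        if principal not in self.authorized:
            raise DualControlError(f"{principal} is not authorized to approve {self.name}")
        if principal in self.approvals:
            raise DualControlError(
                f"{principal} already approved {self.name}; a different person must approve")
        self.approvals[principal] = component
        return self.ready()

    def ready(self) -> bool:
        return len(self.approvals) >= self.required

    def execute(self) -> bytes:
        """Reconstruct the key only when dual control is satisfied."""
        if not self.ready():
            raise DualControlError(
                f"{self.name} has {len(self.approvals)} of {self.required} required approvals")
        return combine_secret(list(self.approvals.values()))


def approval_rejected(action: DualControlAction, principal: str, component: bytes) -> bool:
    """True if the approval was refused (unauthorized principal or duplicate approver)."""
    try:
        action.approve(principal, component)
        return False
    except DualControlError:
        return True


def key_ceremony() -> bytes:
    """Two custodians each hold one component; the key exists only after both approve."""
    alice_part, bob_part = split_secret(SAMPLE_KEY, 2)
    load_key = DualControlAction("load-hsm-master-key", frozenset({"alice", "bob"}))
    load_key.approve("alice", alice_part)   # not enough on its own
    load_key.approve("bob", bob_part)       # second, distinct approver
    return load_key.execute()


if __name__ == "__main__":
    recovered = key_ceremony()
    print("key recovered under dual control:", recovered == SAMPLE_KEY)
```

Note that combine_secret deliberately does not fail on a partial set: with an XOR split, n-1 components give no information about the key, so there is nothing to "partially" recover. The enforcement that all custodians took part lives in DualControlAction, which refuses to execute until the required number of distinct approvers have submitted.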
Social Engineering
Social Engineering is an attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.
Security Awareness
Security Awareness training should be comprehensive, tailored for specific groups, and organization wide.
Gamification
Gamification is the application of elements of game play to other activities such as security awareness training.
Security Champions
Security Champions are members of an organization whose job description does not include security but who nonetheless inform and encourage the adoption of security practices within their own teams.
Professional Ethics
Professional Ethics codify the right way for a group of people to behave.