Domain 1 Flashcards
Due Diligence
Practicing the activities that maintain the due care effort
Think before you act
Due Care
Doing what a reasonable person would do in a given situation. “Prudent man” rule
Actions speak louder than words
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Access controls help ensure that only authorized subjects can access objects
Integrity
Ensures that data and system configuration are not modified without authentication
Availability
Authorized requests for objects must be granted to subjects within a reasonable amount of time
ISC2 Code of Ethics
- Protect society, the common wealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
Security Policy Development
from the bottom up
Security Procedures
- Detailed, step-by-step instructions
Security Guidelines
- Offer recommendations
Security baselines
- Define “minimum levels”
Acceptable Use Policy
- Assigns roles and responsibilities
Risk Categories
Damage
Results in physical loss of an asset or the inability to access that asset
Risk Categories
Disclosure
Disclosure of critical information, regardless of where or how it was disclosed
Risk Categories
Losses
Permanent or temporary, including altered or inaccessible data
Risk Factors
Physical Damage
Natural disaster, power loss, vandalism
Risk Factors
Malfunctions
Failure of systems, networks, or peripherals
Risk Factors
Attacks
Purposeful acts
Risk Factors
Human Errors
Accidental incidents
Risk Factors
Application Errors
Failures of applications, including the operating system
Security Planning
Strategic
Long term, includes risk assessment
5-year horizon with annual updates
Security Planning
Tactical
Mid-term, ~1 year
Security Planning
Operational
Short term, monthly / quarterly
Response to Risk
Acceptance
Do nothing, accept risk and potential loss
Response to Risk
Mitigation
Implement countermeasures and accept the residual risk
Response to Risk
Assignment
Transfer to 3rd party (insurance)
Response to Risk
Avoidance
Chosen when the cost to mitigate or accept the risk is higher than the benefit of the service
Response to Risk
Deterrence
Discourages would-be violators of policy
Response to Risk
Rejection
Unacceptable response: rejecting or ignoring the risk
Risk Management Framework
NIST SP 800-37
- Prepare
- Categorize info systems
- Select security controls
- Implement security controls
- Assess security controls
- Authorize the system
- Monitor security controls
People Can See I Am Always Monitoring
Types of Risk
Residual
Risk that remains with all safeguards in place
- Management chose to accept it rather than mitigate it
After
Types of Risk
Inherent
New risk, not yet identified by management
- exists in absence of controls
Before
Types of Risk
Total
Risk if no safeguards are in place
Without
Total Risk = Threats × Vulnerabilities × Asset Value
Formula
Risk
Risk = Threat × Vulnerability