Domain 1: Security and Risk Management Flashcards
CIA Triad
Confidentiality: prevent the unauthorized disclosure of information.
Integrity: prevent unauthorized modification of information; keep accurate
Availability: ensures that the information is available when needed
Identity
Subjects
Objects
Subject: an active entity on an information system (the one doing something).
Object: a passive entity such as a data file (what is being accessed).
Risks
Annualized Loss Expectancy (ALE)
Safeguard (Control)
Total Cost of Ownership (TCO)
Return on Investment (ROI)
Risk: the likelihood of something bad happening and the impact if it did; threats (source) and vulnerabilities (weakness)
Annualized Loss Expectancy (ALE): the cost of loss due to a risk over a year
Safeguard (Control): a measure taken to reduce risk
Total Cost of Ownership (TCO): total cost of a safeguard/control
Return on Investment (ROI): money saved by deploying a safeguard.
Information Security
Information security is managing the risks to the confidentiality, integrity, and availability of information using administrative, physical, and technical controls.
Opposite of CIA
Disclosure
Alteration
Destruction
Confidentiality
.Prevent unauthorized access, disclosure, or read access
.Keeping data secret
.Data accessible to subjects with clearance, formal approval, and need to know.
Integrity
Prevent unauthorized modification or write access.
Data integrity:
System integrity:
Availability
Ensure that data is available when needed
Risk Management
In order to determine risk, we must first determine what our most important (or critical) assets are.
We use safeguards (or controls) to protect our assets and mitigate (not eliminate) risk.
Risk tolerance: the amount of risk that the business is willing to tolerate (or accept).
Privacy
Managing the risk to confidentiality, integrity and availability of personally identifiable information (PII) using administrative, technical and physical controls.
Privacy is not concerned with integrity and availability.
Identity
A claim to be someone or something
Authentication
Proof that I am who I say I am.
A subject proves its identity to another subject or object.
3 types
.Something you know: Password, PIN
.Something you have: token, phone, debit card
.Something you are: biometrics
Strong multi-factor authentication: Using a combination of 2 or more factors
Authorization
What actions is a subject permitted to perform?
Read, write, execute
Privileges, rights, permissions
Rule 802
Hearsay Rule: second hand information is normally inadmissible in court.
There are exceptions
Evidence integrity
Integrity of evidence is a critical forensic function.
Checksum: can ensure that no data changes occurred as a result of the acquisition and analysis
One-way hash functions are used for this purpose.
EU General Data Protection Regulation
2018
Designed to harmonise data privacy laws across Europe and give data protection rights to individuals.
Replaced the EU Data Protection Directive.
Health Information Portability and Accountability Act
Passed 1996
Security Rule 2003 (HITECH)
Modified 2009
Omnibus Rule 2013
Gramm-Leach-Bliley Act
GLBA
1999
Requires protection of the confidentiality and integrity of consumer financial information.
Risk Calculations
Annualized Loss Expectancy (ALE) = SLE x ARO
Exposure Factor (EF) - expressed as a percent of asset exposed (given a threat or vulnerability)
Single Loss Expectancy (SLE) = AV x EF
STRIDE
Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
Threat categorization scheme developed by Microsoft
ISC Code of Ethics
I. Protect society, the common good, necessary public trust and confidence and the infrastructure
II. Act honorably, honestly, justly, responsibly, and legally.
III. Provide diligent and competent service to principals.
IV. Advance and protect the profession.
Risk Management Framework (RMF) Steps
Prepare - to execute the RMF
Categorize - the system and information
Select - the initial set of controls
Implement - the controls
Assess - the controls to determine correctness
Authorize - the system or common controls
Monitor - the system and associated controls
Business Continuity Plan Steps
Project scope and planning
.Perform a structured review of the business’s organization
.Create a BCP team
.Assess the resources available
.Analyze the legal and regulatory landscape
Business Impact Analysis
.Identify priorities
.Risk identification
.Likelihood assessment
.Impact analysis
.Resource prioritization
Continuity Planning
.Strategy development
.Provisions and processes (procedures and mechanisms)
Approval and Implementation