Domain 1: SECURITY PRINCIPLES Flashcards
Data integrity
The property that data has not been altered in an unauthorized manner
Encryption
The process and act of converting a message from its plaintext to ciphertext
General Data Protection Regulation (GDPR)
In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right
Governance
The process of how an organization is managed
Health Insurance Portability and Accountability Act (HIPAA)
This US federal law is the most important healthcare information regulation in the United States
Impact
The magnitude of harm that could be caused by a threat's exercise of a vulnerability
Information security risk
The potential adverse effects to an organization's operations, including mission, functions, image, and reputation
Integrity
The property of information whereby it is recorded, used, and maintained in a way that ensures its completeness, accuracy, internal consistency, and usefulness for a stated purpose
International Organization for Standardization (ISO)
The ISO develops voluntary international standards in collaboration with its partners in international standardization
Internet Engineering Task Force (IETF)
The internet standards organization, made up of network designers, operators, vendors, and researchers, that defines protocol standards through a process of collaboration and consensus
Likelihood
The probability that a potential vulnerability may be exercised within the construct of the associated threat environment
Likelihood of occurrence
A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities
Multi-factor authentication
Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification
National Institute of Standards and Technology (NIST)
NIST is part of the US Department of Commerce and addresses the measurement infrastructure within science and technology efforts in the US federal government
Non-repudiation
The inability to deny taking an action, such as creating information, approving information, and sending or receiving a message
Personally identifiable information
The National Institute of Standards and Technology (NIST) defines personally identifiable information (PII) as any data that can distinguish or trace an individual's identity
Physical controls
Controls implemented through tangible mechanisms; examples include walls, fences, guards, locks, etc.
Privacy
The right of an individual to control the distribution of information about themselves
Probability
The chances or likelihood that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities
Protected health information (PHI)
Information regarding health status, the provision of healthcare, or payment for healthcare, as defined in HIPAA
Qualitative risk analysis
A method for risk analysis that is based on the assignment of a descriptor such as low, medium, or high
Quantitative risk analysis
A method for risk analysis where numerical values are assigned to both impact and likelihood, based on statistical probabilities and monetized valuation of loss or gain
Risk
A measure of the extent to which any entity is threatened by a potential circumstance or event
Risk acceptance
Determining that the potential benefits of a business function outweigh the possible risk or impact, and performing that business function with no other action
Risk assessment
The process of identifying and analyzing risks to organizational operations, including mission, functions, image, or reputation; the analysis performed as part of risk management, which incorporates threat and vulnerability analysis
Risk avoidance
Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits, and not performing a certain business function because of that determination
Risk management
The process of identifying, evaluating, and controlling threats, including all the phases of risk: context (or frame), risk assessment, risk treatment, and risk monitoring
Risk management framework
A structured approach used to oversee and manage risk for an enterprise
Risk mitigation
Putting security controls in place to reduce the possible impact and/or likelihood of a specific risk
Risk tolerance
The level of risk an entity is willing to assume in order to achieve a potential desired result
Risk transference
Paying an external party to accept the financial impact of a given risk
Risk treatment
The determination of the best way to address an identified risk
Security controls
The management, operational, and technical controls prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information
Sensitivity
A measure of the importance assigned to information by its owner for the purpose of denoting its need for protection
Single-factor authentication
Use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested
State
The condition an entity is in at a point in time
System integrity
The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental
Technical controls
Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system
Threat
Any circumstance or event with the potential to adversely impact organizational operations, including mission, functions, image, or reputation
Threat actor
An individual or group that attempts to exploit vulnerabilities to cause or force a threat to occur
Threat vector
The means by which a threat actor carries out its objectives
Token
A physical object a user possesses and controls that is used to authenticate the user’s identity
Vulnerability
A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source
Institute of Electrical and Electronics Engineers (IEEE)
IEEE is a professional organization that sets standards for telecommunications, computer engineering, and similar disciplines