Information Security Governance & Risk Management Flashcards
What is the C-I-A Triad ?
Confidentiality - Integrity - Availability
- a three-sided domain (usually drawn as a triangle)
- all other domains are built on these 3 concepts
What is Confidentiality (CIA) ?
- Prevention of unauthorised use or disclosure of information.
- associated with Privacy.
- Privacy ensures the confidentiality of personal data.
What is Integrity (CIA) ?
Integrity safeguards the accuracy and completeness of information and of processing methods.
What does integrity ensure ?
- Unauthorised users or processes don't make modifications to data.
- Authorised users and processes don't make unauthorised modifications to data.
- Data is internally and externally consistent, meaning a given input produces the expected output.
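The first two bullets are about detecting alteration. The added example below is not from the flashcards; it shows, in Python's standard library, why an unkeyed hash alone does not protect against unauthorised modification (whoever can change the data can recompute the hash) while a keyed tag (HMAC) does, because the forger lacks the key. The shared key, the record and the attacker's guessed key are constructed sample values; the function names are this example's own.

```python
import hashlib
import hmac

# Constructed sample values: a record whose balance an attacker wants to change,
# and the key shared between the sender and the verifier (hypothetical, not a real secret).
RECORD = b"account=1234;balance=100.00"
SHARED_KEY = b"example-shared-key-for-demo-only"


def sha256_digest(data: bytes) -> str:
    """Unkeyed hash: catches accidental corruption, but anyone who can edit
    the data can simply recompute it, so it does not prove the data is unaltered."""
    return hashlib.sha256(data).hexdigest()


def unkeyed_check(data: bytes, digest: str) -> bool:
    """Verifier that trusts a bare hash shipped alongside the data."""
    return sha256_digest(data) == digest


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed tag (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so the verifier does not leak how many bytes matched."""
    return hmac.compare_digest(mac_tag(key, data), tag)


def demo() -> dict:
    """Sender publishes data with both a bare digest and an HMAC tag; an attacker
    without the key alters the data and recomputes what they can."""
    altered = RECORD.replace(b"100.00", b"999.00")

    # What the legitimate sender publishes.
    digest = sha256_digest(RECORD)
    tag = mac_tag(SHARED_KEY, RECORD)

    # The attacker can recompute the unkeyed hash over the altered data,
    # but can only guess at a key for the HMAC.
    forged_digest = sha256_digest(altered)
    forged_tag = mac_tag(b"attacker-guessed-key", altered)

    return {
        "unkeyed_accepts_genuine": unkeyed_check(RECORD, digest),
        "unkeyed_accepts_tampered": unkeyed_check(altered, forged_digest),  # integrity NOT detected
        "keyed_accepts_genuine": verify_tag(SHARED_KEY, RECORD, tag),
        "keyed_rejects_tampered_with_old_tag": not verify_tag(SHARED_KEY, altered, tag),
        "keyed_rejects_tampered_with_forged_tag": not verify_tag(SHARED_KEY, altered, forged_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note what the MAC does not cover: the second bullet (an authorised user making an unauthorised change) is untouched, because whoever legitimately holds the key can tag any data they like. That case is handled by access control, separation of duties and audit logging rather than by cryptography.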
What is Availability (CIA) ?
This ensures that authorised users have reliable and timely access to information and the associated systems and assets when needed.
Threats to availability (CIA) ?
- Denial of Service
- Single points of failure
- equipment malfunction
- inadequate capacity planning
- business interruptions / disasters
- fail-safe control mechanisms (controls that fail closed and deny access when they fail)
The Opposite of C-I-A ?
D-A-D:
D - Disclosure
A - Alteration
D - Destruction
Defense in Depth ?
- An info. sec. strategy based on multiple layers of defence, so that no single control failure exposes the asset.
- Has its roots in the military.
- Result of a holistic approach to IT security.
Commercial Data Classification ?
- implemented to protect information that has a monetary value. Criteria include:
- Value - monetary or intrinsic value
- Age / Useful Life - Information that loses value over time, becomes obsolete or irrelevant or becomes common / public knowledge is classified this way.
Government Data Classifications
- protect national interests / security
- comply with applicable laws
- protect privacy
Department of Defense Categories:
- Unclassified
- Sensitive But Unclassified (SBU)
- Confidential
- Secret
- Top Secret
D.o.D. Classification - Unclassified
- lowest level of classification
- not sensitive, no threat to national security
- Can include data that was previously classified, but has since been declassified.
- Can include - for official use only
- Can include - for internal use only
D.o.D. Classification - Sensitive But Unclassified (SBU)
- information that is private or personal.
* Ex: test questions, disciplinary proceedings, medical records.
D.o.D. Classification - Confidential
- Information that could cause damage to national security if leaked.
* lowest level of classified gov. information.
D.o.D. Classification - Secret
- information that could cause serious damage to national security if leaked.
* must be accounted for throughout lifecycle.
D.o.D. Classification - Top Secret
- information that could cause grave damage to national security if leaked.
- must be accounted for throughout lifecycle.
- may include special designations
- handling restrictions
What is a Mission Statement ?
- Expresses an organisation's reason to exist.
- Easily understood.
- A general-purpose statement.
What are Goals and Objectives ?
- A goal is something an organisation is attempting to accomplish.
- Goals should align with the mission statement.
- Goals should define a vision for the organisation.
- An objective is a milestone or a result that is expected to be achieved.
- An objective (short term) supports a goal, which in turn supports the mission (medium to long term).
What is Governance ?
Governance is a term that collectively represents the system of policies, standards, guidelines and procedures that steer an organisation's operations and decisions day in and day out.
What is a security policy ?
A formal statement of the rules that people who are given access to an organisation's technology and assets must abide by.
What are the 4 policy Types ?
- Senior Management - a high-level management statement.
- Regulatory - Highly detailed and precise policy dictated by government or legal requirements.
- Advisory - Not mandatory, but highly recommended set of policies. (Most policies reside here)
- Informative - No restrictions or requirements just an FYI.