ISC² Flashcards
Any data about an individual that could be used to identify them.
PII
Personally Identifiable Information
Information regarding one’s health status
PHI
Protected Health Information
Includes trade secrets, research, business plans, and intellectual property
Classified Sensitive Information
Level of importance assigned to information by its owner, for the purpose of denoting its need for protection.
Sensitivity
Something you know
Passwords or phrases
Something you have
Tokens, memory cards, smart cards
Something you are
Biometrics, measurable characteristics
Process to prove the identity of the requestor
Authentication
Protection against an individual falsely denying having performed a particular action.
Non-repudiation
A measure of the extent to which an entity is threatened by a potential circumstance or event
Risk
Something in need of protection
ASSET
A gap or weakness in those protection efforts
Vulnerability
Something or someone that aims to exploit a vulnerability to thwart protection efforts.
Threat
Taking no action to reduce the likelihood of a risk occurring
Risk Acceptance
Decision to attempt to eliminate the risk entirely
Risk avoidance
Prevent or reduce the possibility of a risk event or its impact
Risk mitigation
Passing the risk onto another party
Risk Transfer
A method of risk analysis that is based on the assignment of a descriptor such as low, medium, or high
Qualitative Risk Analysis
A method of risk analysis where numerical values are assigned to both impact and likelihood based on statistical probabilities and monetarized valuation of loss or gain.
Quantitative Risk Analysis
Pertain to the physical, technical, and administrative mechanisms that act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.
Security Controls
Address process-based security needs using physical hardware devices such as badge readers and features of buildings and facilities.
Physical Controls
Security controls that systems and networks directly implement. Provide automated protection from unauthorized access and misuse, facilitate detection of security violations, and support.
Technical Controls
Directives, guidelines, or advisories aimed at the people within the organization. Provide a framework, constraints, and standards for the entire organization.
Administrative Controls
HIPAA
Health Insurance Portability and Accountability Act of 1996
Governs the use of PHI in the US
GDPR
General Data Protection Regulation
Controls the use of the PII of citizens in Europe
Policies
Highest level of governance documents in an organization, usually approved and issued by management to support compliance initiatives
Procedures help when step-by-step instructions are needed
Laws and regulations
Are usually mandated by a government agency.
Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Adequate security
A documented lowest level of security configuration allowed by a standard or organization
Baseline
Malicious code that acts like a remotely controlled robot for an attacker.
Bot
Information that has been determined to require protection against unauthorized disclosure and is marked to indicate its classified status and level
Classified or Sensitive Information
A measure of the degree to which an organization depends on the information or information system for the success of a mission or business function
Criticality
The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures.
Governance
Magnitude of harm that could be caused by a threat's exercise of a vulnerability
Impact
Potential adverse impacts to an organization's operations and assets, individuals, other organizations, and even the nation.
Information Security Risk
The internet standards organization, made up of network designers, operators, vendors, and researchers, that defines protocols through standards (IP, TCP, DNS) via a process of collaboration and consensus
IETF (Internet Engineering Task Force)
Probability that a potential vulnerability may be exercised within the construct of the associated environment
Likelihood
Weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities
Likelihood of Occurrence
Using two or more distinct instances of the three factors of authentication (something you know, something you have, something you are)
Multi-factor Authentication
Part of the US Department of Commerce; addresses the measurement infrastructure within the science and technology efforts of the government.
Sets standards within the Computer Security Resource Center of the Computer Security Division
National Institute of Standards and Technology (NIST)
The inability to deny taking action such as creating information, approving information and sending or receiving a message.
Non-repudiation
Any information that can be used to trace a person's individual identity
Personally Identifiable Information
PII
Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc.
Physical controls
The right of an individual to control the distribution of information about themselves
Privacy
The chances or likelihood that a given vulnerability or a set of vulnerabilities
Probability
Information regarding health status, the provision of healthcare, or payment for healthcare, as defined in HIPAA
Protected Health Information
PHI