ISC2 - Study Notes 21 Flashcards
within a database are known as tuples. A primary key uniquely identifies each row (tuple) in a table. A foreign key in one table points to a primary key in another table to link the tables together through a common relationship.
Rows
is a virtual table that provides access to specific columns in one or more tables. It doesn’t actually hold any data but presents the data in the underlying table or tables. A database administrator can grant access to a view without granting access to a table, thereby limiting what a user can see and manipulate.
View
Act of 2002 mandates specific protections for data related to publicly held companies. SOX requires high-level officers (such as CEOs and CFOs) to personally verify the accuracy of financial data.
GDPR: the primary purpose of the GDPR is to protect the personal data of EU residents, and it strictly restricts the transfer of EU residents' data outside of the EU.
Info
refers to the steps used to manage important assets within an organization throughout their lifecycle. It helps the organization maintain control of its assets. In this context, assets include hardware, software, and data. The lifecycle refers to the time period from when the asset is first obtained or created to when it is discarded or destroyed.
Asset Management
Within the U.S. government, a Designated Approving Authority (DAA) provides official accreditation by approving a system for operation at a specific level of risk. It does not guarantee that a system is free of risk.
Info
Certification and accreditation are two separate processes used to test, evaluate, and approve systems for specific purposes. The certification process includes several steps to evaluate, describe, and test a system. This includes all the security controls that are used to mitigate risks to the system. Once a system is certified, an accrediting authority provides a formal declaration, which approves the system operation.
Info
uses EALs to determine the level of assurance of a system or product. EAL1 is the lowest level of assurance and EAL7 is the highest level. Many commercial operating systems achieve EAL4.
The Common Criteria
Categorize System (examine the system, including the data it processes, stores, and transmits; then combine this information with an impact analysis to determine the security category of the system), Select Controls (select a set of baseline security controls based on the category of the system, and supplement these controls based on the system and the needs of the organization), Implement Controls (also document information on the controls to show how they are used within the system and what risks they mitigate), Assess Controls (periodically examine the security controls to verify they are implemented correctly), Authorize System (if the level of risk is determined to be acceptable based on the assessment of the implemented controls, the system is authorized), Monitor Controls.
Security Life Cycle
Initiation (identify the need for the system in this phase; this includes documenting the purpose of the system and high-level requirements), Development/Acquisition (design, purchase, program, develop, or create the system), Implementation/Assessment (install, configure, and test the system in this phase; testing and evaluation steps determine whether the system meets the originally identified need), Operations/Maintenance (perform regular maintenance on the system to ensure it continues to operate as desired), Disposal (remove the system from service; a key component of this phase is sanitizing all media. If it is being replaced by another system, it should be removed only after the other system has completed the implementation/assessment phase. Personnel should also update inventory records to reflect the final disposition).
Security issues should be addressed starting in the initiation phase and continuing all the way through to the disposal phase.
System Development Lifecycle
Initial stage: Personnel draft the security policy based on the needs of the organization. This might be a formal, nearly complete draft of the policy or an initial proposal to senior management identifying the needs and objectives of the policy.
Approval stage: Senior management approves the policy. It might take several iterations between the initial stage and the approval stage to create a document that senior management approves. Once approved, it provides direction for personnel to enforce the policy.
Publication stage: The policy is provided to relevant personnel so that they can follow and implement it.
Implementation stage: A security policy is an important first step to provide security within an organization, but it isn't the final step by any means. After senior management has approved a security policy, personnel must take steps to implement and enforce it.
Maintenance stage: Periodic reviews (such as once a year) ensure that the policy remains up to date, meets the needs of the organization, and addresses current threats.
Security Policy