Lesson 1 Flashcards
Confidentiality
• Information should only be known to certain people
Integrity
• Data is stored and transferred as intended, and any modification is authorized
Availability
• Information is accessible to those authorized to view or modify it
Non-repudiation
• Subjects cannot deny creating or modifying data
Cybersecurity Framework
Identify, protect, detect, respond, Recover
Information Security Roles and Responsibilities
• Overall responsibility: Chief Security Officer (CSO), Chief Information Security Officer (CISO)
• Managerial
• Technical: Information Systems Security Officer (ISSO)
• Non-technical
• Due care/liability
Information Security Business Units
• Security Operations Center (SOC)
• DevSecOps (development, security, and operations)
• Incident response: cyber incident response team (CIRT), computer security incident response team (CSIRT), computer emergency response team (CERT)
Security Control Categories
• Technical: controls implemented in operating systems, software, and security appliances
• Operational: controls that depend on a person for implementation
• Managerial: controls that give oversight of the system
Security Control Functional Types (1)
Preventive
• Physically or logically restricts unauthorized access
• Operates before an attack
Detective
• May not prevent or deter access, but it will identify and record any attempted or successful intrusion
• Operates during an attack
Corrective
• Responds to and fixes an incident and may also prevent its reoccurrence
• Operates after an attack
Physical
• Controls such as alarms, gateways, and locks that deter access to premises and hardware
Deterrent
• May not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion
Compensating
• Substitutes for a principal control
CSF
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a relatively new addition to the IT governance space and is distinct from other frameworks in focusing exclusively on IT security rather than on IT service provision more generally.
RMF
Risk Management Framework - designed for federal agencies
FIPS
Federal Information Processing Standards (FIPS)
US Gov't security standards for data and its
ISO 27k
Information Security Standards
ISO 31k
Enterprise risk management
Cloud Security Alliance
• Security guidance for cloud service providers (CSPs)
• Enterprise reference architecture
• Cloud controls matrix
SSAE
Statements on Standards for Attestation Engagements are audit specifications developed by the American Institute of Certified Public Accountants.
SOC 2 evaluates a service provider's controls
• Type I report assesses system design
• Type II report assesses ongoing effectiveness
• SOC 3 is a public compliance report
CIS
Center for Internet Security (CIS)
• The 20 CIS Controls
• CIS-RAM (Risk Assessment Method)
OWASP
The Open Web Application Security Project (OWASP) publishes several secure application development resources, such as the Top 10 list of the most critical application security risks.
SOX
Sarbanes-Oxley Act (SOX)
mandates the implementation of risk assessments, internal controls, and
audit procedures.
Computer Security Act (1987)
Requires federal agencies to develop security policies for computer systems that process confidential information.
FISMA
The Federal Information Security Management Act (FISMA) was introduced to govern the security of data processed by federal government agencies.
GDPR
Fairness and the right to privacy, as enacted by regulations such as the European Union's General Data Protection Regulation (GDPR), means that personal data cannot be collected, processed, or retained without the individual's informed consent.
GLBA
Gramm–Leach–Bliley Act (GLBA) - for financial services
CCPA
California Consumer Privacy Act
ISO 22301
security & resilience, business continuity management
ISO 27001
information security rules and requirements (compliance/regulations)
ISO 27701
Privacy Information Management
ISO 27002
Information Security Best Practices