SSCP Flashcards
Mitigation
Implement security controls that protect the assets and mitigate the risk to an acceptable level.
Assignment or Transferring
Transfer the risk to a third party, such as an insurance company.
Avoidance
Eliminate the risk completely by eliminating the assets to be protected.
Acceptance
Accept the risk associated with a potential threat - not prudent, but usually done when the control is more expensive than the possible impact of the threat.
Policy, Standard, Procedure, Guideline, Baseline
Policy - Mandatory
Standard - Mandatory
Procedure - Mandatory
Guideline - Discretionary
Baseline - Discretionary
Areas of Law
Regulatory Law
Criminal Law
Civil Law
Religious Law
Data Ownership
Data Custodians - The IT department; handles, protects, and backs up data daily. Receives instructions from the Data Owner.
Data Processor - Someone who works under the direction of the owner.
Data Steward / User / Controller - Those who use data for business purposes.
Data Owner - Collector and creator of data. Legally responsible and accountable for protecting it and educating others on how to protect it.
Data Subject - The entity the data is about.
Auditors - They check that everyone is doing what they are supposed to be doing. Ensure compliance, and see that the procedures are followed.
System Owner - Person who owns the responsibility for hardware and software.
Information Life Cycle
Acquisition -> Use -> Archival -> Disposal
Commercial Label Model
Public - Team Members
Sensitive - Financial Information
Private - Medical Information
Confidential - Trade Secrets
Military Label Model
Unclassified - Recruiting Information
Sensitive but classified - Tests, Medical Records
Secret - Deployment plans for troops
Top Secret - Weapon Blueprints
Clearances, Need-To-Know
Clearances - Determines what the users can and cannot access
Need-To-Know - Necessity for the user to know the information
Certification
Certification is used for verifying that personnel have adequate credentials to practice certain disciplines, as well as for verifying that products meet certain requirements.
Accreditation
Accreditation is used to verify that laboratories have an appropriate quality management system and can properly perform certain test methods (e.g., ANSI, ASTM, and ISO test methods) and calibration parameters according to their scopes of accreditation.
Security Model Types
Non-Interference Model - Under a non-interference provision, a computer is seen as a machine having inputs and outputs. These are categorized in terms of their sensitivity as low (not classified information, or having a low sensitivity) or high (sensitive, and not to be viewed by individuals or resources without the necessary clearance). According to the conditions laid down by the model, any sequence of low-sensitivity inputs will produce outputs that are correspondingly low, regardless of any high-level inputs that may also exist. So if a user with a low or no security clearance is working on a system, it will respond in exactly the same manner to low-sensitivity inputs, irrespective of there being a high-level user with greater security clearance working with sensitive data on the same machine. The low-sensitivity user won't be able to glean any information about the high-level user's activities.
State Machine Model - State machine models monitor the condition of a system to prevent it from moving into an insecure state. Any system supporting a state machine model must at all times have the possible states of its processes examined to verify that they are controlled.
Multi-Level Lattice Model - In a latticed security model, each of the lattice elements is a security label that consists of a security level and a set of categories.
Information Flow Model - An extension of the state machine model concept, the information flow model consists of objects, state transitions, and lattice states which govern data flow policy. Its primary objective is to prevent the flow of unauthorized and insecure data in any direction across the system.
Matrix Based Model
Bell-LaPadula Model
Concerned with Confidentiality
Levels: Top Secret, Secret, Unclassified
Simple Security Property - No Read Up
* (star) Property - No Write Down
Strong * Property - Read/Write only on the same level