Questions and Answers
The right or permission granted to a system entity to access a system resource is called:
- Availability
- Authorization (correct)
- Privacy
- Authentication
The property that data has not been altered in an unauthorized manner is referred to as:
- Availability
- Integrity (correct)
- Privacy
- Confidentiality
What is a common access control process that compares one or more factors of identification to validate that the identity claimed by a user or entity is known to the system?
- Non-repudiation
- Authorization
- Availability
- Authentication (correct)
The right of an individual to control the distribution of information about themselves is known as:
What ensures timely and reliable access to and use of information by authorized users?
The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes is referred to as:
What is the inability to deny taking an action, such as sending an email message?
Something of value that is owned by an organization, including physical hardware and intellectual property, is known as an:
What is the entity that deliberately takes action to exploit a target?
Passing risk to a third party is referred to as:
Taking action to prevent or reduce the impact of an event is known as:
Ignorance of risks and continuing risky activities is a characteristic of:
Ceasing the risky activity to remove the likelihood that an event will occur is called:
An inherent weakness or flaw is known as a(n):
Which of the following is a type of risk management response that involves eliminating or completely avoiding a risk?
What is the level of risk an entity is willing to assume in order to achieve a potential desired result?
Which of the following is NOT one of the four typical ways of managing risk?
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of:
Is it possible to avoid risk?
Which of the following best describes the concept of non-repudiation?
Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a:
Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow?
Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the (ISC)² Code of Ethics, to whom does Kristal ultimately owe a duty in this situation?
While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do?
The concept of "secrecy" is most related to which foundational aspect of security?
Flashcards
CIA Triad
Model that defines security in terms of Confidentiality, Integrity, and Availability.
Confidentiality
Protection against unauthorized access to sensitive information.
Integrity
Ensuring data has not been altered in an unauthorized manner.
Availability
Ensuring authorized users have timely access to data when needed.
Non-Repudiation
Ensuring a party cannot deny the authenticity of their signature on a document.
Multi-Factor Authentication (MFA)
Authentication method using two or more verification factors.
Single-Factor Authentication (SFA)
Authentication method using only one verification factor.
Authentication
The process of verifying the identity of a user.
Risk
The possibility of something bad happening.
Vulnerability
A weakness that increases the likelihood of a risk occurring.
Threat
Anything that can cause harm to data or systems.
Risk Management
The process of identifying, assessing, and prioritizing risks.
Authorization
The permission granted to access system resources.
Asset
Anything of value owned by an organization.
Compliance
Following rules, regulations, and standards set by authority.
Standards
Recommended guidelines or best practices.
Policies
General guidelines on how a company should operate.
Procedures
Step-by-step instructions on completing specific tasks.
Residual Risk
Risk remaining after security controls have been implemented.
Privacy
The right to control the dissemination of personal information.
Governance
The framework of rules, practices, and processes by which an organization is directed.
Physical Controls
Security measures that rely on physical barriers or devices.
Technical Controls
Automated safeguards carried out through technology.
Administrative Controls
Policies and procedures managing behaviors of individuals.
Threat Management
The systematic approach to identifying and mitigating threats.
Risk Tolerance
The amount of risk an organization is willing to accept.
Incident Response
The approach taken to handle a security breach or attack.
Security Controls
Measures implemented to safeguard information systems.
Risk Assessment
The process of identifying and evaluating risks to an organization.
(ISC)² Code of Ethics
A set of standards guiding the conduct of members.
Study Notes
Chapter Agenda
- Module 1: Information Assurance
- Module 2: Risk Management Process
- Module 3: Security Controls
- Module 4: Governance
- Module 5: (ISC)² Code of Ethics
- Module 6: Chapter Review
Module 1: Information Assurance
Module Overview
- Foundation Concepts
- CIA Triad
- Authentication
- Multi-Factor Authentication
- Non-Repudiation
- Privacy
The CIA Triad
- Confidentiality
- Integrity
- Availability
Confidentiality
- Protect data from unauthorized individuals
Integrity
- Ensure data hasn't been altered improperly
Availability
- Ensure data is accessible to authorized users
Identification
- Process of asserting an identity and having it confirmed
Multi-Factor Authentication
- Something you know (username/password, PIN)
- Something you have (code, ID Badge)
- Something you are (fingerprint, facial recognition, iris/retinal scanning)
Authentication
- Process of proving the identity of the requestor
- Three common methods: Something you know, something you have, something you are
Multi-Factor Authentication vs. Single-Factor Authentication
- Single-factor authentication (SFA) uses only one method
- Multi-factor authentication (MFA) uses two or more methods
Non-Repudiation
- Repudiate = Deny
- Non-repudiation = non-deniability
- Includes transactions and emails
Privacy
- Is privacy a right?
- United Nations Declaration of Human Rights (UDHR) 1948
- Personally Identifiable Information (PII) - name, photo, passport number
- Protecting society
- Balancing the needs of the many against the individual
Methods of Authentication
- Knowledge-based (passphrase/secret code)
- Token-based (tokens, memory cards, smart cards)
- Characteristic-based (biometrics)
Non-repudiation
- Protects against denying action
Risk Management Terminology
- Asset: Something needing protection
- Vulnerability: Gap or weakness in protection
- Threat: Something aiming to exploit a vulnerability
- Risk: Intersection of assets, vulnerabilities, and threats
Module Overview (Risk Management)
- Risks and security-related issues are ongoing concerns
- Risk assessment, analysis, mitigation, remediation, and communication are crucial
- Many frameworks and models are used to facilitate the risk management process, and organizations have different tolerance levels for accepting risk
- A risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and often a measure of the adverse impact and the likelihood of occurrence.
- Information security risks arise in relation to a threat’s potential to harm or affect resources
- IT risks are a subset of business risks
Threats
- Insider threats: Deliberate, error, or incompetence
- Outside threats: Deliberate or opportunistic
- Cybercriminals
- Nation States
- Terrorists
- Hacktivists
- Intelligence agencies
- Technology (e.g., bots, AI)
Vulnerabilities
- Inherent weaknesses or flaws in systems
Likelihood
- Probability of a vulnerability being exploited
Risk Assessment
- Asset management
- Physical/tangible assets (computers, servers)
- Logical/intangible assets (information, network configuration)
- Threat management
- Environmental risks
- Accidental or intentional threats
- Vulnerability management
- Estimating likelihood
Risk Management
- Risk appetite/tolerance
- Risk management responses (Accept, Avoid, Reduce/Mitigate, Share/Transfer, Insurance)
Risk Management - Context
- How risk management is applied in a home vs. a business setting
- High-value items vs. low-value items
- Environmental risk factors (location, disaster-prone areas)
Risk Identification
- Understanding your organization's unique situation
- Risk identification and prioritization by all levels of the organization
- Tactical, operational, and strategic plans are used in identification processes
Risk Assessment
- Identifying, estimating and prioritizing risks to operations, assets and individuals.
- Risk assessment activities align risk to goals and objectives
- Identifying risks is an ongoing process and results are documented as a report for management review
Risk Treatment
- Risk avoidance
- Risk acceptance
- Risk mitigation
- Risk transference
- Cost/impact analysis of risks
Risk Priorities
- Qualitative risk analysis
- Quantitative risk analysis
- Prioritization based on likelihood and impact
Risk Tolerance
- Risk appetite is often likened to an entity’s tolerance for risk
- Management's tolerance for risk varies between organizational departments and across the organization as a whole
- Geographic location plays a role in levels of risk tolerance and planning/mitigation (e.g., volcanoes in Iceland as a risk)
- Time factors and likelihood of risk occurrences will determine risk tolerance requirements in numerous ways
Security Controls
- Detect, correct, prevent or reduce a risk
- Part of major frameworks (ISO 27001, COBIT, NIST SP 800-53)
- Administrative controls (directive behavior, policy, procedure, guidelines, standards)
- Physical control examples (PACS, door entry systems, CCTV, alarm systems)
- Technical/logical control examples (encryption, endpoint security, clustering, firewalls)
Governance
- Compliance: Regulations, Laws, Standards, Policies, Procedures
- Laws and/or regulations can conflict with organizational policy (in which case the law takes precedence)
- Examples of laws and/or regulations: HIPAA, GDPR
(ISC)² Code of Ethics
- Preamble: Safety and welfare of society
- Canons: Protect society and the infrastructure, act honorably, provide diligent service, advance and protect professionalism
Chapter Review
- CIA and Privacy are foundation concepts in security
- Different authentication methods depend on assurance level
- Risks, threats, vulnerabilities, and likelihood are formally managed by organizations based on risk appetite