Podcast
Questions and Answers
The right or a permission that is granted to a system entity to access a system resource.
The right or a permission that is granted to a system entity to access a system resource.
The property that data has not been altered in an unauthorized manner.
The property that data has not been altered in an unauthorized manner.
The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.
The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.
The right of an individual to control the distribution of information about themselves.
The right of an individual to control the distribution of information about themselves.
Signup and view all the answers
Ensuring timely and reliable access to and use of information by authorized users.
Ensuring timely and reliable access to and use of information by authorized users.
Signup and view all the answers
Access control process that compares one or more factors of identification to validate that the identity claimed by a user or entity is known to the system.
Access control process that compares one or more factors of identification to validate that the identity claimed by a user or entity is known to the system.
Signup and view all the answers
The inability to deny taking an action, such as sending an email message.
The inability to deny taking an action, such as sending an email message.
Signup and view all the answers
Taking action to prevent or reduce the impact of an event.
Taking action to prevent or reduce the impact of an event.
Signup and view all the answers
Ignoring the risks and continuing risky activities.
Ignoring the risks and continuing risky activities.
Signup and view all the answers
Ceasing the risky activity to remove the likelihood that an event will occur.
Ceasing the risky activity to remove the likelihood that an event will occur.
Signup and view all the answers
An inherent weakness or flaw.
An inherent weakness or flaw.
Signup and view all the answers
Something of value that is owned by an organization, including physical hardware and intellectual property.
Something of value that is owned by an organization, including physical hardware and intellectual property.
Signup and view all the answers
A person or entity that deliberately takes action to exploit a target.
A person or entity that deliberately takes action to exploit a target.
Signup and view all the answers
Passing risk to a third party.
Passing risk to a third party.
Signup and view all the answers
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a:
A chief information security officer (CISO) at a large organization documented a policy that establishes the acceptable use of cloud environments for all staff. This is an example of a:
Signup and view all the answers
Is it possible to avoid risk?
Is it possible to avoid risk?
Signup and view all the answers
What is meant by non-repudiation?
What is meant by non-repudiation?
Signup and view all the answers
Which of the following is NOT one of the four typical ways of managing risk?
Which of the following is NOT one of the four typical ways of managing risk?
Signup and view all the answers
What kind of risk management approach did Siobhan make?
What kind of risk management approach did Siobhan make?
Signup and view all the answers
Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a
Guillermo is the system administrator for a midsized retail organization. Guillermo has been tasked with writing a document that describes, step-by-step, how to securely install the operating system on a new laptop. This document is an example of a
Signup and view all the answers
Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow?
Lankesh is the security administrator for a small food-distribution company. A new law is published by the country in which Lankesh's company operates; the law conflicts with the company's policies. Which governance element should Lankesh's company follow?
Signup and view all the answers
Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the (ISC)² Code of Ethics, to whom does Kristal ultimately owe a duty in this situation?
Kristal is the security administrator for a large online service provider. Kristal learns that the company is harvesting personal data of its customers and sharing the data with local governments where the company operates, without the knowledge of the users, to allow the governments to persecute users on the basis of their political and philosophical beliefs. The published user agreement states that the company will not share personal user data with any entities without the users' explicit permission. According to the (ISC)² Code of Ethics, to whom does Kristal ultimately owe a duty in this situation?
Signup and view all the answers
While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do?
While taking the certification exam for this certification, you notice another candidate for the certification cheating. What should you do?
Signup and view all the answers
The concept of "secrecy" is most related to which foundational aspect of security?
The concept of "secrecy" is most related to which foundational aspect of security?
Signup and view all the answers
Study Notes
Chapter Agenda
- Module 1: Information Assurance
- Module 2: Risk Management Process
- Module 3: Security Controls
- Module 4: Governance
- Module 5: (ISC)² Code of Ethics
- Module 6: Chapter Review
Module 1: Information Assurance
- Foundation Concepts
- CIA Triad
- Authentication
- Multi-Factor Authentication
- Non-Repudiation
- Privacy
The CIA Triad
- Concepts to shape thinking
- Span both logical and physical environments
- Confidentiality
- Integrity
- Availability
Confidentiality
- Protect data from unauthorized individuals
- Protect data that needs protection
Integrity
- Ensure data hasn't been altered
- Ensure data is complete, accurate, internally consistent and useful for a stated purpose.
Availability
- Ensure data accessible to authorized users
- Data accessible when and where needed and in the required format
Identification
- Process for asserting an identity and having it confirmed
Multi-Factor Authentication
- Something you know (Username and Password, PIN)
- Something you have (Code, ID Badge)
- Something you are (Finger-print, Facial recognition, Iris/Retinal Scanning)
Authentication
- Validating the rightful owners of an identity
- Process to prove the identity of the requestor
- Three common methods:
- Something you know (passwords, paraphrases)
- Something you have (tokens, memory cards, smart cards)
- Something you are (biometrics, measurable characteristics)
Multi-factor Authentication or Single Factor?
- Single factor authentication (SFA): All items come from the same factor (e.g., something you know).
- Example: a bank asking for username, passcode and password; they all come from “something you know." This is SFA, not MFA.
Multi-Factor Authentication (MFA)
- Two-factor authentication (2FA)
- Multi-Factor authentication (MFA)
- One-time passwords (OTP) – single use credential used with MFA
- Considerations:
- Throughput
- Acceptability
- Accuracy
Non-Repudiation
- Repudiate = Deny
- Non-Repudiation = Non-Deniability
- Transactions
Privacy
-
Right to control the distribution of information about themselves
-
United Nations Declaration of Human Rights (UDHR) 1948, Article 12:
- Protection from arbitrary interference with privacy, family, home, correspondence, honor and reputation
-
Personally Identifiable Information (PII)
- Name, photo, passport number
-
Balancing society's needs against individual needs protection.
Methods of Authentication
- Single-factor authentication (SFA): Using only one method.
- Multi-factor authentication (MFA): Using two or more methods.
- Common Techniques for authentication:
- Knowledge-based
- Token-based
- Characteristic-based
Non-repudiation
- Protection against denying an action
- Used in e-commerce and electronic transactions to ensure accountability.
Privacy
- The right of an individual to control information about themselves.
- Global implications due to growing digital data collection and storage.
- Legislation and regulations on privacy and data protection. Legal considerations (GDPR).
Risk Management Terminology
- Asset: Something needing protection
- Vulnerability: A gap or weakness in protection.
- Threat: Something that aims to exploit a vulnerability.
- Risk: The intersection of threats, vulnerabilities, and assets.
Threats
- Insider threats: Deliberate, unintentional error or incompetence.
- External threats: Planned, opportunistic groups or individuals
- Formal entities: Competitors, cybercriminals, terrorists, nation-states
- Intelligence gatherers
- Technology: Bots, AI
Vulnerabilities
- Weakness in systems or components
- Security teams assess likelihood and impact of threat to decrease vulnerability
Likelihood
- Probability of an exploited vulnerability
- Weighted subjective analysis of probability of a threat exploiting a vulnerability
Risk Assessment
- Asset Management: Physical/tangible assets (computers, servers) and logical/intangible assets (information, network configuration)
- Threat Management: Environmental, accidental, and intentional threats
- Vulnerability Management: Estimating likelihood
Risk Management
- Risk appetite/tolerance
- Risk management responses: Accept, Avoid, Reduce (mitigate), Share(transfer), Insurance
- The role of security in risk management
Risk Management Context
- Assessing risk at home: Value of assets (i.e. high value vs. low value)
- Environmental risk: Local conditions impacting risk.
Risk Identification
- Organizational risk analysis
- Identifying different risks
Risk Assessment
- Identifying, estimating, and prioritizing risks to an organization's operations
- Aligning risk with organization's goals and objectives
- Risk of fire to a building — mitigation strategies such as fire alarms and sprinklers
Risk Treatment
- Avoidance: Eliminating the risk entirely
- Acceptance: No action to reduce risk
- Mitigation: Measures to prevent or reduce risk events.
- Transferring: Passing risk to another party (e.g., insurance)
Risk Priorities
- Prioritizing risks through quantitative or qualitative analysis.
- Understanding organization's mission and functions to contextualize risks.
- Prioritizing risk responses based on likelihood and impact.
Risk Tolerance
- Managing the quantity of risk an entity is willing to take.
- Varies across organizations and within departments.
- Geographical locations and threats influence risk tolerances.
Security Controls
- Something that affects outcomes
- Administrative controls (directive, physical control)
- Physical controls (e.g., door entry systems)
- Technical/logical controls (e.g., encryption, firewall)
Governance Elements:
- What are considered Regulations: Laws, Policies, Procedures, Standards, Guidelines
- Standards: ISO27007, ISO27032, NIST SP 800-53, NIST Cyber Security Framework.
- Policies, Procedures and Practices
(ISC)² Code of Ethics
- Safety and welfare of society
- Duty to principles, and to each other
- Highest Ethical standards
- Condition of certification
Chapter 1 Review
- Confidentiality, Integrity, Availability (CIA), and privacy (foundation concepts)
- Authentication (various factors, implementation)
- Risk management (threats, vulnerabilities, likelihood)
Course Summary
- Information Assurance Principles
- CIA Triad (confidentiality, integrity, availability)
- Importance of Risk Management
- Types of Security Controls (physical, technical, administrative)
- Governance and its relation to policies, procedures, and standards.
- Compliance with laws and regulations
- (ISC)² Code of Ethics compliance requirements
Terms and Definitions
- List of terms with their corresponding definitions
- Important concepts and examples to understand the function of each
Security Principles Quiz
- Answer keys to quiz
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Related Documents
Description
Test your knowledge on Information Assurance with this quiz covering key concepts such as the CIA Triad, authentication methods, and the principles of confidentiality, integrity, and availability. Evaluate your understanding of security controls and risk management processes in information security.
