14 Questions
What is the primary goal of Risk Management?
To make risks as small as possible
What is the primary goal of Information Security?
To protect assets in order to achieve CIA (Confidentiality, Integrity, Availability)
What is an Incident in the context of security?
The occurrence of a security violation
What is the risk associated with a lack of confidentiality?
Loss of privacy, unauthorized access, identity theft
What is the primary purpose of tracking vulnerabilities?
To mitigate potential security violations
What is the term for the potential loss of an asset upon an incident?
Exposure Factor
What is the purpose of audit logs?
To track security controls such as errors, login attempts, changes, etc.
What is the primary method of ensuring the integrity of information?
Quality assurance and audit logs
What is a common system used to track vulnerabilities?
Common Vulnerability Scoring System
What is the term for an action or event that may potentially compromise security?
Threat
What is the purpose of authentication?
To verify/prove a subject's claims to a given identity
What is the primary purpose of authorization?
To grant an authenticated subject proper access rights to different assets
What type of access control assigns security levels on users and resources?
Mandatory Access Control
What is the risk associated with a lack of availability?
Business disruption, loss of customer confidence, loss of revenue
Study Notes
Information Security
- Information Security is the process and methods of protecting assets to achieve CIA (Confidentiality, Integrity, Availability)
- CIA is crucial to protect print, electronic, or any other form of confidential, private, and sensitive information or data from unauthorized access
Confidentiality
- Confidentiality ensures that information is kept private and secure
- It assures that information is available only to those who have authorized access
- Risks associated with confidentiality: loss of privacy, unauthorized access, identity theft
- Controls to maintain confidentiality: encryption, authentication, access controls
Integrity
- Integrity ensures that information is not modified, deleted, or added without authorization
- It ensures the trustworthiness, accuracy, and completeness of the data
- Risks associated with integrity: unreliable/inaccurate information
- Controls to maintain integrity: quality assurance and audit logs
Availability
- Availability ensures that systems for processing, delivering, and storing information are accessible when required
- Risks associated with availability: business disruption, loss of customer confidence, and loss of revenue
- Controls to maintain availability: backup storage and sufficient capacity
Triple A of InfoSec
- Authentication: process in which a subject attempts to verify/prove their claims to a given identity
- Three primary forms of authentication: what you have, who you are, and what you know
- Authorization: the act of granting an authenticated subject their proper access rights to different assets
- Schemes of authorization: Mandatory Access Control, Discretionary Access Control, Role-based Access Control, and Attribute-based Access Control
Audit Trail
- Audit Trail tracks security controls such as errors, login attempts, changes, etc.
- Actions should be traceable to a specific subject for the information to be useful
Assets
- Assets are any tangible or intangible items with value to an organization
- Assets are items whose loss can cause a potential disruption to an organization
Vulnerabilities
- Vulnerabilities are weaknesses or flaws that may be intentionally or unintentionally triggered, leading to a violation of security policies
- Vulnerabilities may be present in the inherent design or in the actual system
- Current and existing vulnerability tracking systems: U.S. Computer Emergency Readiness Team, Common Vulnerability Scoring System, Common Vulnerabilities and Exposures
Threats, Impacts, Exposure Factor
- Threat: an action or event that may potentially compromise or violate security
- Incident: the occurrence of a security violation, i.e. a threat that has been realized
- Impact: the outcome of the incident
- Exposure Factor: potential loss of an asset upon an incident
Risk
- Risk: the probability that a particular threat occurs by exploiting a specific vulnerability
- Risk Management: the process of reducing risks to acceptable levels
- The goal of risk management is to minimize risk, not to eliminate it
Security Controls (Countermeasures)
- Security Controls: mechanisms to mitigate threats
- Improper implementation may lead to increased risks
- Groups of Security Controls: Technical, Administrative, and Physical