Summary

This document provides an overview of security principles, focusing on information assurance, risk management, and security controls. It includes explanations of the CIA triad, authentication methods, and risk management concepts. The content is largely introductory and presented in a structured format, suitable for educational or informational use.

Full Transcript


## (ISC)² Chapter Agenda

**Chapter Agenda**

- Module 1: Information Assurance
- Module 2: Risk Management Process
- Module 3: Security Controls
- Module 4: Governance
- Module 5: (ISC)² Code of Ethics
- Module 6: Chapter Review

## Module 1: Information Assurance

**Module Overview**

- Foundation Concepts
- CIA Triad
- Authentication
- Multi-Factor Authentication
- Non-Repudiation
- Privacy

### The CIA Triad

**Concept description:**

- Concepts to help shape our thinking
- Span both logical and physical environments

**CIA Triad Diagram:** The CIA Triad is depicted as a triangle with three components:

- **Confidentiality:** represented by two individuals in a huddle with speech bubbles above them.
- **Integrity:** represented by a magnifying glass focused on a person.
- **Availability:** represented by a clock above a piece of paper with a checkmark on it.

**Detailed descriptions of each component:**

- **Confidentiality:** Protect the data that needs protection and prevent access by unauthorized individuals.
- **Integrity:** Ensure the data has not been altered in an unauthorized manner.
- **Availability:** Ensure data is accessible to authorized users when and where it is needed, and in the form and format that is required.

**The CIA Triad - An important aspect of security**

To define security, it has become common to use Confidentiality, Integrity and Availability, also known as the triad. The purpose of these terms is to describe security using relevant and meaningful words that make security more understandable to management and users and define its purpose.

**Deep Dive: Confidentiality**

- **Confidentiality is a difficult balance to achieve** when many system users are guests or customers, and it is not known whether they are accessing the system from a compromised machine or a vulnerable mobile application. The security professional's obligation is therefore to **regulate access**: protect the data that needs protection, yet permit access to authorized individuals.
- **Important terms related to confidentiality:**
  - **Personally Identifiable Information (PII):** Any data about an individual that could be used to identify them.
  - **Protected Health Information (PHI):** Information regarding one's health status.
  - **Classified or sensitive information:** Includes trade secrets, research, business plans and intellectual property.
  - **Sensitivity:** A measure of the importance assigned to information by its owner, or the need for protection. Sensitive information is information that, if improperly disclosed...

**Deep Dive: Integrity**

- **Integrity measures the degree to which something is whole and complete,** internally consistent and correct. The concept of integrity applies to:
  - Information or data
  - Systems and processes for business operations
  - Organizations
  - People and their actions
- **Data integrity is** the assurance that data has not been altered in an unauthorized manner. This requires the protection of the data in systems and during processing to ensure that it is free from improper modification, errors or loss of information and is recorded, used and maintained in a way that ensures its completeness. Data integrity covers data in storage, during processing and while in transit.

**Deep Dive: Availability**

- **Availability can be defined as** (1) timely and reliable access to information and the ability to use it, and (2) *for authorized users, timely and reliable access to data and information services.*
- **The core concept of availability is** that data is accessible to authorized users when and where it is needed and in the form and format required. This does not mean that data or systems are available 100% of the time. Instead, the systems and data meet the requirements of the business for timely and reliable access.
- **Some systems and data are far more critical than others**, so the security professional must ensure that the appropriate levels of availability are provided. This requires consultation with the business involved to ensure that critical systems are identified and available. Availability is often associated with the term *criticality*, because it represents the importance an organization gives to data or an information system in performing its operations or achieving its mission.

### Identification

- The process of asserting an identity, for example by presenting a username or a badge. Confirming that the assertion is genuine is a separate step, authentication, described below.

### Multi-Factor Authentication

The three factor categories, as illustrated on the slide:

- **Something you know** (illustrated by a password):
  - Username and password
  - PIN
- **Something you have** (illustrated by an ID badge):
  - Code from a token or device
  - ID badge
- **Something you are** (illustrated by a human being):
  - Fingerprint
  - Facial recognition
  - Iris/retinal scanning

### Authentication

- **When users have stated their identity, it is necessary to validate that they are the rightful owners of that identity.** This process of verifying or proving the user's identification is known as authentication. Simply put, authentication is a process to prove the identity of the requestor.
- **Common authentication methods:**
  - **Something you know:** Passwords or passphrases
  - **Something you have:** Tokens, memory cards, smart cards
  - **Something you are:** Biometrics, measurable characteristics

### Multifactor Authentication or Single Factor Authentication?

- **Example of authentication:** If your bank asks for a username, some digits from a passcode and a password, is this multi-factor authentication? *No! This is single-factor authentication (SFA).* All these items come from the same factor: something you know. What makes authentication multi-factor is the number of distinct factor categories involved, not the number of credentials requested.
- **Multi-Factor Authentication (MFA)** employs two or more distinct factors. Two-factor authentication (2FA) is the most common form. One-time passwords (OTP) are single-use credentials, typically produced by a token or device the user possesses, and are commonly used as one of the factors in MFA.
- **MFA considerations:**
  - Throughput
  - Acceptability
  - Accuracy

### Non-Repudiation

- **Repudiate:** deny
- **Non-repudiation:** non-deniability
- **Examples:** email and transactions

### Privacy

- **Is privacy a right?** Yes, according to the United Nations Universal Declaration of Human Rights (UDHR) of 1948, Article 12: "**No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.**"
- **Personally Identifiable Information (PII):** name, photo, passport number.
- **Balancing the needs of the many against the individual.**

### Methods of Authentication

- **Types of authentication:**
  - **Single-factor authentication (SFA):** Only one factor is used.
  - **Multi-factor authentication (MFA):** Two or more factors are used.
- **Common best practice in authentication:** implement at least two of the following:
  - Knowledge-based
  - Token-based
  - Characteristic-based

### Non-Repudiation

- **Definition:** The protection against an individual falsely denying having performed a particular action. It provides the capability to determine whether a given individual took a particular action, such as creating information, approving information, or sending or receiving a message.
- **Importance in today's world of e-commerce and electronic transactions:** non-repudiation methodologies ensure that people are held responsible for the transactions they conducted.

### Privacy

- **Definition:** The right of an individual to control the distribution of information about themselves. While security and privacy both focus on the protection of personal and sensitive data, there is a difference.
With the increasing rate at which data is collected and digitally stored across all industries, the push for privacy legislation and compliance with existing policies steadily grows.

- **Privacy legislation can impact corporations and industries regardless of physical location.** Global privacy is an especially crucial issue when considering requirements regarding the collection and security of personal information. There are several laws that define privacy and data protection, and they change periodically.
- **Ensuring that protective security measures are in place is not enough to meet privacy regulations or to protect a company from incurring penalties or fines for mishandling, misuse or improper protection of personal or private information.** Examples of multinational laws include:
  - The **European Union's General Data Protection Regulation (GDPR)**, which applies to all organizations, foreign or domestic, doing business in the EU or handling the personal data of people in the EU.
  - **Several state laws in the United States** that regulate the collection and use of consumer data and privacy.
  - **Member nations of the EU enact laws to put GDPR into practice** and sometimes add more stringent requirements.
- These laws, including national- and state-level laws, dictate that any entity anywhere in the world handling the private data of people in a particular legal jurisdiction must abide by its privacy requirements. *As a member of an organization's data protection team, you will not be required to interpret these laws, but you will need an understanding of how they apply to your organization.*

### Methods of Authentication Quiz

- **Question 1:** The right or permission that is granted to a system entity to access a system resource.
  - **Answer:** Authorization
- **Question 2:** The property that data has not been altered in an unauthorized manner.
  - **Answer:** Integrity
- **Question 3:** Access control process that compares one or more factors of identification to validate that the identity claimed by a user or entity is known to the system.
  - **Answer:** Authentication
- **Question 4:** Ensuring timely and reliable access to and use of information by authorized users.
  - **Answer:** Availability
- **Question 5:** The characteristic of data or information when it is not made available or disclosed to unauthorized persons or processes.
  - **Answer:** Confidentiality
- **Question 6:** The inability to deny taking an action, such as sending an email message.
  - **Answer:** Non-repudiation

## Module 2: Risk Management Process

**Module Overview**

- Key Concepts and Definitions
- Security and its Relationship to Risk
- Risk Appetite
- Risk Assessments
- Risk Management

### Risk - Concepts and Definitions

- **Risk-based approach to security**
- **What is a risk?** The possibility of something bad happening.
- **Threats:** Something that can cause harm.
- **Vulnerabilities:** A weakness that increases the likelihood of a risk materializing, or increases its impact.
- **Likelihood/probability:** How likely it is that the threat will exploit the vulnerability.

### Risk - Concepts and Definitions

- **Risk is** the possibility of something bad happening.
- **Risk matrix:** shows the intersection of likelihood and impact.
  - **Likelihood:** The probability that a given threat is capable of exploiting a given vulnerability or set of vulnerabilities.
  - **Impact:** The magnitude of harm that could be caused by a threat's exercise of a vulnerability.
**Example of risk matrix:** priority is read at the intersection of probability (rows) and impact (columns).

| | **Low Impact** | **High Impact** |
|---|---|---|
| **High Probability** | High probability, low impact | High probability, high impact |
| **Low Probability** | Low probability, low impact | Low probability, high impact |

### Risk Assessment

**Key components:**

- **Asset management:**
  - Physical/tangible assets: computers, servers
  - Logical/intangible assets: information, network configuration
- **Threat management:**
  - Environmental
  - Accidental
  - Intentional
- **Vulnerability management:**
  - Estimating likelihood

### Risk Management

- **Risk appetite/tolerance:** How much risk is an entity willing to take?
- **Risk management responses:**
  - Accept
  - Avoid
  - Reduce (mitigate), for example with a firewall
  - Share (transfer), for example with insurance
- **Important considerations:**
  - Ignoring a risk is not the same as choosing to accept a risk. Ignoring a risk is something you **should never do**.
  - The role of security in risk management

### Risk Management - Context

- **How do you apply risk management in your home?** Think about the value of your assets: garbage versus high-value items.
- **Does your environment affect risk?** Example: would a company operating in Japan face the same risks as one operating in the Middle East?

### Risk Identification

- **How do you identify risks?** Are you looking for problems?
- **In the world of cyber, identifying risks is not a one-and-done activity.**
- **It involves looking at your unique company and analyzing its unique situation.**
- **Security professionals know their organization's strategic, tactical and operational plans.**
- **Takeaways to remember about risk identification:**
  - Identify risk to **communicate it clearly.**
  - **Employees at all levels of the organization are responsible for identifying risk.**
  - **Identify risk to protect against it.**
- **As a security professional, you are likely to assist in risk assessment at a system level,** focusing on process, control, monitoring or incident response and recovery activities. If you are working with a smaller organization, or one that lacks any kind of risk management and mitigation plan and program, you might have the opportunity to help fill that planning void.

### Risk Assessment

- **Definition:** The process of identifying, estimating and prioritizing risks to an organization's operations (including its mission, functions, image and reputation), assets, individuals, other organizations and even the nation.
- **Risk assessment should result in** aligning (or associating) each identified risk resulting from the operation of an information system with the goals, objectives, assets or processes that the organization uses, which in turn aligns with or directly supports achieving the organization's goals and objectives.
- **Example:** A common risk assessment activity identifies the risk of fire to a building. There are many ways to mitigate that risk, but *the primary goal of a risk assessment is to estimate and prioritize.*
  - Fire alarms: lowest cost; they alert personnel to evacuate and reduce the risk of personal injury.
  - Sprinkler systems: do not prevent a fire but can minimize the amount of damage.
  - Gas-based suppression: the best solution to protect the systems, but cost-prohibitive.
- **A risk assessment can prioritize these items for management to determine the method of mitigation that best suits the assets being protected.**
- **The result of the risk assessment process is often** documented as a report or presentation given to management for their use in prioritizing the identified risk(s). This report is provided to management for review and approval. In some cases, management may indicate a need for a more in-depth or detailed risk assessment performed by internal or external resources.

### Risk Treatment

- **Risk treatment relates** to making decisions about the best actions to take regarding the identified and prioritized risk. The decisions made depend on the attitude of management toward risk and on the availability, and cost, of risk mitigation.
- **Risk management responses:**
  - **Avoidance:** The decision to attempt to eliminate the risk entirely. This could include ceasing operation for some or all of the activities of the organization that are exposed to a particular risk. Organization leadership may choose risk avoidance when the potential impact of a given risk is too high or if the likelihood of the risk being realized is simply too great.
  - **Acceptance:** Taking no action to reduce the likelihood of a risk occurring. Management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.
  - **Mitigation:** The most common type of risk management; it includes taking actions to prevent or reduce the possibility of a risk event or its impact. Mitigation can involve remediation measures, or controls, such as security controls, establishing policies, procedures and standards to minimize adverse risk. Risk cannot always be mitigated, but mitigations such as safety measures should always be in place.
  - **Transfer:** Passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment. Typically, this is an insurance policy.

### Risk Treatment Quiz

- **Question 1:** Taking action to prevent or reduce the impact of an event.
  - **Answer:** Mitigation
- **Question 2:** Deciding, after assessment, to take no further action against a risk and continuing the activity.
  - **Answer:** Acceptance
- **Question 3:** Ceasing the risky activity to remove the likelihood that an event will occur.
  - **Answer:** Avoidance
- **Question 4:** An inherent weakness or flaw.
  - **Answer:** Vulnerability
- **Question 5:** Something of value that is owned by an organization, including physical hardware and intellectual property.
  - **Answer:** Asset
- **Question 6:** A person or entity that deliberately takes action to exploit a target.
  - **Answer:** Threat (more precisely, a threat actor)
- **Question 7:** Passing risk to a third party.
  - **Answer:** Transference

### Risk Priorities

- **When risks have been identified,** it is time to prioritize and analyze core risks through qualitative risk analysis and/or quantitative risk analysis. This is necessary to determine root cause and narrow down apparent risks and core risks. Security professionals work with their teams to conduct both qualitative and quantitative analysis.
- **Understanding the organization's overall mission and the functions that support the mission helps to place risks in context,** determine the root causes and prioritize the assessment and analysis of these items. In most cases, management will provide direction for using the findings of the risk assessment to determine a prioritized set of risk-response actions.
- **One effective method to prioritize risk is to use a risk matrix,** which helps identify priority as the intersection of likelihood of occurrence and impact. It also gives the team a common language to use with management when determining the final priorities.
  *For example, a low likelihood and a low impact might result in a low priority, while an incident with a high likelihood and high impact will result in a high priority.* Assignment of priority may relate to business priorities, the cost of mitigating a risk or the potential for loss if an incident occurs.

### Risk Tolerance

- **Risk tolerance is often likened to the entity's appetite for risk.** How much risk are they willing to take? Does management welcome risk or want to avoid it? *The level of risk tolerance varies across organizations, and even internally: different departments may have different attitudes toward what is acceptable or unacceptable risk.*
- **Understanding the organization and senior management's attitude toward risk is usually the starting point** for getting management to take action regarding risks.
- **Executive management and/or the Board of Directors determines what is an acceptable level of risk** for the organization. Security professionals aim to maintain the levels of risk within management's limit of risk tolerance.
- **Risk tolerance is often dictated by geographic location.** For example, companies in Iceland plan for the risks that nearby volcanoes impose on their business. Companies that are outside the projected path of a lava flow will be at a lower risk than those directly in the path's flow.
- **Power outages are a real threat in all areas of the world.** In areas where thunderstorms are common, power outages may occur more than once a month, while other areas may only experience one or two power outages annually.
- **Calculating the downtime that is likely to occur with outages of varying length will help to define a company's risk tolerance.** If a company has a low tolerance for the risk of downtime, it is more likely to invest in a generator to power critical systems. A company with an even lower tolerance for downtime will invest in multiple generators with multiple fuel sources to provide a higher level of assurance that the power will not fail.

## Module 3: Security Controls

**Module Overview**

- What are Controls?
- Security Controls and Risk
- Administrative Controls: directive, what to do and how to behave
- Physical Controls: lock, physical barrier
- Technical/Logical Controls: firewall

### Security Controls

- **A control helps to** detect, correct, prevent or reduce a risk to an asset.
- **Controls and control activity form part of all major frameworks.**
- **Common frameworks:**
  - ISO/IEC 27001 (ISO: International Organization for Standardization)
  - COBIT (Control Objectives for Information and Related Technologies, published by ISACA)
  - NIST SP 800-53 (NIST: National Institute of Standards and Technology)

### Security Controls

- **Security controls help to** manage risk by reducing it to a level that is acceptable.
- **Residual risk:** the risk remaining after you apply security controls.
- **Control cost vs. impact:** a judgement made by leadership, weighing the cost of the control against the impact it reduces.

**Security Control Triangle:**

- **Physical Controls:** lock, physical barrier
- **Administrative Controls:** directive, what to do and how to behave
- **Technical/Logical Controls:** firewall

### Security Controls - Administrative

- **Directing behavior**
- **Common forms of administrative control:**
  - Policy
  - Procedure
  - Guidelines
  - Standards
- **Are administrative controls effective in isolation?**

### Security Controls - Physical

- **Physical control examples:**
  - Physical Access Control Systems (PACS)
  - Door entry systems
  - CCTV
  - Alarm systems

### Security Controls - Technical/Logical

- **Technical control examples:**
  - Encryption
  - Endpoint security
  - Clustering (for availability)
  - Firewalls
- **Preventive vs. detective:**
  - **Preventive controls** intend to stop a threat action before it succeeds.
  - **Detective controls** intend to identify a threat action that has occurred or is in progress.

### Discussion - Is a control worthwhile?
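The question above, together with the risk matrix and residual-risk points from Module 2 and the "Residual risk" and "Control cost vs. impact" items just before it, can be worked through in code. The following Go program is an added example, not course material: it reads priority from a qualitative likelihood-by-impact matrix (a 3x3 generalization of the 2x2 matrix shown earlier, with assumed cell values), computes the residual priority after a candidate control is applied, picks the cheapest control whose residual is within a stated tolerance, flags risks that were identified but never given a treatment decision, and ranks a register for the report to management. The `Control` fields, the fire-scenario ratings and the costs are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Level is a qualitative rating used for likelihood, impact and priority.
type Level int

const (
	Low Level = iota
	Medium
	High
)

func (l Level) String() string { return [...]string{"Low", "Medium", "High"}[l] }

// Priority reads the risk matrix: priority is the intersection of likelihood
// (rows) and impact (columns). This 3x3 table generalizes the 2x2 matrix in
// the text; the cell values are an assumption of this example.
func Priority(likelihood, impact Level) Level {
	matrix := [3][3]Level{
		{Low, Low, Medium},   // likelihood Low
		{Low, Medium, High},  // likelihood Medium
		{Medium, High, High}, // likelihood High
	}
	return matrix[likelihood][impact]
}

// Treatment is one of the four risk responses from the text.
type Treatment string

const (Accept, Avoid, Mitigate, Transfer Treatment = "accept", "avoid", "mitigate", "transfer")

// Control is a candidate mitigation. Its effect is modelled, as an assumption
// of this example, by how many levels it lowers likelihood and impact.
type Control struct {
	Name                string
	Cost                int // annual cost in currency units (constructed)
	LikelihoodReduction int
	ImpactReduction     int
}

// Risk is an asset exposed to a threat through a vulnerability. A nil
// Treatment means nobody has decided: the risk is being ignored, not accepted.
type Risk struct {
	Asset, Threat, Vulnerability string
	Likelihood, Impact           Level
	Treatment                    *Treatment
}

func lower(l Level, by int) Level {
	if int(l) <= by {
		return Low
	}
	return l - Level(by)
}

// Residual is the priority that remains after a control is applied.
func Residual(r Risk, c Control) Level {
	return Priority(lower(r.Likelihood, c.LikelihoodReduction), lower(r.Impact, c.ImpactReduction))
}

// CheapestAcceptable answers "is this control worthwhile?" for mitigation: the
// lowest-cost candidate whose residual risk is within tolerance. ok is false
// when none qualifies, which points to avoidance, transfer or a deeper assessment.
func CheapestAcceptable(r Risk, tolerance Level, candidates []Control) (best Control, ok bool) {
	for _, c := range candidates {
		if Residual(r, c) > tolerance {
			continue
		}
		if !ok || c.Cost < best.Cost {
			best, ok = c, true
		}
	}
	return best, ok
}

// Ignored lists identified risks that have no treatment decision at all.
func Ignored(register []Risk) []Risk {
	var out []Risk
	for _, r := range register {
		if r.Treatment == nil {
			out = append(out, r)
		}
	}
	return out
}

// Ranked returns a copy of the register ordered by priority, highest first.
func Ranked(register []Risk) []Risk {
	out := append([]Risk(nil), register...)
	sort.SliceStable(out, func(i, j int) bool {
		return Priority(out[i].Likelihood, out[i].Impact) > Priority(out[j].Likelihood, out[j].Impact)
	})
	return out
}

func main() {
	// The fire example from the text, with constructed ratings and costs.
	fire := Risk{Asset: "server room", Threat: "fire", Vulnerability: "no suppression", Likelihood: Low, Impact: High}
	options := []Control{
		{Name: "fire alarm", Cost: 500},                            // protects people, not the servers
		{Name: "sprinklers", Cost: 5000, ImpactReduction: 1},       // limits the damage
		{Name: "gas suppression", Cost: 50000, ImpactReduction: 2}, // best protection, cost-prohibitive
	}
	fmt.Println("inherent priority:", Priority(fire.Likelihood, fire.Impact))
	if c, ok := CheapestAcceptable(fire, Low, options); ok {
		fmt.Printf("recommend %s (cost %d), residual priority %s\n", c.Name, c.Cost, Residual(fire, c))
	}
	mitigate := Mitigate
	register := []Risk{
		{Asset: "web app", Threat: "credential stuffing", Vulnerability: "password-only login",
			Likelihood: High, Impact: High, Treatment: &mitigate},
		fire, // identified, but no treatment decision recorded yet
	}
	for _, r := range Ignored(register) {
		fmt.Println("no decision recorded for:", r.Asset, "/", r.Threat)
	}
	for _, r := range Ranked(register) {
		fmt.Println(Priority(r.Likelihood, r.Impact), r.Asset, r.Threat)
	}
}
```

With the constructed inputs the inherent fire risk rates Medium; the alarm alone leaves it there (it protects people, not systems), sprinklers bring it to Low at a tenth of the cost of gas suppression, so sprinklers are the recommended mitigation, which matches the reasoning in the fire example. The `Ignored` check encodes the rule that a risk with no recorded decision has been ignored, not accepted.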
- **Control assessment:**
  - **Common control frameworks:**
    - ISO/IEC 27001
    - COBIT (and Risk IT)
    - NIST SP 800-53

### What are Security Controls?

- **Security controls pertain to** the physical, technical and administrative mechanisms that act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. The implementation of controls should reduce risk, hopefully to an acceptable level.

**Security Control Triangle:** the diagram shows **Physical Controls**, **Administrative Controls** and **Technical Controls** around the label **Security Controls**.

### Physical Controls

- **Definition:** Address process-based security needs using physical hardware devices, such as badge readers, architectural features of buildings and facilities, and specific security actions to be taken by people. They typically provide ways of controlling, directing or preventing the movement of people and equipment throughout a specific physical location, such as an office suite, factory or other facility.
- **Physical controls also provide** protection and control over entry onto the land surrounding the buildings, *parking lots or other areas that are within the organization's control.* In most situations, physical controls are supported by technical controls as a means of incorporating them into an overall security system.
- **Example:** Visitors and guests accessing a workplace must often enter the facility through a designated entrance and exit, where they can be identified, their visit's purpose assessed, and then allowed or denied entry. Employees would enter, perhaps through other entrances, using company-issued badges or other tokens to assert their identity and gain access. These require technical controls to integrate the badge or token readers, the door release mechanisms and the identity management and access control systems into a *more seamless security system.*

### Technical Controls

- **Definition:** Security controls that computer systems and networks directly implement. These controls can provide automated protection from unauthorized access or misuse, facilitate detection of security violations and support security requirements for applications and data.
- **Technical controls can be:**
  - Configuration settings or parameters stored as data, managed through a software graphical user interface (GUI).
  - Hardware settings made with switches, jumper plugs or other means.
- **However, the implementation of technical controls always requires significant operational considerations and should be consistent with the management of security within the organization.**

### Administrative Controls

- **Definition:** Directives, guidelines or advisories aimed at the people within the organization. They provide frameworks, constraints and standards for human behavior, and should cover the entire scope of the organization's activities and its interactions with external parties and stakeholders.
- **It is vitally important to realize** that administrative controls can and should be powerful, effective tools for achieving information security. Even the simplest security awareness policies can be an effective control, if you can help the organization fully implement them through systematic training and practice.
- **Many organizations are improving their overall security posture by integrating their administrative controls into the task-level activities and operational decision processes that their workforce uses throughout the day.** This can be done by providing them as in-context ready-reference and advisory resources, or by linking them directly into training activities.
These and other techniques bring the policies to a more neutral level and away from the decision-making of only the senior executives. It also makes them immediate, useful and operational on a daily and per-task basis.

### Security Controls Quiz

- **Question 1:** Acceptable use policy
  - **Answer:** Administrative control
- **Question 2:** Badge reader
  - **Answer:** Physical control
- **Question 3:** Stop sign in parking lot
  - **Answer:** Physical control
- **Question 4:** Emergency operations procedures
  - **Answer:** Administrative control
- **Question 5:** Access control list
  - **Answer:** Technical control
- **Question 6:** Door lock
  - **Answer:** Physical control
- **Question 7:** Employee awareness training
  - **Answer:** Administrative control

## Module 4: Governance

**Module Overview**

- Governance Elements
- Compliance: Regulations and Laws
- Standards
- Policies
- Procedures

### Compliance

- **Definition:** A set of rules or guidelines that all members of a group or organization must follow.
- **Components:**
  - **Laws:** Rules that are enforced by the government.
  - **Regulations:** Specific rules for how laws are implemented.
  - **Policies:** General guidelines for how a company should operate.
  - **Procedures:** Step-by-step instructions for how to perform specific tasks.
  - **Standards:** Recommended best practices.
  - **Guidelines:** General guidance on how to perform a task or activity.

### Standards

- **Definition:** Recommended guidelines or best practices.
- **Examples:**
  - ISO/IEC 27001
  - ISO/IEC 27032
  - NIST SP 800-53
  - NIST Cybersecurity Framework

### Policies

- **Definition:** General guidelines for how a company should operate.
- **Components:**
  - What are we doing?
  - Why are we doing it?
- **Typically signed by a member of the board.**

### Procedures

- **Definition:** Step-by-step instructions for how to perform specific tasks.
- **Components:**
  - How we do it.
  - Step-by-step instructions.
- **Typically signed off by a business unit.**
- Needs specific knowledge related to that task.

### Governance Elements

- **Any business or organization exists to fulfill a purpose,** whether it is to provide raw materials to an industry, manufacture equipment to build computer hardware, develop software applications, construct buildings or provide goods and services.
- **To complete the objective requires** that decisions are made, rules and practices are defined, and policies and procedures are in place to guide the organization in its pursuit of achieving its goals and mission.
- **When leaders and management implement the systems and structures that the organization will use to achieve its goals,** they are guided by laws and regulations created by governments to enact public policy. Laws and regulations guide the development of standards, which cultivate policies, which result in procedures.

**How are regulations, standards, policies and procedures related?**

- **Procedures are the detailed steps to complete a task that support departmental or organizational policies.**
- **Policies are put in place by** organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.
- **Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.**
- **Regulations are commonly issued in the form of laws,** usually from government (not to be confused with governance), and *typically carry financial penalties for noncompliance.*

Now that we see how they are connected, we'll look at some details and examples of each.
### Governance Elements: Regulations and Laws

- **Regulations and associated fines and penalties can be imposed by governments at the national, regional or local level.** Because regulations and laws can be imposed and enforced differently in different parts of the world, here are a few examples to connect the concepts to actual regulations.
- **The Health Insurance Portability and Accountability Act (HIPAA) of 1996** is an example of a law that governs the use of protected health information (PHI) in the United States. Violation of the HIPAA rules carries the possibility of fines and/or imprisonment for both individuals and companies.
- **The General Data Protection Regulation (GDPR)** was enacted by the European Union (EU) to control the use of personally identifiable information (PII) of people in the EU. It includes provisions that apply financial penalties to companies that handle the data of *EU citizens and those living in the EU* even if the company has no physical presence in the EU, *giving this regulation an international reach.*
- **Multinational organizations are subject to regulations in more than one nation,** in addition to multiple regions and municipalities. Organizations need to consider the regulations that apply to their business at all levels, national, regional and local, and ensure they are compliant with the **most restrictive regulation.**

### Governance Elements: Standards

- **Organizations use multiple standards as part of their information systems security programs,** both as compliance documents and as advisories or guidelines. Standards cover a broad range of issues and ideas and may *provide assurance that an organization is operating with policies and procedures that support regulations and are widely accepted best practices.*
- **The International Organization for Standardization (ISO) develops and publishes international standards on a variety of technical subjects,** including information systems and information security, as well as encryption standards. ISO solicits input from the international community of experts on its standards *prior to publishing*. Documents outlining ISO standards may be purchased online.
- **The National Institute of Standards and Technology (NIST) is a United States government agency under the Department of Commerce that publishes a variety of technical standards in addition to information technology and information security standards.** Many of the standards issued by NIST are *requirements for U.S. government agencies* and are considered recommended standards by industries worldwide.
- **Finally, think about how computers talk to other computers across the globe.** People speak different languages and do not always understand each other. How are computers able to communicate? **Through standards, of course!** Thanks to the Internet Engineering Task Force (IETF), there are standards for communication protocols that *ensure all computers can connect with each other across borders, even when the operators do not speak the same language*.

## Module 5: (ISC)² Code of Ethics

**Module Overview**

- What are Ethics?
- (ISC)² Code of Ethics

### What are Ethics?

- **Ethics are a set of moral principles that guide a person's behavior.** Ethics are often based on a person's beliefs, values and experiences.
- **Ethical behavior is important because it helps to create a just and fair society.**

**Ethics are shaped by:**

- Society
- Culture
- Law

**Globalization:**

- As the world becomes more interconnected, it is important to consider the ethical implications of our actions.

**What is ethical?**

- **There is no one-size-fits-all answer** to this question. What is considered ethical can vary depending on the situation and the people involved.

### (ISC)² Code of Ethics

- **The safety and welfare of society and the common good, duty to our principals, and to each other,** requires that we *adhere, and be seen to adhere, to the highest ethical standards of behavior*.
- **Therefore, strict adherence to this Code is a condition of certification**.

### Professional Code of Conduct

- **Every (ISC)² member is required to commit to fully support the Canons of the (ISC)² Code of Ethics.**

**The Preamble:** This states the purpose and intent of the (ISC)² Code of Ethics.

**The Canons:**

- **The Canons represent the important beliefs** held in common by the members of (ISC)².
- **The most important tenets are listed first, followed by the rest in order of priority.** Cybersecurity professionals who are members of (ISC)² have a duty to all entities listed in the Canons.
- **An (ISC)² member is expected to:**
  - **Protect society**, the common good, *necessary public trust and confidence*, and the infrastructure.
  - **Act honorably, honestly, justly, responsibly, and legally.**
  - **Provide diligent and competent service to principals.**
  - **Advance and protect the profession.**

### (ISC)² Code of Ethics Quiz

- **Question 1:** True or False? All (ISC)² members commit to uphold and adhere to the Code of Ethics Canons.
- **Answer:** True

## Module 6: Chapter Review

**Chapter 1 Review**

- **Confidentiality, Integrity, Availability (CIA) and Privacy are important foundation concepts** that are *widely referenced and used throughout this course*.
- **Authentication can occur in a variety of ways through different factors.** The correct implementation depends on the level of assurance that we require.
- **Risks, threats, vulnerabilities and likelihood are managed formally by organizations according to their risk appetite.** We should never ignore a risk.

### Course Summary

- **We covered security principles, starting with concepts of information assurance.** We highlighted the CIA triad as the primary components of information assurance.
  - **The "C" stands for confidentiality:** We must protect the data that needs protection and prevent access to unauthorized individuals.
  - **The "I" represents integrity:** We must ensure the data has not been altered in an unauthorized manner.
  - **The "A" symbolizes availability:** We must make sure data is accessible to authorized users when and where it is needed, and in the form and format that is required.
- **We also discussed the importance of:** privacy, authentication, non-repudiation and authorization.
- **You explored the safeguards and countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information.**
- **By applying risk management**, we were able to assess and prioritize the risks (asset vulnerabilities that can be exploited by threats) to an organization.
- **An organization can decide whether to:**
  - **accept the risk (ignoring the risks and continuing risky activities),**
  - **avoid the risk (ceasing the risky activity to remove the likelihood that an event will occur),**
  - **mitigate the risk (taking action to prevent or reduce the impact of an event),** or
  - **transfer the risk (passing risk to a third party).**
- **We then learned about the three types of security controls: physical, technical and administrative.** They act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information. The implementation of security controls should reduce risk, hopefully to an acceptable level.
  - **Physical controls address process-based security needs using physical hardware devices,** such as a badge reader, architectural features of buildings and facilities, and specific security actions taken by people.
  - **Technical controls (also called logical controls) are security controls that computer systems and networks directly implement.**
  - **Administrative controls (also known as managerial controls) are directives, guidelines or advisories aimed at the people within the organization.**
- **You were then introduced to:** organizational security roles and governance, the policies and procedures that shape organizational management and drive decision-making.
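The risk prioritization and the four treatment options reviewed above, worked through as a small risk register in Python. This is an added illustration, not (ISC)² course material; the 1-5 likelihood and impact scale, the score = likelihood × impact rule, the `RISK_APPETITE` threshold and the sample register entries are all constructed assumptions.

```python
from dataclasses import dataclass

RISK_APPETITE = 6   # constructed: highest residual score the organization will carry
TREATMENTS = {"accept", "avoid", "mitigate", "transfer"}  # the chapter's four options


@dataclass
class Risk:
    asset: str
    threat: str                 # who or what could exploit the vulnerability
    vulnerability: str          # the weakness in the asset
    likelihood: int             # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                 # 1 (negligible) .. 5 (severe), constructed scale
    treatment: str = "accept"   # one of TREATMENTS
    likelihood_reduction: int = 0   # effect of a mitigating control
    impact_reduction: int = 0       # effect of a mitigating control or of a transfer

def inherent_score(risk: Risk) -> int:
    """Risk before any treatment: how likely, times how bad."""
    return risk.likelihood * risk.impact

def residual_score(risk: Risk) -> int:
    """Risk left after the chosen treatment option is applied."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment: {risk.treatment}")
    if risk.treatment == "avoid":      # activity ceased: the event cannot occur
        return 0
    if risk.treatment == "accept":     # nothing changes; the risk is carried as-is
        return inherent_score(risk)
    if risk.treatment == "transfer":   # third party absorbs impact; likelihood unchanged
        return risk.likelihood * max(1, risk.impact - risk.impact_reduction)
    # mitigate: a control lowers likelihood and/or impact, never below 1
    return (max(1, risk.likelihood - risk.likelihood_reduction)
            * max(1, risk.impact - risk.impact_reduction))

def prioritize(register: list) -> list:
    """Highest inherent risk first, so treatment effort goes where it matters."""
    return sorted(register, key=inherent_score, reverse=True)

def above_appetite(register: list, appetite: int = RISK_APPETITE) -> list:
    """Assets whose residual risk still exceeds what the organization tolerates."""
    return [r.asset for r in prioritize(register) if residual_score(r) > appetite]

REGISTER = [  # constructed sample register, not real data
    Risk("customer DB", "ransomware", "unpatched server", 4, 5, "mitigate", 2, 1),
    Risk("web portal", "DDoS", "single upstream link", 3, 4, "transfer", 0, 2),
    Risk("legacy FTP", "credential theft", "cleartext logins", 4, 3, "avoid"),
    Risk("lobby kiosk", "defacement", "unlocked cabinet", 2, 2, "accept"),
]
```

With this register, `above_appetite(REGISTER)` returns only `customer DB`: its mitigating control brings the score from 20 down to 8, which is still above the constructed appetite, so the organization knows that accepting the remainder would be a conscious decision rather than an oversight.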
- **We typically derive procedures from policies, policies from standards, standards from regulations.**
- **Regulations are commonly issued in the form of laws, usually from government** (not to be confused with governance) and *typically carry financial penalties for noncompliance.*
- **Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.**
- **Policies are put in place by:** organizational governance, such as executive management, to provide guidance in all activities to ensure the organization supports industry standards and regulations.
- **Procedures are:** the detailed steps to complete a task that will support departmental or organizational policies.
- **Finally, we covered the (ISC)² Code of Ethics, which members of the organization commit to fully support.** Bottom line, *we must act legally and ethically in the field of cybersecurity.*

### Terms and Definitions

- **Adequate Security:** Security commensurate with the risk and the magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of information. Source: OMB Circular A-130
- **Administrative Controls:** Controls implemented through policy and procedures. Examples include access control processes and requiring multiple personnel to conduct a specific operation. Administrative controls in modern environments are often enforced in conjunction with physical and/or technical controls, such as an access-granting policy for new users that requires login and approval by the hiring manager.
- **Artificial Intelligence:** The ability of computers and robots to simulate human intelligence and behavior.
- **Asset:** Anything of value that is owned by an organization. Assets include both tangible items such as information systems and physical property and intangible assets such as intellectual property.
- **Authentication:** Access control process validating that the identity being claimed by a user or entity is known to the system, by comparing one (single factor or SFA) or more (multi-factor authentication or MFA) factors of identification.
- **Authorization:** The right or a permission that is granted to a system entity to access a system resource. Source: NIST 800-82 Rev. 2
- **Availability:** Ensuring timely and reliable access to and use of information by authorized users.
- **Baseline:** A documented, lowest level of security configuration allowed by a standard or
