Chapter 1: Security Governance Through Principles and Policies Flashcards
The CIA Triad
Confidentiality, Integrity, Availability
The elements of AAA services
Identification
Authentication
Authorization
Auditing
Accountability
The DAD Triad
Disclosure
Alteration
Destruction
Nonrepudiation
Ensures that the subject of an activity, or whoever caused an event, cannot deny that the event occurred.
Prevents a subject from claiming not to have sent a message, performed an action, or been the cause of an event
Authentication vs Authorization
Authentication is verifying that a claimed identity is valid (proving the subject is who it says it is)
Authorization is verifying a user is allowed to perform a specific action
Abstraction
Used to collect similar elements into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective
Adds efficiency to carrying out a security plan
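The AAA chain (identification, authentication, authorization, auditing, accountability), the authentication vs authorization distinction, and abstraction through roles, shown together in one added Python example that is not part of the flashcards. The users, passwords, permission table and audit log format are constructed sample data for illustration.

```python
"""Added example: one request walked through the AAA chain.
Identification  - the subject claims a username.
Authentication  - the claim is proven with a password (PBKDF2 hash compare).
Authorization   - the proven identity is checked against a role's permissions.
Auditing        - every decision is recorded.
Accountability  - each audit entry is tied to the authenticated subject.
All users, passwords and permissions below are constructed sample data."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Abstraction: permissions are attached to roles, not to individual users,
# so adding a user only requires assigning a role (constructed sample table).
ROLE_PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "delete_report"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored credentials are not plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": _hash_password(password, salt), "role": role}


# Constructed sample user store: identification data plus authentication data plus role.
USERS = {u["username"]: u for u in [
    make_user("alice", "correct horse battery staple", "analyst"),
    make_user("bob", "bob-admin-passphrase", "admin"),
]}

AUDIT_LOG: list[dict] = []  # auditing: every decision, success or failure, is recorded


def _audit(subject: str, action: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject,      # accountability: the record names the subject
        "action": action,
        "outcome": outcome,
    })


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claimed identity. Returns True on success."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so response time does not reveal whether the username exists.
        _hash_password(password, b"\x00" * 16)
        _audit(username, "login", "failure")
        return False
    ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])
    _audit(username, "login", "success" if ok else "failure")
    return ok


def authorize(username: str, action: str) -> bool:
    """Authorization: is this already-authenticated subject allowed to do action?"""
    user = USERS.get(username)
    allowed = user is not None and action in ROLE_PERMISSIONS.get(user["role"], set())
    _audit(username, action, "allowed" if allowed else "denied")
    return allowed


def perform(username: str, password: str, action: str) -> str:
    """Full AAA flow for one request: identify -> authenticate -> authorize -> audit."""
    if not authenticate(username, password):
        return "authentication failed"
    if not authorize(username, action):
        return "authorization denied"
    return "ok"


if __name__ == "__main__":
    print(perform("alice", "correct horse battery staple", "read_report"))    # ok
    print(perform("alice", "correct horse battery staple", "delete_report"))  # authorization denied
    print(perform("mallory", "guess", "read_report"))                        # authentication failed
    for entry in AUDIT_LOG:
        print(entry)
```

The point the flashcards make is visible in the return values: alice authenticates successfully but is still denied `delete_report`, because a valid identity says nothing about what that identity may do. The audit log records the failed login for "mallory" as well as the successes, which is what makes the subject accountable.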
Data Hiding
Preventing data from being discovered or accessed by a subject
Security Boundary
Line of intersection between any two areas, subnets, or environments that have different security requirements or needs
Security Governance
Collection of practices related to supporting, defining, and directing the security efforts of an organization
Strategic Plan
Long-term plan that is fairly stable; defines the org's goals, mission, and objectives
Tactical Plan
Mid-term plan developed to provide more details on accomplishing the goals set forth in the strategic plan
Operational Plan
Short-term, highly detailed plan based on the strategic and tactical plans
To create a comprehensive security plan, you need these items in place
Security Policy
Standards
Baselines
Guidelines
Procedures
COBIT
Control Objectives for Information and Related Technology
Framework for IT governance: stakeholder needs are cascaded down into enterprise goals and then into IT-related goals, so that IT objectives trace back to what stakeholders need.
Six Key Principles of COBIT
Provide Stakeholder Value
Holistic Approach
Dynamic Governance System
Governance Distinct from Management
Tailored to Enterprise Needs
End-to-End Governance System