Chapter 1 (Domain 1 & 3) Flashcards
Security Governance Through Principles and Policies
Confidentiality
The goal of confidentiality protection is to prevent or minimize unauthorized access.
Sensitivity
Sensitivity refers to the quality of information, which could cause harm or damage if disclosed.
Discretion
Discretion is an act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
Criticality
The level to which information is mission critical is its measure of criticality. The higher the level of criticality, the more likely the need to maintain confidentiality.
Concealment
Concealment is the act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction.
Secrecy
Secrecy is the act of keeping something secret or preventing the disclosure of information.
Privacy
Privacy refers to keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
Seclusion
Seclusion involves storing something in an out-of-the-way location, likely with strict access controls.
Isolation
Isolation is the act of keeping something separated from others.
Integrity
Integrity is the concept of protecting the reliability and correctness of data.
Availability
Availability means authorized subjects are granted timely and uninterrupted access to objects.
DAD Triad
Disclosure, alteration, and destruction. Represents the failures of security protections in the CIA Triad.
AAA services
Identification, Authentication, Authorization, Auditing, Accounting
Defense In Depth terms
Level, multi-leveled, layers.
Classifications, zones, realms, components, compartments, silos, segmentation, lattice structure, and protection rings.
Abstraction
Abstraction is used for efficiency. Similar elements are put into groups, classes, or roles that are assigned security controls, restrictions, or permissions as a collective.
Data Hiding
Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is not accessible to or seen by the subject.
Three types of security management planning
1) Strategic
2) Tactical
3) Operational
Organization Roles
Senior Manager - Ultimately responsible for the security maintained by an organization.
Security Professional - Writing and implementing policies
Asset Owner - Responsible for classifying information for placement and protection
Custodian - Implements the controls
User - Responsible for understanding and upholding the security policy
Auditor - Reviewing and verifying that the security policy is properly implemented.
Merger/Acquisition Risks
- Inappropriate information disclosure
- Data loss
- Down time
- Failure to achieve sufficient ROI
What is COBIT?
Control Objectives for Information and Related Technology - A security concept framework used to organize the complex security solutions of companies.
COBIT Six key principles
1) Provide stakeholder value
2) Holistic approach
3) Dynamic governance system
4) Governance distinct from management
5) Tailored to enterprise needs
6) End-to-end governance
NIST 800-53 Rev 5
Contains U.S. government-sourced general recommendations for organizational security.
CIS
Center for Internet Security - Provides OS, application, and hardware security configuration guides
NIST Risk Management Framework (RMF)
Establishes mandatory requirements for federal agencies.
Six phases:
1) Categorize
2) Select
3) Implement
4) Assess
5) Authorize
6) Monitor