Chapter 1. The Information Security Environment Flashcards


Flashcards in Chapter 1. The Information Security Environment Deck (18)

The process of reviewing a system for compliance against a standard or baseline. Examples include audits of security controls, configuration baselines, and financial records.



Ensuring timely and reliable access to and use of information by authorized users.



A security model in which the three security concepts of confidentiality, integrity, and availability make up the CIA triad. It is also sometimes referred to as the AIC triad.

CIA Triad


Adherence to a mandate; both the actions demonstrating adherence and the tools, processes, and documentation that are used in adherence.



The property that data or information is not made available or disclosed to unauthorized persons or processes.



An act that involves the use of information, information systems, or information technologies in ways that violate the laws that pertain to the system and the information in question.



The natural person who is identified or described by the data.

Data Subject


A legal and ethical duty owed by a provider to a customer, and the actions taken by the provider to fulfill that duty. Due care reflects a judgment of the circumstances or an event that would cause a prudent person to take action. Due care is the standard to which a governing body would be held.

Due Care


The measures taken to manage, oversee, monitor, and assess the successful accomplishment and continued applicability of a duty of due care. Due diligence requires a higher standard of research and application of knowledge than due care. Due diligence is not measured by any absolute standard.

Due Diligence


The process of how an organization is managed; usually includes all aspects of how decisions are made for that organization, such as policies, roles, and procedures the organization uses to make those decisions.



A formal body of personnel that determines how decisions will be made within the organization and that can approve changes and exceptions to current relevant governance.

Governance Committee


The property of information whereby it is recorded, used, and maintained in a way that ensures its completeness, accuracy, internal consistency, and usefulness for a stated purpose.



Refers to creations of the mind: inventions; literary and artistic works; and symbols, names and images used in commerce.

Intellectual Property


The inability to deny. In cryptography, it is a security service by which evidence is maintained so that the sender and the recipient of data cannot deny having participated in the communication. There are two kinds of non-repudiation: "non-repudiation of origin" means the sender cannot deny having sent a particular message, and "non-repudiation of delivery" means the receiver cannot claim to have received a different message than the one they actually did receive.



Any data about a human being that could be used to identify that person.

Personally Identifiable Information (PII)


The right of a human individual to control the distribution of information about themselves.



The entirety of the policies, roles, and processes that an organization uses to make security decisions.

Security Governance


Specific mandates explicitly stating expectations of performance or conformance. Standards can be defined by one entity and adopted by others, or may be internal mandates exclusive to an organization.