Confidentiality, integrity, availability or disclosure, alteration, destruction
Ensures that private information remains protected from unauthorized disclosure.
Ensures that data isn't modified in an unintended manner either through accidental modification by authorized individuals or malicious modification by any individual authorized or unauthorized.
Ensures that data is always available for the use of authorized individuals.
The means by which users make an identity claim to the system.
The means by which the system validates the user's identity.
The system's ability to determine which activities may be permitted to an identified and authenticated user.
The system's ability to determine the actions of users within the system and attribute those actions to individually identifiable users.
The inability of the sender of a message to refute sending the message.
The user's level of confidence that their data is safe from unauthorized disclosure.
Five main government classification levels.
Unclassified, sensitive but unclassified, confidential, secret, top secret
Five main industry classification levels.
Public, internal, confidential, restricted, highly restricted
Four criteria for determining classification levels.
Value to the organization, age and useful life of the information, ability of an outsider to independently develop the same information, the potential harm to the organization
Every resource and user is associated with one of an ordered set of classes. Resources of a particular class may only be accessed by those whose associated class is as high as or higher than that of the resource.
Defines relationships between objects and subjects. Subjects are allowed write access to objects at the same or higher level as the subject, read access to objects at the same or higher level as the subject, read access to objects at the same or lower level, and read/write access only to those objects at the same level.
Four levels of security management hierarchy documents.
Policies, standards, guidelines, procedures
Broad statements about the organization's commitment to information security and the goals of the program. Mandatory.
Provide specific technical requirements for security mechanisms. Mandatory.
General guidance in areas of information security where formal policies and standards don't exist. Not mandatory.
Step-by-step instructions for performing specific security-related tasks.
A formal mechanism for responding to any incident that appears to be a violation of a security policy, standard, guideline, or procedure that threatens the overall information security of the organization.
Computer incident response team (CIRT)
Potential harm or loss to a system; the probability that a threat will materialize.
A resource, process, product, system, etc.
Any event that causes an undesirable impact on an organization.
Absence of a safeguard.
Asset, threat, and vulnerability
Risk management (RM) triple
A technical means to exploit a vulnerability.
Percentage of loss a realized threat would cause to an asset.
Exposure factor (EF)
Loss from a single threat
Single loss expectancy (SLE). SLE = asset value ($) x EF
Estimated frequency at which a threat is expected to occur.
Annualized rate of occurrence (ARO)
The product of the SLE and the ARO.
Annualized loss expectancy (ALE). ALE = SLE x ARO
Control or countermeasure to reduce risk associated with a threat.
Two types of risk analysis.
Type of risk assessment that assigns an objective dollar cost to an asset.
Type of risk assessment that assigns intangible values to data loss and other issues that are not pure hard costs.
Four risk management techniques.
Mitigate, avoid, accept, transfer
Risk management technique that puts controls in place to reduce the risk to the organization.
Risk management technique that changes the organization's activities to completely avoid the risk.
Risk management technique that acknowledges the risk and takes no action whatsoever.
Risk management technique that places the burden of the risk on someone else.
Five elements of a security awareness training program.
Initial training, recurring training, retraining, remedial training, security reminders
Four levels of security awareness.
Security awareness, security training, security education, security certification