Security and Risk Management Flashcards
(24 cards)
CIA Triad
Confidentiality, Integrity, and Availability
Concepts of Confidentiality
Sensitivity- Quality of information
Discretion- Influence or control disclosure to minimize harm or damage
Criticality- Level of mission criticality
Concealment- Hiding or preventing disclosure
Secrecy- Maintaining a secret or preventing disclosure
Privacy- Keeping information confidential that is PII or that might cause harm, embarrassment, or disgrace to the individual
Seclusion- Storing data in an out-of-the-way location
Isolation- Keeping information separated from other data, which prevents commingling of data and disclosure
5 Elements of AAA Service
Identification- Claiming an identity
Authentication- Proving the claimed identity
Authorization- Defining allows and denials of resource and object access for an identity
Auditing- Recording a log of events for a subject or object
Accounting- Reviewing log files to check for compliance and violations in order to hold subjects accountable
AAA Leads To
Nonrepudiation- Subject cannot resort to denial. Established using digital certificates, session identifiers, transaction logs, and access control mechanisms
Protection Mechanisms
Common characteristics of security controls
Layering
Defense in depth- Use of multiple controls in a series. Linear/layered (in series) is better than parallel.
Abstraction
Similar elements are put into groups, classes, and roles that are assigned security controls, restrictions, and permissions as a collective. Subject roles / object classification.
Data Hiding
Preventing data from being discovered or accessed by a subject by positioning the data in a logical storage compartment that is unseen by the subject
Encryption
Art/science of hiding the meaning or intent of a communication from unintended recipients
Security Governance
Collection of practices related to supporting, defining, and directing the organizational security efforts. Equates to corporate/IT governance. Implementation of a security solution and a management method that are tightly connected.
Security Management
Responsibility of upper management, not IT staff. Considered a business operation. The team responsible is autonomous. The security plan MUST be approved by senior management.
Security Management Planning
Ensures proper creation, implementation, and enforcement of a security policy
Top Down Approach
Must be used. Begins with senior management and ends with users.
Security Management Plans
Strategic, Tactical, Operational
Strategic Plans
Long-term, stable plan. Defines the organizational security purpose. Useful for 5 years if updated annually. Should include a risk assessment.
Tactical Plans
Midterm plan that provides more detail on the goals of the strategic plan. Useful for 1 year. Includes project plans, acquisition plans, hiring plans, budget, maintenance, etc.
Operational Plans
Short-term, highly detailed plan. Must be updated monthly or quarterly. Includes resource allotments, budget requirements, staffing assignments, scheduling, and procedures.
Change Management
Goal- to ensure that any change does not compromise security. Purpose- to make changes subject to documentation and auditing, and thus have them approved/scrutinized by senior management
Change Advisory Board
Reviews and approves all changes
Data Classification
Primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality
Data Classification Basis
Usefulness, timeliness, value, cost, age, lifetime, storage, national security implications, who has access, who does not have access, disclosure/damage assessment.
Declassification
Required once an asset no longer warrants or needs the protection of its classification level
Two Classification Schemes
Government/military and commercial business/private sector
Government classification
Top secret, secret, confidential, unclassified.
Top secret: unauthorized disclosure would have drastic effects and cause grave damage