Security Fundamentals Flashcards
(33 cards)
CODE OF ETHICS CANONS
- Protect society, the common good, necessary public trust and confidence, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
Confidentiality
- Violated by unauthorized access to an application, system, or data
Integrity
- Violated by unauthorized change or removal of data in a system or product
Availability
- Violated by disruption or prevention of access to data or services
Incorporating Stakeholder Input
- Look for subject-matter expertise among internal stakeholders, regardless of their role and responsibilities
- Stakeholder input is critical in the early phases
- Stakeholder buy-in is necessary
- Input from project and program managers is critical
Owner
- Owns the information
* Determines the classification level
Steward
- Manages the data and metadata
* Ensures compliance (standards/controls) and data quality
Custodian
- Is the keeper of the information
* Ensures CIA is maintained
Chief privacy officer
- Ensures privacy of all data in the entire organization
Protecting Privacy: Often mandated by regulations or industry compliance requirements such as HIPAA or PCI DSS
- Data owners
- Data Processors
- Data Remanence
- Collection Limitations
Data Loss Prevention (DLP)
- Provides methods (content inspection and policy enforcement at endpoints, e-mail and web gateways) for ensuring that end users do not transmit sensitive or critical information outside the corporate network
- Detects and blocks data leakage, reducing the likelihood and impact of a breach
Personally Identifiable information (PII)
- Information that can be used to identify an individual
- Typically a first name or initial plus last name, combined with one or more of the following:
- Social Security number, driver's license or ID card number, financial account number, medical/health information
Protected health information (PHI)
- Individually identifiable health information (as defined under HIPAA)
- Health information linked to at least one identifier, such as:
- Name, address, birth date, phone number, e-mail address, Social Security number, URL, IP address
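The DLP, PII and PHI cards above describe what a content-inspection control looks for but not how it avoids crying wolf. The following is an added example (not part of the original flashcards) of a minimal DLP scanner run over a constructed set of outbound messages: it matches dashed US SSNs, candidate card numbers (PANs) that it then confirms with the Luhn checksum so that ticket numbers and serials are not flagged, and a simple PHI heuristic (a labelled date of birth together with a health term). The regexes, the health-term list and the "4111 1111 1111 1111" test card number are assumptions chosen for illustration, not a vendor's rules.

```python
import re

# Constructed sample of outbound messages used only to exercise the detector.
# None of these values is real data: the card number is the well-known
# "4111 1111 1111 1111" test number and the SSN is a made-up value.
SAMPLE_MESSAGES = [
    "Invoice 2024-0042 attached, total 1,299.00 USD",
    "Customer SSN on file: 123-45-6789, please update billing",
    "Card on file 4111 1111 1111 1111 exp 12/27",
    "Ticket ref 4111-1111-1111-1112 escalated to tier 2",
    "John Smith, DOB 1985-03-02, diagnosis code attached",
]

# US SSN in dashed form, excluding area numbers that are never issued
# (000, 666, 900-999) and zero group/serial numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits optionally separated by spaces or dashes (candidate card PAN).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Labelled date of birth; combined with a health term it is treated as PHI.
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*:?\s*\d{4}-\d{2}-\d{2}\b", re.I)
HEALTH_TERMS = ("diagnosis", "prescription", "patient", "treatment")  # assumed list


def luhn_valid(digits):
    """Luhn checksum: True for a well-formed card number.

    Used to drop digit runs that merely look like a PAN (ticket numbers,
    serials), which is the main source of false positives for CARD_RE.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_message(text):
    """Return a list of (category, redacted_value) findings for one message."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # reject look-alikes before reporting
            findings.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    lowered = text.lower()
    if DOB_RE.search(text) and any(t in lowered for t in HEALTH_TERMS):
        findings.append(("PHI", "DOB+health-term"))
    return findings


def dlp_decision(text):
    """Policy hook: block the transmission if any finding is present."""
    return "BLOCK" if scan_message(text) else "ALLOW"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(dlp_decision(msg), scan_message(msg), "|", msg)
```

Note that findings are redacted before they are returned: a DLP alert that carries the full SSN or PAN into a SIEM or ticketing system simply moves the sensitive data somewhere else.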
Data Retention
- Keeping data until it’s no longer needed
Data retention policy
- Identifies how, where, why, and for how long data will be retained
- Operational use / Current and Future use
- Adherence to legal and regulatory requirements
- Periodic audits
Destruction
- Burning
- Shredding
- Pulverizing
- Pulping
Sanitization
- Degaussing: Exposing magnetic media to a strong magnetic field to destroy the recorded data; ineffective on SSDs and other flash media
- Purging: Removing data so that it cannot be recovered even with laboratory techniques (stronger than clearing, which only defeats ordinary recovery tools)
- Wiping: Overwriting every sector of the drive with fixed patterns (1s and 0s) or random data and verifying the result; on SSDs wear levelling can leave untouched copies, so prefer the drive's built-in secure-erase command
- Encryption (crypto-erase): Keeping the media encrypted throughout its life and destroying the key at disposal, which leaves only unrecoverable ciphertext behind
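To make the wiping card concrete, here is an added example (not from the original flashcards) of a three-pass overwrite of a file with zeros, ones and random bytes, with each pass forced to the device with fsync and the result checked for a constructed marker string. The pass sequence and chunk size are assumptions; the caveats in the comments are the practitioner's, not the page's: in-place overwriting is only meaningful where a logical write lands on the same physical location, so it is unreliable on SSDs (wear levelling, spare blocks) and on copy-on-write or snapshotting filesystems, where old copies of the blocks can survive.

```python
import os
import secrets
import tempfile

# Overwrite passes: all zeros, all ones, then random bytes.  The fixed
# patterns defeat casual recovery; the random final pass leaves nothing for
# a later reader to distinguish from noise.
PASSES = (b"\x00", b"\xff", None)


def overwrite_file(path, chunk_size=64 * 1024):
    """Overwrite every byte of the file in place, syncing each pass to disk.

    Caveat: on SSDs and other flash, wear levelling and spare blocks can
    leave the old cells untouched, and copy-on-write filesystems may keep
    the old blocks in snapshots.  Use the device's secure-erase or a
    crypto-erase in those cases instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:  # r+b keeps the length; no truncation
        for pattern in PASSES:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                f.write(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force this pass to the device before the next
    return size


def sanitize_file(path):
    """Overwrite the contents, then unlink the file.  Returns bytes overwritten."""
    size = overwrite_file(path)
    os.remove(path)
    return size


def demo():
    """Write a temp file of constructed sensitive text, wipe it, and report
    whether the marker survived (it should not) and the length was kept."""
    secret = b"PATIENT: Jane Doe, DOB 1985-03-02, SSN 123-45-6789\n" * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)
    return {
        "original_length": len(secret),
        "length_preserved": len(after) == len(secret),
        "marker_present": b"Jane Doe" in after,
    }


if __name__ == "__main__":
    print(demo())
```

The verification step matters as much as the overwrite: a sanitization procedure that is not checked afterwards gives no evidence for the audit the retention policy card calls for.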
Security Control Categories
Administrative, Technical, and Physical
Administrative
Defines policies, procedures, and guidelines:
* Password policy, hiring policy, screening policy, mandatory vacations, training, Rotation of duties
Technical
Controls access to a resource:
* Firewalls, encryption, passwords, IDS/IPS, smart cards, biometrics, RADIUS, antivirus software
Physical
Controls access to facility:
* Locks, Guards, Fences, Video cameras, Gates, Bollards, Dogs, Alarms, Motion Detectors
Preventive
- Stops attacker from performing attack
: Fences, IPS sensors, security guards, gates, locks
Detective
- Identifies an attack that is happening
: Cameras, IDS sensors, anti-malware
Corrective
- Restores a system to its state before the attack
: Disaster recovery plans, business continuity planning, automated (including cloud-based) antivirus and anti-malware quarantine and removal, DLP