Chapter 1 - ISC2

The document discusses key security concepts like confidentiality, integrity, availability, authentication, and privacy. It also covers risk management including identifying assets, vulnerabilities, threats, probability and impact of risks. The document then discusses security controls, governance elements like regulations, standards, policies and procedures, and a code of ethics.

Uploaded by Jamaal Jackson

Chapter 1:

Security Concepts:
❖ CIA: Confidentiality, Integrity and Availability
➢ Confidentiality
■ Personally Identifiable Information (PII)
■ Protected Health Information (PHI)
■ Classified or Sensitive Information
● Trade secrets, business plans, intellectual property
■ Sensitivity: the importance assigned to information by its owner
➢ Integrity
■ Complete and Consistent
● Ex: data, systems for BO, people and their actions
■ Data Integrity: data has not been altered in an unauthorized manner
● Covers storage, processing and transit
■ System Integrity: ensuring that maintenance is done so that operation
continues to be functional; the system is working as it should
➢ Availability
■ Reliable access to information
● Not available 100% of the time, but timely and reliable
access when needed; i.e. regular business hours
❖ Authentication: Verification of identity through passwords, biometrics, etc
➢ Single-Factor Authentication (SFA) and Multi-Factor Authentication
(MFA)
❖ Non-Repudiation: Protection against individuals falsely denying having
performed a particular action.
❖ Privacy: Control over information about oneself
➢ Laws and policies help to ensure the safety and integrity of information
across industries and countries. Ex: General Data Protection Regulation
(GDPR)

Risk Management:
❖ Asset: something that needs protection
❖ Vulnerability: a gap or weakness in protection
❖ Threat: something aiming to exploit a vulnerability
➢ Insiders (error or deliberate), outsiders, political and non-political
(competing business vs. terrorist), and technology (bots or AI)
❖ Probability: Likelihood of vulnerability being exploited
❖ Impact: Magnitude of harm that can be expected from event
❖ Risk Identification and Assessment: Taking into account all threats and forming
solutions based on the capacity and need for the asset
➢ Risk avoidance is the decision to attempt to eliminate the risk entirely.
➢ Risk acceptance is taking no action to reduce the likelihood of a risk
occurring.
➢ Risk mitigation is taking actions to prevent or reduce the possibility of a
risk event or its impact.
➢ Risk transference is the practice of passing the risk to another party.
❖ Risk Priorities
➢ Qualitative and Quantitative
❖ Risk Tolerance
➢ Determined by Executive Management

Security Controls:
❖ Security controls pertain to the physical, technical and
administrative mechanisms that act as safeguards
➢ Physical controls address process-based security needs using physical
hardware devices
➢ Technical controls are security controls that computer systems and
networks directly implement.
➢ Administrative controls are directives, guidelines or advisories aimed at
the people within the organization.

Governance Elements and Processes:
❖ Regulations and Laws
➢ HIPAA
➢ GDPR
❖ Standards
➢ International Organization for Standardization (ISO)
➢ National Institute of Standards and Technology (NIST): US standards
➢ Internet Engineering Task Force (IETF): International despite language
➢ Institute of Electrical and Electronics Engineers (IEEE)
❖ Policies
❖ Procedures

Code of Ethics
❖ Preamble
➢ The safety and welfare of society and the common good, duty to our
principals, and to each other, requires that we adhere, and be seen to
adhere, to the highest ethical standards of behavior.
