Primary goals are contained in the CIA. The three principles are considered the most important within the realm of security.
Confidentiality is the principle that objects are not disclosed to unauthorized subjects.
Integrity is the principle that objects retain their veracity and are intentionally modified by only authorized subjects.
Availability is the principle that authorized subjects are granted timely and uninterrupted access to objects.
There are multiple meanings and definitions of privacy, why is it important to protect it and what are the issues surrounding it in the work environment and elsewhere?
Active prevention of unauthorized access to information that is personally identifiable.
Freedom from unauthorized access to information deemed personal or confidential
Freedom from being observed, monitored, or examined without consent or knowledge.
It can be hard to balance individual rights to privacy and the rights or activities of an organization.
Identification is the process by which a subject professes an identity and accountability is initiated. AAA.
The process of verifying or testing that a claimed identity is valid is authentication.
Once a subject is authenticated, its access must be authorized.
Security governance is the collection of practices related to supporting, defining and directing the security efforts of an organization.
Auditing, or monitoring is the programmatic means by which subjects are held accountable for their actions while authenticated on a system. It’s also the process by which unauthorized or abnormal activities are detected. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution and produce problem reports and analysis.
An organization’s security policy can be properly enforced only if accountability is maintained. Security can only be maintained if subjects are held accountable for their actions.
Nonrepudiation ensures that the subject of an event or activity cannot deny said event or activity.
Security management planning is based on 3 basic plans. Strategic, Tactical and Operational.
Strategic plans are long-term plans that are fairly stable and they define the organization’s goals, mission and objectives.
Tactical plans are midterm plans developed to provide more details on accomplishing the goals set forth in the strategic plan.
Operational plans are short-term and highly detailed plans based on the strategic and tactical plans.
The elements of a formalized security policy structure are security policy, standards, baselines, guidelines and procedures.
Key security roles are: the Senior Manager, organizational owner, upper management, security professional, user, data owner, data custodian, and auditor.
Know how to implement security awareness training. All new employees require some level of training so they will be able to comply with standards, guidelines, and procedures mandated by the security policy.
Layering simplifies security. Using a multilayered solution allows for numerous controls to guard against threats.
Abstraction is used to collect similar elements into groups, classes or roles that are assigned security controls, restrictions, or permissions as a collective. It adds efficiency to carrying out a security plan.
Data hiding is preventing data from being discovered or accessed by a subject.
Encryption is the art and science of hiding the meaning or intent of a communication from unintended recipients. It is an important element in security controls, especially in regards to transmissions between systems.
Change in a secure environment can introduce loopholes, overlaps, missing objects, and oversights that can lead to new vulnerabilities.
Data is classified to simplify the process of assigning security controls to groups of objects rather than individual objects. There are two common classification schemes: government/military and commercial business/private sector.
Military/Government: Private:
Top Secret Restricted
Secret Confidential
Confidential Internal Use Only
Restricted Public
Unclassified
It’s important to have a declassification policy.
Cobit stands for control objectives for information and related technology. It’s a security concept infrastructure used to organize the complex security solutions of companies.