30 Cards in this Set
The concept of security |
Security is used in at least two senses:
- a condition, in which harm does not arise despite the occurrence of threats
- a set of safeguards, whose purpose is to achieve that condition |
|
Main information security concerns |
Information quality
- validity
- reliability
- completeness, etc.
Information accessibility
- access when required
- by those who should have it
- and not by others
Information usability |
|
Core principles |
- confidentiality
- integrity
- availability
- non-repudiation
- authenticity
- privacy
- accountability
- assurance |
|
Common perception of information security |
Cost factor only
- can do without it
- need to be able to convince them otherwise, which is complicated
Highly complicated
- business needs to be involved
Expensive
- yes, in some cases it is, but it is not a cost, it is an investment |
|
Complexity |
Info security is currently where networking was 15-20 years ago |
|
2 key messages |
Due care - establishment of controls
Due diligence - maintenance of controls |
|
Information Security is more than just technology |
Challenges
- organising requirements
- getting the level of detail right
- prescription vs options
- inclusion of background material
- everyone has security in their job, but the details differ |
|
Enterprise wide risk management |
- technology
- architecture
- governance and management
- entire business needs to be involved |
|
Consequences |
Poor information security outcomes are usually the result of poor management, not poor technical controls |
|
Supporting controls |
There have to be complementary controls:
- management controls
- operational controls
- technical controls
- physical controls |
|
Administrative Controls (Management Controls) |
- Policies
- Standards
- Guidelines
- Personnel screening
- Security awareness training |
|
Operational controls |
- Processes (business and security)
- Physical access control
- Safety equipment (UPS, backup)
- DRP/BCP |
|
Technical Controls |
- Logical access control
- Encryption
- Security devices
- Identity management
- Authentication |
|
Physical Controls |
- Facility protection
- Security guards
- Locks, monitoring, environmental controls
- Intrusion detection |
|
Controls breakdown |
- Preventive controls
- Detective controls
- Deterrent controls
- Corrective controls
- Recovery controls
- Compensating controls |
|
Preventative Controls |
Attempt to avoid the occurrence of the unwanted event. Eg:
- Authentication
- Authorisation
- Access control
- Non-repudiation
- Transaction privacy
- Fence |
|
Detective Controls |
Attempt to identify unwanted events after they have occurred. Eg:
- Audit
- Intrusion detection and containment
- Logs
- Review of incident reports
- IDS
- CCTV, sentry |
|
Deterrent Controls |
Intended to discourage individuals from intentionally violating information security policies or procedures. Eg:
- Policy
- Standards
- Security banners
- Warning signs |
|
Corrective Controls |
Attempt to remedy the circumstances that allowed the unauthorised activity, or return conditions to what they were before the violation. Eg:
- Isolation
- Resetting
- Reformatting
- Termination
- Terminate connection, isolate, unplug, checkpoint restart
- Fire extinguisher |
|
Recovery Controls |
Restore lost computing resources or capabilities and help the organisation recover monetary losses caused by a security violation. Eg:
- Backup
- Fault tolerance
- RAID (0, 1, 5)
- DR plan
- Tape backups
- Reconstruction, rebuild |
|
Compensating Controls |
Attempt to reduce the risk that an existing or potential control weakness will result in a failure to meet a control objective; a last attempt to secure data. Eg:
- Layered defence
- Culture
- Supervision
- Job rotation
- Need to know
- Diskless workstation |
|
Read Tipton & Krause 2003; PCI Security Standards Council, LLC, 2014 |
|
Risk |
A threat event creates an attack, which exploits a vulnerability and results in an impact |
|
Controls |
- A detective control discovers an attack and triggers a preventative control, which protects the vulnerability, reduces the impact and complements a compensating control
- A deterrent control reduces the likelihood of an attack
- A corrective control tries to decrease the impact
- A recovery control tries to correct the impact (i.e. restore from backup etc) |
|
Key principles 1-2 |
1. A common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organisation
2. A common risk framework supported by appropriate standards is used throughout the organisation to manage risks |
|
Key principles 3-4 |
3. Key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organisation
4. A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities |
|
Key principles 5-6 |
5. Governing bodies (e.g. boards, risk committees, etc) have appropriate transparency and visibility into the organisation's risk management practices to discharge their responsibilities
6. Executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program |
|
Key principles 7-8 |
7. Business units (departments, agencies etc) are responsible for the performance of their business and the management of the risks they take within the risk framework established by executive management
8. Certain functions (e.g. HR, Finance, IT, tax, legal etc) have a pervasive impact on the business and provide support to the business units as it relates to the organisation's risk program |
|
Key principle 9 |
9. Certain functions (e.g. internal audit, risk management, compliance, etc) provide objective assurance as well as monitor and report on the effectiveness of an organisation's risk program to governing bodies and executive management |
|
Coso Cube |
Look into |