ISC2 CC Chapter 1

Objectives

Fundamental concepts

Cybersecurity Principles

Information Assurance

Risk Management

Terminology

Process Summary

Personal and Professional Practices

Types of Security Controls

Distinguish between policies, procedures, standards, regulations and laws. 

Demonstrate the relationship among governance elements. 

Analyze appropriate outcomes according to the canons of the ISC2 Code of Ethics when given examples. 

CIA Triad

Confidentiality

Manage information access

Protect information from disclosure

Integrity

Ensuring information has

Completeness

Accuracy

Internal consistency

Usefulness for a stated purpose

When information is

Recorded

Used

Maintained

Availability

Timely and reliable access to

Data

Services

Systems

Definitions

PII : Personally Identifiable Information

Mother's maiden name

Biometrics

Date and place of birth

Medical

Social Security Number

Educational

Name

Financial

Any information linked or linkable to an individual

Employment

PHI : Protected health information

Provision of health care

Payment for healthcare

Information regarding health status

HIPAA (Health Insurance Portability and Accountability Act)

Classified or sensitive information

Requiring protection against unauthorized disclosure

Marked to indicate its classified status and classification level

Sensitivity

Importance assigned to information by the owner

For the purpose of denoting its need for protection

Applies to

Information or data

Systems and processes for business operations

Organizations

People and their actions

Can be hard when there are many guests or customers

Data integrity

Assurance that there is no unauthorized alteration

System integrity

Maintenance of a known good configuration and expected operational function

State

Entity condition at a point in time

Baseline

Documented, lowest level of security configuration allowed by a standard or organization

Criticality

Measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business

Authentication

Identification or verification of the eligibility of an entity to access information.

Tokens

A physical object a user possesses and controls for authentication

Biometrics

Biological characteristics of an individual, such as a fingerprint, hand geometry, voice, or iris patterns.

MFA : Multi-factor authentication

Using two or three factors of authentication (something you know, something you have, something you are)

Non-repudiation

Protection against a false denial

Privacy

Right to control the distribution of personal information

Risk Management Terminology

Asset

Something in need of protection

Vulnerability

Gap or weakness in those protection efforts

Threat

Something or someone that aims to exploit a vulnerability to thwart protection efforts

Likelihood

Probability that a vulnerability will be exploited within the construct of the associated threat environment.

Likelihood of occurrence

Weighted factor based on a subjective analysis

Impact

Magnitude of harm that can be expected to result from the consequences of an action

Risk assessment

Process of identifying, estimating and prioritizing risks in an organization

Risk treatment

Relates to making decisions about the best actions to take regarding the identified and prioritized risk

Risk avoidance

Decision to attempt to eliminate the risk entirely

Risk acceptance

Decision to take no action to reduce the likelihood of a risk occurring

Risk mitigation

Actions to prevent or reduce the possibility of a risk event or its impact

Risk transference

Pass the risk to another party who accepts the financial impact