CISSP
GLBA (Gramm-Leach-Bliley)
1999: Regulates financial institutions. Requires a written information security program. Requires a designated security officer. Limits sharing of financial records.
Six Sigma
A business process for improving quality, reducing costs, and increasing customer satisfaction
COBIT
A framework developed by the Information Systems Audit and Control Association and the IT Governance Institute. Defines the goals for the controls that should be used to properly manage IT and ensure IT maps to business needs. Four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
Quantitative Risk Analysis
A numerical assessment of the probability and impact of the identified risks. Quantitative risk analysis also creates an overall risk score for the project.
Capability Maturity Model Integration (CMMI)
A process improvement approach that provides organizations with the essential elements of effective processes
Digital certificates
A technology used to associate a user's identity to a public key.
Acceptable use policy
Also known as responsible use policy. Describes how individuals may use information systems. Prohibits illegal activity. Describes what personal use is permitted.
Fault Tree Analysis
Approach to map specific flaws to root causes in complex systems.
COPPA
Children's Online Privacy Protection Act (1998). Requires commercial online content providers (websites) to obtain verifiable parental consent for children under the age of 13 before they can collect, archive, use, or resell any personal information pertaining to that child. Personally identifiable information is anything that would allow someone to identify or contact the child (e.g., full name, address, e-mail address, telephone number, or Social Security number, and, when combined with an identifier, information collected through cookies such as hobbies, interests, or other data concerning the child and/or the parents). It is important for librarians to understand these rules so that they can assist children who are asked for parental consent before engaging in certain online activities and, if necessary, guide them to other sites that do not collect personal information.
control frameworks, why adopt
COBIT: business-focused control framework. ISO 27001: part of a series of business standards. NIST 800-53: mandatory for federal agencies.
redundant components
Components used so that a functioning computer can take over automatically the tasks of a similar component that fails
GDPR Provisions
Consent. Right to be informed. Right to restrict processing. Right to be forgotten. Data breaches.
Hash Functions
Create message digests from large files.
compliance obligations
Criminal law, civil law, administrative law, private regulations.
Information Security Policy
Designation of individuals responsible for security. Description of security roles and responsibilities. Authority for the creation of security standards. Authority for incident response. Process for policy exceptions and violations.
Criminal Law
Deter and punish acts detrimental to society. Punishable by the deprivation of liberty.
Separation of Duties
Dividing responsibilities between two or more people to limit fraud and promote accuracy of accounting records.
Integrating Security Governance
Ensure governing bodies understand risk and controls. Inform governing bodies of security incidents. Provide audit reports to governing bodies.
Availability
Ensure that information and systems are available for authorized users when needed.
Administrative Law
Facilitate effective government. HIPAA.
GLBA (Gramm-Leach-Bliley Act)
Federal law enacted in 1999 to control the ways that financial institutions deal with the private information of individuals
Private Regulations
Flow from contractual relationships. PCI-DSS.
BCP Policy
Framework for building the business continuity plan.
18 USC 1029
Fraud and related activity in connection with access devices
18 USC 1030
Fraud and related activity in connection with computers
FISMA
Governs information security for federal agencies and government contractors.
risk assessment
Identify assets. Determine the likelihood that a threat exploits a vulnerability. Determine the business impact of these potential threats. Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Software License Agreement
Individuals who may use the software. Amount of information that may be processed. Locations of use. Number of servers.
Security Governance
Information Governance Committee, Risk Management Committee, Board of Directors.
Office of Foreign Assets Control (OFAC)
Maintains a list of countries with which transfers of assets or anything of value including cash, payments, and services may be prohibited.
The Ministry of Defence Architecture Framework
Makes sure all data is presented in the right format.
Military-oriented architecture framework
Ensures that all of the military's operations can communicate with each other; e.g., a spy satellite image must be readable by the software that uses it.
Availability Controls
Malicious attackers, component failures, application failures, utility failures.
Business Impact Analysis (BIA)
Maximum tolerable downtime, operational disruption and productivity, financial considerations, regulatory responsibilities, reputation.
Agreement Types
Negotiated contracts. Click-through agreements (take it or leave it). Shrink-wrap agreements (included with physical software).
OECD
Organization for Economic Cooperation and Development
Security Procedures
Outline a step-by-step process for an activity. May require compliance, depending upon circumstances.
Risk Categories
Physical, human interaction, equipment malfunction, inside and outside attacks, misuse of data, loss of data, application error.
Security Policy Framework
Policies, standards, guidelines, procedures.
HITECH
Privacy laws related to electronic transmission of health information
Encryption
Process of converting readable data into unreadable characters to prevent unauthorized access.
GDPR
Processing must be lawful, transparent, and fair. Data must be collected for specific, legitimate purposes. Collect the minimum amount of data. Ensure the accuracy of information. Delete information when no longer needed. Protect the security of personal information.
CFAA (Computer Fraud and Abuse Act)
Prohibits unauthorized access to computer systems. Prohibits the creation of malicious code. Hacking is a criminal offense.
Patents
Protect inventions. Requirements: novelty, usefulness, non-obviousness. Patents generally last for 20 years. Patents require public disclosure of the invention. Trade secrets offer an alternative to patent protection.
high availability
Protect services against the failure of a single server.
Security Standards
Provide specific details of security controls. Derive their authority from policies. Require compliance from all employees.
Attack Tree
Provides a visual image of the attacks that may occur against an asset.
NIST 800-53
Publication that recommends security controls for federal information systems and organizations, except those designed for national security.
FERPA
Regulates handling of student educational records. Provides right of inspection. Provides right to request corrections. Restricts release of personal information.
Civil Law
Resolve disputes; remedy is monetary damages.
Export Controls
Restrict the flow of goods and data for military and scientific purposes.
Access Controls
Restrict users from accessing sensitive information without permission.
ECPA (Electronic Communications Privacy Act)
Restricts the interception or monitoring of oral and wire communications unless the interception or monitoring is undertaken for a business purpose or by consent. Employers may monitor employees' emails and communications, with some exemptions.
AV × EF
SLE (Single Loss Expectancy)
Denial Attacks
Seek to undermine availability
PII Elements
Social Security numbers, driver's license numbers, bank account numbers. Notify individuals if there is a breach.
18 USC 2701
Stored wire and Electronic Communications and Transactional Records access.
Due Diligence
Taking reasonable measures to investigate security risks.
ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for Information Technology Services Management (ITSM), Information Technology (IT) development and IT operations. ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
Non-repudiation
The security principle of providing proof that a transaction occurred between identified parties. Repudiation occurs when one party in a transaction denies that the transaction took place.
ARO (Annualized Rate of Occurrence)
Calculated by dividing the number of failures by the number of years between failures. Example: 1 failure every 5 years (1/5 = 0.20, or 20%).
Threats × vulnerability × asset value
Total Risk
Mandatory Vacation
Two consecutive weeks of vacation, because fraud may come to light during a period when the employee cannot cover it up.
Zachman Architecture Framework
What, how, where, who, when, and why? Each row should explain the company from that row's perspective (IT, HR, Marketing, etc.).
job rotation
A job enrichment strategy that involves moving employees from one job to another.
Least Privilege
A principle that users are granted the privilege for an activity only if there is a justifiable need to grant that authorization.
Qualitative Risk Analysis
A subjective approach to determining the likelihood that a risk will actually occur and the impact to the project if it does.
OECD (Organization for Economic Cooperation and Development)
Collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, accountability.
Sherwood Applied Business Security Architecture (SABSA) Framework
Contextual, conceptual, logical, physical, component, and operational levels. Done in phases. Ask what, why, how, who, where, and when at each layer.
COSO Framework
Control environment, risk assessment, control activities, information and communication, monitoring.
Integrity Controls
Controls that reject invalid data inputs, prevent unauthorized data outputs, and protect data and programs against accidental or malicious tampering.
Intellectual property Protections
Copyrights, trademarks, patents, trade secrets.
ITAR
Covers defense articles: firearms, tanks, submarines.
Due diligence objective
Detect problems.
Don't make the policy too specific
Don't make the policy too specific.
FISMA
Federal Information Security Management Act: US law that requires federal agencies to create, document, and implement a security program.
Due Care Theory
Focuses on the relative vulnerability of the customer, who has less information and expertise than the firm, and the ethical responsibility that places on the firm.
Risk Management process
Frame risk, assess risk, respond to risk, monitor risk.
The Open Group Architecture Framework (TOGAF)
Originated from the Department of Defense. Covers business architecture, data architecture, application architecture, and technology architecture. Uses the ADM (Architecture Development Method). Analogy: people don't build cities without planning.
Corporate Acquisition
Combine to eliminate redundancies between security systems.
Policies and standards are mandatory
Guidelines are optional.
Ethics
(ISC)² has its own code of ethics.
Building a business case
Justify the investment of time and money. Balance security and business concerns. Achieve confidentiality, integrity, and availability goals.
Patch management
Keeping operating systems and applications patched to current levels; also enhances availability.
ITADA
Makes identity theft a federal crime.
NIST 800-39 risk tiers
Organizational tier, business process tier, information systems tier.
PCI DSS
Payment Card Industry Data Security Standard: applies to credit card data; aims to prevent identity theft.
PIPEDA
Personal Information Protection and Electronic Documents Act.
copyright
Protect creative works against theft: works, web content, art, music, computer software. Granted to the creator automatically. Provided for 70 years beyond the creator's death. Covered work moves to the public domain after expiration.
Encryption
Protects against data breaches.
Security Guidelines
Provide security advice to the organization. Follow best practices from industry. Compliance with guidelines is not mandatory.
Security Policy
Provide the foundation for a security program. Are written carefully over a long period of time. Require compliance from all employees.
Export Administration Regulations (EAR)
regulations designed to control the export and re-export of most commercial items. EAR restrictions vary from country to country, and embargoed countries such as Cuba, North Korea, Sudan, Syria and Iran are prohibited from receiving US exports. EAR does not control all goods, services, and technologies, however.
Corporate divestiture
Require separate controls.
Enterprise Security Architecture
Studies the enterprise architecture and business environment to develop an overall strategy and plan that best fits enterprise-specific needs.
Steganography
The art and science of hiding information by embedding messages within other, seemingly harmless messages.
Supply Chain Risk Management
The practice of managing the risk of any factor or event that can materially disrupt a supply chain, whether within a single firm or across multiple firms.
Residual Risk
The risk that remains after management implements internal controls or some other response to risk.
18 USC 2510
Wire and electronic communications interception and interception of oral communications.
Trademarks
Words, symbols, names, or devices used to specify goods and to differentiate them from others. Granted upon registration. Provided for renewable 10-year periods. Granted contingent upon active use in commerce.