Information Protection Principles
Risk Mitigation: ____________________________________________________________________
Mitigation means taking steps to reduce the probability of occurrence of a particular risk.
USA Patriot Act: ______________________________________________________________________ ___________________________________________________________________________________
The USA Patriot Act reduces the restrictions on law enforcement agencies gathering intelligence within the United States in order to detect and suppress terrorism.
Policy and Procedure Establishment: ____________________________________________________
The overarching principle used to establish proper security levels is the Principle of Least Privilege (PoLP). According to NIST SP 800-179, the PoLP is "The principle that users and programs should only have the necessary privileges to complete their tasks."
Risk Transference: ___________________________________________________________________
Risk transference means you share the risk with another entity since you can never fully remove risk from the picture.
User Awareness: ________________________________________________________________
"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly."
Electronic Communication Privacy Act (ECPA): ______________________________________________
"Provides for reduced criminal penalties where the unauthorized access to the electronic communication is not for a tortious or illegal purpose or private commercial gain. States that the interception of certain satellite transmissions is not an offense unless it is for the purposes of direct or indirect commercial advantage or private financial gain."
Sarbanes Oxley Act (SOX): _______________________________________________________________ _____________________________________________________________________________________
"The Act contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption."
Policies: _____________________________________________________________________________
"a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body." AFIs, proper network use agreements, and cell phone usage doctrines are examples of policies.
Procedures: ________________________________________________________________________
"a series of actions that are done in a certain way or order." Steps outlined by a unit commander for violations of network resources or computer misuse are examples of procedures.
Event vs. Incident: ___________________________________________________________________
An event is "Any observable occurrence in a network or system," while an incident is "An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies."
The AAA model ______________________________, _______________________________, ______________________________, and _____________________________.
Authentication, Authorization, and Accounting (the Triple A model) is a model for protecting access to data; it focuses on controlling who can access information and data.
The CIA Triad ___________________________, __________________________, and ________________________.
Confidentiality, Integrity, and Availability (the CIA triad) focuses on data protection from an IT Security (ITSec) standpoint.
Health Insurance Portability and Accountability Act (HIPAA): ___________________________________
HIPAA is a federal law that requires the creation of national standards to protect personal health information (PHI) from being disclosed without the patient's consent or knowledge.
User Accountability: ________________________________________________________________
Individual accountability should be one of your organization's prime security objectives and derived from a fully informed, well-trained, and aware workforce. Users who can be held accountable are less likely to disrupt or compromise the installation, base, squadron, or other responsible groups.
Risk Avoidance: ____________________________________________________________________
Risk avoidance is the idea that, whatever the activity is that puts you at risk, you decide not to perform that activity anymore in order to avoid the risk. Risk avoidance is typically chosen when a high-risk action is identified and the risk is not worth exposing the unit, device, etc.
Risk Acceptance: __________________________________________________________________
Risk acceptance means that you understand and accept the risk as-is. Furthermore, when accepting risk, a solution to protect against the threat is not implemented because the chances of the threat occurring and the impact of the threat do not warrant the cost of implementing a security control.
Risk Assessment: ________________________________________________________________
Risk assessment is the process of testing security controls to discover a system's strengths and weaknesses/vulnerabilities.
User Agreement: ________________________________________________________________
Users on U.S. Government information systems must agree to certain conditions before they may be granted access. User agreements can contain an acceptable use policy (AUP) for the information system, the classification of information, and the handling of Personally Identifiable Information (PII). They may also contain the user's consent to monitoring of their use of the information system and any other consents that the MAJCOM deems necessary.