ISC2 - CC - Domain 1 - Security Principles
risk matrix
One effective method to prioritize risk is to use a risk matrix, which helps identify priority as the intersection of likelihood of occurrence and impact.
executive management and board of directors
Who is responsible for determining risk tolerance in an organization?
IEEE (Institute of Electrical and Electronics Engineers)
a standards institute that sets standards for telecommunications, computer engineering, and similar disciplines
vulnerability
a gap or weakness in protection efforts of an asset
PII (personally identifiable information)
a term used to describe information that, alone or when combined with other pieces of data, significantly narrows the set of individuals it could be associated with, so that it can identify a specific person
policies vs. standards and procedures
policies are broad statements of intent and direction; they do not carry the detail that standards and procedures do
asset
something that needs protection
something you have
one of the three authentication factors (something you know, something you have, something you are): a physical object in the user's possession - smart cards, keys
IETF (Internet Engineering Task Force)
the internet standards organization, made up of: - network designers - operators - vendors and researchers, that defines protocol standards such as IP, TCP and DNS so that computers can talk to each other even when their users speak different languages
risk management
the process of identifying, evaluating, and controlling threats, including all of the phases of a risk management framework: - risk assessment - risk treatment - risk monitoring
Classification
the process of recognizing the organizational impacts if the information suffers any security compromise to its confidentiality, integrity or availability (CIA). Information is then labeled and handled accordingly: - highly restricted - moderately restricted - low sensitivity - unrestricted public data
threat vector (attack vector)
the technique and approach by which a threat actor carries out their objective
ISO (International Organization for Standardization)
this internationally recognized group develops voluntary international standards in collaboration with its partners in international standardization, the IEC (International Electrotechnical Commission) and the ITU (International Telecommunication Union), particularly in the field of information and communication technology. - An example of a standardized topic: how to destroy data in a secure fashion
Regulation, Standard, Policy, Procedure
what is the order of governance from highest to most granular?
mitigating risk (to a level deemed acceptable by the entity)
what is the purpose of implementing security controls in the risk management process?
FERPA
1974 Family Educational Rights and Privacy Act (Buckley Amendment). Assures confidentiality of student records. Parents are afforded rights to examine, review, request changes if inaccurate, and stipulate person who has access.
GDPR (General Data Protection Regulation)
A European Union law establishing broad-reaching data protection standards for any information that could be tied to a single individual, deeming it an individual human right
risk identification
Employees at all levels of the company are responsible for identifying risk
policies
Governance: - these are put in place by executive management to provide guidance for all activities and to ensure that the organization supports industry standards and regulations
standards
Governance: - often used by governance teams to provide a framework within which policies and procedures are introduced in support of regulations
procedures
Governance: - the detailed list of steps to complete a task that support departmental or organizational policies
regulations
Governance: - these are commonly issued in the form of laws by the government and typically carry financial penalties for non-compliance