ISC2 - CC - Domain 1 - Security Principles


okay

One effective method to prioritize risk is to use a risk matrix, which helps identify priority as the intersection of likelihood of occurrence and impact.

executive management and board of directors

Who is responsible for determining risk tolerance in an organization?

IEEE (Institute of Electrical and Electronics Engineers)

a standards institute that sets standards for telecommunication, computer engineering, and similar disciplines

vulnerability

a gap or weakness in protection efforts of an asset

PII (personally identifiable information)

a term used to describe information that, when combined with other pieces of data, significantly narrows the possibility of association with more individuals.

okay

policies are broad but not detailed like standards and procedures are

asset

something that needs protection

something you have

one of the three authentication factors (something you know, something you have, something you are); examples: smart cards, keys

IETF (Internet Engineering Task Force)

the internet standards organization made up of network designers, operators, vendors and researchers that defines protocol standards, such as IP, TCP and DNS, so that computers can talk to each other even when their users speak different languages

risk management

the process of identifying, evaluating, and controlling threats, including all of the phases of a risk management framework: risk assessment, risk treatment, risk monitoring

Classification

the process of recognizing the organizational impacts if the information suffers any security compromise related to its characteristics of CIA. Information is then labeled and handled accordingly, for example: highly restricted, moderately restricted, low sensitivity, unrestricted public data

threat vector (attack vector)

the technique and approach by which a threat actor carries out their objective

ISO (International Organization for Standardization)

this internationally recognized group develops voluntary international standards in collaboration with its partners in international standardization, the IEC (International Electrotechnical Commission) and the ITU (International Telecommunication Union), particularly in the field of information and communication technology. An example of standardization is how to destroy data in a secure fashion.

Regulation, Standard, Policy, Procedure

what is the order of governance from highest to most granular?

mitigating risk (to a level deemed acceptable by the entity)

what is the purpose of implementing security controls in the risk management process?

FERPA

1974 Family Educational Rights and Privacy Act (Buckley Amendment). Assures confidentiality of student records. Parents are afforded rights to examine and review records, request changes if they are inaccurate, and stipulate who has access.

GDPR (General Data Protection Regulation)

A European Union law establishing broad-reaching data protection standards for any information that could be tied to a single individual, deeming it an individual human right

okay

Employees at all levels of the company are responsible for identifying risk

policies

Governance: these are put in place by executive management to provide guidance in all activities to ensure that the organization supports industry standards and regulations

standards

Governance: often used by governance teams to provide a framework to introduce policies and procedures in support of regulation

procedures

Governance: the detailed list of steps to complete a task that support departmental or organizational policies

regulations

Governance: these are commonly issued in the form of laws by the government and typically carry financial penalties for non-compliance
