PRE5

Cards (62)

  • Strategic documentation
    • Long-term strategic and short-term tactical objectives
    • Contains secrets and insight that competitors may want to access
  • Products/service information
    • Critical information about products and services
    • Source code for in-house developed application
    • Data or information products that are sold to customers
  • Intellectual property/patents
    • Information security controls to protect intellectual property, including developing software
  • Proprietary knowledge/trade secrets
    • Unique insights and understanding that give your business a competitive advantage
  • Ongoing project documentation
    • Documented details of products or services that are in the process of being launched
  • Employee Data
    • Collect and retain data about employees, including performance reviews, employment history, salaries and other information
  • WHO IS RESPONSIBLE FOR PROTECTING AN ORGANIZATION’S INFORMATION ASSETS?
    01. Those in the field of information security
    02. Those in the field of IT
    03. Those from the rest of the organization
  • INFORMATION TECHNOLOGY IS THE VEHICLE THAT STORES AND TRANSPORTS INFORMATION—A COMPANY’S MOST VALUABLE RESOURCE—FROM ONE BUSINESS UNIT TO ANOTHER.
  • The emergence of executive-level information security managers allows for the creation of professionally managed information security teams that have a primary objective to protect information assets, wherever and whatever they may be.
  • INFORMATION SECURITY
    Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.
  • INFORMATION ASSETS
    The focus of information security; information that has value to the organization, and the systems that store, process, and transmit the information.
  • KEY CHARACTERISTICS OF INFORMATION SECURITY
    Confidentiality - limiting access to information only to those who need it, and preventing access by those who do not.
    Integrity - implementing controls that ensure the consistency and accuracy of stored data throughout its entire life cycle, protecting information from being modified by unauthorized parties.
    Availability - ensuring that users, either people or other systems, have access to information in a usable format.
  • CIA triad
    Confidentiality, integrity, and availability; a more comprehensive list of critical characteristics and processes includes:
  • Privacy
    Information that is collected, used, and stored by an organization should be used only for the purposes stated by the data owner at the time it was collected
  • Identification
    The first step in gaining access to secured material, and it serves as the foundation for subsequent authentication and authorization
  • Authentication
    The process by which a control establishes whether a user (or system) is the entity it claims to be
  • Authorization
    After the identity of a user is authenticated, a process called authorization defines what the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to do, such as access, modify, or delete the contents of an information asset
  • Accountability
    A control provides assurance that every activity undertaken can be attributed to a named person or automated process
  • INFORMATION SECURITY IMPORTANT FUNCTIONS
    • PROTECT THE ORGANIZATION’S ABILITY TO FUNCTION
    • ENABLE THE SAFE OPERATION OF APPLICATIONS
    • PROTECT THE DATA
    • SAFEGUARD INFORMATION ASSETS
  • Threats
    A threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss. Threat agents damage or steal an organization’s information or physical assets by using exploits to take advantage of a vulnerability where controls are not present or no longer effective.
  • SECURITY CONTROLS
    What are Security Controls?
    Security Controls are countermeasures or safeguards used to reduce the chances that a threat will exploit a vulnerability.
  • THREE DIFFERENT SETS OF SECURITY CONTROLS
    • Managerial Security Controls
    • Operational Security Controls
    • Technical Security Controls
  • Management Security Controls
    Managerial controls focus on the management of the information system and the management of risk for a system. They are techniques and concerns that are normally addressed by management.
  • The following are managerial security controls:
    • Risk assessment
    • Planning
    • System and services acquisition
    • Certification, accreditation, and security assessments
  • Operational controls address security methods focusing on mechanisms primarily implemented and executed by people (not technology). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely on management activities as well as technical controls.
  • The following are operational security controls:
    • Personnel Security
    • Physical and
    • Contingency planning
    • Awareness and training
  • Technical controls focus on security controls that the computer system executes. The controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. Technical controls use software and data to monitor and control access to information and computing systems.
  • The following are technical security controls:
    • Encryption
    • Antivirus and Anti-Malware Software
    • Firewalls
  • What is Ethics?
    Some define ethics as the organized study of how humans ought to act. Others define it as a set of rules we should live by. The student of information security is not expected to study ethics in a vacuum, but within a larger framework. However, Infosec professionals may be expected to be more informed about the topic than others in the organization, and they must often withstand a higher degree of scrutiny.
  • The Ten Commandments of Computer Ethics
  • 1. Thou shalt not use a computer to harm other people
  • 2. Thou shalt not interfere with other people’s computer work
  • 3. Thou shalt not snoop around in other people’s computer files
  • 4. Thou shalt not use a computer to steal
  • 5. Thou shalt not use a computer to bear false witness
  • 6. Thou shalt not copy or use proprietary software for which you have not paid
  • 7. Thou shalt not use other people’s computer resources without authorization or proper compensation
  • 8. Thou shalt not appropriate other people’s intellectual output
  • 9. Thou shalt think about the social consequences of the program you are writing or the system you are designing
  • 10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans