- When a user cannot deny having performed a certain action on a system.
- Both authentication and integrity are combined.
Nonrepudiation
Users should be granted the minimum amount of access required to do their jobs no more.
Least privilege
Users must know a specific piece of info before accessing it.
Need to know
- Term used to describe an active entity on a system.
- Users and computer programs can be labeled this as well.
Subjects
Term used to describe data on a system
Objects
Multiple safeguards are put into place in order to protect an asset. Safeguards aka controls are measures taken to reduce risks
Defense in Depth
What are some auditing frameworks for the purpose of a security assessment?
SOC1 and SOC2
- Report that covers internal controls over financial reporting.
- Gives your company’s user entities some assurance that their financial information is being handled safely and securely
SOC1
Focuses on implemented security controls in relation to availability security, integrity privacy, and confidentiality
SOC2
A thirty-party is brought in to review the practices of the service provider and make a statement regarding their security posture
Attestation
Documents provided that give written approval to the security company to perform pen test or audit the organization network.
Right to penetration test/right to audit
Process of acquiring products or services from a third party
Procurement
Ensures that the business is continually getting sufficient quality from its third-party vendors
Vendor Governance
What are some steps taken before an acquisition of a company?
Due diligence of acquired company’s current cybersecurity program and assessment of current network security.
When one company is split into two or more companies
Divestitures
What are security concerns relating to divestitures?
The split companies inadvertently maintaining duplicate accounts and passwords
- “protect society, the commonwealth, and the infrastructure.”
- Security professionals are charred with the promotion of safe security practices and improvement of system infrastructure for the public good.
- (ISC)^2 Code of Ethics
First canon of (ISC)^2 Code of Ethics
- “act honorably, honestly, justly, responsibly, and legally.”
- If laws from different jurisdictions are found to be in conflict. Then priority should be given to the jurisdiction in which services are being provided.
- (ISC)^2 Code of Ethics
Second canon of (ISC)^2 Code of Ethics
- “provide diligent and competent service to principles.”
- Security professionals provide competent services for which he or she is qualified.
- (ISC)^2 Code of Ethics
Third canon of (ISC)^2 Code of Ethics
- “advance and protect the profession.”
- Requires security professionals to maintain their skills and advance the skills and knowledge of others.
- (ISC)^2 Code of Ethics
Fourth canon of (ISC)^2 Code of Ethics
A document defined by the RFC regarding the expected ethical behavior on the internet.
Internet Activities Board (IAB) Code of Ethics
According to the Internet Activities Board (IAB) what are some examples of unethical behavior?
Someone who purposely:
Seeks to gain unauthorized access to a resource
Disrupt the intended use of the internet
Wastes resources (people, capacity, computer) through such actions
Destroy the Integrity of computer-based information
Compromises to privacy of users
The collection of practices related to supporting, defining and directing the security efforts of an organization
Security Governance
- High-level management directives
- Mandatory document
Policies
-
Domain 1: Legal and Regulatory Issues58
-
Domain 1: Risk Analysis34
-
Domain 1: Everything Else45
-
Domain 1: Threat Modeling29
-
Domain 2: Classifying Data39
-
Domain 2: Memory and Remanence27
-
Domain 2: Determining Data Security Controls30
-
Domain 3: Security Models31
-
Domain 3: System Design48
-
Domain 3: System Vulnerabilities40
-
Domain 3: Cryptography31
-
Domain 3: Types of Cryptography38
-
Domain 3: Cryptography Attacks and Implementing34
-
Domain 3: Environmental Controls41
-
Domain 4: Communication and Network Security37
-
Domain 5: Authentication Methods47
-
Domain 5: Access Control Technologies49
-
Domain 6: Security Assessment and Testing26
-
Domain 7: Forensics and Incident Response30
-
Domain 7: Assessment Management31
-
Domain 7: BCP/DRP29
-
Domain 7: BCP/DRP pt 230
-
Domain 7 : Backups20
-
Domain 8: Programming Concepts37
-
Domain 8: Databases25
-
Domain 8: Software Security32
-
Domain 4: Communication and Network Security Pt 230
-
Domain 4: Communication and Network Security Pt 339
-
Domain 8: Database pt 223
-
Domain 6: Security Assessment and Testing pt 226
