Domain 1

The document outlines key security principles including identity assurance, privacy control mechanisms, and safeguarding data, emphasizing the importance of the CIA triad: confidentiality, integrity, and availability. It discusses authentication methods, risk management terminology, and the implementation of security controls to mitigate risks. Additionally, it highlights the significance of privacy regulations like the GDPR and the responsibilities of employees in identifying risks within organizations.

Uploaded by

Appu Aravind

Security Principles

02 February 2025 00:12

Key Topics Include

• Identity Assurance
• Privacy Control Mechanisms
• Safeguarding Data
• Strategic Risk Management

The Confidentiality, Integrity, and Availability (CIA) Triad

Confidentiality means permitting authorized access to information while at the same time protecting it from improper disclosure (keywords: Personally Identifiable Information (PII), protected health information (PHI)).
Integrity is the property of information whereby it is recorded, used, and maintained in a way that ensures its completeness, accuracy, internal consistency, and usefulness for a stated purpose.
Availability means that systems and data are accessible at the time users need them.
Authentication
There are three common methods of authentication:
• Something you know: passwords or passphrases
• Something you have: tokens, memory cards, smart cards
• Something you are: biometrics, measurable characteristics
Methods of Authentication
• MFA: use of two or more distinct instances of the three factors of authentication (something you know, something you have, something you are) for identity verification.
• SFA: use of just one of the three available factors (something you know, something you have, something you are) to carry out the authentication process being requested.
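The MFA/SFA distinction above turns on distinct factor classes, not on the number of authenticators. This added example (not part of the original notes) classifies a set of presented authenticators; the mapping of authenticator names to factor classes is an assumption for illustration.

```python
from enum import Enum


class Factor(Enum):
    """The three factor classes named in the notes."""
    KNOW = "something you know"   # passwords, passphrases
    HAVE = "something you have"   # tokens, memory cards, smart cards
    ARE = "something you are"     # biometrics, measurable characteristics


# Hypothetical mapping of authenticator types to factor classes (assumed
# for this example; a real system would carry this in its policy config).
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "passphrase": Factor.KNOW,
    "security_question": Factor.KNOW,
    "hardware_token": Factor.HAVE,
    "smart_card": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "face_scan": Factor.ARE,
}


def distinct_factors(authenticators):
    """Return the set of distinct factor classes among the authenticators.

    Unknown authenticator names are rejected rather than silently ignored,
    so an unclassified credential can never inflate the factor count.
    """
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_FACTOR]
    if unknown:
        raise ValueError(f"unclassified authenticator(s): {unknown}")
    return {AUTHENTICATOR_FACTOR[a] for a in authenticators}


def classify(authenticators):
    """Return 'MFA' if two or more distinct factor classes are used,
    'SFA' if exactly one. No authenticators at all is an error."""
    factors = distinct_factors(authenticators)
    if not factors:
        raise ValueError("no authenticators presented")
    return "MFA" if len(factors) >= 2 else "SFA"


if __name__ == "__main__":
    # Two authenticators from the same class are still single-factor.
    print(classify(["password", "security_question"]))        # SFA
    print(classify(["password", "hardware_token"]))           # MFA
    print(classify(["smart_card", "fingerprint", "password"]))  # MFA
```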
Non-repudiation
Non-repudiation methodologies ensure that people are held responsible for transactions they conducted.
Privacy
• Privacy is the right of an individual to control the distribution of information about themselves.
• In 2016, the European Union passed comprehensive legislation that addresses personal privacy, deeming it an individual human right.
• The European Union's General Data Protection Regulation (GDPR) applies to all organizations, foreign or domestic, doing business in the EU or with any persons in the EU.
• The General Data Protection Regulation (GDPR) is the regulation that affords data protection and control to individuals within the territorial boundaries of the EU, irrespective of their citizenship.
Introduction to Risk Management

Domain 1 Security Principles Page 1


Risk Management Terminology
• An asset is something in need of protection.
• A vulnerability is a gap or weakness in those protection efforts.
• A threat is something or someone that aims to exploit a vulnerability to thwart protection efforts.
Risk Identification
• Identify risk to communicate it clearly.
• Employees at all levels of the organization are responsible for identifying risk.
• Identify risk to protect against it.
• Security professionals are likely to assist in risk assessment at a system level, focusing on process, control, monitoring, or incident response and recovery.
• Risk assessment is defined as the process of identifying, estimating, and prioritizing risks to an organization's operations (including its mission, functions, image, and reputation), assets, individuals, other organizations, and even the nation.
• Risk treatment involves making decisions about the best actions to take regarding the identified and prioritized risk.
• Risk priorities: when risks have been identified, it is time to prioritize and analyze core risks through qualitative risk analysis and/or quantitative risk analysis.
What are Security Controls?

Security controls are implemented in the risk management process to mitigate the risk to a level that is deemed acceptable by the entity.
• Security controls pertain to the physical, technical, and administrative mechanisms that act as safeguards or countermeasures to protect the confidentiality, integrity, and availability of the system and its information.
• Physical controls address security needs using physical hardware devices, such as badge readers, architectural features of buildings and facilities, and specific security actions taken by staff.
• Technical controls (also called logical controls) are security controls that computer systems and networks directly implement.
• Administrative controls (also known as managerial controls) are directives, guidelines, or advisories aimed at the people within the organization.
Governance Elements

• Regulations and associated fines and penalties can be imposed by governments at the national, regional, or local level.
• Standards: organizations use multiple standards as part of their information systems security programs, both as compliance documents and as advisories or guidelines.
  - Examples: the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Internet Engineering Task Force (IETF), and the Institute of Electrical and Electronics Engineers (IEEE), which also sets standards for telecommunications, computer engineering, and similar disciplines.
• Policy is informed by applicable law(s) and specifies which standards and guidelines the organization will follow. Policy is broad but not detailed; it establishes context and sets out strategic direction and priorities. Governance policies are used to moderate and control decision-making, to ensure compliance when necessary, and to guide the creation and implementation of other policies.
• Procedures define the explicit, repeatable activities necessary to accomplish a specific task or set of tasks. They provide supporting data, decision criteria, or other explicit knowledge needed to perform each task.



Assessment:
• Confidentiality is about limiting access to information/assets and is therefore most similar to secrecy.
• In 2016, the European Union passed comprehensive legislation addressing personal privacy, deeming it an individual human right.
• Security controls are implemented in the risk management process to mitigate the risk to a level that is deemed acceptable by the entity.
• Companies offering identity theft insurance engage in financial risk management by calculating that premium payments or subscription payments will exceed the payouts they may have to make in the event of a claim.
• Personally Identifiable Information (PII) is the term used to describe information that, when combined with other pieces of data, significantly narrows the set of individuals it could be associated with.
• Information security professionals are expected to uphold honourable, honest, just, responsible, and legal conduct, as mentioned in the code of ethics.
• The Preamble to the ISC2 Code of Ethics requires that ISC2 membership "requires that we adhere, and be seen to adhere, to the highest ethical standards of behaviour." Cheating violates this standard. ISC2 has enforcement mechanisms for ensuring membership complies with this requirement.
• In the United States, HIPAA controls how the privacy of medical information must be maintained.
• In risk management terminology, an asset is something in need of protection.
• To mitigate the risk associated with a threat, it is recommended to evaluate how likely an event is to take place and then take appropriate actions to reduce that risk.
• The General Data Protection Regulation (GDPR) is the regulation that affords data protection and control to individuals within the territorial boundaries of the EU, irrespective of their citizenship.
• Employees at all levels of the organization are responsible for identifying risks.
