1. Security Principles


Permitting authorized access to info/protecting it

A security professional’s obligation is to:

  • Regulate access: Protect data, but allow to authorized individuals

PII: Personally Ident. Info: Any data about someone that could ID them PHI: Protected Health Info: Data regarding one's health Sensitivity: Importance of info; need to protect it because of this


Process of verifying and proving people are who they say they are

Three common methods:

  1. Something you know: Passwords/passphrases

  2. Something you have: Tokens, memory or smart cards

Token: An object possessed to authenticate identity NISTIR 7711

  1. Something you are: Biometrics, measurable characteristics

Biometrics: Bio characteristics: Fingerprints, hand geometry, voice, eyes

Legal: A user can't falsely deny having done an action

  • Example: Paying for an item/signing a receipt

  • Capability to determine whether an action was done

  • Example: Denial: Making purchases online/denying it

  • Important all participants trust online transactions

Risk Management

Risk: Measuring the extent an entity is threatened by a potential event:

  1. Adverse impacts, likelihood of occurrence 

Infosec risk: Unauthorized access, use, disclosure, disruption, modification, destruction

Threat actors include:

  • Insiders: deliberate, human error, gross incompetence

  • Outsiders: Planned, opportunistic, discovering vulnerability

  • Formal entities, nonpolitical: Business competitors, cybercriminals

  • Formal entities, political: Terrorists, nation-states, hacktivists

  • Intel & info gatherers: Any of above

Risk Treatment

Making decisions about the best actions regarding identified, prioritized risk

Attempting to eliminate risk entirely

  1. Stopping operation for some; all activities exposed to a risk

  2. May choose when potential impact is too high; great

Security Controls: Safeguards to CIA  

Hardware: Badge readers, building structures

  1. Controlling, directing, people movement through equipment

  2. Protection, control over entry, parking lots

  3. Supported by technical controls in an overall system

Governance Elements/Processes

Detailed steps to complete a task that supports dept/org policies

  • Explicit, repeatable activities needed to accomplish specific task(s) 

ISC2 Code of Conduct

Certification is a privilege. Every ISC2 member is required to commit to fully support the ISC2 Code of Ethics

The safety/welfare of society/the common good, duty to principals, and each other, requires we adhere, to the highest ethical standards of behavior

Last updated