lOMoARcPSD|9452196

INFO ASSURANCE AND SECURITY2

was stored in servers in multiple areas, leaving us open to

risk.

World Risk Map

Information is one of the most significant resources.

Non-substantial

20 different risk markers grouped under five main categories

Security, Medical, Political, Environmental and Infrastructural Risks

The need for skilled workers and allocation of funds for security within their
budget: Companies are making the effort to allocate more funds in their budgets
for security.

True

First Reason why investing in information security is significant

Rising cost of breaches

Fourth Reason why investing in information security is significant

 lOMoARcPSD|9452196

Funded hackers and wide availability of hacking tools What jobs in

information security is this?

Salary: $95,510
Responsibilities: Information security analysts monitor their companies’ computer
networks to combat hackers and compile reports of security breaches.

Information Security Analyst

Feeling confident about their organization’s security level: When information

security community members participated in the Cybersecurity Trends Report,
they were asked how positive they felt about their security stance.

True
What jobs in information security is this?

Salary: $104,000
Responsibilities: Create an in-office network for a small business or a cloud
infrastructure for a business with corporate locations in cities on opposite coasts.

Computer Network Architects

Disruptions in their day-to-day business: Time is money.

True

Second Reason why investing in information security is significant

 lOMoARcPSD|9452196

Increasingly sophisticated attackers

Third Reason why investing in information security is significant

Proliferation of iot devices

What jobs in information security is this? Salary:

$103,560
Responsibilities: Software developers can be tasked with a wide range of
responsibilities that may include designing parts of computer programs and
applications and designing how those pieces work together.

Software developer

Fifth Reason why investing in information security is significant

Regulatory compliances

What jobs in information security is this? Salary:

$139,000
Responsibilities: Information systems managers work toward ensuring a
company’s tech is capable of meeting their IT goals.

Computer and Information Systems Managers

PRELIM EXAM:
 lOMoARcPSD|9452196

The Layer describes the notion that the physical acess to any
system, server, computer, data center, or another physical object storing
confidential information has to be constrained to business ought-to-know.

Physical Access

The principle dictates that information should solely be viewed

by people with appropriate and correct privileges.

Confidentiality
consists of changing the data located in files into unreadable bits
of characters unless a key to decode the file is provided.

Encryption

The Layer describes the notion that access to infrastructure

components has to be constrained to business ought-to-know. For instance,
access to servers.

Infrastructure Access

The contemporary differs substantially from the classic one,

which used pen and paper for encryption and which was far less complex.

cryptography

The aim of is to ensure that information is hidden from people

unauthorized to access it.

confidentiality
 lOMoARcPSD|9452196

The establishment of the rotor machine and the subsequent

emergence of electronics and computing enabled the usage of much more
elaborate schemes and allowed confidentiality to be protected much more
effectively.

Enigma

The principle dictates that information should solely be viewed

by people with appropriate and correct privileges.

Confidentiality

The Layer describes the notion that data ought to be secured

while in motion.

Data In Motion

The Layer describes the notion that access to end-user

applications have to be constrained to business ought-to-know.

Application Access

The concept of layers illustrates that data communications and

are designated to function in a layered manner,
transferring the data from one layer to the next.

computer network protocol

CIA stands for , integrity, and availability and these are the
three main objectives of information security.

confidentiality
 lOMoARcPSD|9452196

To continue, confidentiality can be easily breached so each employee in an

organization or company should be aware of his responsibilities in maintaining
confidentiality of the delegated to him for the exercise
of his duties.

information

A principle which is a core requirement of information security for the safe

utilization, flow, and storage of information is the

CIA triad

As regards to , its means of protection are somewhat similar –

access to the area where the information is kept may be granted only with the
proper badge or any different form of authorization, it can be physically locked
in a safe or a file cabinet, there could be access controls, cameras, security, etc.

physical data

: assuring that information and programs are changed only in a specified

and authorized manner.
Integrity
: controlling who gets to read information.
Confidentiality
 lOMoARcPSD|9452196

The requirements for applications that are connected to

will differ from those for applications without such interconnection. external
systems
For a , the chief concern may be ensuring the
confidentiality of classified information, whereas a funds transfer system
may require strong integrity controls.
national defense system
: assuring that authorized users have continued access to information and
resources.
Availability

The weight given to each of the three major requirements describing needs for
information security—confidentiality, integrity, and availability—depends
strongly on
circumstances
Early disclosure may jeopardize advantage, but disclosure just
before the intended announcement may be insignificant.
competitive
A that must be restored within an hour after disruption
represents, and requires, a more demanding set of policies and controls than
does a similar system that need not be restored for two to three days.
 lOMoARcPSD|9452196

system
is a requirement whose purpose is to keep sensitive information from being
disclosed to unauthorized recipients.
confidentiality
With attacks, for example, even legitimate and honest users of an
owner mechanism can be tricked into disclosing secret data.
Trojan horse

The framework within which an organization strives to meet its needs for
information security is codified as
security policy
To be useful, a must not only state the security need (e.g., for
confidentiality—that data shall be disclosed only to authorized individuals), but
also address the range of circumstances under which that need must be met and
the associated operating standards.
security policy
may prevent people from doing unauthorized things but cannot prevent them
from doing things that their job functions entitle them to do.
Technical measures
Some are explicitly concerned with protecting information and
information systems, but the concept of management controls includes much
more than a computer's specific role in enforcing security.
 lOMoARcPSD|9452196

management controls
Computers are entities, and programs can be changed in a
twinkling, so that past happiness is no predictor of future bliss.
active
An effective controls is needed to cover all aspects of
information security, including physical security, classification of information,
the means of recovering from breaches of security, and above all training to
instill awareness and acceptance by people.
program of management
A is a concise statement, by those responsible for a system
(e.g., senior management), of information values, protection responsibilities,
and organizational commitment.
security policy
In any particular circumstance, some threats are more probable than others,
and a must assess the threats, assign a level of concern
to each, and state a policy in terms of which threats are to be resisted.
prudent policy setter
are the mechanisms and techniques—administrative, procedural, and
technical—that are instituted to implement a security policy.
Management controls
A major conclusion of this report is that the lack of a clear
of security policy for general computing is a major
impediment to improved security in computer systems.
articulation
 lOMoARcPSD|9452196

An must have administrative procedures in place to bring

peculiar actions to the attention of someone who can legitimately inquire into
the appropriateness of such actions, and that person must actually make the
inquiry.
organization
As viruses have escalated from a hypothetical to a commonplace threat, it has
become necessary to rethink such policies in regard to methods of distribution
and acquisition of
software
One can implement that policy by taking specific actions guided by management
control principles and utilizing specific security standards, procedures, and
mechanisms
The must be managed by auditing, backup, and recovery
procedures supported by general alertness and creative responses.
residual risk

is another way of saying “data security.”

Information Security
is all about protecting data that is found in electronic form (such as computers,
servers, networks, mobile devices, etc.) from being compromised or attacked.
 lOMoARcPSD|9452196

Cybersecurity
The process to protect that data requires more advanced IT
security tools
Info security is concerned with making sure data in any form is kept secure and is
a bit broader than
Cybersecurity

If your data is stored physically or digitally, you need to be sure you have all
the right in place to prevent unauthorized
individuals from gaining access.

physical access controls

In some scenarios, an would help a cybersecurity professional

prioritize data protection – and then the cybersecurity professional would
determine the best course of action for the data protection.

information security professional

Over the last decade, we’ve seen a between cybersecurity and

information security, as these previously siloed positions have come together.

fusion
 lOMoARcPSD|9452196

Both individuals need to know what data is most critical to the organization
so they can focus on placing the right and
monitoring controls on that data.

cyber risk management

Cybersecurity professionals traditionally understand the technology,

firewalls, and intrusion protection systems needed, but weren’t necessarily
brought up in the .

data evaluation business

Computer security and cybersecurity are both children of

.

information security

Because ratings are easy to understand, they are a useful mechanism for
and vendor risk to a non-technical audience in the C-suite,
boardroom, or with the vendor in question.

communicating internal

Computer security and cybersecurity are completely , and

require digital computer technology from 1946’s ENIAC to now.

interchangeable terms
 lOMoARcPSD|9452196

IT security can probably be used interchangeably with cybersecurity,

computer security and information security if .

it pertains to business

Business partners and investors are increasingly aware of the importance of this
topic, and companies are asked regularly about their effectiveness in securing
data and managing both .

physical and cyber risk

Keeping information electronic computers (such as ancient

cryptography) to this very day falls under the banner of information security.

secure for the history of data predating

or security ratings are the cyber equivalent of a credit score.

Cybersecurity ratings

sing this high-level, objectively-derived data can simplify the

around risk.

conversation

Ensuring proper HTTPS implementation for an e-commerce website or mobile app

falls under cybersecurity and computer security, so it’s
.

information security
 lOMoARcPSD|9452196

IT is the for practical purposes, largely for industry

(mainframes, supercomputers, datacenters, servers, PCs and mobile devices
as endpoints for worker interaction) and consumers (PCs, mobile devices,
IoT devices, and video game console endpoints for enduser lifestyles.)

application of computer science