Computer security, cybersecurity, and information security are closely related fields that aim to protect data. Ratings can help communicate risk to non-technical audiences. Ensuring proper security implementation for websites and apps falls under these fields. Information security has historically focused on protecting electronic data and is concerned with keeping data secure in any form.
Information Assurance and Security 2
Fill-in-the-blank and true/false items with their answers (the two-column layout was flattened during extraction; each item is listed with its answer below it).

Item: Using this high-level, objectively-derived data can simplify the conversation ______ around risk.
Answer: (cut off at the start of the page)

Item: IT is the ______ for practical purposes, largely for industry (mainframes, supercomputers, datacentres, servers, PCs and mobile devices as endpoints for worker interaction) and consumers (PCs, mobile devices, IoT devices, and video game console endpoints for end-user lifestyles).
Answer: application of computer science

Item: Because ratings are easy to understand, they are a useful communicating mechanism for ______ and vendor risk to a non-technical audience in the C-suite.
Answer: internal

Item: Business partners and investors are increasingly aware of the importance of this topic, and companies are asked regularly about their effectiveness in securing data and managing both ______.
Answer: physical and cyber risk

Item: Computer security and cybersecurity are both children of information ______.
Answer: security

Item: ______ or security ratings are the cyber equivalent of a credit score.
Answer: Cybersecurity ratings

Item: Computer security and cybersecurity are completely interchangeable ______, and require digital computer technology from 1946's ENIAC to now.
Answer: terms

Item: IT security can probably be used interchangeably with cybersecurity, computer security and information security if ______.
Answer: it pertains to business

Item: Ensuring proper HTTPS implementation for an ecommerce website or mobile app falls under cybersecurity and computer security, so it's ______.
Answer: information security

Item: Keeping information secure for the ______ electronic computers (such as ancient cryptography) to this very day falls under the banner of information security.
Answer: history of data predating

Item: ______ is all about protecting data that is found in electronic form (such as computers, servers, networks, mobile devices, etc.) from being compromised or attacked.
Answer: Cybersecurity

Item: Information ______ is another way of saying "data security."
Answer: security

Item: Info security is concerned with making sure data in any form is kept secure and is a bit broader than ______.
Answer: cybersecurity

Item: Cybersecurity professionals traditionally understand the technology, firewalls, and intrusion protection systems needed, but weren't necessarily brought up in the ______.
Answer: data evaluation business

Item: If your data is stored physically or digitally, you need to be sure you have all the right ______ in place to prevent unauthorized individuals from gaining access.
Answer: physical access controls

Item: Over the last decade, we've seen a ______ between cybersecurity and information security, as these previously siloed positions have come together.
Answer: fusion

Item: In some scenarios, an ______ would help a cybersecurity professional prioritize data protection — and then the cybersecurity professional would determine the best course of action for the data protection.
Answer: information security professional

Item: Both individuals need to know what data is most critical to the organization so they can focus on placing the right ______ and monitoring controls on that data.
Answer: cyber risk management

Item: ______ are the mechanisms and techniques—administrative, procedural, and technical—that are instituted to implement a security policy.
Answer: Management controls

Item: An ______ must have administrative procedures in place to bring peculiar actions to the attention of someone who can legitimately inquire into the appropriateness of such actions, and that person must actually make the inquiry.
Answer: organization

Item: Some ______ are explicitly concerned with protecting information and information systems, but the concept of management controls includes much more than a computer's specific role in enforcing security.
Answer: management controls

Item: ______ is a concise statement, by those responsible for a system (e.g., senior management), of information values, protection responsibilities, and organizational commitment.
Answer: security policy

Item: ______ is the study of how to protect your information assets from destruction, degradation, manipulation and exploitation, but also how to recover should any of those happen.
Answer: Information Assurance

Item: An effective ______ is needed to cover all aspects of information security, including physical security, classification of information, the means of recovering from breaches of security, and above all training to instill awareness and acceptance by people.
Answer: program of management controls

Item: One can implement that policy by taking specific actions guided by management control principles and utilizing specific ______.
Answer: security standards, procedures, and mechanisms

Item: The framework within which an organization strives to meet its needs for information security is codified as ______.
Answer: security policy

Item: Computers are ______ entities, and programs can be changed in a twinkling, so that past happiness is no predictor of future bliss.
Answer: active

Item: In any particular circumstance, some threats are more probable than others, and a ______ must assess the threats, assign a prudent level of concern to each, and state a policy in terms of which threats are to be resisted.
Answer: policy setter

Item: To be useful, a ______ must not only state the security need (e.g., for confidentiality—that data shall be disclosed only to authorized individuals), but also address the range of circumstances under which that need must be met and the associated operating standards.
Answer: security policy

Item: A major conclusion of this report is that the lack of a clear ______ of security policy for general computing is a major impediment to improved security in computer systems.
Answer: articulation

Item: ______ may prevent people from doing unauthorized things but cannot prevent them from doing things that their job functions entitle them to do.
Answer: Technical measures

Item: As viruses have escalated from a hypothetical to a commonplace threat, it has become necessary to rethink such policies in regard to methods of distribution and acquisition of ______.
Answer: software

Item: The ______ must be managed by auditing, backup, and recovery procedures supported by general alertness and creative responses.
Answer: residual risk

Item: ______: assuring that authorized users have continued access to information and resources.
Answer: Availability

Item: ______: assuring that information and programs are changed only in a specified and authorized manner.
Answer: Integrity

Item: The requirements for applications that are connected to ______ will differ from those for applications without such interconnection.
Answer: external systems

Item: For a ______, the chief concern may be ensuring the confidentiality of classified information, whereas a funds transfer system may require strong integrity controls.
Answer: national defense system

Item: ______: controlling who gets to read information.
Answer: Confidentiality

Item: The weight given to each of the three major requirements describing needs for information security—confidentiality, integrity, and availability—depends strongly on ______.
Answer: circumstances

Item: Early disclosure may jeopardize ______ advantage, but disclosure just before the intended announcement may be insignificant.
Answer: competitive

Item: A ______ that must be restored within an hour after disruption represents, and requires, a more demanding set of policies and controls than does a similar system that need not be restored for two to three days.
Answer: system

Item: With ______ attacks, for example, even legitimate and honest users of an owner mechanism can be tricked into disclosing secret data.
Answer: Trojan horse

Item: ______ is a requirement whose purpose is to keep sensitive information from being disclosed to unauthorized recipients.
Answer: Confidentiality

Item: ______: a variety of ongoing measures taken to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution, and unavailability of an organization's logical and physical assets, as the result of action or inaction by insiders and known outsiders, such as business partners.
Answer: Personnel security

Item: ______: data endowed with relevance and purpose.
Answer: Information

Item: ______: refers to the protection of hardware, software, and data against physical threats to reduce or prevent disruptions to operations and services and loss of assets.
Answer: Physical security

Item: According to ______, IA has four major categories: physical security, personnel security, IT security, and operational security.
Answer: Debra Herrman

Item: ______: security measures to establish the validity of a transmission, message, or originator.
Answer: Authentication

Item: ______: timely, reliable access to data and information services for authorized users.
Answer: Availability

Item: ______: assurance that the sender is provided with proof of data delivery and the recipient is provided with proof of the sender's identity, so that neither can later deny having processed the data.
Answer: Non-repudiation

Item: ______: assurance that information is not disclosed to unauthorized persons.
Answer: Confidentiality

Item: ______: protection against unauthorized modification or destruction of information.
Answer: Integrity

Item: Criminals are constantly surveying the environment for an opportunity to commit crimes.
Answer: TRUE

Item: While you are walking, keep your mind on what is going on around you.
Answer: TRUE

Item: Carrying items makes you a more vulnerable target for criminals.
Answer: TRUE

Item: If you have an intuitive feeling something is wrong, trust your instincts.
Answer: TRUE

Item: Walk without purpose, scan the area around you and make casual eye contact with others to display confidence.
Answer: FALSE

Item: If you feel vulnerable, do not ask Police or Security to escort you to your car.
Answer: FALSE

Item: Always closely guard your personal effects when it comes to identity theft.
Answer: TRUE

Item: Theft of personal items such as purses can result in more criminal opportunities such as:
Answer: Identity Theft, Stolen Auto, Residential Burglary

Item: Methods of reducing criminal opportunity.
Answer: Be alert and aware, Display confidence, Keep your hands free, Trust your instincts, Ask for help, Closely guard your personal effects

Item: Types of private security
Answer: Technology, Private Alarm Response, Private Patrol Services, Private Security Guards

Item: First reason why investing in information security is significant
Answer: Rising cost of breaches

Item: Feeling confident about their organization's security level: When information security community members participated in the Cybersecurity Trends Report, they were asked how positive they felt about their security stance.
Answer: TRUE

Item: Fifth reason why investing in information security is significant
Answer: Regulatory compliances

Item: Disruptions in their day-to-day business: Time is money.
Answer: TRUE

Item: What job in information security is this? Salary: $139,000. Responsibilities: Information systems managers work toward ensuring a company's tech is capable of meeting their IT goals.
Answer: Computer and Information Systems Managers

Item: The need for skilled workers and allocation of funds for security within their budget: Companies are making the effort to allocate more funds in their budgets for security.
Answer: TRUE

Item: Third reason why investing in information security is significant
Answer: Proliferation of IoT devices

Item: What job in information security is this? Salary: $104,000. Responsibilities: Create an in-office network for a small business or a cloud infrastructure for a business with corporate locations in cities on opposite coasts.
Answer: Computer Network Architects

Item: What job in information security is this? Salary: $103,560. Responsibilities: Software developers can be tasked with a wide range of responsibilities that may include designing parts of computer programs and applications and designing how those pieces work together.
Answer: Software Developer

Item: What job in information security is this? Salary: $95,510. Responsibilities: Information security analysts monitor their companies' computer networks to combat hackers and compile reports of security breaches.
Answer: Information Security Analyst

Item: 20 different risk markers grouped under five main categories
Answer: Security, Medical, Political, Environmental and Infrastructural Risks

Item: Information is one of the most significant ______
Answer: substantial