(ISC)2 SSCP

Description

Mind map on (ISC)2 SSCP, created by Steve Forbes on 25/03/2017.
Mind map by Steve Forbes, updated more than 1 year ago

Resource summary

(ISC)2 SSCP
  1. Terms
    1. CIA Triad

      Notes:

      • Confidentiality - Applies to both data and system information and is sometimes referred to as the secrecy objective. Information must be protected to prevent the loss or disclosure of that information. Encryption algorithms are used to protect data while it is in transit. Availability - Ensures accessibility of all hardware, software, applications, and data throughout the system. Availability concepts include physical availability of hardware and data, system hardware redundancy, and resilient connections and transmission. Integrity - Ensures that system resources are protected from unauthorized, unanticipated, or unintentional modification.
      1. Primary Security Categories

        Notes:

        • Prevention - The actions taken, or the products purchased and installed, in an effort to reduce the likelihood that something bad may happen, e.g. using a lock, creating a strong identification and authentication system, providing user training, or applying strong security rules on firewalls and routers. Detection - Using an IDS (intrusion detection system), or automated log monitoring that generates alerts. Recovery - The actions that must be taken after an unwanted occurrence; implement plans and programs in case systems are damaged or databases corrupted.
        1. Access Controls

          Notes:

          • Identification - The first step in the process. Every user, application, or system begins the access process by providing some form of identification. Authentication - The second step of the access process. This factor should be something unique to the user or the system. Authorization - The third step of the access process. Upon satisfactory authentication, the user is assigned rights and privileges based upon a profile held in storage. Accounting - Refers to tracing and recording the use of network assets and resources by users or intruders. Auditing - The act of reviewing log files or forensic information. People are always the biggest threat to the resources and data within an enterprise. Training is a nontechnical control used with people.
          1. Nonrepudiation

            Notes:

            • Nonrepudiation means that neither the sender nor the receiver (under certain circumstances) may deny their actions. The primary tool used to enforce nonrepudiation of the sender is a digital signature: a user is directly identified as the sender of a message. It works because only the sender holds the private signing key; a MAC computed with a key shared by sender and receiver does not give nonrepudiation, since either party could have produced it.
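The contrast in that last sentence, shown in code. This is an added illustration, not part of the mind map: it uses a deliberately tiny textbook RSA keypair (fixed primes, no padding, constructed here only so the block runs with the standard library) next to an HMAC with a shared key; a real system would use Ed25519 or RSA-PSS from a proper library. The message text and shared key are constructed sample values.

```python
"""Digital signature vs. MAC for nonrepudiation (added example, toy RSA)."""
import hashlib
import hmac

# Constructed keypair: two Mersenne primes, far too small for real use.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)


def _digest_as_int(message: bytes) -> int:
    """Hash the message and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D) -> int:
    """Only the holder of the private exponent d can produce this value."""
    return pow(_digest_as_int(message), d, N)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the public key (e, n) can check the signature."""
    return pow(signature, e, n) == _digest_as_int(message)


def mac(message: bytes, shared_key: bytes) -> bytes:
    """HMAC: authenticates between two parties that both hold the key."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def demo() -> dict:
    msg = b"Transfer 500 EUR to account 42"          # constructed sample message
    sig = sign(msg)
    shared = b"key both Alice and Bob hold"           # constructed shared key
    alice_tag = mac(msg, shared)
    # Bob holds the same key, so he can produce an identical tag. A MAC proves
    # the message came from "someone with the key", which cannot settle a
    # dispute between the two key holders in front of a third party.
    bob_forged_tag = mac(msg, shared)
    return {
        "signature_valid": verify(msg, sig),
        "tampered_rejected": not verify(msg + b"0", sig),
        "receiver_can_forge_mac": hmac.compare_digest(alice_tag, bob_forged_tag),
    }
```

The signature check needs nothing but the public key, so a third party can verify it without being able to forge it; the MAC check needs the shared key, so anyone who can verify can also forge.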
            1. Risk

              Notes:

              • Reducing risk is referred to as mitigating risk. By locking the door, I reduce the risk, and by placing chains around the door, I mitigate the risk even further. Components of risk: Threat - Any incident or action that, if carried out, could cause harm or the loss of data or an asset. Threat vector - The path that an attacker might take to take advantage of a vulnerability and do harm. Threat vectors for a server room fire: a fuse shorts out and causes a power cable to overheat, causing a fire; lightning strikes a power pole and sends a surge into the server room equipment, causing a fire. Vulnerabilities - The weaknesses within a network, host, application, or database that may be penetrated or exploited by an attacker. Controls - The safeguards, countermeasures, policies, and procedures that may be used to mitigate risk. Controls are grouped into three categories: physical, logical, and administrative. Exam point: Vulnerabilities are weaknesses. Controls are used to reduce the possibility that a threat will exploit a vulnerability, and these controls may be classified as physical, logical, or administrative.
              1. Due Care

                Notes:

                • Due care consists of the actions that a reasonable and prudent person would take to protect an organization's assets; this includes selecting and installing controls to mitigate risk. Due diligence is ensuring that the controls put into place are functioning adequately.
                1. User Security Management

                  Notes:

                  • The security professional's responsibility is to secure and protect the organization's assets. Resources: Physical resources include the general assets of the company - computer systems, network hardware, printers, telephone equipment. Data - The content placed on the company network and storage devices.
                  1. Least Privilege

                    Notes:

                    • Users, systems, and applications should have only the minimal level of access that is absolutely necessary for them to perform their required duties: grant the least amount of access rights and permissions required to perform a task.
                    1. AAA

                      Notes:

                      • The three A's of security - Authentication, Authorization, and Accounting. These three processes work together to provide assurance that access is granted only to authorized users.
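The access-control steps (identification, authentication, authorization, accounting) and the AAA note above, carried through as one small controller. This is an added example, not from the mind map: the user store, the two roles with their least-privilege permission sets, the passwords and the log line format are all constructed for illustration.

```python
"""Identification -> authentication -> authorization -> accounting, end to end."""
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen store is not trivially cracked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"name": username, "salt": salt,
            "hash": _hash_password(password, salt), "role": role}


# Constructed user store. Least privilege: each role lists only what it needs.
USERS = {u["name"]: u for u in (make_user("alice", "correct horse battery", "operator"),
                                 make_user("bob", "hunter2", "auditor"))}
ROLE_PERMISSIONS = {
    "operator": {"backup:run", "backup:status"},
    "auditor":  {"backup:status", "log:read"},
}


class AccessController:
    def __init__(self, users=USERS, roles=ROLE_PERMISSIONS):
        self.users, self.roles = users, roles
        self.log = []   # accounting record; auditing is reviewing this later

    def _record(self, who: str, action: str, outcome: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(f"{stamp} user={who} action={action} outcome={outcome}")

    def authenticate(self, username: str, password: str) -> bool:
        """Step 1 (identification) is the username; step 2 checks the factor."""
        user = self.users.get(username)
        # Hash even for unknown users so a missing account is not revealed by timing.
        salt = user["salt"] if user else bytes(16)
        candidate = _hash_password(password, salt)
        ok = user is not None and hmac.compare_digest(candidate, user["hash"])
        self._record(username, "login", "success" if ok else "failure")
        return ok

    def authorize(self, username: str, permission: str) -> bool:
        """Step 3: rights come from the stored profile (role), never from the request."""
        role = self.users.get(username, {}).get("role")
        allowed = permission in self.roles.get(role, set())   # implicit deny otherwise
        self._record(username, permission, "allowed" if allowed else "denied")
        return allowed


def demo() -> dict:
    ac = AccessController()
    return {
        "good_login": ac.authenticate("alice", "correct horse battery"),
        "bad_login": ac.authenticate("alice", "wrong"),
        "unknown_user": ac.authenticate("mallory", "x"),
        "alice_backup_run": ac.authorize("alice", "backup:run"),
        "alice_log_read": ac.authorize("alice", "log:read"),
        "log_lines": len(ac.log),   # every decision, allowed or denied, is recorded
    }
```

Every authentication and authorization decision, successful or not, writes an accounting line; that record is what an auditor later reviews, and denied attempts are often the more interesting half of it.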
                      1. M of N

                        Notes:

                        • M represents the minimum number of individuals that must agree on a course of action; N represents the total number of individuals involved. Used for redundancy: it can act as a safeguard in the event that one of the check signers is on vacation.
                        1. Two man Rule

                          Notes:

                          • Popular in very high security locations and situations. Two individuals must agree upon an action yet are physically separated and must therefore act independently of each other, the classic example being two officers who had to turn their keys at exactly the same moment.
                          1. Job Rotation

                            Notes:

                            • Primarily used as a fraud prevention mechanism; rotating individuals between positions provides not only cross-training but also the capability to cross-check individuals' work.
                            1. Temporal Access Control - Time of day Control

                              Notes:

                              • Time of day - Users within a department who are not required to work on weekends may have their account logons restricted to working hours only, Monday through Friday.
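The time-of-day restriction as an evaluable policy. This is an added example, not from the mind map: the department names, the 08:00-18:00 weekday window and the fixed UTC+1 office offset are constructed. It shows the two details that bite in practice: the window must be evaluated in the policy's own time zone, not the client's, and the end boundary must be exclusive.

```python
"""Temporal (time-of-day) access control with timezone-aware evaluation (added example)."""
from datetime import datetime, time, timedelta, timezone

# Constructed: the office zone as a fixed offset (a real policy would use zoneinfo).
OFFICE_TZ = timezone(timedelta(hours=1), "office")

# Constructed policy. weekday(): 0 = Monday ... 4 = Friday. End time is exclusive.
POLICY = {
    "accounting": {"days": {0, 1, 2, 3, 4}, "start": time(8, 0), "end": time(18, 0)},
    "operations": None,   # no restriction: on call 24x7
}


def logon_allowed(department: str, at: datetime) -> bool:
    """Naive timestamps are rejected rather than guessed; unknown departments are denied."""
    if at.tzinfo is None or at.utcoffset() is None:
        raise ValueError("timestamp must be timezone-aware")
    if department not in POLICY:
        return False                                   # implicit deny
    rule = POLICY[department]
    if rule is None:
        return True
    local = at.astimezone(OFFICE_TZ)                   # evaluate in the policy's zone
    return local.weekday() in rule["days"] and rule["start"] <= local.time() < rule["end"]


def demo() -> dict:
    fri = datetime(2017, 3, 24, tzinfo=OFFICE_TZ)       # Friday
    sat = datetime(2017, 3, 25, tzinfo=OFFICE_TZ)       # Saturday
    return {
        "friday_1759": logon_allowed("accounting", fri.replace(hour=17, minute=59)),
        "friday_1800": logon_allowed("accounting", fri.replace(hour=18, minute=0)),
        "saturday_1000": logon_allowed("accounting", sat.replace(hour=10)),
        # 07:30 UTC is 08:30 in the office zone; checking the UTC clock would wrongly deny it.
        "friday_0730_utc": logon_allowed("accounting", datetime(2017, 3, 24, 7, 30, tzinfo=timezone.utc)),
        "ops_saturday": logon_allowed("operations", sat.replace(hour=3)),
        "unknown_dept": logon_allowed("hr", fri.replace(hour=10)),
    }
```

The check governs new logons; a session opened at 17:55 is not cut off at 18:00 by this function alone, so a session-lifetime control is needed alongside it if that matters.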
                              1. Privacy

                                Notes:

                                • Protect personal information. In the United States, personal health and medical information is protected by the Health Insurance Portability and Accountability Act (HIPAA).
                                1. Implicit Deny

                                  Notes:

                                  • Implicit deny restricts access to everyone unless they have been explicitly given a specific right to access, e.g. providing two users with a key to a padlock. Providing each user with a key is an explicit action giving permission and granting access. By default, all other users are implicitly denied access because they simply do not have a key.
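The padlock analogy as a first-match ACL evaluator of the kind a firewall or router applies. This is an added example, not from the mind map; the rule set and the test packets are constructed. Only traffic some rule explicitly permits gets through; everything else falls off the end of the list into the implicit deny, and the block also shows why rule order matters when an explicit deny sits inside a broader permit.

```python
"""First-match ACL with a trailing implicit deny (added example)."""
from ipaddress import ip_address, ip_network

# Constructed rule set: (action, source network, destination port, protocol).
# The explicit deny for 10.0.5.0/24 must come before the broader permit for 10.0.0.0/8.
RULES = [
    ("permit", "10.0.0.0/8",      443, "tcp"),
    ("deny",   "10.0.5.0/24",      22, "tcp"),
    ("permit", "10.0.0.0/8",       22, "tcp"),
    ("permit", "192.168.1.10/32",  53, "udp"),
]


def evaluate(rules: list, src: str, dport: int, proto: str) -> tuple:
    """Return (decision, index of the matching rule) or ("deny", None) for the implicit deny."""
    addr = ip_address(src)
    for i, (action, net, port, p) in enumerate(rules):
        if addr in ip_network(net) and dport == port and proto == p:
            return action, i                  # first match wins
    return "deny", None                       # no key, no access


def demo() -> dict:
    # Same rules with the explicit deny moved below the permit it was meant to carve out.
    swapped = [RULES[0], RULES[2], RULES[1], RULES[3]]
    return {
        "https_inside": evaluate(RULES, "10.1.2.3", 443, "tcp"),        # ("permit", 0)
        "ssh_blocked_subnet": evaluate(RULES, "10.0.5.7", 22, "tcp"),   # ("deny", 1)
        "ssh_elsewhere": evaluate(RULES, "10.9.9.9", 22, "tcp"),        # ("permit", 2)
        "dns_wrong_proto": evaluate(RULES, "192.168.1.10", 53, "tcp"),  # ("deny", None)
        "outside": evaluate(RULES, "203.0.113.5", 443, "tcp"),          # ("deny", None)
        "order_matters": evaluate(swapped, "10.0.5.7", 22, "tcp"),      # ("permit", 1)
    }
```

The two `("deny", None)` results are the implicit deny doing its job: nobody wrote a rule for them, so they are dropped. The `order_matters` case is the usual way such a list is silently broken in the field.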
                                2. D 1 Access Controls

                                  Notes:

                                  • The act of limiting risk is referred to as mitigation. The tools available to mitigate a risk are called controls. Physical controls - These include doors, locks, and fences. Logical controls - Access control lists (ACLs), intrusion detection systems (IDS), firewalls, routers, virus protection software, activity logging mechanisms. Administrative controls - Include banners, signs, policies or procedures, directives, rules or regulations, and documents.
                                  1. Resources and assets

                                    Notes:

                                    • Physical assets - Tangible things such as the building, property, or business equipment (which includes network hardware), and people. Digital assets - Data contained or stored on the IT systems. Information assets - The content or information represented by the digital data.
                                    1. Seven Main categories of Access Controls

                                      Notes:

                                      • The seven main categories of access control are: 1. Directive: Controls designed to specify acceptable rules of behavior within an organization. 2. Deterrent: Controls designed to discourage people from violating security directives. 3. Preventive: Controls implemented to prevent a security incident or information breach. 4. Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level. 5. Detective: Controls designed to signal a warning when a security control has been breached. 6. Corrective: Controls implemented to remedy circumstances, mitigate damage, or restore controls. 7. Recovery: Controls implemented to restore conditions to normal after a security incident.
