Chapter 1 - Security Principles

CIA Triad

The CIA Triad is a widely used model in information security that names the three core properties security controls exist to protect. These properties are:

  1. Confidentiality: Ensures that information is accessible only to those authorized to access it. This protects sensitive data from unauthorized disclosure, typically through access control mechanisms and encryption.

  2. Integrity: Ensures that information remains accurate, consistent, and unaltered except by authorized parties. Integrity covers protecting data from unauthorized modification, corruption, or deletion, and being able to detect when that has happened, so that the data can be trusted.

  3. Availability: Ensures that information and systems are accessible and usable when needed by authorized users. This principle focuses on keeping systems operational and data reachable in a timely manner, typically through redundancy, backups, and capacity planning.

Together, these three principles form the foundation of information security practices.
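Integrity in practice, as an added example that is not part of the original notes: the receiver of a record can only detect tampering if the check depends on something the attacker does not have. The code below protects a constructed sample record with an HMAC-SHA256 tag, shows that a one-bit change is rejected, and contrasts it with a bare SHA-256 digest, which the attacker simply recomputes over the altered data. The key, record, and function names are assumptions made for this demo.

```python
"""Integrity check with a keyed MAC (HMAC-SHA256).

Added example, not from the original notes. Shows why Integrity needs a
secret: a keyed tag lets the receiver detect modification, while a bare
hash can be recomputed by whoever altered the data. Key and messages
below are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed demo key; a real key would come from generate_key() and be
# shared out of band, never stored next to the data it protects.
DEMO_KEY = b"demo-shared-secret-not-for-production"


def generate_key() -> bytes:
    """256-bit random key from the OS CSPRNG."""
    return secrets.token_bytes(32)


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over message under key (32 bytes)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    hmac.compare_digest does not stop at the first mismatching byte, so an
    attacker cannot learn a valid tag byte by byte from response timing.
    """
    return hmac.compare_digest(tag(key, message), received_tag)


def unkeyed_digest(message: bytes) -> bytes:
    """Plain SHA-256: catches accidental corruption, not deliberate tampering."""
    return hashlib.sha256(message).digest()


def verify_unkeyed(message: bytes, received_digest: bytes) -> bool:
    """Check a plain digest; anyone who changed the message can satisfy this."""
    return hmac.compare_digest(unkeyed_digest(message), received_digest)


def tamper(message: bytes) -> bytes:
    """Flip the low bit of the first byte: the smallest possible change."""
    return bytes([message[0] ^ 0x01]) + message[1:]


def demo(key: bytes = DEMO_KEY) -> dict:
    # Constructed sample record the sender protects before transmission.
    original = b"transfer 100 EUR to account 12345"
    sent_tag = tag(key, original)

    # An attacker on the path alters the record. They can recompute the
    # plain digest, but cannot produce a valid tag without the key.
    altered = tamper(original)
    attacker_digest = unkeyed_digest(altered)

    return {
        "genuine_accepted": verify(key, original, sent_tag),
        "tampered_rejected": not verify(key, altered, sent_tag),
        "unkeyed_check_fooled": verify_unkeyed(altered, attacker_digest),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

All three results come out True: the genuine record passes, the tampered record fails the keyed check, and the unkeyed check is fooled because the attacker supplied both the altered data and a matching digest. The same reasoning is why a download page that publishes only a checksum next to the file offers no integrity against an attacker who controls that page.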


Threat & Risk Management Process

Risk:

Risk is the potential for harm or loss to an organization's assets, systems, or data. It combines the likelihood that a threat will exploit a vulnerability with the impact if it does, so a risk is assessed on both the probability of the event and the severity of its consequences.

  • Risk = Likelihood × Impact

  • For example, a data breach is a higher risk for an organization without adequate security measures (higher likelihood), and the risk is severe when the data that could be exposed is sensitive (higher impact).

Threat:

A threat is any potential cause of an incident that could harm or compromise the security of information, systems, or infrastructure. Threats can be intentional (such as cyberattacks) or unintentional (such as natural disasters or human error). A threat only produces risk when there is a vulnerability, a weakness in a system, process, or control, that it can exploit.

  • Examples of threats include external attackers, malware, social engineering, natural disasters, and employee negligence.

Risk management process

Risk Identification
  • Goal: To clearly identify and communicate risks within an organization.

  • Key Points:

    • All employees, regardless of their role or level, have a responsibility to identify potential risks in their respective areas of work.

    • Identifying risks early gives the organization time to understand them and put protective measures in place before they are realized.

    • Risk identification helps in safeguarding the organization’s assets, operations, and people from potential harm.

Risk Assessment
  • Goal: To assess and evaluate risks in a structured way, estimating both the likelihood and potential impact of identified risks.

  • Key Points:

    • The process takes each identified risk and estimates its likelihood and its potential impact on the organization, such as:

      • Operations: Including mission-critical functions, reputation, and public image.

      • Assets: The physical, intellectual, and digital assets of the organization.

      • Individuals: The impact on employees, stakeholders, and customers.

      • Other Organizations: The effect on partners, suppliers, or collaborators.

      • Nation: In the case of risks that could have broader implications, such as in critical infrastructure or national security.

    • Risk assessment leads to a prioritized risk management strategy, where each identified risk is linked to specific goals, objectives, assets, or processes within the organization.

Risk Treatment (Management Options)

Once risks are identified and assessed, each one is treated with one or more of the following approaches:

  1. Accept the Risk:

    • Definition: Acknowledging that the risk exists and making a deliberate, documented decision not to mitigate or eliminate it.

    • When it's used: Typically used for risks that are minor, with low impact or likelihood, or where the cost of mitigation is greater than the potential damage.

    • Example: Accepting the possibility of losing easily recreated data in a non-critical test system.

  2. Avoid the Risk:

    • Definition: Risk avoidance involves eliminating the risk altogether by changing plans, processes, or actions to avoid the exposure to the risk.

    • When it's used: When the risk is too high to tolerate and cannot be reduced to an acceptable level at reasonable cost.

    • Example: Not deploying outdated software or hardware at all, so that its vulnerabilities never become part of the attack surface.

  3. Reduce (Mitigate) the Risk:

    • Definition: Risk mitigation involves implementing measures to reduce the likelihood of the risk occurring or reducing its potential impact if it does occur.

    • When it's used: The most common approach; the goal is to bring the remaining (residual) risk down to a level the organization can accept.

    • Example: Implementing firewalls, encryption, or employee training to reduce the risk of a cyberattack.

  4. Transfer or Share the Risk:

    • Definition: Risk transference shifts the financial consequences of the risk to a third party, typically by outsourcing a service or purchasing insurance. It does not transfer accountability: regulators and customers still hold the organization responsible for incidents involving its data.

    • When it's used: When the organization wants to shift the financial consequences of the risk to another party.

    • Example: Purchasing cyber insurance to cover potential financial losses from a data breach or outsourcing IT services to a company with better security practices.


Security Controls

Security controls are measures implemented to safeguard an organization's information, systems, and assets from risks and threats. They are commonly grouped into Physical controls (protecting facilities and equipment), Technical controls (implemented in hardware or software, such as firewalls, encryption, and authentication), and Administrative controls (policies, procedures, and training), each addressing a different aspect of security.

Physical security controls are measures designed to protect the physical infrastructure, facilities, and equipment of an organization. These controls focus on preventing unauthorized access to physical spaces and protecting against physical threats such as theft, vandalism, or natural disasters.

  • Examples:

    • Access control systems: Keycards, biometric scanners, or security guards that restrict access to buildings, server rooms, or restricted areas.

    • Surveillance cameras: CCTV cameras to monitor and record activity in critical areas.

    • Locks and barriers: Physical locks, gates, fences, or safes to secure valuable assets and prevent unauthorized entry.

    • Environmental controls: Fire suppression systems, water leak detectors, and temperature controls to protect against environmental hazards.


Governance

  1. Procedures: The detailed steps for completing a task in a way that supports departmental or organizational policies.

  2. Policies: Put in place by organizational governance, such as executive management, to guide all activities so that the organization meets applicable industry standards and regulations.

  3. Standards: Often used by governance teams as a framework for introducing policies and procedures in support of regulations.

  4. Regulations: Commonly issued in the form of laws, usually by government (not to be confused with governance), and typically carrying financial penalties for non-compliance.


Chapter Resources:
