Gramm-Leach Bliley Act(GLBA - Passed in 1999, requires that all types of financial institutions to protect private financial information.
Protecting Private Data - The process of ensuring data confidentiality.
Standard - A detailed written definition for hardware and software and how it is to be used.
Data Classification Standards - Four Major Categories:
• Private data
• Internal use only
• Public domain data
White-hat hackers - Ethical hacking...Intending to be helpful.
Vulnerabilities and Threats - any weakness in a system that makes it possible for a threat to cause harm.
Remote Access Domain - Primarily affected by endpoint security on VPN clients.
Risk - Refers to the likely hood of exposure to danger.
Closing Security Gaps - A laps in a security control in a policy creates a gap.
Logical access control - These control access to a computer system or network.
Identification Methods - The first step enforcing an authorization policy in Identification.
Linked to identification methods - The second step is Authentication.
Authentication Types - Knowledge, ownership, characteristics
Formal Models Of Access - Discretionary access control (DAC) - The owner of a resource decides who gets in, and changes permissions as needed. The owner can give that job to others.
Brewer and Nash Integrity Model - based on a mathematical theory published in 1989 to ensure fair competition.
Two levels of Organizational Compliance - Regulatory Compliance, Organizational Compliance
IT Security Policy - A security framework addresses these directives through policies and their supporting elements, such as standards, procedures, baselines, and guidelines.
Data classification standards - Helps to determine the appropriate access to classify data.Configuration control - The management of the baseline settings for a system device.SDLC - Design is a primary step
Security Auditing - to process to verify policy compliance.Baseline - In order to recognize something as abnormal, you first must know what normal looks like (when monitoring systems for anomalies.
Monitoring Issues - many organizations turn off logs because they produce too much information.
Verifying Security Controls - Controls that monitor activity include intrusion detection systems (IDS), intrusion prevention systems (IPSs), and firewalls.
Testing Methods - Black-box testing, White-box testing, Grey-box testing
Risk Management - Directly affects security controls
BCP - Is not part of quantitative risk assessment
Primary components of Risk Management - Reduction, Avoidance, Mitigation
Planning for Disasters - part of business continuity management (BCM), which includes both: BCP and DRP
Business Impact Analysis (BIA) - determines the extent of the impact that a particular