In Europe, this regulation lists the rights of the data subject, meaning the rights of the individuals whose personal data is being processed, including the need for an individual's clear consent to the processing of his or her personal data.
General Data Protection Regulation (GDPR)
At the management level; they assign sensitivity labels and backup frequency.
Data/information owners
A type of encryption that uses two keys: a public key and a private key (a key pair).
Asymmetric Encryption
An authorized simulated attack on our organization that looks for security weaknesses
Penetration Testing
A software development model that is very linear; each phase leads directly into the next.
Waterfall model
Implementing multiple overlapping security controls to protect an asset.
Defense in Depth
When data is in _____, we should encrypt our network traffic (end-to-end encryption), on both internal and external networks.
Data in Motion
Requiring more than one individual for a single task; an internal control intended to prevent fraud and error.
Separation of Duties
A black-box testing technique that submits random, malformed data as input to software programs to determine whether they will crash.
Fuzz testing
Acts as a coach to the rest of the team, or a servant leader.
Facilitates, and is accountable for, removing impediments to the team's ability to deliver the product goals and deliverables.
scrum master
Involves implementing and maintaining appropriate policies, procedures, standards, and controls that align with the organization's risk appetite and regulatory requirements.
Due care
This type of data destruction is good for hard drives but will not work for SSDs (solid-state drives).
Degaussing
This security model helps protect confidentiality: subjects at a lower level cannot read up, and subjects at a higher level cannot write down.
Bell-LaPadula (Confidentiality)
A type of social engineering attack where the attacker applies pressure along the lines of "If you don't act now, it is too late".
Social Engineering Attack: Scarcity
Cooperation between development, operations, and quality assurance that also adds security into the mix; aligned with Agile, code is deployed rapidly, multiple times a day.
DevSecOps
The acceptable amount of data that cannot be recovered
RPO (Recovery Point Objective)
The data owner accepts the certification and the residual risk. This is required before the system can be put into production.
Accreditation
A threat model developed by Microsoft covering six categories of security threats, including spoofing and tampering.
STRIDE - Spoofing, tampering, repudiation, information disclosure, Denial of Service (DoS), elevation of privilege.
A document that typically outlines the scope, objectives, methodology, deliverables, and timeline of a penetration testing engagement.
Statement of Work (SOW)
In relational databases, the matching primary key of a parent database table.
Foreign Key
Measures that tell management, after the fact, whether an IT process has achieved its business requirements.
KGI (Key Goal Indicators)
Determining which portion of a standard we will deploy in our organization.
Scoping
This protocol suite provides secure communication over IP networks by authenticating and encrypting each IP packet of a communication session.
IPSEC
This report type assesses internal controls for compliance and operations over a period of time, usually 6 months.
SOC 2 Type II
When an organization reaches this level in the CMM (Capability Maturity Model), some of their processes are repeatable, possibly with consistent results.
Level 2: Repeatable