CISSP Intro Notes

Uploaded by Saher ijaz

Understand and Apply Security Concepts

Security management concepts and principles are inherent elements in a security policy and solution deployment. They define the basic parameters needed for a secure environment. They also define the goals and objectives that both policy designers and system implementers must achieve to create a secure solution.

Security controls are typically evaluated on how well they address the three core information security tenets of the CIA Triad: confidentiality, integrity, and availability. Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles.

Confidentiality

The first principle of the CIA Triad is confidentiality. Confidentiality is the concept of the measures used to ensure the protection of the secrecy of data, objects, or resources. The goal of confidentiality protection is to prevent or minimize unauthorized access to data. Confidentiality protections prevent disclosure while protecting authorized access.

Violations of confidentiality are not limited to directed intentional attacks. Many instances of unauthorized disclosure of sensitive or confidential information are the result of human error, oversight, or ineptitude. Confidentiality violations can result from the actions of an end user or a system administrator. They can also occur because of an oversight in a security policy or a misconfigured security control.

Numerous countermeasures can help ensure confidentiality against possible threats. These include encryption, network traffic padding, strict access control, rigorous authentication procedures, data classification, and extensive personnel training.

Concepts, conditions, and aspects of confidentiality include the following:

■ Sensitivity: The quality of information which could cause harm or damage if disclosed.
■ Discretion: An act of decision where an operator can influence or control disclosure in order to minimize harm or damage.
■ Criticality: The level to which information is mission critical. The higher the level of criticality, the more likely the need to maintain the confidentiality of the information.
■ Concealment: The act of hiding or preventing disclosure. Often concealment is viewed as a means of cover, obfuscation, or distraction. A related concept is security through obscurity, which is the attempt to gain protection through hiding, silence, or secrecy; on its own it is not considered a reliable control, because the protection ends the moment the secret is discovered.
■ Secrecy: The act of keeping something a secret or preventing the disclosure of information.
■ Privacy: Keeping information confidential that is personally identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed.
■ Seclusion: Storing something in an out-of-the-way location, likely with strict access controls.
■ Isolation: Isolation is the act of keeping so

Integrity

Integrity is the concept of protecting the reliability and correctness of data. Integrity protection prevents unauthorized alterations of data. Properly implemented integrity protection provides a means for authorized changes while protecting against intended and malicious unauthorized activities (such as viruses and intrusions) as well as mistakes made by authorized users (such as accidents or oversights).

Integrity can be examined from three perspectives:

■ Preventing unauthorized subjects from making modifications
■ Preventing authorized subjects from making unauthorized modifications, such as mistakes
■ Maintaining the internal and external consistency of objects so that their data is a correct and true reflection of the real world and any relationship with any other object is valid, consistent, and verifiable

For integrity to be maintained on a system, controls must be in place to restrict access to data, objects, and resources. Maintaining and validating object integrity across storage, transport, and processing requires numerous variations of controls and oversight.

Numerous attacks focus on the violation of integrity. These include viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system backdoors. Human error, oversight, or ineptitude accounts for many instances of unauthorized alteration of sensitive information. Unauthorized alterations can also occur because of an oversight in a security policy or a misconfigured security control.

Numerous countermeasures can ensure integrity against possible threats. These include strict access control, rigorous authentication procedures, intrusion detection systems, object/data encryption, hash verifications (see Chapter 6, "Cryptography and Symmetric Key Algorithms," and Chapter 7, "PKI and Cryptographic Applications"), interface restrictions, input/function checks, and extensive personnel training. Note that an unkeyed hash stored next to the data only detects accidental change; an attacker who can rewrite the data can recompute the hash as well, so a keyed MAC or a digital signature is needed when the checksum itself is within the attacker's reach.

Confidentiality and integrity depend on each other. Without object integrity (in other words, the inability of an object to be modified without permission), confidentiality cannot be maintained. Integrity is dependent on confidentiality and access control.

Concepts, conditions, and aspects of integrity include the following:

■ Accuracy: Being correct and precise
■ Truthfulness: Being a true reflection of reality
■ Validity: Being factually or logically sound
■ Accountability: Being responsible or obligated for actions and results
■ Responsibility: Being in charge or having control over something or someone
■ Completeness: Having all necessary components or parts
■ Comprehensiveness: Being complete in scope; the full inclusion of all needed elements
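The difference between a plain hash verification and a keyed verification is easy to state and easy to get wrong in practice. The following Python example is added here to show it and is not part of the original notes: it stores a SHA-256 digest and an HMAC-SHA256 tag for a constructed configuration record, then shows that both detect accidental corruption, but only the keyed tag rejects an attacker who rewrites the record and recomputes the checksum. The record contents, the key handling and every function name are assumptions made for this demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the notes): a configuration blob whose
# integrity must hold across storage and transport.
RECORD = b"db_host=10.0.0.5;db_user=app;role=reader\n"


def sha256_digest(data: bytes) -> str:
    """Unkeyed hash: catches accidental corruption, but anyone who can
    modify the data can also recompute this value."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed MAC: only a holder of `key` can produce a valid tag, so an
    attacker who alters the data cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(sha256_digest(data), expected)


def verify_hmac(key: bytes, data: bytes, expected: str) -> bool:
    # compare_digest keeps the comparison itself free of timing leaks.
    return hmac.compare_digest(hmac_tag(key, data), expected)


def demo() -> dict:
    key = secrets.token_bytes(32)        # held by the verifier, never stored with the data
    stored_hash = sha256_digest(RECORD)  # what a "checksum file" next to the data holds
    stored_tag = hmac_tag(key, RECORD)

    # Case 1: accidental corruption, a single flipped bit in storage or transit.
    corrupted = bytearray(RECORD)
    corrupted[0] ^= 0x01
    corrupted = bytes(corrupted)

    # Case 2: deliberate tampering by someone with write access to both the
    # data and its stored checksum: they simply recompute the unkeyed hash.
    tampered = RECORD.replace(b"role=reader", b"role=admin")
    attacker_hash = sha256_digest(tampered)
    # Without the key the attacker can only reuse the old tag or guess a key.
    attacker_tag = hmac_tag(b"guessed-key", tampered)

    return {
        "hash_detects_corruption": not verify_hash(corrupted, stored_hash),
        "hmac_detects_corruption": not verify_hmac(key, corrupted, stored_tag),
        "hash_accepts_forgery": verify_hash(tampered, attacker_hash),
        "hmac_rejects_old_tag": not verify_hmac(key, tampered, stored_tag),
        "hmac_rejects_guessed_key": not verify_hmac(key, tampered, attacker_tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The third result is the one to remember: a hash published alongside the data is an integrity control against faults, not against an adversary with write access. The same reasoning applies to download checksums on the same server as the file, which is why signatures (or a MAC under a key the attacker does not hold) are used instead.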

Availability

Availability means authorized subjects are granted timely and uninterrupted access to objects. Often, availability protection controls support sufficient bandwidth and timeliness of processing as deemed necessary by the organization or situation. Availability includes efficient uninterrupted access to objects and prevention of denial-of-service (DoS) attacks. Availability also implies that the supporting infrastructure (including network services, communications, and access control mechanisms) is functional and allows authorized users to gain authorized access.

For availability to be maintained on a system, controls must be in place to ensure authorized access and an acceptable level of performance, to quickly handle interruptions, provide for redundancy, maintain reliable backups, and prevent data loss or destruction.

There are numerous threats to availability. These include device failure, software errors, and environmental issues (heat, static electricity, flooding, power loss, and so on). Some forms of attack focus on the violation of availability, including DoS attacks, object destruction, and communication interruptions. Many availability breaches are caused by human error, oversight, or ineptitude. They can also occur because of an oversight in a security policy or a misconfigured security control.

Numerous countermeasures can ensure availability against possible threats. These include designing intermediary delivery systems properly, using access controls effectively, monitoring performance and network traffic, using firewalls and routers to prevent DoS attacks, implementing redundancy for critical systems, and maintaining and testing backup systems. Most security policies, as well as business continuity planning (BCP), focus on the use of fault tolerance features at the various levels of access/storage/security (that is, disk, server, or site) with the goal of eliminating single points of failure to maintain availability of critical systems.

Availability depends on both integrity and confidentiality. Without integrity and confidentiality, availability cannot be maintained.

Concepts, conditions, and aspects of availability include the following:

■ Usability: The state of being easy to use or learn or being able to be understood and controlled by a subject
■ Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
■ Timeliness: Being prompt, on time, within a reasonable time frame, or providing low-latency response
Domain 2: Asset Security

Asset Security focuses on protecting organizational information and assets throughout their lifecycle.

■ Identify and classify information and assets.
■ Establish proper handling requirements for sensitive data.
■ Ensure compliance with security and regulatory standards.
■ Data Classification is categorizing information based on sensitivity and impact.
■ Asset Classification is categorizing organizational assets to prioritize protection.

Slide 2: Information & Asset Handling

Establishing Handling Requirements:

■ Define responsibilities for data owners, controllers, custodians, processors, and users.
■ Set policies for data collection, storage, and location.
■ Ensure proper data maintenance, retention, and remanence practices.
■ Implement secure data destruction methods to prevent leakage.

End-of-Life Considerations:

■ Ensure assets are securely disposed of at EOL (End-of-Life) or EOS (End-of-Support).

Slide 3: Data Lifecycle Management

Key Phases of Data Lifecycle:

1. Data Collection: Gather data securely with minimal exposure.
2. Data Location & Storage: Protect data physically and digitally.
3. Data Maintenance: Apply updates and access control.
4. Data Retention: Retain according to legal and business requirements.
5. Data Remanence: Residual data that survives an ordinary delete or format; ensure no recoverable data remains after deletion.
6. Data Destruction: Use secure methods like shredding, wiping, or cryptographic erasure.
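Remanence, wiping and cryptographic erasure are easiest to understand side by side. The following Python example is added here for that purpose and is not part of the original notes. It models a disk as a flat byte array with a directory, then shows that an ordinary delete only unlinks the directory entry and the record can still be carved from the raw media, that an overwrite wipe removes it, and that a file stored only as ciphertext becomes unreadable once its data encryption key is destroyed even though the ciphertext is never touched. The toy disk, the sample record and the HMAC-SHA256 counter-mode keystream standing in for a real cipher are all assumptions made for the demo; in production the file would be encrypted with AES-GCM or XTS and the erasure step would destroy the key in a key manager or hardware module.

```python
import hashlib
import hmac
import os


class Disk:
    """Toy block device for the demo: a flat byte array plus a directory that
    maps names to (offset, length). Constructed here; real media add journals,
    slack space, wear levelling and snapshots, all of which hold extra copies."""

    def __init__(self, size: int = 4096):
        self.raw = bytearray(size)
        self.directory = {}
        self._next_free = 0

    def write(self, name: str, data: bytes) -> None:
        start = self._next_free
        self.raw[start:start + len(data)] = data
        self.directory[name] = (start, len(data))
        self._next_free += len(data)

    def read(self, name: str) -> bytes:
        start, length = self.directory[name]
        return bytes(self.raw[start:start + length])

    def delete(self, name: str) -> None:
        """An ordinary delete: unlink the directory entry; the bytes stay (remanence)."""
        del self.directory[name]

    def wipe(self, name: str) -> None:
        """Sanitise by overwriting the allocated blocks before unlinking."""
        start, length = self.directory.pop(name)
        self.raw[start:start + length] = os.urandom(length)

    def carve(self, marker: bytes) -> bool:
        """Forensic recovery: scan the raw media for a known pattern, ignoring the directory."""
        return marker in self.raw


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for a stream cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


# Constructed sample record; MARKER is what a forensic carving tool would search for.
RECORD = b"patient=Jane Doe;SSN=123-45-6789;dx=confidential"
MARKER = b"SSN=123-45-6789"


def demo() -> dict:
    # Case 1: delete only. The file is gone from the directory but carving finds it.
    d1 = Disk()
    d1.write("a.txt", RECORD)
    d1.delete("a.txt")

    # Case 2: overwrite wipe. Nothing left to carve.
    d2 = Disk()
    d2.write("b.txt", RECORD)
    d2.wipe("b.txt")

    # Case 3: cryptographic erasure. The record is written only as ciphertext
    # under a per-file data encryption key (DEK). Destroying the DEK makes every
    # copy of the ciphertext (backups, snapshots, slack space) unreadable at once.
    d3 = Disk()
    dek, nonce = os.urandom(32), os.urandom(16)
    d3.write("c.txt", xor_crypt(dek, nonce, RECORD))
    readable_with_key = xor_crypt(dek, nonce, d3.read("c.txt")) == RECORD
    start, length = d3.directory["c.txt"]
    leftover_ciphertext = bytes(d3.raw[start:start + length])
    d3.delete("c.txt")
    dek = None  # the erasure step: the key is destroyed, the media is never touched
    wrong_key_recovers = xor_crypt(os.urandom(32), nonce, leftover_ciphertext) == RECORD

    return {
        "delete_leaves_remanence": d1.carve(MARKER),
        "wipe_removes_remanence": not d2.carve(MARKER),
        "encrypted_file_readable_with_key": readable_with_key,
        "ciphertext_does_not_leak_marker": not d3.carve(MARKER),
        "ciphertext_useless_without_key": not wrong_key_recovers,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Cryptographic erasure is the only one of the three that scales to media you cannot overwrite (SSDs with wear levelling, cloud object stores, backup tapes held by a third party): it replaces the problem of finding every copy of the data with the much smaller problem of destroying every copy of the key.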

Slide 4: Data Security Controls & Compliance


Determining Security Requirements:

■ Protect data in all states: in use, in transit, and at rest.
■ Scoping & Tailoring: Scoping removes baseline controls that do not apply to the system; tailoring adjusts the parameters of the remaining controls to the organizational context.
■ Standards Selection: Adopt ISO, NIST, or other relevant frameworks.

Data Protection Methods:

■ Digital Rights Management (DRM) – Prevent unauthorized copying or use.
■ Data Loss Prevention (DLP) – Monitor and protect sensitive data.
■ Cloud Access Security Broker (CASB) – Secure cloud-based resources.

Overview of Domain 5: Identity and Access Management (IAM)

■ Focus: Controlling physical and logical access to organizational assets.
■ Assets include:
   o Information
   o Systems
   o Devices
   o Facilities
   o Applications
■ Goal: Ensure only authorized users and devices access resources.

Slide 2: Identity & Authentication Management

Key IAM Activities:

■ Identity Management (IdM) Implementation – Managing identities throughout their lifecycle.
■ Single / Multi-Factor Authentication (MFA) – Requiring more than one category of factor (something you know, something you have, something you are) so that a single compromised credential is not enough.
■ Accountability – Ensuring actions can be traced to the individual who performed them, through unique identities, logging, and auditing.
■ Session Management – Secure handling of active sessions (timeouts, re-authentication for sensitive actions, invalidation on logout).
■ Registration & Proofing – Verifying a claimed identity before credentials are issued.
Slide 3: Advanced IAM Concepts

■ Federated Identity Management (FIM) – Trust relationships that let users authenticate with their home identity provider and access systems in other organizations or domains.
■ Credential Management Systems – Securely store and manage authentication credentials.
■ Single Sign-On (SSO) – One login grants access to multiple systems.
■ Just-In-Time (JIT) Access – Temporary, need-based access provisioning that expires automatically.
■ Federated Identity Deployment
   o On-premise
   o Cloud
   o Hybrid

Slide 4: Identity and Access Lifecycle Management

Managing Access and Accounts:

■ Account Access Review – Regular review of user, system, and service access.
■ Provisioning & Deprovisioning – Onboarding, offboarding, and role transfers.
■ Role Definition – Assigning users to appropriate roles based on responsibilities.

Goal:

■ Maintain secure, efficient, and compliant access control across the organization.
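The JIT access item on the previous slide and the access review and deprovisioning items on this one are two halves of the same lifecycle, and the following Python example is added here to show them together; it is not part of the original notes. It models accounts with standing roles, time-limited JIT grants and a last-login timestamp, then runs a review that flags dormant users, leavers who still hold roles, expired JIT grants that were never revoked, and standing admin rights that should have been JIT. The account data, the review date, the 90-day dormancy threshold and the finding names are all assumptions for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed review date and policy threshold for the demo.
REVIEW_TIME = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
DORMANT_AFTER_DAYS = 90


@dataclass
class Account:
    name: str
    kind: str                                  # "user", "service" or "system"
    employed: bool = True                      # False once HR marks the person a leaver
    roles: Set[str] = field(default_factory=set)                    # standing roles
    jit_grants: Dict[str, datetime] = field(default_factory=dict)   # role -> expiry
    last_login: Optional[datetime] = None


def grant_jit(acct: Account, role: str, hours: int, now: datetime = REVIEW_TIME) -> None:
    """Just-in-time provisioning: an elevated role with a built-in expiry."""
    acct.jit_grants[role] = now + timedelta(hours=hours)


def effective_roles(acct: Account, now: datetime = REVIEW_TIME) -> Set[str]:
    """What the account can do right now: standing roles plus unexpired JIT grants."""
    return acct.roles | {r for r, exp in acct.jit_grants.items() if exp > now}


def deprovision(acct: Account) -> None:
    """Offboarding: remove every role and grant, not merely disable the login."""
    acct.roles.clear()
    acct.jit_grants.clear()
    acct.employed = False


def access_review(accounts: List[Account], now: datetime = REVIEW_TIME) -> List[Tuple[str, str]]:
    """Periodic review: each finding is (account, reason) for a reviewer to act on."""
    findings = []
    for a in accounts:
        if not a.employed and (a.roles or a.jit_grants):
            findings.append((a.name, "LEAVER_NOT_DEPROVISIONED"))
        if a.employed and a.kind == "user":
            # Service accounts never log in interactively, so dormancy is judged
            # for human users only; service accounts get their own review cycle.
            idle = a.last_login is None or (now - a.last_login).days > DORMANT_AFTER_DAYS
            if idle:
                findings.append((a.name, "DORMANT"))
        for role, exp in a.jit_grants.items():
            if exp <= now:
                findings.append((a.name, f"EXPIRED_JIT_NOT_REVOKED:{role}"))
        if "admin" in a.roles:
            findings.append((a.name, "STANDING_ADMIN"))  # should be a JIT grant instead
    return findings


def sample_accounts() -> List[Account]:
    """Constructed directory snapshot for the demo."""
    day = timedelta(days=1)
    alice = Account("alice", "user", roles={"developer"}, last_login=REVIEW_TIME - 2 * day)
    grant_jit(alice, "admin", hours=4)             # valid at review time, gone in 4 hours
    bob = Account("bob", "user", roles={"developer"}, last_login=REVIEW_TIME - 120 * day)
    carol = Account("carol", "user", roles={"admin"}, last_login=REVIEW_TIME - 1 * day)
    dave = Account("dave", "user", employed=False, roles={"finance"},
                   last_login=REVIEW_TIME - 30 * day)
    ci = Account("ci-runner", "service", roles={"deploy"})
    ci.jit_grants["db-admin"] = REVIEW_TIME - timedelta(hours=2)   # expired, never cleaned up
    return [alice, bob, carol, dave, ci]


if __name__ == "__main__":
    for name, reason in access_review(sample_accounts()):
        print(f"{name}: {reason}")
```

Note that `effective_roles` is the function an authorization decision should consult: the expired grant on the service account is still present in the directory, which is exactly the kind of leftover the review is meant to catch, but it no longer confers access because expiry is enforced at decision time rather than relying on a cleanup job having run.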
