WGU C725 STUDY GUIDE NOTES QUESTIONS WITH ANSWERS ALL CORRECT
Chapter 1

Information security is primarily a discipline to manage the behavior of people. Confidentiality, integrity, and availability represent the three objectives of information security.

Important certifications:
- CISSP (Certified Information Systems Security Professional)
- GIAC (Global Information Assurance Certification)
- SSCP (Systems Security Certified Practitioner)

Parts of an information security practice:
- Laws and ethical practices
- Access controls
- Security architecture

Common classes of safe ratings:
- B-rate – catchall rating for any box with a lock on it. Describes thickness of steel.
- C-rate – variable-thickness steel box with a 1-inch thick door and a lock.
- UL TL-15 – requires the safe be constructed of 1-inch solid steel or equivalent. Safe against a 15-minute working time.
- UL TL-30 – same as TL-15, but with a 30-minute working time.

Confidentiality – also known as privacy, secrecy, and discretion.

Three goals of security (CIA Triad):
- Confidentiality of data
- Integrity of data
- Availability of data for authorized use

Integrity models – keep data pure and trustworthy by protecting system data from intentional or accidental changes.
Availability models – keep data and resources available for authorized use.
Defense in Depth – layered security. Provides prevention, detection, and response.
Functional requirements – describe what a system should do.
Assurance requirements – describe how functional requirements should be implemented and tested. Does the system do the right things (behave as promised)? Does the system do the right things in the right way?

Risk levels:
- Extreme risk – immediate action is required.
- High risk – senior management's attention is needed.
- Moderate risk – management responsibility must be specified.

Vulnerability – refers to a known problem within a system or program.
Exploit – a program or cookbook on how to take advantage of a specific vulnerability.
Attacker – a link between a vulnerability and an exploit.
Three types of security controls: preventative, detective, responsive.
Complexity – the enemy of security.
Security function requirements – what a security system should do by design.
Three types of security controls – people, process, and technology.

10 domains of the CBK (Common Body of Knowledge):
- Information Security Governance and Risk Management
- Security Architecture and Design
- Business Continuity and Disaster Recovery Planning
- Legal Regulations, Investigations and Compliance
- Physical (Environmental) Security
- Operations Security
- Access Control
- Cryptography
- Telecommunications and Network Security
- Software Development Security

Governance and Risk Management – the set of executive support and management that defines an IT security program.

Policies – high-level statements, beliefs, goals, and objectives; the most crucial element in a corporate information security infrastructure. A policy contains: Title, Purpose, Authorizing individual, Author/Sponsor, Reference to other policies, Scope, Measurement expectations, Exception process, Accountability, Compliance management and measurements description, Effective/expiration dates, Definitions.

The four types of policies:
- Program-level policies – needed to establish a security program, assign program-management responsibilities, state an organization-wide security purpose and objectives, and establish a basis for policy compliance. Components: Purpose, Scope, Responsibilities, Compliance.
- Program framework policies – provide an organization-wide direction for areas of program implementation. Examples: Business continuity planning framework, Physical security requirements framework for data centers, Application development security
Written for
- Institution: Western Governors University
- Module: C725

Document information
- Uploaded on: November 12, 2022
- Number of pages: 12
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers