Ch. 1 Info Sec

The document provides an overview of information security concepts, emphasizing the CIA triad (Confidentiality, Integrity, Availability) and the importance of authentication and non-repudiation. It outlines the risk management process, including risk identification, assessment, treatment, and the classification of security controls into physical, technical, and administrative types. Additionally, it explains governance elements, highlighting the relationships between regulations, standards, policies, and procedures in ensuring effective organizational accountability and compliance.

Uploaded by Jorge Torno

Module 1: Understand the Security Concepts of Information Assurance

Module Objective

• Recognize foundational security concepts of information assurance.


Introduction to Information Security

Information Security is the practice of protecting information from unauthorized access, use, disclosure, disruption, modification, or destruction.

● Vital for maintaining privacy in the digital age
● Protects sensitive data from breaches and cyber threats
● Essential for building trust in digital transactions and communications
The CIA TRIAD

To define security, it has become common to use Confidentiality, Integrity and Availability, also known as the CIA triad. The purpose of these terms is to describe security using relevant and meaningful words that make security more understandable to management and users and define its purpose.
Understand the Security Concepts of Information Assurance

Fundamental Principles:
● Confidentiality: Ensuring that information is only accessible to those authorized to view it.
● Integrity: Maintaining the accuracy and reliability of data, ensuring it is not altered or tampered with.
● Availability: Ensuring that information and resources are accessible to authorized users when needed.
CONFIDENTIALITY

Confidentiality is a difficult balance to achieve when many system users are guests or customers, and it is not known if they are accessing the system from a compromised machine or vulnerable mobile application. So, the security professional’s obligation is to regulate access—protect the data that needs protection, yet permit access to authorized individuals.
CONFIDENTIALITY

Personally Identifiable Information (PII) is a term related to the area of confidentiality. It pertains to any data about an individual that could be used to identify them.

Other terms related to confidentiality are protected health information (PHI), which is information regarding one’s health status, and classified or sensitive information, which includes trade secrets, research, business plans and intellectual property.
CONFIDENTIALITY

Another useful definition is sensitivity, which is a measure of the importance assigned to information by its owner, or the purpose of denoting its need for protection. Sensitive information is information that if improperly disclosed (confidentiality) or modified (integrity) would harm an organization or individual. In many cases, sensitivity is related to the harm to external stakeholders; that is, people or organizations that may not be a part of the organization that processes or uses the information.
INTEGRITY

Integrity measures the degree to which something is whole and complete, internally consistent and correct.

The concept of integrity applies to:

• information or data
• systems and processes for business operations
• organizations
• people and their actions
INTEGRITY

Data integrity is the assurance that data has not been altered in an unauthorized manner. This requires the protection of the data in systems and during processing to ensure that it is free from improper modification, errors or loss of information and is recorded, used and maintained in a way that ensures its completeness.

Consistency, as part of data integrity, requires that all instances of the data be identical in form, content and meaning.

System integrity refers to the maintenance of a known good configuration and expected operational function as the system processes the information.
AVAILABILITY

Availability can be defined as (1) timely and reliable access to information and the ability to use it, and (2) for authorized users, timely and reliable access to data and information services.

Availability is often associated with the term criticality, because it represents the importance an organization gives to data or an information system in performing its operations or achieving its mission.
AUTHENTICATION

The process of verifying or proving the user’s identification is known as authentication. Simply put, authentication is a process to prove the identity of the requestor.

There are three common methods of authentication:
• Something you know: Passwords or passphrases
• Something you have: Tokens, memory cards, smart cards
• Something you are: Biometrics, measurable characteristics
AUTHENTICATION

Methods of Authentication

● Single-factor authentication (SFA)
● Multi-factor authentication (MFA)

Common best practice is to implement at least two of the three common techniques for authentication:

• Knowledge-based
• Token-based
• Characteristic-based
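The two-of-three rule in working form, as an added example that is not part of the original slides: a Go server-side check that requires a password (knowledge-based) and an RFC 6238 time-based one-time code from an authenticator app (token-based). The User record, the seed value and the salted SHA-256 password hash are constructed for the demo; the hash stands in for bcrypt or argon2 so the code stays within Go's standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// User is what the server stores: a salted password hash (something you know)
// and the seed shared with the user's authenticator app (something you have).
// Salted SHA-256 stands in for bcrypt/argon2 only to stay within the standard library.
type User struct {
	Salt, PwHash, TotpSeed []byte
}

func HashPassword(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic
// truncation to six decimal digits.
func HOTP(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is RFC 6238: the counter is the number of 30-second steps since the epoch.
func TOTP(seed []byte, unixTime int64) string {
	return HOTP(seed, uint64(unixTime/30))
}

// Authenticate accepts only when both factors check out. Both are always
// evaluated and compared in constant time, so timing does not reveal which one
// failed. One 30-second step of clock skew either way is tolerated, as
// authenticator apps expect; a real server would also refuse a reused code.
func Authenticate(u User, password, code string, now int64) bool {
	pwOK := subtle.ConstantTimeCompare(HashPassword(u.Salt, password), u.PwHash)
	codeOK := 0
	for skew := int64(-1); skew <= 1; skew++ {
		codeOK |= subtle.ConstantTimeCompare([]byte(TOTP(u.TotpSeed, now+30*skew)), []byte(code))
	}
	return (pwOK & codeOK) == 1
}
```

Authenticate(u, password, code, time.Now().Unix()) is the server-side call; with the RFC 6238 test seed 12345678901234567890 the code at Unix time 59 is 287082.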
NON-REPUDIATION

● Non-repudiation is a crucial principle in information security that ensures that a party in a transaction cannot deny the authenticity of their signature on a document or the sending of a message itself. It provides proof of the origin, delivery, and integrity of data.

● Non-repudiation is a legal term and is defined as the protection against an individual falsely denying having performed a particular action.
NON-REPUDIATION

Importance of Non-Repudiation

● Enhances Trust in Digital Transactions
● Prevents Fraud and Misunderstanding
● Supports Legal and Regulatory Compliance
● Strengthens Security Posture

Mechanisms of Non-Repudiation

Non-repudiation mechanisms ensure that communication or transactions cannot be denied by the involved parties. This is usually achieved through digital signatures, timestamps, and transaction logs.

Digital Signatures

Digital signatures are cryptographic equivalents of handwritten signatures or stamped seals. They provide proof of origin, identity, and status of an electronic document.
NON-REPUDIATION

Cryptographic Techniques
1. Public Key Infrastructure (PKI)
2. Hash Functions and Digital Signatures
3. Timestamping Services
4. Secure Communication Protocols

Legal Implications

Non-repudiation is not only a technical issue but also a legal one. It plays a vital role in agreements, contracts, and transactions and is recognized by various legal systems around the world.
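The three mechanisms (digital signature, timestamp, transaction log) combined in working form, as an added example that is not part of the original slides: a Go log entry that carries the signed content together with its signing time, so the sender cannot later deny either, and a verifier that rejects any alteration. The Record and LogEntry types, the fixed key seed and the sample transaction are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Record is the transaction content plus the time it was signed, so the
// signature binds what was said to when it was said (the timestamp mechanism).
type Record struct {
	Sender   string `json:"sender"`
	Body     string `json:"body"`
	SignedAt int64  `json:"signed_at"`
}

// LogEntry is what the transaction log keeps: the record and the signature
// over it, which serves as proof of origin and of integrity.
type LogEntry struct {
	Record Record
	Sig    []byte
}

// canonical serializes the record deterministically; signer and verifier must
// sign and check exactly the same bytes.
func canonical(r Record) []byte {
	b, _ := json.Marshal(r) // plain string/int fields cannot fail to marshal
	return b
}

// Sign produces the log entry. Only the holder of priv can create Sig, which is
// what stops the sender from later denying the record. Ed25519 hashes the
// message internally (SHA-512), so the signature covers the whole record.
func Sign(priv ed25519.PrivateKey, r Record) LogEntry {
	return LogEntry{Record: r, Sig: ed25519.Sign(priv, canonical(r))}
}

// Verify checks the stored signature with the sender's public key; any change
// to sender, body or timestamp after signing makes it fail. Note that an HMAC
// could not do this job: its shared key lets the verifier forge entries too.
func Verify(pub ed25519.PublicKey, e LogEntry) bool {
	return ed25519.Verify(pub, canonical(e.Record), e.Sig)
}

func main() {
	// Constructed key: a fixed seed keeps the demo deterministic. Real keys come
	// from ed25519.GenerateKey(rand.Reader) and live in a key store or HSM.
	priv := ed25519.NewKeyFromSeed([]byte("constructed-32-byte-seed-value!!"))
	pub := priv.Public().(ed25519.PublicKey)
	entry := Sign(priv, Record{Sender: "alice", Body: "transfer 100 to bob", SignedAt: 1700000000})
	fmt.Println("genuine entry verifies:", Verify(pub, entry)) // true
	entry.Record.Body = "transfer 900 to bob"                  // tampering in the log
	fmt.Println("altered entry verifies:", Verify(pub, entry)) // false
}
```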
PRIVACY

Privacy is the right of an individual to control the distribution of information about themselves.
Common Threats to Information Security

Types of Threats:

● Malware: Malicious software designed to harm or exploit any programmable device or network. Examples include viruses, worms, and ransomware.
● Phishing Attacks: Deceptive attempts to obtain sensitive information by masquerading as a trustworthy entity in electronic communications.
● Insider Threats: Risks posed by individuals within an organization, such as employees or contractors, who may misuse access to information.
Strategies for Protecting Information

Effective Protection Strategies:

● Encryption: Converting data into a coded format to prevent unauthorized access. Essential for protecting sensitive information during transmission and storage.
● Regular Software Updates: Keeping software up-to-date to protect against known vulnerabilities. This includes operating systems, applications, and security software.
● Employee Training: Educating employees about security best practices, including recognizing phishing attempts and securing sensitive data.
Conclusion and Future Trends

Key Points Summary

- Information Security is crucial for protecting sensitive data and maintaining privacy.
- Understanding the principles of confidentiality, integrity, and availability is essential.
- Awareness of common threats and effective protection strategies is vital for everyone.

Future Trends

- The rise of artificial intelligence in cybersecurity for threat detection and response.
- Increased focus on data privacy regulations and compliance.
- The growing importance of cloud security as more organizations move to cloud-based solutions.

Encouraging students to stay informed about evolving technologies and security practices is essential for a secure digital future.
Module 2: Understand the Risk Management Process

Module Objective

• Define risk management terminology and summarize the process.
• Relate risk management to personal or professional practices.
Risk Management

Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event. It is often expressed as a combination of:

1. the adverse impacts that would arise if the circumstance or event occurs, and
2. the likelihood of occurrence.
Risk Management

Information security risk reflects the potential adverse impacts that result from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of information and/or information systems.

This definition represents that risk is associated with threats, impact and likelihood, and it also indicates that IT risk is a subset of business risk.
Risk Management

• An asset is something in need of protection.
• A vulnerability is a gap or weakness in those protection efforts.
• A threat is something or someone that aims to exploit a vulnerability to thwart protection efforts.
Risk Management

Typical threat actors include the following:

• Insiders (either deliberately, by simple human error, or by gross incompetence).
• Outside individuals or informal groups (either planned or opportunistic, discovering vulnerability).
• Formal entities that are nonpolitical (such as business competitors and cybercriminals).
• Formal entities that are political (such as terrorists, nation-states, and hacktivists).
• Intelligence or information gatherers (could be any of the above).
• Technology (such as free-running bots and artificial intelligence, which could be part of any of the above).

Threat Vector: The means by which a threat actor carries out their objectives.
Risk Management

Vulnerability is an inherent weakness or flaw in a system or component, which, if triggered or acted upon, could cause a risk event to occur.

Likelihood of occurrence is a weighted factor based on a subjective analysis of the probability that a given threat or set of threats is capable of exploiting a given vulnerability or set of vulnerabilities.

Impact is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
Risk Management

Risk Identification

Risk identification involves looking at your unique company and analyzing its unique situation. Security professionals know their organization’s strategic, tactical and operational plans.

● Takeaways to remember about risk identification:

• Identify risk to communicate it clearly.
• Employees at all levels of the organization are responsible for identifying risk.
• Identify risk to protect against it.
Risk Management

Risk assessment

Risk assessment is defined as the process of identifying, estimating and prioritizing risks to an organization’s operations (including its mission, functions, image and reputation), assets, individuals, other organizations and even the nation.
Risk Management

Risk treatment

Risk treatment relates to making decisions about the best actions to take regarding the identified and prioritized risk. The decisions made are dependent on the attitude of management toward risk and the availability — and cost — of risk mitigation.
Risk Management

Risk treatment

The options commonly used to respond to risk are:

1. Risk avoidance is the decision to attempt to eliminate the risk entirely. This could include ceasing operation for some or all of the activities of the organization that are exposed to a particular risk. Organization leadership may choose risk avoidance when the potential impact of a given risk is too high or if the likelihood of the risk being realized is simply too great.

2. Risk acceptance is taking no action to reduce the likelihood of a risk occurring. Management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.

3. Risk mitigation is the most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact. Mitigation can involve remediation measures, or controls, such as security controls, establishing policies, procedures, and standards to minimize adverse risk. Risk cannot always be mitigated, but mitigations such as safety measures should always be in place.

4. Risk transference is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment. Typically, this is an insurance policy.
Module 3: Understand the Security Controls

Module Objective

• Classify types of security controls.

SECURITY CONTROL

Security controls pertain to the physical, technical and administrative mechanisms that act as safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity and availability of the system and its information.
SECURITY CONTROL

Physical controls address process-based security needs using physical hardware devices, such as badge readers, architectural features of buildings and facilities, and specific security actions to be taken by people.

SECURITY CONTROL

Technical controls (also called logical controls) are security controls that computer systems and networks directly implement. These controls can provide automated protection from unauthorized access or misuse, facilitate detection of security violations and support security requirements for applications and data.
SECURITY CONTROL

Administrative controls (also known as managerial controls) are directives, guidelines or advisories aimed at the people within the organization. They provide frameworks, constraints and standards for human behavior, and should cover the entire scope of the organization’s activities and its interactions with external parties and stakeholders.

• User Management
• Privilege Management
• Employee Security, Clearance, and Evaluation
• Employee training and awareness, etc.
Module 4: Understand Governance Elements and Processes

Module Objective

• Distinguish between policies, procedures, standards, regulations and laws.
• Demonstrate the relationship among governance elements.

Governance Elements

Governance refers to the systems, processes, and rules that guide decision-making and the behavior of individuals in an organization or institution.

Importance of Governance

Effective governance is crucial for accountability, transparency, and ethical operation, ensuring organizations meet their goals and serve their stakeholders.
Governance Elements

How are regulations, standards, policies and procedures related?

1. Regulations are commonly issued in the form of laws, usually from government (not to be confused with governance) and typically carry financial penalties for noncompliance.

2. Standards are often used by governance teams to provide a framework to introduce policies and procedures in support of regulations.

3. Policies are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization supports industry standards and regulations.

4. Procedures are the detailed steps to complete a task that support departmental or organizational policies.
