CyberRookie CSX Fundamentals - Section 2: Cybersecurity Concepts
1 / 9
1. Core duty of cybersecurity: to identify, mitigate and manage cyberrisk to an
organization's digital assets
2. Assessing risk: one of the most
...
CyberRookie CSX Fundamentals - Section 2: Cybersecurity Concepts
1 / 9
1. Core duty of cybersecurity: to identify, mitigate and manage cyberrisk to an
organization's digital assets
2. Assessing risk: one of the most critical functions of a cybersecurity organization
3. Dependent on understanding the risk and threats an organization faces-
: Effective policies, security implementations, resource allocation and incident
response preparedness
4. (3) three different approaches to implementing cybersecurity: Compliance-based, Risk-based, Ad hoc
5. Compliance-based: Also known as standards-based security, this approach
relies on regulations or standards to determine security implementations. Controls
are implemented regardless of their applicability or necessity, which often leads to
a "checklist" attitude toward security.
6. Risk-based: relies on identifying the unique risk a particular organization faces
and designing and implementing security controls to address that risk above and
beyond the entity's risk tolerance and business needs.
7. Ad hoc: implements security with no particular rationale or criteria. Driven
by vendor marketing, or they may reflect insufficient subject matter expertise,
knowledge or training when designing and implementing safeguards.
8. Most organizations with mature security programs use a combination of
these two (2) approaches.: risk-based and compliance-based
9. Require risk assessments to drive the particular implementation of the
required controls.: Payment Card Industry Data Security Standard (PCIDSS) or
the US Health Insurance Portability and Accountability Act (HIPAA).
10. Risk: The combination of the probability of an event and its consequence and
mitigated through the use of controls or safeguards.
11. Threat: Anything (e.g., object, substance, human) that is capable of acting
against an asset in a manner that can result in harm. A potential cause of an
unwanted incident.
12. Threat source: as the actual process or agent attempting to cause harm
13. Threat event: as the result or outcome of a threat agent's malicious activity.
14. Asset: Something of either tangible or intangible value that is worth protecting,
including people, information, infrastructure, finances and reputation
[Show More]