Chapter 1: Definition of Information Security C.I.A triangle: confidentiality, integrity, availability NSTISSC model Components of an information system Top-down and bottom-up approach. Security personnels: CIO, CISO, champion SecSDLC: based on waterfall model, phases Data ownership Access control: Terms: threat, vulnerability, risk, single sign on (SSO) Different types of access control: --preventative, detective, corrective, recovery, --administrative, logical/technical, physical --Security in depth The process of accountability: identification, authentication, authorization, auditing and accountability Three types of authentication factors: sth you know, sth you have, sth you are (be able to give example for each one) Two factor authentication and strong authentication Understand the weakness of password mechanism and what measures you can take to make the mechanism more secure. Biometric: three types of rates, relationship between rates and sensitivity level, relationship between accuracy/effectiveness and acceptance Token Access control models: discretionary, … Information classification and security clearance level Centralized and decentralized access control, know the fact that RADIUS and TACTCS are both examples of centralized access control, and decentralized access control are normally based on domains Some security principles: need to know, least privilege, separation of duties, avoid “security through obscurity” Security models: Bell-lapudula model, Biba model, non-inference model, Chinese wall model