Chapter 1:
Definition of Information Security
C.I.A triangle: confidentiality, integrity, availability
NSTISSC model
Components of an information system
Top-down and bottom-up approach.
Security personnels: CIO, CISO, champion
SecSDLC: based on waterfall model, phases
Data ownership
Access control:
Terms: threat, vulnerability, risk, single sign on (SSO)
Different types of access control:
--preventative, detective, corrective, recovery,
--administrative, logical/technical, physical
--Security in depth
The process of accountability: identification, authentication, authorization, auditing and
accountability
Three types of authentication factors: sth you know, sth you have, sth you are (be able to
give example for each one)
Two factor authentication and strong authentication
Understand the weakness of password mechanism and what measures you can take to
make the mechanism more secure.
Biometric: three types of rates, relationship between rates and sensitivity level,
relationship between accuracy/effectiveness and acceptance
Token
Access control models: discretionary, …
Information classification and security clearance level
Centralized and decentralized access control, know the fact that RADIUS and TACTCS
are both examples of centralized access control, and decentralized access control are
normally based on domains
Some security principles: need to know, least privilege, separation of duties, avoid
“security through obscurity”
Security models: Bell-lapudula model, Biba model, non-inference model, Chinese wall
model