✳️ Official ISC2 CC Online Course

✳️ COURSE CONTENT
 

1. Security Principles
2. Incident response, business continuity and disaster recovery concepts
3. Access control concepts
4. Network security
5. Security Operations
+. Course conclusions



✳️ ISC2 CODE OF ETHICS

PREAMBLE
The safety and welfare of society and the common good, duty to our principals and to each other, require the best and highest ethical standards of behavior. Strict adherence to this code is a condition of certification.

CANONS

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.



✳️ CIA TRIAD
 

CONFIDENTIALITY
Allowing authorized access to information while, at the same time, protecting that information from disclosure.

INTEGRITY
The property of information whereby it is recorded, used and maintained in a way that ensures its accuracy, completeness, internal consistency and usefulness for a stated purpose.

AVAILABILITY
Systems and data are available/accessible at the time users need them.


​💬 CONFIDENTIALITY

Regulated access to protect the data that needs protection, yet permit access to authorized individuals. A difficult balance to achieve when many users are guests or customers.

PII (personally identifiable information)
Any data about an individual that could be used to identify them.


PHI (protected health information)
All classified or sensitive information regarding one's health status.


CoSI (classified or sensitive information)
- Trade secrets
- Research
- Business plans
- Intellectual property


🔎 INTEGRITY

It measures the degree to which something is whole and complete, internally consistent and correct. It applies to:

- Information or data
- Systems and processes for business operations
- Organizations
- People and their actions

DATA INTEGRITY
The assurance that data has not been altered in an unauthorized manner. It covers data in storage, during processing and while in transit. It must be accurate, internally consistent and useful for a stated purpose.


CONSISTENCY
As part of integrity, it requires that all instances of the data be identical in form, content and meaning.

SYSTEM INTEGRITY
The maintenance of a known good configuration and expected operational function as the system processes the information.

1. AWARENESS OF STATE (the current condition of the system)

Concerns the ability to document and understand the state of data or a system at a certain point, creating a baseline.


2. BASELINE
Could be the current state of the information (whether it is protected). To preserve that state, the information must always continue to be protected through a TRANSACTION.

When comparing the current state of the information with the baseline, if the two match, then the integrity is INTACT; if not, the data has been compromised.
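The baseline comparison above, as an added worked example (not part of the course notes): a keyed SHA-256 fingerprint is taken of each data item to record the known-good state, and a later check reports which items were modified, removed or added. The key and the sample records are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Set

# Hypothetical baseline key: a keyed fingerprint means someone who can alter the data
# cannot simply recompute a matching baseline. In practice it is stored apart from the data.
BASELINE_KEY = b"example-baseline-key-not-for-production"


def fingerprint(content: bytes) -> str:
    """Keyed SHA-256 fingerprint of one data item (its recorded 'state')."""
    return hmac.new(BASELINE_KEY, content, hashlib.sha256).hexdigest()


def take_baseline(items: Dict[str, bytes]) -> Dict[str, str]:
    """Record the known-good state: one fingerprint per named item."""
    return {name: fingerprint(data) for name, data in items.items()}


def check_integrity(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Compare the current state against the baseline.

    Returns the names of items that were modified, removed or added.
    Integrity is INTACT only when all three sets are empty.
    """
    modified = {
        name for name in baseline
        if name in current and not hmac.compare_digest(baseline[name], fingerprint(current[name]))
    }
    removed = set(baseline) - set(current)
    added = set(current) - set(baseline)
    return {"modified": modified, "removed": removed, "added": added}


def is_intact(report: Dict[str, Set[str]]) -> bool:
    """True when the current state matches the baseline exactly."""
    return not any(report.values())


if __name__ == "__main__":
    # Constructed sample data: two config-like records at baseline time.
    original = {"users.csv": b"alice,admin\nbob,user\n", "policy.txt": b"deny-by-default\n"}
    baseline = take_baseline(original)
    # Later state: one record altered without authorization, one removed, one new.
    later = {"users.csv": b"alice,admin\nbob,admin\n", "audit.log": b"login ok\n"}
    report = check_integrity(baseline, later)
    print("INTACT" if is_intact(report) else f"COMPROMISED: {report}")
```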

 

* The need to safeguard information and system integrity could be:

1. Dictated by laws (LOPD)
2. Regulated by laws (RPD)
3. Dictated by the needs of the organization (internal)


☑️ AVAILABILITY

Timely and reliable access to information and the ability to use it (this also applies to data and services), either publicly or for authorized users only, depending on the circumstances.

Some systems or data are more important than others, so those associated with a high level of importance are known as CRITICAL, and must meet access requirements in all cases (as dictated by the organization).



✳️ AUTHENTICATION

The process of verifying or proving a user's identity.
 

The 3 methods are classified as:

🧠 SOMETHING YOU KNOW  -  password or passphrase

💳 SOMETHING YOU HAVE  -  tokens / memory cards / smart cards / flash drives

🖐️ SOMETHING YOU ARE  -  measurable characteristics:
   - face recognition
   - fingerprint
   - eye recognition
   - hand recognition


When combining methods of authentication, they must be from different types to be effective.
For example, a password and a smart card, but not two passwords. Those combinations are classified as:

SFA       Single-factor authentication
2FA       Two-factor authentication
MFA      Multi-factor authentication



✳️ NON-REPUDIATION

A legal term defined as the protection against an individual falsely denying having performed a particular action. Non-repudiation technologies and methodologies ensure that people are held responsible for their actions and transactions in the digital world. Non-repudiation is based on TRUST.


✳️ PRIVACY

Is the right of an individual to control the distribution of information about themselves. Security and privacy are focused on the protection of personal data, but they are different.

GOALS OF PRIVACY PROTECTION:
- Meet national and/or international regulations
- Meet the organization's needs


It is necessary to know how they all apply at any time.

* GDPR (General Data Protection Regulation, EU)
It applies to all organizations, foreign or domestic, doing business in the European Union or with any person living in a territory of the European Union.


✳️ RISK MANAGEMENT

A measure of the extent to which an entity is threatened by a potential circumstance or event. It is ALSO expressed as a combination of:

1. The adverse impacts that would arise if the circumstance or event occurs
2. The likelihood of occurrence
*. An IT risk is a subset of business risk

Risks intersect with these three:

- ASSET (something in need of protection)
- VULNERABILITY (a gap or weakness in those protection efforts)
- THREAT (something or someone that aims to exploit a vulnerability to thwart protection efforts)



✳️ VULNERABILITIES

A vulnerability is an inherent weakness or flaw in a system or component which, if triggered or acted upon, could cause a RISK EVENT to occur.

To decrease an organization's vulnerability, you must view it through the eyes of the threat actor. First you must learn what the vulnerabilities are, and ask yourself things such as:

- Why would we be an attractive target?
- What do we have that is in need of protection? (assets or information)
- Who could be a potential threat? (competitors, international actors, ex-employees, terrorism, political actors...)
- In which areas is our organization's system/platform vulnerable?
- Is there a time of day, or a time of year, at which an attack is more likely to occur?
- Has information about the organization been leaked in the past? Could that information still be used against us?
- Does the organization have enough authentication methods? Are they effective?
- Is there a standard operating procedure regarding security available and implemented company-wide?

LIKELIHOOD
When determining an organization's vulnerabilities, the security team will consider the likelihood or probability of a potential vulnerability being exploited.

IMPACT
The magnitude of harm that can be expected to result from the consequences of:

-  unauthorized disclosure of information
-  unauthorized modification of information
-  unauthorized destruction of information
-  loss of information
-  loss of system availability



✳️ RISK IDENTIFICATION

Identifying risks is not a one-and-done activity; it is a recurring process of identifying different possible risks, characterizing them and then estimating their potential for disrupting the organization.
* It involves analyzing the company's unique situation

1. Identify risks in order to communicate them clearly
2. Employees at all levels of the organization are responsible for identifying risks
3. Do the above to protect against those risks

SECURITY TEAM PLANNING VOID

- Risk assessment (at a system level)
- Focusing on process, control and monitoring
- Incident response
- Recovery activities


 
