yuchen170

@yuchen170

Joined on Jun 8, 2021

  • 0:00 Let's start everything with a story. 0:04 Recently, Mei started using Quick Pay, a payment tool that allows payments by scanning QR codes, simply by linking her account or credit card. With her phone in hand, she could handle all her meals, finding it very convenient. 0:18 Today, Mei went to the supermarket as usual, armed with her phone, and queued up, ready to check out using Quick Pay. 0:26 However, during checkout, the cashier informed her that the barcode couldn't be scanned. Although Mei was confused, she didn't think much of it and simply refreshed her barcode for the cashier. 0:34 Later, when Mei checked her transaction records for the day, she discovered an unauthorized transaction. It dawned on her that she had fallen victim to theft through unauthorized scanning of her payment barcode.
  • Notes Portal: ISC2 CC - Security Principles; ISC2 CC - Incident Response and Business Continuity; ISC2 CC - Risk Management; ISC2 CC - Access Control; ISC2 CC - Network Security; ISC2 CC - Security Operations. Introduction
  • Introduction Types of access control, physical and logical controls and how they are combined to strengthen the overall security of an organization. Access Control Concepts What is Security Control? Access control involves limiting what ==objects== can be available to what ==subjects== according to what ==rules==. Controls Overview Earlier in this course we looked at security principles through foundations of risk management, governance, incident response, business continuity and disaster recovery. But in the end, security all comes down to, “who can get access to organizational assets (buildings, data, systems, etc.) and what can they do when they get access?”
  • Understand the Security Concepts of Information Assurance Confidentiality It relates to permitting authorized access to information, while at the same time protecting information from improper disclosure. Confidentiality is difficult to achieve because many users are guests or customers, and it is not clear whether access comes from a compromised machine or a vulnerable mobile application. To avoid those difficulties, security professionals must regulate access, permitting access to authorized individuals and thereby protecting the data that needs protection. Data that needs protection is also known as PII or PHI. PII stands for Personally Identifiable Information; it relates to the area of confidentiality and means any data that could be used to identify an individual. PHI stands for Protected Health Information and covers information about one's health status, and classified or sensitive information, which includes trade secrets, research, business plans and intellectual property. Related to confidentiality is the concept of sensitivity: a measure of the importance assigned to information by its owner, or the purpose of denoting its need for protection. Sensitive information is information that, if improperly disclosed (confidentiality) or modified (integrity), would harm an organization or individual. In many cases, sensitivity is related to the harm to external stakeholders; that is, people or organizations that may not be a part of the organization that processes or uses the information.