Argosenpaikun

Posted on Mar 3 • Edited on Mar 5

Security Principles

#security #cybersecurity #securirtyprinciples

CIA Triad

Confidentiality, Integrity, and Availability

Confidentiality

Ensures that sensitive information is only accessible to authorized users.
Prevents unauthorized disclosure of data
Examples:
- Using strong passwords and encryption.
- Implementing access control.

Integrity

Ensures that data remains accurate and unaltered, except by authorized users.
Protects against unauthorized modification, deletion, or corruption.
Examples:
- Using checksums or hashes to verify file integrity.
- Version control systems to track changes.

Availability

Ensures that authorized users can access data and systems when needed.
Protect against disruptions that might make systems or information unavailable.
Examples:
- Redundant servers, backups, and failover systems.
- Protection against Denial-of-Service (DoS) attacks.

The CIA triad is like a security balance when we want our data private (confidential), trustworthy (integrity), and accessible when needed (availability).

Identification, Authentication, and Multi-Factor Authentication (MFA)

Identification

The process of claiming an identity.
The purpose is to tells the system "Who are you?"
Example:
- Entering a username or email when logging in.
- Presenting an ID card at a workplace.
Keypoint: Identification alone does not prove you are who you claim to be; it just declares an identity.

Authentication

The process of verifying the identity claimed during identification.
The purpose is to ensures that person is actually who they claim to be.
Methods of authentication:
1. Something you know-password, PIN, or secret answer.
2. Something you have-smart card, security token, or phone.
3. Something you are-fingerprint, face scan, or other biometrics.
Example:
- Entering a password after typing a username.
- Scanning a fingerprint to unlock a device.

Multi-Factor Authentication (MFA)

A security process that requires two or more different authentication factors to verify identity.
The purpose is to adds extra layers of security, so that even if one factor is compromised, unauthorized access is prevented.
Typical MFA combinations:
- Password (something you know) + SMS code (something you have).
- Password + fingerprint (something you are).
Example:
- Logging into your email, then entering a code sent to you phone.
- Using an authenticator app (such as Google Authenticator) along with your password.

Three Main Types of Factors in MFA

Something You Know (Knowledge Factor)

Information that only the user should known.
Examples:
- Passwords
- PINs
- Security questions
Its purpose is to confirm the user knows a secret that other don't.

Something You Have (Possession Factor)

A physical items or devices that the user possesses.
Examples:
- Security tokens or key fobs.
- Smartphones with authenticator apps (e.g., Google Authenticator).
- Smart cards or ID cards.
- One-time passwords (OTP) sent via SMS or email.
It purpose is to confirm the user physically has a trusted device.

Something You Are (Inherence Factor)

A unique physical or behavioral characteristics of the user (biometrics).
Examples:
- Fingerprint scans
- Facial recognition
- Iris or retina scans
- Voice recognition
Its purpose is to confirms the user is physically who they claim to be.

Non-Repudiation

Ensures that a person or entity cannot deny the authenticity of their actions or communication.
Its purpose to protect against disputes by providing proof of who did what and when.
The keypoint is that non-repudiation is about accountability and traceability.
Examples:
- Digital signatures on emails or documents to prove the sender actually sent it.
- Transaction logs in banking to show who authorized a payment.
- Certificates or receipts in online transactions that cannot be denied later.

Privacy

The right of individuals or organizations to control their personal or sensitive information and determine who can access it.
Its purpose to protect personal data from misuse or exposure.
The key point of privacy is about control over information, while confidentiality is about keeping it secret.
Examples:
- A website asking for consent before collecting your data.
- Encrypting emails so only intended recipients can read them.
- Laws like GDPR that regulate how personal data can be used.

What is GDPR?

Known as General Data Protection Regulation (GDPR) is a data protection law enforced by the European Union since 25th May 2018.
Its main purpose is:

To protect the privacy and personal data of individuals within the EU.

How Privacy and GDPR Are Connected?

The GDPR is basically a legal tool to enforce privacy rights.

Here's the connection clearly:

Privacy Concept	How GDPR Supports It
Control over personal data	Requires consent before collecting data
Transparency	Organizations must explain how data is used
Data protection	Requires security measures to protect data
Right to access	Individuals can request their data
Right to delete	"Right to be forgotten"
Accountability	Organizations must prove compliance

This indicates that:

Privacy is the right. GDPR is the law that protects that right.

What is PII?

Stands for Personally Identifiable Information
It refers to any information that can be used to identify, contact, or locate a specific person, either directly or indirectly.
PII is a key concept in privacy and data protection because if it's exposed, it can lead to identity theft, fraud or privacy violations.

Types of PII

Direct PII - Information that directly identifies a person:

Full name
Social Security Number (or national ID)
Passport number
Email address
Phone number

Indirect PII - Information that can identify a person when combined with other data:

Date of birth
Gender
Job title
IP address or device ID
Location data

Why PII is Important?

Protecting PII is crucial to privacy and legal compliance.
Many regulations require organizations to safeguard PII:
- GDPR (European Union)
- CCPA (California, USA)
- PDPA (Malaysia and other countries in Asia)

How to Protect PII

Encrypt sensitive data.
Limit access only to authorized users.
Avoid collecting unnecessary PII.
Use strong authentication and security measures.

PII is essentially any data that could identify a person, and protecting it is essential to privacy, security, and legal compliance.

Risk

What is Risk?

Risk is the possibility of a negative event or loss occurring, usually as a result of threats exploiting vulnerabilities.
In information security, risk is the chance that data, systems, or networks will be compromised, causing harm to confidentiality, integrity, or availability.

Core Concepts of Risk

Risk is generally defined using three key elements:

Threat

Anything that can cause harm or exploit a vulnerability.
Example: hackers, malware, natural disasters, insider threats.

Vulnerability

A weakness in a system, process, or control that can be exploited by a threat.
Examples: weak passwords, outdated software, unsecured networks.

Impact (or Consequence)

The damage or loss that results if threat exploits a vulnerability.
Examples: financial loss, data breach, reputation damage.

What Is an Asset?

In security and risk management, an asset is anything that has value to an organization.

Examples:

Data (customer information, source code)
Systems and servers
Applications
Reputation
Employees
Intellectual property
Financial resources

If it has value and losing it would cause damage - it is an asset.

Why Risk Management Focused on Assets?

The main goal of risk management is not to eliminate all risk.

Its main goal is:

Protect valuable assets
Reduce the likelihood of loss
Minimize impact if something happens

Because without assets, there is nothing to protect.

Core Object Protect Assets Value

Organizations protect assets in three may ways based on CIA Triad:

Confidentiality → Prevent unauthorized access
Integrity → Prevent unauthorized modification
Availability → Ensure systems are accessible when needed

If any of these are compromised, the asset's value decreases.

Risk Formula (Conceptual)

A simple way to present risk is:

Risk = Threat X Vulnerability X Impact

The higher the threat, vulnerability, or impact, the higher the risk.
This helps organizations prioritize which risks to mitigate first.

Types of Risk in Information Security

Operational Risk: Risk from daily IT operations.
Strategic Risk: Risk that affects long-term goals.
Compliance Risk: Risk of violating laws, regulations, or policies.
Financial Risk: Risk of monetary loss due to security incidents.

Keypoints of Risk

Risk is inherent in every system or organization; it cannot be eliminated entirely.
Risk management focuses on identifying, assessing, and mitigating risk to acceptable levels.
Methods to handle risk include avoidance, mitigation, transfer (insurance), or acceptance.

Risk Matrix

Two Dimensions of the Matrix

Probability (Vertical Axis)

This measures how likely the risk event is to occur:

Very Likely
Likely
Possible
Unlikely
Very Unlikely

As we move up, the probability increases.

Impact (Horizontal Axis)

This measures how serious the consequences would be if the event occurs:

Negligible
Minor
Moderate
Significant
Severe

As we move right, the impact increases.

How Risk Level is Determined

Each intersection of Probability and Impact gives a Risk Level, categorized as:

Low (Green)
Low Medium (Light Green)
Medium (Yellow)
Medium-High (Orange)
High (Red)

How to Read the Matrix (Examples)

Example	Matrix	Description
Example 1	Probability: Very Likely Impact: Severe Result: High Risk	This is critical and requires immediate action.
Example 2	Probability: Possible Impact: Moderate Result: Medium Risk	Needs monitoring and mitigation planning.
Example 3	Probability: Very Unlikely Impact: Minor Result: Low Risk	Acceptable or minimal treatment required.

Risk Escalation Pattern

You'll notice:

Risk increases as we move upward (high probability).
Risk increases as we move to the right (high impact).
The top-right corner represents the highest risk.
The bottom-left corner represents the lowest risk.

Purpose of this Measurement

This matrix helps organizations:

Prioritize which risks to address first.
Allocate resources effectively.
Decide treatment strategies (avoid, mitigate, transfer, accept).
Support risk-based decision making.

Key Concept

Risk is not just about likelihood or impact alone - it is the combination of both.

A low-probability event can still be high risk if the impact is severe.
A high-probability event may be acceptable if the impact is negligible.

Risk Assessment

A risk assessment is the process identifying, analyzing and evaluating.
Its purpose:
- Understand potential threat and vulnerabilities.
- Determine the likelihood and impact of risks.
- Help prioritize actions to reduce or manage risks effectively.

Key Steps in Risk Assessment:

Identify assets → what you need to protect.
Identify threats → what could harm your assets.
Identify vulnerabilities → weakness that could be exploited.
Analyze risk → likelihood x impact.
Evaluate risk → decide whether to accept, mitigate, or avoid.

Asset Management

Asset management is the process of identifying, classifying, and maintaining control over an organization's assets to ensure they are protected and used efficiently.
Examples of Assets:
- Hardware: servers, laptops, network devices
- Software: applications, databases,
- Data: PII, intellectual property
- People: employees with access to critical system
Its purpose of knowing what assets exists is essential to assesses risk accurately.

Threat Management

Threat management is the process of identifying, assessing, and mitigating threats that could exploit vulnerabilities in assets.
Examples:
- Cyber attacks (malware, phishing, ransomware)
- Insider threats (disgruntled employees)
- Physical threats (fire, theft, natural disasters)
Its purpose is to anticipate potential attacks or harms and implement controls to reduce them.

Vulnerability Management

Vulnerability management is the process of identifying, evaluating, and mitigating weakness in systems, processes, or applications that could be exploited by threats.
Examples:
- Outdated software or unpatched systems
- Weak passwords or misconfigured network settings.
- Poor access controls.
Its purpose is to reduce the likelihood of exploitation and lower overall risk.

Term	Definition	Purpose
Risk Assessment	Process of identifying and analyzing risk.	Determine likelihood and impact of risks.
Asset Management	Identifying and controlling assets.	Know what to protect.
Threat Management	Identifying and mitigating threats.	Reduce chances of harm.
Vulnerability Management	Identifying and fixing weakness.	Prvent exploitation of vulnerabilities.

Risk Appetite

Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives.
Purpose:
- Helps guide decision and strategy.
- Determines which risks are acceptable without mitigation.
Key Points:
- It is strategic - set by management.
- Varies by organization, industry, and type of risk.
Example:
- A startup might have a high risk appetite and accept some cybersecurity risks to move quickly.
- A bank may have a low risk appetite because security breaches can cause major financial and legal issues.

Risk Tolerance

Risk tolerance is the acceptable level of variation or exposure to risk within a specific activity.
Purpose:
- Provides practical limits on risk-taking.
- Help determine how much risk is too much for a particular project or operation.
Key Points:
- It is operational - applied to day-to-day decisions.
- Often quantified (e.g., maximum acceptable downtime, financial loss, or data breach likelihood).
Example:
- A company may tolerate up to 1% of data loss per year for non-critical systems.
- In a software project, the tolerance may be no more than 2 hours of downtime per month.

Difference Between Risk Appetite and Risk Tolerance

Aspect	Risk Appetite	Risk Tolerance
Scope	Strategic, organization-wide	Operational, specific to activity/project
Definition	Level of risk willing to accept	Acceptable deviation from risk limits
Decision Guidance	Guides major strategic decisions	Guides day-to-day operational decisions

Risk Management Responses

Risk management responses are strategies or actions taken to address risks to bring them to an acceptable level. There are five main responses:

Risk Avoidance

Eliminate the risk entirely by not engaging in the activity that creates it.
Example:
- A company decides not to launch a system that handles sensitive data in an unsecured environment.
- The keypoint its often involves avoiding certain decisions, processes, or technologies.

Risk Mitigation (Reduction)

Taking steps to reduce the likelihood or impact of the risk.
Example:
- Installing firewalls, anti-virus software, or intrusion detection systems.
- Implementing strong access controls and regular employee security training.
- The keypoint is to reduces risk without eliminating it completely.

Risk Transfer

Shift the risk to a third party, usually through contracts, insurance, or outsourcing.
Example:
- Buying cybersecurity insurance to cover losses from data breaches.
- Using a cloud provider that assumes responsibility for infrastructure security.
The keypoint is the organization is not eliminating the risk, just transferring financial or operational responsibility.

Risk Acceptance (Retention)

Acknowledge the risk and accept it without active measures, usually because the cost of mitigation is higher than the potential loss.
Example:
- Accepting minor system downtime because the impact is low.
- Not securing a low-value asset because protecting it is more expensive than the potential loss.
The key point used when risk is low or unavoidable.

Risk Exploitation (Opportunity)

Actively take advantage of a risk if it could result in a positive outcome.
Example:
- Launching a new technology product despite uncertain market demand, hoping for high returns.
The key point its usually discussed in enterprise risk management focusing on opportunities as well as threats.

What is a Security Control?

A security control is a safeguard or countermeasure put in place to reduce the risk to information, systems, or assets.
Purpose:
- Prevent, detect, or respond to threats.
- Protect the confidentiality, integrity, and availability (CIA) of assets.

Security Controls and Risk

Security controls are applied to manage or mitigate risk. They act to:

Reduce the likelihood of a threat exploiting a vulnerability.
Reduce the impact if an incident occurs.
Help organizations comply with regulations and policies.

Example:
- Risk: Unauthorized access to sensitive data
- Security control: Multi-factor authentication (MFA)
- Effect: Reduces the chance (likelihood) of unauthorized access.

Types of Security Controls

Security controls are generally classified into three main categories:

Administrative Controls

Policies, procedures, and guidelines that manage how people behave and handle information.
Its purpose is to reduce risk by setting rules and guidelines.
Examples:
- Security policies and procedures.
- Employee training and awareness programs.
- Background checks for staff.
- Incident response planning.

Common Form of Administrative Control

Policies

A high-level statements that define what must be done in an organization regarding security.
Its purpose is to set the rules and expectation for the organization.
Common Forms/Examples:
- Information Security Policy: Overall framework for protecting information.
- Acceptable Use Policy (AUP)
- Password Policy: Requirements for password creation and management.
- Data Classification Policy: Defines how to categorize data (e.g., public, confidential, restricted).

Procedures

Step-by-step instruction describing how to implement a policy.
Its purpose is to provide practical guidance to achieve compliance with policies.
Common Forms/Examples:
- Incident Response Procedure: Steps to follow during a security incident.
- User Account Creation Procedure: How to create, modify, and deactivate accounts.
- Backup and Recovery Procedure: Instructions for backing up and restoring data.
- Change Management Procedure: Steps to request, review, approve and implement changes.

Guidelines

Recommended practices that help employees make decisions when procedure are not strictly defined.
Its purpose is to provide flexibility while encouraging secure behavior.
Common Forms/Examples:
- Password Creation Guidelines: Tips on creating strong passwords.
- Email and Internet Usage Guidelines: Best practices for avoiding phising or malware.
- Remote Work Security Guidelines: Recommendations for securing home networks or devices.
- Data Handling Guidelines: How to securely handle sensitive or confidential informaiton.

Standards

Specific measurable requirements that must be followed to ensure consistency.
Its purpose ensure uniformity and compliance across systems and processes.
Common Forms/Examples:
- Encryption Standards: Minimum requirements for encryptin data.
- Network Security Standards: Rules for configuring firewalls, routers, and servers.
- Pasword Standards: Minimum length, complexity, and expiration rules.
- Logging and Monitoring Standards: What logs to maintain and how long.

Common Administrative Control Form

Administrative Control	Definition / Purpose	Common Examples
Policy	High-level rules defining what must be done	Information Security Policy, AUP, Data Classification
Procedure	Step-by-step instruction to implement policies	Incident Response, Backup & Recovery, Account Management
Guideline	Recommended best practices, flexible	Password tips, Email usage, Remote work security
Standard	Specific, measurable requirements	Encryption rules, Network configuration, Logging rules

Physical Controls

Measures that protect physical assets and facilities from unauthorized access or damage.
Its purpose to prevent unauthorized physical access to systems and assets.
Examples:
- Locks, security guards, and access badges.
- CCTV surveillance cameras.
- Fences, gates, and secure server rooms.
- Fire suppression systems.

Physical Access Control Systems (PACS)

PACS are technology-based systems that maange and monitor access to physical spaces such as buildings, rooms, or data centers.
Purpose:
- Allow authorized personnel to enter restricted areas.
- Deny access to unauthorized individuals.
- Log and track who enters and exits areas.

Components of PACS

Authentication Devies (Something You Are / Something You Have)

Card readers: Keycards, smart cards, proximity cards.
Biometri scanners: Fingerprint, iris, or facial recognition.
Keypads / PIN entry

Control Panels

Act as the central hub for access decisions.
Connect authentication devices to locks, alarms, and monitoring system.

Locks and Barriers

Electronic door locks controlled by the PACS.
Turnstiles, gates, or security doors.

Monitoring and Logging

Record access attempts, successful entries, and exits.
Generate audit reports for security review.

Technical / Logical Controls

Technology-based safeguards that protect information systems.
Its purpose is to prevent, detect, or respond to cyber threats.
Examples:
- Firewalls, antivirus software, and intrusion detection systems.
- Encryption of data at rest and in transit
- Access control lists (ACLs) and authentication mechanisms.
- Security monitoring tools.

Common Examples of Technical Controls

Control Type	Description	Example
Encryption	Protects data confidentiality by converting it into unreadable form.	AES encryption for files or emails
Endpoint Security	Protects devices such as computers, laptops, and mobile devices.	Antivirus, anti-malware, EDR (Endpoint Detection & Response)
Clustering / High Availability	Ensures system availability and redundancy to reduce downtime	Server clustering, load balancing
Firewalls	Monitors and controls incoming/outgoing network traffic.	Network firewall, next-gen firewall (NGFW)
Intrusion Detection/Prevention Systems (IDS/IPS)	Detects or blocks suspicious activity	Snort IDS, Cisco IPS
Access Control Restrict user access based on roles or permissions	Role-Based Access Control (RBAC), MFA
Backup & Recovery	Protects data integrity and availability in case of loss or corruption	Daily backups, offsite storage

Preventive vs. Detective Controls

Technical controls can be classified based on their function:

Preventive Controls

Controls designed to stop a security incident before it occurs.
Examples:
- Firewalls - Block unauthorized traffic.
- Encryption - Prevents data exposure.
- Endpoint Security / Antivirus - Block malware before infection.
- Access Controls - Prevent unauthorized access to systems.
Its purpose is to minimize risk by preventing threat s from exploiting vulnerabilities.

Detective Controls

Controls designed to identify and alert about security incidents after they occur.
Examples:
- Intrusion Detection System (IDS) - Detects suspicious network activity.
- Security logs / Monitoring tools - Detect unauthorized access or changes.
- Audit trails - Track user actions for post-incident analysis.
Its purpose is to detect threats and incidents quickly so corrective actions can be taken.

List of Technical / Logical Controls

Control	Function	Type	Purpose
Firewall	Network traffic filtering	Preventive	Block unauthorized access
Encryption	Data confidentiality	Preventive	Protect data from exposure
Endpoint Security	Malware & threat blocking	Preventive	Stop attacks on devices
Clustering / HA	System redundancy	Preventive	Ensure availability and reduce downtime.
IDS / Security Logs	Threat detection	Detective	Detect suspicious activity and alert
Backup & Recovery	Data Integrity & Availability	Preventive	Restore data if lost or corrupted
Audit Trails	Monitoring & accountability	Detective	Track activities and detect anomalies

Preventive controls stop incidents from happening.
Detective controls identify incidents so that corrective measures can be taken.
Most robust security setups combine both preventive and detective controls.

Other Related Controls

Controls	Description	Examples
Detective Controls	Identify and alert about security incidents	Security logs, intrusion detection systems (IDS)
Corrective Controls	Fix issues or restore systems after a breach	Backup restoration, patching vulnerabilities
Deterrent Controls	Discourage unwanted activity	Warning signs, security policies

Common Control Frameworks

ISO/IEC 27001

Full Name: International Organization for Standardization / International Electrotechnical Commission 27001
Type of information Security Management System (ISMS) framework.
Purpose:
- Provides a systematic approach to managing sensitive information.
- Ensures the confidentiality, integrity, and availability (CIA) of data.
Key Features:
- Risk-based approach to information security.
- Requirements for establishing, implementing, maintaining, and improving an ISMS.
- Includes Annex A controls covering areas like access control, cryptography, physical security, and incident management.
Usage Example:
- Organizations implement ISO 27001 to demonstrate compliance and build trust with clients.

COBIT

Full Name: Control Objectives for Information and Related Technologies
Type: IT Governance and Management Framework
Purpose:
- Aligns IT process and resources with business objectives.
- Ensures effective governance, risk management, and control over IT system.
Key Features:
- Covers processes, goals, metrics, and controls.
- Provides best practices for IT governance and risk management.
- Focuses on end-to-end IT management and performance measurement.
Usage Example:
- Enterprises use COBIT to assess IT risks, improve IT controls, and align IT with business goals.

NIST SP 800-53

Full Name: National Institute of Standards and Technology Special Publication 800-53
Type: Security and Privacy Controls Framework
Purpose:
- Provides a catalog of security and privacy controls for federal information systems in the USA.
- Helps organizations protect information systems from cybersecurity risk.
Key Features:
- Detailed control families covering areas like access control, incident response, system integrity, and contingency planning.
- Supports risk-based selection of controls based on impact levels (low, moderate, high)
- Widely used as a reference for cybersecurity compliance.
Usage Example:
- Government agencies and contractors implement NIST SP 800-53 to meet federal cybersecurity requirements.

Framework Comparison

ISO 27001 → Focuses on information security management systems.
COBIT → Focuses on IT governance and alignment with business.
NIST SP 800-53 → Focuses on detailed cybersecurity and privacy controls.

Framework	Type	Purpose	Key Features / Focus	Common Use Case
ISO 27001	ISMS Standard	Manage information security systematically	Risk-based ISMS, Annex A controls, continual improvement	Certification, client trust, compliance
COBIT	IT Governance Framework	Align IT with business goals, governance	Processes, goals, metrics IT control objectives	Enterprise IT management & auditing
NIST SP 800-53	Security & Privacy Controls	Protect information systems from cyber risk	Detailed control families, risk-based, federal compliance	US government systems & contractors

Compliance

Compliance is the act of adhering to laws, regulations, internal policies, and standards that apply to an organization.
Its purpose is to ensure that the organization operates legally and ethically.
Reduce risk of penalties, legal action, or reputational damage.
Promote consistent, secure, and effective practices.
Compliance is about following the rules - both external (laws/regulations) and internal (policies/procedures).

Components Related to Compliance

Laws

Legally binding rules passed by a government.
Its purpose the organizations must follow the law or face legal penalties.
Examples:
- Personal Data Protection Act (PDPA) - Malaysia
- General Data Protection Regulation (GDPR) - European Union
- Health Insurance Portability and Accountability Act (HIPAA) - USA

Regulations

Detailed rules issued by government agencies to enforce laws.
Provides specific requirements for compliance.
Examples:
- GDPR regulations specifying how personal data must be processed.

Policies

High-level statements created by organization to guide behavior and decision-making.
Set internal rules that must be followed.
Examples:
- Information Security Policy
- Acceptable Use Policy (AUP)
- Data Classification Policy

Procedures

Step-by-step instructions to implement policies.
Ensure that policies are applied consistently.
Examples:
- Incident Response Procedure
- Backup and Recovery Procedire
- User Account Creation/Termination Procedure

Standards

Specific, measurable requirements that must be met.
Its purpose is to ensure uniformity, quality, and compliance with policies and regulations.
Examples:
- ISO 27001 Annex A controls for information security.
- NIST SP 800-53 technical controls for cybersecurity.

Guidelines

Recommended best practices that help achieve compliance but are not mandatory.
Its purpose is to provide flexible advice to meet policy, standard, or regulatory.
Examples:
- Password creation recommendations
- Secure remote work guidelines
- Email handling best practices

Compliance Components

Component	Definition / Purpose	Example
Laws	Legally binding rules by government.	GDPR, PDPA, HIPAA
Regulations	Detailed rules enforcing laws	GDPR data processing fules, financial regs
Policies	High-leve internal rules	Info Security Policy, AUP
Procedures	Step-by-step implementation of policies	Incident Response, Backup & Recovery
Standards	Specific measurable requirements	ISO 27001, NIST SP 800-53
Guidelines	Recommended best practices	Password tips, secure remote work guidelines

Compliance is about aligning an organization's practices with laws, regulations, and internal rules, using policies, procedures, standards, and guidelines as the framework.

Compliance Hierarchy (Highest to Lowest)

Laws:
- Highest level of authority.
- Passed by government; legally binding.
- Non-compliance can result in fines, legal action, or imprisonment.
- Example: GDPR, PDPA, HIPAA
Regulations:
- Issued by government agencies to enforce laws.
- More detailed requirements than laws; legally enforceable.
- Example: GDPR rules for data processing, financial reporting regulations.
Policies:
- High-level internal organizational rules.
- Ensure the organization complies with laws and regulations.
- Example: Information Security Policy, Acceptable Use Policy.
Standards:
- Specific, measurable requirements for consistency and compliance.
- Support policies and regulatory adherence; may be mandatory internally.
- Example: ISO 27001 controls, NIST security controls.
Procedures:
- Step-by-step instructions to implement policies and standards.
- Ensure consistent execution.
- Example: Incident Response Procedure, Backup * Recovery Procedure
Guidelines:
- Recommended best practices; not mandatory.
- Provide advice to help employees follow policies, procedures, and standards.
- Example: Password creation guidelines, secure email handling tips.

Ethics

Ethics is the study and practice of moral principles that guide behavior, determining what right or wrong, good or bad.
Purpose:
- Guide behavior in personal, professional, and societal contexts.
- Help maintain trust, fairness, and responsibility.

Ethics in Society, Culture, and Law

Aspect	Definition/Role	Example
Society	Shared norms and values that influence how individuals act within a community	Not stealing, helping others, fairness in business
Culture	Traditions, beliefs, and practices that shape ethical behavior in a group	Respecting elders, gender norms, hospitality
Law	Legal rules established by government to enforce minimum standards of behavior	Law against theft, fraud, and corruption

Ethics is broader than law. Something can be legal but unethical, or ethical but illegal depending on context.
Example: Sharing confidential company info with competitors is unethical, even if not explicitly illegal in some jurisdications.

Globalization and Ethics

Globalization is the interconnectedness of countries through trade, communication, technology, and culture.
Impact on Ethics:
- Organizations must adapt ethical standards across different cultures and legal systems.
- Ethical decision-making becomes complex due to diverse cultural norms and societal expectations.
Example:
- Labor practices acceptable in one country may be considered exploitative or unethical in another.
- Data privacy laws vary globally (e.g., GDPR in the EU vs PDPA in Malaysia).

Ethical

Acting in a way that conforms to accepted moral principles, considering fairness, honesty, and responsibility.
Characteristics of Ethical Behavior:
- Honesty: Truthful communication and actions.
- Fairness: Treating people equally and without bias.
- Respect: Considering others' rights and feelings.
- Responsibiliy: Accepting consequences of actions.

Example in Business:

Protecting customer data even if there is no law requiring it.
Avoiding bribery or corruption in international operations.

Term	Definition / Role	Example
Ethics	Moral principles guiding right and wrong	Fair treatment, honesty, responsibility
Society	Norms and shared values influencing behavior	Community fairness, anti-theft norm
Culture	Beliefs and practices shaping ethical behavior	Respecting traditions, social etiquette
Law	Legal rules enforcing minimum standards	Anti-fraud laws, labor regulations
Globalization	Interconnected world requiring cross-cultural ethics	Adapting busines ethics across countries
Ethical	Behavior aligned with moral principles	Protecting privacy, avoiding exploitation