17 Jun 2014

CISSP: Information Security Governance and Risk Management

Information Security Governance

(human) safety is always the priority

Confidentiality: Keeping secrets secret. Protect information from unauthorized access or disclosure.
Integrity: Information is complete, consistent and accurate. Integrity protection (disallowing unauthorized alteration) and integrity verification (checking that data is still accurate, complete and consistent).
  • Data Integrity: Protect the information (data)
  • System Integrity: Protect the system that processes it
Availability: Authorized users can access the information when it is needed.
CIA vs DAD (Disclosure, Alteration, Destruction)
Balance CIA with organization security needs.

Information classification:
Criteria: Business value, retention policy
Level: depends on the sector (government, private sector)

Security awareness: Change user behavior
Security training: Provide skill

Policies: High-level. Mandatory (compulsory)
Procedures: Step-by-step
Standards: Specific use of technology (mandatory)
Guidelines: Recommendations

Security Planning:
Operational Goals: Daily goals and objectives.
Tactical Goals: Mid-term goals
Strategic Goals: Long term goals

Roles and Responsibilities:
Senior management: Ultimately responsible (accountable) for the organization's security
Information Security Officer: Implements and manages the security program on behalf of senior management
Security Analyst: Supports the design, implementation and evaluation of security controls

Due Care: Acting responsibly, doing what a reasonable person would do to protect the organization (e.g. implementing and following the policies)
Due diligence: Investigating and understanding the risks before acting (e.g. research, assessments) so that due care can be exercised
"Prudent man rule": Act as a prudent (reasonable, careful) person would in the same circumstances

Certification: Detailed technical inspection of a system's security controls
Accreditation: Formal acceptance by the data owner (management) of the system and its residual risk

Risk Management:
Assets: Valuable resources. People are the most valuable asset.
Threat agent: The entity (person, group, event) that exploits a vulnerability
Threat: A potentially harmful occurrence
Vulnerability: A weakness that allows a threat to cause harm
Impact (Consequences): Severity of the damage (in $).
Risk: Threat x Vulnerability (the likelihood that a threat exploits a vulnerability, weighed against its impact)
Control (countermeasure): A safeguard that reduces a vulnerability, a threat or its impact, and therefore the risk

  • Qualitative Analysis: Expert opinion, subjective scales (high / medium / low)
  • Quantitative Analysis: Numeric values (in $) for assets, losses and frequencies
AV: Asset Value
EF: Exposure Factor (percentage of the asset value lost in a single incident)
SLE: Single Loss Expectancy (AV x EF)
ARO: Annual Rate of Occurrence (how many times per year the incident is expected)
ALE: Annualized Loss Expectancy (SLE x ARO)
ROI: Amount of money saved by implementing a safeguard: ALE (before safeguard) - ALE (after safeguard) - annual cost of the safeguard. Positive means the safeguard is worth its cost.
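The quantitative formulas above carried through on constructed figures, as an added example that is not part of the original notes. The asset, exposure factors, frequency and safeguard cost are assumptions invented for the illustration: a file server worth $100,000, a fire that would destroy 40% of it and is expected once every four years (ARO 0.25), and a suppression system costing $1,500 per year that cuts the exposure factor to 5%.

```python
"""Quantitative risk analysis: AV, EF, SLE, ARO, ALE and safeguard cost/benefit.

Added worked example; all figures below are constructed, not taken from the notes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset facing one threat, before or after a safeguard is applied."""
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # ARO, expected incidents per year

    def __post_init__(self):
        # Catch the usual spreadsheet mistakes: EF typed as a percentage, negative values.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1, not a percentage")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle() * self.aro


def safeguard_value(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """Money saved per year by the safeguard:
    ALE(before) - ALE(after) - annual cost of the safeguard.
    Positive: the safeguard pays for itself. Negative: it costs more than it saves."""
    return before.ale() - after.ale() - annual_cost


def recommend(before: Exposure, after: Exposure, annual_cost: float) -> str:
    """Pick between the two risk choices the numbers alone can decide:
    mitigate (buy the safeguard) or accept (live with the ALE).
    Transfer (insurance) and avoid (stop the activity) need inputs not modelled here."""
    return "mitigate" if safeguard_value(before, after, annual_cost) > 0 else "accept"


# Constructed example figures (assumptions, not data from the notes).
BEFORE = Exposure(asset_value=100_000, exposure_factor=0.40, aro=0.25)
AFTER = Exposure(asset_value=100_000, exposure_factor=0.05, aro=0.25)
SUPPRESSION_COST = 1_500   # annual cost of the fire-suppression safeguard


if __name__ == "__main__":
    print(f"SLE before: {BEFORE.sle():,.2f}  ALE before: {BEFORE.ale():,.2f}")
    print(f"SLE after:  {AFTER.sle():,.2f}  ALE after:  {AFTER.ale():,.2f}")
    print(f"Safeguard value: {safeguard_value(BEFORE, AFTER, SUPPRESSION_COST):,.2f}")
    print("Decision:", recommend(BEFORE, AFTER, SUPPRESSION_COST))
```

With these figures the ALE drops from $10,000 to $1,250, so the $1,500 safeguard saves $7,250 per year and the choice is to mitigate; a $9,000 safeguard against the same fire would lose $250 a year, and the rational choice would be to accept the risk (or transfer it, which the example does not price).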

Risk Choices: Accept (live with it), Mitigate (reduce it with a control), Transfer (e.g. insurance), Avoid (stop the risky activity)
