(human) safety is always the priority
Confidentiality: Keeping secrets secret. Protect from unauthorized access.
Integrity: Complete, consistent and accurate. Integrity protection (Disallowing unauthorized alteration). Integrity Verification (Verifying accurate, complete and consistent)
- Data Integrity: Protect information (data)
- System Integrity: Protect a system
CIA vs DAD (Disclosure, Alteration, Destruction)
Balance CIA with organization security needs.
Criteria: Business value, retention policy
Level: depends (government, private sector)
Security awareness: Change user behavior
Security training: Provide skill
Policies: High-level. Mandatory (compulsory)
Standards: Specific use of technology
Operational Goals: Daily goals and objectives.
Tactical Goals: Mid-term goals
Strategic Goals: Long term goals
Roles and Responsibilities:
Senior management: Responsible
Information Security Officer:
"Prudent man rule"
Certification: Detailed inspection
Accreditation: Data owner acceptance
Assets: Valuable resources. People are the most valuable asset.
Threat: Potentially harmful occurrence
Vulnerability: A weakness that allows a threat to cause harm
Impact (Consequences): Severity of the damage (in $).
Risk: Threat x Vulnerability
- Qualitative Analysis: Expert opinion (subjective)
- Quantitative Analysis: Numeric values (in $)
EF: Exposure Factor (fraction of the asset value lost in one occurrence)
SLE: Single Loss Expectancy (AV x EF, where AV = Asset Value)
ARO: Annual Rate of Occurrence
ALE: Annualized Loss Expectancy (SLE x ARO)
ROI: Amount of money saved by implementing a safeguard
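A worked quantitative risk calculation, added here as an example (it is not part of the original notes). It chains the formulas above: SLE = AV x EF, ALE = SLE x ARO, and the value of a safeguard as the ALE it avoids minus its own annual cost; it also contrasts this with a qualitative Low/Medium/High rating of the same scenario. All asset values, factors and costs are constructed sample numbers, and the helper names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pairing against one asset. Constructed sample values only."""
    name: str
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per occurrence (0.0 .. 1.0)
    aro: float               # Annual Rate of Occurrence (0.5 = once every two years)


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: dollars lost each time the threat materialises."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected dollars lost per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    """Convenience: ALE straight from a Scenario."""
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro
    )


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: annual loss avoided minus its annual cost.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    return (ale_before - ale_after) - annual_cost


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative alternative: subjective 1..3 scores for likelihood and impact
    combined on a simple matrix into Low / Medium / High (an assumed scale, not a standard)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact are scored 1 (low) to 3 (high)")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# Constructed example: a file server worth $100,000, ransomware destroys 25% of its value
# per incident, expected once every two years. A backup/restore control is assumed to cut
# the loss per incident to 5% at an annual cost of $4,000.
BEFORE = Scenario("file server, no tested backups", 100_000, 0.25, 0.5)
AFTER = Scenario("file server, tested backups", 100_000, 0.05, 0.5)
BACKUP_ANNUAL_COST = 4_000


if __name__ == "__main__":
    ale_before = scenario_ale(BEFORE)
    ale_after = scenario_ale(AFTER)
    print(f"ALE before safeguard: ${ale_before:,.0f}")
    print(f"ALE after safeguard:  ${ale_after:,.0f}")
    print(f"Safeguard value:      ${safeguard_value(ale_before, ale_after, BACKUP_ANNUAL_COST):,.0f}")
    print(f"Qualitative rating (likelihood 2, impact 3): {qualitative_rating(2, 3)}")
```

The quantitative path gives management a dollar figure to set against the control's price; the qualitative path gives a rating in minutes without needing an asset valuation. Both answer the same "should we pay for this safeguard" question, which is why the notes list them side by side.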