(human) safety is always the priority
Confidentiality: Keeping secrets secret. Protect from unauthorized access.
Integrity: Complete, consistent and accurate. Integrity protection (disallowing unauthorized alteration). Integrity verification (verifying that data is accurate, complete and consistent)
- Data Integrity: Protect information (data)
- System Integrity: Protect a system
CIA vs DAD (Disclosure, Alteration, Destruction)
Balance CIA with organization security needs.
Information classification:
Criteria: Business value, retention policy
Level: depends (government, private sector)
Security awareness: Change user behavior
Security training: Provide skill
Policies: High-level. Mandatory (compulsory)
Procedures: Step-by-step
Standards: Specific use of technology
Guidelines: Recommendations
Baselines:
Security Planning:
Operational Goals: Daily goals and objectives.
Tactical Goals: Mid-term goals
Strategic Goals: Long term goals
Roles and Responsibilities:
Senior management: Responsible
Information Security Officer:
Security Analyst
Owner:
Custodian:
User:
Auditor:
Due Care:
Due diligence:
"Prudent man rule"
Certification: Detailed inspection
Accreditation: Data owner acceptance
Risk Management:
Assets: Valuable resources. People are the most valuable asset.
Threat agent:
Threat: Potentially harmful occurrence
Vulnerability: A weakness that allows a threat to cause harm
Impact (Consequences): Severity of the damage (in $).
Risk: Threat x Vulnerability
Control (countermeasure):
- Qualitative Analysis: Values
- Quantitative Analysis: Expert Opinion (subjective)
EF: Exposure Factor
SLE: Single Loss Expectancy (AV x EF, where AV is Asset Value)
ARO: Annual Rate of Occurrence
ALE: Annualized Loss Expectancy (SLE x ARO)
ROI: Amount of money saved by implementing a safeguard
Risk Choices:
Accept
Mitigate
Transfer
Avoid