8/12/2019 Information Security and IT Governance
http://slidepdf.com/reader/full/information-security-and-it-governance 1/6
UNIQUE TERMS AND DEFINITIONS
Annualized Loss Expectancy | Threat | Vulnerability | Risk | Safeguard | Total Cost of Ownership | Return on Investment

INTRODUCTION
Assets | safeguards | C-level executives | Total Cost of Ownership (TCO) | Return on Investment (ROI).

CORNERSTONE INFORMATION SECURITY CONCEPTS
Confidentiality, Integrity
• Modifications by unauthorized personnel or processes
• Unauthorized modifications by authorized personnel or processes
• The data are internally and externally consistent.
Availability
Personally Identifiable Information (PII) | Tension between the Concepts
Disclosure, Alteration, and Destruction
Identity and Authentication, Authorization, and Accountability | Non-repudiation | Least Privilege and Need to Know | Defence-in-Depth: layered defences

RISK ANALYSIS
Assets | Threats and Vulnerabilities | Risk = Threat x Vulnerability | Impact | Risk = Threat x Vulnerability x Impact.
Risk Analysis Matrix
Calculating Annualized Loss Expectancy
Asset Value | Exposure Factor | Single Loss Expectancy (SLE) | Annual Rate of Occurrence (ARO) | Annualized Loss Expectancy (ALE)
Total Cost of Ownership
Return on Investment
Risk Choices:
1. Accept the Risk | Risk Acceptance Criteria
2. Mitigate the Risk
3. Transfer the Risk
4. Risk Avoidance
Qualitative and Quantitative Risk Analysis
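Worked example of the quantitative figures listed above (SLE = AV x EF, ALE = SLE x ARO, TCO, ROI) and of how they drive the risk choice between mitigating and accepting or transferring. This is an added illustration, not part of the original notes or of the book they summarize; the asset value, exposure factors, occurrence rate, safeguard names and costs are all constructed.

```python
# Worked quantitative risk analysis: SLE, ALE, TCO and ROI feeding the risk choice.
# Added illustration; every figure and name below is constructed, not taken from
# the study outline or the book it summarizes.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario for one asset, in currency units and incidents per year."""
    asset_value: float      # AV: what the asset is worth to the organization
    exposure_factor: float  # EF: fraction of AV lost in a single incident (0.0..1.0)
    annual_rate: float      # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A control and the residual scenario that remains once it is in place."""
    name: str
    purchase_cost: float          # one-off acquisition and deployment cost
    annual_operating_cost: float  # staff, licences, maintenance per year
    lifetime_years: int
    residual: Scenario

    def annual_tco(self) -> float:
        """Total Cost of Ownership per year: up-front cost amortised over the
        safeguard's lifetime plus its yearly operating cost."""
        return self.purchase_cost / self.lifetime_years + self.annual_operating_cost


def annual_roi(before: Scenario, safeguard: Safeguard) -> float:
    """Return on Investment per year = ALE reduction minus annual TCO.
    Positive: the safeguard saves more than it costs."""
    return before.ale() - safeguard.residual.ale() - safeguard.annual_tco()


def risk_choice(before: Scenario, safeguard: Safeguard) -> str:
    """Map the ROI onto the risk choices in the outline: mitigate when the
    safeguard pays for itself, otherwise accept or transfer (e.g. insure)."""
    return "mitigate" if annual_roi(before, safeguard) > 0 else "accept or transfer"


# Constructed scenario: a customer database worth 1,000,000; a ransomware incident
# is assumed to destroy 30% of its value and to occur once every two years.
BASELINE = Scenario(asset_value=1_000_000, exposure_factor=0.30, annual_rate=0.5)

# Constructed safeguard: offline backups plus endpoint detection cut the EF to 5%
# (incidents still happen at the same rate, but far less is lost per incident).
BACKUPS_AND_EDR = Safeguard(
    name="offline backups + EDR",
    purchase_cost=50_000,
    annual_operating_cost=20_000,
    lifetime_years=5,
    residual=Scenario(asset_value=1_000_000, exposure_factor=0.05, annual_rate=0.5),
)

# Constructed alternative with the same residual risk but a much higher TCO.
GOLD_PLATED = Safeguard(
    name="bespoke resilient platform",
    purchase_cost=500_000,
    annual_operating_cost=100_000,
    lifetime_years=5,
    residual=BACKUPS_AND_EDR.residual,
)

if __name__ == "__main__":
    print(f"SLE {BASELINE.sle():,.0f}  ALE {BASELINE.ale():,.0f}")
    for sg in (BACKUPS_AND_EDR, GOLD_PLATED):
        print(f"{sg.name}: TCO/yr {sg.annual_tco():,.0f}  "
              f"ROI/yr {annual_roi(BASELINE, sg):,.0f} -> {risk_choice(BASELINE, sg)}")
```

Running the script shows the point the outline makes with TCO and ROI: both safeguards leave the same residual ALE, but only the one whose annual TCO is below the ALE reduction yields a positive ROI and therefore a "mitigate" decision; the other pushes the choice towards accepting or transferring the risk.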
The Risk Management Process
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
INFORMATION SECURITY GOVERNANCE
Security Policy and Related Documents
Policy
Components of Program Policy
• Purpose
• Scope
• Responsibilities
• Compliance
Policy Types: program policy | issue-specific policy | system-specific policy
NIST Special Publication 800-12
Procedures
Standards
Guidelines
Baselines
Security Awareness and Training
Roles and Responsibilities
Senior Management | Data Owner (also called information owner or business owner) | Custodian provides hands-on protection of assets such as data.
Compliance with Laws and Regulations
Privacy: PII
Due Care and Due Diligence
Gross Negligence
Best Practice
Outsourcing and Offshoring
Auditing and Control Frameworks
OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation, risk management framework, Carnegie Mellon University, three-phase process for managing risk.
Phase 1 identifies staff knowledge, assets, and threats. Phase 2 identifies vulnerabilities and evaluates safeguards. Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.
ISO 17799 and the ISO 27000 Series
ISO 17799 had 11 areas, focusing on specific information security controls:
1. Policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
COBIT: (Control Objectives for Information and related Technology) COBIT has four domains:
1. Plan and Organise
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate
ITIL: (Information Technology Infrastructure Library) ITIL contains five Service Management Practices, the Core Guidance:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
Certification and Accreditation
NIST SP 800-37
1. Initiation Phase
2. Security Certification Phase
3. Security Accreditation Phase
4. Continuous Monitoring Phase
ETHICS
The (ISC)² Code of Ethics
Download the (ISC)² code of ethics at http://www.isc2.org/ethics/default.aspx and study it carefully. You must understand the entire code, not just the details covered in this book.
The canons are the following:
1. Protect society, the commonwealth, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
SELF TEST
1. ok | 2. ok | 3. ok | 4. ok | 5. ok | 6. ok | 7. ok | 8. ok | 9. R | 10. ok | 11. ok | 12. ok | 13. ok | 14. ok | 15. ok
Information Classification Objectives
Information Classification Benefits | Organization's commitment | identify which information is the most sensitive |
Supports the tenets | which protections apply to which information | required for regulatory, compliance, or legal reasons
Information Classification Concepts
Classification Terms
1. Unclassified
2. Sensitive but Unclassified (SBU)
3. Confidential
4. Secret
5. Top Secret
Classification Criteria: Value | Age | Useful Life | Personal Association.
Information Classification Procedures
1. Identify the administrator/custodian.
2. Specify the criteria of how to classify and label the information.
3. Classify the data by its owner, who is subject to review by a supervisor.
4. Specify and document any exceptions to the classification policy.
5. Specify the controls that will be applied to each classification level.
6. Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity.
7. Create an enterprise awareness program about the classification controls.
Distribution of Classified Information
Court order | Government contracts | Senior-level approval
Information Classification Roles
Owner: decision about what level of classification | Review classification levels | Delegate data protection duties to custodian
Custodian: backups | restoration
User: Abide by policy | due care | Use company resources in an acceptable manner | open view