
Information Security and IT Governance


Page 1: Information Security and IT Governance

8/12/2019 Information Security and IT Governance

http://slidepdf.com/reader/full/information-security-and-it-governance 1/6

UNIQUE TERMS AND DEFINITIONS
Annualized Loss Expectancy | Threat | Vulnerability | Risk | Safeguard | Total Cost of Ownership | Return on Investment

INTRODUCTION
Assets | safeguards | C-level executives | Total Cost of Ownership (TCO) | Return on Investment (ROI).

CORNERSTONE INFORMATION SECURITY CONCEPTS
Confidentiality, Integrity

Integrity guards against:

• Modifications by unauthorized personnel or processes

• Unauthorized modifications by authorized personnel or processes

• Inconsistency: the data must be internally and externally consistent.

Availability

| Personally Identifiable Information (PII) | Tension between the Concepts

Disclosure, Alteration, and Destruction (the opposites of Confidentiality, Integrity, and Availability)

Identity and Authentication, Authorization, and Accountability | Nonrepudiation | Least Privilege and Need to Know | Defence-in-Depth: layered defences

RISK ANALYSIS
Assets | Threats and Vulnerabilities | Risk = Threat × Vulnerability | Impact | Risk = Threat × Vulnerability × Impact.

Risk Analysis Matrix

Calculating Annualized Loss Expectancy

Asset Value (AV) | Exposure Factor (EF) | Single Loss Expectancy (SLE) = AV × EF | Annual Rate of Occurrence (ARO) | Annualized Loss Expectancy (ALE) = SLE × ARO


Total Cost of Ownership

Return on Investment

Risk Choices:

1. Accept the Risk | Risk Acceptance Criteria

2. Mitigate the Risk

3. Transfer the Risk

4. Risk Avoidance

Qualitative and Quantitative Risk Analysis
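A worked calculation of the quantitative terms listed above (AV, EF, SLE, ARO, ALE), the safeguard's Total Cost of Ownership and its Return on Investment, alongside a small qualitative likelihood × impact matrix. This is an added example, not part of the original notes: the asset values, exposure factors, rates and safeguard costs are constructed, and the ROI convention used (ALE before minus ALE after minus the safeguard's annual cost) is the one assumed here.

```python
# Added example (not from the original notes): quantitative risk analysis
# with SLE/ALE, safeguard TCO and ROI, plus a small qualitative risk matrix.
# All asset values, exposure factors, rates and costs below are constructed
# for illustration; the ROI convention used (ALE reduction minus annual
# safeguard cost) is the one assumed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat acting on one asset, expressed in the ALE terms."""
    asset_value: float      # AV: business/replacement value of the asset
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0..1.0
    annual_rate: float      # ARO: expected occurrences per year (0.5 = once in 2 years)

    def sle(self) -> float:
        # Single Loss Expectancy = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the exposure that remains once it is in place."""
    name: str
    purchase_cost: float          # one-off capital cost
    annual_operating_cost: float  # licences, staff time, maintenance per year
    lifetime_years: int           # years over which the purchase cost is spread
    residual: Exposure            # exposure after the safeguard is applied

    def annual_tco(self) -> float:
        # Total Cost of Ownership per year: amortized capex + yearly opex
        return self.purchase_cost / self.lifetime_years + self.annual_operating_cost


def safeguard_roi(before: Exposure, sg: Safeguard) -> float:
    """ROI = (ALE before - ALE after) - annual TCO. Positive means the
    safeguard saves more than it costs; negative means accept, transfer or
    avoid the risk rather than buy this control."""
    return before.ale() - sg.residual.ale() - sg.annual_tco()


def rank_safeguards(before: Exposure, candidates: list) -> list:
    """Return (name, roi) pairs, best ROI first, so the most cost-effective
    mitigation is chosen and loss-making ones are rejected."""
    scored = [(sg.name, safeguard_roi(before, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Qualitative counterpart: a 3x3 likelihood x impact risk analysis matrix.
LEVEL = {"low": 1, "medium": 2, "high": 3}


def risk_rating(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to a cell of the risk analysis matrix."""
    score = LEVEL[likelihood] * LEVEL[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Constructed scenario: ransomware against a customer database valued at 500k.
RANSOMWARE = Exposure(asset_value=500_000, exposure_factor=0.4, annual_rate=0.5)

CANDIDATES = [
    Safeguard("Offline backups + EDR", purchase_cost=60_000,
              annual_operating_cost=20_000, lifetime_years=3,
              residual=Exposure(500_000, 0.1, 0.5)),   # damage per incident shrinks
    Safeguard("Managed SOC subscription", purchase_cost=0,
              annual_operating_cost=120_000, lifetime_years=5,
              residual=Exposure(500_000, 0.4, 0.2)),   # incidents become rarer
]

if __name__ == "__main__":
    print(f"SLE={RANSOMWARE.sle():,.0f}  ALE={RANSOMWARE.ale():,.0f}")
    for name, roi in rank_safeguards(RANSOMWARE, CANDIDATES):
        verdict = "justified" if roi > 0 else "not justified"
        print(f"{name}: ROI {roi:,.0f}/yr -> {verdict}")
    print("matrix: medium likelihood, high impact ->", risk_rating("medium", "high"))
```

With these constructed figures the database has SLE 200,000 and ALE 100,000 per year; the backup/EDR control cuts ALE to 25,000 for an annual TCO of 40,000 (ROI +35,000, justified), while the SOC subscription only lowers ALE to 40,000 at 120,000 a year (ROI -60,000, so the risk should be accepted, transferred or avoided instead). The same arithmetic feeds the Risk Choices: mitigate when ROI is positive, otherwise consider the other three options.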


The Risk Management Process

1. System Characterization

2. Threat Identification

3. Vulnerability Identification

4. Control Analysis

5. Likelihood Determination

6. Impact Analysis

7. Risk Determination

8. Control Recommendations

9. Results Documentation

INFORMATION SECURITY GOVERNANCE
Security Policy and Related Documents

Policy
Components of Program Policy

• Purpose

• Scope

• Responsibilities

• Compliance

Policy Types: program policy | issue-specific policy | system-specific policy

NIST Special Publication 800-12

Procedures

Standards

Guidelines

Baselines

Security Awareness and Training

Roles and Responsibilities
Senior Management | Data Owner (also called information owner or business owner) | Custodian provides hands-on protection of assets such as data.

Compliance with Laws and Regulations

Privacy: PII

Due Care and Due Diligence
Gross Negligence

Best Practice

Outsourcing and Offshoring

Auditing and Control Frameworks

OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk management framework from Carnegie Mellon University; a three-phase process for managing risk.


Phase 1 identifies staff knowledge, assets, and threats.
Phase 2 identifies vulnerabilities and evaluates safeguards.
Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.

ISO 17799 and the ISO 27000 Series
ISO 17799 had 11 areas, focusing on specific information security controls:

1. Policy

2. Organization of information security

3. Asset management

4. Human resources security

5. Physical and environmental security

6. Communications and operations management

7. Access control

8. Information systems acquisition, development, and maintenance

9. Information security incident management

10. Business continuity management

11. Compliance

COBIT (Control Objectives for Information and related Technology): COBIT has four domains:

1. Plan and Organise

2. Acquire and Implement

3. Deliver and Support

4. Monitor and Evaluate

ITIL (Information Technology Infrastructure Library): ITIL contains five Service Management Practices / Core Guidance volumes:

1. Service Strategy

2. Service Design

3. Service Transition

4. Service Operation

5. Continual Service Improvement

Certification and Accreditation
NIST SP 800-37

1. Initiation Phase

2. Security Certification Phase

3. Security Accreditation Phase

4. Continuous Monitoring Phase

ETHICS

The (ISC)² Code of Ethics
Download the (ISC)² code of ethics at http://www.isc2.org/ethics/default.aspx and study it carefully. You must understand the entire code, not just the details covered in this book.

The canons are the following:

1. Protect society, the commonwealth, and the infrastructure.

2. Act honorably, honestly, justly, responsibly, and legally.

3. Provide diligent and competent service to principals.

4. Advance and protect the profession.

SELF TEST


1. ok | 2. ok | 3. ok | 4. ok | 5. ok | 6. ok | 7. ok | 8. ok | 9. R | 10. ok | 11. ok | 12. ok | 13. ok | 14. ok | 15. ok

Information Classification Objectives
Information Classification Benefits
| Organization's commitment | identify which information is the most sensitive | Supports the tenets | which protections apply to which information | required for regulatory, compliance, or legal reasons

Information Classification Concepts
Classification Terms

1. Unclassified

2. Sensitive but Unclassified (SBU)

3. Confidential

4. Secret

5. Top Secret

Classification Criteria: Value | Age | Useful Life | Personal Association.

Information Classification Procedures

1. Identify the administrator/custodian.

2. Specify the criteria of how to classify and label the information.

3. Classify the data by its owner, who is subject to review by a supervisor.

4. Specify and document any exceptions to the classification policy.

5. Specify the controls that will be applied to each classification level.

6. Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity.

7. Create an enterprise awareness program about the classification controls.

Distribution of Classified Information


Court order | Government contracts | Senior-level approval

Information Classification Roles
Owner: decides what level of classification applies | Reviews classification levels | Delegates data protection duties to the custodian

Custodian: backups | restoration |

User: Abide by policy | due care | Use company resources in an acceptable manner | open view