Sunday, August 3, 2014

Information Security


Risk management = identification, measurement, and control of risk; overall security review; risk analysis; selection and evaluation of safeguards; cost–benefit analysis; management decision; safeguard identification and implementation; and ongoing effectiveness review.
Risk management provides a mechanism for the organization to ensure that executive management knows the current risks and can make informed decisions.

Qualitative risk assessment = Ease of implementation, Detailed metrics used for the calculation of risk.

Which type of risk assessment to perform depends on = Culture of the organization, Budget, Capabilities of resources.
It is expected that an organization will select the risk assessment methodology, tools, and resources (including people) that best fit its culture, personnel capabilities, budget, and timeline.

Security awareness training is a method by which organizations can inform employees about their roles, and the expectations surrounding those roles, in the observance of information security requirements. Awareness provides recognition, while training provides skill and education provides understanding.

A signed user acknowledgment of the corporate security policy = Ensures that users understand the policy, as well as the consequences for not following the policy.

Effective security management = Reduces risk to an acceptable level.

Availability makes information accessible by protecting against all of the following except = Unauthorized transactions

Tactical security plans = Establish high-level security policies, Enable enterprise/entity-wide security management, Reduce downtime

Long-duration security projects = Increase completion risk
Projects of 12 to 18 months are generally considered long term and strategic in nature; they typically require more funding and resources, or are more complex in their implementation.

Setting clear security roles = Establishes personal accountability, Enables continuous improvement, Reduces departmental turf battles.

Well-written security program policies should be reviewed = At least annually
Policies, Standards and baselines, Procedures

Collusion is best mitigated by = Job rotation

False positives are primarily a concern during = Drug and substance abuse testing

Key elements of a good configuration process:

(1) accommodate change;
(2) accommodate the reuse of proven standards and best practices;
(3) ensure that all requirements remain clear, concise, and valid;
(4) ensure changes, standards, and requirements are communicated promptly and precisely; and
(5) ensure that the results conform to each instance of the product.


Configuration management

Configuration management (CM) is the detailed recording and updating of information that describes an enterprise's computer systems and networks, including all hardware and software components. Such information typically includes the versions and updates that have been applied to installed software packages and the locations and network addresses of hardware devices. Special configuration management software is available. When a system needs a hardware or software upgrade, a computer technician can access the configuration management program and database to see what is currently installed. The technician can then make a more informed decision about the upgrade needed.
An advantage of a configuration management application is that the entire collection of systems can be reviewed to make sure any changes made to one system do not adversely affect any of the other systems.
Configuration management is also used in software development, where it is called Unified Configuration Management (UCM). Using UCM, developers can keep track of the source code, documentation, problems, changes requested, and changes made.

Change management
In a computer system environment, change management refers to a systematic approach to keeping track of the details of the system (for example, what operating system release is running on each computer and which fixes have been applied).


Private sector data classification levels

Confidential: Information that, if released or disclosed outside of the organization, would create severe problems for the organization. For example, information that provides a competitive advantage, is important to the technical or financial success of the organization (like trade secrets, intellectual property, or research designs), or protects the privacy of individuals would be considered confidential. Information may include payroll information, health records, credit information, formulas, technical designs, restricted regulatory information, senior management internal correspondence, or business strategies or plans. These may also be called top secret, privileged, personal, sensitive, or highly confidential. In other words, this information is acceptable within a defined group in the company, such as marketing or sales, but is not suited for release to anyone else in the company without permission.

Public: Information that may be disclosed to the general public without concern for harming the company, employees, or business partners. No special protections are required, and information in this category is sometimes referred to as unclassified. For example, information that is posted to a company's public Internet site, publicly released announcements, marketing materials, cafeteria menus, and any internal documents that would not present harm to the company if they were disclosed would be classified as public. While there is little concern for confidentiality, integrity and availability should still be considered.

Internal Use Only: Information that could be disclosed within the company, but could harm the company if disclosed externally. Information such as customer lists, vendor pricing, organizational policies, standards and procedures, and internal organization announcements would need baseline security protections, but does not rise to the level of protection required for confidential information. In other words, the information may be used freely within the company, but any unapproved use outside the company can pose a chance of harm.

Restricted: Information that requires the utmost protection or, if discovered by unauthorized personnel, would cause irreparable harm to the organization would have the highest level of classification. There may be very few pieces of information like this within an organization, but data classified at this level requires all the access control and protection mechanisms available to the organization. Even when information classified at this level exists, there will be few copies of it.

Contingency planning process phases

Prioritization of applications = asset valuation
Assessment of threat impact on the organization = threat modeling
Development of recovery scenarios = risk mitigation


Eliminate involvement with the risk being evaluated = Risk avoidance

Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, waiting until your daughter is of legal age before giving her a mobile phone.

Risk handling technique that involves being proactive so that the risk in question is not realized = Risk avoidance

Information access permission model where, unless the user is specifically given access to certain data, they are denied all access by default = Implicit deny
