Plain Talk about Security
January 27, 2015
by Mike Stone
Introduction
Plain Talk about Security 04/02/2015 2
• Security is not just a matter of opinion
  • even though everybody has an opinion about security
• Security is not a wasted effort
  • even though it may seem like any determined attacker will get through your defenses
• Security is a logic, a calculation, and a profession
  • logic: “you can’t protect assets you don’t know about”
  • calculation: “the value of a risk to an asset is equal to the value of the asset times the probability that the risk will occur”
  • profession: “An occupation doesn’t need society’s recognition to be a profession (CISSP). It only needs the actions and activities among its members to cooperate to serve a certain ideal (Security)” – (ISC)2
• Information Security has its counterparts in physical security
The Security Trinity (CIA)
• Confidentiality: keep the asset secret!
• Integrity: prevent unauthorized change to asset!
• Availability: ensure intended users can always access asset!
Start with a Good Secure Architecture
• A good architecture
  • Form facilitates function
  • Modular
  • Adaptable
  • Scalable
• A secure architecture
  • Facilitates organizational mission & objectives
  • Provides granular segmentation
  • Provides situational awareness
  • Defends its assets
[Figure: physical security vs. information security. Network diagram with zones Internet, DMZ, Dev & QA, Users, Prod, and SOC & NOC, boundary markers (C) between zones, and data classified Public, Confidential, or Top Secret.]
Four A’s of Security: #1 Account Management
• User Accounts: represent interactive humans
• Service Accounts: represent batch processes
• Role-based Accounts: represent groups of accounts with similar profiles & needs
[Figure: physical security vs. information security. Account populations shown: admins, services, employees, customers, suppliers, hackers.]
Four A’s of Security: #2: Authentication Controls
• One Factor Authentication: What you know (password)
• Two Factor Authentication: What you have (token) + what you know
• Three Factor Authentication: What you are (biometric) + what you have + what you know
[Figure: physical security vs. information security. Guard-post captions: “STOP! Identify yourself!”, “Show me your pass!”, “You don’t look like the commander!”; information-security counterparts: password, token, biometric hand scanner.]
“Digital Signatures and Certificates also provide User, Host, Software, Message, and Data Authentication Controls!”
Four A’s of Security: #3 Authorization (Access) Controls
• Who/what is allowed to do what to a resource (asset)
• Resources are assets that are allowed to be used
• Minimum Privilege: the least privileges required to perform a job (role) = Granularity
• Strong Access Controls require Strong Authentication Controls!
[Figure: physical security vs. information security. Environments General Prod ($), Confidential Prod ($$), and Top Secret Prod ($$$) matched to General, Confidential, and Top Secret clearances; systems shown: SQL, WS, TS, Srvr, Rtr, SW.]
“Encryption also provides a Presentation Layer Access Control!”
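The authentication slide (#2) and this authorization slide (#3) describe three checks that an access decision has to combine: the role grants only the minimum privileges for the job, the subject's clearance must cover the resource's classification, and strong access control needs strong authentication behind it. The following Python is an added example, not code from the slides; the role table, the factor-count policy per classification, and all names are constructed assumptions.

```python
"""Least-privilege access decision: role permissions, clearance vs. classification,
and authentication strength checked together. Added example; the policy tables
and names are constructed, not taken from the slides."""
from dataclasses import dataclass, field

# Classification ladder from the slide: General < Confidential < Top Secret.
LEVELS = {"General": 0, "Confidential": 1, "Top Secret": 2}

# Constructed policy: factors a subject must have presented to touch each level
# (1 = password, 2 = password + token, 3 = password + token + biometric).
REQUIRED_FACTORS = {"General": 1, "Confidential": 2, "Top Secret": 3}

# Constructed role table: the minimum set of actions each role needs for its job.
ROLE_PERMISSIONS = {
    "employee": {"read"},
    "developer": {"read", "write"},
    "admin": {"read", "write", "configure"},
    "service": {"read", "write"},
}


@dataclass(frozen=True)
class Subject:
    name: str
    role: str
    clearance: str
    factors_used: int


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def authorize(subject: Subject, resource: Resource, action: str) -> Decision:
    """Fail closed: every check must pass, and every failure is recorded so the
    decision can be logged for the audit controls described later in the deck."""
    decision = Decision(allowed=True)

    # 1. Minimum privilege: the role must explicitly grant the action.
    if action not in ROLE_PERMISSIONS.get(subject.role, set()):
        decision.allowed = False
        decision.reasons.append(f"role {subject.role!r} does not grant {action!r}")

    # 2. Clearance must dominate the resource classification; unknown labels deny.
    have = LEVELS.get(subject.clearance, -1)
    need = LEVELS.get(resource.classification)
    if need is None or have < need:
        decision.allowed = False
        decision.reasons.append(
            f"clearance {subject.clearance!r} insufficient for {resource.classification!r}")

    # 3. Strong access control needs strong authentication: the factor count
    #    presented at login must meet what the classification demands.
    factors = REQUIRED_FACTORS.get(resource.classification, 99)
    if subject.factors_used < factors:
        decision.allowed = False
        decision.reasons.append(
            f"{factors}-factor authentication required, {subject.factors_used} presented")

    if decision.allowed:
        decision.reasons.append("role, clearance and authentication strength all satisfied")
    return decision


if __name__ == "__main__":
    ts_prod = Resource("Top Secret Prod", "Top Secret")
    for subj in (Subject("carol", "admin", "Top Secret", factors_used=3),
                 Subject("carol", "admin", "Top Secret", factors_used=2)):
        d = authorize(subj, ts_prod, "configure")
        print(subj.name, subj.factors_used, "factors ->", d.allowed, d.reasons)
```

The decision object carries every reason for a denial rather than stopping at the first one, so a single log line records which of the three controls failed; the same admin with the same clearance is refused when only two factors were presented for a Top Secret resource, which is the slide's point that access control is only as strong as the authentication in front of it.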
Four A’s of Security: #4 Audit Controls
• Logs (Running) & Monitoring (Real-Time): ad hoc record of alerts and events
• Audit: formal documentation of who did what when and where compared to a framework
• Report: statistical (and possibly graphic) view of historical data and trends
• Evidence: documentation proving compliance with a security control or standard
[Figure: physical security vs. information security. Monitored systems SQL, WS, TS, Srvr, Rtr, SW, FW, IPS, A/V, SSL, DLP, and CA each feed an event manager (EM); the event managers roll up to two managers-of-managers (MoM), NNM and SIEM.]
“Digital Signatures and trusted Certificates can provide non-repudiation for business or legal transactions!”
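The four audit controls on this slide are four different products of the same raw data. As an added example (not code from the deck), the Python below takes a small constructed log in an assumed key=value format and derives each of them: a monitoring alert from running logs, a formal who/what/when/where audit trail for one account, a statistical report, and an evidence list of privileged configuration changes. The log lines, hosts and usernames are all constructed.

```python
"""Turning running logs into audit records, a report, and evidence. Added
example; the log format and the sample lines are constructed, not from the deck."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (key=value after an ISO timestamp); one line is deliberately malformed.
SAMPLE_LOG = """\
2015-01-27T08:01:10Z host=ws-12 user=alice action=login result=success src=10.0.5.21
2015-01-27T08:02:33Z host=srv-prod-1 user=bob action=login result=failure src=10.0.9.7
2015-01-27T08:02:41Z host=srv-prod-1 user=bob action=login result=failure src=10.0.9.7
2015-01-27T08:02:52Z host=srv-prod-1 user=bob action=login result=failure src=10.0.9.7
2015-01-27T08:03:05Z host=srv-prod-1 user=bob action=login result=success src=10.0.9.7
2015-01-27T08:10:00Z host=sql-1 user=svc_backup action=read result=success src=10.0.2.4
2015-01-27T08:15:47Z host=fw-1 user=carol action=configure result=success src=10.0.1.3
this line is not in the expected format and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<when>\S+) host=(?P<where>\S+) user=(?P<who>\S+) "
    r"action=(?P<what>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Logs: turn raw lines into who/what/when/where records. Lines that do not
    parse are counted rather than silently dropped; a gap in the record is itself
    an audit finding."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["when"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records, unparsed


def monitor_failed_logins(records, threshold=3):
    """Monitoring: alert when an account accumulates repeated login failures."""
    failures = Counter(r["who"] for r in records
                       if r["what"] == "login" and r["result"] == "failure")
    alerts = sorted(user for user, n in failures.items() if n >= threshold)
    return dict(failures), alerts


def audit_trail(records, user):
    """Audit: formal, time-ordered statement of who did what, when and where."""
    return [f'{r["when"].isoformat()} {r["who"]} {r["what"]} on {r["where"]} '
            f'from {r["src"]}: {r["result"]}'
            for r in sorted(records, key=lambda r: r["when"]) if r["who"] == user]


def activity_report(records):
    """Report: statistical view of activity by action and outcome."""
    return dict(Counter((r["what"], r["result"]) for r in records))


def configuration_evidence(records):
    """Evidence: every privileged configuration change, attributable to a
    person, a host and a time."""
    return [(r["who"], r["where"], r["when"].isoformat())
            for r in records if r["what"] == "configure"]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} unparsed line(s)")
    print("alerts:", monitor_failed_logins(recs))
    print("\n".join(audit_trail(recs, "bob")))
    print("report:", activity_report(recs))
    print("evidence:", configuration_evidence(recs))
```

Note that the alert threshold and the audit trail are computed from the same parsed records; the difference between "monitoring" and "audit" on the slide is not the data but whether the output is an ad hoc alert or a complete, ordered account of one subject's actions.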
Confidentiality
• Protects an asset or person from unauthorized viewing or exposure by:
  • Access Controls
  • Encryption
    • Symmetric
    • Asymmetric
[Figure: physical security vs. information security. Physical counterpart: shredder. Symmetric keys: a key generator (KG) gives Bob and Alice the same key; Bob encrypts (E) “Hi!” to “@#$^” and Alice decrypts (D) it back to “Hi!”. Public & private keys: KG issues a public key used to encrypt (E) and a private key used to decrypt (D).]
“Considering Moore’s Law, you’d better add another bit to the encryption key length every 18 months!”
Integrity
• Protects an asset from unauthorized modification by:
  • Access Controls
  • Digital Signature
  • Hash
  • Encryption
[Figure: physical security vs. information security. Environments General Prod ($), Important Prod ($$), and Critical Prod ($$$) matched to General, Medium Integrity, and High Integrity clearances; replicated across Site #1 and Site #2.]
“Digital Signature, Hash, & Encryption also provide Presentation Layer Access Controls!”
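The slide lists hash and digital signature side by side as integrity controls, and the practical difference between them is worth seeing. A plain hash detects accidental corruption but can be recomputed by whoever changed the data; a keyed hash (HMAC) or a signature cannot. The Python below is an added example using only the standard library (HMAC stands in for the signature because it needs no third-party crypto package); the key and the message are constructed.

```python
"""Hash vs. keyed hash (HMAC) for integrity. Added example using only the
standard library; the key and message are constructed."""
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Unkeyed hash: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(digest(data), expected)


def tag(key: bytes, data: bytes) -> str:
    """Keyed hash: a valid tag can only be produced by a holder of the key, so a
    modified message cannot be re-tagged by someone without it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)


def protect(key: bytes, data: bytes) -> dict:
    """Store the object with both its hash and its tag, as a system would."""
    return {"data": data, "sha256": digest(data), "hmac": tag(key, data)}


def check(key: bytes, stored: dict) -> dict:
    return {"hash_ok": verify_digest(stored["data"], stored["sha256"]),
            "hmac_ok": verify_tag(key, stored["data"], stored["hmac"])}


def demo() -> dict:
    # Constructed key; in practice it comes from the key generator (KG) on the slide.
    key = b"constructed-demo-key-replace-with-KG-output"
    original = protect(key, b"transfer 100 to account 42")

    # Case 1: bit rot or a transmission error: payload changed, metadata untouched.
    corrupted = dict(original, data=b"transfer 900 to account 42")

    # Case 2: payload changed and the unkeyed hash recomputed to match it;
    # the HMAC cannot be recomputed without the key, so it stays stale.
    recomputed = dict(corrupted, sha256=digest(corrupted["data"]))

    return {
        "intact": check(key, original),
        "corrupted": check(key, corrupted),
        "hash_recomputed": check(key, recomputed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Both checks fail on the corrupted record, but only the HMAC fails on the record whose hash was brought back into agreement with the data. A digital signature gives the same property with an asymmetric key pair, plus the non-repudiation noted on the audit slide, because the verifier does not need the signer's private key.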
Availability
• Ensures a resource will always be available for authorized use
• High-Availability services shouldn’t have Single Points of Failure (SPoF)
• Recovery Point Objective (RPO): how much data a service can afford to lose
• Recovery Time Objective (RTO): how much time a service can afford to be shut down
[Figure: physical security vs. information security. Redundant topology: clients c1, c2, c3 reach the Internet, then paired routers R1/R2, paired DNS servers DNS 1/DNS 2, paired load balancers LB1/LB2, paired switches SW1/SW2, and paired servers S1/S2.]
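"Shouldn't have single points of failure" can be checked mechanically: model the topology as a graph, remove each node in turn, and test whether a client can still reach the service and resolve its name. The Python below is an added example, not from the deck; the two topologies are constructed, borrowing the node names from the slide (R1/R2, LB1/LB2, SW1/SW2, S1/S2, DNS 1/2), and the site assignments are assumptions. It also goes one step beyond the slide by testing correlated loss of a whole site.

```python
"""Single-point-of-failure analysis of a service topology by simulated node
and site loss. Added example; the topologies are constructed, loosely using the
node names from the slide (R1/R2, LB1/LB2, SW1/SW2, S1/S2, DNS 1/2)."""
from collections import deque


def build(edges):
    """Undirected adjacency map from (a, b) links."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, src, dst, removed=frozenset()):
    """Breadth-first search that ignores removed (failed) nodes."""
    if src in removed or dst in removed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(adj, client, targets, ignore=frozenset()):
    """Nodes whose individual loss cuts the client off from any target. The
    client, the targets and nodes in `ignore` (outside our control) are skipped."""
    candidates = set(adj) - {client} - set(targets) - set(ignore)
    return sorted(n for n in candidates
                  if not all(reachable(adj, client, t, {n}) for t in targets))


def group_failures(adj, client, targets, groups):
    """Same test for correlated loss: a whole site, rack or power feed at once."""
    return sorted(name for name, members in groups.items()
                  if not all(reachable(adj, client, t, frozenset(members)) for t in targets))


# Virtual nodes: SERVICE is up if any server answers, NAMES if any DNS server answers.
SERVICE, NAMES = "SERVICE", "NAMES"
TARGETS = (SERVICE, NAMES)

# Constructed redundant topology: every tier is paired and cross-connected.
REDUNDANT = build([
    ("c1", "Internet"), ("Internet", "R1"), ("Internet", "R2"),
    ("R1", "LB1"), ("R1", "LB2"), ("R2", "LB1"), ("R2", "LB2"),
    ("LB1", "SW1"), ("LB1", "SW2"), ("LB2", "SW1"), ("LB2", "SW2"),
    ("SW1", "S1"), ("SW1", "S2"), ("SW2", "S1"), ("SW2", "S2"),
    ("S1", SERVICE), ("S2", SERVICE),
    ("Internet", "DNS1"), ("Internet", "DNS2"), ("DNS1", NAMES), ("DNS2", NAMES),
])

# Constructed weaker topology: one firewall in the path and a single DNS server.
WITH_SPOF = build([
    ("c1", "Internet"), ("Internet", "R1"), ("Internet", "R2"),
    ("R1", "FW1"), ("R2", "FW1"), ("FW1", "LB1"), ("FW1", "LB2"),
    ("LB1", "SW1"), ("LB1", "SW2"), ("LB2", "SW1"), ("LB2", "SW2"),
    ("SW1", "S1"), ("SW1", "S2"), ("SW2", "S1"), ("SW2", "S2"),
    ("S1", SERVICE), ("S2", SERVICE),
    ("Internet", "DNS1"), ("DNS1", NAMES),
])

# Constructed placement: which devices share a site (and hence a site-wide outage).
SITES = {"site-1": {"R1", "LB1", "SW1", "S1", "DNS1"},
         "site-2": {"R2", "LB2", "SW2", "S2", "DNS2"}}


def analyze(adj, client="c1"):
    return {"spof": single_points_of_failure(adj, client, TARGETS, ignore={"Internet"}),
            "site_loss": group_failures(adj, client, TARGETS, SITES)}


if __name__ == "__main__":
    print("redundant:", analyze(REDUNDANT))
    print("with spof:", analyze(WITH_SPOF))
```

The weaker topology is reported as having two single points of failure (the lone firewall and the lone DNS server) and as losing the service when site-1 goes down, even though every other tier is paired. Pairing devices is not enough; the pairs also have to be cross-connected and placed in different failure domains.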
A Risk-Driven Security Process
• Identify your major assets
• Identify the risks to those assets
• Measure the impacts ($) and probabilities (%) of those risks
• Decide what levels of impacts and probabilities of risks are acceptable
• Allocate a security budget equal to the difference between the maximum risk (impact x probability) and the acceptable risk level
• Create or modify the policies, standards, procedures, and controls to defend those assets while achieving business missions and objectives
• Assess residual risks
• Review effectiveness of those policies, standards, procedures, and controls
[Figure: process cycle: ID Assets → ID Risks → Calc Impact & Probability → Decide Acceptable Levels → Budget Security → Plan Defenses → Assess Residual Risks → Review Effectiveness.]
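The steps above, together with the introduction's definition of a risk's value as asset value times probability, are a calculation that can be carried through end to end. The Python below is an added example, not from the deck: it applies the formula to a constructed risk register, derives the budget as the excess of each risk over the acceptable level, orders the risks for spending, and re-runs the calculation after a constructed set of controls to show the residual risk. The assets, dollar figures, probabilities, acceptable level and control effects are all constructed assumptions.

```python
"""Risk register arithmetic behind the process: exposure = impact x probability,
acceptable level, budget, prioritisation, and residual risk after controls. Added
example; the assets, numbers and control effects are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact: float        # loss in $ if the risk occurs (at most the asset's value)
    probability: float   # chance of occurrence over the planning period, 0..1

    def exposure(self) -> float:
        """The slide's calculation: value of the risk = impact x probability."""
        return self.impact * self.probability


def validate(risks):
    """Reject registers that cannot be calculated with (a common spreadsheet error)."""
    for r in risks:
        if not 0.0 <= r.probability <= 1.0:
            raise ValueError(f"{r.asset}/{r.threat}: probability {r.probability} outside 0..1")
        if r.impact < 0:
            raise ValueError(f"{r.asset}/{r.threat}: negative impact")
    return True


def security_budget(risks, acceptable: float) -> float:
    """Budget = sum over risks of (risk - acceptable), counting only the excess."""
    validate(risks)
    return sum(max(0.0, r.exposure() - acceptable) for r in risks)


def prioritize(risks, acceptable: float):
    """Risks above the acceptable line, worst first: where the budget goes first."""
    return sorted((r for r in risks if r.exposure() > acceptable),
                  key=lambda r: r.exposure(), reverse=True)


def residual(risks, controls):
    """Apply planned controls. `controls` maps (asset, threat) to multipliers on
    (impact, probability); e.g. tested backups cut ransomware impact, patching
    cuts breach probability. Unlisted risks are unchanged."""
    out = []
    for r in risks:
        f_impact, f_prob = controls.get((r.asset, r.threat), (1.0, 1.0))
        out.append(Risk(r.asset, r.threat, r.impact * f_impact, r.probability * f_prob))
    return out


# Constructed register for one planning year.
REGISTER = [
    Risk("customer DB", "data breach", impact=2_000_000, probability=0.05),
    Risk("customer DB", "ransomware", impact=2_000_000, probability=0.10),
    Risk("web store", "DDoS outage", impact=300_000, probability=0.30),
    Risk("dev repo", "credential leak", impact=50_000, probability=0.20),
]
ACCEPTABLE = 50_000  # constructed: management accepts up to $50k exposure per risk

# Constructed control plan: (impact multiplier, probability multiplier).
CONTROLS = {
    ("customer DB", "ransomware"): (0.5, 0.4),   # offline backups + segmentation
    ("customer DB", "data breach"): (1.0, 0.4),  # encryption at rest + access review
    ("web store", "DDoS outage"): (1.0, 0.2),    # upstream traffic scrubbing
}


def run_cycle(register=REGISTER, acceptable=ACCEPTABLE, controls=CONTROLS) -> dict:
    after = residual(register, controls)
    return {
        "budget": security_budget(register, acceptable),
        "priorities": [(r.asset, r.threat) for r in prioritize(register, acceptable)],
        "residual_budget": security_budget(after, acceptable),
        "still_above_line": [(r.asset, r.threat) for r in prioritize(after, acceptable)],
    }


if __name__ == "__main__":
    for k, v in run_cycle().items():
        print(f"{k}: {v}")
```

With these constructed numbers the register carries $240,000 of exposure above the acceptable line, the ransomware risk is funded first, and after the planned controls no risk remains above the line; a non-empty "still_above_line" after the residual pass is the signal to go around the cycle again.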

 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Plain Security Talk

  • 6. Four A’s of Security: #2: Authentication Controls
Physical Security / Information Security
• One Factor Authentication: what you know (password)
• Two Factor Authentication: what you have (token) + what you know
• Three Factor Authentication: what you are (biometric) + what you have + what you know
• Factors only add strength when they are independent: two passwords are still one factor, and a second factor that lives on the same compromised device as the first adds little
[Figure: sentry challenge (“STOP! Identify yourself! Show me your pass! You don’t look like the commander!”) beside password, token and biometric hand-scanner icons]
“Digital Signatures and Certificates also provide User, Host, Software, Message, and Data Authentication Controls!”
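
As an added example (not code from the original slides), the following Python checks the first two factors above: a password (what you know) verified with PBKDF2, and a time-based one-time code from a token (what you have) computed per RFC 4226/6238. It uses only the standard library. The user record, salt and timestamp are constructed for the demo; the TOTP secret is the RFC 6238 reference secret, so the code at t=59 (287082) is reproducible.

```python
"""Two-factor login check: password (what you know) + TOTP code (what you have).

Added example, not from the original slides. Standard library only. The
user record, salt and timestamp below are constructed for the demo; the
TOTP secret is the RFC 6238 reference secret, so values are reproducible.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, derived_key) for storage; the plaintext is never kept."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Factor 1: re-derive the key and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Factor 2: accept the current step and +/- `window` neighbouring steps
    (clock skew), comparing every candidate in constant time."""
    ok = False
    for skew in range(-window, window + 1):
        candidate = totp(secret, unix_time + skew * TOTP_STEP)
        ok |= hmac.compare_digest(candidate, code)
    return ok


# Constructed user record (in practice a database row). Fixed salt so the
# derived key is reproducible; real salts come from os.urandom.
DEMO_SALT = bytes(16)
DEMO_SECRET = b"12345678901234567890"   # RFC 6238 test secret
DEMO_PASSWORD = "correct horse battery staple"
DEMO_USER = {
    "name": "alice",
    "salt": DEMO_SALT,
    "pw_key": hash_password(DEMO_PASSWORD, DEMO_SALT)[1],
    "totp_secret": DEMO_SECRET,
}


def two_factor_login(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are evaluated even if the first fails, so response time
    does not tell an attacker which factor was wrong."""
    pw_ok = verify_password(password, user["salt"], user["pw_key"])
    otp_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    t = 59   # RFC 6238 test vector time: 6-digit code 287082
    code = totp(DEMO_SECRET, t)
    print("TOTP at t=59:", code)
    print("good login:", two_factor_login(DEMO_USER, DEMO_PASSWORD, code, t))
    print("bad code:  ", two_factor_login(DEMO_USER, DEMO_PASSWORD, "000000", t))
```

The skew window is the usual trade-off: one step either side keeps slightly drifted tokens working, but every extra step accepted widens the guessing window, so rate-limit failed codes as well.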
  • 7. Four A’s of Security: #3 Authorization (Access) Controls
Physical Security / Information Security
• Who/what is allowed to do what to a resource (asset)
• Resources are assets that are allowed to be used
• Minimum Privilege: the least privileges required to perform a job (role) = Granularity (the finer-grained your permissions, the closer you can get to the minimum)
• Strong Access Controls require Strong Authentication Controls!
[Figure: General, Confidential and Top Secret Prod tiers ($, $$, $$$) gated by matching General, Confidential and Top Secret clearances]
“Encryption also provides a Presentation Layer Access Control!”
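
As an added example (not from the original slides), here is an authorization decision in Python that combines the three ideas on this slide: the subject's clearance against the resource's classification, a minimum authentication strength per tier (the "strong access controls need strong authentication" point), and least-privilege role permissions. The roles, the factors-per-tier table and the sample sessions and resources are assumptions chosen to mirror the slide's General / Confidential / Top Secret production tiers.

```python
"""Authorization decision: clearance vs classification, authentication
strength per tier, and least-privilege role permissions.

Added example, not from the original slides. The roles, the factor
requirements and the sample sessions/resources are assumptions that mirror
the slide's General / Confidential / Top Secret production tiers.
"""
from dataclasses import dataclass, field

# Classification ladder, least to most sensitive (index = rank).
LEVELS = ["General", "Confidential", "Top Secret"]

# Assumption: factors a session must have presented to touch each tier
# ("Strong Access Controls require Strong Authentication Controls").
MIN_FACTORS = {"General": 1, "Confidential": 2, "Top Secret": 3}

# Assumption: role -> actions. Minimum privilege means each role is as
# small as the job allows; granular actions make that possible.
ROLE_PERMS = {
    "viewer": {"read"},
    "operator": {"read", "restart"},
    "admin": {"read", "restart", "write", "delete"},
}


@dataclass
class Session:
    user: str
    clearance: str                      # one of LEVELS
    roles: set = field(default_factory=set)
    factors: int = 1                    # factors verified at login


@dataclass
class Resource:
    name: str
    classification: str                 # one of LEVELS


def authorize(session: Session, action: str, resource: Resource) -> tuple:
    """Return (allowed, reason). All checks must pass; the first failing
    check is reported so the audit trail records why access was denied."""
    if session.clearance not in LEVELS or resource.classification not in LEVELS:
        return False, "unknown classification level"
    # 1. Clearance must be at or above the resource's classification.
    if LEVELS.index(session.clearance) < LEVELS.index(resource.classification):
        return False, f"clearance {session.clearance} < {resource.classification}"
    # 2. Authentication strength must match the tier.
    need = MIN_FACTORS[resource.classification]
    if session.factors < need:
        return False, f"{need} factors required, {session.factors} presented"
    # 3. Least privilege: the action must come from an assigned role.
    granted = set().union(*(ROLE_PERMS.get(r, set()) for r in session.roles))
    if action not in granted:
        return False, f"action {action!r} not in roles {sorted(session.roles)}"
    return True, "ok"


# Constructed sample subjects and resources.
ALICE = Session("alice", "Top Secret", {"admin"}, factors=3)
BOB = Session("bob", "Confidential", {"operator"}, factors=2)
GENERAL_PROD = Resource("General Prod", "General")
CONF_PROD = Resource("Confidential Prod", "Confidential")
TS_PROD = Resource("Top Secret Prod", "Top Secret")

if __name__ == "__main__":
    for s, a, r in [(ALICE, "delete", TS_PROD), (BOB, "read", TS_PROD),
                    (BOB, "write", CONF_PROD), (BOB, "restart", GENERAL_PROD)]:
        print(s.user, a, r.name, "->", authorize(s, a, r))
```

The order of the checks matters for the audit trail rather than for safety: every check must pass, but recording the first failure ("clearance too low" vs "MFA missing" vs "role lacks the action") tells the reviewer whether to fix the account, the login policy or the role definition.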
  • 8. Four A’s of Security: #4 Audit Controls
Physical Security / Information Security
• Logs (Running) & Monitoring (Real-Time): ad hoc record of alerts and events
• Audit: formal documentation of who did what, when and where, compared to a framework
• Report: statistical (and possibly graphic) view of historical data and trends
• Evidence: documentation proving compliance with a security control or standard
• Logs only serve as evidence if clocks are synchronised, the logs are shipped off the host that produced them, and they cannot be altered after the fact; an attacker with admin rights on a box can edit its local log
[Figure: element managers (EM) for SQL, WS, TS, Srvr, Rtr, SW, FW, IPS, A/V, SSL, DLP and CA feed managers-of-managers (MoM, NNM) and a SIEM]
“Digital Signatures and trusted Certificates can provide non-repudiation for business or legal transactions!”
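
As an added example (not from the original slides), the Python below takes the slide's first three bullets from log to monitoring to audit: it parses authentication events, applies one real-time rule (repeated failures from a single source, then a success from that source), and produces the who/what/when/where audit view plus a simple count report. The log lines and their syslog-like format are constructed for the demo, and the three-failures-in-60-seconds threshold is an assumed rule, not a standard.

```python
"""Logs -> monitoring -> audit: parse auth events, raise a real-time alert on
repeated failures, and produce the who/what/when/where audit view.

Added example, not from the original slides. The log lines are constructed
for the demo in a syslog-like format; the threshold (3 failures within 60 s
from one source) is an assumed detection rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<where>\S+) "
    r"auth: (?P<what>LOGIN_OK|LOGIN_FAIL|PRIV_ESC) user=(?P<who>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (not real data): a short password-guessing burst
# from one source, a success from the same source, then privilege escalation.
SAMPLE_LOG = """\
2015-01-27T09:00:01 ws-42 auth: LOGIN_FAIL user=alice src=203.0.113.7
2015-01-27T09:00:12 ws-42 auth: LOGIN_FAIL user=alice src=203.0.113.7
2015-01-27T09:00:25 ws-42 auth: LOGIN_FAIL user=alice src=203.0.113.7
2015-01-27T09:00:40 ws-42 auth: LOGIN_OK user=alice src=203.0.113.7
2015-01-27T09:01:02 prod-db-1 auth: PRIV_ESC user=alice src=203.0.113.7
2015-01-27T09:30:00 ws-17 auth: LOGIN_OK user=bob src=192.0.2.9
"""


def parse(line: str):
    """One log line -> record dict, or None for lines we cannot parse
    (unparseable lines are worth counting in their own right)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["when"], "%Y-%m-%dT%H:%M:%S")
    return rec


def monitor(records, threshold: int = 3, window_s: int = 60) -> list:
    """Real-time rule: `threshold` LOGIN_FAIL events from one source within
    `window_s` seconds raises BRUTE_FORCE; a LOGIN_OK from a flagged source
    afterwards raises SUCCESS_AFTER_BRUTE_FORCE (the one that matters)."""
    alerts = []
    recent = defaultdict(deque)     # src -> timestamps of recent failures
    flagged = set()
    for r in records:
        src = r["src"]
        if r["what"] == "LOGIN_FAIL":
            q = recent[src]
            q.append(r["when"])
            while q and (r["when"] - q[0]).total_seconds() > window_s:
                q.popleft()         # drop failures outside the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, r["who"], r["when"]))
        elif r["what"] == "LOGIN_OK" and src in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, r["who"], r["when"]))
    return alerts


def audit(records) -> list:
    """Audit view: (who, what, when, where) for every event, in order."""
    return [(r["who"], r["what"], r["when"].isoformat(), r["where"]) for r in records]


def report(records) -> dict:
    """Report view: event counts per (user, event type)."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["who"], r["what"])] += 1
    return dict(counts)


def run(text: str = SAMPLE_LOG) -> dict:
    records = [r for r in (parse(line) for line in text.splitlines()) if r]
    return {"alerts": monitor(records), "audit": audit(records), "report": report(records)}


if __name__ == "__main__":
    result = run()
    for alert in result["alerts"]:
        print("ALERT", *alert)
    for row in result["audit"]:
        print("AUDIT", *row)
```

The second alert is the one an analyst acts on: three failures alone are noise on any Internet-facing host, but a success from the same source inside the window, followed here by a privilege escalation on a production database, is the sequence worth paging on.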
  • 9. Confidentiality
Physical Security / Information Security
• Protects an asset or person from unauthorized viewing or exposure by:
  • Access Controls
  • Encryption
    • Symmetric
    • Asymmetric
[Figure: a shredder (physical); symmetric keys: KG issues one key used by both Bob’s E and Alice’s D (“Hi!” → “@#$^” → “Hi!”); public & private keys: KG issues a public key for E and a private key for D]
“Considering Moore’s Law, you’d better add another bit to the encryption key length every 18 months!”
• That rule of thumb covers brute-force search of a symmetric key (each extra bit doubles the attacker’s work). Asymmetric keys (RSA, Diffie-Hellman) must grow far faster, because factoring and discrete-log attacks are sub-exponential; in practice you move to the next standard size (128- or 256-bit symmetric, 2048- or 3072-bit RSA) rather than adding one bit at a time
  • 10. Integrity
Physical Security / Information Security
• Protects an asset from unauthorized modification by:
  • Access Controls
  • Digital Signature
  • Hash
  • Encryption
• Encryption alone does not guarantee integrity: many modes let an attacker flip ciphertext bits without knowing the key, so pair it with a MAC or signature (or use an authenticated mode such as AES-GCM). A bare hash only detects tampering if the attacker cannot also replace the hash
“Digital Signature, Hash, & Encryption also provide Presentation Layer Access Controls!”
[Figure: General, Important and Critical Prod tiers ($, $$, $$$) gated by General, Medium Integrity and High Integrity clearances]
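
As an added example serving both the Confidentiality slide (which key does what in the KG / E / D diagrams) and the Integrity slide (hash, MAC, digital signature), here is Python that is not from the original slides. Hash and HMAC use the real standard-library primitives. The public-key part is textbook RSA with tiny fixed primes (p=61, q=53, so n=3233) purely to show the roles of the public and private keys; it is not a usable cipher, and the standard library has no symmetric cipher, so that side of the diagram is not reproduced. For real keys use a vetted library such as `cryptography`.

```python
"""Hash, HMAC and (toy) digital signature / public-key encryption, showing
which key does what in the slides' KG / E / D diagrams.

Added example, not from the original slides. hashlib/hmac are the real
primitives. The RSA part is textbook RSA with tiny fixed primes (p=61,
q=53) purely to show the key roles; it is not a usable cipher (no padding,
no real key sizes). Use a vetted library for real keys.
"""
import hashlib
import hmac


# --- Integrity: hash (no key) and HMAC (shared symmetric key) ---------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Detects modification, but anyone can recompute a hash, so it proves
    integrity only if the hash itself arrived over a trusted path."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    """Integrity plus origin, among the holders of the shared key."""
    return hmac.compare_digest(mac(key, data), tag)


# --- Toy RSA: KG -> (public, private) ----------------------------------------

def toy_keygen(p: int = 61, q: int = 53, e: int = 17) -> tuple:
    """Textbook RSA keygen with fixed demo primes (n = 3233). Never do this
    for real: primes must be large and random, and padding is mandatory."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public: tuple, m: int) -> int:
    """Confidentiality: anyone holding the PUBLIC key can encrypt..."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private: tuple, c: int) -> int:
    """...and only the PRIVATE key holder can decrypt."""
    n, d = private
    return pow(c, d, n)


def sign(private: tuple, data: bytes) -> int:
    """Integrity and non-repudiation: hash the data, then apply the PRIVATE
    key, so only its holder could have produced the signature."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(h, d, n)


def verify_signature(public: tuple, data: bytes, sig: int) -> bool:
    """Anyone holding the PUBLIC key recomputes the hash and checks it
    against the signature; a changed byte or changed signature fails."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h


if __name__ == "__main__":
    public, private = toy_keygen()
    msg = b"Hi!"
    c = encrypt(public, 65)
    print("public", public, "private", private)
    print("encrypt(65) ->", c, "decrypt ->", decrypt(private, c))
    s = sign(private, msg)
    print("signature ok:", verify_signature(public, msg, s))
    print("tampered signature ok:", verify_signature(public, msg, (s + 1) % public[0]))
    print("hash ok:", verify_hash(msg, sha256_hex(msg)), "mac ok:", verify_mac(b"k", msg, mac(b"k", msg)))
```

Note the asymmetry the two diagrams share: for confidentiality the public key goes into E and the private key into D; for a signature the private key is applied at the sender and the public key at the verifier. That is also why a signature, unlike an HMAC, supports non-repudiation: an HMAC could have been made by any holder of the shared key.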
  • 11. Availability
Physical Security / Information Security
• Ensures a resource will always be available for authorized use
• High-Availability services shouldn’t have Single Points of Failure (SPoF)
• Recovery Point Objective (RPO): how much data a service can afford to lose (sets how often you must replicate or back up)
• Recovery Time Objective (RTO): how much time a service can afford to be shut down (sets how fast failover or restore must complete)
[Figure: two sites (Site #1, Site #2) behind Internet routers R1/R2 and DNS 1/DNS 2, each with redundant load balancers (LB1, LB2), switches (SW1, SW2) and servers (S1, S2) serving clients c1, c2, c3]
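
As an added example (not from the original slides), the Python below checks the "no single point of failure" bullet mechanically: it models a site topology like the one in the figure as a directed graph and reports every node whose loss cuts all paths from the Internet to every server. The edges and names (R1, LB1, SW1, S1 and so on) are assumptions approximating the diagram; the second topology removes one router to show how the check exposes a hidden SPoF.

```python
"""Single-point-of-failure check for a site topology like the slide's figure:
a node is a SPoF if removing it leaves no path from the Internet to any server.

Added example, not from the original slides. The edges approximate the
diagram (routers -> load balancers -> switches -> servers, two of each);
node names are assumptions.
"""
from collections import deque

# Constructed redundant topology modelled on the slide's figure.
HA_TOPOLOGY = {
    "Internet": ["R1", "R2"],
    "R1": ["LB1", "LB2"], "R2": ["LB1", "LB2"],
    "LB1": ["SW1", "SW2"], "LB2": ["SW1", "SW2"],
    "SW1": ["S1", "S2"], "SW2": ["S1", "S2"],
    "S1": [], "S2": [],
}

# Same design with a single router: the classic hidden SPoF.
SINGLE_ROUTER_TOPOLOGY = {k: v for k, v in HA_TOPOLOGY.items() if k != "R2"}
SINGLE_ROUTER_TOPOLOGY["Internet"] = ["R1"]


def reachable(graph: dict, start: str, removed=frozenset()) -> set:
    """Breadth-first search from `start`, treating `removed` nodes as down."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        if node in seen or node in removed:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def single_points_of_failure(graph: dict, source: str, servers) -> list:
    """Nodes (other than the source) whose failure makes every server
    unreachable from the source. An empty list means no SPoF at this layer."""
    servers = set(servers)
    if not servers & reachable(graph, source):
        raise ValueError("service is already unreachable")
    spof = []
    for node in graph:
        if node == source:
            continue
        if not servers & reachable(graph, source, removed={node}):
            spof.append(node)
    return sorted(spof)


if __name__ == "__main__":
    print("HA topology SPoFs:", single_points_of_failure(HA_TOPOLOGY, "Internet", ["S1", "S2"]))
    print("single-router SPoFs:", single_points_of_failure(SINGLE_ROUTER_TOPOLOGY, "Internet", ["S1", "S2"]))
```

The check only sees what is in the graph: a single power feed, a single DNS zone, or one load-balancer pair sharing a firmware bug are SPoFs the diagram does not draw, which is why the model should include them before trusting an empty result.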
  • 12. A Risk-Driven Security Process
• Identify your major assets
• Identify the risks to those assets
• Measure the impacts ($) and probabilities (%) of those risks
• Decide what levels of impacts and probabilities of risks are acceptable
• Allocate a security budget equal to the difference between the maximum risk (impact x probability) and the acceptable risk level
• Create or modify the policies, standards, procedures, and controls to defend those assets while achieving business missions and objectives
• Assess residual risks
• Review effectiveness of those policies, standards, procedures, and controls
• A control is only worth buying if it costs less than the risk it removes; if residual risk is still above the acceptable level, add controls, transfer the risk (insurance, outsourcing) or get explicit sign-off to accept it
[Figure: cycle ID Assets → ID Risks → Calc Impact & Probability → Decide Acceptable Levels → Budget Security → Plan Defenses → Assess Residual Risks → Review Effectiveness]
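
As an added example (not from the original slides), the Python below runs the process as a small risk register: risk = value x probability per asset, budget = total risk minus the acceptable level, controls chosen by risk removed per dollar (never buying one that costs more than it removes), then residual risk compared with the acceptable level. The assets, probabilities, control costs and control effects are constructed figures for the demo, not data from the slides.

```python
"""Risk-driven planning: risk = value x probability, budget = total risk
minus acceptable risk, choose controls, then check residual risk.

Added example, not from the original slides. The assets, probabilities and
control costs/effects are constructed figures for the demo.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    value: float          # impact in $ if the risk materialises
    probability: float    # 0..1 per year (constructed estimate)

    @property
    def exposure(self) -> float:
        return self.value * self.probability


@dataclass
class Control:
    name: str
    cost: float
    covers: str           # asset it protects
    reduces_by: float     # fraction of that asset's probability removed


def total_exposure(risks) -> float:
    return sum(r.exposure for r in risks)


def plan(risks, acceptable: float, controls) -> dict:
    """Greedy selection: buy the control with the most $ of risk removed per
    $ of cost first, skip any control costing more than it removes or more
    than the remaining budget, and stop when residual risk is acceptable."""
    register = {r.asset: Risk(r.asset, r.value, r.probability) for r in risks}
    budget = max(0.0, total_exposure(register.values()) - acceptable)
    spent, chosen = 0.0, []
    remaining = list(controls)
    while total_exposure(register.values()) > acceptable and remaining:
        def benefit(c: Control) -> float:           # $ of risk the control removes now
            return register[c.covers].exposure * c.reduces_by
        remaining.sort(key=lambda c: benefit(c) / c.cost, reverse=True)
        c = remaining.pop(0)
        if benefit(c) < c.cost or spent + c.cost > budget:
            continue                                # not worth it, or unaffordable
        register[c.covers].probability *= (1 - c.reduces_by)
        spent += c.cost
        chosen.append(c.name)
    return {"budget": budget, "spent": spent, "controls": chosen,
            "residual": total_exposure(register.values())}


# Constructed sample register (figures are illustrative only).
RISKS = [
    Risk("customer DB", 1_000_000, 0.10),   # $100k exposure
    Risk("web site", 200_000, 0.30),        # $60k exposure
    Risk("dev/QA", 50_000, 0.20),           # $10k exposure
]
CONTROLS = [
    Control("DB encryption + access controls", 30_000, "customer DB", 0.8),
    Control("WAF + patching", 25_000, "web site", 0.5),
    Control("dev network segmentation", 15_000, "dev/QA", 0.5),   # removes only $5k
    Control("gold-plated DB appliance", 90_000, "customer DB", 0.9),
]

if __name__ == "__main__":
    result = plan(RISKS, acceptable=40_000, controls=CONTROLS)
    for k, v in result.items():
        print(f"{k}: {v}")
```

With these figures the plan buys two controls for $55k of a $130k budget and still leaves $60k of residual risk above the $40k acceptable level, because the remaining controls cost more than the risk they would remove; that is the "assess residual risks" step producing a decision to accept, transfer or re-scope rather than spend.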