2. SECURITY BENCHMARK
Elevated
  - Standards defined by the customer
  - Advanced security controls
  - Meets customer demands
  - Cost borne by customer/organization
  - Periodic review by customer/third party
  - Approvals by customer/organization
  Example: Customers 3 & 6 are identified as elevated customers, and hence a custom security model will be introduced and followed for these customers.
Baseline
  - Organization standard practices
  - Mandatory security controls
  - No customer-specific security demands
  - Cost borne by organization
  - Periodic review by organization/third party
  - Approvals by organization
  Example: Customers 1, 2, 5 & 7 are identified as baseline customers. These customers agree to the organization's general security practices, therefore a single security model will be followed.
3. DATA PROTECTION MECHANISMS
Objective: To understand and apply security controls for the protection of confidentiality, integrity, and availability of critical data or business functions.
  - Layering: Multiple controls applied in series
  - Abstraction: Similar elements are grouped together and treated as a unit
  - Data Hiding: Preventing data from being discovered or accessed
  - Encryption: Limiting access to the intended recipients
4. IDENTITY AND ACCESS MANAGEMENT
Objective: To control access to computer resources, enforce policies, audit usage, and trace actions to a specific user.
Authentication
  - Single sign-on
  - RADIUS
  - Multi-factor
Authorization
  - Access management
  - Endpoint validation
Accounting
  - Audit logging
5. RISK MANAGEMENT
Objective: To develop strategies and implement proper controls that reduce the overall risks associated with critical assets, and to determine the severity of impact to the business of any risk that affects the confidentiality, integrity or availability of critical assets.
Identify Threats and Vulnerabilities
  - Threats against critical assets
Risk Assessment/Analysis
  - Qualitative analysis
    o Delphi technique
  - Quantitative analysis
    o Revenue loss in dollars
    o Cost-benefit analysis
Risk Response
  - Reduce or mitigate
  - Assign or transfer
  - Accept
  - Reject or ignore
  - Residual risk
6. CHANGE MANAGEMENT
Objective: To ensure that any change does not lead to reduced or compromised security, which can impact the confidentiality, integrity or availability of any information or business functions.
PDCA Model
Change Management
  - Improvement/new requirement
  - Corrective action/fix plan
Release Management
  - Test plan
  - Execute change
Incident Management
  - Change failure
  - New incident reported
Problem Management
  - Input from incident
  - New problem reported
Configuration Management
  - Track configuration items
7. BUSINESS CONTINUITY PLAN
Objective: To implement a combination of policies, procedures, and processes such that a potentially disruptive event has as little impact on the business as possible.
BCP Lifecycle:
  - Project scope
  - Risk assessment
  - Business impact analysis
  - Continuity planning
  - Approval, execute plan
  - Test, monitor
8. DISASTER RECOVERY PLAN
Objective: To create a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.
Preparedness
  - HA, redundancy
  - 24/7 monitoring
  - Data backup
  - Recovery procedures
Response
  - Incident management
  - Emergency call tree
  - 24/7 support
Recovery
  - Execute recovery plan
Mitigation
  - Revise CAP & PAP
  - BCP continuous improvement