SlideShare a Scribd company logo

ch01.ppt

Download as PPT, PDF
S
samsam693199

This document provides an overview of key concepts in information security and risk management. It discusses how security supports organizational mission, objectives and goals. It also covers risk management concepts like qualitative and quantitative risk assessment, and risk treatment strategies like risk acceptance, avoidance, reduction and transfer. Additional security management concepts explained include the CIA triad, defense in depth, single points of failure, and privacy. The role of policies, governance, and executive oversight in security management are also summarized.

Career
1 of 67
Information Security and Risk Management CISSP Guide to Security Essentials Chapter 1
Objectives • How security supports organizational mission, goals and objectives • Risk management • Security management • Personnel security • Professional ethics
Organizational Mission, Objectives, and Goals
Mission • Statement of its ongoing purpose and reason for existence. • Usually published, so that employees, customers, suppliers, and partners are aware of the organization’s stated purpose.
Mission (cont.) • Should influence how we will approach the need to protect the organization’s assets.
Example Mission Statements • “Promote professionalism among information system security practitioners through the provisioning of professional certification and training.” – (ISC)²
Example Mission Statements • “Help civilize the electronic frontier; to make it truly useful and beneficial not just to a technical elite, but to everyone, and to do this in a way which is in keeping with our society's highest traditions of the free and open flow of information and communication.” – Electronic Frontier Foundation
Example Mission Statements • “Empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally.” – Wikimedia Foundation
CCSF Mission Statement • Link Ch 1a
Objectives • Statements of activities or end-states that the organization wishes to achieve. • Support the organization’s mission and describe how the organization will fulfill its mission. • Observable and measurable. • Do not necessarily specify how they will be completed, when, or by whom.
Example Objectives • “Obtain ISO 27001 certification by the end of third quarter.” • “Reduce development costs by twenty percent in the next fiscal year.” • “Complete the integration of CRM and ERP systems by the end of November.”
Goals • Specify specific accomplishments that will enable the organization to meet its objectives. • Measurable, observable, objective, support mission and objectives • Goals and objectives are synonyms (links Ch 1c & 1d)
Security Support of Mission, Objectives, and Goals • Our role is to reduce risk through proper activities and controls that protect assets – Protect the organization and its ability to perform its mission, not just its IT assets (Ch 1e) – Be aware of mission, objectives, goals • We need the support of senior management – To get priorities and resources – To become involved in key activities
Risk Management
Risk Management • “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, …”
Risk Management • “…developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.” – Wiktionary • Two steps – Risk assessments – Risk treatment
Qualitative Risk Assessment • For a given scope of assets, identify: – Vulnerabilities – Threats – Threat probability (Low / medium / high) – Impact (Low / medium / high) – Countermeasures
Example of Qualitative Risk Assessment Threat Impact Initial Probability Counter- measure Residual Probability Flood damage H L Water alarms L Theft H L Key cards, surveillance, guards L Logical intrusion H M Intrusion prevention system L
Quantitative Risk Assessment • Extension of a qualitative risk assessment. Metrics for each risk are: – Asset value: replacement cost and/or income derived through the use of an asset – Exposure Factor (EF): portion of asset's value lost through a threat (also called impact) – Single Loss Expectancy (SLE) = Asset ($) x EF (%)
Quantitative Risk Assessment • Metrics (cont.) – Annualized Rate of Occurrence (ARO) • Probability of loss in a year, % – Annual Loss Expectancy (ALE) = SLE x ARO
Example of Quantitative Risk Assesment • Theft of a laptop computer, with the data encrypted • Asset value: $4,000 • Exposure factor: 100% • SLE = $4,000 x 100% = $4,000 • ARO = 10% chance of theft in a year • ALE = 10% x $4,000 = $400
Example of Quantitative Risk Assesment • Dropping a laptop computer and breaking the screen • Asset value: $4,000 • Exposure factor: 50% • SLE = $4,000 x 100% = $2,000 • ARO = 25% chance of theft in a year • ALE = 25% x $2,000 = $500
Quantifying Countermeasures • Goal: reduction of ALE (or the qualitative losses) • Impact of countermeasures: – Cost of countermeasure – Changes in Exposure Factor (EF) – Changes in Single Loss Expectancy (SLE)
Geographic Considerations • Replacement and repair costs of assets may vary by location • Exposure Factor may vary by location • Impact may vary by location
Risk Assessment Methodologies • NIST 800-30, Risk Management Guide for Information Technology Systems • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) • FRAP (Facilitated Risk Analysis Process) – qualitative pre-screening • Spanning Tree Analysis – visual, similar to mind map
Risk Treatment • One or more outcomes from a risk assessment – Risk Acceptance • “yeah, we can live with that” – Risk Avoidance • Discontinue the risk-related activity -- the most extreme form of risk treatment – Risk Reduction (also called Risk Mitigation) • Using countermeasures such as firewalls, IDS systems, etc., to reduce risks – Risk Transfer • Buy insurance
Residual Risk • After risk treatment, some risk remains • Risk can never be eliminated entirely • The remaining risk is called Residual Risk
Security Management Concepts
Security Management Concepts • Security controls • CIA Triad • Defense in depth • Single points of failure • Fail open, fail closed • Privacy
ISO 27001 • Standard for Information Security Management System • Plan-Do-Check-Act cycle – Plan = define requirements, assess risks, decide which controls are applicable – Do = implement and operate the ISMS – Check = monitor and review the ISMS – Act = maintain and continuously improve the ISMS • Documents and records are required
ISO 27001
Security Controls • Detective (records events) • Deterrent (scares evil-doers away) • Preventive (stops attacks) • Corrective (after an attack, prevents another attack) • Recovery (after an attack, restores operations) • Compensating (substitutes for some other control that is inadequate) (covered in depth in Chapter 2, p. 56ff)
CIA: Confidentiality, Integrity, Availability • The three pillars of security: the CIA Triad – Confidentiality: information and functions can be accessed only by properly authorized parties – Integrity: information and functions can be added, altered, or removed only by authorized persons and means – Availability: systems, functions, and data must be available on-demand according to any agreed-upon parameters regarding levels of service
Defense in Depth • A layered defense in which two or more layers or controls are used to protect an asset – Heterogeneity: the different controls should be different types, so as to better resist attack – Entire protection: each control completely protects the asset from most or all threats • Example: antivirus on the email gateway, and also on the workstations
Defense in Depth (cont.) • Defense in depth reduces the risks from – Vulnerability of a single device – Malfunction of a single device – Fail open of a single device
Defense in Depth Example • The IE 0day used against Google – From link Ch 1h
Single Points of Failure • A single point of failure (SPOF) – Failure of a single component results in the failure of the entire system
Fail Open / Fail Closed / Fail Soft • When a security mechanism fails, there are usually two possible outcomes: – Fail open – the mechanism permits all activity – Fail closed – the mechanism blocks all activity • Fail Soft -- shutting down failed systems, preserving some functionality – Example: A server with a UPS and a shutdown script
Fail Open / Fail Closed (cont.) • Principles – Different types of failures will have different results – Both fail open and fail closed are undesirable, but sometimes one or the other is catastrophic – Security devices generally fail closed
Privacy • Defined: the protection and proper handling of sensitive personal information • Requires proper technology for protection • Requires appropriate business processes and controls for appropriate handling • Issues – Inappropriate uses – Unintended disclosures to others
Personally Identifiable Information (PII) • Name • SSN • Phone number • Driver's license number • Credit card numbers – Etc.
Security Management
Security Management • Executive oversight • Governance • Policy, guidelines, standards, and procedures • Roles and responsibilities
Security Management (cont.) • Service level agreements • Secure outsourcing • Data classification and protection • Certification and accreditation • Internal audit
Security Executive Oversight • Executives must support security activities – Support and enforcement of policies – Allocation of resources – Prioritization of activities – Support of risk treatment
Governance • Defined: “Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.”
Governance (cont.) • The process and action that supports executive oversight – Steering committee oversight – Resource allocation and prioritization – Status reporting – Strategic decisions
Policies • Policies – Constraints of behavior on systems and people – Specifies activities that are required, limited, and forbidden • Example – Information systems should be configured to require good security practices in the selection and use of passwords • Policy Standards – ISO 27002:2005 (link Ch 1f) – SANS Security Policy Project (Ch 1j)
Requirements • Requirements – Required characteristics of a system or process – Often the same as or similar to the policy – Specifies what should be done, not how to do it • Example – Information systems must enforce password quality standards and reference a central authentication service, such as LDAP or Active Directory.
Guidelines • Guidelines: defines how to support a policy – Example: Passwords must not be dictionary words
Standards and Procedures • Standards: what products, technical standards, and methods will be used to support policy • Examples – All fiber optic cables must be Corning brand – Passwords must be at least 8 characters • Procedures: step by step instructions
Security Roles and Responsibilities • Formally defined in security policy and job descriptions • These need to be defined: – Ownership of assets – Access to assets – Use of assets: employees are responsible for their behavior – Managers responsible for employee behavior
Service Level Agreements • SLAs define a formal level of service • SLAs for security activities – Security incident response – Security alert / advisory delivery – Security investigation – Policy and procedure review
Secure Outsourcing • Outsourcing risks – Control of confidential information – Loss of control of business activities – Accountability – the organization that outsources activities is still accountable for their activities and outcomes
Data Classification and Protection • Components of a classification and protection program – Sensitivity levels • “confidential”, “restricted”, “secret”, etc. – Marking procedures • How to indicate sensitivity on various forms of information – Access procedures – Handling procedures • E-mailing, faxing, mailing, printing, transmitting, destruction
Certification and Accreditation • Two-step process for the formal evaluation and approval for use of a system – Certification is the process of evaluating a system against a set of formal standards, policies, or specifications. – Accreditation is the formal approval for the use of a certified system – for a defined period of time (and possibly other conditions).
Internal Audit • Evaluation of security controls and policies to measure their effectiveness – Performed by internal staff – Objectivity is of vital importance – Formal methodology – Required by some regulations, e.g. Sarbanes Oxley • Links Ch 1k, 1l
Security Strategies • Management is responsible for developing the ongoing strategy for security management • Past incidents can help shape the future – Incidents – SLA performance – Certification and accreditation – Internal audit
Personnel Security
Personnel / Staffing Security • Hiring practices and procedures • Periodic performance evaluation • Disciplinary action policy and procedures • Termination procedures
Hiring Practices and Procedures • Effective assessment of qualifications • Background verification (prior employment, education, criminal history, financial history) • Non-disclosure agreement (NDA) • Non-compete agreement • Intellectual property agreement
Hiring Practices and Procedures (cont.) • Employment agreement • Employee Handbook • Formal job descriptions
Termination • Immediate termination of all logical and physical access • Change passwords known to the employee • Recovery of all company assets • Notification of the termination to affected staff, customers, other third parties • And possibly: code reviews, review of recent activities prior to the termination
Work Practices • Separation of duties – Designing sensitive processes so that two or more persons are required to complete them • Job rotation – Good for cross-training, and also reduces the likelihood that employees will collude for personal gain • Mandatory vacations – Detect / prevent irregularities that violate policy and practices
Security Education, Training, and Awareness • Training on security policy, guidelines, standards • Upon hire and periodically thereafter • Various types of messaging – E-mail, intranet, posters, flyers, trinkets, training classes • Testing – to measure employee knowledge of policy and practices
Professional Ethics
Professional Ethics • (ISC)² code of ethics – Protect society, the commonwealth, and the infrastructure. – Act honorably, honestly, justly, responsibly, and legally. – Provide diligent and competent service to principals. – Advance and protect the profession.

Recommended

Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
Abraraw Zerfu
 
Security risk management
Security risk managementSecurity risk management
Security risk management
G Prachi
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
madunix
 
Risk Mitigation
Risk MitigationRisk Mitigation
Risk Mitigation
primeteacher32
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
Mohammad Ashfaqur Rahman
 
ISAA PPt
ISAA PPtISAA PPt
ISAA PPt
RishabhAgrawal695188
 
4 Operations Security
4 Operations Security4 Operations Security
4 Operations Security
Alfred Ouyang
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
Ndheh
 

Recommended

Information Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptxInformation Security Risk Management and Compliance.pptx
Information Security Risk Management and Compliance.pptx
Abraraw Zerfu
 
Security risk management
Security risk managementSecurity risk management
Security risk management
G Prachi
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
madunix
 
Risk Mitigation
Risk MitigationRisk Mitigation
Risk Mitigation
primeteacher32
 
002.itsecurity bcp v1
002.itsecurity bcp v1002.itsecurity bcp v1
002.itsecurity bcp v1
Mohammad Ashfaqur Rahman
 
ISAA PPt
ISAA PPtISAA PPt
ISAA PPt
RishabhAgrawal695188
 
4 Operations Security
4 Operations Security4 Operations Security
4 Operations Security
Alfred Ouyang
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
Ndheh
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
Kabul Education University
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
FizZaShYkh
 
Introduction to Ethical Hacking
Introduction to Ethical HackingIntroduction to Ethical Hacking
Introduction to Ethical Hacking
UK Defence Cyber School
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Kumawat Dharmpal
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
it160320737038
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyKomal Zahra
 
Cervone uof t - nist framework (1)
Cervone uof t - nist framework (1)Cervone uof t - nist framework (1)
Cervone uof t - nist framework (1)
Stephen Abram
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3
Chinatu Uzuegbu
 
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyySeccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
chaudhryzunair4
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01Wiliam Ferraciolli
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
See You Rise Holdings
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
MLG College of Learning, Inc
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - FortinetStay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - Fortinet
MarcoTechnologies
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
dotco
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
Technocracy2
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
Security Innovation
 
L1_Introduction.pptx
L1_Introduction.pptxL1_Introduction.pptx
L1_Introduction.pptx
StevenTharp2
 
My Story of Getting into Tech By Gertrude Chilufya Westrin
My Story of Getting into Tech By Gertrude Chilufya WestrinMy Story of Getting into Tech By Gertrude Chilufya Westrin
My Story of Getting into Tech By Gertrude Chilufya Westrin
AlinaseFaith
 
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdfDr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam
 

More Related Content

Similar to ch01.ppt

Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
Kabul Education University
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
FizZaShYkh
 
Introduction to Ethical Hacking
Introduction to Ethical HackingIntroduction to Ethical Hacking
Introduction to Ethical Hacking
UK Defence Cyber School
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Kumawat Dharmpal
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
it160320737038
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyKomal Zahra
 
Cervone uof t - nist framework (1)
Cervone uof t - nist framework (1)Cervone uof t - nist framework (1)
Cervone uof t - nist framework (1)
Stephen Abram
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3
Chinatu Uzuegbu
 
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyySeccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
chaudhryzunair4
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
See You Rise Holdings
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
MLG College of Learning, Inc
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - FortinetStay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - Fortinet
MarcoTechnologies
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
dotco
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
Technocracy2
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
Security Innovation
 
L1_Introduction.pptx
L1_Introduction.pptxL1_Introduction.pptx
L1_Introduction.pptx
StevenTharp2
 

Similar to ch01.ppt (20)

Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
 
Introduction to Ethical Hacking
Introduction to Ethical HackingIntroduction to Ethical Hacking
Introduction to Ethical Hacking
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 
Undertake the Risk Analysis Policy
Undertake the Risk Analysis PolicyUndertake the Risk Analysis Policy
Undertake the Risk Analysis Policy
 
Cervone uof t - nist framework (1)
Cervone uof t - nist framework (1)Cervone uof t - nist framework (1)
Cervone uof t - nist framework (1)
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3
 
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyySeccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Seccurity_Risk_Management.pptyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
 
Isys20261 lecture 01
Isys20261 lecture 01Isys20261 lecture 01
Isys20261 lecture 01
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - FortinetStay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - Fortinet
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
 
L1_Introduction.pptx
L1_Introduction.pptxL1_Introduction.pptx
L1_Introduction.pptx
 

Recently uploaded

My Story of Getting into Tech By Gertrude Chilufya Westrin
My Story of Getting into Tech By Gertrude Chilufya WestrinMy Story of Getting into Tech By Gertrude Chilufya Westrin
My Story of Getting into Tech By Gertrude Chilufya Westrin
AlinaseFaith
 
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdfDr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam
 
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
foismail170
 
135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering
Manu Mitra
 
15385-LESSON PLAN- 7TH - SS-Insian Constitution an Introduction.pdf
15385-LESSON PLAN- 7TH - SS-Insian Constitution an Introduction.pdf15385-LESSON PLAN- 7TH - SS-Insian Constitution an Introduction.pdf
15385-LESSON PLAN- 7TH - SS-Insian Constitution an Introduction.pdf
gobogo3542
 
Heidi Livengood Resume Senior Technical Recruiter / HR Generalist
Heidi Livengood Resume Senior Technical Recruiter / HR GeneralistHeidi Livengood Resume Senior Technical Recruiter / HR Generalist
Heidi Livengood Resume Senior Technical Recruiter / HR Generalist
HeidiLivengood
 
New Explore Careers and College Majors 2024.pdf
New Explore Careers and College Majors 2024.pdfNew Explore Careers and College Majors 2024.pdf
New Explore Careers and College Majors 2024.pdf
Dr. Mary Askew
 
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
foismail170
 
132. Acta Scientific Pharmaceutical Sciences
132. Acta Scientific Pharmaceutical Sciences132. Acta Scientific Pharmaceutical Sciences
132. Acta Scientific Pharmaceutical Sciences
Manu Mitra
 
Full Sail_Morales_Michael_SMM_2024-05.pptx
Full Sail_Morales_Michael_SMM_2024-05.pptxFull Sail_Morales_Michael_SMM_2024-05.pptx
Full Sail_Morales_Michael_SMM_2024-05.pptx
mmorales2173
 
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
larisashrestha558
 
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
foismail170
 
How Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
How Mentoring Elevates Your PM Career | PMI Silver Spring ChapterHow Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
How Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
Hector Del Castillo, CPM, CPMM
 
133. Reviewer Certificate in Advances in Research
133. Reviewer Certificate in Advances in Research133. Reviewer Certificate in Advances in Research
133. Reviewer Certificate in Advances in Research
Manu Mitra
 
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptxChapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Sheldon Byron
 
134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science
Manu Mitra
 
Personal Brand Exploration Comedy Jxnelle.
Personal Brand Exploration Comedy Jxnelle.Personal Brand Exploration Comedy Jxnelle.
Personal Brand Exploration Comedy Jxnelle.
alexthomas971
 
salivary gland disorders.pdf nothing more
salivary gland disorders.pdf nothing moresalivary gland disorders.pdf nothing more
salivary gland disorders.pdf nothing more
GokulnathMbbs
 
How to Master LinkedIn for Career and Business
How to Master LinkedIn for Career and BusinessHow to Master LinkedIn for Career and Business
How to Master LinkedIn for Career and Business
ideatoipo
 
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdfDOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
Pushpendra Kumar
 

Recently uploaded (20)

My Story of Getting into Tech By Gertrude Chilufya Westrin
My Story of Getting into Tech By Gertrude Chilufya WestrinMy Story of Getting into Tech By Gertrude Chilufya Westrin
My Story of Getting into Tech By Gertrude Chilufya Westrin
 
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdfDr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
Dr. Nazrul Islam, Northern University Bangladesh - CV (29.5.2024).pdf
 
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
 
135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering
 
15385-LESSON PLAN- 7TH - SS-Insian Constitution an Introduction.pdf
15385-LESSON PLAN- 7TH - SS-Insian Constitution an Introduction.pdf15385-LESSON PLAN- 7TH - SS-Insian Constitution an Introduction.pdf
15385-LESSON PLAN- 7TH - SS-Insian Constitution an Introduction.pdf
 
Heidi Livengood Resume Senior Technical Recruiter / HR Generalist
Heidi Livengood Resume Senior Technical Recruiter / HR GeneralistHeidi Livengood Resume Senior Technical Recruiter / HR Generalist
Heidi Livengood Resume Senior Technical Recruiter / HR Generalist
 
New Explore Careers and College Majors 2024.pdf
New Explore Careers and College Majors 2024.pdfNew Explore Careers and College Majors 2024.pdf
New Explore Careers and College Majors 2024.pdf
 
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
 
132. Acta Scientific Pharmaceutical Sciences
132. Acta Scientific Pharmaceutical Sciences132. Acta Scientific Pharmaceutical Sciences
132. Acta Scientific Pharmaceutical Sciences
 
Full Sail_Morales_Michael_SMM_2024-05.pptx
Full Sail_Morales_Michael_SMM_2024-05.pptxFull Sail_Morales_Michael_SMM_2024-05.pptx
Full Sail_Morales_Michael_SMM_2024-05.pptx
 
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
皇冠体育- 皇冠体育官方网站- CROWN SPORTS| 立即访问【ac123.net】
 
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
 
How Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
How Mentoring Elevates Your PM Career | PMI Silver Spring ChapterHow Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
How Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
 
133. Reviewer Certificate in Advances in Research
133. Reviewer Certificate in Advances in Research133. Reviewer Certificate in Advances in Research
133. Reviewer Certificate in Advances in Research
 
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptxChapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptx
 
134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science
 
Personal Brand Exploration Comedy Jxnelle.
Personal Brand Exploration Comedy Jxnelle.Personal Brand Exploration Comedy Jxnelle.
Personal Brand Exploration Comedy Jxnelle.
 
salivary gland disorders.pdf nothing more
salivary gland disorders.pdf nothing moresalivary gland disorders.pdf nothing more
salivary gland disorders.pdf nothing more
 
How to Master LinkedIn for Career and Business
How to Master LinkedIn for Career and BusinessHow to Master LinkedIn for Career and Business
How to Master LinkedIn for Career and Business
 
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdfDOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
 

ch01.ppt

  • 1. Information Security and Risk Management CISSP Guide to Security Essentials Chapter 1
  • 2. Objectives • How security supports organizational mission, goals and objectives • Risk management • Security management • Personnel security • Professional ethics
  • 4. Mission • Statement of its ongoing purpose and reason for existence. • Usually published, so that employees, customers, suppliers, and partners are aware of the organization’s stated purpose.
  • 5. Mission (cont.) • Should influence how we will approach the need to protect the organization’s assets.
  • 6. Example Mission Statements • “Promote professionalism among information system security practitioners through the provisioning of professional certification and training.” – (ISC)²
  • 7. Example Mission Statements • “Help civilize the electronic frontier; to make it truly useful and beneficial not just to a technical elite, but to everyone, and to do this in a way which is in keeping with our society's highest traditions of the free and open flow of information and communication.” – Electronic Frontier Foundation
  • 8. Example Mission Statements • “Empower and engage people around the world to collect and develop educational content under a free license or in the public domain, and to disseminate it effectively and globally.” – Wikimedia Foundation
  • 10. Objectives • Statements of activities or end-states that the organization wishes to achieve. • Support the organization’s mission and describe how the organization will fulfill its mission. • Observable and measurable. • Do not necessarily specify how they will be completed, when, or by whom.
  • 11. Example Objectives • “Obtain ISO 27001 certification by the end of third quarter.” • “Reduce development costs by twenty percent in the next fiscal year.” • “Complete the integration of CRM and ERP systems by the end of November.”
  • 12. Goals • Specify specific accomplishments that will enable the organization to meet its objectives. • Measurable, observable, objective, support mission and objectives • Goals and objectives are synonyms (links Ch 1c & 1d)
  • 13. Security Support of Mission, Objectives, and Goals • Our role is to reduce risk through proper activities and controls that protect assets – Protect the organization and its ability to perform its mission, not just its IT assets (Ch 1e) – Be aware of mission, objectives, goals • We need the support of senior management – To get priorities and resources – To become involved in key activities
  • 15. Risk Management • “The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, …”
  • 16. Risk Management • “…developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.” – Wiktionary • Two steps – Risk assessments – Risk treatment
  • 17. Qualitative Risk Assessment • For a given scope of assets, identify: – Vulnerabilities – Threats – Threat probability (Low / medium / high) – Impact (Low / medium / high) – Countermeasures
  • 18. Example of Qualitative Risk Assessment Threat Impact Initial Probability Counter- measure Residual Probability Flood damage H L Water alarms L Theft H L Key cards, surveillance, guards L Logical intrusion H M Intrusion prevention system L
  • 19. Quantitative Risk Assessment • Extension of a qualitative risk assessment. Metrics for each risk are: – Asset value: replacement cost and/or income derived through the use of an asset – Exposure Factor (EF): portion of asset's value lost through a threat (also called impact) – Single Loss Expectancy (SLE) = Asset ($) x EF (%)
  • 20. Quantitative Risk Assessment • Metrics (cont.) – Annualized Rate of Occurrence (ARO) • Probability of loss in a year, % – Annual Loss Expectancy (ALE) = SLE x ARO
  • 21. Example of Quantitative Risk Assesment • Theft of a laptop computer, with the data encrypted • Asset value: $4,000 • Exposure factor: 100% • SLE = $4,000 x 100% = $4,000 • ARO = 10% chance of theft in a year • ALE = 10% x $4,000 = $400
  • 22. Example of Quantitative Risk Assesment • Dropping a laptop computer and breaking the screen • Asset value: $4,000 • Exposure factor: 50% • SLE = $4,000 x 100% = $2,000 • ARO = 25% chance of theft in a year • ALE = 25% x $2,000 = $500
  • 23. Quantifying Countermeasures • Goal: reduction of ALE (or the qualitative losses) • Impact of countermeasures: – Cost of countermeasure – Changes in Exposure Factor (EF) – Changes in Single Loss Expectancy (SLE)
  • 24. Geographic Considerations • Replacement and repair costs of assets may vary by location • Exposure Factor may vary by location • Impact may vary by location
  • 25. Risk Assessment Methodologies • NIST 800-30, Risk Management Guide for Information Technology Systems • OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) • FRAP (Facilitated Risk Analysis Process) – qualitative pre-screening • Spanning Tree Analysis – visual, similar to mind map
  • 26. Risk Treatment • One or more outcomes from a risk assessment – Risk Acceptance • “yeah, we can live with that” – Risk Avoidance • Discontinue the risk-related activity -- the most extreme form of risk treatment – Risk Reduction (also called Risk Mitigation) • Using countermeasures such as firewalls, IDS systems, etc., to reduce risks – Risk Transfer • Buy insurance
  • 27. Residual Risk • After risk treatment, some risk remains • Risk can never be eliminated entirely • The remaining risk is called Residual Risk
  • 29. Security Management Concepts • Security controls • CIA Triad • Defense in depth • Single points of failure • Fail open, fail closed • Privacy
  • 30. ISO 27001 • Standard for Information Security Management System • Plan-Do-Check-Act cycle – Plan = define requirements, assess risks, decide which controls are applicable – Do = implement and operate the ISMS – Check = monitor and review the ISMS – Act = maintain and continuously improve the ISMS • Documents and records are required
  • 32. Security Controls • Detective (records events) • Deterrent (scares evil-doers away) • Preventive (stops attacks) • Corrective (after an attack, prevents another attack) • Recovery (after an attack, restores operations) • Compensating (substitutes for some other control that is inadequate) (covered in depth in Chapter 2, p. 56ff)
  • 33. CIA: Confidentiality, Integrity, Availability • The three pillars of security: the CIA Triad – Confidentiality: information and functions can be accessed only by properly authorized parties – Integrity: information and functions can be added, altered, or removed only by authorized persons and means – Availability: systems, functions, and data must be available on-demand according to any agreed-upon parameters regarding levels of service
  • 34. Defense in Depth • A layered defense in which two or more layers or controls are used to protect an asset – Heterogeneity: the different controls should be different types, so as to better resist attack – Entire protection: each control completely protects the asset from most or all threats • Example: antivirus on the email gateway, and also on the workstations
  • 35. Defense in Depth (cont.) • Defense in depth reduces the risks from – Vulnerability of a single device – Malfunction of a single device – Fail open of a single device
  • 36. Defense in Depth Example • The IE 0day used against Google – From link Ch 1h
  • 37. Single Points of Failure • A single point of failure (SPOF) – Failure of a single component results in the failure of the entire system
  • 38. Fail Open / Fail Closed / Fail Soft • When a security mechanism fails, there are usually two possible outcomes: – Fail open – the mechanism permits all activity – Fail closed – the mechanism blocks all activity • Fail Soft -- shutting down failed systems, preserving some functionality – Example: A server with a UPS and a shutdown script
  • 39. Fail Open / Fail Closed (cont.) • Principles – Different types of failures will have different results – Both fail open and fail closed are undesirable, but sometimes one or the other is catastrophic – Security devices generally fail closed
  • 40. Privacy • Defined: the protection and proper handling of sensitive personal information • Requires proper technology for protection • Requires appropriate business processes and controls for appropriate handling • Issues – Inappropriate uses – Unintended disclosures to others
  • 41. Personally Identifiable Information (PII) • Name • SSN • Phone number • Driver's license number • Credit card numbers – Etc.
  • 43. Security Management • Executive oversight • Governance • Policy, guidelines, standards, and procedures • Roles and responsibilities
  • 44. Security Management (cont.) • Service level agreements • Secure outsourcing • Data classification and protection • Certification and accreditation • Internal audit
  • 45. Security Executive Oversight • Executives must support security activities – Support and enforcement of policies – Allocation of resources – Prioritization of activities – Support of risk treatment
  • 46. Governance • Defined: “Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.”
  • 47. Governance (cont.) • The process and action that supports executive oversight – Steering committee oversight – Resource allocation and prioritization – Status reporting – Strategic decisions
  • 48. Policies • Policies – Constraints of behavior on systems and people – Specifies activities that are required, limited, and forbidden • Example – Information systems should be configured to require good security practices in the selection and use of passwords • Policy Standards – ISO 27002:2005 (link Ch 1f) – SANS Security Policy Project (Ch 1j)
  • 49. Requirements • Requirements – Required characteristics of a system or process – Often the same as or similar to the policy – Specifies what should be done, not how to do it • Example – Information systems must enforce password quality standards and reference a central authentication service, such as LDAP or Active Directory.
  • 50. Guidelines • Guidelines: defines how to support a policy – Example: Passwords must not be dictionary words
  • 51. Standards and Procedures • Standards: what products, technical standards, and methods will be used to support policy • Examples – All fiber optic cables must be Corning brand – Passwords must be at least 8 characters • Procedures: step by step instructions
  • 52. Security Roles and Responsibilities • Formally defined in security policy and job descriptions • These need to be defined: – Ownership of assets – Access to assets – Use of assets: employees are responsible for their behavior – Managers responsible for employee behavior
  • 53. Service Level Agreements • SLAs define a formal level of service • SLAs for security activities – Security incident response – Security alert / advisory delivery – Security investigation – Policy and procedure review
  • 54. Secure Outsourcing • Outsourcing risks – Control of confidential information – Loss of control of business activities – Accountability – the organization that outsources activities is still accountable for their activities and outcomes
  • 55. Data Classification and Protection • Components of a classification and protection program – Sensitivity levels • “confidential”, “restricted”, “secret”, etc. – Marking procedures • How to indicate sensitivity on various forms of information – Access procedures – Handling procedures • E-mailing, faxing, mailing, printing, transmitting, destruction
  • 56. Certification and Accreditation • Two-step process for the formal evaluation and approval for use of a system – Certification is the process of evaluating a system against a set of formal standards, policies, or specifications. – Accreditation is the formal approval for the use of a certified system – for a defined period of time (and possibly other conditions).
  • 57. Internal Audit • Evaluation of security controls and policies to measure their effectiveness – Performed by internal staff – Objectivity is of vital importance – Formal methodology – Required by some regulations, e.g. Sarbanes Oxley • Links Ch 1k, 1l
  • 58. Security Strategies • Management is responsible for developing the ongoing strategy for security management • Past incidents can help shape the future – Incidents – SLA performance – Certification and accreditation – Internal audit
  • 60. Personnel / Staffing Security • Hiring practices and procedures • Periodic performance evaluation • Disciplinary action policy and procedures • Termination procedures
  • 61. Hiring Practices and Procedures • Effective assessment of qualifications • Background verification (prior employment, education, criminal history, financial history) • Non-disclosure agreement (NDA) • Non-compete agreement • Intellectual property agreement
  • 62. Hiring Practices and Procedures (cont.) • Employment agreement • Employee Handbook • Formal job descriptions
  • 63. Termination • Immediate termination of all logical and physical access • Change passwords known to the employee • Recovery of all company assets • Notification of the termination to affected staff, customers, other third parties • And possibly: code reviews, review of recent activities prior to the termination
  • 64. Work Practices • Separation of duties – Designing sensitive processes so that two or more persons are required to complete them • Job rotation – Good for cross-training, and also reduces the likelihood that employees will collude for personal gain • Mandatory vacations – Detect / prevent irregularities that violate policy and practices
  • 65. Security Education, Training, and Awareness • Training on security policy, guidelines, standards • Upon hire and periodically thereafter • Various types of messaging – E-mail, intranet, posters, flyers, trinkets, training classes • Testing – to measure employee knowledge of policy and practices
  • 67. Professional Ethics • (ISC)² code of ethics – Protect society, the commonwealth, and the infrastructure. – Act honorably, honestly, justly, responsibly, and legally. – Provide diligent and competent service to principals. – Advance and protect the profession.