This document discusses information security planning and outlines several frameworks for developing an information security program, including policies, standards, and a security blueprint. It describes management's role in developing these elements and how to implement education and training programs. Contingency planning is also discussed to prepare for incidents and disruptions. Frameworks covered include the ISO 27000 series, NIST models and cybersecurity framework, and other sources for developing a layered security architecture.
This document discusses risk management and outlines the FAIR approach to risk assessment. It describes identifying risks, evaluating frequency and magnitude of losses, and deriving risk. Five strategies for controlling risks are discussed: defend, transfer, mitigate, accept, and terminate. Metrics and best practices for risk management are also presented.
This document discusses the process of risk assessment for information assets. It involves identifying the organization's key information assets, threats against those assets, and vulnerabilities that could be exploited. Assets are prioritized based on their importance to the organization. Threats are also prioritized based on their potential danger and cost. Vulnerabilities of each asset are then identified through brainstorming sessions. A risk assessment evaluates the likelihood and potential impact of each threat to determine an overall risk rating. The results are documented in a risk worksheet to guide further risk management actions.
The document discusses the need for information security in organizations. It states that the primary mission of an information security program is to ensure information assets remain safe and useful. It then outlines four important functions of information security for organizations: protecting the organization's ability to function, protecting the data and information it collects and uses, enabling the safe operation of applications, and safeguarding technology assets. Finally, it emphasizes that implementing information security is as much about management as it is about technology.
This document discusses the need for project management in information security projects. It explains that most information security projects require a trained project manager or skilled IT manager to oversee implementation. The project manager's role is crucial to the success of complex security projects. The document also outlines technical and non-technical considerations for implementing a project plan, such as conversion strategies, change management processes, and organizational readiness for change.
This document discusses physical security considerations for information systems. It covers fire detection and response systems, ensuring proper heating, ventilation and air conditioning, managing power supplies and utilities, preventing water damage, avoiding structural collapse, monitoring for data interception, securing mobile devices and remote access, and inventory management. The goal is to identify and address physical threats to information security facilities and systems.
This document discusses the design of security architecture and contingency planning. It covers spheres of security and levels of controls that make up a security framework. Defense in depth through multiple layers of controls is described. The importance of security education, training, and awareness programs is emphasized to reduce accidental breaches and build security knowledge. Contingency plans like incident response, disaster recovery, and business continuity plans aim to restore operations during and after incidents. The contingency planning process involves impact analysis, preventive controls, recovery strategies, plan development, testing and more.
The document discusses information security system implementation and certification. It explains how an organization's security blueprint becomes a project plan, addressing organizational considerations. A project manager plays a key role in successfully implementing complex security projects using technical strategies and models. Organizations face nontechnical challenges when implementing rapid security changes and must certify systems through processes like NIST and ISO to verify security controls meet requirements.
This document discusses information security policies, standards, and practices. It explains the different types of security policies an organization may have, including general security policies, issue-specific policies, and system-specific policies. It emphasizes the importance of management support for security policies and outlines the key components of an information security blueprint, including management controls, operational controls, and technical controls. The document also discusses the importance of security education, training, and awareness programs to ensure all employees understand and comply with security policies and procedures.
This document discusses principles of software design for information security. It summarizes key software design principles identified by Saltzer and Schroeder, including least privilege and separation of duties. It also outlines the National Institute of Standards and Technology's (NIST) approach to securing the software development lifecycle (SDLC), which involves integrating security early and conducting activities like risk assessments and testing at each phase. Finally, it describes various security roles in an organization, including the chief information security officer, security project team, data owners and custodians, and communities of interest.
This document discusses information security planning and policy development. It describes management's role in developing, maintaining, and enforcing security policies, standards, procedures and guidelines. It explains that an information security blueprint identifies major components that support the security program. It also discusses how organizations institutionalize policies through education, training and awareness programs. Contingency planning relates to incident response, disaster recovery and business continuity plans. The document provides details on developing an enterprise security policy and issue-specific security policies. It emphasizes that policies must direct acceptable behavior and technologies and never contradict laws.
The document discusses the components of an information security blueprint, including policies, standards, practices, and a security education program. It describes developing an enterprise security policy and issue-specific policies. The blueprint provides a plan for security controls, technologies, and training to ensure the organization's information is protected. It is the basis for designing and implementing all aspects of the security program.
This document discusses intrusion detection and prevention systems (IDPS), honeypots, and security scanning and analysis tools. It describes how IDPS effectiveness is measured, different types of IDPS, and how honeypots, honeynets, and padded cell systems work. Finally, it outlines various scanning and analysis tools like port scanners, firewall analyzers, OS detectors, vulnerability scanners, packet sniffers, and wireless security tools that can be used both by attackers and defenders.
This document discusses systems-specific security policies and various frameworks for developing comprehensive organizational security policies. It describes how systems-specific policies provide technical specifications and managerial guidance for configuring systems. It also outlines frameworks from NIST, ISO, and other sources that provide guidance on developing an overall information security strategy through security policies, education, and controls. Key aspects discussed include policy management, the information security blueprint, and the NIST Cybersecurity Framework.
- Technical controls like firewalls and VPNs are essential for enforcing security policy for systems not directly controlled by humans.
- Firewalls use various techniques like packet filtering, application gateways, and circuit gateways to prevent specific types of information from moving between trusted and untrusted networks. Packet filtering firewalls examine packet headers to block or allow traffic based on IP addresses and port numbers.
- Other technical controls discussed include access control methods, authentication factors, authorization for access to resources, logging and auditing for accountability, and biometrics for identity verification. These controls are important for securely managing identification, authentication, and access to computer systems and networks.
The document discusses principles of information security including legal, ethical and professional issues. It covers major national laws affecting information security practice, deterring unethical behavior, codes of ethics from professional organizations like ACM, (ISC)2, SANS, ISACA and ISSA. It also discusses key US federal agencies that deal with cybersecurity and their roles, including DHS, Secret Service, FBI and NSA.
The document discusses the implementation phase of a security project life cycle. It explains that an organization's security blueprint must be translated into a detailed project plan that addresses leadership, budget, timelines, staffing needs, and organizational considerations. An effective project plan uses a work breakdown structure and considers financial, priority, scheduling, procurement, and change management factors. The project manager plays a key role in planning, supervising, and wrapping up the project successfully.
This document discusses risk management and risk identification from the fifth edition of the textbook "Principles of Information Security". It outlines the learning objectives which are to define key risk management terms, describe how to identify and assess risk, explain how to document risk assessments, and discuss risk mitigation strategies. It then covers introducing risk management concepts, providing an overview of the risk management process, and detailing the steps involved in risk identification which include planning, inventorying and categorizing assets, and classifying information assets.
This document discusses the critical characteristics of information from a textbook on information security. It identifies seven key characteristics that provide value to information: availability, accuracy, authenticity, confidentiality, integrity, utility, and possession. Each characteristic is then defined in one or two paragraphs. The document also discusses components of an information system, balancing information security and access, and top-down and bottom-up approaches to implementing information security.
This document discusses physical security considerations for protecting computing facilities and information assets. It covers key physical access controls like walls, fences, locks, ID badges, alarms and electronic monitoring. Critical environment factors are also addressed, such as fire safety and ensuring proper temperature, humidity and power. The roles of general management, IT and information security professionals in implementing physical security measures are defined. Maintaining secure computer rooms and wiring closets is emphasized, as logical access controls can be easily defeated without strong accompanying physical security.
The document discusses the phases of the security systems development life cycle (SecSDLC). It describes the traditional SDLC phases of investigation, analysis, logical design, physical design, implementation, and maintenance/change. These same phases are then adapted for SecSDLC, with each phase focusing on identifying threats and creating controls. Additionally, the document introduces the concept of software assurance, which aims to include security planning across the entire SDLC process to develop more secure systems.
Information security involves protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The key aspects of information security are confidentiality, integrity, and availability. Risk management is the process of identifying threats and vulnerabilities, calculating impact, and implementing appropriate controls. Controls can be administrative, logical, or physical. Information security also includes security classification, change management, governance, incident response plans, and compliance with laws and regulations.
This document discusses information security policies and their components. It begins by outlining the learning objectives, which are to understand management's role in developing security policies and the differences between general, issue-specific, and system-specific policies. It then defines what policies, standards, and practices are and how they relate to each other. The document outlines the three types of security policies and provides examples of issue-specific and system-specific policies. It emphasizes that policies must be managed and reviewed on a regular basis to remain effective.
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with the organisation's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
The document discusses various topics related to asset management and data security in an IT environment. It covers:
- The importance of having policies for classifying, retaining, and destroying assets like data, hardware, software and documentation.
- Defining roles for data owners, custodians, system owners and administrators.
- Methods for securely storing, transmitting and destroying sensitive data.
- Vulnerabilities that can affect web-based systems and ways to assess security risks through scanning and testing.
Cybersecurity Priorities and Roadmap: Recommendations to DHS (John Gilligan)
This document provides recommendations to the Department of Homeland Security on cybersecurity priorities and a roadmap. It outlines a phased approach over several years to improve the overall cybersecurity posture. Phase I focuses on establishing a baseline of security across government systems through mandates and best practices. Phase II enhances security controls and expands training and collaboration. The roadmap calls for securing infrastructure, changing culture, improving the IT business model, developing the workforce, and advancing technologies over time to reduce vulnerabilities and attacks on critical systems.
Training and tips that are very helpful for gaining knowledge in the field of information security and passing your CISSP certification exam.
To become CISSP certified, please check out the link below:
http://asmed.com/cissp-isc2/
Supplement To Student Guide Seminar 03 A 3 Nov09 (Tammy Clark)
This document provides an overview of developing an information security program based on the ISO 27000 framework. It discusses defining requirements, developing policies and plans, key initiatives like awareness training and risk management, and assessing effectiveness. The goal is to build a program tailored to each institution with top management support and an incremental approach. References and resources from EDUCAUSE are provided for each component.
The document discusses systems-specific policies (SysSPs) which provide guidance and technical specifications for configuring and maintaining systems. SysSPs fall into managerial guidance or technical specifications categories. Access control lists and configuration rule policies are examples of technical specifications. Effective policy management requires a responsible manager, regular reviews, and an issuance process. Security frameworks like the Information Security Blueprint, ISO 27000, and NIST publications provide guidance for developing comprehensive organizational security policies and programs.
Ch04_MoIS5e_v02.pptx (JawaherAlbaddawi)
This document discusses principles of software design for information security. It summarizes key software design principles identified by Saltzer and Schroeder, including least privilege and separation of duties. It also outlines the National Institute of Standards and Technology's (NIST) approach to securing the software development lifecycle (SDLC), which involves integrating security early and conducting activities like risk assessments and testing at each phase. Finally, it describes various security roles in an organization, including the chief information security officer, security project team, data owners and custodians, and communities of interest.
This document discusses information security planning and policy development. It describes management's role in developing, maintaining, and enforcing security policies, standards, procedures and guidelines. It explains that an information security blueprint identifies major components that support the security program. It also discusses how organizations institutionalize policies through education, training and awareness programs. Contingency planning relates to incident response, disaster recovery and business continuity plans. The document provides details on developing an enterprise security policy and issue-specific security policies. It emphasizes that policies must direct acceptable behavior and technologies and never contradict laws.
The document discusses the components of an information security blueprint, including policies, standards, practices, and a security education program. It describes developing an enterprise security policy and issue-specific policies. The blueprint provides a plan for security controls, technologies, and training to ensure the organization's information is protected. It is the basis for designing and implementing all aspects of the security program.
This document discusses intrusion detection and prevention systems (IDPS), honeypots, and security scanning and analysis tools. It describes how IDPS effectiveness is measured, different types of IDPS, and how honeypots, honeynets, and padded cell systems work. Finally, it outlines various scanning and analysis tools like port scanners, firewall analyzers, OS detectors, vulnerability scanners, packet sniffers, and wireless security tools that can be used both by attackers and defenders.
This document discusses systems-specific security policies and various frameworks for developing comprehensive organizational security policies. It describes how systems-specific policies provide technical specifications and managerial guidance for configuring systems. It also outlines frameworks from NIST, ISO, and other sources that provide guidance on developing an overall information security strategy through security policies, education, and controls. Key aspects discussed include policy management, the information security blueprint, and the NIST Cybersecurity Framework.
- Technical controls like firewalls and VPNs are essential for enforcing security policy for systems not directly controlled by humans.
- Firewalls use various techniques like packet filtering, application gateways, and circuit gateways to prevent specific types of information from moving between trusted and untrusted networks. Packet filtering firewalls examine packet headers to block or allow traffic based on IP addresses and port numbers.
- Other technical controls discussed include access control methods, authentication factors, authorization for access to resources, logging and auditing for accountability, and biometrics for identity verification. These controls are important for securely managing identification, authentication, and access to computer systems and networks.
The document discusses principles of information security including legal, ethical and professional issues. It covers major national laws affecting information security practice, deterring unethical behavior, codes of ethics from professional organizations like ACM, (ISC)2, SANS, ISACA and ISSA. It also discusses key US federal agencies that deal with cybersecurity and their roles, including DHS, Secret Service, FBI and NSA.
The document discusses the implementation phase of a security project life cycle. It explains that an organization's security blueprint must be translated into a detailed project plan that addresses leadership, budget, timelines, staffing needs, and organizational considerations. An effective project plan uses a work breakdown structure and considers financial, priority, scheduling, procurement, and change management factors. The project manager plays a key role in planning, supervising, and wrapping up the project successfully.
This document discusses risk management and risk identification from the fifth edition of the textbook "Principles of Information Security". It outlines the learning objectives which are to define key risk management terms, describe how to identify and assess risk, explain how to document risk assessments, and discuss risk mitigation strategies. It then covers introducing risk management concepts, providing an overview of the risk management process, and detailing the steps involved in risk identification which include planning, inventorying and categorizing assets, and classifying information assets.
This document discusses the critical characteristics of information from a textbook on information security. It identifies seven key characteristics that provide value to information: availability, accuracy, authenticity, confidentiality, integrity, utility, and possession. Each characteristic is then defined in one or two paragraphs. The document also discusses components of an information system, balancing information security and access, and top-down and bottom-up approaches to implementing information security.
This document discusses physical security considerations for protecting computing facilities and information assets. It covers key physical access controls like walls, fences, locks, ID badges, alarms and electronic monitoring. Critical environment factors are also addressed, such as fire safety and ensuring proper temperature, humidity and power. The roles of general management, IT and information security professionals in implementing physical security measures are defined. Maintaining secure computer rooms and wiring closets is emphasized, as logical access controls can be easily defeated without strong accompanying physical security.
The document discusses the phases of the security systems development life cycle (SecSDLC). It describes the traditional SDLC phases of investigation, analysis, logical design, physical design, implementation, and maintenance/change. These same phases are then adapted for SecSDLC, with each phase focusing on identifying threats and creating controls. Additionally, the document introduces the concept of software assurance, which aims to include security planning across the entire SDLC process to develop more secure systems.
Information security involves protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The key aspects of information security are confidentiality, integrity, and availability. Risk management is the process of identifying threats and vulnerabilities, calculating impact, and implementing appropriate controls. Controls can be administrative, logical, or physical. Information security also includes security classification, change management, governance, incident response plans, and compliance with laws and regulations.
This document discusses information security policies and their components. It begins by outlining the learning objectives, which are to understand management's role in developing security policies and the differences between general, issue-specific, and system-specific policies. It then defines what policies, standards, and practices are and how they relate to each other. The document outlines the three types of security policies and provides examples of issue-specific and system-specific policies. It emphasizes that policies must be managed and reviewed on a regular basis to remain effective.
Secrets to managing your Duty of Care in an ever- changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
The document discusses various topics related to asset management and data security in an IT environment. It covers:
- The importance of having policies for classifying, retaining, and destroying assets like data, hardware, software and documentation.
- Defining roles for data owners, custodians, system owners and administrators.
- Methods for securely storing, transmitting and destroying sensitive data.
- Vulnerabilities that can affect web-based systems and ways to assess security risks through scanning and testing.
Cybersecurity Priorities and Roadmap: Recommendations to DHSJohn Gilligan
This document provides recommendations to the Department of Homeland Security on cybersecurity priorities and a roadmap. It outlines a phased approach over several years to improve the overall cybersecurity posture. Phase I focuses on establishing a baseline of security across government systems through mandates and best practices. Phase II enhances security controls and expands training and collaboration. The roadmap calls for securing infrastructure, changing culture, improving the IT business model, developing the workforce, and advancing technologies over time to reduce vulnerabilities and attacks on critical systems.
Training and tips that are very helpful for gaining knowledge in the field of information security and passing your CISSP certification exam.
To be CISSP Certified Please Check out the link below:
http://asmed.com/cissp-isc2/
Supplement To Student Guide Seminar 03 A 3 Nov09 (Tammy Clark)
This document provides an overview of developing an information security program based on the ISO 27000 framework. It discusses defining requirements, developing policies and plans, key initiatives like awareness training and risk management, and assessing effectiveness. The goal is to build a program tailored to each institution with top management support and an incremental approach. References and resources from EDUCAUSE are provided for each component.
The document discusses systems-specific policies (SysSPs) which provide guidance and technical specifications for configuring and maintaining systems. SysSPs fall into managerial guidance or technical specifications categories. Access control lists and configuration rule policies are examples of technical specifications. Effective policy management requires a responsible manager, regular reviews, and an issuance process. Security frameworks like the Information Security Blueprint, ISO 27000, and NIST publications provide guidance for developing comprehensive organizational security policies and programs.
Ch04_MoIS5e_v02.pptx (JawaherAlbaddawi)
1. The document discusses updating information security standards from ISO 27001:2005 to ISO 27001:2013, including revising 12 clauses, improving risk management, and enhancing information security management.
2. It provides an outline for improving information security management by updating strategies, policies, procedures and introducing new security practices and technologies.
3. Selecting best practices from other frameworks requires considering how similar an organization is to the target in terms of industry, challenges, resources, and structure. Adopting applicable guidelines can help improve information security.
Solve the exercise in security management.pdf (sdfghj21)
This document provides information about an information security management system (ISMS) including:
1) An ISMS provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information protection based on risk assessment and risk acceptance levels.
2) The ISO/IEC 27000 family of standards relate to ISMS and include standards on requirements, implementation guidance, and auditing of ISMS.
3) Key aspects of an ISMS include identifying information assets, assessing risks and threats, selecting appropriate security controls, and managing the system using a process approach like PDCA (Plan-Do-Check-Act).
This document discusses information security policies and frameworks. It begins by explaining that information security policies are the foundation of an effective security program and outlines key aspects of developing policies, including that they must be properly supported and avoid conflicting with laws. The document then discusses several policy frameworks, notably the ISO 27000 series which provides requirements for an Information Security Management System (ISMS). It stresses that an ISMS should have continuous management support and treat security as an integral part of risk management. The role of training, awareness programs, and incident response planning are also covered.
Chapter 5 Planning for Security-students.ppt (Shruthi48)
Management plays a key role in developing information security policies, standards, and practices that form the foundation of an organization's security program. These include enterprise policies that set strategic direction, issue-specific policies that address technology areas, and system-specific policies that provide technical guidance. Policies must be properly disseminated, understood, agreed to, and uniformly enforced. They also require ongoing management through regular reviews and updates to remain effective as an organization's needs change over time.
The document provides an overview of 12 privacy frameworks that can be used to develop comprehensive privacy programs. It describes each framework, including its organization, cost, and key benefits. The top frameworks are ISO 29100, ISO 27701, the ICO Accountability Framework, and the TrustArc-Nymity Framework. They provide standards, guidelines and best practices for building privacy into products and governance. The document aims to help privacy professionals select the most appropriate framework for their needs without needing to reinvent existing approaches.
The document provides an overview of frameworks related to IT governance, management and digital transformation in India. It discusses CoBIT, ISO 27000 and ISO 38500 frameworks. It then summarizes key Indian policies, acts and programs like the IT Act, Aadhar Act, Digital India, National eGovernance Plan and its mission mode projects.
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history about why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers potential benefits of Framework, and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and future direction of the Framework program.
create your own Security Management Model using the NIST Special Pub.pdf (FORTUNE2505)
Create your own Security Management Model using the NIST Special Publication 800-14 and evaluate and apply NIST SP 800-26.
Solution
NIST SP 800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint.
It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12.
The more significant points made in NIST SP 800-14 are as follows:
1) Security supports the mission of the organization.
2) Security is an integral element of sound management.
3) Security should be cost-effective.
4) Systems owners have security responsibilities outside their own organizations.
5) Security responsibilities and accountability should be made explicit.
6) Security requires a comprehensive and integrated approach.
7) Security should be periodically reassessed.
8) Security is constrained by societal factors.
It enumerates 33 principles for securing information technology systems:
Principle 1. Establish a sound security policy as the "foundation" for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies.
Principle 4. Reduce risk to an acceptable level.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.
Principle 7. Implement layered security (ensure no single point of vulnerability).
Principle 8. Implement tailored system security measures to meet organizational security goals.
Principle 9. Strive for simplicity.
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response.
Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and logically.
Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats.
Principle 14. Limit or contain vulnerabilities.
Principle 15. Formulate security measures to address multiple overlapping information domains.
Principle 16. Isolate public access systems from mission-critical resources.
Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures.
Principle 18. Where possible, base security on open standards for portability and interoperability.
Principle 19. Use common language in developing security requirements.
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.
Principle 21. Design security to allow for regular adoption of new techno.
Start With A Great Information Security Plan! (Tammy Clark)
The document discusses Georgia State University's information security plan, which was developed based on the ISO 17799 standard. It summarizes the 12 domains covered by the ISO standard and how the university assessed its current security state in each domain. The plan aims to provide comprehensive and prioritized security objectives and action plans to improve information security protections over multiple years.
Build an Information Security Strategy (Andrew Byers)
Organizations are struggling to keep up with today's evolving threat landscape.
From growing technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations face major security risks.
Every organization needs some kind of information security program to protect its systems and assets.
Organizations today face pressure from regulatory or legal obligations, customer requirements, and now, senior management expectations.
CHAPTER 6
INFORMATION GOVERNANCE
Information Governance Policy Development
ITS 833
Dr. Mia Simmons
Chapter Overview
■ This chapter will cover pages 71-94 in your book.
■ This chapter will cover how to develop an Information Governance Policy.
– Inform and frame the policy with internal and external frameworks, models, best practices, and standards, those that apply to your organization and the scope of its planned IG program.
Review of Record Keeping
■ Chapter 3 - ARMA International's eight Generally Accepted Recordkeeping Principles
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition
IG Reference Model
■ Outer Ring
– An understanding of the business imperatives of the enterprise,
– Knowledge of the appropriate tools and infrastructure for managing information, and
– Sensitivity to the legal and regulatory obligations with which the enterprise must comply
For any piece of information you hope to manage, the primary stakeholder is the business user of that information.
■ Center
– Life-cycle or Work-Flow: information management is important at all stages of the information life cycle, from its creation through its ultimate disposition.
Best Practice Considerations
■ IG best practices are evolving and expanding, so they should also be considered in policy formulation
■ 25 best practices are reviewed in Chapter 5
1. IG is a key underpinning for a successful ERM program.
2. IG is not a project but rather an ongoing program.
3. .
4. .
5. .
6. .
24. Some digital information assets must be preserved permanently as part of an organization's documentary heritage.
25. Executive sponsorship is crucial
Standards Consideration
■ Two types of standards should be included in policy:
1. De jure ("the law")
■ published by recognized standards-setting bodies, such as the International Organization for Standardization (ISO), American National Standards Institute (ANSI), National Institute of Standards and Technology (NIST—this is how most people refer to it, as they do not know what the acronym stands for), British Standards Institute (BSI), Standards Council of Canada, and Standards Australia.
2. De facto ("the fact")
■ not formal standards but regarded by many as if they were. They may arise through popular use (e.g., Windows at the business desktop in the 2001–2010 decade) or may be published by other bodies, such as the U.S. National Archives and Records Administration (NARA) or Department of Defense (DoD) for the U.S. military sector.
Benefits and Risks of Standards
■ Quality assurance support. If a product meets a standard, you can be confident of a certain level of quality.
■ Interoperability support. Some standards are detailed and mature enough to allow for system interoperability between different vendor platforms.
■ Implementation frameworks a.
This document discusses principles of risk management from a textbook on information security. It describes approaches for identifying risks, assessing their likelihood and impact, and selecting risk mitigation strategies. Key strategies discussed include risk defense, transfer, mitigation, acceptance, and termination. The document also covers how to justify controls using a cost-benefit analysis and benchmarks for best practices.
The document discusses several topics related to information security frameworks and governance:
1. It discusses the importance of having a security framework to provide strategic direction and ensure security objectives are met through information security governance.
2. It recommends following frameworks like the IDEAL framework to effectively implement security governance.
3. It discusses ISO/IEC 27002 and ISO/IEC 27001, two widely referenced security models, focusing on 127 controls over ten areas and how to implement an information security management system.
The document discusses guidelines for developing effective information security policies. It describes the importance of policy and outlines three types of policies: enterprise security policies, issue-specific policies, and system-specific policies. It emphasizes that policies should be properly disseminated, understood, and agreed upon. Effective policy development involves planning, analysis of needs and risks, design, implementation, and processes for ongoing maintenance.
This document discusses risk management and outlines the key steps in the risk identification process. It describes defining risk management, risk identification, and risk control. The risk identification process involves planning the process, inventorying and categorizing assets, identifying people, procedures, data, hardware, software and network assets, and classifying and prioritizing assets. Communities of interest must work together to evaluate risk controls and ensure controls remain effective. The goal is to reduce residual risk to a level within the organization's risk appetite.
Risk Based Security and Self Protection Powerpoint (randalje86)
Miguel Sanchez presented on risk based security and self protection technologies. He discussed how the threat landscape has changed and the need for a proactive, risk based approach. This involves a multi-tiered risk management process including framing risks at the organizational, mission, and system levels. Emerging technologies like runtime application self protection can help applications protect themselves by monitoring for threats during execution.
In today's business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data entrusted to them. Every network is vulnerable to some form of attack. However, it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury's Cybersecurity Practice, will be joined by Partner Michael Hoffner, and they will lead a discussion on a Cybersecurity Risk Management Program, including what it is and how it can prepare your organization for the future.
This document discusses configuring and managing Cisco switches. It covers basic switch configuration including the boot sequence, recovering from crashes using the boot loader, and switch LED indicators. It also discusses configuring switch ports including setting duplex and speed, the auto-MDIX feature, and verifying port settings. Additionally, it addresses network access layer issues and troubleshooting media and interface-related problems.
This document provides an introduction to switched networks and describes different types of network switches. It explains that switched networks support small to medium-sized businesses by converging data, voice, and video. There are two main categories of switches: modular switches that provide flexibility through expansion modules, and fixed-configuration switches that include unmanaged, managed, and smart switches. Managed switches offer the most comprehensive features and scalability. Key factors to consider when choosing a switch include speed, port count, Power over Ethernet support, and stackability.
This document introduces switched networks and how they support small to medium-sized businesses. It explains how switched networks converge data, voice, and video and describes what a switched network looks like in this environment. The document also discusses how layer 2 switches forward data frames in a small to medium LAN and compares collision domains to broadcast domains in a switched network.
The document discusses configuring basic settings on a Cisco switch, including:
- Setting the boot system to define the IOS image loaded during startup.
- Configuring switch management access by assigning an IP address, subnet mask, and default gateway to the management VLAN.
- Configuring physical switch ports by setting the duplex and speed settings to match connected devices and troubleshooting common layer 1 and 2 issues.
- Securing remote access using SSH instead of Telnet by generating RSA key pairs, configuring user authentication, and enabling SSH version 2.
- Implementing port security to restrict which MAC addresses can transmit on switch ports and limit them to the configured number.
This document discusses the configuration and installation of UTP cables. It describes the standard arrangement of wires in a UTP cable, with the wires being twisted to cancel out noise and crosstalk. It also lists the tools and materials needed for installing UTP cables, such as wire cutters, strippers, crimp tools, RJ45 connectors, and testers. Finally, it outlines the 8 steps to properly crimp a UTP cable, which includes stripping the cable, placing the wires in the connector, and crimping to complete the connection.
This document discusses network protocols. It begins by defining what a protocol is and provides some common examples used at different layers, such as TCP, UDP, IP, and HTTP. It then explains that protocols break large processes into smaller tasks and functions that must cooperate across network levels. Protocols are created according to industry standards. The document categorizes protocols for communication, network management, and security. It provides examples for each category and concludes with descriptions of some frequently used protocols like HTTP, SSH, and SMS.
This document provides an overview of the history and development of computer networks and the internet. It discusses the early development of packet switching in the 1960s by researchers at MIT, RAND, and the UK. It also describes the creation of ARPANET in the late 1960s and early 1970s and its growth. Subsequent sections discuss the proliferation of networks in the 1980s and 1990s driven by NSFNET and the development of the World Wide Web. The document concludes by outlining some of the key hardware components of networks and benefits and disadvantages of computer networks.
The document discusses the OSI model, which defines 7 layers for network communication: Physical, Data Link, Network, Transport, Session, Presentation, and Application. It was developed by ISO to standardize network architectures and allow components from different vendors to communicate. Each layer has a set of well-defined functions and builds upon the layers below it, with standards developed independently for easier introduction and less effect of changes on other layers. This model divides network communication into simpler components and encourages standardization.
There are several common network topologies for LANs and WANs. Common LAN topologies include bus, star, ring, switched, daisy chain, and hierarchical topologies. Bus topology is easy to implement but has limited cable length. Star topology is easy to manage and scale but a failure of the central device takes down the whole network. Ring topology provides better performance than bus but a single failure affects the whole network. WAN topologies include peer-to-peer, ring, star, full mesh, partial mesh, multi-tiered, and hybrid configurations with different tradeoffs around cost, performance, redundancy, and scalability.
Network media refers to the communication channels used to connect nodes on a computer network. Common network media include copper cables like twisted pair and coaxial, optical fiber cables, and wireless transmission using radio waves. Key factors in choosing network media include the network topology, size, required transmission speed and distance, environment, and cost. A network interface card installed in each computer enables it to connect to the chosen network media type.
A computer network is composed of end devices, network media, and intermediary devices connected together. The number of computers that can be connected depends on the type of network, which is classified by geographical size as a personal area network (PAN), local area network (LAN), campus area network (CAN), metropolitan area network (MAN), wide area network (WAN), wireless local area network (WLAN), or peer-to-peer network. In a client/server network, servers provide centralized services and resources to client devices, while in a peer-to-peer network all devices can act as both clients and servers sharing resources directly.
Network hardware includes end devices like servers, computers, VoIP phones, security cameras, and mobile devices. It also includes intermediary devices like hubs, switches, wireless access points, repeaters, bridges, and routers. Servers store files and applications for sharing. Switches provide connections and send information directly to the correct location. Wireless access points allow Wi-Fi devices to connect to wired networks. Routers select the best path to route messages between networks. Network interface cards provide the physical connection between computers and the network.
The document discusses different types of computer networks classified by their geographical size, including personal area networks (PANs), local area networks (LANs), campus area networks (CANs), metropolitan area networks (MANs), wide area networks (WANs), and wireless local area networks (WLANs). It provides details on each type of network, such as LANs connecting computers close together within the same building, MANs connecting LANs within a city that are too far for a direct connection, and WANs spanning large geographic areas like cities or countries. The document also illustrates a basic computer network and reviews common network acronyms.
A computer network connects multiple computers together to allow them to communicate and share resources. The basic building blocks of a network include computers equipped with network ports, cables to connect the computers, and a network switch for them to plug into. Larger networks may include additional components like routers or repeaters. Computer networks provide benefits such as hardware and data sharing between connected devices, enhanced real-time communication, collaborative work environments, access to shared programs stored on servers, and increased storage capacity from network-attached devices. However, networks also pose security threats from hacking or data theft, a single point of failure if the main server crashes, and potential virus or malware spread throughout the connected systems. Proper technical skills are required to administer large computer networks.
This document discusses the fundamentals of database systems. It outlines four key characteristics: the self-describing nature of databases through metadata stored in the DBMS catalog; insulation between programs and data through program-data independence; support of multiple views of data through user-specific subsets or views; and sharing of data and multiuser transaction processing through concurrency control in a multiuser environment.
This document defines key terms related to database systems and provides an overview of database fundamentals. It defines data, information, and databases. A database management system (DBMS) is introduced as a collection of programs that enables users to create and maintain a database by defining, constructing, manipulating, and sharing the data. A DBMS also protects the database and maintains it over time. Examples of database systems that store student and course information are provided to illustrate database concepts. Characteristics of the DBMS approach are compared to the traditional file system approach.
A flowchart is a graphical representation of a process or system. This document provides flowcharts for troubleshooting various hardware issues, including hard drive boot problems, CPU/RAM/motherboard performance issues, video adapter/GPU/monitor problems, peripheral device failures, SCSI/SAS drive errors, and DVD/CD/Blu-ray recording issues. The flowcharts help diagnose common problems and their potential solutions.
This document discusses common computer errors, including hardware errors like blank monitors, hard drive failures, and faulty keyboards or mice. It also covers software errors such as access denied, file not found, and out of memory issues. Specific error types like disk read errors, boot failures, freezing, and the blue screen of death are explained in more detail. The document emphasizes the importance of properly diagnosing errors to identify whether the issue is hardware or software related.
Bootable media contains software that allows a computer to boot from a removable device like a USB flash drive. When booting, the computer performs self-checks, loads the BIOS which finds the boot loader on the hard drive, and then loads the operating system along with hardware drivers and any startup programs. Bootable USB flash drives provide an easy way to install operating systems without discs by creating a portable boot device.
Computer troubleshooting is a systematic process used to locate the cause of faults in computer systems and resolve hardware and software issues. It involves following a logical process with steps like identifying the problem, establishing a probable cause, testing theories to determine the cause, developing a solution plan, verifying the system works, and documenting findings. Troubleshooting skills are developed over time through experience solving different problems. Common computer issues include failures of storage devices, motherboards, power supplies, CPUs, memory, displays, and more. Solutions may involve checking connections, updating drivers or BIOS, replacing faulty components, and ensuring proper cooling and power.
Walmart Business+ and Spark Good for Nonprofits.pdf (TechSoup)
Learn about all the ways Walmart supports nonprofit organizations.
You will hear from Liz Willett, the Head of Nonprofits, and hear about what Walmart is doing to help nonprofits, including Walmart Business and Spark Good. Walmart Business+ is a new offer for nonprofits that offers discounts and also streamlines nonprofits' order and expense tracking, saving time and money.
The webinar may also give some examples of how nonprofits can best leverage Walmart Business+.
The event will cover the following:
Walmart Business+ (https://business.walmart.com/plus) is a new shopping experience for nonprofits, schools, and local business customers that connects an exclusive online shopping experience to stores. Benefits include free delivery and shipping, a "Spend Analytics" feature, special discounts, deals and tax-exempt shopping.
Special TechSoup offer for a free 180-day membership, and up to $150 in discounts on eligible orders.
Spark Good (walmart.com/sparkgood) is a charitable platform that enables nonprofits to receive donations directly from customers and associates.
Answers about how you can do more with Walmart!
Hindi varnamala PPT, hindi alphabet PPT presentation, hindi varnamala PPT, Hindi Varnamala pdf, Hindi vowels, Hindi consonants, sikhiye hindi varnmala, dr. mulla adam ali, hindi language and literature, hindi alphabet with drawing, hindi alphabet pdf, hindi varnamala for children, hindi language, hindi varnamala practice for kids, https://www.drmullaadamali.com
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP (RAHUL)
This dissertation explores the particular circumstances of Mirzapur, a region located in the core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal environment for investigating the changes in vegetation cover dynamics. Our study utilizes advanced technologies such as GIS (Geographic Information Systems) and remote sensing to analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus of extensive research and worry. As the global community grapples with swift urbanization, population expansion, and economic progress, the effects on natural ecosystems are becoming more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a significant role in maintaining the ecological equilibrium of our planet.
Land serves as the foundation for all human activities and provides the necessary materials for these activities. As the most crucial natural resource, its utilization by humans results in different 'land uses,' which are determined by both human activities and the physical characteristics of the land.
The utilization of land is impacted by human needs and environmental factors. In countries like India, rapid population growth and the emphasis on extensive resource exploitation can lead to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many centuries, evolving its structure over time and space. In the present era, these changes have accelerated due to factors such as agriculture and urbanization. Information regarding land use and cover is essential for various planning and management tasks related to the Earth's surface, providing crucial environmental data for scientific, resource management, and policy purposes, and for diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning of any area. Consequently, a wide range of professionals, including earth system scientists, land and water managers, and urban planners, are interested in obtaining data on land use and cover changes, conversion trends, and other related patterns. The spatial dimensions of land use and cover support policymakers and scientists in making well-informed decisions, as alterations in these patterns indicate shifts in economic and social conditions. Monitoring such changes with the help of advanced technologies like Remote Sensing and Geographic Information Systems is crucial for coordinated efforts across different administrative levels.
Changes in vegetation cover refer to variations in the distribution, composition, and overall structure of plant communities across different temporal and spatial scales. These changes can occur natural.
How to Make a Field Mandatory in Odoo 17Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
Main Java[All of the Base Concepts}.docxadhitya5119
This is part 1 of my Java Learning Journey. This Contains Custom methods, classes, constructors, packages, multithreading , try- catch block, finally block and more.
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxEduSkills OECD
Iván Bornacelly, Policy Analyst at the OECD Centre for Skills, OECD, presents at the webinar 'Tackling job market gaps with a skills-first approach' on 12 June 2024
How to Setup Warehouse & Location in Odoo 17 InventoryCeline George
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
This document provides an overview of wound healing, its functions, stages, mechanisms, factors affecting it, and complications.
A wound is a break in the integrity of the skin or tissues, which may be associated with disruption of the structure and function.
Healing is the body’s response to injury in an attempt to restore normal structure and functions.
Healing can occur in two ways: Regeneration and Repair
There are 4 phases of wound healing: hemostasis, inflammation, proliferation, and remodeling. This document also describes the mechanism of wound healing. Factors that affect healing include infection, uncontrolled diabetes, poor nutrition, age, anemia, the presence of foreign bodies, etc.
Complications of wound healing like infection, hyperpigmentation of scar, contractures, and keloid formation.
1. Principles of Information Security, Fifth Edition
Chapter 4: Planning for Security
Lesson 1: Information Security Planning
2. Learning Objectives
• Upon completion of this material, you should be
able to:
– Describe management’s role in the development,
maintenance, and enforcement of information
security policy, standards, practices, procedures,
and guidelines
– Explain what an information security blueprint is,
identify its major components, and explain how it
supports the information security program
Principles of Information Security, Fifth Edition 2
3. Learning Objectives (cont’d)
– Discuss how an organization institutionalizes its
policies, standards, and practices using education,
training, and awareness programs
– Describe what contingency planning is and how it
relates to incident response planning, disaster
recovery planning, and business continuity plans
4. Introduction
• Information security program begins with policies,
standards, and practices, which are the foundation
for information security architecture and blueprint.
• Coordinated planning is required to create and
maintain these elements.
• Strategic planning for the management of
allocation of resources
• Contingency planning for the preparation of
uncertain business environment
5. Information Security Planning and
Governance
• Planning levels help translate the organization’s strategic plans into tactical objectives.
• Planning and the CISO
• Information Security Governance
– Governance:
• Set of responsibilities and practices exercised by the
board and executive management
• Goal to provide strategic direction, establishment of
objectives, and measurement of progress toward
objectives
• Also verifies/validates that risk management practices
are appropriate and assets used properly
6. Information Security Planning and
Governance (cont’d)
• Information Security Governance outcomes
– Five goals:
• Strategic alignment
• Risk management
• Resource management
• Performance measures
• Value delivery
8. Information Security Policy, Standards,
and Practices
• Management from communities of interest must
make policies the basis for all information security
planning, design, and deployment.
• Policies direct how issues should be addressed
and technologies used.
• Policies should never contradict law, must be able
to stand up in court, and must be properly
administered.
• Security policies are the least expensive controls to
execute but most difficult to implement properly.
9. Policy as the Foundation for Planning
• Policy functions as organizational law that dictates
acceptable and unacceptable behavior.
• Standards: more detailed statements of what must
be done to comply with policy
• Practices, procedures, and guidelines effectively
explain how to comply with policy.
• For a policy to be effective, it must be properly
disseminated, read, understood, and agreed to by
all members of the organization, and uniformly
enforced.
11. Enterprise Information Security Policy
(EISP)
• Sets strategic direction, scope, and tone for all
security efforts within the organization
• Executive-level document, usually drafted by or
with Chief Information Officer (CIO) of the
organization
• Typically addresses compliance in two areas:
– Ensuring that the requirements for establishing the program are met, and assigning the responsibilities for it to the various organizational components
– Use of specified penalties and disciplinary action
12. Enterprise Information Security Policy
(EISP) (cont’d)
• EISP Elements should include:
– Overview of corporate security philosophy
– Information on the structure of the organization and
people in information security roles
– Articulated responsibilities for security shared by all
members of the organization
– Articulated responsibilities for security unique to
each role in the organization
14. Issue-Specific Security Policy (ISSP)
• The ISSP:
– Addresses specific areas of technology
– Requires frequent updates
– Contains statement on the organization’s position on
specific issue
• Three common approaches when creating and
managing ISSPs:
– Create a number of independent ISSP documents
– Create a single comprehensive ISSP document
– Create a modular ISSP document
15. Issue-Specific Security Policy (ISSP)
(cont’d)
• Components of the policy:
– Statement of policy
– Authorized access and usage of equipment
– Prohibited use of equipment
– Systems management
– Violations of policy
– Policy review and modification
– Limitations of liability
17. Systems-Specific Policy (SysSP)
• SysSPs often function as standards or procedures used
when configuring or maintaining systems.
• Systems-specific policies fall into two groups:
– Managerial guidance
– Technical specifications
• Access control lists (ACLs) can restrict access for a
particular user, computer, time, duration—even a
particular file.
• Configuration rule policies govern how security system
reacts to received data.
• Combination SysSPs combine managerial guidance
and technical specifications.
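The technical-specification half of a SysSP is easiest to see as a rule table that a system actually enforces. The following is an added example, not code from the textbook: a small access control list evaluator in which each rule restricts access by user, host, resource, action, time window, and session duration, exactly the dimensions the slide lists. The rule set, user names, host names, and paths are constructed for illustration; first-match-wins ordering and default deny are design choices of this example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    """One technical-specification rule of a SysSP. Pattern fields accept
    shell-style wildcards; a rule applies only when every field matches."""
    user: str
    host: str
    resource: str
    action: str
    effect: str = "allow"              # "allow" or "deny"
    start: Optional[time] = None       # permitted window start (inclusive); None = any time
    end: Optional[time] = None         # permitted window end (exclusive)
    max_minutes: Optional[int] = None  # maximum session duration; None = unlimited


@dataclass(frozen=True)
class AccessRequest:
    user: str
    host: str
    resource: str
    action: str
    at: datetime
    minutes: int = 0                   # requested session duration


def _matches(rule: AclRule, req: AccessRequest) -> bool:
    if not (fnmatchcase(req.user, rule.user) and fnmatchcase(req.host, rule.host)
            and fnmatchcase(req.resource, rule.resource)
            and fnmatchcase(req.action, rule.action)):
        return False
    if rule.start is not None and rule.end is not None:
        if not (rule.start <= req.at.time() < rule.end):
            return False
    if rule.max_minutes is not None and req.minutes > rule.max_minutes:
        return False
    return True


def evaluate(rules: List[AclRule], req: AccessRequest) -> Tuple[bool, str]:
    """First matching rule wins; anything no rule explicitly allows is denied."""
    for i, rule in enumerate(rules):
        if _matches(rule, req):
            return rule.effect == "allow", f"rule {i} ({rule.effect})"
    return False, "default deny (no matching rule)"


# Constructed rule set for illustration (not from the textbook).
RULES = [
    # Contractors may never write anywhere, whatever a later rule allows.
    AclRule(user="contractor-*", host="*", resource="*", action="write", effect="deny"),
    # HR clerks read payroll files from HR workstations, office hours only, 60-minute sessions.
    AclRule(user="hr-clerk*", host="hr-ws-*", resource="/payroll/*", action="read",
            start=time(8, 0), end=time(18, 0), max_minutes=60),
    # The backup service account reads everything, at any time, from its own host only.
    AclRule(user="backup-svc", host="backup-01", resource="*", action="read"),
]


def decide(user: str, host: str, resource: str, action: str,
           when_iso: str, minutes: int = 0) -> bool:
    """Convenience wrapper returning only the boolean decision for RULES."""
    req = AccessRequest(user, host, resource, action,
                        datetime.fromisoformat(when_iso), minutes)
    return evaluate(RULES, req)[0]


def audit_log_line(req: AccessRequest, allowed: bool, reason: str) -> str:
    """Every decision is recorded so that policy violations can be reviewed later."""
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{req.at.isoformat()} {verdict} user={req.user} host={req.host} "
            f"res={req.resource} act={req.action} ({reason})")


if __name__ == "__main__":
    req = AccessRequest("hr-clerk1", "hr-ws-03", "/payroll/2024-06.csv", "read",
                        datetime(2024, 6, 12, 10, 30), minutes=30)
    print(audit_log_line(req, *evaluate(RULES, req)))
```

Rule order matters: the deny for contractors sits first so that no later, broader allow can override it, and a request that matches nothing is denied, which is the managerial-guidance part of the policy expressed in the technical specification.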
18. Policy Management
• Policies must be managed as they constantly
change.
• To remain viable, security policies must have:
– A responsible manager
– A schedule of reviews
– A method for making recommendations for reviews
– A policy issuance and revision date
– Automated policy management
19. The Information Security Blueprint
• Basis for design, selection, and implementation of
all security policies, education and training
programs, and technological controls
• Detailed version of security framework (outline of
overall information security strategy for
organization)
• Specifies tasks and order in which they are to be
accomplished
• Should also serve as a scalable, upgradeable, and
comprehensive plan for the current and future
information security needs
20. The ISO 27000 Series
• One of the most widely referenced security models
• Standard framework for information security that
states organizational security policy is needed to
provide management direction and support
• Purpose is to give recommendations for
information security management
• Provides a starting point for developing
organizational security
23. NIST Security Models
• Another possible approach described in the
documents available from Computer Security
Resource Center of NIST
– SP 800-12
– SP 800-14
– SP 800-18 Rev. 1
– SP 800-26
– SP 800-30
24. NIST Special Publication 800-14
• Security supports the mission of the organization
and is an integral element of sound management.
• Security should be cost effective; owners have
security responsibilities outside their own
organizations.
• Security responsibilities and accountability should
be made explicit; security requires a
comprehensive and integrated approach.
• Security should be periodically reassessed;
security is constrained by societal factors.
• Thirty-three principles for securing systems (see
Table 4-5)
25. NIST Cybersecurity Framework
• Consists of three fundamental components:
– Framework core: set of information security activities
an organization is expected to perform and their
desired results
– Framework tiers: describe the maturity of the security program and help the organization implement measures and functions appropriate to that level
– Framework profile: used to perform a gap analysis
between the current and a desired state of
information security/risk management
26. NIST Cybersecurity Framework
(cont’d)
• Seven-step approach to implementing/improving
programs:
– Prioritize and scope
– Orient
– Create current profile
– Conduct risk assessment
– Create target profile
– Determine, analyze, prioritize gaps
– Implement action plan
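Steps three to six of the seven-step approach (current profile, risk assessment, target profile, gap analysis) reduce to a comparison of two profiles. As an added example, not code from the textbook or from NIST, the block below scores each category's distance from its target tier, weights it by a business priority taken from the risk assessment, and emits an ordered action plan. The tier names are the four implementation tiers of the NIST Cybersecurity Framework 1.1 and the category identifiers follow its core naming (ID.AM, PR.AC, DE.CM, RS.RP, RC.RP); the tier assignments, weights, and the priority formula are constructed for this example.

```python
from typing import Dict, List

# Implementation tier names of the NIST Cybersecurity Framework (v1.1);
# the numeric ordering is how this example compares them.
TIERS = {"partial": 1, "risk informed": 2, "repeatable": 3, "adaptive": 4}


def gap_analysis(current: Dict[str, str], target: Dict[str, str],
                 weights: Dict[str, int] = None) -> List[dict]:
    """Compare a current profile with a target profile category by category.
    Returns one record per category still below target, ordered by priority
    (tier distance times the category's business weight), highest first."""
    weights = weights or {}
    gaps = []
    for category, want in target.items():
        have = current.get(category, "partial")     # unassessed categories count as Tier 1
        for name in (have, want):
            if name not in TIERS:
                raise ValueError(f"unknown tier {name!r} for {category}")
        distance = TIERS[want] - TIERS[have]
        if distance <= 0:
            continue                                 # already at or above target
        weight = weights.get(category, 1)
        gaps.append({"category": category, "current": have, "target": want,
                     "distance": distance, "priority": distance * weight})
    gaps.sort(key=lambda g: (-g["priority"], g["category"]))
    return gaps


def action_plan(gaps: List[dict]) -> List[str]:
    """Turn the prioritized gaps into ordered action-plan lines (step seven)."""
    return [f"{i}. {g['category']}: raise from {g['current']} to {g['target']} "
            f"(priority {g['priority']})" for i, g in enumerate(gaps, 1)]


# Constructed profiles. Category identifiers follow the CSF 1.1 core naming
# (e.g. ID.AM = Identify / Asset Management); the tier assignments are invented.
CURRENT_PROFILE = {"ID.AM": "partial", "PR.AC": "risk informed", "DE.CM": "partial",
                   "RS.RP": "repeatable", "RC.RP": "partial"}
TARGET_PROFILE = {"ID.AM": "repeatable", "PR.AC": "repeatable", "DE.CM": "repeatable",
                  "RS.RP": "repeatable", "RC.RP": "risk informed"}
BUSINESS_WEIGHTS = {"DE.CM": 3, "PR.AC": 2}   # constructed output of the risk assessment step


def demo() -> List[dict]:
    return gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, BUSINESS_WEIGHTS)


if __name__ == "__main__":
    for line in action_plan(demo()):
        print(line)
```

Weighting by the risk assessment is what keeps the plan from simply chasing the largest tier jump: a one-tier gap in continuous monitoring outranks a two-tier gap in asset management when monitoring is where the organization's losses are expected.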
27. Other Sources of Security Frameworks
• Federal Agency Security Practices (FASP)
• Computer Emergency Response Team
Coordination Center (CERT/CC)
• International Association of Professional Security
Consultants
28. Design of Security Architecture
• Spheres of security: foundation of the security
framework
• Levels of controls:
– Management controls set the direction and scope of
the security processes and provide detailed
instructions for its conduct.
– Operational controls address personnel and physical
security, and the protection of production
inputs/outputs.
– Technical controls are the tactical and technical
implementations related to designing and integrating
security in the organization.
30. Design of Security Architecture
(cont’d)
• Defense in depth
– Implementation of security in layers
– Requires that organization establish multiple layers
of security controls and safeguards
• Security perimeter
– Border of security protecting internal systems from
outside threats
– Does not protect against internal attacks from
employee threats or onsite physical threats
33. Security Education, Training, and
Awareness Program
• Once general security policy exists, implement
security education, training, and awareness (SETA)
program
• SETA is a control measure designed to reduce
accidental security breaches.
• The SETA program consists of security education,
security training, and security awareness.
• Enhances security by improving awareness, developing skills and knowledge, and building in-depth knowledge
34. Security Education
• Everyone in an organization needs to be trained
and aware of information security; not every
member needs a formal degree or certificate in
information security.
• When formal education is deemed appropriate, an
employee can investigate courses in continuing
education from local institutions of higher learning.
• A number of universities have formal coursework in
information security.
35. Security Training
• Provides members of the organization with detailed
information and hands-on instruction to prepare
them to perform their duties securely
• Management of information security can develop
customized in-house training or outsource the
training program.
• Alternatives to formal training include conferences
and programs offered through professional
organizations.
36. Security Awareness
• One of the least frequently implemented but most
beneficial programs is the security awareness
program.
• Designed to keep information security at the
forefront of users’ minds
• Need not be complicated or expensive
• If the program is not actively implemented, employees may begin to neglect security matters, and the risk of employee accidents and failures is likely to increase.
38. Continuity Strategies
• Incident response plans (IRPs); disaster recovery plans
(DRPs); business continuity plans (BCPs)
• Primary functions of above plans:
– IRP focuses on immediate response; if attack escalates
or is disastrous, process changes to disaster recovery
and BCP.
– DRP typically focuses on restoring systems after
disasters occur; as such, it is closely associated with
BCP.
– BCP occurs concurrently with DRP when damage is
major or ongoing, requiring more than simple restoration
of information and information resources.
40. Continuity Strategies (cont’d)
• Before planning can actually begin, a team has to
start the process.
• Champion: high-level manager to support,
promote, and endorse findings of the project
• Project manager: leads project and ensures sound
project planning process is used, a complete and
useful project plan is developed, and project
resources are prudently managed
• Team members: should be managers, or their
representatives, from various communities of
interest: business, IT, and information security
42. Contingency Planning (CP) Process
• Includes the following steps:
– Develop CP policy statement
– Conduct business impact analysis
– Identify preventive controls
– Create contingency strategies
– Develop contingency plan
– Ensure plan testing, training, and exercises
– Ensure plan maintenance
44. CP Policy
• Should contain the following sections:
– Introductory statement of philosophical perspective
– Statement of scope/purpose
– Call for periodic risk assessment/BIA
– Specification of CP’s major components
– Call for/guidance in the selection of recovery options
– Requirement to test the various plans regularly
– Identification of key regulations and standards
– Identification of key people responsible for CP operations
– Challenge to the organization members for support
– Administrative information
45. Business Impact Analysis (BIA)
• Investigation and assessment of various adverse
events that can affect organization
• Assumes security controls have been bypassed, have
failed, or have proven ineffective, and attack has
succeeded
• Organization should consider scope, plan, balance,
knowledge of objectives, and follow-ups
• Three stages:
– Determine mission/business processes and recovery criticality
– Identify recovery priorities for system resources
– Identify resource requirements
47. Incident Response Planning
• Incident response planning includes identification
of, classification of, and response to an incident.
• Attacks classified as incidents if they:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten confidentiality, integrity, or availability
of information resources
• Incident response (IR) is more reactive than
proactive, with the exception of planning that must
occur to prepare IR teams to be ready to react to
an incident.
48. Incident Response Planning (cont’d)
• Incident response policy identifies the following key
components:
– Statement of management commitment
– Purpose/objectives of policy
– Scope of policy
– Definition of InfoSec incidents and related terms
– Organizational structure
– Prioritization or severity ratings of incidents
– Performance measures
– Reporting and contact forms
49. Incident Response Planning (cont’d)
• Incident Planning
– Predefined responses enable the organization to react
quickly and effectively to the detected incident if:
• The organization has an IR team
• The organization can detect the incident
– IR team consists of individuals needed to handle
systems as incident takes place.
• Incident response plan
– Format and content
– Storage
– Testing
50. Incident Response Planning (cont’d)
• Incident detection
– Most common occurrence is complaint about
technology support, often delivered to help desk.
– Careful training is needed to quickly identify and
classify an incident.
– Once incident is properly identified, the organization
can respond.
– Incident indicators vary.
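The three incident criteria on slide 47, the severity ratings an IR policy must define (slide 48), and the mixed bag of help-desk complaints and monitoring alerts that detection starts from (slide 50) can be tied together in one triage routine. The block below is an added example, not code from the textbook: it applies the three criteria to each report, rates the ones that qualify, and orders the queue for the IR team. The reports, asset criticalities, likelihood labels, and the scoring formula are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Chance that the attack succeeds, as judged when the report is classified.
LIKELIHOOD = {"unlikely": 0, "possible": 1, "likely": 2, "confirmed": 3}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Event:
    source: str                            # "help-desk", "ids", "syslog", ...
    summary: str
    asset: Optional[str]                   # information asset targeted, None if none
    asset_criticality: int                 # 1 (low) .. 3 (high), from the asset inventory
    likelihood: str                        # key of LIKELIHOOD
    affects: FrozenSet[str] = frozenset()  # subset of {"C", "I", "A"}


def is_incident(ev: Event) -> Tuple[bool, str]:
    """The three criteria: directed against an information asset, a realistic
    chance of success, and a threat to confidentiality, integrity, or availability."""
    if ev.asset is None:
        return False, "not directed against an information asset"
    if LIKELIHOOD[ev.likelihood] == 0:
        return False, "no realistic chance of success"
    if not ev.affects:
        return False, "does not threaten confidentiality, integrity, or availability"
    return True, "meets all three incident criteria"


def severity(ev: Event) -> str:
    """Constructed rating scheme: asset criticality weighted by likelihood,
    plus one point per security property threatened (range 1..12)."""
    score = ev.asset_criticality * LIKELIHOOD[ev.likelihood] + len(ev.affects)
    if score >= 9:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (severity, summary) for every report that is an incident,
    most severe first, so the IR team works the queue top-down."""
    queue = [(severity(ev), ev.summary) for ev in events if is_incident(ev)[0]]
    queue.sort(key=lambda item: SEVERITY_ORDER[item[0]])
    return queue


# Constructed reports of the kind that reach a help desk or come from monitoring.
REPORTS = [
    Event("help-desk", "file share unreachable, ransom note on FS-01",
          "FS-01 file server", 3, "confirmed", frozenset({"A", "I"})),
    Event("ids", "port scan of DMZ from internet, all probed ports filtered",
          "WEB-01", 2, "unlikely", frozenset({"C"})),
    Event("syslog", "repeated VPN login failures for 3 accounts, lockout triggered",
          "VPN gateway", 2, "possible", frozenset({"C"})),
    Event("help-desk", "printer on floor 2 out of toner", None, 1, "confirmed"),
    Event("ids", "phishing mail with credential-harvesting link delivered to finance",
          "finance mailboxes", 3, "likely", frozenset({"C"})),
]


def demo() -> List[Tuple[str, str]]:
    return triage(REPORTS)


if __name__ == "__main__":
    for sev, what in demo():
        print(f"{sev:8s} {what}")
```

The point of returning the reason string from `is_incident` is that a report which is not an incident still gets documented: the blocked port scan and the toner complaint are closed with a recorded justification rather than silently dropped, which is what the careful training on this slide is meant to produce.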
51. Incident Response Planning (cont’d)
• Incident reaction
– Consists of actions that guide the organization to stop incident,
mitigate its impact, and provide information for recovery
– Actions that must occur quickly:
• Notification of key personnel
• Documentation of the incident
• Incident containment strategies
– Containment of incident’s scope or impact as first priority; must
then determine which information systems are affected
– Organization can stop incident and attempt to recover control through a number of strategies.
52. Incident Response Planning (cont’d)
• Incident recovery
– Once incident has been contained and control of
systems regained, the next stage is recovery.
– The first task is to identify human resources needed
and launch them into action.
– Full extent of the damage must be assessed.
– Organization repairs vulnerabilities, addresses any
shortcomings in safeguards, and restores data and
services of the systems.
53. Incident Response Planning (cont’d)
• Damage assessment
– Several sources of information on damage can be
used, including system logs, intrusion detection logs,
configuration logs and documents, documentation
from incident response, and results of detailed
assessment of systems and data storage.
– Computer evidence must be carefully collected,
documented, and maintained to be usable in formal
or informal proceedings.
– Individuals who assess damage need special
training.
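"Carefully collected, documented, and maintained" has a concrete shape: a manifest that records what was taken from which system, by whom and when, with a cryptographic hash of each item, plus an append-only chain-of-custody record, so that anyone can later re-hash the evidence and show it is unchanged. The block below is an added example, not code from the textbook or any forensic tool; the two log files and their contents are constructed, and the manifest layout is this example's own.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large disk images and logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def collect(paths: List[str], collector: str, manifest_path: str) -> Dict:
    """Record what was collected, by whom, when, and the hash of each item.
    The manifest starts the chain of custody with a 'collected' entry."""
    items = [{"path": os.path.abspath(p), "size": os.path.getsize(p),
              "sha256": sha256_file(p), "collected_at": _now(), "collected_by": collector}
             for p in paths]
    manifest = {"items": items,
                "custody": [{"event": "collected", "by": collector, "at": _now()}]}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def transfer(manifest_path: str, from_person: str, to_person: str, note: str = "") -> Dict:
    """Append a hand-over record; the custody list is only ever appended to."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    manifest["custody"].append({"event": "transferred", "from": from_person,
                                "to": to_person, "note": note, "at": _now()})
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(manifest_path: str) -> List[Tuple[str, bool]]:
    """Re-hash every item; a False entry means the evidence no longer matches
    what was collected and its integrity can no longer be vouched for."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return [(os.path.basename(it["path"]),
             os.path.exists(it["path"]) and sha256_file(it["path"]) == it["sha256"])
            for it in manifest["items"]]


def demo() -> Dict:
    """Collect two constructed log files, hand them over, then show that a
    later modification of one file is caught by verification."""
    with tempfile.TemporaryDirectory() as d:
        syslog = os.path.join(d, "syslog.txt")
        ids = os.path.join(d, "ids-alerts.txt")
        with open(syslog, "w") as f:       # constructed sample content
            f.write("Jun 12 02:14:07 srv01 sshd[812]: Accepted publickey for backup-svc\n")
        with open(ids, "w") as f:          # constructed sample content
            f.write("2024-06-12T02:14:09Z alert: outbound connection to unknown host\n")
        manifest = os.path.join(d, "manifest.json")
        collect([syslog, ids], "analyst-a", manifest)
        transfer(manifest, "analyst-a", "forensics-lab", "sealed bag 17")
        before = verify(manifest)
        with open(syslog, "a") as f:       # simulate an unauthorised change
            f.write("tampered\n")
        after = verify(manifest)
        with open(manifest) as f:
            custody = json.load(f)["custody"]
        return {"before": before, "after": after,
                "custody_events": [c["event"] for c in custody]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as its own storage: in practice it is kept apart from the evidence (or signed), because an attacker who can rewrite both the file and its recorded hash defeats the check. That is also why the people doing this work need the special training the slide mentions.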
54. Incident Response Planning (cont’d)
• Automated response
– Newer systems can respond to an incident threat autonomously.
– Downsides of current automated response systems
may outweigh benefits.
• Legal liabilities of a counterattack
• Ethical issues
55. Disaster Recovery Planning
• Disaster recovery planning (DRP) is preparation for
and recovery from a disaster.
• The contingency planning team must decide which
actions constitute disasters and which constitute
incidents.
• When situations are classified as disasters, plans
change as to how to respond; take action to secure
most valuable assets to preserve value for the
longer term.
• DRP strives to reestablish operations at the
primary site.
56. Business Continuity Planning
• Prepares the organization to reestablish or relocate
critical business operations during a disaster that
affects operations at the primary site
• If disaster has rendered the current location
unusable, there must be a plan to allow business to
continue functioning.
• Development of BCP is somewhat simpler than
IRP or DRP.
– Consists primarily of selecting a continuity strategy
and integrating off-site data storage and recovery
functions into this strategy
57. Business Continuity Planning (cont’d)
• Continuity strategies
– There are a number of strategies for planning for
business continuity.
– Determining factor in selecting between options is
usually cost.
– In general, there are three exclusive-use options: hot sites, warm sites, and cold sites.
– Three shared functions: time-share, service bureaus,
and mutual agreements
58. Business Continuity Planning (cont’d)
• Off-site disaster data storage
– To get sites up and running quickly, an organization
must have the ability to move data into new site’s
systems.
– Options for getting operations up and running
include:
• Electronic vaulting
• Remote journaling
• Database shadowing
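The difference between the three off-site options is how much committed work can be lost when the primary site goes down. As an added example (not code from the textbook), the block below models a primary store that journals every change with a sequence number, a remote site that applies the journal as it is shipped, and a point-in-time vault copy for comparison; it then simulates losing the primary with one journal entry still in flight. The store, the order records, and the shipping lag are constructed; real products differ in transport and format, but the sequence-gap check and the recovery-point comparison are the properties a practitioner cares about.

```python
from typing import Dict, List, Optional, Tuple

Entry = Tuple[int, str, Optional[str]]   # (sequence, key, value) with value None = delete


class Journal:
    """Append-only log of committed changes at the primary site. Each entry
    carries a sequence number so the remote site can detect anything missed."""
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, key: str, value: Optional[str]) -> int:
        seq = len(self.entries) + 1
        self.entries.append((seq, key, value))
        return seq


class Store:
    """A key-value store used for the primary, the remote replica, and the vault copy."""
    def __init__(self) -> None:
        self.data: Dict[str, str] = {}
        self.applied_seq = 0

    def apply(self, seq: int, key: str, value: Optional[str]) -> None:
        # Refuse out-of-order entries: a gap means the replica would silently diverge.
        if seq != self.applied_seq + 1:
            raise ValueError(f"journal gap: expected seq {self.applied_seq + 1}, got {seq}")
        if value is None:
            self.data.pop(key, None)
        else:
            self.data[key] = value
        self.applied_seq = seq


class Primary:
    def __init__(self, journal: Journal) -> None:
        self.store = Store()
        self.journal = journal

    def write(self, key: str, value: Optional[str]) -> None:
        seq = self.journal.append(key, value)   # journal first, then apply locally
        self.store.apply(seq, key, value)


def ship(journal: Journal, remote: Store, lag: int = 0) -> int:
    """Remote journaling: forward every entry after the remote's last applied
    sequence. `lag` simulates entries still in flight when the primary is lost."""
    pending = [e for e in journal.entries if e[0] > remote.applied_seq]
    if lag:
        pending = pending[:-lag] if lag <= len(pending) else []
    for seq, key, value in pending:
        remote.apply(seq, key, value)
    return remote.applied_seq


def vault(store: Store) -> Store:
    """Electronic vaulting: a batch copy taken at one moment in time."""
    copy = Store()
    copy.data = dict(store.data)
    copy.applied_seq = store.applied_seq
    return copy


def gap_detected() -> bool:
    """Show that applying a non-consecutive entry is rejected."""
    s = Store()
    try:
        s.apply(2, "k", "v")
        return False
    except ValueError:
        return True


def demo() -> Dict:
    journal, remote = Journal(), Store()
    primary = Primary(journal)
    primary.write("order:1001", "new")
    primary.write("order:1001", "paid")
    ship(journal, remote)
    nightly = vault(primary.store)                 # batch copy taken here (seq 2)
    primary.write("order:1002", "new")
    primary.write("order:1001", None)              # order 1001 archived: deleted from the live store
    primary.write("order:1003", "new")
    ship(journal, remote, lag=1)                   # disaster strikes with one entry in flight
    lost_journal = [e for e in journal.entries if e[0] > remote.applied_seq]
    lost_vault = len([e for e in journal.entries if e[0] > nightly.applied_seq])
    return {"primary": dict(primary.store.data), "remote": dict(remote.data),
            "remote_seq": remote.applied_seq, "vault": dict(nightly.data),
            "vault_seq": nightly.applied_seq, "lost_after_journal": lost_journal,
            "lost_after_vault": lost_vault}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With journaling the remote site is one transaction behind; with the vault copy it is three behind, and it even still contains a record the primary had deleted. That gap between recovery points is the cost the BCP is trading against the price of the option.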
59. Crisis Management
• Actions taken in response to an emergency to
minimize injury/loss of life, preserve organization’s
image/market share, and complement disaster
recovery/business continuity processes
• What may truly distinguish an incident from a
disaster are the actions of the response teams.
• Disaster recovery personnel must know their roles
without any supporting documentation.
– Preparation
– Training
– Rehearsal
60. Crisis Management (cont’d)
• Crisis management team is responsible for
managing the event from an enterprise perspective
and covers:
– Supporting personnel and families during crisis
– Determining impact on normal business operations
and, if necessary, making disaster declaration
– Keeping the public informed
– Communicating with major customers, suppliers,
partners, regulatory agencies, industry
organizations, the media, and other interested
parties
61. Crisis Management (cont’d)
• Key areas of crisis management also include:
– Verifying personnel head count
– Checking alert roster
– Checking emergency information cards
62. The Consolidated Contingency Plan
• Single document set approach combines all
aspects of contingency policy and plan,
incorporating IR, DR, and BC plans.
• Often created and stored electronically, it should be
easily accessible by employees in time of need.
– Small- and medium-sized organizations may also
store hard copies of the document.
63. Law Enforcement Involvement
• When incident at hand constitutes a violation of
law, the organization may determine involving law
enforcement is necessary.
• Questions:
– When should law enforcement get involved?
– What level of law enforcement agency should be
involved (local, state, federal)?
– What happens when law enforcement agency is
involved?
• Some questions are best answered by the legal
department.
64. Benefits and Drawbacks of Law
Enforcement Involvement
• Involving law enforcement agencies has
advantages:
– Agencies may be better equipped at processing
evidence.
– The organization, acting on its own, may be less effective at extracting the information necessary to legally convict a suspected criminal.
– Law enforcement agencies are prepared to handle
any necessary warrants and subpoenas.
– Law enforcement is skilled at obtaining witness
statements and other information collection.
65. Benefits and Drawbacks of Law
Enforcement Involvement (cont’d)
• Involving law enforcement agencies has
disadvantages:
– Once a law enforcement agency takes over the
case, the organization cannot control the chain of
events.
– The organization may not hear about the case for
weeks or months.
– Equipment vital to the organization’s business may
be tagged as evidence.
– If the organization detects a criminal act, it is legally
obligated to involve appropriate law enforcement
officials.