Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlight opportunities for expanded application for cyber, physical, and personnel security risks. This NIST CSF can help practitioners build a cross-pollenated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certification Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
Main points covered:
• Understanding the inverted economics of cyber security, the incentives for cyber crime and its effect on the growing threat
• Inefficiencies with the traditional approaches to cyber risk assessment and why we are not making more progress in enhancing cyber defenses
• Resetting roles and responsibilities regarding cyber security within organizations
• Developing empirical, cost-effective cyber risk assessments to meet the evolving threat
Our presenter for this webinar is Larry Clinton, the president of the Internet Security Alliance (ISA), a multi-sector association focused on Cybersecurity thought leadership, policy advocacy, and best practices. Mr. Clinton advises both industry and governments around the world. He has twice been listed on the Corporate 100 list of the most influential people in corporate governance. He is the author of The Cyber Risk Handbook for Corporate Boards. PWC has found the use of this Handbook improves cyber budgeting, cyber risk management and helps create a culture of security. The Handbook has been published in the US, Germany, the UK and Latin America. He is currently working on a version for the European Conference of Directors Associations as well as versions for Japan and India. Mr. Clinton also leads ISA, public policy work built around their publication “The Cyber Security Social Contract” which the NATO Center of Cyber Excellence in Estonia asked for a briefing on.
Recorded Webinar: https://www.youtube.com/watch?v=8qVtoqi37X8
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlight opportunities for expanded application for cyber, physical, and personnel security risks. This NIST CSF can help practitioners build a cross-pollenated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certification Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
Main points covered:
• Understanding the inverted economics of cyber security, the incentives for cyber crime and its effect on the growing threat
• Inefficiencies with the traditional approaches to cyber risk assessment and why we are not making more progress in enhancing cyber defenses
• Resetting roles and responsibilities regarding cyber security within organizations
• Developing empirical, cost-effective cyber risk assessments to meet the evolving threat
Our presenter for this webinar is Larry Clinton, the president of the Internet Security Alliance (ISA), a multi-sector association focused on Cybersecurity thought leadership, policy advocacy, and best practices. Mr. Clinton advises both industry and governments around the world. He has twice been listed on the Corporate 100 list of the most influential people in corporate governance. He is the author of The Cyber Risk Handbook for Corporate Boards. PWC has found the use of this Handbook improves cyber budgeting, cyber risk management and helps create a culture of security. The Handbook has been published in the US, Germany, the UK and Latin America. He is currently working on a version for the European Conference of Directors Associations as well as versions for Japan and India. Mr. Clinton also leads ISA, public policy work built around their publication “The Cyber Security Social Contract” which the NATO Center of Cyber Excellence in Estonia asked for a briefing on.
Recorded Webinar: https://www.youtube.com/watch?v=8qVtoqi37X8
One of the most critical aspects of safeguarding the IT assets of any corporation is dealing with the Insider's Threat. With so many diversified IT components, it is a real challenge to design an effective IT security strategy. It is critical to recognize this particular threat and take countermeasures to protect your assets. So, this webinar covers: Insider threats, how to mitigate insider threats, how to design an effective IT security strategy, and how to protect your assets.
Main points covered:
• Insider threats
• How to design an effective IT security strategy
• How to protect your assets
Presenter:
The webinar was hosted by Demetris Kachulis. Mr. Kachulis is an expert in the field of Information Security. With over 20 years of Wall Street consulting experience, he has worked with many Fortune 500 companies. He is currently the director of Eldion Consulting, a company offering Security, Trainings and Business solutions.
Link of the recorded session published on YouTube: https://youtu.be/hXe5HHjnBeU
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history about why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers potential benefits of Framework, and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and future direction of the Framework program.
Insight is one of the best security operation center that influences all the necessary things that reduce the advanced threats and security risk all over your company and protects your network infrastructure across the organization. https://insightmsp.co.in/soc-as-service.php
What is the NIST Cybersecurity Framework?
Why YOU should care?
How would I apply it?
Would you drive BLINDFOLDED?
A false sense of security?
Without a Security Framework…
Why Cyber Security Framework?
How would I measure my effectiveness?
This is the Fourth Chapter of Cisco Cyber Security Essentials course Which discusses the implementation aspects of Confidentiality via Encryption, Access Control Techniques
Layered Security / Defense in Depth
One area that I have found that even seasoned security professionals have a problem with articulating is layered security (defense in depth). Most are familiar with their area of expertise (servers, networks, pen testing, etc.), but have never viewed security as a heterogeneous process. In my presentation I use a layered diagram to highlight what controls are in what layers, what controls interact across layers, and what a complete layered security model would look like vs. what a more typical company security model does look like.
Nathan Shepard
CISSP, CISM, CRISC, CISA
33 Years in IT.
21 Years in Information Security.
Information Security consulting at the corporate governance level.
Information Security management for outsourced InfoSec delivery.
This is about the lessons in Information, Assurance and Security. Complete module 3of lesson 7 are there so you could learn more about it. And may found helpful with your assignments, activities or etc.
One of the most critical aspects of safeguarding the IT assets of any corporation is dealing with the Insider's Threat. With so many diversified IT components, it is a real challenge to design an effective IT security strategy. It is critical to recognize this particular threat and take countermeasures to protect your assets. So, this webinar covers: Insider threats, how to mitigate insider threats, how to design an effective IT security strategy, and how to protect your assets.
Main points covered:
• Insider threats
• How to design an effective IT security strategy
• How to protect your assets
Presenter:
The webinar was hosted by Demetris Kachulis. Mr. Kachulis is an expert in the field of Information Security. With over 20 years of Wall Street consulting experience, he has worked with many Fortune 500 companies. He is currently the director of Eldion Consulting, a company offering Security, Trainings and Business solutions.
Link of the recorded session published on YouTube: https://youtu.be/hXe5HHjnBeU
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history about why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers potential benefits of Framework, and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and future direction of the Framework program.
Insight is one of the best security operation center that influences all the necessary things that reduce the advanced threats and security risk all over your company and protects your network infrastructure across the organization. https://insightmsp.co.in/soc-as-service.php
What is the NIST Cybersecurity Framework?
Why YOU should care?
How would I apply it?
Would you drive BLINDFOLDED?
A false sense of security?
Without a Security Framework…
Why Cyber Security Framework?
How would I measure my effectiveness?
This is the Fourth Chapter of Cisco Cyber Security Essentials course Which discusses the implementation aspects of Confidentiality via Encryption, Access Control Techniques
Layered Security / Defense in Depth
One area that I have found that even seasoned security professionals have a problem with articulating is layered security (defense in depth). Most are familiar with their area of expertise (servers, networks, pen testing, etc.), but have never viewed security as a heterogeneous process. In my presentation I use a layered diagram to highlight what controls are in what layers, what controls interact across layers, and what a complete layered security model would look like vs. what a more typical company security model does look like.
Nathan Shepard
CISSP, CISM, CRISC, CISA
33 Years in IT.
21 Years in Information Security.
Information Security consulting at the corporate governance level.
Information Security management for outsourced InfoSec delivery.
This is about the lessons in Information, Assurance and Security. Complete module 3of lesson 7 are there so you could learn more about it. And may found helpful with your assignments, activities or etc.
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docxjoellemurphey
RISK MITIGATION AND THREAT IDENTIFICATION
Introduction
Information security in a modern organization exists primarily to manage information technology
(IT) risk. Managing risk is one of the key responsibilities of every manager within an
organization. In any well-developed risk management program, two formal processes are at
work. The first, risk identification and assessment, is discussed in this chapter; the second,
risk control, is the subject of the next chapter.
Each manager in the organization, regardless of his or her affiliation with one of the three
communities of interest, should focus on reducing risk as follows:
● General management must structure the IT and information security functions in ways
that will result in the successful defense of the organization’s information assets,
including data, hardware, software, procedures, and people.
● IT management must serve the information technology needs of the broader organization
and at the same time exploit the special skills and insights of the information
security community.
● Information security management must lead the way with skill, professionalism, and
flexibility as it works with the other communities of interest to balance the constant
trade-offs between information system utility and security.
Risk Management
If you know the enemy and know yourself, you need not fear the result of a hundred
battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you
will succumb in every battle.1
Accountability for Risk Management
All three communities of interest bear responsibility for the management of risks, and each
has a particular strategic role to play.
● Information security: Because members of the information security community best
understand the threats and attacks that introduce risk, they often take a leadership
role in addressing risk.
● Information technology: This group must help to build secure systems and ensure their
safe operation. For example, IT builds and operates information systems that are mindful
of operational risks and have proper controls implemented to reduce risk.
Management and users: When properly trained and kept aware of the threats faced by
the organization, this group plays a part in the early detection and response process.
Members of this community also ensure that sufficient resources (money and personnel)
are allocated to the information security and information technology groups to
meet the security needs of the organization. For example, business managers must
ensure that supporting records for orders remain intact in case of data entry error
or transaction corruption. Users must be made aware of threats to data and systems,
and educated on practices that minimize those threats.
All three communities of interest must work together to address every level of risk, ranging
from full-scale disasters (whether natural or human-made) to the smallest mistake ...
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
Are you effectively securing your organization’s IT systems that store, process, or transmit organizational information?
Is your IT risk management plan tailored to the specific risk profile of your business and being coordinated across all functional and business units?
With the release of IT Governance frameworks, requirements for risk management and new international standards entering the market, the pressure is mounting to ensure that all your IT risks are identified and the necessary action is taken – be this to mitigate them, accept or ignore them. So, how safe is your IT system? What are the risks that your organization is being exposed to?
The solution to this challenge is to establish an effective risk management process that protects the organization, not just its IT assets, and provides it with the ability to perform its mission.
Risk management is the process of identifying and assessing risk and taking preventive measures to reduce it to an acceptable level. It is critical that you develop an effective risk management program that assesses and mitigates risks within your IT systems and better manages these IT-related mission risks.
BENEFITS OF ATTENDING THIS WORKSHOP
Identify common IT project risks
Learn how to assess threats and vulnerabilities to create a risk response strategy
Understand what qualifies as risk with IT projects
Understand the most common IT risk sources
Qualify and quantify IT risks
Learn the difference between negative and positive IT risks
Develop an IT risk management plan
Plan risk response methods for IT risks
Create risk mitigation and contingency plans
Monitor and control project risks
Overcome resistance from stakeholders and team members
WHO SHOULD ATTEND THIS WORKSHOP
IT risk managers
IT security managers
Compliance officers
Program and project managers
IT project managers
IT operation manager
Contact Kris at kris@360bsi.com to register.
Chapter 1The International Information Systems Security Certifi.docxcravennichole326
Chapter 1
The International Information Systems Security Certification Consortium (ISC)2 Common Body of Knowledge (CBK) defines the key areas of knowledge for Information Security Gov- ernance and Risk Management in this way:
The Information Security Governance and Risk Management domain entails the identification of an organization’s information assets and the development, documentation, implementation and updating of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and to rate their vulnerabilities so that effective security measures and controls can be implemented.
The candidate is expected to understand the planning, organization, roles and responsibilities of individuals in identifying and securing an organization’s information assets; the development and use of policies stating management’s views and position on particular topics and the use of guidelines, standards, and procedures to support the policies; security training to make employ- ees aware of the importance of information security, its significance, and the specific security- related requirements relative to their position; the importance of confidentiality, proprietary and private information; third-party management and service level agreements related to infor- mation security; employment agreements; employee hiring and termination practices; and risk management practices and tools to identify, rate, and reduce the risk to specific resources.
Key areas of knowledge:
Understand and align security function to goals, mission, and objectives of the organization
Understand and apply security governance
Understand and apply concepts of confidentiality, integrity, and availability
Develop and implement security policy
Manage the information life cycle (e.g., classification, categorization, and ownership)
Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review)
Understand and apply risk management concepts Manage personnel security Develop and manage security education, training, and awareness Manage the security function
Even though this domain is positioned as number 3 in the Certified Information Systems Secu- rity Professional (CISSP) common body of knowledge, it is placed first in this book because all security activities should take place as a result of security and risk management processes.
Organizational Purpose
In order to protect an organization’s assets, it is first necessary to understand several basic characteristics of the organization, including its goals, mission, and objectives. All of these are statements that define what the organization desires to achieve and how it will proceed to achieve them. These three terms are described in more detail as follows:
(Gregory 2)
Gregory, Peter. CISSP Guide to Security Essentials, 2nd Edi ...
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
Read| The latest issue of The Challenger is here! We are thrilled to announce that our school paper has qualified for the NATIONAL SCHOOLS PRESS CONFERENCE (NSPC) 2024. Thank you for your unwavering support and trust. Dive into the stories that made us stand out!
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
1. Principles of Information Security,
Fifth Edition
Chapter 5
Risk Management
Lesson 1 – Risk
Management
2. Learning Objectives
• Upon completion of this material, you should be
able to:
– Define risk management, risk identification, and risk
control
– Describe how risk is identified and assessed
– Assess risk based on probability of occurrence and
likely impact
– Explain the fundamental aspects of documenting risk
via the process of risk assessment
Principles of Information Security, Fifth Edition 2
3. Learning Objectives (cont’d)
– Describe the various risk mitigation strategy options
– Identify the categories that can be used to classify
controls
– Discuss conceptual frameworks for evaluating risk
controls and formulate a cost-benefit analysis
Principles of Information Security, Fifth Edition 3
4. Introduction
• Organizations must design and create safe
environments in which business processes and
procedures can function.
• Risk management: the process of identifying,
assessing, and reducing risks facing an organization
• Risk identification: the enumeration and
documentation of risks to an organization’s
information assets
• Risk control: the application of controls that reduce
the risks to an organization’s assets to an acceptable
level
Principles of Information Security, Fifth Edition 4
5. An Overview of Risk Management
• Know yourself: identify, examine, and understand
the information and systems currently in place
• Know the enemy: identify, examine, and
understand the threats facing the organization
• Responsibility of each community of interest within
an organization to manage the risks that are
encountered
Principles of Information Security, Fifth Edition 5
7. The Roles of the Communities of
Interest
• Information security, management and users, and
information technology all must work together.
• Communities of interest are responsible for:
– Evaluating the risk controls
– Determining which control options are cost effective
for the organization
– Acquiring or installing the needed controls
– Ensuring that the controls remain effective
Principles of Information Security, Fifth Edition 7
8. Risk Appetite and Residual Risk
• Risk appetite: It defines the quantity and nature of risk
that organizations are willing to accept as trade-offs
between perfect security and unlimited accessibility.
– Reasoned approach is one that balances the expense
of controlling vulnerabilities against possible losses if
the vulnerabilities are exploited.
• Residual risk: risk that has not been completely
removed, shifted, or planned for
– The goal of information security is to bring residual risk
into line with risk appetite.
Principles of Information Security, Fifth Edition 8
10. Risk Identification
• Risk management involves identifying, classifying,
and prioritizing an organization’s assets.
• A threat assessment process identifies and
quantifies the risks facing each asset.
Principles of Information Security, Fifth Edition 10
12. Plan and Organize the Process
• The first step in the risk identification process is to
follow your project management principles.
• Begin by organizing a team with representation
across all affected groups.
• The process must then be planned out.
– Periodic deliverables
– Reviews
– Presentations to management
• Tasks laid out, assignments made, and timetables
discussed
Principles of Information Security, Fifth Edition 12
13. Identifying, Inventorying, and
Categorizing Assets
• Iterative process: Begins with the identification and
inventory of assets, including all elements of an
organization’s system (people, procedures, data
and information, software, hardware, networking)
• Assets are then categorized.
Principles of Information Security, Fifth Edition 13
15. People, Procedures, and Data Asset
Identification
• Human resources, documentation, and data
information assets are more difficult to identify.
• Important asset attributes:
– People: position name/number/ID; supervisor;
security clearance level; special skills
– Procedures: description; intended purpose; relation
to software/hardware/networking elements; storage
location for reference; storage location for update
– Data: classification; owner/creator/manager; data
structure size; data structure used; online/offline;
location; backup procedures employed
Principles of Information Security, Fifth Edition 15
16. Hardware, Software, and Network
Asset Identification
• What information attributes to track depends on:
– Needs of organization/risk management efforts
– Preferences/needs of the security and information
technology communities
• Asset attributes to be considered are name, IP
address, MAC address, element type, serial
number, manufacturer name, model/part number,
software version, physical or logical location, and
controlling entity.
Principles of Information Security, Fifth Edition 16
17. Asset Inventory
• Unless information assets are identified and
inventoried, they cannot be effectively protected.
• Inventory process involves formalizing the
identification process in some form of organizational
tool.
• Automated tools can sometimes identify the system
elements that make up hardware, software, and
network components.
Principles of Information Security, Fifth Edition 17
18. Asset Categorization
• People comprise employees and nonemployees.
• Procedures either do not expose knowledge useful to
a potential attacker or are sensitive and could allow
adversary to gain advantage.
• Data components account for the management of
information in transmission, processing, and storage.
• Software components are applications, operating
systems, or security components.
• Hardware: either the usual system devices and
peripherals or part of information security control
systems
Principles of Information Security, Fifth Edition 18
19. Classifying, Valuing, and Prioritizing
Information Assets
• Many organizations have data classification
schemes (e.g., confidential, internal, public data).
• Classification of components must be specific
enough to enable the determination of priority levels.
• Categories must be comprehensive and mutually
exclusive.
Principles of Information Security, Fifth Edition 19
20. Data Classification and Management
• Variety of classification schemes are used by
corporate and military organizations.
• Information owners are responsible for classifying
their information assets.
• Information classifications must be reviewed
periodically.
• Classifications include confidential, internal, and
external.
Principles of Information Security, Fifth Edition 20
21. Data Classification and Management
(cont’d)
• Security clearances
– Each data user must be assigned authorization level
indicating classification level.
– Before accessing specific set of data, the employee
must meet the need-to-know requirement.
• Management of classified data includes storage,
distribution, transportation, and destruction.
• Clean desk policy
• Dumpster diving
Principles of Information Security, Fifth Edition 21