Lesson 2 - System Specific Policy
•Download as PPT, PDF•
0 likes•78 views
The document discusses systems-specific policies (SysSPs) which provide guidance and technical specifications for configuring and maintaining systems. SysSPs fall into managerial guidance or technical specifications categories. Access control lists and configuration rule policies are examples of technical specifications. Effective policy management requires a responsible manager, regular reviews, and an issuance process. Security frameworks like the Information Security Blueprint, ISO 27000, and NIST publications provide guidance for developing comprehensive organizational security policies and programs.
Report
Share
Report
Share
Recommended
Information Assurance And Security - Chapter 1 - Lesson 4
This document discusses principles of software design for information security. It summarizes key software design principles identified by Saltzer and Schroeder, including least privilege and separation of duties. It also outlines the National Institute of Standards and Technology's (NIST) approach to securing the software development lifecycle (SDLC), which involves integrating security early and conducting activities like risk assessments and testing at each phase. Finally, it describes various security roles in an organization, including the chief information security officer, security project team, data owners and custodians, and communities of interest.
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
As an information security professional, it is your role to take on the cybersecurity challenges in your organization. That is where a solid understanding of Risk Management comes in. Risk Management is a lot like a chess game. To succeed you need to understand the risks ahead and be able to plot future scenarios, to weigh up the relative impacts and then plan accordingly. Scroll through this slideshare to learn about 4 essential frameworks.
Lesson 2
This document discusses systems-specific security policies and various frameworks for developing comprehensive organizational security policies. It describes how systems-specific policies provide technical specifications and managerial guidance for configuring systems. It also outlines frameworks from NIST, ISO, and other sources that provide guidance on developing an overall information security strategy through security policies, education, and controls. Key aspects discussed include policy management, the information security blueprint, and the NIST Cybersecurity Framework.
Chapter 5
This document discusses information security policies, standards, and practices. It explains the different types of security policies an organization may have, including general security policies, issue-specific policies, and system-specific policies. It emphasizes the importance of management support for security policies and outlines the key components of an information security blueprint, including management controls, operational controls, and technical controls. The document also discusses the importance of security education, training, and awareness programs to ensure all employees understand and comply with security policies and procedures.
Information security policy_2011
The document discusses developing effective information security policies through a multi-step process. It begins with defining different types of policies like enterprise, issue-specific, and systems-specific policies. It then outlines the key phases to developing policies which include investigation, analysis, design, implementation, and maintenance. Specific guidance is provided for each phase, such as conducting a risk assessment in investigation and specifying enforcement in design. Effective policy development requires planning, funding, participation from stakeholders, and periodic reviews.
Nist 800 53 deep dive 20210813
This document discusses strategies for implementing the National Institute of Standards and Technology's (NIST) cybersecurity control families. It recommends prioritizing the top six critical control families in Phase 1, which include configuration management, access control, awareness and training, media protection, and risk assessment. Phase 2 involves following up on the remaining NIST control families. The document also discusses balancing cybersecurity with business goals, gaining cross-organizational buy-in, and juggling priorities by leveraging different organizational teams.
Lesson 1 - Introduction
The document discusses the need for information security in organizations. It states that the primary mission of an information security program is to ensure information assets remain safe and useful. It then outlines four important functions of information security for organizations: protecting the organization's ability to function, protecting the data and information it collects and uses, enabling the safe operation of applications, and safeguarding technology assets. Finally, it emphasizes that implementing information security is as much about management as it is about technology.
Information Security Blueprint
The document discusses the components of an information security blueprint, including policies, standards, practices, and a security education program. It describes developing an enterprise security policy and issue-specific policies. The blueprint provides a plan for security controls, technologies, and training to ensure the organization's information is protected. It is the basis for designing and implementing all aspects of the security program.
Recommended
Information Assurance And Security - Chapter 1 - Lesson 4
This document discusses principles of software design for information security. It summarizes key software design principles identified by Saltzer and Schroeder, including least privilege and separation of duties. It also outlines the National Institute of Standards and Technology's (NIST) approach to securing the software development lifecycle (SDLC), which involves integrating security early and conducting activities like risk assessments and testing at each phase. Finally, it describes various security roles in an organization, including the chief information security officer, security project team, data owners and custodians, and communities of interest.
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
As an information security professional, it is your role to take on the cybersecurity challenges in your organization. That is where a solid understanding of Risk Management comes in. Risk Management is a lot like a chess game. To succeed you need to understand the risks ahead and be able to plot future scenarios, to weigh up the relative impacts and then plan accordingly. Scroll through this slideshare to learn about 4 essential frameworks.
Lesson 2
This document discusses systems-specific security policies and various frameworks for developing comprehensive organizational security policies. It describes how systems-specific policies provide technical specifications and managerial guidance for configuring systems. It also outlines frameworks from NIST, ISO, and other sources that provide guidance on developing an overall information security strategy through security policies, education, and controls. Key aspects discussed include policy management, the information security blueprint, and the NIST Cybersecurity Framework.
Chapter 5
This document discusses information security policies, standards, and practices. It explains the different types of security policies an organization may have, including general security policies, issue-specific policies, and system-specific policies. It emphasizes the importance of management support for security policies and outlines the key components of an information security blueprint, including management controls, operational controls, and technical controls. The document also discusses the importance of security education, training, and awareness programs to ensure all employees understand and comply with security policies and procedures.
Information security policy_2011
The document discusses developing effective information security policies through a multi-step process. It begins with defining different types of policies like enterprise, issue-specific, and systems-specific policies. It then outlines the key phases to developing policies which include investigation, analysis, design, implementation, and maintenance. Specific guidance is provided for each phase, such as conducting a risk assessment in investigation and specifying enforcement in design. Effective policy development requires planning, funding, participation from stakeholders, and periodic reviews.
Nist 800 53 deep dive 20210813
This document discusses strategies for implementing the National Institute of Standards and Technology's (NIST) cybersecurity control families. It recommends prioritizing the top six critical control families in Phase 1, which include configuration management, access control, awareness and training, media protection, and risk assessment. Phase 2 involves following up on the remaining NIST control families. The document also discusses balancing cybersecurity with business goals, gaining cross-organizational buy-in, and juggling priorities by leveraging different organizational teams.
Lesson 1 - Introduction
The document discusses the need for information security in organizations. It states that the primary mission of an information security program is to ensure information assets remain safe and useful. It then outlines four important functions of information security for organizations: protecting the organization's ability to function, protecting the data and information it collects and uses, enabling the safe operation of applications, and safeguarding technology assets. Finally, it emphasizes that implementing information security is as much about management as it is about technology.
Information Security Blueprint
The document discusses the components of an information security blueprint, including policies, standards, practices, and a security education program. It describes developing an enterprise security policy and issue-specific policies. The blueprint provides a plan for security controls, technologies, and training to ensure the organization's information is protected. It is the basis for designing and implementing all aspects of the security program.
Lesson 3
The document discusses information security system implementation and certification. It explains how an organization's security blueprint becomes a project plan, addressing organizational considerations. A project manager plays a key role in successfully implementing complex security projects using technical strategies and models. Organizations face nontechnical challenges when implementing rapid security changes and must certify systems through processes like NIST and ISO to verify security controls meet requirements.
Lesson 1- Information Policy
This document discusses information security planning and contingency planning. It covers developing information security policies, standards, and practices as the foundation for an information security program. It also discusses creating an information security blueprint, implementing security education and training programs, and developing incident response, disaster recovery, and business continuity plans. The goal is to plan strategically for security and have contingencies in place to prepare for potential business disruptions.
Lesson 3- Fair Approach
This document discusses risk management and outlines the FAIR approach to risk assessment. It describes identifying risks, evaluating frequency and magnitude of losses, and deriving risk. Five strategies for controlling risks are discussed: defend, transfer, mitigate, accept, and terminate. Metrics and best practices for risk management are also presented.
Information Assurance And Security - Chapter 1 - Lesson 3
The document discusses the phases of the security systems development life cycle (SecSDLC). It describes the traditional SDLC phases of investigation, analysis, logical design, physical design, implementation, and maintenance/change. These same phases are then adapted for SecSDLC, with each phase focusing on identifying threats and creating controls. Additionally, the document introduces the concept of software assurance, which aims to include security planning across the entire SDLC process to develop more secure systems.
Understanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize
The document outlines a system inventory process to categorize an organization's information systems. It involves identifying general support systems and applications, classifying them based on information sensitivity and criticality, determining major applications, and publishing the inventory for review. Key terms defined include general support system, major application, and information system. The process helps organizations understand and protect sensitive data types by properly inventorying and categorizing automated information resources.
Network security and policies
Network policies and security measures are needed to properly manage networks and protect systems and data. Client-server networks have servers that handle data storage and login requests while clients access this data. Peer-to-peer networks have equal sharing between computers. Disaster recovery plans are important in case systems fail, and backups ensure data can be restored if storage devices fail. Network managers must implement passwords, encryption, and user restrictions to secure systems, but new technologies have made networks harder to lock down as hackers can more easily exploit vulnerabilities.
Security
The document outlines security policies for the development and maintenance of an information system. It discusses:
1) Integrating information security into the system development lifecycle to protect test data.
2) Requirements for secure development including security controls in the development environment, software lifecycle, and design phases.
3) Restrictions on changes to software packages, requiring support from vendors and ensuring compatibility.
4) The need for secure system engineering principles, security design in all architecture layers, and regular review of security risks and the design.
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Part 7 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Part 8 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Part 3 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Security Policies
The document discusses security policies, mechanisms, and formal languages for expressing policies. It covers types of security policies like confidentiality and integrity policies. It also discusses policy models, access control types, and examples of formal policy languages like DTEL that use domains and types to constrain access. Trust assumptions in formal methods are outlined, and the relationship between secure and precise enforcement mechanisms is discussed.
Lesson 1- Risk Managment
This document discusses risk management and risk identification from the fifth edition of the textbook "Principles of Information Security". It outlines the learning objectives which are to define key risk management terms, describe how to identify and assess risk, explain how to document risk assessments, and discuss risk mitigation strategies. It then covers introducing risk management concepts, providing an overview of the risk management process, and detailing the steps involved in risk identification which include planning, inventorying and categorizing assets, and classifying information assets.
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
The sooner or the later, I guess the Japanese privacy mark certifications (Pマーク)would be replaced with ISO27701 extension to ISMS one for many entities not to compromise GDPR.
Conformity to ISMS extension would be relevant to ISMAP政府情報システムのためのクラウドセキュリティ評価制度 for cloud service providers process PII.
A credit card number would be Personally Identifiable Information(PII). ISO27701, ISO27017, and ISO27018 are partially relevant to PCI DSS.
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Part 9 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
Part 13 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Part 10 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Guide for Applying The Risk Management Framework to Federal Information Systems
This document provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The RMF is a six-step process for integrating security and risk management activities into the system development life cycle. The six steps are: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls. Applying the RMF helps ensure security controls are built into systems and risks are managed on an ongoing basis through activities such as continuous monitoring. The document is intended for individuals involved in system development, security, and risk management.
Information Assurance And Security - Chapter 2 - Lesson 1
The document discusses the need for information security in organizations. It states that the primary mission of an information security program is to ensure information assets remain safe and useful. It then outlines four important functions of information security for organizations: protecting the organization's ability to function, protecting the data and information it collects and uses, enabling the safe operation of applications, and safeguarding technology assets. Finally, it emphasizes that implementing information security is as much about management as it is about technology.
Lesson 2
This document discusses the need for project management in information security projects. It explains that most information security projects require a trained project manager or skilled IT manager to oversee implementation. The project manager's role is crucial to the success of complex security projects. The document also outlines technical and non-technical considerations for implementing a project plan, such as conversion strategies, change management processes, and organizational readiness for change.
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
The document discusses the Risk Management Framework (RMF) process for authorizing information systems and maintaining ongoing security authorization. It outlines the six steps of the RMF process - Categorize, Select, Implement, Assess, Authorize, Monitor. The ultimate goal is to achieve ongoing authorization where the authorizing official has sufficient knowledge of the system's security state to determine if continued operation is acceptable based on ongoing risk assessments. Any changes to the system may change the risk, and the RMF process includes tasks for evaluating changes and their impact on risk.
Lesson 1
This document discusses information security planning and outlines several frameworks for developing an information security program, including policies, standards, and a security blueprint. It describes management's role in developing these elements and how to implement education and training programs. Contingency planning is also discussed to prepare for incidents and disruptions. Frameworks covered include the ISO 27000 series, NIST models and cybersecurity framework, and other sources for developing a layered security architecture.
Khas bank isms 3 s
1. The document discusses updating information security standards from ISO 27001:2005 to ISO 27001:2013, including revising 12 clauses, improving risk management, and enhancing information security management.
2. It provides an outline for improving information security management by updating strategies, policies, procedures and introducing new security practices and technologies.
3. Selecting best practices from other frameworks requires considering how similar an organization is to the target in terms of industry, challenges, resources, and structure. Adopting applicable guidelines can help improve information security.
More Related Content
What's hot
Lesson 3
The document discusses information security system implementation and certification. It explains how an organization's security blueprint becomes a project plan, addressing organizational considerations. A project manager plays a key role in successfully implementing complex security projects using technical strategies and models. Organizations face nontechnical challenges when implementing rapid security changes and must certify systems through processes like NIST and ISO to verify security controls meet requirements.
Lesson 1- Information Policy
This document discusses information security planning and contingency planning. It covers developing information security policies, standards, and practices as the foundation for an information security program. It also discusses creating an information security blueprint, implementing security education and training programs, and developing incident response, disaster recovery, and business continuity plans. The goal is to plan strategically for security and have contingencies in place to prepare for potential business disruptions.
Lesson 3- Fair Approach
This document discusses risk management and outlines the FAIR approach to risk assessment. It describes identifying risks, evaluating frequency and magnitude of losses, and deriving risk. Five strategies for controlling risks are discussed: defend, transfer, mitigate, accept, and terminate. Metrics and best practices for risk management are also presented.
Information Assurance And Security - Chapter 1 - Lesson 3
The document discusses the phases of the security systems development life cycle (SecSDLC). It describes the traditional SDLC phases of investigation, analysis, logical design, physical design, implementation, and maintenance/change. These same phases are then adapted for SecSDLC, with each phase focusing on identifying threats and creating controls. Additionally, the document introduces the concept of software assurance, which aims to include security planning across the entire SDLC process to develop more secure systems.
Understanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize
The document outlines a system inventory process to categorize an organization's information systems. It involves identifying general support systems and applications, classifying them based on information sensitivity and criticality, determining major applications, and publishing the inventory for review. Key terms defined include general support system, major application, and information system. The process helps organizations understand and protect sensitive data types by properly inventorying and categorizing automated information resources.
Network security and policies
Network policies and security measures are needed to properly manage networks and protect systems and data. Client-server networks have servers that handle data storage and login requests while clients access this data. Peer-to-peer networks have equal sharing between computers. Disaster recovery plans are important in case systems fail, and backups ensure data can be restored if storage devices fail. Network managers must implement passwords, encryption, and user restrictions to secure systems, but new technologies have made networks harder to lock down as hackers can more easily exploit vulnerabilities.
Security
The document outlines security policies for the development and maintenance of an information system. It discusses:
1) Integrating information security into the system development lifecycle to protect test data.
2) Requirements for secure development including security controls in the development environment, software lifecycle, and design phases.
3) Restrictions on changes to software packages, requiring support from vendors and ensuring compatibility.
4) The need for secure system engineering principles, security design in all architecture layers, and regular review of security risks and the design.
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Part 7 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Part 8 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Part 3 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Security Policies
The document discusses security policies, mechanisms, and formal languages for expressing policies. It covers types of security policies like confidentiality and integrity policies. It also discusses policy models, access control types, and examples of formal policy languages like DTEL that use domains and types to constrain access. Trust assumptions in formal methods are outlined, and the relationship between secure and precise enforcement mechanisms is discussed.
Lesson 1- Risk Managment
This document discusses risk management and risk identification from the fifth edition of the textbook "Principles of Information Security". It outlines the learning objectives which are to define key risk management terms, describe how to identify and assess risk, explain how to document risk assessments, and discuss risk mitigation strategies. It then covers introducing risk management concepts, providing an overview of the risk management process, and detailing the steps involved in risk identification which include planning, inventorying and categorizing assets, and classifying information assets.
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
The sooner or the later, I guess the Japanese privacy mark certifications (Pマーク)would be replaced with ISO27701 extension to ISMS one for many entities not to compromise GDPR.
Conformity to ISMS extension would be relevant to ISMAP政府情報システムのためのクラウドセキュリティ評価制度 for cloud service providers process PII.
A credit card number would be Personally Identifiable Information(PII). ISO27701, ISO27017, and ISO27018 are partially relevant to PCI DSS.
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Part 9 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
Part 13 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Part 10 of 15 covering NIST Risk Management Framework (RMF) and (ISC)2 Certified Authorization Professional (CAP).
Guide for Applying The Risk Management Framework to Federal Information Systems
This document provides guidelines for applying the Risk Management Framework (RMF) to federal information systems. The RMF is a six-step process for integrating security and risk management activities into the system development life cycle. The six steps are: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls. Applying the RMF helps ensure security controls are built into systems and risks are managed on an ongoing basis through activities such as continuous monitoring. The document is intended for individuals involved in system development, security, and risk management.
Information Assurance And Security - Chapter 2 - Lesson 1
The document discusses the need for information security in organizations. It states that the primary mission of an information security program is to ensure information assets remain safe and useful. It then outlines four important functions of information security for organizations: protecting the organization's ability to function, protecting the data and information it collects and uses, enabling the safe operation of applications, and safeguarding technology assets. Finally, it emphasizes that implementing information security is as much about management as it is about technology.
Lesson 2
This document discusses the need for project management in information security projects. It explains that most information security projects require a trained project manager or skilled IT manager to oversee implementation. The project manager's role is crucial to the success of complex security projects. The document also outlines technical and non-technical considerations for implementing a project plan, such as conversion strategies, change management processes, and organizational readiness for change.
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
The document discusses the Risk Management Framework (RMF) process for authorizing information systems and maintaining ongoing security authorization. It outlines the six steps of the RMF process - Categorize, Select, Implement, Assess, Authorize, Monitor. The ultimate goal is to achieve ongoing authorization where the authorizing official has sufficient knowledge of the system's security state to determine if continued operation is acceptable based on ongoing risk assessments. Any changes to the system may change the risk, and the RMF process includes tasks for evaluating changes and their impact on risk.
What's hot (20)
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3
Understanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize
Understanding the Risk Management Framework & (ISC)2 CAP Module 6: Categorize
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 7: Select Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 8: Implement ...
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Understanding the Risk Management Framework & (ISC)2 CAP Module 3: Roles
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 9: Assess Con...
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
Understanding the Risk Management Framework & (ISC)2 CAP Module 13: Contingen...
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Guide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information Systems
Information Assurance And Security - Chapter 2 - Lesson 1
Information Assurance And Security - Chapter 2 - Lesson 1
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
Understanding the Risk Management Framework & (ISC)2 CAP Module 11: Monitor
Similar to Lesson 2 - System Specific Policy
Lesson 1
This document discusses information security planning and outlines several frameworks for developing an information security program, including policies, standards, and a security blueprint. It describes management's role in developing these elements and how to implement education and training programs. Contingency planning is also discussed to prepare for incidents and disruptions. Frameworks covered include the ISO 27000 series, NIST models and cybersecurity framework, and other sources for developing a layered security architecture.
Khas bank isms 3 s
1. The document discusses updating information security standards from ISO 27001:2005 to ISO 27001:2013, including revising 12 clauses, improving risk management, and enhancing information security management.
2. It provides an outline for improving information security management by updating strategies, policies, procedures and introducing new security practices and technologies.
3. Selecting best practices from other frameworks requires considering how similar an organization is to the target in terms of industry, challenges, resources, and structure. Adopting applicable guidelines can help improve information security.
Info.ppt
This document discusses information security management. It covers topics such as security principles, policies, roles and responsibilities, information classification, and risk management. Organizational security policies provide guidelines for protecting information assets and define roles like executive management, information security professionals, system owners and custodians, users, and auditors. Standards, procedures, baselines and guidelines support policy implementation.
Security policy and standards
The document discusses guidelines for developing effective information security policies. It describes the importance of policy and outlines three types of policies: enterprise security policies, issue-specific policies, and system-specific policies. It emphasizes that policies should be properly disseminated, understood, and agreed upon. Effective policy development involves planning, analysis of needs and risks, design, implementation, and processes for ongoing maintenance.
L4 RMF Phase 3 Select.pptx
This document outlines the process for selecting, tailoring, allocating, documenting, and monitoring security controls for an information system. It discusses selecting an initial control baseline, tailoring the controls, allocating controls to the system or common controls, documenting controls in a security plan, developing a continuous monitoring strategy, and getting the security plan approved. The goal is to establish an effective risk management process for the system's security controls.
create your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Publication 800-14 and
Evaluate and apply NIST SP 800-26.
Solution
NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information
Technology Systems, describes best practices and provides information on commonly accepted
information security principles that can direct the security team in the development of a security
blueprint.
It also describes the philosophical principles that the security team should integrate into the
entire information security process, expanding upon the components of SP 800-12.
The more significant points made in NIST SP 800-14 are as follows:
1)Security Supports the Mission of the Organization.
2)Security is an Integral Element of Sound Management.
3)Security Should Be Cost-Effective
4)Systems Owners Have Security Responsibilities Outside Their Own Organizations.
5)Security Responsibilities and Accountability Should Be Made Explicit.
6)Security Requires a Comprehensive and Integrated Approach.
7)Security Should Be Periodically Reassessed.
8)Security is Constrained by Societal Factors.
It enumerates 33 principles for Securing Information Technology Systems:
Principle 1. Establish a sound security policy as the “foundation” for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by
associated security policies.
Principle 4. Reduce risk to an acceptable level.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease
in other aspects of operational effectiveness.
Principle 7. Implement layered security (Ensure no single point of vulnerability).
Principle 8. Implement tailored system security measures to meet organizational security goals.
Principle 9. Strive for simplicity.
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in
response.
Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and
logically.
Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of
expected threats.
Principle 14. Limit or contain vulnerabilities.
Principle 15. Formulate security measures to address multiple overlapping information domains.
Principle 16. Isolate public access systems from mission critical resources.
Principle 17. Use boundary mechanisms to separate computing systems and network
infrastructures.
Principle 18. Where possible, base security on open standards for portability and interoperability.
Principle 19. Use common language in developing security requirements.
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support
incident investigations.
Principle 21. Design security to allow for regular adoption of new techno.
Ch04_MoIS5e_v02.pptx business business business business business business bu...
business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business
Lesson 1
This document discusses information security planning and policy development. It describes management's role in developing, maintaining, and enforcing security policies, standards, procedures and guidelines. It explains that an information security blueprint identifies major components that support the security program. It also discusses how organizations institutionalize policies through education, training and awareness programs. Contingency planning relates to incident response, disaster recovery and business continuity plans. The document provides details on developing an enterprise security policy and issue-specific security policies. It emphasizes that policies must direct acceptable behavior and technologies and never contradict laws.
Solve the exercise in security management.pdf
This document provides information about an information security management system (ISMS) including:
1) An ISMS provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information protection based on risk assessment and risk acceptance levels.
2) The ISO/IEC 27000 family of standards relate to ISMS and include standards on requirements, implementation guidance, and auditing of ISMS.
3) Key aspects of an ISMS include identifying information assets, assessing risks and threats, selecting appropriate security controls, and managing the system using a process approach like PDCA (Plan-Do-Check-Act).
FISMA NextGen - Continuous Monitoring, Near Real-Time Risk Management
Presented in the ACT/IAC Information Security and Privacy SIG webinar focused on presenting the updated FISMA security requirements described in NIST SP 800-37r1. The other presenters were Ron Ross of NIST and Patti Titus of Unisys.
Unit 4 standards.ppt
The document provides information on various models, frameworks, standards and methodologies related to information security. It discusses models and frameworks, noting that a model is abstract while a framework provides more specific guidance. It defines standards and methodology. It then summarizes several specific models/frameworks - ISO 27001, COBIT, and SSE-CMM. It also outlines some methodologies for information security assessment - IAM, IEM, and SIPES, describing their objectives and phases.
ch14.ppt
This document discusses IT security management and risk assessment. It outlines the process of performing a security risk assessment, including identifying assets, threats, vulnerabilities, and analyzing risks. It also presents a case study of Silver Star Mines, a mining company that conducted a risk assessment to evaluate risks to their IT infrastructure and prioritize security controls and treatments.
Chapter 7 Managing Secure System.pdf
This document discusses information security policies and frameworks. It begins by explaining that information security policies are the foundation of an effective security program and outlines key aspects of developing policies, including that they must be properly supported and avoid conflicting with laws. The document then discusses several policy frameworks, notably the ISO 27000 series which provides requirements for an Information Security Management System (ISMS). It stresses that an ISMS should have continuous management support and treat security as an integral part of risk management. The role of training, awareness programs, and incident response planning are also covered.
Risk Based Security and Self Protection Powerpoint
Miguel Sanchez presented on risk based security and self protection technologies. He discussed how the threat landscape has changed and the need for a proactive, risk based approach. This involves a multi-tiered risk management process including framing risks at the organizational, mission, and system levels. Emerging technologies like runtime application self protection can help applications protect themselves by monitoring for threats during execution.
Cybersecurity Risk Management Program and Your Organization
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice will be joined by Partner, Michael Hoffner and they will lead a discussion on a Cybersecurity Risk Management Program including what it is and how it can prepare your organization for the future.
ISMS Part I
The document discusses ISO 27001, which establishes requirements for an Information Security Management System (ISMS). It aims to help organizations manage risks to security and ensure confidentiality, integrity and availability of information. The standard specifies requirements for establishing, implementing, maintaining and improving an ISMS through risk assessment and treatment, policies, procedures, management responsibility, monitoring and review. Compliance with ISO 27001 can help organizations improve governance, reduce costs and risks, and gain competitive advantages.
Information security policy_2011
The document discusses developing effective information security policies through a multi-step process. It begins with defining different types of policies like enterprise, issue-specific, and systems-specific policies. It then outlines the key phases to developing policies which include investigation, analysis, design, implementation, and maintenance. Specific guidance is provided for each phase, such as conducting a risk assessment in investigation and specifying enforcement in design. Effective policies must be properly disseminated, understood, and agreed upon.
5757912.ppt
This document provides an overview of NIST SP 800-37, Revision 1, which establishes a risk management framework (RMF) for federal information systems. The RMF is a six-step process for managing risk to systems: (1) categorize the system, (2) select security controls, (3) implement controls, (4) assess controls, (5) authorize the system, and (6) monitor controls continuously. The RMF aims to integrate security into system development lifecycles and provide near real-time risk management through continuous monitoring. It also links system-level risk management to the organizational level through a risk executive function.
Information Security Identity and Access Management Administration 07072016
An information security management system (ISMS) outlines policies and procedures for managing sensitive organizational data to minimize risk and ensure business continuity. Key components of an ISMS include risk management, security policies, asset protection, access controls, incident response, and regulatory compliance. The goal is to systematically protect information confidentiality, integrity, and availability through technical, operational, and management controls. An effective ISMS requires organizational buy-in, ongoing security monitoring and improvement, and a focus on addressing specific and credible threats to the business.
Similar to Lesson 2 - System Specific Policy (20)
create your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Pub.pdf
Ch04_MoIS5e_v02.pptx business business business business business business bu...
Ch04_MoIS5e_v02.pptx business business business business business business bu...
FISMA NextGen - Continuous Monitoring, Near Real-Time Risk Management
FISMA NextGen - Continuous Monitoring, Near Real-Time Risk Management
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
Information Security Identity and Access Management Administration 07072016
Information Security Identity and Access Management Administration 07072016
More from MLG College of Learning, Inc
PC111.Lesson2
This document discusses configuring and managing Cisco switches. It covers basic switch configuration including the boot sequence, recovering from crashes using the boot loader, and switch LED indicators. It also discusses configuring switch ports including setting duplex and speed, the auto-MDIX feature, and verifying port settings. Additionally, it addresses network access layer issues and troubleshooting media and interface-related problems.
PC111.Lesson1
This document provides an introduction to switched networks and describes different types of network switches. It explains that switched networks support small to medium-sized businesses by converging data, voice, and video. There are two main categories of switches: modular switches that provide flexibility through expansion modules, and fixed-configuration switches that include unmanaged, managed, and smart switches. Managed switches offer the most comprehensive features and scalability. Key factors to consider when choosing a switch include speed, port count, Power over Ethernet support, and stackability.
PC111-lesson1.pptx
This document introduces switched networks and how they support small to medium-sized businesses. It explains how switched networks converge data, voice, and video and describes what a switched network looks like in this environment. The document also discusses how layer 2 switches forward data frames in a small to medium LAN and compares collision domains to broadcast domains in a switched network.
PC LEESOON 6.pptx
The document discusses configuring basic settings on a Cisco switch, including:
- Setting the boot system to define the IOS image loaded during startup.
- Configuring switch management access by assigning an IP address, subnet mask, and default gateway to the management VLAN.
- Configuring physical switch ports by setting the duplex and speed settings to match connected devices and troubleshooting common layer 1 and 2 issues.
- Securing remote access using SSH instead of Telnet by generating RSA key pairs, configuring user authentication, and enabling SSH version 2.
- Implementing port security to restrict which MAC addresses can transmit on switch ports and limit them to the configured number.
PC 106 PPT-09.pptx
This document discusses the configuration and installation of UTP cables. It describes the standard arrangement of wires in a UTP cable, with the wires being twisted to cancel out noise and crosstalk. It also lists the tools and materials needed for installing UTP cables, such as wire cutters, strippers, crimp tools, RJ45 connectors, and testers. Finally, it outlines the 8 steps to properly crimp a UTP cable, which includes stripping the cable, placing the wires in the connector, and crimping to complete the connection.
PC 106 PPT-07
This document discusses network protocols. It begins by defining what a protocol is and provides some common examples used at different layers, such as TCP, UDP, IP, and HTTP. It then explains that protocols break large processes into smaller tasks and functions that must cooperate across network levels. Protocols are created according to industry standards. The document categorizes protocols for communication, network management, and security. It provides examples for each category and concludes with descriptions of some frequently used protocols like HTTP, SSH, and SMS.
PC 106 PPT-01
This document provides an overview of the history and development of computer networks and the internet. It discusses the early development of packet switching in the 1960s by researchers at MIT, RAND, and the UK. It also describes the creation of ARPANET in the late 1960s and early 1970s and its growth. Subsequent sections discuss the proliferation of networks in the 1980s and 1990s driven by NSFNET and the development of the World Wide Web. The document concludes by outlining some of the key hardware components of networks and benefits and disadvantages of computer networks.
PC 106 PPT-06
The document discusses the OSI model, which defines 7 layers for network communication: Physical, Data Link, Network, Transport, Session, Presentation, and Application. It was developed by ISO to standardize network architectures and allow components from different vendors to communicate. Each layer has a set of well-defined functions and builds upon the layers below it, with standards developed independently for easier introduction and less effect of changes on other layers. This model divides network communication into simpler components and encourages standardization.
PC 106 PPT-05
There are several common network topologies for LANs and WANs. Common LAN topologies include bus, star, ring, switched, daisy chain, and hierarchical topologies. Bus topology is easy to implement but has limited cable length. Star topology is easy to manage and scale but a failure of the central device takes down the whole network. Ring topology provides better performance than bus but a single failure affects the whole network. WAN topologies include peer-to-peer, ring, star, full mesh, partial mesh, multi-tiered, and hybrid configurations with different tradeoffs around cost, performance, redundancy, and scalability.
PC 106 Slide 04
Network media refers to the communication channels used to connect nodes on a computer network. Common network media include copper cables like twisted pair and coaxial, optical fiber cables, and wireless transmission using radio waves. Key factors in choosing network media include the network topology, size, required transmission speed and distance, environment, and cost. A network interface card installed in each computer enables it to connect to the chosen network media type.
PC 106 Slide no.02
A computer network is composed of end devices, network media, and intermediary devices connected together. The number of computers that can be connected depends on the type of network, which is classified by geographical size as a personal area network (PAN), local area network (LAN), campus area network (CAN), metropolitan area network (MAN), wide area network (WAN), wireless local area network (WLAN), or peer-to-peer network. In a client/server network, servers provide centralized services and resources to client devices, while in a peer-to-peer network all devices can act as both clients and servers sharing resources directly.
pc-106-slide-3
Network hardware includes end devices like servers, computers, VoIP phones, security cameras, and mobile devices. It also includes intermediary devices like hubs, switches, wireless access points, repeaters, bridges, and routers. Servers store files and applications for sharing. Switches provide connections and send information directly to the correct location. Wireless access points allow Wi-Fi devices to connect to wired networks. Routers select the best path to route messages between networks. Network interface cards provide the physical connection between computers and the network.
PC 106 Slide 2
The document discusses different types of computer networks classified by their geographical size, including personal area networks (PANs), local area networks (LANs), campus area networks (CANs), metropolitan area networks (MANs), wide area networks (WANs), and wireless local area networks (WLANs). It provides details on each type of network, such as LANs connecting computers close together within the same building, MANs connecting LANs within a city that are too far for a direct connection, and WANs spanning large geographic areas like cities or countries. The document also illustrates a basic computer network and reviews common network acronyms.
PC 106 Slide 1.pptx
A computer network connects multiple computers together to allow them to communicate and share resources. The basic building blocks of a network include computers equipped with network ports, cables to connect the computers, and a network switch for them to plug into. Larger networks may include additional components like routers or repeaters. Computer networks provide benefits such as hardware and data sharing between connected devices, enhanced real-time communication, collaborative work environments, access to shared programs stored on servers, and increased storage capacity from network-attached devices. However, networks also pose security threats from hacking or data theft, single point of failures if the main server crashes, and potential virus or malware spread throughout the connected systems. Proper technical skills are required to administer large computer networks
Db2 characteristics of db ms
This document discusses the fundamentals of database systems. It outlines four key characteristics: the self-describing nature of databases through metadata stored in the DBMS catalog; insulation between programs and data through program-data independence; support of multiple views of data through user-specific subsets or views; and sharing of data and multiuser transaction processing through concurrency control in a multiuser environment.
Db1 introduction
This document defines key terms related to database systems and provides an overview of database fundamentals. It defines data, information, and databases. A database management system (DBMS) is introduced as a collection of programs that enables users to create and maintain a database by defining, constructing, manipulating, and sharing the data. A DBMS also protects the database and maintains it over time. Examples of database systems that store student and course information are provided to illustrate database concepts. Characteristics of the DBMS approach are compared to the traditional file system approach.
Lesson 3.2
A flowchart is a graphical representation of a process or system. This document provides flowcharts for troubleshooting various hardware issues, including hard drive boot problems, CPU/RAM/motherboard performance issues, video adapter/GPU/monitor problems, peripheral device failures, SCSI/SAS drive errors, and DVD/CD/Blu-ray recording issues. The flowcharts help diagnose common problems and their potential solutions.
Lesson 3.1
This document discusses common computer errors, including hardware errors like blank monitors, hard drive failures, and faulty keyboards or mice. It also covers software errors such as access denied, file not found, and out of memory issues. Specific error types like disk read errors, boot failures, freezing, and the blue screen of death are explained in more detail. The document emphasizes the importance of properly diagnosing errors to identify whether the issue is hardware or software related.
Lesson 1.6
Bootable media contains software that allows a computer to boot from a removable device like a USB flash drive. When booting, the computer performs self-checks, loads the BIOS which finds the boot loader on the hard drive, and then loads the operating system along with hardware drivers and any startup programs. Bootable USB flash drives provide an easy way to install operating systems without discs by creating a portable boot device.
Lesson 3.2
Computer troubleshooting is a systematic process used to locate the cause of faults in computer systems and resolve hardware and software issues. It involves following a logical process with steps like identifying the problem, establishing a probable cause, testing theories to determine the cause, developing a solution plan, verifying the system works, and documenting findings. Troubleshooting skills are developed over time through experience solving different problems. Common computer issues include failures of storage devices, motherboards, power supplies, CPUs, memory, displays, and more. Solutions may involve checking connections, updating drivers or BIOS, replacing faulty components, and ensuring proper cooling and power.
More from MLG College of Learning, Inc (20)
Recently uploaded
Leveraging Generative AI to Drive Nonprofit Innovation
In this webinar, participants learned how to utilize Generative AI to streamline operations and elevate member engagement. Amazon Web Service experts provided a customer specific use cases and dived into low/no-code tools that are quick and easy to deploy through Amazon Web Service (AWS.)
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Iván Bornacelly, Policy Analyst at the OECD Centre for Skills, OECD, presents at the webinar 'Tackling job market gaps with a skills-first approach' on 12 June 2024
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptxMohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
This slide is special for master students (MIBS & MIFB) in UUM. Also useful for readers who are interested in the topic of contemporary Islamic banking.
BBR 2024 Summer Sessions Interview Training
Qualitative research interview training by Professor Katrina Pritchard and Dr Helen Williams
Traditional Musical Instruments of Arunachal Pradesh and Uttar Pradesh - RAYH...
Traditional Musical Instruments of Arunachal Pradesh and Uttar Pradesh
PCOS corelations and management through Ayurveda.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...Nguyen Thanh Tu Collection
https://app.box.com/s/y977uz6bpd3af4qsebv7r9b7s21935vdবাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
How to Make a Field Mandatory in Odoo 17
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingExcellence Foundation for South Sudan
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organisation by the Excellence Foundation for South Sudan on 08th and 09th June 2024 from 1 PM to 3 PM on each day.How to Setup Warehouse & Location in Odoo 17 Inventory
In this slide, we'll explore how to set up warehouses and locations in Odoo 17 Inventory. This will help us manage our stock effectively, track inventory levels, and streamline warehouse operations.
Recently uploaded (20)
Leveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit Innovation
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Chapter 4 - Islamic Financial Institutions in Malaysia.pptx
Traditional Musical Instruments of Arunachal Pradesh and Uttar Pradesh - RAYH...
Traditional Musical Instruments of Arunachal Pradesh and Uttar Pradesh - RAYH...
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
NEWSPAPERS - QUESTION 1 - REVISION POWERPOINT.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
How to Setup Warehouse & Location in Odoo 17 Inventory
How to Setup Warehouse & Location in Odoo 17 Inventory
Lesson 2 - System Specific Policy
- 1. Principles of Information Security, Fifth Edition Chapter 4 Planning for Security Lesson 2 – Systems Specific Policy
- 2. Systems-Specific Policy (SysSP) • SysSPs often function as standards or procedures used when configuring or maintaining systems. • Systems-specific policies fall into two groups: – Managerial guidance – Technical specifications • Access control lists (ACLs) can restrict access for a particular user, computer, time, duration—even a particular file. • Configuration rule policies govern how security system reacts to received data. • Combination SysSPs combine managerial guidance and technical specifications. Principles of Information Security, Fifth Edition 2
- 3. Policy Management • Policies must be managed as they constantly change. • To remain viable, security policies must have: – A responsible manager – A schedule of reviews – A method for making recommendations for reviews – A policy issuance and revision date – Automated policy management Principles of Information Security, Fifth Edition 3
- 4. The Information Security Blueprint • Basis for design, selection, and implementation of all security policies, education and training programs, and technological controls • Detailed version of security framework (outline of overall information security strategy for organization) • Specifies tasks and order in which they are to be accomplished • Should also serve as a scalable, upgradeable, and comprehensive plan for the current and future information security needs Principles of Information Security, Fifth Edition 4
- 5. The ISO 27000 Series • One of the most widely referenced security models • Standard framework for information security that states organizational security policy is needed to provide management direction and support • Purpose is to give recommendations for information security management • Provides a starting point for developing organizational security Principles of Information Security, Fifth Edition 5
- 6. Principles of Information Security, Fifth Edition 6
- 7. Principles of Information Security, Fifth Edition 7
- 8. NIST Security Models • Another possible approach described in the documents available from Computer Security Resource Center of NIST – SP 800-12 – SP 800-14 – SP 800-18 Rev. 1 – SP 800-26 – SP 800-30 Principles of Information Security, Fifth Edition 8
- 9. NIST Special Publication 800-14 • Security supports the mission of the organization and is an integral element of sound management. • Security should be cost effective; owners have security responsibilities outside their own organizations. • Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach. • Security should be periodically reassessed; security is constrained by societal factors. • Thirty-three principles for securing systems (see Table 4-5) Principles of Information Security, Fifth Edition 9
- 10. NIST Cybersecurity Framework • Consists of three fundamental components: – Framework core: set of information security activities an organization is expected to perform and their desired results – Framework tiers: help relate the maturity of security programs and implement corresponding measures and functions – Framework profile: used to perform a gap analysis between the current and a desired state of information security/risk management Principles of Information Security, Fifth Edition 10
- 11. NIST Cybersecurity Framework (cont’d) • Seven-step approach to implementing/improving programs: – Prioritize and scope – Orient – Create current profile – Conduct risk assessment – Create target profile – Determine, analyze, prioritize gaps – Implement action plan Principles of Information Security, Fifth Edition 11
- 12. Other Sources of Security Frameworks • Federal Agency Security Practices (FASP) • Computer Emergency Response Team Coordination Center (CERT/CC) • International Association of Professional Security Consultants Principles of Information Security, Fifth Edition 12