
The planning, organization, and roles of individuals in identifying and securing an organization's information assets
The development of effective employment agreements; employee hiring practices, including background checks and job descriptions; security clearances; separation of duties and responsibilities; job rotation; and hiring and termination practices
The development and use of policies stating management's views and positions on particular topics, and the use of guidelines, standards, baselines, and procedures to support those policies
The differences between policies, standards, baselines, and procedures in terms of their application to security administration
The importance of security awareness training to make employees aware of the need for information security, its significance, and the specific security-related requirements relative to the employee's position
The importance of data classification, including sensitive, confidential, proprietary, private, and critical information
The application of security policies, standards, baselines, and procedures to ensure the privacy, confidentiality, integrity, and availability of information
The importance of risk management practices and tools to identify, rate, and reduce the risk to specific information assets:
- Asset identification and evaluation
- Threat identification and assessment
- Vulnerability and exposure identification and assessment
- Calculation of single occurrence loss (single loss expectancy) and annual loss expectancy
- Safeguard and countermeasure identification and evaluation, including risk management practices and tools to identify, rate, and reduce the risk to specific information assets
- Calculation of the resulting annual loss expectancy and residual risk
- Communication of the residual risk to be assigned (i.e., insured against) or accepted by management
The regulatory and ethical requirements to protect individuals from substantial harm, embarrassment, or inconvenience due to the inappropriate collection, storage, or dissemination of personal information
The principles and controls that protect data against compromise or inadvertent disclosure (confidentiality)
The principles and controls that ensure the logical correctness of an information system, the consistency of data structures, and the accuracy, precision, and completeness of the data stored (integrity)
The principles and controls that ensure that a computer resource will be available to authorized users when they need it (availability)
The purpose of and process used for reviewing system records, event logs, and activities
The importance of managing change and the change control process, and certification and accreditation
The application of commonly accepted best practices for system security administration, including the concepts of least privilege, separation of duties, job rotation, monitoring, and incident response
Internal control standards reduce risk. Internal control standards are required to satisfy obligations with respect to the law, safeguard the organization's assets, and account for accurate revenue and expense tracking. There are three categories of internal control standards: general standards, specific standards, and audit resolution standards.
General standards must provide reasonable assurance, support the internal controls, provide for competent personnel, and assist in establishing control objectives and techniques.
Specific standards must be documented, clear, and available to the personnel. They allow for the prompt recording of transactions and the prompt execution of authorized transactions. Specific standards establish separation of duties, qualified supervision, and accountability.
Audit resolution standards require that the manager promptly resolve audit findings. Managers must evaluate, determine the corrective action required, and take that action.
The Business Case for Information Security Management
Information security management comprises physical, administrative, managerial, technical, and operational controls; policies, procedures, standards, and guidelines are implemented to provide the proper balance of security controls with business operations.
Security and Risk Management Practice
Risks are identified and an adequate control environment is established to mitigate the risks.
Core Information Security Principles: Confidentiality, Integrity, Availability (CIA)
Information Security Management Governance
Security Governance Defined: the intent of governance is to guarantee that the appropriate information security activities are being performed to ensure that the risks are appropriately reduced.
The ITGI (IT Governance Institute) proposes that information security governance should be considered a part of IT governance, and that the board of directors should:
- Be informed about information security
- Set direction to drive policy and strategy
- Provide resources to security efforts
- Assign management responsibilities
- Set priorities
- Support changes required
- Define cultural values related to risk assessment
- Obtain assurance from internal or external auditors
- Insist that security investments are made measurable and reported on for program effectiveness
Additionally, the ITGI suggests that management should:
- Write security policies with business input
- Ensure that roles and responsibilities are defined and clearly understood
- Identify threats and vulnerabilities
- Implement security infrastructures and control frameworks (standards, guidelines, baselines, and procedures)
- Ensure that policy is approved by the governing body
- Establish priorities and implement security projects in a timely manner
- Monitor breaches
- Conduct periodic reviews and tests
- Reinforce awareness education as critical
- Build security into the systems development life cycle
Security Policies, Procedures, Standards, Guidelines, and Baselines
Security Policy Best Practices
- Formally define a policy creation and policy maintenance practice.
- Policies should survive for two or three years.
- Do not be too specific in policy statements.
- Use forceful, directive wording.
- Technical implementation details do not belong in a policy.
- Keep each policy as short as possible.
- Provide references in the policy to the supporting documents.
- Thoroughly review before publishing.
- Conduct management review and sign-off.
- Do not use technical jargon in policy language.
- Review incidents and adjust policies.
- Periodically review policies.
- Define policy exception rules.
- Develop sanctions for noncompliance.
Types of Security Policies:
1. Organizational or program policy
2. Functional, issue-specific policies
3. System-specific policies
Standards: they lay out the hardware and software mechanisms the organization has selected for controlling security risks; compliance with a standard is mandatory.
Procedures: step-by-step instructions for performing a task so that it complies with the policies and standards.
Baselines: the minimum level of security (a consistent reference configuration) that every system of a given type must meet.
Guidelines: recommended, non-mandatory practices that help implement policy where no standard applies.
Security and Audit Frameworks and Methodologies
COSO: the Committee of Sponsoring Organizations of the Treadway Commission, formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied the factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities and Exchange Commission, and other regulators.
Five areas of internal control necessary to meet the financial reporting and disclosure objectives:
1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring
ITIL: IT Infrastructure Library; 34 books; aims to improve IT service management.

COBIT: Control Objectives for Information and related Technology; published by the IT Governance Institute; 34 high-level processes, supported by 214 control objectives. The model defines four domains for governance:
- planning and organization
- acquisition and implementation
- delivery and support
- monitoring
ISO 27000 series (ISO 27002, formerly known as ISO 17799/BS 7799): 133 detailed information security controls based upon the following 11 areas:
1. Information security policy
2. Organizing information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
Risk Assessment Methodologies
NIST SP 800-30 and SP 800-66 (HIPAA clients): the NIST risk assessment methodology proceeds as follows (SP 800-30 identifies threats before vulnerabilities):
1. System characterization
2. Threat identification
3. Vulnerability identification
4. Countermeasure (control) identification
5. Likelihood determination
6. Impact determination
7. Risk determination
8. Additional countermeasure recommendations
9. Document results
CRAMM (CCTA Risk Analysis and Management Method): CRAMM is divided into three stages:
1. Asset identification and valuation
2. Threat and vulnerability assessment
3. Countermeasure selection and recommendation
Failure Modes and Effects Analysis (FMEA): examines potential failures of each part or module, and examines the effects of failure at three levels:
1. Immediate level (part or module)
2. Intermediate level (process or package)
3. System-wide
FRAP (Facilitated Risk Analysis Process): a qualitative risk assessment; provides tested variations on the methodology.
OCTAVE: created by Carnegie Mellon University's Software Engineering Institute; the organization's own people direct the risk evaluation activities; the OCTAVE criteria are a set of principles, attributes, and outputs.
PUSH: Federal Financial Institutions Examination Council (FFIEC) Technology Conference; PUSH is trademarked to a commercial vendor, Chapman Technology Group, Inc. Its four steps:
1. Preparation
2. Universe Definition
3. Scoring
4. Hitting the Mark
Security Officers Management and Analysis Project (SOMAP): a Swiss nonprofit organization; released under a GNU license.
VAR (Value at Risk): VAR is identified as a theoretically based, quantitative measure of information security risk.
Risk Management Principles
Risk Avoidance | Risk Transfer | Risk Mitigation | Risk Acceptance
Who Owns the Risk?: ultimately, the organization (i.e., senior management) owns the risks.
Risk Assessment
1. Identify Vulnerabilities: e.g., patching and configuration of an organization's information systems are done on an ad hoc basis and, therefore, are neither documented nor up to date.
2. Identify Threats:
- Human (loss of key personnel, malicious outsider or insider)
- Natural disaster
- Technical (hardware or software failure, malicious code, unauthorized access)
- Physical (closed-circuit TV failure, perimeter defense failure)
- Environmental (hazardous waste, biological agent, utility failure)
- Operational
3. Likelihood Determination: likelihood, along with impact, determines risk.
4. Determination of Risk: the product of likelihood and impact. If an exploit has a likelihood of 1 (high) and an impact of 100 (high), the risk would be 100.
5. Countermeasure Selection: one of the most important steps for the organization is to appropriately select countermeasures to apply to the risks in the environment.
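The five steps above carried through in code, as an added example that is not from the page or the study guide it summarizes: a small risk register is scored with the likelihood and impact scales of NIST SP 800-30 (2002), which is where the "likelihood 1 (high) x impact 100 (high) = risk 100" arithmetic comes from, ranked for management, and run through countermeasure selection against an agreed risk appetite. The register rows, the candidate safeguards and the residual likelihoods are constructed for illustration, not taken from the page.

```python
"""Risk determination and countermeasure selection over a small risk register.

Scales are those of NIST SP 800-30 (2002), Table 3-6:
  likelihood  High 1.0 / Medium 0.5 / Low 0.1
  impact      High 100 / Medium 50 / Low 10
  risk level  Low 1-10, Medium >10-50, High >50-100
"""
from dataclasses import dataclass

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class RiskItem:
    asset: str
    vulnerability: str             # step 1: the identified vulnerability
    threat: str                    # step 2: the threat that can exploit it
    likelihood: str                # step 3: low / medium / high
    impact: str                    # combined with likelihood in step 4
    countermeasure: str = ""       # step 5: candidate safeguard (constructed)
    residual_likelihood: str = ""  # likelihood once the safeguard is sustained


def risk_score(likelihood: str, impact: str) -> float:
    """Step 4: risk is the product of the likelihood and impact ratings."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a product score onto SP 800-30's Low / Medium / High bands."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_register(register: list[RiskItem]) -> list[tuple[str, float, str]]:
    """Order items by inherent risk so management sees the worst first."""
    scored = []
    for item in register:
        score = risk_score(item.likelihood, item.impact)
        scored.append((item.asset, score, risk_level(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


def select_countermeasures(register: list[RiskItem], accept_at: str = "Low") -> list[dict]:
    """Step 5: recommend a safeguard for every item whose inherent risk is above
    the level management has agreed to accept (accept_at), and report the residual
    risk that remains after the safeguard is properly implemented and sustained."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    recommendations = []
    for item in register:
        inherent = risk_score(item.likelihood, item.impact)
        if order[risk_level(inherent)] <= order[accept_at]:
            continue  # within appetite: accept the risk, no safeguard needed
        residual = risk_score(item.residual_likelihood or item.likelihood, item.impact)
        recommendations.append({
            "asset": item.asset,
            "countermeasure": item.countermeasure,
            "inherent": (inherent, risk_level(inherent)),
            "residual": (residual, risk_level(residual)),
        })
    return recommendations


# Constructed sample register (assumed data, not from the page); the first row
# is the ad hoc patching example given under "Identify Vulnerabilities".
REGISTER = [
    RiskItem("customer database server",
             "patching and configuration done ad hoc, undocumented, out of date",
             "malicious outsider exploiting a known, unpatched flaw",
             likelihood="high", impact="high",
             countermeasure="formal patch and configuration management, verified monthly",
             residual_likelihood="low"),
    RiskItem("payroll application",
             "a single administrator holds all knowledge of the system",
             "loss of key personnel",
             likelihood="medium", impact="medium",
             countermeasure="job rotation plus documented runbooks",
             residual_likelihood="low"),
    RiskItem("data centre perimeter",
             "CCTV coverage gap at the loading dock",
             "closed-circuit TV failure during an intrusion",
             likelihood="low", impact="medium",
             countermeasure="second camera and a guard patrol"),
]

if __name__ == "__main__":
    for asset, score, level in rank_register(REGISTER):
        print(f"{level:6} {score:5.0f}  {asset}")
    for rec in select_countermeasures(REGISTER):
        print(rec)
```

Changing `accept_at` to "Medium" models a larger risk appetite: only the High item is then recommended for treatment, and the Medium one is accepted as is.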
Information Valuation: value is typically represented by information's cost and its perceived value, internally and externally, to an organization. How, then, is information value determined? Subjective methods include the creation, dissemination, and data collection from checklists or surveys. Metric, or statistical, measures may provide a more objective view of information valuation. Each of these methods has its uses within an organization. One method that uses consensus relative to the valuation of information is the consensus-modified Delphi method.
Organizational Behaviour: organizations exist as a system of coordinated activities to accomplish organizational objectives.
Organizational Structure Evolution
Responsibilities of the Information Security Officer: Communicate Risks to Executive Management, ensuring that a risk assessment is performed that takes into consideration the threats and vulnerabilities impacting the particular organization. The executive team is interested in maintaining the appropriate balance between acceptable risk and ensuring that business operations are meeting the mission of the organization. In this context, executive management is not concerned with the technical details of the implementation, but rather with the cost/benefit of the solution and the residual risk that will remain after the safeguards are implemented:
(1) What is the real perceived threat (the problem to be solved)?
(2) What is the risk (impact and probability) to our business operations?
(3) What is the cost of the safeguard?
(4) What will be the residual risk (the risk remaining after the safeguard is properly implemented and sustained)?
(5) How long will the project take?
Best Practices
- Job Rotation
- Separation of Duties (SOD)
- Least Privilege (Need to Know)
- Mandatory Vacations
- Job Position Sensitivity
Budget for Information Security Activities
Policies, Procedures, Baselines, Standards, and Guidelines: the security officer and his team are responsible for ensuring that the security policies, procedures, baselines, standards, and guidelines are written to address the information security needs of the organization.
Security Awareness Program: the security officer provides the leadership for the information security awareness program by ensuring that the program is delivered in a meaningful, understandable way to the intended audience.
Understand Business Objectives: central to the security officer's success within the organization is understanding the vision, mission, objectives/goals, and plans of the organization, allowing security to be introduced at the correct times during the project life cycle.
Maintain Awareness of Emerging Threats and Vulnerabilities
Evaluate Security Incidents and Response: computer incident response teams (CIRTs)
Develop Security Compliance Program: compliance is the process of ensuring adherence to security policies.
Establish Security Metrics: for example, measuring the number of help desk tickets for password resets before and after allowing end users to self-administer the password reset process.
Participate in Management Meetings: security officers must be involved in the management teams and planning meetings of the organization to be fully effective.
Assist Internal and External Auditors
Stay Abreast of Emerging Technologies
Reporting Model: the security officer and the information security organization should report as high in the organization as possible to (1) maintain visibility of the importance of information security and (2) limit the distortion or inaccurate translation of messages that can occur in hierarchical, deep organizations.
Business Relationships
Reporting to the CEO: reporting directly to the CEO greatly reduces the filtering of messages that can occur if a message must pass through several layers.
Reporting to the Information Technology (IT) Department
Reporting to Corporate Security
Reporting to the Administrative Services Department
Reporting to the Insurance and Risk Management Department
Reporting to the Internal Audit Department
Reporting to the Legal Department
Enterprise-Wide Security Oversight Committee: a committee sometimes referred to as a "Security Council".
Oversight Committee Representation: for maximum effectiveness the oversight committee should consist of representatives from multiple organizational units.
Security Council Vision Statement
Mission Statement: mission statements do not need to be lengthy.
Security Program Oversight
- Decide on Project Initiatives
- Prioritize Information Security Efforts
- Review and Recommend Security Policies
- Champion Organizational Security Efforts
- Recommend Areas Requiring Investment
Roles and Responsibilities:
- End User
- Executive Management
- Security Officer
- Information Systems Security Professional
- Data/Information/Business Owners
- Data Custodian
- Information Systems Auditor
- IT
- Business Continuity Planner
- Security Administrator
- Network/Systems Administrator
- Physical Security
- Administrative Assistants/Secretaries
- Help Desk Administrator
Security Planning
Strategic, tactical, and operational plans are interrelated, and each provides a different focus toward enhancing the security of the organization.
Strategic Planning: strategic plans are aligned with the strategic business and information technology goals. For example, strategic goals may consist of:
Tactical Planning: tactical plans provide the broad initiatives to support and achieve the goals specified in the strategic plan.
Operational and Project Planning: specific plans with milestones, dates, and accountabilities provide the communication and direction to ensure that the individual projects are completed.
Personnel Security
Hiring Practices
- Job Descriptions
- Employment Agreements
- Reference Checks
- Background Investigations (the types of check are listed below)
Benefit of Background Checks
Timing of Checks: before and during employment
Types of Background Checks:
- Credit History
- Criminal History
- Driving Records
- Prior Employment: verifying dates employed, job title, job performance, and reason for leaving
- Education, Licensing, and Certification Verification
- Social Security Number Verification and Validation
- Suspected Terrorist Watch List
Employee Supervision
Employee Terminations
1. Friendly Terminations: property is returned and all access is removed.
2. Unfriendly Terminations: risky; special care must be taken to ensure all access is disabled.
Security Awareness, Training, and Education
Security awareness addresses the why of policy.
Why Conduct Formal Security Awareness Training?: to inform employees about their roles and the expectations surrounding their roles; educated users aid the organization in the fulfillment of its security program objectives.
Training Topics (sample: awareness of the corporate security policy)
Awareness Activities and Methods
Job Training
Professional Education
Performance Metrics: measurement can include periodic walk-throughs of business unit organizations, periodic quizzes to keep staff up to date, and so on.
Risk Management: "the technique or profession of assessing, minimizing, and preventing accidental loss to a business."
Risk Management Concepts
Qualitative Risk Assessments: qualitative risk assessments produce valid results that are descriptive rather than measurable. A qualitative risk assessment is typically conducted when: the assessors do not require as much experience; the timeframe to complete the risk assessment is short; implementation is typically easier; and the organization does not have a significant amount of data readily available.
Quantitative Risk Assessments: the annual loss expectancy (ALE) is the single loss expectancy (SLE, the asset value times the exposure factor) multiplied by the annualized rate of occurrence (ARO). Note that this calculation can be adjusted for the local geography using the local annual frequency estimate (LAFE) in place of the standard annual frequency estimate (SAFE).
Selecting Tools and Techniques for Risk Assessment
Ethics
Topics in Computer Ethics
- Computers in the Workplace
- Computer Crime
- Privacy and Anonymity
- Intellectual Property
- Professional Responsibility and Globalization
Common Computer Ethics Fallacies
- Computer Game Fallacy
- Law-Abiding Citizen Fallacy
- Shatterproof Fallacy
- Candy-from-a-Baby Fallacy
- Hacker Fallacy
- Free Information Fallacy
Hacking and Hacktivism: hacking is an ambivalent term, most commonly perceived as being part of criminal activities. A hacker was originally a person who sought to understand computers as thoroughly as possible.
The Hacker Ethic:
- Access to computers should be unlimited and total.
- All information should be free.
- Authority should be mistrusted and decentralization promoted.
- Hackers should be judged solely by their skills at hacking, rather than by race, class, age, gender, or position.
- Computers can be used to create art and beauty.
- Computers can change your life for the better.
Ethics Codes of Conduct and Resources
The Code of Fair Information Practices
1. There must be no personal data record-keeping systems whose very existence is secret.
2. There must be a way for an individual to find out what information is in his or her file and how the information is being used.
3. There must be a way for an individual to correct information in his or her records.
4. Any organization creating, maintaining, using, or disseminating records of personally identifiable information must assure the reliability of the data for its intended use and must take precautions to prevent misuse.
5. There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent.
Internet Activities Board (IAB) (now the Internet Architecture Board) and RFC 1087
RFC 1087 ("Ethics and the Internet") characterizes as unethical and unacceptable any activity that purposely:
1. Seeks to gain unauthorized access to the resources of the Internet
2. Disrupts the intended use of the Internet
3. Wastes resources (people, capacity, computer) through such actions
4. Destroys the integrity of computer-based information, or
5. Compromises the privacy of users
Computer Ethics Institute (CEI)
"Ten Commandments of Computer Ethics": the Computer Ethics Institute published them in 1992.
National Conference on Computing and Values: held on the campus of Southern Connecticut State University in August 1991:
1. Preserve the public trust and confidence in computers.
2. Enforce fair information practices.
3. Protect the legitimate interests of the constituents of the system.
4. Resist fraud, waste, and abuse.
The Working Group on Computer Ethics
In 1991, the Working Group on Computer Ethics created the following End User's Basic Tenets of Responsible Computing:
National Computer Ethics and Responsibilities Campaign (NCERC):
The National Computer Security Association (NCSA) and the Computer Ethics Institute cosponsored NCERC. The NCERC Guide to Computer Ethics was developed to support the campaign.
(ISC)² Code of Ethics
- Protect society, the commonwealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
