CHAPTER 2: Information Security Governance and Risk Management Flashcards
Bullets: SABSA model
Model and methodology for the development of information security enterprise architectures
Explanations: Change Control Analyst
I have analyzed your change request and it will destroy this company. Response: I am okay with that.
Explanation Bullets: A common hierarchy of security policies is outlined here, which illustrates the relationship between the master policy and the issue-specific policies that support it:
- Organizational policy
- Acceptable use policy
- Risk management policy
- Vulnerability management policy
- Data protection policy
- Access control policy
- Business continuity policy
- Log aggregation and auditing policy
- Personnel security policy
- Physical security policy
- Secure application development policy
- Change control policy
- E-mail policy
- Incident response policy
Bullets: Defense-in-depth
Implementation of multiple controls so that successful penetration and compromise is more difficult to attain
Bullets: July 2005
WorldCom ex-Chief Executive Officer Bernard Ebbers was sentenced to 25 years in prison for his role in orchestrating the biggest corporate fraud in the nation’s history.
Bullets: Confidentiality
Necessary level of secrecy is enforced and unauthorized disclosure is prevented.
Bullets: ISO/IEC 27013
Guideline on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
Explanation Bullets: The organizational security policy has several important characteristics that must be understood and implemented:
- Business objectives should drive the policy’s creation, implementation, and enforcement. The policy should not dictate business objectives.
- It should be an easily understood document that is used as a reference point for all employees and management.
- It should be developed and used to integrate security into all business functions and processes.
- It should be derived from and support all legislation and regulations applicable to the company.
- It should be reviewed and modified as a company changes, such as through adoption of a new business model, a merger with another company, or change of ownership.
- Each iteration of the policy should be dated and under version control.
- The units and individuals who are governed by the policy must have easy access to it. Policies are commonly posted on portals on an intranet.
- It should be created with the intention of having the policies in place for several years at a time. This will help ensure policies are forward-thinking enough to deal with potential changes that may arise.
- The level of professionalism in the presentation of the policies reinforces their importance as well as the need to adhere to them.
- It should not contain language that isn’t readily understood by everyone. Use clear and declarative statements that are easy to understand and adopt.
- It should be reviewed on a regular basis and adapted to correct incidents that have occurred since the last review and revision of the policies.
Bullets: SP 800-53
Set of controls to protect U.S. federal systems developed by the National Institute of Standards and Technology (NIST)
Emphasis: Response: No, we are more comfortable with chaos and wasting money
Should we map and integrate all of our security efforts with our business efforts? Response: No, we are more comfortable with chaos and wasting money.
Explanations: Information Risk Management Policy
How do I put all of these risk management pieces together? Response: Let’s check out the policy.
Explanations: Protection Mechanisms
Okay, so we know we are at risk, and we know the probability of it happening. Now, what do we do?
Bullets: ISO/IEC 27037
Guideline for identification, collection, and/or acquisition and preservation of digital evidence
Bullets: Business continuity management
Counter disruptions of normal operations by using continuity planning and testing.
Emphasis: risk assessment
A risk assessment, which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.
Bullets: Social engineering
Gaining unauthorized access by tricking someone into divulging sensitive information.
Emphasis: Why So Many Roles?
Most organizations will not have all the roles previously listed, but what is important is to build an organizational structure that contains the necessary roles and map the correct security responsibilities to them. This structure includes clear definitions of responsibilities, lines of authority and communication, and enforcement capabilities. A clear-cut structure takes the mystery out of who does what and how things are handled in different situations.
Bullets: Loss of data
Intentional or unintentional loss of information to unauthorized receivers
Explanation Bullets: The cost of a countermeasure is more than just the amount filled out on the purchase order. The following items should be considered and evaluated when deriving the full cost of a countermeasure:
- Product costs
- Design/planning costs
- Implementation costs
- Environment modifications
- Compatibility with other countermeasures
- Maintenance requirements
- Testing requirements
- Repair, replacement, or update costs
- Operating and support costs
- Effects on productivity
- Subscription costs
- Extra man-hours for monitoring and responding to alerts
- Beer for the headaches that this new tool will bring about
Explanation Bullets: So up to this point, we have accomplished the following items:
- Developed a risk management policy
- Developed a risk management team
- Identified company assets to be assessed
- Calculated the value of each asset
- Identified the vulnerabilities and threats that can affect the identified assets
- Chose a risk assessment methodology that best fits our needs
Explanations: The Risk Management Team
Fred is always scared of stuff. He is going to head up our risk team. Response: Fair enough.
Emphasis: vulnerability
A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.
Bullets: January 2004
Enron ex-Chief Financial Officer Andrew Fastow was given a ten-year prison sentence for his accounting scandals, which was a reduced term because he cooperated with prosecutors.
Bullets: Mandatory vacation
Detective administrative control used to uncover potential fraudulent activities by requiring a person to be away from the organization for a period of time.
Explanations: Security Analyst
I have analyzed your security and you have it all wrong. Response: What a surprise.
Bullets: ISO/IEC 27004
Guideline for information security management measurement and metrics framework
Bullets: ISO/IEC 27033
Guideline for IT network security, a multipart standard based on ISO/IEC 18028:2006
Emphasis: qualitative
Another method of risk analysis is qualitative, which does not assign numbers and monetary values to components and losses. Instead, qualitative methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. (A wide-sweeping analysis can include hundreds of scenarios.) Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed, as well as the culture of the company and individuals involved with the analysis.
Bullets: Facilitated Risk Analysis Process (FRAP)
A focused, qualitative approach that carries out prescreening to save time and money.
Bullets: Deterrent
Intended to discourage a potential attacker
Explanation Bullets: Quick Tips
- The objectives of security are to provide availability, integrity, and confidentiality protection to data and resources.
- A vulnerability is the absence of or weakness in a control.
- A threat is the possibility that someone or something would exploit a vulnerability, intentionally or accidentally, and cause harm to an asset.
- A risk is the probability of a threat agent exploiting a vulnerability and the loss potential from that action.
- A countermeasure, also called a safeguard or control, mitigates the risk.
- A control can be administrative, technical, or physical and can provide deterrent, preventive, detective, corrective, or recovery protection.
- A compensating control is an alternate control that is put into place because of financial or business functionality reasons.
- CobiT is a framework of control objectives and allows for IT governance.
- ISO/IEC 27001 is the standard for the establishment, implementation, control, and improvement of the information security management system.
- The ISO/IEC 27000 series were derived from BS 7799 and are international best practices on how to develop and maintain a security program.
- Enterprise architecture frameworks are used to develop architectures for specific stakeholders and present information in views.
- An information security management system (ISMS) is a coherent set of policies, processes, and systems to manage risks to information assets as outlined in ISO/IEC 27001.
- Enterprise security architecture is a subset of business architecture and a way to describe current and future security processes, systems, and subunits to ensure strategic alignment.
- Blueprints are functional definitions for the integration of technology into business processes.
- Enterprise architecture frameworks are used to build individual architectures that best map to individual organizational needs and business drivers.
- Zachman is an enterprise architecture framework, and SABSA is a security enterprise architecture framework.
- COSO is a governance model used to help prevent fraud within a corporate environment.
- ITIL is a set of best practices for IT service management.
- Six Sigma is used to identify defects in processes so that the processes can be improved upon.
- CMMI is a maturity model that allows for processes to improve in an incremental and standardized approach.
- Security enterprise architecture should tie in strategic alignment, business enablement, process enhancement, and security effectiveness.
- NIST 800-53 uses the following control categories: technical, management, and operational.
- OCTAVE is a team-oriented risk management methodology that employs workshops and is commonly used in the commercial sector.
- Security management should work from the top down (from senior management down to the staff).
- Risk can be transferred, avoided, reduced, or accepted.
- Threats × vulnerability × asset value = total risk.
- (Threats × vulnerability × asset value) × controls gap = residual risk.
- The main goals of risk analysis are the following: identify assets and assign values to them, identify vulnerabilities and threats, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the safeguards.
- Failure Modes and Effect Analysis (FMEA) is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
- A fault tree analysis is a useful approach to detect failures that can take place within complex environments and systems.
- A quantitative risk analysis attempts to assign monetary values to components within the analysis.
- A purely quantitative risk analysis is not possible because qualitative items cannot be quantified with precision.
- Capturing the degree of uncertainty when carrying out a risk analysis is important, because it indicates the level of confidence the team and management should have in the resulting figures.
- Automated risk analysis tools reduce the amount of manual work involved in the analysis. They can be used to estimate future expected losses and calculate the benefits of different security measures.
- Single loss expectancy × frequency per year = annualized loss expectancy (SLE × ARO = ALE).
- Qualitative risk analysis uses judgment and intuition instead of numbers.
- Qualitative risk analysis involves people with the requisite experience and education evaluating threat scenarios and rating the probability, potential loss, and severity of each threat based on their personal experience.
- The Delphi technique is a group decision method where each group member can communicate anonymously.
- When choosing the right safeguard to reduce a specific risk, the cost, functionality, and effectiveness must be evaluated and a cost/benefit analysis performed.
- A security policy is a statement by management dictating the role security plays in the organization.
- Procedures are detailed step-by-step actions that should be followed to achieve a certain task.
- Standards are documents that outline rules that are compulsory in nature and support the organization’s security policies.
- A baseline is a minimum level of security.
- Guidelines are recommendations and general approaches that provide advice and flexibility.
- Job rotation is a detective administrative control to detect fraud.
- Mandatory vacations are a detective administrative control type that can help detect fraudulent activities.
- Separation of duties ensures no single person has total control over a critical activity or task. It is a preventative administrative control.
- Split knowledge and dual control are two aspects of separation of duties.
- Data owners specify the classification of data, and data custodians implement and maintain controls to enforce the set classification levels.
- Security has functional requirements, which define the expected behavior from a product or system, and assurance requirements, which establish confidence in the implemented products or systems overall.
- Management must define the scope and purpose of security management, provide support, appoint a security team, delegate responsibility, and review the team’s findings.
- The risk management team should include individuals from different departments within the organization, not just technical personnel.
- Social engineering is a nontechnical attack carried out to manipulate a person into providing sensitive data to an unauthorized individual.
- Personal identification information (PII) is a collection of identity-based data that can be used in identity theft and financial fraud, and thus must be highly protected.
- Security governance is a framework that provides oversight, accountability, and compliance.
- ISO/IEC 27004:2009 is an international standard for information security measurement management.
- NIST 800-55 is a standard for performance measurement for information security.
Bullets: ISO/IEC 27002
Code of practice for information security management
Emphasis: What
- What are you trying to do at this layer? The assets to be protected by your security architecture.
Explanations: Outsourcing
I am sure that company, based in another country that we have never met or ever heard of, will protect our most sensitive secrets just fine. Response: Yeah, they seem real nice.
Emphasis: threat agent
A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.
Emphasis: Security Administrator
The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. These controls commonly include firewalls, IDS, IPS, antimalware, security proxies, data loss prevention, etc. It is common for there to be delineation between the security administrator and the network administrator. The security administrator has the main focus of keeping the network secure, and the network administrator has the focus of keeping things up and running.
Emphasis: chief security officer (CSO)
The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization’s business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.
Explanation Bullets: This committee should meet at least quarterly and have a well-defined agenda. Some of the group’s responsibilities are as follows:
- Define the acceptable risk level for the organization.
- Develop security objectives and strategies.
- Determine priorities of security initiatives based on business needs.
- Review risk assessment and auditing reports.
- Monitor the business impact of security risks.
- Review major security breaches and incidents.
- Approve any major change to the security policy and program.
Explanations: NIST 800-53
CobiT contains control objectives used within the private sector; the U.S. government has its own set of requirements when it comes to controls for federal information systems and organizations.
Emphasis: issue-specific policy
An issue-specific policy, also called a functional policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes, that specifies which e-mail functionality employees can or cannot use, and that addresses specific privacy issues.
Bullets: Annualized loss expectancy
Annual expected loss if a specific vulnerability is exploited and how it affects a single asset.
Bullets: Application error
Computation errors, input errors, and buffer overflows
Bullets: Policy
High-level document that outlines senior management’s security directives.
Explanation Bullets: CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985 to deal with fraudulent financial activities and reporting. The COSO framework is made up of the following components:
- Control environment
  - Management’s philosophy and operating style
  - Company culture as it pertains to ethics and fraud
- Risk assessment
  - Establishment of risk objectives
  - Ability to manage internal and external change
- Control activities
  - Policies, procedures, and practices put in place to mitigate risk
- Information and communication
  - Structure that ensures that the right people get the right information at the right time
- Monitoring
  - Detecting and responding to control deficiencies
Bullets: Shoulder surfing
Viewing information in an unauthorized manner by looking over the shoulder of someone else.
Emphasis: CSO vs. CISO
The CSO and chief information security officer (CISO) may have similar or very different responsibilities. How is that for clarification? It is up to the individual organization to define the responsibilities of these two roles and whether they will use both, either, or neither. By and large, the CSO role usually has a farther-reaching list of responsibilities compared to the CISO role. The CISO is usually focused more on technology and has an IT background. The CSO usually is required to understand a wider range of business risks, including physical security, not just technological risks.
Explanations: Top-down Approach
The janitor said we should wrap our computers in tin foil to meet our information security needs.
Bullets: System development and maintenance
Implement security in all phases of a system’s lifetime through development of security requirements, cryptography, integrity protection, and software development procedures.
Bullets: ISO/IEC 27000 series
International standards on how to develop and maintain an ISMS developed by ISO and IEC
Explanation Bullets: The following shows the levels of sensitivity from the highest to the lowest for military purposes:
- Top secret
- Secret
- Confidential
- Sensitive but unclassified
- Unclassified
Explanations: Capability Maturity Model Integration
I only want to get better, and better, and better. Response: I only want you to go away.
Emphasis: Who Really Understands Risk Management?
Unfortunately, the answer to this question is that not enough people inside or outside of the security profession really understand risk management. Even though information security is big business today, the focus is more on applications, devices, viruses, and hacking. Although these items all must be considered and weighed in risk management processes, they should be considered small pieces of the overall security puzzle, not the main focus of risk management.
Bullets: Standard
Compulsory rules that support the security policies.
Explanations: Handling Risk
Now that we know about the risk, what do we do with it? Response: Hide it behind that plant.
Bullets: Preventive
Intended to avoid an incident from occurring
Bullets: Quantitative risk analysis
Assigning monetary and numeric values to all the data elements of a risk assessment.
Emphasis: Enterprise Security Architecture
An enterprise security architecture is a subset of an enterprise architecture and defines the information security strategy that consists of layers of solutions, processes, and procedures and the way they are linked across an enterprise strategically, tactically, and operationally. It is a comprehensive and rigorous method for describing the structure and behavior of all the components that make up a holistic information security management system (ISMS). The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner. The architecture works at an abstraction level and provides a frame of reference. Besides security, this type of architecture allows organizations to better achieve interoperability, integration, ease-of-use, standardization, and governance.
Emphasis: Nondisclosure agreements
Nondisclosure agreements must be developed and signed by new employees to protect the company and its sensitive information. Any conflicts of interest must be addressed, and there should be different agreements and precautions taken with temporary and contract employees.
Bullets: Advisory
This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical or financial information.
Emphasis: Privacy
Privacy is different from security. Privacy indicates the amount of control an individual should be able to have and expect as it relates to the release of their own sensitive information. Security is the mechanisms that can be put into place to provide this level of control.
Bullets: Collusion
Two or more people working together to carry out fraudulent activities.
Bullets: NIST 800-30 Risk Management Guide for Information Technology Systems
A U.S. federal standard that is focused on IT risks.
Bullets: Availability
Reliable and timely access to data and resources is provided to authorized individuals.
Explanation Bullets: The following shows the common levels of sensitivity from the highest to the lowest for commercial business:
- Confidential
- Private
- Sensitive
- Public
Bullets: Residual risk
Risk that remains after implementing a control. Threats × vulnerabilities × assets × (control gap) = residual risk.
Bullets: December 2005
The former Chief Executive Officer of HealthSouth Corp. was sentenced to five years in prison for his part in the $2.7 billion scandal.
Explanation Bullets: So how does CobiT fit into the big picture? When you develop your security policies that are aligned with the ISO/IEC 27000 series, these are high-level documents that have statements like, “Unauthorized access should not be permitted.” But who is authorized? How do we authorize individuals? How are we implementing access control to ensure that unauthorized access is not taking place? How do we know our access control components are working properly? This is really where the rubber hits the road, where words within a document (policy) come to life in real-world practical implementations. CobiT provides the objective that the real-world implementations (controls) you chose to put into place need to meet. For example, CobiT outlines the following control practices for user account management:
- Using unique user IDs to enable users to be linked to and held accountable for their actions
- Checking that the user has authorization from the system owner for the use of the information system or service, and the level of access granted is appropriate to the business purpose and consistent with the organizational security policy
- A procedure to require users to understand and acknowledge their access rights and the conditions of such access
- Ensuring that internal and external service providers do not provide access until authorization procedures have been completed
- Maintaining a formal record, including access levels, of all persons registered to use the service
- A timely and regular review of user IDs and access rights
Bullets: ISO/IEC 27007
Guideline for information security management systems auditing
Bullets: ISO/IEC 27011
Information security management guidelines for telecommunications organizations
Emphasis: Security effectiveness
Security effectiveness deals with metrics, meeting service level agreement (SLA) requirements, achieving return on investment (ROI), meeting set baselines, and providing management with a dashboard or balanced scorecard system. These are ways to determine how useful the current security solutions and architecture as a whole are performing.
Bullets: TOGAF
Model and methodology for the development of enterprise architectures developed by The Open Group
Emphasis: exposure factor (EF)
The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. For example, if a data warehouse has the asset value of $150,000, it can be estimated that if a fire were to occur, 25 percent of the warehouse would be damaged, in which case the SLE would be $37,500.
Emphasis: Procedures
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.
Emphasis: accept the risk
The last approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.
Emphasis: do
So the different categories of controls that can be used are administrative, technical, and physical. But what do these controls actually do for us? We need to understand the different functionality that each control type can provide us in our quest to secure our environments.
Emphasis: IT
COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them.
Bullets: Uncertainty analysis
Assigning confidence level values to data elements.
Explanation Bullets: This committee is usually responsible for at least the following items:
- The integrity of the company’s financial statements and other financial information provided to stockholders and others
- The company’s system of internal controls
- The engagement and performance of the independent auditors
- The performance of the internal audit function
- Compliance with legal requirements, regulations, and company policies regarding ethical conduct
Bullets: ISO/IEC 27014
Guideline for information security governance
Explanations: Audit Committee
The audit committee should be appointed by the board of directors to help it review and evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization.
Emphasis: organizational security policy
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relative laws, regulations, and liability issues, and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.
Bullets: SABSA framework
Risk-driven enterprise security architecture that maps to business initiatives, similar to the Zachman framework.
Emphasis: system-specific policy
A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, and applications. An organization may have a system-specific policy outlining how a database containing sensitive information should be protected, who can have access, and how auditing should take place. It may also have a system-specific policy outlining how laptops should be locked down and managed. This policy type is directed to one or a group of similar systems and outlines how they should be protected.
Bullets: ISO/IEC 27015
Information security management guidelines for the finance and insurance sectors
Bullets: Capability Maturity Model Integration (CMMI)
Organizational development for process improvement developed by Carnegie Mellon
Bullets: Detective
Helps identify an incident’s activities and potentially an intruder
Explanations: Process Management Development
Along with ensuring that we have the proper controls in place, we also want to have ways to construct and improve our business, IT, and security processes in a structured and controlled manner. The security controls can be considered the “things,” and processes are how we use these things. We want to use them properly, effectively, and efficiently.
Explanations: Executive Management
I am very important, but I am missing a “C” in my title. Response: Then you are not so important.
Bullets: MODAF
Architecture framework used mainly in military support missions developed by the British Ministry of Defence
Explanation Bullets: Each organization is different in its size, security posture, threat profile, and security budget. One organization may have one individual responsible for IRM or a team that works in a coordinated manner. The overall goal of the team is to ensure the company is protected in the most cost-effective manner. This goal can be accomplished only if the following components are in place:
- An established risk acceptance level provided by senior management
- Documented risk assessment processes and procedures
- Procedures for identifying and mitigating risks
- Appropriate resource and fund allocation from senior management
- Security-awareness training for all staff members associated with information assets
- The ability to establish improvement (or risk mitigation) teams in specific areas when necessary
- The mapping of legal and regulatory compliance requirements to control and implementation requirements
- The development of metrics and performance indicators so as to measure and manage various types of risks
- The ability to identify and assess new risks as the environment and company change
- The integration of IRM and the organization’s change control process to ensure that changes do not introduce new vulnerabilities
Explanations: Chief Security Officer
Hey, we need a sacrificial lamb in case things go bad. Response: We already have one. He’s called the chief security officer.
Bullets: ISO/IEC 27005
Guideline for information security risk management