Security Governance (Lecture 3) Flashcards

1
Q

Describe what security management concepts and principles are

A

Important elements in security policy and solution deployment

Define basic parameters needed for a secure environment

Define the goals and objectives that policy designers and system implementers must achieve to create a secure solution

2
Q

What are protection mechanisms

A

Common elements in security controls

Mechanisms include multiple layers (levels of access)

Abstraction

Hiding data

Encryption

3
Q

What is layering?

A

Also known as defence in depth

Multiple security controls in series (firewalls, ACLs, VLANs)

Controls need to be in series so that they operate one after the other in a linear fashion. This allows data to be scanned and evaluated by each security control, and if one control measure fails it does not render the whole system ineffective

4
Q

What is abstraction?

A

Puts similar elements into groups, classes or roles that are assigned security controls, restrictions or permissions as a collective

5
Q

What is abstraction used for?

A

Used for efficiency

Used to define what types of data an object can contain and what functions can be performed on or by the object

Simplifies security by enabling you to assign controls to a group of objects collected by type or function

6
Q

What is Data Hiding?

A

Preventing data from being accessed by a subject by positioning the data in a logical storage compartment that is not accessible by the subject

7
Q

List some examples of Data Hiding

A

Keeping a database from being accessed by unauthorised users

Restricting users at a lower classification level from accessing data at a higher classification level

8
Q

What is encryption?

A

A system of hiding the meaning or intent of a communication from unintended recipients

Takes many forms and can be applied to every type of electronic communication (text, audio, video)

Encryption is especially important in the transmission of data between systems

Comes in various strengths, each designed for a specific use or purpose

9
Q

What is Security Governance

A

It is the collection of practices related to supporting, defining and directing the security efforts of an organisation

Closely related to corporate governance and IT governance

10
Q

Name the stages of the Top-Down Responsibility Plan

A

Year
Strategic Plan
Tactical Plans
Operational Plans

11
Q

What is a Strategic Plan?

A

A long-term plan that is fairly stable. It defines the organisation's security purpose

Helps understand the security function and align it with the goals, mission and objectives of the organisation

Useful for around 5 years if maintained and updated annually

Discusses the vision of the future and includes risk assessments

12
Q

What is a Tactical Plan?

A

A mid-term plan developed to provide more detail on accomplishing the goals set in the strategic plan

Can be ad hoc, based on unpredicted events

Useful for around 1 year; often prescribes and schedules the tasks necessary to accomplish organisational goals

13
Q

What is an Operational Plan?

A

A short-term, highly detailed plan based on the strategic and tactical plans

Useful for a short time

Must be updated frequently

Must include details on how the implementation processes comply with the security policy

14
Q

How do you maintain security when changes are needed?

A

Systematically manage change

Involves extensive planning, testing, logging, auditing and monitoring

15
Q

What does Change Control/Management require?

A

Implement changes in a monitored and orderly manner

Formalised testing process to verify that changes produce the expected results

All changes can be reversed (backout/rollback plans)

Users informed of changes beforehand to prevent loss of productivity

Effects of change analysed

Negative impact minimised

Changes reviewed and approved by Change Approval Board (CAB)
