Computer security test 2
operational planning
Day to day (departments and teams)
contingency planning types
ramification (business impact analysis: what the effects of an incident would be), reaction (incident response plan), recovery (disaster recovery plan), and relocation (business continuity plan)
Risk control strategies
1. Defense 2. Transfer 3. Mitigate 4. Accept 5. Terminate
incident characteristics
an ordinary incident is limited in scope and handled by the incident response plan; an incident whose effects are catastrophic or long-term (it cannot be contained or quickly recovered from) is classified as a disaster and handled by the disaster recovery and business continuity plans
Annualized rate of Occurrence formula
expected number of times the loss event occurs per year (e.g. once every four years gives ARO = 0.25)
Issue-Specific Security Policy (ISSP)
(should:) address specific areas of technology, require frequent updating, and state an organization's position on a specific issue
five aspects of NIST
1. Identify 2. Protect 3. Detect 4. Respond 5. Recover
Cost benefit analysis formula
ALE(before) - ALE(after) - Annualized cost of a safeguard
Loss magnitude formula
Asset value * Probable loss
Standards
Detailed statements for compliance
access control
Determines types of user access, such as read-only access
risk control defense
Attempts to prevent exploitation of a vulnerability by eliminating or reducing any remaining uncontrolled risk through additional controls and safeguards; formerly called the avoidance strategy; the preferred approach
Single Loss Expectancy (SLE)
Expected monetary loss every time a risk occurs; calculated by multiplying asset value by exposure factor.
Annualized Loss Expectancy (ALE)
Expected monetary loss for an asset due to a risk over a one-year period; calculated by multiplying single loss expectancy by annualized rate of occurrence.
Single loss expectancy formula
Exposure factor (EF) * Asset value
Mitigation strategy includes 3 types of plans
Incident response (IR), Disaster recovery (DR), Business continuity (BC)
Developing an incident response plan
Plan, detect, react, recover
Strategic planning
Long term planning
Risk formula
(Loss frequency * Loss magnitude) + an element of uncertainty (to account for the inaccuracy of the estimates)
NIST
National Institute of Standards and Technology
Guidelines
Recommendations for compliance
Annualized Loss Expectancy formula
Single loss expectancy * Annualized rate of Occ
Risk management definition
The identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Exposure factor (EF)
The potential percentage of loss to an asset if a threat is realized.
internal
all internal information that does not meet the criteria for the confidential category; for internal use only, not for public release
cost-benefit analysis
a study that compares the annualized cost of a control or safeguard (ACS) against the reduction in expected loss it produces (ALE before minus ALE after) to decide whether the control is economically justified
De facto
a standard that is followed in practice because it is widely adopted, even though it is not formally required or sanctioned by a standards body or law (an informal standard)
external
all information that has been approved for public release
information asset valuation
assigning a relative value or worth to each information asset so that assets can be prioritized for protection
Loss frequency formula
attack likelihood * Attack success
spheres of security
foundation of the security framework
De jure
a standard that has been formally adopted, published or mandated by a standards body or law (a formal standard)
security awareness
cause people to think about security
management, users, IT
communities of interest regarding risk management
statement, authorized access/use, prohibited use, management, penalties, updating, liability
components of an ISSP (statement of purpose, authorized access and use of equipment, prohibited use of equipment, systems management, violations of policy and penalties, policy review and modification, limitations of liability)
controls
defense, transference, mitigation, acceptance, termination
analyze the business impact
essential assets/functionality, potential disruptions, priorities
Enterprise information security policy (EISP)
high-level policy, sets security strategic direction, philosophy/ purpose, structure and responsibilities
IPDRR
identify, protect, detect, respond, recover (the five NIST Cybersecurity Framework functions, in order)
dimensions
impact (seriousness) and likelihood (probability)
Annualized cost of a safeguard (ACS)
in a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.
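Worked example of the quantitative risk formulas on the SLE, ALE, ARO, ACS, cost-benefit, loss frequency, loss magnitude and risk cards above, chained end to end. This is an added illustration, not part of the original flashcard set; the asset, threat and safeguard figures are constructed sample data, and treating the "+ uncertainty" term as a fraction of the computed product is an assumption the cards do not state.

```python
# Added worked example (not from the original flashcard set): the quantitative
# risk-analysis chain SLE -> ALE -> ACS -> CBA, plus the loss-frequency /
# loss-magnitude risk rating, run over constructed sample data.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # asset value (AV) in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0..1.0
    aro: float              # annualized rate of occurrence (events per year)


@dataclass(frozen=True)
class Safeguard:
    name: str
    total_cost: float       # purchase + maintenance + personnel + support over its life
    years_of_use: int
    ef_after: float         # exposure factor once the safeguard is in place
    aro_after: float        # ARO once the safeguard is in place


def sle(asset_value: float, ef: float) -> float:
    """Single loss expectancy: asset value * exposure factor."""
    return asset_value * ef


def ale(sle_value: float, aro: float) -> float:
    """Annualized loss expectancy: SLE * annualized rate of occurrence."""
    return sle_value * aro


def acs(total_cost: float, years_of_use: int) -> float:
    """Annualized cost of a safeguard: lifetime cost / expected years of use."""
    return total_cost / years_of_use


def cba(ale_before: float, ale_after: float, acs_value: float) -> float:
    """Cost-benefit analysis: ALE(before) - ALE(after) - ACS.
    Positive means the safeguard saves more per year than it costs."""
    return ale_before - ale_after - acs_value


def evaluate(asset: Asset, threat: Threat, safeguard: Safeguard) -> dict:
    """Run the whole chain for one asset/threat/safeguard combination."""
    ale_before = ale(sle(asset.value, threat.exposure_factor), threat.aro)
    ale_after = ale(sle(asset.value, safeguard.ef_after), safeguard.aro_after)
    cost = acs(safeguard.total_cost, safeguard.years_of_use)
    return {"safeguard": safeguard.name, "ale_before": ale_before,
            "ale_after": ale_after, "acs": cost,
            "cba": cba(ale_before, ale_after, cost)}


def best_safeguard(asset: Asset, threat: Threat,
                   safeguards: List[Safeguard]) -> Optional[str]:
    """Name of the safeguard with the highest positive CBA, or None when no
    safeguard pays for itself (defense is then not justified on cost grounds
    and another strategy, e.g. transfer or acceptance, must be considered)."""
    results = [evaluate(asset, threat, s) for s in safeguards]
    positive = [r for r in results if r["cba"] > 0]
    if not positive:
        return None
    return max(positive, key=lambda r: r["cba"])["safeguard"]


def risk_rating(attack_likelihood: float, attack_success: float,
                asset_value: float, probable_loss: float,
                uncertainty: float) -> float:
    """Risk = (loss frequency * loss magnitude) + uncertainty, where
    loss frequency = attack likelihood * attack success and
    loss magnitude = asset value * probable loss. Assumption: the uncertainty
    term is applied as a fraction of the computed product."""
    loss_frequency = attack_likelihood * attack_success
    loss_magnitude = asset_value * probable_loss
    base = loss_frequency * loss_magnitude
    return base + base * uncertainty


# Constructed sample data (illustrative figures, not from the original page).
CUSTOMER_DB = Asset("customer database", value=500_000.0)
RANSOMWARE = Threat("ransomware", exposure_factor=0.6, aro=0.5)
OPTIONS = [
    Safeguard("offline backups", 60_000.0, 3, ef_after=0.1, aro_after=0.5),
    Safeguard("endpoint detection", 150_000.0, 3, ef_after=0.6, aro_after=0.1),
    Safeguard("full-stack appliance", 600_000.0, 4, ef_after=0.05, aro_after=0.05),
]

if __name__ == "__main__":
    for option in OPTIONS:
        r = evaluate(CUSTOMER_DB, RANSOMWARE, option)
        print(f"{r['safeguard']:<22} ALE before {r['ale_before']:>9,.0f}  "
              f"ALE after {r['ale_after']:>8,.0f}  ACS {r['acs']:>8,.0f}  "
              f"CBA {r['cba']:>9,.0f}")
    print("best choice:", best_safeguard(CUSTOMER_DB, RANSOMWARE, OPTIONS))
```

With the constructed figures, offline backups cut the expected loss from 150,000 to 25,000 a year for 20,000 a year (CBA 105,000), endpoint detection is also justified but less so (CBA 70,000), and the expensive appliance has a negative CBA: it would remove almost all the loss but costs more per year than the loss it prevents, so on these numbers it would not be selected.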
management
information security is mainly a ___________ problem
incident response plan
initial response/reaction
Procedures
instructions to obtain compliance
business continuity plan
maintaining/ relocating operations
procedures and practice reviews
reviewing the policies, procedures, guidelines, and practices themselves (their content and currency), not just whether they are being followed
policy administrator
manage, input, communicate
security education
offer formal knowledge toward understanding
day-to-day operations departments and teams, actual implementation
operational planning
security training
provide hands-on and technical skills
disaster recovery plan
restoration/recovery process
plan & organize the process; identify, inventory & categorize assets; classify, value & prioritize assets; identify & prioritize threats; and specify asset vulnerabilities
risk identification
identifying risk, assessing its potential impact, taking steps to reduce it to an acceptable level, and balancing the cost of controls against their benefit
risk management
policies/mechanisms
security clearance, clean desk policy, proper disposal
SETA
security education, training, and awareness
senior management, long-term goals, major decisions
strategic planning
medium-term (typically one to three years), breaks strategic goals into concrete objectives, more concrete than strategic planning
tactical planning
Confidential
the most sensitive corporate information, must be tightly controlled even within the organization
operational planning
the process of setting work standards and schedules necessary to implement the company's tactical objectives
strategic, tactical, operational
three levels of planning
purpose of security plans
to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements
having something that a competitor does not
what is competitive advantage