Security Mgt U2, summary

IYM001 Mind Map on Security Mgt U2, summary, created by jjanesko on 04/01/2013.

1 information security
1.1 business issue
1.1.1 has own budget
1.1.2 has own personnel
1.1.3 management must drive decisions
1.1.4 business dependent on IT systems
1.2 modern boundaries blurred
1.3 gone from IT issue to consumer issue
1.3.1 due to ecommerce
1.4 confidentiality, integrity, availability
1.4.1 integrity & availability most important
1.5 resource decentralization
1.6 protect information NOT hardware
1.7 protect the business
1.7.1 sensible controls
1.7.2 usable controls
1.8 information theft
1.8.1 you may not notice it
1.8.2 no audit trail
1.8.3 lucky if there are logs
1.9 information risk mgt
1.9.1 identify threats
1.9.2 identify likelihood
1.9.3 identify impacts: what is data loss worth?
1.9.3.1 company reputation
1.9.3.2 leaked business info
1.9.3.3 competitive edge
1.9.4 identify vulnerabilities
1.9.5 governance policy procedure
1.10 adequate (not perfect) protection
1.10.1 people
1.10.2 financial
1.10.3 information
1.10.4 infrastructure
2 risk assessment
2.1 3 components
2.1.1 threat: unwanted event that may result in harm to an asset
2.1.2 vulnerability: susceptibility of asset to attack
2.1.3 impact: magnitude of potential loss
2.2 CRAM
2.2.1 tool / software / methodology
2.2.1.1 prompts with threats
2.2.1.2 facilitates documentation
2.3 anecdotal examples/ comments
2.3.1 attack sophistication has increased even though attackers have little technical knowledge
2.3.2 security costs money
2.3.3 identity theft
2.3.4 phishing / pharming
2.3.5 spoof websites
2.3.6 social engineering
2.3.7 DDoS
2.3.7.1 more effective against small companies
2.3.7.2 attacks getting bigger
2.3.7.3 use rapid filtering to manage
2.3.7.4 usually attacks at IP level; point DNS to new IP
2.3.7.5 expensive
2.3.7.6 business is reliant on open network
3 governance
3.1 means by which companies are directed and controlled
3.2 accountability of board
3.2.1 ethical
3.2.2 legal
3.2.3 performance
3.3 needs to demonstrate compliance with rules, regulations and law
3.3.1 FSA
3.3.2 FED
3.3.3 SOX
3.3.4 BASLE II
3.3.5 ISO 17799
3.3.6 COBIT
3.3.7 ITIL
3.4 of info sec
3.4.1 means by which infosec is controlled and directed in company
3.4.2 administered by top level steering committee
3.4.3 CISO provides assurance to board and regulators
3.4.3.1 compliance (checking)
3.4.3.2 audit
3.4.3.3 testing
3.4.3.4 board level issue
3.5 specifying mode of operation
3.5.1 policy: what you want to do (but not how you do it)
3.5.1.1 outlines responsibilities
3.5.1.2 outlines partner and supplier responsibilities
3.5.1.3 should be endorsed at all management levels
3.5.1.4 identify owners of: systems; infrastructure (generally IT); applications; processes (end-to-end)
3.5.2 standards: specification of how we do it
3.5.3 guidelines: good practice but not required
3.5.4 procedures: specify behaviour for end-to-end processes
3.5.4.1 installation
3.5.4.2 operation
3.5.4.3 initialisation
3.5.4.4 support