36152
Security Mgt U2, summary
- information security
- business issue
- has own budget
- has own personnel
- management must drive decisions
- business dependent
on IT systems
- has own budget
- modern boundaries blurred
- gone from IT issue to consumer issue
- due to ecommerce
- due to ecommerce
- confidentiality, integrity, availabiltiy
- integrity & availability most important
- integrity & availability most important
- resource decentralization
- protect information NOT hardware
- protect the business
- sensible controls
- usable controls
- sensible controls
- information theft
- you may not notice it
- not audit trail
- lucky if there are logs
- you may not notice it
- information risk mgt
- identify threats
- identifiy likelihood
- identify impacts
- what is data loss worth?
- company reputation
- leaked business info, competitive edge
- company reputation
- what is data loss worth?
- identify vulnerabilities
- governance
- policy
- procedure
- policy
- identify threats
- adequate (not perfect) protection
- people
- financial
- information
- infrastructure
- people
- business issue
- risk assessment
- 3 components
- threats
- unwanted event that may result in harm to an asset
- unwanted event that may result in harm to an asset
- vulnerability
- susceptability of asset to attack
- susceptability of asset to attack
- impact
- magnitude of potential loss
- magnitude of potential loss
- threats
- CRAM
- tool / software / methodology
- prompts with threats
- facilitates documentation
- prompts with threats
- tool / software / methodology
- anecdotal examples/ comments
- attack sophistication has increased
- even though attackers have little technical knowledge
- even though attackers have little technical knowledge
- security costs money
- identity theft
- phishing / pharming
- spoof websites
- social engineering
- DDOS
- more
effective
against
small
companies
- attacks getting bigger
- use rapid filtering to manage
- usually attacks at IP level
- point DNS to new IP
- expensive
- expensive
- point DNS to new IP
- business is reliant on open network
- more
effective
against
small
companies
- attack sophistication has increased
- 3 components
- governance
- means by which companies are directed and controlled
- accountability of board
- ethical
- legal
- performance
- ethical
- needs to demonstrate
compliance with rules,
regulations and law
- FSA
- FED
- SOX
- BASLE II
- ISO 17799
- COBIT
- ITIL
- FSA
- of info sec
- means by which infosec
is controlled and
directed in company
- administered by
top level steering
committee
- CISO provides assurance to board and regulators
- compliance (checking)
- audit testing
- board level issue
- compliance (checking)
- means by which infosec
is controlled and
directed in company
- specifyimg mode of operaion
- policy
- what you want to do (but not how you do it)
- outlines responsibilities
- outliens partner and supplier responsibilities
- should be endorsed at all management levels
- identify owners of systems
- infrastructure (generally IT)
- applictaions
- processes (end-to-end
- infrastructure (generally IT)
- what you want to do (but not how you do it)
- standards
- specification of how we do it
- specification of how we do it
- guidelines
- good practice but not required
- good practice but not required
- procedures
- specify behavior for end-to-end processes
- instalation
- operation
- initialisation
- support
- instalation
- specify behavior for end-to-end processes
- policy
- means by which companies are directed and controlled
Want to create your own Mind Maps for free with GoConqr? Learn more.