IT Security Management Flashcards
IT security management
formal process to develop and maintain appropriate security levels for organizational assets, preserving confidentiality, integrity, availability, authenticity and accountability (CIAAA) and reliability
Plan-Do-Check-Act Process Model
ISO 31000: Risk Management - Principles and Guidelines
Plan -> establish security policy, objectives, processes and procedures; perform risk assessment; develop risk treatment plan
Do -> implement the risk treatment plan
Check -> monitor and maintain the risk treatment plan
Act -> maintain and improve the information security risk management process; respond to incidents, reviews or changes
Org Context and Security Policies
Identify org assets/information, with the role and importance of each
what IT needs to manage or provide; consequences of a security failure
Organizational security policy is generated -> objectives and strategies, and the process used to achieve them
IT security officer -> responsible for the org's IT security
oversight of the process, liaison with management, maintenance of policies, coordination of incident response, management of security awareness programs and training
IT project security officer -> security policies at the project level
Security risk assessment
Every org asset is examined, and every possible risk is evaluated
if the risk is too great -> remedial controls are deployed to reduce it
Baseline -> uses industry-level practices; can be too strict or too permissive
Informal -> uses internal experts or consultants; gives better context but can be skewed or incomplete
Detailed -> formal approach in a number of stages: identify assets, threats and vulnerabilities; assess likelihood of risk and consequences
costly in time, resources and expertise
Combined -> baseline + informal + detailed
baseline + high-level risk assessment on all systems + informal risk assessment on key systems, finally performing detailed risk analysis on those systems (ISO 13335)
Detailed Security Analysis
Risk Index = Max Info Sensitivity - Min User Clearance
process: prepare for the assessment; conduct risk analysis; communicate results; maintain the assessment
establish the context: how vulnerable the industry is when viewed in context
risk appetite -> level of risk the org views as acceptable
who conducts the assessment
asset identification -> an asset is anything that needs to be protected
Threat -> potential for a threat source to exploit a vulnerability, which may compromise the asset's security
vulnerability -> flaw or weakness in an asset's design
risk -> potential for loss: the probability that a threat exploits a vulnerability and the magnitude of the resulting harm
Detailed Security Analysis - Threat identification
who or what could cause harm to an asset
how it could occur
threat source/agent -> natural or human-made; accidental or deliberate
motivation -> why they target the asset, how motivated they are
capability -> level of skill
resources -> time, money and other resources available
probability of attack -> how likely and how often
deterrence -> consequences for the attacker
Detailed Security Analysis - Vulnerability Identification
Identify flaws or weaknesses in the org's systems
analyze risks
risk = probability that the threat occurs x cost to the org
provide guidance to management as to which risks exist and how to respond appropriately
Detailed Security Analysis - Risk Consequences
Risk consequence levels
insignificant, minor, moderate, major, catastrophic, doomsday
a level of risk is assigned to each threat
risk register -> documents all identified risks
Detailed Security Analysis - Strategies to reduce risk
Risk acceptance -> accept a risk level greater than normal, for business reasons
Risk avoidance -> remove the activity to remove the risk
Risk transfer -> share responsibility for the risk with a third party
Reduce consequence -> modify the structure or use of the asset to reduce the impact
Reduce likelihood -> implement controls to lower the attack surface