Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 1: Security Governance Through Principles and Policies

Published byKathleen Gibbs Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 1: Security Governance Through Principles and Policies"— Presentation transcript:

1 Chapter 1: Security Governance Through Principles and Policies

2 Understand and Apply Concepts of Confidentiality, Integrity, and Availability
CIA Triad AAA services Protection mechanisms

3 CIA Triad Confidentiality Integrity Availability C I A

4 Confidentiality Sensitivity Discretion Critical Concealment Secrecy
Privacy Seclusion Isolation

5 AAA Services Identification Authentication Authorization Auditing
Accountability Nonrepudiation

6 Protection Mechanisms
Layering Abstraction Data hiding Encryption

7 Apply Security Governance Principles
Alignment of security function to strategy, goals, mission, and objectives Organizational processes Security roles and responsibilities Control frameworks Due care and due diligence

8 Alignment of Security Function
Alignment to strategy, goals, mission, and objectives Security policy Top-down approach Senior management approval Plans: strategic, tactical, operational

9 Organizational Processes
Security governance Acquisitions and divestitures Change control/management Data classification Government/military vs. commercial/private sector

10 Security Roles and Responsibilities
Senior manager Security professional Data owner Data custodian User Auditor

11 Control Frameworks COBIT ISACA OSSTMM ISO/IEC 27002 ITIL NIST

12 Develop and Implement Documented Security Policy, Standards, Procedures, and Guidelines
Security policies Security standards, baselines, and guidelines Security procedures

13 Understand and Apply Threat Modeling
Identifying threats Determining and diagramming potential attacks Performing reduction analysis Prioritization and response

14 Identifying Threats Focused on assets Focused on attackers
Focused on software STRIDE Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege

15 Determining and Diagramming Potential Attacks
Diagram the infrastructure Identify data flow Identify privilege boundaries Identify attacks for each diagrammed element

16 Performing Reduction Analysis
Trust boundaries Data flow paths Input points Privileged operations Details about security stance and approach

17 Prioritization and Response
Probability × damage potential ranking High/medium/low rating DREAD system Damage potential Reproducibility Exploitability Affected users Discoverability

18 Integrate Security Risk Considerations into Acquisition Strategy and Practice
Resilient integrated security Cost of ownership Outsourcing Integrated security assessments Monitoring and management Onsite assessment Document exchange and review Process/policy review

Download ppt "Chapter 1: Security Governance Through Principles and Policies"

Similar presentations

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Bridging the gap between software developers and auditors.

Bridging the gap between software developers and auditors.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Security Controls – What Works

Security Controls – What Works
By Collin Smith http://techinitiatives.blogspot.com COBIT Introduction By Collin Smith http://techinitiatives.blogspot.com.

By Collin Smith COBIT Introduction By Collin Smith
Accounting Information Systems Chapter Outlines

Accounting Information Systems Chapter Outlines
Security Management Practices Keith A. Watson, CISSP CERIAS.

Security Management Practices Keith A. Watson, CISSP CERIAS.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.

Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
COBIT®. COBIT - Control Objectives for Information and related Technology C OBI T was initially created by the Information Systems Audit & Control Foundation.

COBIT®. COBIT - Control Objectives for Information and related Technology C OBI T was initially created by the Information Systems Audit & Control Foundation.
Lecture 30 Information Security (Cont’d). Overview Organizational Structures Roles and Responsibilities Information Classification Risk Management 2.

Lecture 30 Information Security (Cont’d). Overview Organizational Structures Roles and Responsibilities Information Classification Risk Management 2.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
GRC - Governance, Risk MANAGEMENT, and Compliance

GRC - Governance, Risk MANAGEMENT, and Compliance
1 Chapter Three IT Risks and Controls. 2 The Risk Management Process Identify IT Risks Assess IT Risks Identify IT Controls Document IT Controls Monitor.

1 Chapter Three IT Risks and Controls. 2 The Risk Management Process Identify IT Risks Assess IT Risks Identify IT Controls Document IT Controls Monitor.

Similar presentations

Ads by Google