Embedded Files
Principles
What do are our values? Principles
Ethics, Principles, Beliefs.
Vision
what do we aspire to be? Vision
Hope and Ambition.
Mission
who do we do it for? Mission
Motivation and Purpose.
Strategic Objectives
how are we going to progress? Strategic Objectives
Plans, goals, Sequencing.
Action & KPI’s
what do we need to do and how do we know when we achieved it? Action & KPI’s
Actions, Recourses, Outcomes, Owners, and Timeframes.
Governance vs. Management
Governance vs. Management
Governance
This is C-level Executives (most likely not you) Governance
Stakeholder needs, conditions and options are evaluated to define:
Balanced agreed-upon enterprise objectives to be achieved.
Setting direction through prioritization and decision making.
Monitoring performance and compliance against agreed-upon direction and objectives.
Risk appetite – Aggressive, neutral, adverse.
C-Level Executives (Senior Leadership)
CEO: Chief Executive Officer.
CSO: Chief Security Officer.
CIO: Chief Information Officer.
CFO: Chief Financial Officer.
Normal organizations obviously have more C-Level executives, the ones listed here you need to know.
Also know where you fit in the organization and on the exam.
Management
How do we get to the destination (most likely not you) Management
Plans, builds, runs and monitors activities in alignment with the direction set by the governance to achieve the objectives.
Risk tolerance – How are we going to practically work with our risk appetite and our environment.
Bottom-Up
Bottom-Up
IT Security is seen as a nuisance and not a helper, this often changes when a security breach happens.
Top-Down
Top-Down
IT leadership understands the importance of IT Security, they lead and set the direction.
Governance standards and control frameworks
Governance standards and control frameworks
PCI-DSS: Payment Card Industry Data Security Standard
PCI-DSS: Payment Card Industry Data Security Standard
TBC
OCTAVE®: Operationally Critical Threat, Asset, and Vulnerability Evaluation.
OCTAVE®: Operationally Critical Threat, Asset, and Vulnerability Evaluation.
Self Directed Risk Management.
COBIT: Control Objectives for Information and related Technology.
COBIT: Control Objectives for Information and related Technology.
Goals for IT – Stakeholder needs are mapped down to IT related goals.
COSO: Committee Of Sponsoring Organizations.
COSO: Committee Of Sponsoring Organizations.
Goals for the entire organization.
ITIL: Information Technology Infrastructure Library.
ITIL: Information Technology Infrastructure Library.
IT Service Management (ITSM).
FRAP: Facilitated Risk Analysis Process.
FRAP: Facilitated Risk Analysis Process.
Analyses one business unit, application or system at a time in a roundtable brainstorm with internal employees. Impact analyzed, threats and risks prioritized.
ISO 27001
ISO 27000 seriesISO 27001
Establish, implement, control and improvement of the ISMS. Uses PDCA (Plan, Do, Check, Act)
ISO 27002: (From BS 7799, 1/2, ISO 17799)
ISO 27000 seriesISO 27002: (From BS 7799, 1/2, ISO 17799)
Provides practical advice on how to implement security controls. It has 10 domains it uses for ISMS (Information Security Management Systems).
ISO 27004
ISO 27000 seriesISO 27004
Provides metrics for measuring the success of your ISMS.
ISO 27005
ISO 27000 seriesISO 27005
Standards based approach to risk management.
ISO 27799
ISO 27000 seriesISO 27799
Directives on how to protect PHI (Personal Health Information).
Defense in Depth
Also called Layered Defense or Onion DefenseDefense in Depth
We implement multiple overlapping security controls to protect an asset.
This applies both to physical and logical controls.
To get to a server you may have to go through multiple locked doors, security guards, man-traps.
To get to data you may need to get past firewalls, routers, switches, the server, and the applications security.
Each step may have multiple security controls.
No single security control secures an asset.
By implementing Defense in Depth you improve your organization’s Confidentiality, Integrity and Availability.
Report abuse