Annualized Loss Expectancy | Threat | Vulnerability | Risk | Safeguard | Total Cost of Ownership | Return on Investment
Assets | safeguards | C-level executives | Total Cost of Ownership (TCO) | Return on Investment
Modifications by unauthorized personnel or processes
Unauthorized modifications by authorized personnel or processes
The data are internally and externally consistent.
| Personally Identifiable Information (PII) | Tension between the Concepts
Disclosure, Alteration, and Destruction
Identity and Authentication, Authorization, and Accountability
| Non-repudiation | Least Privilege and Need to Know | Defence-in-Depth: layered
Assets | Threats and Vulnerabilities | Risk = Threat × Vulnerability
Impact | Risk = Threat × Vulnerability × Impact.
Risk Analysis Matrix
Calculating Annualized Loss Expectancy
Asset Value | Exposure Factor | Single Loss Expectancy (SLE) | Annual Rate of Occurrence (ARO) | Annualized Loss Expectancy (ALE)
Total Cost of Ownership
Return on Investment
Risk Choices:
1. Accept the Risk | Risk Acceptance Criteria
2. Mitigate the Risk
3. Transfer the Risk
4. Risk Avoidance
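The ALE calculation above (SLE = Asset Value × Exposure Factor, ALE = SLE × ARO) and the four risk choices are easier to reason about with numbers attached. The following is an added example, not part of the original notes: it carries the calculation through for a constructed web-server scenario, costs a candidate safeguard by its annual TCO, computes the safeguard's return on investment as (ALE before − ALE after) − TCO, and maps the result onto accept / mitigate / transfer-or-avoid. The asset, safeguard, and acceptance-threshold values are invented for illustration, and the "transfer-or-avoid" grouping is a simplification of choices 3 and 4.

```python
from dataclasses import dataclass

# Constructed inputs (not from the study notes): a hypothetical public web
# server, a hypothetical internal wiki, and two candidate safeguards.
# All money values are in the same (unspecified) currency unit.


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float      # AV: replacement / business value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_tco: float       # TCO per year: amortised purchase plus operations/maintenance
    residual_ef: float      # EF once the safeguard is in place
    residual_aro: float     # ARO once the safeguard is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the cost of a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected yearly loss from the threat."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def asset_ale(asset: Asset) -> float:
    """ALE of an asset with no additional safeguard in place."""
    sle = single_loss_expectancy(asset.asset_value, asset.exposure_factor)
    return annualized_loss_expectancy(sle, asset.aro)


def safeguard_roi(asset: Asset, safeguard: Safeguard) -> float:
    """ROI = (ALE before - ALE after) - annual TCO of the safeguard.

    A positive value means the safeguard saves more per year than it costs."""
    ale_before = asset_ale(asset)
    sle_after = single_loss_expectancy(asset.asset_value, safeguard.residual_ef)
    ale_after = annualized_loss_expectancy(sle_after, safeguard.residual_aro)
    return (ale_before - ale_after) - safeguard.annual_tco


def risk_choice(asset: Asset, safeguard: Safeguard, acceptance_threshold: float) -> str:
    """Map the numbers onto the risk choices from the notes.

    acceptance_threshold is the organisation's risk acceptance criterion
    (an assumed policy value): an ALE at or below it is simply accepted."""
    if asset_ale(asset) <= acceptance_threshold:
        return "accept"
    if safeguard_roi(asset, safeguard) > 0:
        return "mitigate"
    # The safeguard costs more than it saves: consider transferring the risk
    # (insurance, outsourcing) or avoiding it (retire the exposed function).
    return "transfer-or-avoid"


# Constructed scenario values.
WEB_SERVER = Asset("public web server", asset_value=200_000.0, exposure_factor=0.25, aro=2.0)
INTERNAL_WIKI = Asset("internal wiki", asset_value=20_000.0, exposure_factor=0.5, aro=1.0)
WAF = Safeguard("managed WAF", annual_tco=30_000.0, residual_ef=0.25, residual_aro=0.5)
REBUILD = Safeguard("full platform rebuild", annual_tco=90_000.0, residual_ef=0.25, residual_aro=0.5)
ACCEPTANCE_THRESHOLD = 40_000.0  # assumed risk acceptance criterion


if __name__ == "__main__":
    for asset in (WEB_SERVER, INTERNAL_WIKI):
        print(f"{asset.name}: SLE={single_loss_expectancy(asset.asset_value, asset.exposure_factor):,.0f}"
              f" ALE={asset_ale(asset):,.0f}")
        for sg in (WAF, REBUILD):
            print(f"  {sg.name}: ROI={safeguard_roi(asset, sg):,.0f}"
                  f" -> {risk_choice(asset, sg, ACCEPTANCE_THRESHOLD)}")
```

With these inputs the web server has SLE 50,000 and ALE 100,000; the WAF cuts ALE to 25,000 for a TCO of 30,000 (ROI 45,000, so mitigate), while the rebuild has the same residual ALE at three times the cost (ROI −15,000, so look at transfer or avoidance). The wiki's ALE of 10,000 falls under the acceptance criterion and is accepted without further analysis.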
Qualitative and Quantitative Risk Analysis
The Risk Management Process
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
Security Policy and Related Documents
Components of Program Policy
• Scope
• Responsibilities
• Compliance
Policy Types: program policy | issue-specific policy | system-specific policy
NIST Special Publication 800-12
Security Awareness and Training
Roles and Responsibilities
Senior Management | Data Owner (also called information owner or business owner) | Custodian
provides hands-on protection of assets such as data.
Compliance with Laws and Regulations
Privacy: PII
Due Care and Due Diligence
Gross Negligence
Best Practice
Outsourcing and Offshoring
Auditing and Control Frameworks
OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation, risk management framework, Carnegie Mellon University, three-phase process for managing risk.
Phase 1 identifies staff knowledge, assets, and threats.
Phase 2 identifies vulnerabilities and evaluates safeguards.
Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.
ISO 17799 and the ISO 27000 Series
ISO 17799 had 11 areas, focusing on specific information security controls:
1. Policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
COBIT: (Control Objectives for Information and related Technology) COBIT has four domains:
1. Plan and Organise
2. Acquire and Implement
3. Deliver and Support
4. Monitor and Evaluate.
ITIL: (Information Technology Infrastructure Library)
ITIL contains five "Service Management Practices" Core Guidance publications:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
Certification and Accreditation
NIST SP 800-37
1. Initiation Phase
2. Security Certification Phase
3. Security Accreditation Phase
4. Continuous Monitoring Phase
The (ISC)² Code of Ethics
Download the (ISC)2® code of ethics at http://www.isc2.org/ethics/default.aspx and study it carefully. You must understand the entire code, not just the details covered in this book.
The canons are the following:
1. Protect society, the commonwealth, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.
Information Classification Objectives
Information Classification Benefits
| Organization's commitment | identify which information is the most sensitive |
Supports the tenets
| which protections apply to which information | required for regulatory, compliance, or legal reasons
Information Classification Concepts
Classification Terms
1. Unclassified
2. Sensitive but Unclassified (SBU).
3. Confidential.
4. Secret
5. Top Secret.
Classification Criteria
Value | Age | Useful Life | Personal Association.
Information Classification Procedures
1. Identify the administrator/custodian.
2. Specify the criteria of how to classify and label the information.
3. Classify the data by its owner, who is subject to review by a supervisor.
4. Specify and document any exceptions to the classification policy.
5. Specify the controls that will be applied to each classification level.
6. Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity.
7. Create an enterprise awareness program about the classification controls.
Distribution of Classified Information
Court order. | Government contracts | Senior-level approval
Information Classification Roles
Owner: decision about what level of classification | Review classification levels | Delegate data protection duties to custodian
Custodian: backups | restoration |
User: Abide by policy | due care | Use company resources in an acceptable manner.
