
1. Information assurance doesn't depend on the size of the organization; it is not a one-time event but an ongoing process.

2. Information asset life cycle***************

The PDCA (Plan, Do, Check, Act) cycle ----> EIMM (establish, implement, monitor, maintain)
a. Plan phase:*****************************************
- Defining the scope of the IAMS
- Planning & documenting all the steps
- Providing a systematic approach
- Performing a risk assessment
- Preparing the SOA (System of Applicability)

b. Do phase:
- Define, implement and operate
- Prepare procedure manuals
- Develop risk treatment planning

c. Check phase:
- Execute monitoring, review and checkup

d. Act phase:
- Maintain

3. Best practices:
Due care: Managers & their organizations have a responsibility or moral duty to provide information assurance, in order to ensure that
a. the type of control
b. the cost of control******************
c. the deployment of control are appropriate for the system being managed

Due diligence: It is a continuous set of activities that an organization takes to ensure that the efforts established in due care are effective & properly implemented.

4. Specific laws & regulations:*****

a. Criminal law - Deals with crime and criminal acts. Under this law punishment comes in the form of jail, fines or the death penalty.
b. Administrative law - Also called regulatory law. Sets standards of performance and a code of conduct for organizations. Violation results in financial penalties etc.
c. Civil law - One of its forms is known as tort law. There is usually no jail sentence for a violation, but there is a financial penalty.

Intellectual property law:

a. Patents - A patent grants legal ownership of an invention to an individual or organization. The patent holder may grant a license to others to use the design information.
b. Trademarks - A distinguishing name, symbol or logo etc. that establishes the identity of an organization, product or service.
c. Trade secrets - Proprietary information important for the owner's economic survival and profitability. Owners should take legal steps to protect it.
d. Copyrights - Protect the expression of ideas.

5. Privacy laws:
a. The collection of data should be by lawful means.
b. Data should be accurate, complete and up to date.
c. Data should be reasonably protected from security breaches.
d. Individuals should have the right to make alterations & corrections.

----------------------------------------------------------------------------------
APM: An asset performance management maturity model is a systematic approach to analyzing an organization's asset management processes, technologies, capabilities and systems. It helps organizations understand their present capabilities and skills and identify a sequence of steps to proceed through to the next level.

It is broken into 5 stages, each with a set of unique characteristics:
Initial, Defiant, Compliant, Evolving, Execution (IDCEE)*******

Risk Management: It is the process of identifying risk, as represented by vulnerabilities, to an organization's assets, people, information and infrastructure.
a. Risk Identification - Examination and documentation of the security posture*******
Plan, Categorize, Inventory, Classify, Identify, Specify (PCICIS)
b. Risk Assessment - Determination of the extent to which the organization's information is exposed to risk.*****
The probability that a vulnerability will be the object of a successful attack: assign it a numeric value, i.e. a number between 0.1 & 1 or on a scale of 100. Zero is not used, as it would mean zero attack. After this, identify possible controls, which fall into three categories, namely Policies, Technologies and Programs. After this, document the result.

c. Risk Control - Preventive measures taken to control/reduce the risk to an organization.
Once the above steps are completed, choose one of the five strategies:
Defence, Transfer, Mitigate, Acceptance, Terminate (DTMAT).
Before deciding on any strategy, study the feasibility of all of them:
a. CBA (Cost Benefit Analysis): CBA = ALE(prior) - ALE(post) - ACS, where ALE is the annualized loss expectancy.
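The risk assessment and risk control steps above carried through as a worked calculation. This is an added example, not code from the original notes; it assumes the standard expansions ALE = SLE * ARO and ACS = annualized cost of the safeguard, which the notes do not spell out, and every asset and control figure is a constructed sample value.

```python
# Added example, not from the original notes: the risk assessment and risk
# control steps above carried through in code. CBA = ALE(prior) - ALE(post) - ACS
# is the notes' formula; ALE = SLE * ARO and ACS = annualized cost of the
# safeguard are standard textbook expansions assumed here, and every figure
# below is a constructed sample value.
from dataclasses import dataclass

def risk_rating(asset_value: float, likelihood: float) -> float:
    """Risk assessment: asset value weighted by the likelihood that a
    vulnerability is the object of a successful attack. The notes' scale is a
    number between 0.1 and 1; zero is rejected since it would mean 'no attack'."""
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError("likelihood must lie between 0.1 and 1")
    return asset_value * likelihood

def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy (assumed expansion: SLE * ARO)."""
    return sle * aro

def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays off."""
    return ale_prior - ale_post - acs

@dataclass(frozen=True)
class Control:
    name: str        # hypothetical safeguard
    strategy: str    # which of the DTMAT strategies it implements
    acs: float       # annualized cost of the safeguard
    ale_post: float  # ALE expected once the control is in place

def rank_controls(ale_prior: float, controls: list) -> list:
    """Feasibility study of all candidates: (name, strategy, CBA), best first.
    A negative CBA means the safeguard costs more than the loss it avoids, so
    accepting the residual risk beats buying that option."""
    scored = [(c.name, c.strategy, cba(ale_prior, c.ale_post, c.acs)) for c in controls]
    return sorted(scored, key=lambda row: row[2], reverse=True)

# Constructed sample: a loss of 50 000 per incident, expected once every two years.
ALE_PRIOR = ale(sle=50_000, aro=0.5)  # 25 000 per year before any control
CANDIDATES = [
    Control("patch management", "Mitigate", acs=5_000, ale_post=5_000),
    Control("cyber insurance", "Transfer", acs=8_000, ale_post=2_500),
    Control("hardened appliance", "Defence", acs=30_000, ale_post=1_000),
]

if __name__ == "__main__":
    for name, strategy, value in rank_controls(ALE_PRIOR, CANDIDATES):
        print(f"{name:20s} {strategy:10s} CBA = {value:>9,.0f}")
```

The ranking shows why the notes insist on studying the feasibility of all strategies before choosing: the most protective option here has a negative CBA, so accepting the residual risk is cheaper than buying it.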

Baselining - Analysis of measures against established standards, i.e. it is the comparison of security activities.
Benchmarking - Benchmarking is the process of seeking out and studying practices in other organizations that one's own organization desires to duplicate.
Policies - Communities must consider them the basis for all information security efforts.
a. A policy directs how issues should be addressed and how technologies should be used.
b. It should never contradict the law. Writing it is a difficult process.
c. It is a plan of action that conveys instructions from an organization's senior management to those who take decisions, perform actions and do their duties.
d. It formalizes acceptable & unacceptable behaviours within an organization.
e. It defines what is right, what is wrong and how large the penalty has to be.
f. In short it is practice--->Procedure---->Guidelines****
The process involved in this:*********
a. Define the issue.
b. Gather the necessary information.
c. Brainstorm it.
d. Make the first draft.
e. Hold the first meeting.
f. Make the necessary recommendations.
g. Hold second, third... meetings.
h. Make further revisions.
i. Adopt it.

Accreditation: In security management, accreditation is what authorizes an IT system to process, store and transmit information. It is issued by a management official and ensures that the IT system is of adequate quality. It also challenges managers and employees to find the best security.
Certification: A comprehensive evaluation of the technical & non-technical security controls of an IT system, to support the accreditation process.
Assurance: It is a way to make sure the product has been developed in a secure manner.
The above two are not permanent in nature.
