Professional Documents
Culture Documents
What are the levels of permanence and obligation? Each differs in intent.
Policies and Procedures
Policies and procedures are critical governance tools in every enterprise. Where policies dictate
the rules, procedures explain how these same rules are practically applied in real life. Taken as a
collective, policies and procedures set expectations for behaviors and activities, as well as
provide mechanisms to enforce these expectations.
Senior management needs to define the scope of security and identify and decide what must be
protected and to what extent.
Given the importance and relative "permanence" of policy and procedure documents, they
should be carefully and conscientiously crafted in order to withstand both time and scrutiny. The
goal of this Policies and Procedures Definition program is to provide the tools and guidance
necessary to construct these governing documents.
Senior management must also determine what is expected from employees and what the
consequences of noncompliance will be.
Risk Transfer
◦ Passing on the risk to a third party, such as an insurance company
Risk Mitigation
◦ Defining the acceptable risk level the organization can tolerate and reducing the risk level
Risk Acceptance
◦ Understanding and accepting the level of risk as well as the cost of damages that can occur
Let’s discuss the single loss expectancy (SLE). It expresses, in monetary terms, the potential loss when a
threat occurs. It is calculated as SLE = AV x EF, where AV is the asset value and EF is the
exposure factor. The exposure factor is the share of the asset's value that is lost as a result of the
threat (expressed as a percentage). In our example, SLE is $30,000 when EF is estimated to be 0.3.
As we can see, risk combines the impact of the vulnerability on the business with the
probability that the vulnerability will be exploited.
Administrative (e.g., security awareness training, which should not be forgotten because people are the weakest
point in the security chain)
Countermeasures are implemented to reduce the risk. The risk that exists before any countermeasure is
implemented is the total risk. Once a countermeasure is in place, some risk still remains, because perfect
security doesn’t exist. This remaining risk is the residual risk.
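The SLE calculation and the total-versus-residual-risk comparison above, worked through as an added example (not from the original notes). An asset value of $100,000 is assumed because it reproduces the $30,000 SLE at EF 0.3 stated above; the annual probability and the countermeasure's effect and cost are constructed figures, and the annual loss expectancy and cost/benefit formulas are the standard quantitative-risk extensions, not something the notes state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset: AV and EF as in the notes, plus
    an assumed annual probability that the threat is realised."""
    asset_value: float         # AV, in dollars
    exposure_factor: float     # EF: fraction of AV lost per occurrence, 0.0..1.0
    annual_probability: float  # likelihood of the threat occurring in a year

    def __post_init__(self) -> None:
        # EF is a percentage of the asset's value: reject 30 where 0.3 was meant.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0.0 and 1.0")
        if self.asset_value < 0 or self.annual_probability < 0:
            raise ValueError("AV and probability must be non-negative")

def single_loss_expectancy(s: RiskScenario) -> float:
    """SLE = AV x EF: the monetary loss from a single occurrence."""
    return s.asset_value * s.exposure_factor

def annual_loss_expectancy(s: RiskScenario) -> float:
    """Impact combined with probability: SLE x annual probability (ALE)."""
    return single_loss_expectancy(s) * s.annual_probability

def countermeasure_net_benefit(total: RiskScenario, residual: RiskScenario,
                               annual_cost: float) -> float:
    """Standard cost/benefit comparison (goes beyond the notes): ALE of the total
    risk, minus ALE of the residual risk, minus the control's annual cost.
    Positive means mitigation pays for itself; negative suggests accepting or
    transferring the risk instead."""
    return (annual_loss_expectancy(total)
            - annual_loss_expectancy(residual)
            - annual_cost)

if __name__ == "__main__":
    # Constructed figures: AV = $100,000 reproduces the notes' SLE of $30,000 at EF 0.3.
    total = RiskScenario(asset_value=100_000, exposure_factor=0.3, annual_probability=0.5)
    # Assumed countermeasure (e.g. tested backups) that cuts EF to 0.1 for $5,000 a year.
    residual = RiskScenario(asset_value=100_000, exposure_factor=0.1, annual_probability=0.5)
    print(f"SLE (total risk):   ${single_loss_expectancy(total):,.0f}")
    print(f"ALE before control: ${annual_loss_expectancy(total):,.0f}")
    print(f"ALE after control:  ${annual_loss_expectancy(residual):,.0f}")
    print(f"Net benefit/year:   ${countermeasure_net_benefit(total, residual, 5_000):,.0f}")
```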
Password Policy
What goes in these policies? How are they crafted to become a policy?
NIACAP
ISO/IEC 27001
ISO/IEC 27002