Module 1:
Core Principles
Confidentiality:
• Only those who require access actually have access (the confidentiality of information is protected)
Integrity:
• Data is edited correctly and by the right people
Availability:
• If you cannot use it, why do you have it?
Applying CIA
Ideal: Three equal parts
• Only works in “perfect world security”
Authorization:
• While we know Keith is Keith, what can Keith do?
Accountability:
• While we know Keith is Keith, what did Keith do?
The PPT
Policy:
• Broad general statement of management’s intent
Procedure:
• The detailed steps to make policy happen
Training:
• Users must know what policies and procedures say in order to follow them
The Core of All Security
Prevent/Detect/Respond (PDR)
Current state of the art – it is as good as it gets:
• Prevent as much as you can
• Detect everything else, i.e., whatever the preventive measures fail to stop
• Respond to what is detected
Prevention is ideal
Detection is a must
Detection without response is useless
Security by Thirds
A security professional needs to be:
• 1/3 technologist
• 1/3 manager
• 1/3 lawyer
• This is the perfect summation of the career field
Data Custodian:
• The person/group that makes the decisions of the owners happen
Users:
• Use data
• Are also automatically Data Custodians
The Nature of the Threat (1)
Years ago: We faced teenagers