CompTIA Security+ Section 2: the CIA of security

1. Third Party Agreements

1.1. * Business Partner Agreement (BPA): the most generic of these documents; common in the private sector

1.1.1. 1. Primary entities 2. Time frame 3. Financial issues 4. Management

1.2. * Service Level Agreement ( SLA)

1.2.1. 1. Service to be provided 2. Minimum up-time 3. Response time (contacts) 4. Start and end date

1.3. * Interconnection Security Agreement (ISA): seen a lot in government entities

1.3.1. 1. Statement of requirements 2. System security considerations 3. Topological drawing 4. Signature authority

1.4. * Memorandum of Understanding/Agreement (MOU/MOA)

1.4.1. 1. Purpose of the interconnection 2. Relevant authorities 3. Responsibilities of each party 4. Terms of the agreement 5. Termination/reauthorization

2. Organizing Data:

2.1. * Data sensitivity/labeling:

2.1.1. 1- Public • No restrictions 2- Confidential • Limited to authorized viewing as agreed on by the parties involved 3- Private • Limited to only the individual to whom the information belongs • Personally Identifiable Information (PII) 4- Proprietary • Like private, but at the corporate level 5- Protected Health Information (PHI) • Health Insurance Portability and Accountability Act (HIPAA)

2.2. * Data Roles:

2.2.1. 1- Owner • Legally responsible for the data 2- Steward/Custodian • Maintains the accuracy and integrity of the data 3- Privacy Officer • Ensures data handling adheres to privacy policies and procedures

2.3. * User Roles

2.3.1. 1- Users • Assigned standard permissions to complete their tasks 2- Privileged users • Increased access and control relative to standard users 3- Executive users • Set policy on data and incident response actions

2.4. * Business administrator * Data owner/System owner

3. Business Impact Analysis

3.1. * Business Impact Analysis (BIA): the study and analysis of the impact on your organization if a disruption occurs

3.2. BIA Basics

3.2.1. 1. Determine mission processes 2. Identify critical systems 3. Identify single points of failure 4. Identify resource requirements 5. Identify recovery priorities

3.3. * PIA (Privacy Impact Assessment): a process that helps organizations identify and manage the privacy risks arising from new projects, initiatives, systems, processes, strategies, policies and business relationships

3.4. * PTA (Privacy Threshold Assessment): determines whether a system handles PII and therefore whether a full PIA is required

3.5. * Recovery Time Objective (RTO)

3.5.1. 1. Minimum time needed to restore critical systems 2. Maximum time critical systems can be down without substantial impact

3.6. * Recovery Point Objective (RPO) • Maximum amount of data that can be lost without substantial impact

4. Quantitative Risk Calculations

4.1. * SLE = Asset Value (AV) × Exposure Factor (EF) (Single Loss Expectancy) * ALE = SLE × ARO (Annualized Loss Expectancy; ARO = Annualized Rate of Occurrence)
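The formulas above carried through on a small risk register, as an added example that is not part of the original notes. It computes SLE and ALE per risk, ranks the register by ALE, and then extends the page's formulas with the usual cost/benefit step for a safeguard (ALE before the control minus ALE after it minus the control's annual cost); that last step and all asset values, exposure factors and rates below are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of a quantitative risk register."""
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0.0 to 1.0
    aro: float              # ARO: expected incidents per year

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce meaningless SLE/ALE figures.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Highest annual expected loss first; this is the usual treatment priority."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual benefit of a safeguard (an extension of the page's formulas,
    not stated on the page): ALE reduction minus the control's yearly cost.
    A positive result means the control pays for itself."""
    return before.ale() - after.ale() - annual_control_cost


# Constructed sample register; the figures are illustrative, not real data.
EXAMPLE_RISKS = [
    Risk("Laptop theft", asset_value=2_000, exposure_factor=1.0, aro=4.0),
    Risk("Ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.25),
    Risk("Flood in data center", asset_value=1_000_000, exposure_factor=0.8, aro=0.02),
]

# Hypothetical safeguard: offline backups cut the ransomware EF from 0.5 to 0.1
# (the server still goes down, but most data is recoverable) at 6,000 per year.
RANSOMWARE_WITH_BACKUPS = Risk(
    "Ransomware on file server", asset_value=200_000, exposure_factor=0.1, aro=0.25
)
BACKUP_ANNUAL_COST = 6_000.0


if __name__ == "__main__":
    print(f"{'Risk':28} {'SLE':>12} {'ALE':>12}")
    for r in rank_by_ale(EXAMPLE_RISKS):
        print(f"{r.name:28} {r.sle():12,.0f} {r.ale():12,.0f}")
    gain = control_value(EXAMPLE_RISKS[1], RANSOMWARE_WITH_BACKUPS, BACKUP_ANNUAL_COST)
    print(f"\nNet annual value of offline backups: {gain:,.0f}")
```

Ranking by ALE rather than by SLE is the point of the ARO term: the flood has the largest single loss but ransomware dominates the annual figure, so it gets treated first.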

5. Security Policies

5.1. * 1- Acceptable Use Policy: defines what a person can or can't do when using company assets

5.2. * 2- Data Sensitivity and Classification Policy: defines the importance or nature of the data

5.3. * 3- Access Control Policies:

5.3.1. 1- How users get access to data or resources 2- What type of data users have access to

5.4. * 4- Password Policy: password recovery, bad logins (lockout), password retention, password reuse

5.5. * 5- Care and Use of Equipment: how company equipment is maintained * 6- Privacy Policies: often written for customers

5.6. * 7- Personnel Policies: deal with the people who handle the data

6. Frameworks

6.1. * Framework: a structured, reusable set of practices, controls and processes used to build a security program, so that the organization does not have to start from scratch

6.2. * Frameworks come from a variety of sources including regulatory, non-regulatory, national, and industry standards (best practices)

6.3. * Evaluate security controls to verify what is feasible to implement in an environment

6.4. * Authorization is an important process when defining, implementing, and measuring security controls

7. Interesting security controls:

7.1. * 1- Mandatory vacation is a control used to detect vulnerabilities or unauthorized activity (someone else covers the role while the employee is away)

7.2. * 2- Job Rotation: switching people around to work in different positions

7.3. * 3- Multi-person control allows for checks and balances on critical functions

7.4. * 4- Separation of Duties: a single individual should not perform all critical or privileged duties across the board

7.5. * 5- Principle of Least Privilege: set resource access to only what is necessary to perform the job

8. Defense in Depth

8.1. * Diversity vs. redundancy

8.2. * Redundancy is repeating the same controls at various intervals

8.3. * Diversity is using a variety of controls in a random pattern

9. IT Security Governance:

9.1. * Security controls are defined within the policies and standards

9.2. * Sources of IT governance come from laws & regulations, industry best practices, and internal standards

9.3. * Policies, Security Controls and Standards help define and build procedures

10. Security Training

10.1. * Onboarding: preparing new employees to join the organization by providing the knowledge, services and behaviors needed to become effective in their work

10.2. * Background check * Non-disclosure agreement (NDA) * Standard operating procedures * Specialized issues

10.3. * Rules of behavior * General security policies

10.4. * Role-based Data Controls

10.4.1. 1- System owner 2- System administrator 3- Data owner 4- User 5- Privileged user 6- Executive user