RISK MITIGATION

Get Started. It's Free
or sign up with your email address
Rocket clouds
RISK MITIGATION by Mind Map: RISK MITIGATION

1. SECURITY Policy Subset

1.1. Acceptable use policy

1.1.1. defines the actions users may perform while accessing systems and networking equipment

1.1.2. covers all computer use, incl. internet, email, web and password security

1.1.3. Users include employees, vendors, contractors, visitors each with different privileges

1.1.4. provide explicit prohibitions regarding security and proprietary info.

1.1.5. outlines unacceptable use

1.1.6. most important policy

1.2. privacy

1.2.1. also called Personally Identifiable Information (PII)

1.2.1.1. outlines how the organization uses personal information it collects

1.3. security-related human resources

1.3.1. Includes statements about how an employee’s information technology resources will be addressed

1.3.2. Typically presented at employee orientation session after employee is hired

1.3.3. May include statements regarding due process and/or due diligence

1.3.4. May include statements regarding actions to be taken when employee is terminated

1.4. password management and complexity

1.4.1. Addresses how passwords are created and managed

1.4.2. Reminds users of differences between strong and weak passwords

1.5. disposal and distruction

1.5.1. Addresses disposal of confidential resources

1.5.2. Describes how to dispose of equipment, records, and data

1.6. classification of information

1.6.1. Designed to produce standardized framework for classifying information assets

1.6.2. Generally involves creating classification categories Example: high, medium, low

1.7. Ethics

1.7.1. Defining Ethics can be difficult

1.7.2. Values

1.7.2.1. fundamental beliefs and principles used to define what is good right, and just.

1.7.2.2. Classified

1.7.2.2.1. Moral

1.7.2.2.2. Pragmatic

1.7.2.2.3. aesthetic

1.7.3. Morals

1.7.3.1. values that are attributed to a system of beliefs that help individuals distinguish between right and wrong

1.7.4. IS

1.7.4.1. the study of what a group of people understand to be good and right behavior and how people make those judgements

1.7.4.2. ethical behavioral standards are set by the organization and is taught to the employees

1.7.5. Policy

1.7.5.1. written code

1.7.5.2. central guide and reference for employees in support

1.7.5.3. Serves as a communication tool to reflect organization’s commitments

2. Concepts at the heart of information Security

3. Approach

3.1. most organization use multifaceted approach

3.1.1. 1. thru different management approach

3.1.2. 2. develop a security policy that reflects the org. philosophy re: protecting technology resources

3.1.3. 3. User awareness and training

4. Terminology

4.1. Threat - A type of action that has the potential to cause harm

4.2. Threat agent - a person or element that has the power to carry out a threat

4.3. Vulnerability - A flaw or weakness that allows a threat agent to bypass security

4.4. Risk - The likelihood that the threat agent will exploit the vulnerability

5. Classification

5.1. Strategic

5.1.1. actions that affect the long-term goals of the org.

5.2. Compliance

5.2.1. following regulations and standards

5.3. Financial

5.3.1. impact on financial decision and market factors

5.4. Operational

5.4.1. impact daily operations

5.5. Environmental

5.5.1. actions relation to surroundings

5.6. Technical

5.6.1. events that affect IT Systems

5.7. Managerial

5.7.1. actions related to the management of the org.

6. Controlling Risk Strategies

6.1. Privilege Management

6.1.1. the process of assigning and revoking privileges to objects

6.1.2. Privilege is a subjects access level over an object

6.1.3. Privilege Auditing -

6.1.3.1. Periodically reviewing a subject’s privileges over an object

6.1.3.2. serve to verify the security protections enacted are adhered to and that corrective actions can be swiftly implemented

6.2. Incident Management

6.2.1. Response to an authorized change

6.2.2. Components required to identify, analyze, and contain an incident

6.2.3. Incident Handling

6.2.3.1. planning, coordination, communication and planning functions that are needed to resolve an incident in an efficient manner.

6.2.4. Objective

6.2.4.1. to restore normal operations as quickly as possible impact on the business or the user

6.3. Change Management

6.3.1. Methodology for making modifications and keeping track of changes

6.3.2. Ensures proper documentation of changes so future changes have less chance of creating a vulnerability

6.3.3. Major Types of Change

6.3.3.1. Changes to system architecture i.e. new router, server, other equipment being introduced on the network

6.3.3.2. Changes to file or document classification i.e. Top Secret, Secret,, Confidential, Unclassified

6.3.4. Change Management Team (CMT)

6.3.4.1. Responsible for overseeing the changes

6.3.4.2. made up of representatives from all areas of IT, Network Security, and upper management

6.3.4.3. All changes must be approved by CMT

6.3.4.4. DUTIES include

6.3.4.4.1. Review proposed changes

6.3.4.4.2. Ensure the risk and impact of planned changes are clearly understood

6.3.4.4.3. Approve, disapprove, defer, or withdraw of request change

6.3.4.4.4. Communicate proposed and approved changes to coworkers

7. Awareness & Training

7.1. key defense in information security

7.2. Training Topics

7.2.1. Compliance

7.2.1.1. informing users in

7.2.1.1.1. Security Policy training and procedures

7.2.1.1.2. PII

7.2.1.1.3. Data labeling, handling, and disposal

7.2.1.1.4. compliance with law, best practices and standards

7.2.2. secure user practices

7.2.2.1. helping user to know how their normal practices can impact the security of the organization

7.2.2.1.1. Categories

7.2.3. awareness of threats

7.2.3.1. common exampes

7.2.3.1.1. Peer-to-Peer (P2P) Network

7.2.3.1.2. Social Networking

7.2.3.2. aware of new viruses, phishing attacks, and zero day exploits

7.3. TRAINING Techniques

7.3.1. when a new employee is hired

7.3.2. after a computer attack has occured

7.3.3. when an employee is promoted or given new responsibilities

7.3.4. during an annual departmental retreat

7.3.5. when new user software is installed

7.3.6. when user hardware is upgraded

7.4. Traits of learners

7.4.1. impact how people learn

7.4.1.1. Pedagogical approach

7.4.1.1.1. lead a child

7.4.1.2. andragogical approach

7.4.1.2.1. the art of helping an adult learn

7.4.2. Examples of learning styles

7.4.2.1. Visual

7.4.2.1.1. taking notes, being at the front of the class, and watching presentations

7.4.2.2. Auditory

7.4.2.2.1. sit in the middle of the class and learn best thru lectures and discussions

7.4.2.3. Kinetics

7.4.2.3.1. learn thru lab environment or other hands on approaches

8. Reducing Risk

8.1. Security Policy

8.1.1. a document that outlines the asset protections that should be enacted

8.1.2. Functions

8.1.2.1. Documents management’s overall intention and direction

8.1.2.2. Details specific risks and how to address them

8.1.2.3. Provides controls to direct employee behavior

8.1.2.4. Helps create a security-aware organizational culture

8.1.2.5. Helps ensure employee behavior is directed and monitored

8.1.2.6. Helps ensure employee behavior is directed and monitored

8.1.2.7. Helps ensure employee behavior is directed and monitored

8.1.3. Balancing Trust and Control

8.1.3.1. Approach

8.1.3.1.1. Trust everyone all the time

8.1.3.1.2. Trust No one at anytime

8.1.3.1.3. Trust some people some of the time

8.1.4. Balance Control

8.1.4.1. Influenced by security needs of the org

8.1.5. Designing a Security Policy

8.1.5.1. Terminology

8.1.5.1.1. Standard - a collection of requirements specific to the system or procedure that must be met by everyone

8.1.5.1.2. Guideline - a collection of suggestions that should be implemented. *They are not required to be met but strongly recommended*

8.1.5.1.3. Policy - document that outlines specific requirements or rules that must be met

8.1.5.2. Security Policy Cycle (Phases)

8.1.5.2.1. PHASE 1 - Vulnerability assessment

8.1.5.2.2. PHASE 2 - Create the policy using information from risk management study

8.1.5.2.3. PHASE 3 - Review the policy for compliance

8.1.6. MUST

8.1.6.1. Be implementable and enforceable

8.1.6.2. easy to understand and concise

8.1.6.3. balance protection with productivity

8.1.7. SHOULD

8.1.7.1. state reasons the policy is necessary

8.1.7.2. describe what is covered by the policy

8.1.7.3. outline how violations will be handled

8.1.8. TEAM

8.1.8.1. Senior level administrator

8.1.8.2. Member of management who can enforce the policy

8.1.8.3. Member of the legal staff

8.1.8.4. Representative from the user community

8.1.8.5. SIZE of TEAM

8.1.8.5.1. depend on the size and scope of the policy

8.1.8.6. decides on

8.1.8.6.1. Goals & Scope of Policy

8.1.8.6.2. How specific to make the policy

8.1.8.6.3. Include DUE CARE statements

8.1.9. GUIDELINES

8.1.9.1. Notify users in advance that a new security policy is being developed and explain why the policy is needed

8.1.9.2. Provide a sample of people affected by the policy with an opportunity to review and comment on the policy

8.1.9.3. Prior to development, give all users at least two weeks to review and comment

8.1.9.4. Allow users given responsibility in a policy the authority to carry out their responsibilities

8.1.9.5. *some designate a person who served on the development team to serve as the official policy interpreter in case questions arise