
1. Third-Party Agreements
1.1. * Business Partner Agreement (BPA): the most generic of these documents; common in the private sector
1.1.1. 1. Primary entities 2. Time frame 3. Financial issues 4. Management
1.2. * Service Level Agreement (SLA)
1.2.1. 1. Service to be provided 2. Minimum up-time 3. Response time (contacts) 4. Start and end date
1.3. * Interconnection Security Agreement (ISA): seen frequently in government entities
1.3.1. 1. Statement of requirements 2. System security considerations 3. Topological drawing 4. Signature authority
1.4. * Memorandum of Understanding / Memorandum of Agreement (MOU/MOA)
1.4.1. 1. Purpose of the interconnection 2. Relevant authorities 3. Specify the responsibilities 4. Define the terms of the agreement 5. Termination/reauthorization
2. Quantitative Risk Calculations
2.1. * SLE = Asset Value (AV) x Exposure Factor (EF); SLE = Single Loss Expectancy
2.2. * ALE = SLE x ARO; ALE = Annualized Loss Expectancy, ARO = Annualized Rate of Occurrence
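The SLE/ALE formulas above applied to a small constructed set of risk scenarios, ranked by ALE so the highest annual exposure comes first. This is an added example, not part of the original notes; the asset values, exposure factors and occurrence rates are made-up sample numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year; < 1 for rare events

    def __post_init__(self):
        # Reject inputs that would make the formulas meaningless
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")


def sle(scenario: RiskScenario) -> float:
    """Single Loss Expectancy: loss from one occurrence (AV x EF)."""
    return scenario.asset_value * scenario.exposure_factor


def ale(scenario: RiskScenario) -> float:
    """Annualized Loss Expectancy: expected loss per year (SLE x ARO)."""
    return sle(scenario) * scenario.aro


def rank_by_ale(scenarios):
    """Return (name, SLE, ALE) tuples sorted from highest to lowest ALE."""
    rows = [(s.name, sle(s), ale(s)) for s in scenarios]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample scenarios (illustrative numbers, not from any real assessment)
SAMPLE_SCENARIOS = [
    RiskScenario("Ransomware on file server", asset_value=200_000, exposure_factor=0.5, aro=0.5),
    RiskScenario("Laptop theft", asset_value=2_000, exposure_factor=1.0, aro=4),
    RiskScenario("Data-centre flood", asset_value=1_000_000, exposure_factor=0.8, aro=0.02),
]

if __name__ == "__main__":
    for name, single, annual in rank_by_ale(SAMPLE_SCENARIOS):
        print(f"{name:28s} SLE={single:>12,.2f}  ALE={annual:>12,.2f}")
```

Note that the flood has by far the largest SLE but a lower ALE than the ransomware scenario, because ARO scales the per-incident loss by how often it is expected each year.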
3. Security Policies
3.1. * 1-Acceptable Use Policy: defines what a person can or can’t do when using company assets
3.2. * 2-Data Sensitivity and Classification Policy: define the importance or nature of the data
3.3. * 3-Access Control Policies:
3.3.1. 1-How access to data or resources is obtained 2-What types of data users have access to
3.4. * 4-Password Policy: password recovery, bad logins, password retention, password reuse
3.5. * 5-Care and Use of Equipment: how company equipment is maintained
3.6. * 6-Privacy Policies: often written for customers
3.7. * 7-Personnel Policies: deal with the people who handle data
4. Interesting security controls:
4.1. * 1-Mandatory vacation: a control used to detect vulnerabilities or unauthorized activity
4.2. * 2-Job rotation: switching people around to work in different positions
4.3. * 3-Multi-person control: allows for checks and balances on critical functions
4.4. * 4-Separation of duties: a single individual should not perform all critical or privileged duties across the board
4.5. * 5-Principle of least privilege: resource access is set to only what is necessary to perform the job
5. IT Security Governance:
5.1. * Security controls are defined within the policies and standards
5.2. * Sources of IT governance come from laws and regulations, industry best practices, and internal standards
5.3. * Policies, security controls, and standards help define and build procedures
6. Security Training
6.1. * Onboarding: prepares new employees to join the organization by providing the knowledge, services, and behaviors needed to become effective in their work
6.1.1. 1-Background check 2-Non-disclosure agreement (NDA) 3-Standard operating procedures 4-Specialized issues 5-Rules of behavior 6-General security policies
6.2. * Role-based Data Controls
6.2.1. 1-System owner 2-System administrator 3-Data owner 4-User 5-Privileged user 6-Executive user
7. Organizing Data:
7.1. * Data sensitivity / labeling:
7.1.1. 1-Public: no restrictions
7.1.2. 2-Confidential: limited to authorized viewing as agreed on by the parties involved
7.1.3. 3-Private: limited to only the individual with whom the information is shared; includes Personally Identifiable Information (PII)
7.1.4. 4-Proprietary: like private, but at the corporate level
7.1.5. 5-Protected Health Information (PHI): governed by the Health Insurance Portability and Accountability Act (HIPAA)
7.2. * Data Roles:
7.2.1. 1-Owner: legally responsible for the data
7.2.2. 2-Steward/custodian: maintains the accuracy and integrity of the data
7.2.3. 3-Privacy officer: ensures data adheres to privacy policies and procedures
7.3. * User Roles:
7.3.1. 1-Users: assigned standard permissions to complete tasks
7.3.2. 2-Privileged users: increased access and control relative to users
7.3.3. 3-Executive users: set policy on data and incident response actions
7.4. * Other roles: business administrator; data owner / system owner
8. Business Impact Analysis
8.1. * Business Impact Analysis (BIA): the study and analysis of the impact on your organization if a disruption occurs
8.2. * BIA Basics
8.2.1. 1-Determine mission processes 2-Identify critical systems 3-Identify single points of failure 4-Identify resource requirements 5-Identify recovery priorities
8.3. * PIA = Privacy Impact Assessment: a process that assists organizations in identifying and managing the privacy risks arising from new projects, initiatives, systems, processes, strategies, policies, business relationships, etc.
8.4. * PTA = Privacy Threshold Assessment
8.5. * Recovery Time Objective (RTO)
8.5.1. 1-Minimum time to restore critical systems 2-Maximum time critical systems can be down without substantial impact