Tuesday, September 2, 2014

Directed study chapter 2 Fall 2014



2.1 Security objectives:
       a. Availability: reliable and timely access to data and resources.
       b. Integrity: accuracy and reliability of information and systems.
       c. Confidentiality: the necessary level of secrecy enforced at each junction of data processing.




2.3 a. Layered model:
              Fence, locked external doors, closed-circuit TV, security guard, locked internal doors, locked server room, physically secured computers.
       b. Technical controls:
              Firewalls, intrusion detection systems, intrusion prevention systems, antimalware, access control, encryption.

       c. The Open Group Architecture Framework (TOGAF): business activities drive the choice of data, data determines the applications, applications use the technology.
       d. NIST: business drives information and decides standards; information decides systems; systems choose data and also give feedback to business; data supports hardware, software and communications.
       e. CobiT: IT resources ==> plan and organize ==> achieve goals ==> payment ==> control and evaluate ==> IT resources.
       f. PDCA (Plan-Do-Check-Act) cycle:
              Plan ==> processing ==> control and evaluate ==> solve problems ==> new plan

COSO: control environment, risk assessment, control activities, information and communication, monitoring.

2.5 Risk categories: physical damage, human interaction, equipment malfunction, inside and outside attacks, misuse of data, loss of data, application error.
IRM policy: team, risk level, identification of risk, connection between the organization's strategic planning and the IRM policy, IRM's duty in the organization, internal control, the change of staff behavior and resource allocation, budgets, main purpose.

2.6 Main goals of risk analysis:
       a. Identify the value of assets
       b. Identify vulnerabilities and threats
       c. Quantify the threat
       d. Budgets

2.7 NIST: system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations, results documentation.

Risk management of NIST (in short):
(1) system check, (2) find threats, (3) find vulnerabilities, (4) control threats, (5) likelihood determination, (6) impact analysis, (7) determine risk, (8) recommendations, (9) results


2.8 Functionality and effectiveness: see table 2-10 (p. 95).

2.9 Four ways of handling risk: transfer, avoid, reduce, and accept.

2.10 Security policy:
       a. Business objectives drive the policy creation
       b. Easy to understand
       c. Can be used in all business processes and functions
       d. Legal
       e. Changes with company development
       f. Daily control
       g. Easy to research
       h. Foresight
       i. Professional level
       j. Regularly managed policy

2.11 Classification levels:
Public: no adverse effect on the company
Sensitive: needs to be protected.
Private: employees' personal information, not suitable for sharing.
Confidential: the most important information.
Unclassified: can be publicized
SBU (sensitive but unclassified): information not shared
Secret: serious damage if disclosed
Top secret: you would never want to tell anyone.

2.12 Layers of responsibility
       a. Board of directors (control the fulfillment of the corporation's charter)
       b. Executive management ("C"-level people; their duty is daily management) and security steering committee ("C"-level people and technology supporters)
       c. Audit committee (you need them to pay)
       d. Data owner, data custodian, system owner, security administrator, security analyst, application owner, change control analyst, data analyst, process owner, solution provider (technicians and supervisors; they form the base layer)
       e. User, product line manager and auditor (they are the users)
