competitive advantage
leverage gained by an organization that supplies superior products or services
competitive disadvantage
leverage lost by an organization that supplies products or services perceived to be inferior to other organizations
risk management
process of identifying risk to an organization's information assets and infrastructure and taking steps to reduce this risk to an acceptable level
3 major undertakings of risk management
risk identification, risk assessment, risk control
risk identification
examination and documentation of the security posture of an organization's information technology and the risks it faces
risk assessment
determination of the extent to which the organization's information assets are exposed or at risk
risk control
application of controls to reduce the risks to an organization's data and information systems
security managers and technicians
defenders of information
assets
information and the systems that use, store, and transmit information
identify and inventory assets, classify and prioritize assets, identify and prioritize threats
3 components of risk identification
identify vulnerabilities between assets and threats, identify and quantify asset exposure
2 components of risk assessment
select strategy, justify controls, implement and monitor controls
3 components of risk control
identifying, examining, and understanding the threats
knowing the enemy
role of information security
understand the threats and attacks that introduce risk into the organization
role of management and users
play a part in the early detection and response process; ensure that sufficient resources are allocated
role of information technology
assist in building secure systems and operating them safely
role of general management, IT management, and information security management
collectively accountable for identifying and classifying all levels of risk
information security, management and users, information technology
3 communities of interest
other responsibilities of 3 communities of interest
evaluating the risk controls, determining which control options are cost effective for the organization, acquiring or installing the needed controls, ensuring that the controls remain effective
risk management strategy
calls on information security professionals to identify, classify, and prioritize the organization's information assets
threat assessment process
identify and quantify the risk facing each asset
risk management process
requires applying the organization's project management principles to the risk management process
needed by risk management process
a proper plan with periodic deliverables, including a task list and appropriate assignments
how iterative process begins
identification of assets, including people, procedures, data, software, hardware, and networking components
what happens after asset identification
classification and categorization
identifying human resources, documentation, and data information assets
more difficult than identifying hardware and software assets
people, procedures, data
asset attributes to consider when deciding which info assets to track
information owners
responsible for classifying the info assets for which they are responsible
confidential, internal, external
3 categories of typical info classification scheme
U.S. Military Classification Scheme
has more complex categorization scheme than most corporations
unclassified, sensitive but unclassified, confidential, secret, top-secret
military 5-level classification scheme
Personnel Information and Evaluation Reports
special military classification rating
Need-to-Know and Named Projects
used by FBI and CIA
Public, For Official Use Only, Sensitive, Classified
simple classification scheme used by most organizations
personnel security clearance structure
a single level of authorization for each user of data in the organization
need-to-know requirement
extra level of protection that ensures that the confidentiality of info is properly maintained
storage, distribution, portability, destruction
included in management of classified data
by inconspicuous means, such as a locked briefcase or portfolio
how classified info should be carried
clean desk policy
requires employees to secure all info in appropriate storage containers at the end of each day
shredding, burning, or transferring to an authorized document destruction service
how copies of classified info should be destroyed when they are no longer valuable
confidential data, internal data, and public data
3 kinds of classifications
comprehensive
all info assets must fit in the list somewhere
mutually exclusive
an info asset should fit in only one category
personnel security clearance structure
identifies the level of info individuals are authorized to view based on what each person needs to know